2017 was a landmark year for cyber attacks with hundreds of millions of people affected around the world. According to the Breach Level Index report, nine billion records have been breached since 2013 – with nearly two million of those in the first six months of 2017 alone.
Indiscriminate and increasingly smart, today’s cyber attacks have seen hackers arming themselves with an arsenal of tactics for cyber warfare. Indeed, WannaCry, a strain of ransomware that targeted computers running the Microsoft Windows OS, affected more than 300,000 computers across 150 countries, with total damages rising into the hundreds of millions to billions of dollars.
One of the most prominent victims was the NHS in the UK, where nearly 7,000 appointments were cancelled.
Systems the world over collapsed under the pressure of the malware, increasingly highlighting the necessity for stronger cyber security and a better understanding of the digital skills required around it.
Organisations and individuals need to be increasingly vigilant about cyber security, so today we’re looking at the emerging and continuing trends for 2018.
1. Ransomware isn’t going anywhere
Ransomware is poised to be a big trend into 2018, with state-sponsored attacks adding fuel to an already roaring fire.
Ivan Quill, Integrity360’s Pre Sales Technical Architect, agrees. “The main takeaway from 2017 has got to be ransomware, with it now being weaponised into a state-sponsored hacking tool, as per the WannaCry outbreak.
“We can only expect this to perpetuate and increase into 2018. There are different motivations for the use of Ransomware that we need to be aware of, if we are to tackle this. On the one hand, you have organised crime using it as a source of revenue. On the other hand, where the perpetrator is state-sponsored, the motivation seems to be general disruption.”
And it’s not just WannaCry that’s stealing headlines. NotPetya, in the Ukraine, escaped into the wild and did untold damage, with cost estimates hitting $300 million. While WannaCry was motivated by monetary gain, NotPetya was purely destructive, stealing or destroying data from companies including Uber, Deloitte, and Equifax.
“The risk factor increases tremendously when taking into consideration the ease of establishing a foothold into an organisation through phishing,” explains Calum Mackenzie, Cyber Intelligence Lead.
“This has especially been the case in the last few months of the year with the spotlight very much on Microsoft Office DDE based attacks, where malicious Office documents sent via email are used to compromise endpoints. We have seen malware authors chaining attack techniques in both WannaCry and NotPetya to achieve lateral movement to spread and increase the impact it has on the network.
“The availability of this advanced tooling in the wild allows threat actors and threat groups to use and modify the code to launch attacks of their own. This presents a serious risk especially when most organisations aren’t adequately equipped to defend or even detect these types of attacks. With many techniques at the disposal of adversaries right now, these types of multi-phase attacks are only set to increase.”
Though, Calum says, it’s not all doom and gloom. “Defenders should be as excited as ever with the number of countermeasures at their disposal,” he says. “We have some of the best protection mechanisms available right now and the ability to collect almost any data we want from systems, networks and applications so staying afloat or becoming less of an easy target is entirely possible,” he concludes.
2. The dynamic perimeter will come to the fore
With the pervasiveness of BYOD, cloud and the mobile workforce, it has become very clear that there is no longer a perimeter that can be statically determined, and established enterprise security architectures are due for an overhaul. Barbara Bogdanescu, Chief Architect & Product Director, notes that “with a dynamic perimeter that needs to meet business requirements in terms of agility, flexibility, productivity and risk, many companies will look towards the new Zero Trust network models as well as security from the Application level rather than at a network level. Visibility, real-time alerting as well as SOC team up-skilling will be paramount for the transition.”
3. Internet of Things threats to continue
While the Internet of Things can make life easier, it’s a double-edged sword for privacy. The effectiveness of IoT on a personal level rests on the amount of access connected devices have to your daily life and your data – but it’s becoming more common in business spaces too, especially in verticals such as ecommerce.
However, as IoT-enabled devices become more popular, the exposure risk increases exponentially – and this has already begun. Though it has since been patched, BlueBorne was a series of simple Bluetooth-based attacks that affected Gen1 Alexa devices – which begs the question: what happens if attackers choose to target an employee’s home network of IoT-enabled devices in order to access sensitive company-wide information?
Sean Rooney, Cyber Risk and Assurance Director, flags artificial intelligence and machine learning as both a positive and negative in the realm of IoT.
“Artificial Intelligence and machine learning will help us in our war against cybercrime,” he explains. “However, it will also be used by the cybercriminals and nation states to support their attacks by learning from our response, and to enable them to exploit newly discovered vulnerabilities before we can patch them.”
4. Stolen PII to be put to malicious use
Barbara Bogdanescu believes that we are sure to see personally identifiable information (PII) put to malicious use, given the large amount stolen and leaked over the last year, and given the sensitive nature of some of it (e.g. the Equifax breach).
“Valid data - as with some of the data it will take quite a while to change/invalidate it - combined with AI/ML as well as social engineering techniques will lead to extremely hard to detect spear-phishing attacks and social engineering attacks. The human link is always the weakest and it will continue to be exploited.”
5. GDPR will rise to the fore
The General Data Protection Regulation (GDPR) significantly changes data protection laws in Europe, increasing data obligations for organisations while strengthening the rights of the individual. Arriving in May 2018, it’s destined to usher in a sea-change for how organisations (and individuals) process and deal with data.
“It is likely that we will see an upsurge in data protection audits from the data protection commissioner,” Sean Rooney says. “While it is likely to start off with a little leniency, we will probably see some organisations being made an example of. As with information security, there is a major shortage of skills in data protection and data governance, so there are major career opportunities in these areas, and there always will be.
“We may see shareholders begin to sue the boards of companies for unintentionally lying to them about the readiness of the organisation to deal with an attack. So, we will start to see management painting a true picture of their cyber security profile and maturity. Cyber security will become part of the risk function, and taken out of being the sole responsibility of the technical department.”
Indeed, the implementation of GDPR will expose organisations who are light on adequate security – and it will add transparency as organisations will be obliged to disclose breaches within 72 hours.
6. Increased adoption of the cloud equals increased risk
According to McAfee’s Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security report, hybrid cloud adoption grew threefold in the last year, increasing from 19 percent to 57 percent.
73 percent of the companies profiled were planning to move to a fully software-defined data centre within two years – which means the cloud will be a prime target for attackers.
Poor configuration, poor maintenance, and a lack of understanding of where responsibilities lie may lead to organisation-wide breaches.
If your organisation is moving to the cloud, ensure that you create a security policy, encrypt your files, enhance authentication processes, and stay on top of new trends.
7. Companies will become aware of the basics and they’ll more readily meet the skills gap
ISACA, a non-profit information security advocacy group, predicts that there will be a global shortage of two million cyber security professionals by 2019. It’s an area that’s constantly growing, though it faces a real skills shortage.
The proliferation of ransomware and the incoming transparency of GDPR compliance mean organisations will need to tool up on a macro and micro level.
“There never has been and there never will be a silver bullet for fighting cyberwarfare,” says Sean Rooney. “Security must be built into the fabric of how we do our business. Executives must have full understanding of the security maturity of their organisations, and prioritise their programs based on the risk.
“Organisations must look at their strategic business objectives and build their security strategy around enabling the organisation to achieve those objectives securely. Comprehensive security programs should be built around a modern security framework, or an amalgam of the top ones, such as the NIST Cyber Security Framework, the CIS top 20 critical controls and an effective ISMS built around ISO 27001 which will also help with GDPR compliance.”
In many cases, the basics are missing, as typified by the Equifax breach, which was caused by a known vulnerability that went unpatched.
“This brings us back to the fundamental lessons which have been hammered home this year,” says Ivan Quill, “linking both the Equifax and the WannaCry incidents, which is that timely system patching is critical to the security of any solution.”
Calum Mackenzie highlights the following as benchmarks for cyber security efforts in 2018:
- Run compromise assessments: The organisation is assessed for signs of compromise to determine if a malicious actor is already operating on its network. Naturally, this will be paired with penetration testing to understand the organisation’s exposure risk.
- Test your defensive stack: Run attack simulations that walk through scenarios and techniques. Consider employing a Red Team to test your defences in real time.
- Implement application whitelisting: Block executables that haven’t been permitted to run on your systems.
- Implement endpoint protection: It can detect attack techniques via behavioural analysis and by identifying malicious characteristics.
A strategic approach to cyber security will be key to a safe 2018.