“Cyber criminals are also exploring new practices, and forming their own mergers, creating organizations capable of more sophisticated, specialized attacks. These changes will require organizations to implement better, stronger security controls, and become more attentive and agile in their reactions. This cycle should come as no surprise, its Newton’s Third Law at work, a constant cycle of action-reaction.”
As companies brace for another year of cyber threats, so too it seems that hackers are also preparing for 2017. This is not good news, but comes as no surprise, as 2016 was riddled with data breaches. The Identity Theft Resource Center (ITRC) reported 980 reported data breaches for the year – a 26% increase over 2015’s total data breach number of 781.
Other types of cybersecurity threats made a lot of noise in 2016, wreaking havoc on everything in its path, from the hacking of the Democratic National Committee (DNC) email systems to the denial-of-service (DDoS) attacks launched in late October that brought many of the world’s most popular websites to a sudden halt for nearly a day.
Even as cybercrime has reached new heights globally, it still feels very personal, as everything from your TV remote to your voting ballot seems to be accessible to hackers. The New Year will bring an expansion of these types of threats, as well as continuation of the usual fraud attempts (malware, retail data breaches) that reach the news headlines on a weekly basis.
Attacks on Critical Infrastructure
Power plants, electrical grids and telecommunications networks, constructed before the threat of cyberattacks, are at risk from nation-states, terrorists and organized cybercrime. In fact, attacks on physical infrastructure as well as computer networks have increased within the utility sector, and will most likely continue to rise. On January 6th, Bloomberg reported that the U.S. Energy Department, in their Second Installment of the Quadrennial Energy Review, find that the electricity system “faces imminent danger” from cyber-attacks, which are growing more frequent and sophisticated.
“Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency,” the DoE said in the 494-page report. “The current cybersecurity landscape is characterized by rapidly evolving threats and vulnerabilities, juxtaposed against the slower-moving deployment of defense measures.”
Ponemon Institute and Unisys’ recent report shows that there is a considerable protection gap in this sector. The United States suffers more blackouts than any other developed country in the world, thanks to aging power grids and infrastructure. Even more disturbing than an inconvenient power outage that would ultimately be resolved is the threat of a power outage caused by a cybersecurity attack.
In its report, the Department of Energy detailed 76 recommendations to boost energy security, including increasing the collection of data about online breaches from utilities. Additionally, the report found that total investment requirements necessary for grid modernization range from $350 billion to $500 billion.
Regardless of source and motive, it is essential that security specialists work to improve safety measures in place and create plans for if and when an attack on infrastructure occurs.
As technology advances, “online” devices – from drones to routers – are being widely adopted. Consumers want these devices for convenience and connectivity, while enterprises consider IoT (the “Internet of Things”) a strategic initiative vital to business growth. In fact, roughly 31% of organizations, per IDC’s Global IoT Decision Maker Survey, have launched an IoT initiative, with 43% planning to deploy IoT in the next twelve months.
In fact, IoT is expanding so rapidly that it has its own list of predictions for 2017, covering everything from IoT security, to platform, to device management, to IoT analytics. Gartner released a slideshow featuring the top 10 IoT technologies that should be on every organization’s radar for 2017 and 2018. PYMTS also has an IoT tracker, showcasing 80 top companies that are leading the way in all aspects of IoT.
However, hackers have taken notice of IoT vulnerabilities. 2016 saw the first major Distributed Denial of Service (DDoS) attack leveraging IoT devices.
“The 10/21 attacks were made possible by the large number of unsecured internet-connected digital devices, such as home routers and surveillance cameras. The attackers employed thousands of such devices that had been infected with malicious code to form a botnet. The software used to crawl the internet to find unsecured devices is freely available. Even though some of these devices are not powerful computers, they can generate massive amounts of bogus traffic to swamp targeted servers, especially if you abuse a large numbers of them at once.”
Organizations implementing IoT technologies need to be aware of the current tradeoffs – security versus convenience.
Ransomware has become a “go-to” tool of choice for many cyber criminals, and has worked its way onto every security watch list for 2017 – some estimates have ransom attacks increasing 10-fold over the next year. It’s not shocking that the success of ransomware will result in an increase in attempts; however, experts believe that the increase in demands will skyrocket.
“Up until now, ransom demands have been relatively low and generally viewed more as nuisance payments to regain possession of information that is worth considerably more, in some cases, millions of dollars. But it is widely speculated that, as these attacks increase, the cyber criminals behind them will also begin to understand the value of the data and how to capitalize on that data. This will likely result in a sharp increase in the ransom awards being demanded.”
A possible reason for the success of ransomware is the move to the cloud, which could provide cybercriminals the opportunity to spread malignant code from cloud to cloud, attacking single or multiple organizations.
Experts are still trying to determine the best strategies to handle ransomware. Some experts are focusing on prevention, such as separately maintaining data backup facilities and cooperating with law enforcement and peer organizations. The FBI provides a detailed public service announcement on their website, providing a list of measures that can lessen the risk of a successful ransomware attack. Interestingly, the FBI has recently advised that payment for those hit with ransomware may be the best option – which could potentially drive up the costs for the ransom itself. Other security experts, like Brian Krebs with Krebs on Security, say do not pay up.
“First off — breathe deep and try not to panic. And don’t pay the ransom. The key objective of ransomware is a psychological one — to instill fear, uncertainty and dread in the victim — and to sow the conclusion in the victim’s mind that any solution for restoring full access to all his files involves paying up,” says Krebs.
Krebs advises a number of steps ransomware victims can take, stating nomoreransom.org as the first place victims should look for help. This site, backed by security firms and cybersecurity organizations in 22 countries, estimates that it has been able to save 6,000 victims of ransomware more than $2 million to date.
Malware’s Continued Threat
There are a couple of good reasons that hackers continue to breach retail, healthcare and education payment systems – it’s a lucrative way to make money
Malware – a fancy name for malicious software that has been installed in a point of sale (POS) system to find clear-text credit and debit card numbers – has been the cause of the majority of the multi-million-dollar, large retail breaches in the past few years, and there are no signs that malware attempts will slow down. Antivirus provider Kaspersky Lab recently reported that around 323,000 new malware files are being identified each day by its product as opposed to 70,000 files per day in 2011 — and it is an increase of 13,000 per day when compared to 2015.
While malware fraud totaled $10 billion in 2014, it is estimated to top at $20 billion by 2018.
Hackers are perfecting their craft, becoming more sophisticated with their malware design, which means it will be increasingly more difficult for those hit to detect that they have been breached.
“Just like mobile apps for your iphone, malware designs are constantly improving and being modernized. Part of that improvement means the ability to bypass firewalls, easier execution and better deception methods. These newer versions are less resource heavy, causing less computer lag and red flags to the user. As a result, those infected may have little to no knowledge that their systems have been compromised. Because they are better at remaining undetected, late discovery could result in more files being infected and/or stolen, and costs to organizations will rise.”
While EMV continues to be implemented to authenticate the physical card used at the POS, the only true way to stop malware dead in its tracks is to encrypt payment data in the POS, whether it is data entered at the terminal or data stored for later use.
PCI’s Jeremey King recently stated that “to avoid any instance of data theft, point-to-point encryption (P2PE) must be adopted by credit card and bank service providers.” So too goes for merchants that accept credit cards as payment.
“As cybercriminals continue to target the ecosystem, more and more merchants are investing in point-to-point encryption (P2PE) to maintain the integrity of payment transactions and secure the card data,” says King.
King also emphasized tokenization as a necessary method of securing card data. Tokenization enables merchants and enterprises to safely “store” cardholder data at rest for use in future transactions. Tokenization, like P2PE, effectively renders the data useless to hackers.
One thing is for certain – the cyberthreats we face in 2017 are daunting. At the end of the day, private, public and government entities will need to work together to prevent these attacks – since no organization is off limits or immune.