The stream of massive data breaches continued in 2015. It seems that no sector was immune to hacking: banks, government, dating sites, healthcare, ISPs, and even security companies were compromised. Anywhere there was sensitive data hackers were trying to obtain it, and in many cases they succeeded. However, hacking is not entirely without risks, and law enforcement in various countries indicted or arrested individuals alleged to be responsible for some of these data breaches, including the Office of Personnel Management, JP Morgan, and Talk-Talk. Let’s take a look at some of the things that we think might be happening in 2016.
Someone will find a way to monetize an IoT attack
Security on most IoT devices is terrible, but they have not been subject to many attacks for several reasons. Since there is a large variety of devices, there is no uniform attack surface that cybercriminals can explore. Additionally, it’s difficult to monetize a remote attack that turns down someone’s thermostat or burns their toast. However, the criminal mind is extremely inventive and someone, somewhere is going figure out how to profit by hacking vulnerable devices. For instance any voice activated device has a microphone which might be used to spy on conversations, and any smart TV with a webcam might capture video as well. Even a device with no external sensors might be used to monitor network traffic and relay it to an external spy.
Any IoT device installed in a secure environment should have a way for the vendor, and only the vendor, to install patches if vulnerabilities are discovered. Look for the ability to automatically download digitally signed firmware updates. Beware of any listening or webcam devices in conference rooms or other places where sensitive topics are discussed. If you must have secret discussions in a room with a smart TV, don’t assume it isn’t doing anything because it is turned off. Unplug it from the power outlet unless you are actually watching TV.
DDoS and ransomware extortion will continue to increase
The ease of using Bitcoin for various types of extortion has led to an increase in ransomware and DDoS extortion. However, for the victim the results differ. If you pay a ransom for your data, the chances are you will get it back. If you pay off DDoS attackers, they are likely to just come back for more. Businesses should sign up for a reliable DDoS protection service before they get attacked, rather than having to pay ransom to delinquent script kiddies. Paying ransom to prevent DDoS will only make things worse.
Ransomware is such a cash cow for cybercriminals, and thanks to Bitcoin the barriers to entry are low, so we can expect to see the attacks continue and spread to other platforms such as OSX and Linux. The best protection against ransomware is not to get infected, so make sure your spam filtering and anti-virus software are current and effective. However if you do get hit, simply being able to restore from a backup will prevent you having to pay ransom. Make sure all your critical data is backed up. Test out your restore process from time to time to make sure it still works. For individuals and small businesses there are a number of cloud backup services that do a great job and are far better than paying ransom.
Zero days become so valuable we may see them deliberately introduced by developers
As zero day vulnerabilities prices skyrocket to six to seven figures, some developers will deliberately insert bugs into major vendors’ code so that a friend can claim the bug bounty, and split the reward with them. Currently the economics aren’t quite there in the U.S. It wouldn’t make sense for a programmer making a six-figure annual salary to risk losing that for a share of a six-figure bug bounty. However, companies that outsource development of key products to countries where developers are paid less are already at risk to this type of deception. We have already seen vulnerabilities deliberately introduced into open source software such as WordPress plugins, and commercial software will probably not be far behind.
Cyberattacks will increasingly cross over into the real world
As more factories and critical infrastructure are connected to the Internet, they will become more attractive targets for terrorists and hacktivists. According to a recent ESG survey, 68 percent of critical infrastructure organizations surveyed claimed they experienced one or more security incidents over the past two years. We may see cyber attacks evolve with attackers escalating from defacing websites to shutting down refineries or power grids.
Attaching infrastructure to the Internet allows for remote monitoring and control, which is extremely convenient for the owners and operators. However, this has to be weighed against the increased vulnerability to attack from anywhere in the world. As we have seen over the past few years, there is no such thing as a completely secure system when faced with a sufficiently determined attacker with enough resources.
If you must connect your chemical plant, pipeline, or munitions factory to the Internet, make sure that the cost of breaking is greater than the damage that an attacker could do, and confirm this by regular penetration testing. The weakest link in any system is often the people using it, so make sure that your staff is trained to detect and respond appropriately to spear phishing and social engineering attacks.
Presidential candidates will be prime targets for hacking
With the election season in the United States gaining steam, presidential campaigns and PACs will be prime targets for hacktivists. We can expect to see hackers release embarrassing emails or campaign planning documents from campaigns that don’t have first rate OpSec. After made this prediction but before publication, Anonymous announced that they are going after Donald Trump, but we expect he will not be the only candidate to attract this sort of unwelcome attention.
High tech companies will be driven out of the UK
The United Kingdom will pass the Investigatory Powers Bill requiring a backdoor in strong encryption. As a result, other major Internet companies will follow Yahoo!’s lead and move their operations out of the UK to avoid being subject to this law.