As IT systems evolve — in offices, data centres, production facilities, transportation systems, homes and all points in between — so the arms race between security professionals and an ever-changing cast of bad actors involves new challenges for the former and fresh opportunities for the latter.
That’s why, despite the best efforts of the ‘good guys’, every year sees a crop of headline-grabbing cyberattacks as the ‘bad guys’ find new ways to infiltrate networks and exfiltrate data, hold assets to ransom, or wreak havoc in other ways, for whatever reason.
And beneath the headlines, there’s a background level of security breaches — often under-reported — that are the inevitable result of businesses failing to monitor their networks and protect them against multiple types of attack, and users neglecting basic security hygiene.
As in previous years, Tech Pro Research has collated a large number of turn-of-the-year predictions in order to get an overview of the cybersecurity landscape as 2018 gets underway. All of these predictions were made before the biggest security story in years broke, in the first week of January — the Spectre and Meltdown processor vulnerabilities, caused by exploitable flaws in modern CPU design.
We’ll return to this potentially seismic shift in IT security at the end of this article, but first let’s look at 2017’s cybersecurity highlights (or lowlights).
Here are 2017’s biggest hacks, leaks, and data breaches, according to ZDNet’s Zack Whittaker:
|Target||What was compromised||Attack vector|
|TSA||1000s of documents||passwordless backup drive|
|Verizon||14m subscriber records||unprotected third-party Amazon S3 storage server|
|NSA||>100GB of Army Intelligence data||virtual disk image|
|Equifax||PII on 143n consumers||unpatched web vulnerability|
|Bell Canada||1.9m customer records (partial leak following unpaid ransom)||n/a|
|Freedom Hosting||data on compromised Dark Web servers||system privilege escalation|
|Handbrake||RAT infection||password-stealing malware|
|HipChat||user account info, some messages & content||cloud app (third-party library vulnerability)|
|Cloudflare||customer data from Uber, 1Password & OKCupid||SSL data leakage from edge servers|
|Wonga||customer data from 270,000 accounts||n/a|
|PoliceOne||data from 715,000 accounts (hacked in 2015, exposed in 2017)||n/a|
including UK NHS]
|>300,000 computers infected with ransomware worldwide||WannaCry worm (based on stolen NSA hacking tools)|
|TigerSwan||PII on prospective employees||unlisted AWS storage server|
|Uber|| data on 57m users (hacked in 2016,
exposed in 2017)
|AWS account accessed via private GitHub repository|
|Cellebrite||900GB of sensitive corporate data||Cellebrite web servers|
|Sabre||payment and customer data||SynXis reservations system (a SaaS app)|
|ai.type||>577GB of PII on >31m users||passwordless database server|
|US Air Force||1000s of USAF documents||unsecured backup drive|
|CIA||1000s of documents on hacking efforts||WikiLeaks|
|Virgin America||login information and passwords for 3,120 employees||n/a|
|Deloitte||confidential documents & emails||email server admin account (no 2FA)|
|DaFont||account information for 699,000 users||SQL injection|
|Universities & US Federal agencies||PII, confidential documents, IP (potentially)||SQL injections|
|iCloud||access to 250m accounts + ransom demand||previously compromised third-party services|
|Dallas Texas||city-wide sounding of all emergency sirens||‘radio replay’ attack|
|OneLogin||SSO information for 1000s of clients||AWS instance accessed via intermediate host|
Particularly noteworthy cybersecurity lapses last year were the massive Equifax breach and the global WannaCry ransomware outbreak. The above list also includes several breaches of cloud security, often via third parties — attack vectors that are likely to become more prevalent in the future.
Predictions for 2018
This year, we’ve examined 518 cybersecurity predictions from 83 organisations, assigning them among 46 emergent categories (often splitting a prediction between two or three categories). Here are the results:
Let’s take a close look at the top five cybersecurity concerns for 2018:
As in 2016 and 2017, the number-one cybersecurity concern for the coming year is the Internet of Things (IoT). This really is ‘a security time bomb’ ( Nuvias Group) because, as Cyxtera puts it, the IoT has moved ‘from coffee pots to connected cars’ and therefore ‘from myth to reality’. Of course, the IoT has long been flagged as a security concern, but the combination of widespread adoption and minimal security provision means that, according to CloudBees, ‘security breaches related to unexpected uses of Internet of Things connected devices will more than double compared to 2017’. There will be more types of IoT attack, too, according to Symantec: ‘Expensive home devices will be held to ransom’; ‘IoT devices will be hijacked and used in DDoS attacks’; and ‘IoT devices will provide persistent access to home networks’. The result may be that ‘early adopters will begin to regret purchasing smart devices’ (F-Secure). Meanwhile, SentinelOne cautions that enterprise IoT will emerge as ‘a new threat vector’, providing ‘yet another entry point for a network breach that, with a lateral move, can give attackers access to identified assets of interest’.
The EU’s GDPR (General Data Protection Regulation) comes into force on 25 May 2018 — a fast-approaching date that has propelled it into second place this year. GDPR will not only apply to companies based in the EU, but also to any organisation that handles data pertaining to EU-based customers or businesses. Non-compliance with GDPR’s breach notification regulations will carry fines of up to €20 million or 4 percent of a company’s global annual turnover in the preceding financial year, whichever is greater. A big deal, then, and GDPR will ‘challenge a lot of businesses who are not already prepared’ (Avecto). Unfortunately, according to Forcepoint, ‘most organizations will not be ready prior to the GDPR enforcement date, and panic-driven policies will stifle businesses as they struggle to become compliant’. Small businesses will be hit hardest by GDPR, says CrowdStrike, due to ‘security immaturity’, while Trend Micro predicts that ‘many companies will take definitive actions on the General Data Protection Regulation only when the first lawsuit is filed’. The punitive level of fines under GDPR could also lead to blackmail attempts, says Nuvias Group, as bad actors threaten to expose non-compliance issues. However, on the plus side, ‘GDPR will force organizations to assess their wider data security practices’ (NTT Security).
FireEye notes that ‘people are really starting to put critical data into the cloud’, which goes a long way to explaining why cloud security has risen to third in our ranking. Breaches of cloud storage — specifically AWS S3 buckets — in 2017 prompted Palo Alto Networks to remind us that although ‘the cloud is someone else’s computer’, organisations still need to protect the information they put there. That requires security operations with visibility into cloud services, says FireEye CEO Kevin Mandia, while Centrify feels that ‘the rapid move to the cloud will increase the adoption of zero-trust network models and modern microservices architectures which will mandate the use of least privilege’.
The cloud security outlook remains pessimistic for some, though, with Symantec predicting that organisations will still struggle with both SaaS and IaaS security, resulting in ‘more breaches due to error, compromise and design’. Thales also foresees that ‘more major breaches will be announced that can be traced back to purely misconfiguring the cloud’, while A10 Networks predicts that cloud providers will become ‘a target by attackers looking to cause disruption’. Don’t be surprised to see ‘massive cloud data breaches [in 2018] — primarily because companies are not yet fully aware of the complexities involved with securing cloud data’ (Imperva).
Cryptocurrency and blockchain
There are several strands to the topical subject of cryptocurrencies and blockchain technology, covering both sides of the security fence. Starting with crypto-currencies, Imperva expects to see ‘a growth of cryptocurrency mining attacks where attackers are utilizing endpoint resources (CPU/GPU) to mine cryptocurrency either by cross-site scripting (XSS) or by malware’, adding that remotely hackable IoT devices and operations set up by insiders may be increasingly involved. According to Bill Weber, principal security strategist at eSentire, “businesses will continue to experience financial losses as they move to adopt cryptocurrency technology without appropriate security controls, creating new markets for trusted providers of crypto-economic business transactions”. The prediction from Proofpoint is that cryptocurrency theft will give malware the ‘Midas touch’, noting that ‘in this regard, cryptocurrency mining bots, or coinminers, represent the most direct path to profit for cybercriminals’.
All of this ‘criminal and illicit online activity’ surrounding cryptocurrencies and associated blockchain technology leads Check Point to speculate that ‘international government and law enforcement agencies [could well] take action over the abuse of cryptocurrencies, which will in turn adversely affect the value of the currency itself’. Meanwhile, Watchguard wonders whether ‘hackers [will] find a vulnerability severe enough to completely wipe out a popular cryptocurrency’.
Blockchain is emerging as a key enabler not just for cryptocurrencies, but also potentially as a cybersecurity option, says Centrify, but there’s a way to go yet: ‘While we expect blockchain to emerge as a potential disruptor across many areas of technology in 2018, it will take several years before vulnerabilities can be addressed and the technology is considered mature enough to act as a basis for enterprise security’. A10 Networks is more optimistic, suggesting that blockchain will be ‘more than just a buzzword’ in 2018 and will be widely leveraged: ‘By design, blockchain technologies are more secure than their predecessors, creating an online environment with tighter security and less anonymity than we’ve seen in the past.’
Cyber-extortion & ransomware
Following last year’s WannaCry saga, ransomware was never going to be far from the top of the prediction rankings, and this year it comes in at number five. Many pundits predict that cybercriminals will continue to reap rich pickings from ransomware attacks. Here’s FireEye, for example: ‘We expect to see continued use of ransomware in 2018, especially as administrators are slow to patch and update their systems’. According to Centrify ‘the dark but lucrative trend in ransomware will continue to explode in the coming year’, while KnowBe4 foresees ‘exponential growth of the ransomware plague, especially the “as-a-service” strains’.
Trend Micro expects evolution in this area: ‘the ransomware business model will still be a cybercrime mainstay in 2018, while other forms of digital extortion will gain more ground’. The main candidate seems to be targeted threats of business disruption: ‘In 2018, we expect sophisticated attackers to launch business interruption ransom attacks on companies with digitized operations (At-Bay); and ‘profitability of traditional ransomware attacks decline as defenses improve, and attacker focus shifts to high net-worth individuals, sabotage, and business disruption’ (McAfee). Forrester is more specific: ‘Cybercriminals will use ransomware to shut down point-of-sale (POS) systems’, while for Crowdstrike, the next phase of ransomware may be where criminal groups ‘hold entire networks hostage while demanding millions of dollars in ransom from businesses who need to get their operations back up and running’.
Completing the top ten prediction categories for 2018 are: the scale and targeting of cyber-attacks; artificial intelligence (AI)/machine learning (ML) and emerging cybersecurity technologies; nation-state cyber-activity; authentication & ID management; CxO and business culture issues.
It’s interesting to compare the 2018 top ten to previous years:
|1||IoT security||IoT security||The Internet of Things|
|2||GDPR||Security automation & orchestration||CxO issues|
|3||Cloud security||Malware & bad actor evolution||Politically motivated cyber-attacks|
|4||Cryptocurrency & blockchain||Ransomware evolution & escalation||Mobile security|
|5||Cyber-extortion & ransomware||Nation-state attacks||Cloud security|
|6||AI/ML and emerging security technologies||Cloud security||New cyber-attack vectors & targets|
|7||Nation-state cyber-activity||Regulation, governance & cyber-insurance||Ransomware & extortion|
|8||Scale & targeting of cyber-attacks||Mobile security||Security, privacy, law enforcement & cyber-insurance|
|9||Authentication & ID management||Industrial IoT & critical infrastructure||Malware evolution|
|10||CxO & business culture issues||Social engineering||Frequency and scale of cyber-attacks|
The IoT is front and centre in each of the three years, with cloud security, ransomware and nation-state/political cyber-attacks also ever-present. New top 10 entries in 2018 are topical areas like GDPR, AI/ML and crypto-currency/blockchain, while mobile security has slipped down the rankings (to 20th place) this year.
No sooner had 2018 got underway than news broke of major vulnerabilities — Spectre and Meltdown — in modern processors that, although rapidly addressed by OS and microcode patches, will probably require replacement of CPU hardware with fundamentally different designs in the long term. In the meantime, vigilance (there are no known exploits as yet), rigorous patching and acceptance of potential performance hits will be the order of the day.
Looking at the breaches from 2017, experts’ predictions for 2018 and taking the recently revealed CPU flaws into account, the reality in cybersecurity must be that everything is potentially insecure. For businesses, this means that basic security hygiene and regulatory compliance are essential, defence in depth and resilience to cyber-attack are priorities, and insurance against almost inevitable network compromise is extremely advisable.
Read more on cybersecurity
- IoT security: Keeping users on their toes means staying on yours
- IT leader’s guide to the threat of cyberwarfare
- Cloud security and IoT are the new peanut butter and jelly
- Encryption policy
- Incident response policy
- Intrusion detection policy
- Cybersecurity in 2017: A roundup of predictions
- A roundup of cybersecurity predictions for 2016