2016 Cyber Security Threat Predictions and Why Nutrient-Extracting Blenders Still aren’t the Answer
NNT review and discuss the range of Cyber Security Threats predicted by analysts and vendors and present a Top Ten of Cyber Security Safety Measures. Drinking kale and beetroot smoothies isn’t one of them, but to find out why not, and to see what did make the list, read on…
“To begin with we consulted a number of expert sources. As with many of these prescient type reports, conjecture and guesswork certainly play their part. That said there is enough fact based on current trends and previously observed activity to take all this very seriously indeed.”
What Does Experian Think?
What Does Experian Think?
Chip & Pin won’t stop payment card breaches (only 53% of IT Security Executives believe EMV cards will decrease the risk of a breach)
- Whilst we may have expected there to be some pessimism to the claims that Chip & Pin would represent an end to Credit Card theft. Interestingly 47% predict no discernable improvement at all– never mind any sort of total prevention
Attacks on Healthcare Institutions will increase (Healthcare Records worth 10 times that of CC details)
- Healthcare records are worth 10 times more than that of credit card data. Healthcare providers have notoriously poor defenses – FBI warnings following a bout of breaches including one leading provider who had 4.5 million records compromised
- Healthcare records are being used to fabricate insurance claims, purchase drugs and generate fake ID’s. The lack of prevailing security and the rich source of personal data available, makes this a very attractive target for cyber criminals
Cyber conflicts between Enemy Nations will increasingly affect civilians
- Cyber war between Enemy Nations may include public facilities such as Airports, Hospitals and Government Facilities
- Perhaps this should come as no surprise as we have already seen examples of this right back to Stuxnet (originally designed to attack Iranian Nuclear Facilities) and the more recent disabling of Ukrainian Cel Networks by Russian intelligence
Hacktivism will make a come back
- Hacktivism- both corporate shaming and ‘Cause-Based’ will increase – considered the ultimate leveler
- From Ashley Madison to threats on ISIS. The apparent success of some of these initiatives is fueling a renewed vigor for those purporting to represent a cause – however justified
What Does Trend Micro Think?
What Does Trend Micro Think?
2016 will see an increase in online extortion
- We’ve already seen examples such as the LA Presbyterian Med Center settlement. The fact that this was a relatively quick and easy ‘Hack for Cash’ is driving another predicted trend, which we will touch on later. The LA Hack speaks to both the targeting of Healthcare as well as the increase in Ransomware
At least one consumer grade smart device will cause fatalities
- From Drones circling our no fly zones to Medical Smart Devices used to transmit emergency care information. All of these are targets and all occupy worryingly close links to human lives
China will drive mobile malware growth to 20M by the end of 2016
- Growth in Mobile Malware is already accelerating way faster than traditional computer based Malware. Since we started tracking PC Based malware in 1984 it took 20 years to grow to 20m instances. In contrast, we have seen Mobile Malware grow to these levels within 6 years (Source: Trend Micro)
Hacktivism will increase
- Trend agrees with Experian!
Little or no change in priority or investment at a corporate level
- Despite all if this, less than 50% of organizations will have dedicated IT protection specialists
Cybercrime legislation will become a Global Movement
- United Nations will inevitably combine forces to improve both Cyber Protection as well as their ability to fight back
What Does Gartner Think?
What Does Gartner Think?
The attack surface is changing all the time
- Contemporary threat environment is broadening with the advance of Shadow and Bimodal IT
- Means of enabling IT is changing. The Marketing Department may well have their own IT assets beyond the IT teams reach
- The better you understand what you have the better able to protect and monitor it you will be
Don’t focus too much on Zero Day Threats!
- 99.99% of exploits are based on vulnerabilities known for at least a year, and this trend will continue through 2020! Last year’s most prevalent malware ‘Conficker’ based on a 7 year old vulnerability within Windows
Emphasis should be more on prevention than detection
- Focus on the fundamentals of cyber protection rather than investing in emerging technologies
Known vulnerabilities will be sold on the black market more
- Where new vulnerabilities and new exploit techniques are discovered, the value of these is now better understood with an established market available
NNT Summary of 2016 Cyber Security Threat Predictions
- The field of attack is broadening as new lucrative and disruptive targets are identified, and those with a cause to promote seek to enter the arena
- Organized crime will join the cyber-crime movement as it ceases to be the sole domain of the specialist hacker. $17k quick and easy ‘Hack for Cash’ at LA Presbyterian Medical Center combined with the prevalence of Malware on the Black-market makes cyber-crime suddenly accessible and attractive to common-all-garden crooks
- Apathy (it won’t happen to us) and cost will remain the two major blocks to Corporate and Government Cyber Security
- The litigators are circling! The stakes are going to be raised as more lawsuits are brought for damages relating to the loss of personal identifiable information
The Typical Mistakes Made by Most IT Teams and Why Corporate Cyber Security fails
So we all get sold on the need for Cyber Security defense measures and there is plenty of FUD (fear, uncertainty, and doubt) used to amplify the urgency and acuteness of the need.
The difficulty when determining the right Cyber Security strategy for your organization and in turn which technologies and products to use is not too dissimilar to assessing the market choices for keeping your body fit and healthy.
Many vendors try to say that they can deal with all known threats to the enterprise when actually, just like your personal health, it just isn’t as simple as that. Cyber Security takes many forms and the range and nature of the threat are so varied that there just isn’t any getting away from the fact that it will require a multi-faceted solution.
But – it’s easy to be tempted by the pitch! A sexy looking security appliance with a slick GUI is very tempting. And if it really can capture and defeat APTs, stop Phishing attacks and malware, block and alert on insider threats, hacktivism and rogue employees, while also protecting your IT from ransomware and government-sponsored/ blue chip espionage, then all your problems would be solved.
Likewise, if you really could lose weight, build a six pack and get marathon-beating stamina from drinking a kale and Persian cucumber milkshake, we would all do it. And of course, an anti-oxidant rich cocktail of vitamins and nutrients probably will help in some way, but it isn’t going to get everyone losing weight and getting fit. In fact, most would give it up and go back to bad habits.
Which brings us back to Cyber Security – it’s also a 24/7 discipline and requires a combination of technical measures, procedures, and working practices to maintain solid defenses.
It’s precisely for this reason that organizations get breached and will continue to get breached unless Cyber Security mindset becomes second nature for all employees.
So, in the meantime, what should you be focusing on? Here’s a quick summary – there are more comprehensive security policies, standards and guidelines out there – see the PCI DSS (Version 3.2 is almost here) or any of the other standards I showed earlier like NERC CIP, NIST 800-53 etc. There are also generic policies, like the SANS Top 20 or the CIS Security Policy that are freely available.
Top Ten Cyber Security Tips
- Mitigate Vulnerabilities
- Firewall or better, IPS
- System Integrity Monitoring
- Change Control – augmented with Threat Intelligence
- Promote and enforce an IT Security Policy
- Finally - Don’t be too thrown off course by the latest ‘must-haves’
Top Ten Cyber Security Tips: 1
1. Mitigate Vulnerabilities
Easier said than done and most security policies duck out of providing specific prescriptive guidance, partly because this is a fluid area and the latest intelligence is always needed, but also because vulnerabilities need to be balanced against risk and operational requirements.
In other words, most security professionals will tell you to minimize open ports and remove any unnecessary services, in particular, FTP and Web Servers, so a typical hardening exercise involves removing these. But if you actually need these for your application then you will need to provide security via other means.
The latest Microsoft Security Policy covers literally thousands of settings that control functional operation and in turn security of a host, so deriving the best-balanced build standard can be a painstaking task. The Center for Internet Security Benchmarks provides secure configuration guidance drawn from manufacturers like Microsoft and RedHat, combined with academic and security researcher input. They are available free of charge and provide full details for auditing for and remediating vulnerabilities from a comprehensive range of platforms. This is an area where automated tools are definitely an essential.
Top Ten Cyber Security Tips: 2, 3, 4, 5
2. Firewall or better, IPS
The best-understood elements of any Cyber Security kitbag are the firewall and AV. They are fallible as we all know – zero-day threats easily evade AV even while the AV is gobbling up system resources and more often than not, getting in the way.
Likewise, for the firewall or IPS - there are numerous ways to leapfrog the Firewall using phishing attacks, APT technology or just plain old Inside Help. However, as we said earlier, there isn’t going to be a quick fix, single course of action of technology that will keep us secure, and these legacy security components still play an essential role. Less well understood are some of the complementary technologies available that can be used to plug further weak spots. The market is awash with good ideas and exciting sounding technology, I would say to look at what is available to you right now, but is probably not being used.
Namely EMET and AppLocker – both are Microsoft offerings, free to use, but require a little bit of know-how and experimentation to implement.
EMET works to head off a number of malware techniques, especially ‘file-less’ malware that tries to use process hijacking, memory exploits, browser vulnerabilities and man in the middle attacks.
AppLocker provides the means to whitelist/blacklist program and DLL operation to really lockdown PC and Server operation.
There are many commercial offerings covering similar areas of course, but neither of these, nor Windows Defender, should be overlooked.
Top Ten Cyber Security Tips: 6, 7
6. System Integrity Monitoring
7. Change Control – augmented with Threat Intelligence
Three main reasons why change control and system integrity monitoring are vital to maintaining Cyber Security:
Firstly, once our Vulnerability Mitigation and secure configuration work have been implemented, we now need that to remain in effect for ever more. So we need a means of assessing when changes are made to systems, and to understand what they are and if they weaken security.
Secondly, any change or update could impact functional operation, so it is vital we have visibility of any changes made.
And finally, if we can get visibility of changes as they happen – and especially if we have a means of reconciling these with details of known expected planned changes - then we have a highly sensitive breach detection mechanism to spot suspicious action when it happens
All leading Cyber Security policies/standards call for change control and system integrity monitoring for all these reasons – it is key.
Top Ten Cyber Security Tips: 8, 9
8. Promote and enforce an IT Security Policy
9. Encryption (BitLocker)
Cyber Security isn’t just the responsibility of the IT team and their security kit, but must be an organization-wide competence.
Children grow-up being taught about food hygiene, it isn’t just the remit of professional chefs. Unfortunately, it takes generations for this kind of knowledge to become universally assimilated, so until Cyber Security hygiene itself becomes a basic life skill for all, it will be down to the workplace to educate.
To this end, in case you don’t already have flyers/posters for Cyber Security education there are plenty of resources available, again the SANS Institute provides a bunch of these that are free to use and very good.
Separate but related is the subject of data encryption – it slows everything down and gets in the way on a daily basis BUT it can prove a lifesaver if there is a breach that results in data theft. Loss of a company laptop is a pain, but the loss of confidential data could result in anything from acute embarrassment to fines and lawsuits. Again, plenty of commercial options exist and there is also a free of charge MS option for this too in BitLocker. You can use it to encrypt all drives or just data on local and removable drives.
In an enterprise environment this is controlled via Group Policy and as such, can also be audited automatically in the same way that vulnerabilities can be assessed. Used correctly, this same audit report can not only provide the recommended settings to use when first implementing BitLocker, but it will also highlight any drift from your preferred corporate build standard, along with all the other security settings needed to protect systems.
Top Ten Cyber Security Tips: 10
10. Finally - Don’t be too thrown off course by the latest ‘must-haves’
The final piece of advice really is to focus on getting the fundamentals right and not chase the latest, niche or point products. If the maxim of ‘there is no such thing as 100%’ security is accepted then how are you going to achieve Cyber Security?
The only answer is that it will need to be managed as a layered and 360-degree discipline, comprising technology and processes to first instigate and then maintain security.
Vulnerability Management, System Hardening, Change Control and Breach Detection are some of the absolutely essential components needed – the good news is that this can all be automated and just the ‘need to know’ exceptions reported for investigation.
Final words: Get your technology right for the general, everyday security before investing too much time and money into the latest ‘hot’ product.