The Cyber Security Year Ahead: Brace Yourself for a Bumpy 2018
In insight / By Phil Muncaster / 02 January 2018
Along with New Year's resolutions and the back-to-work blues, January is traditionally a time when security vendors release their predictions for the 12 months ahead. There are always a fair number of self-serving entries in there — think cloud security companies warning of cloud-based threats. But the truth is that few are better placed to make such predictions than the men and women who spend their days developing products to anticipate the evolution of the threat landscape. I’ve spoken to many over the past few weeks and distilled what I think are some of the major trends to watch.
So with that, here are my top eight predictions, with the caveat that, as always, there’s a certain element of continuity from one year to the next, just as there will be some wildcard events in 2018 that no one can predict.
1. Time to ditch passwords
This week, dark web analyst firm 4IQ revealed the discovery of a searchable database on the cybercrime underground packed with over 1.4 billion breached credentials. It even included hints on how users typically reuse passwords and create repetitive patterns over time. The term “wake-up call” is over-used in security circles, but if this doesn’t cause firms to rethink their approach to identity and access management, nothing will. The classic password/username combo has not been fit for purpose for many years. It only exposes organisations to the risk of damaging cyber-attacks and exposes customers to phishing and fraud. Multi-factor authentication is the only way to protect privileged internal accounts and keep consumers safe.
2. GDPR: an ongoing challenge
For those of you who think the GDPR headlines will finally die away after the sweeping new regulation comes into force on 25 May this year, think again. The latest research claims that less than a third of retailers have an incident response plan in place in the event of a breach, for example. It follows numerous warnings this year that board members don’t know or simply don’t care about the new regulation. We’re more than likely to see some high-profile fines get handed down in 2018 as organisations continue to walk the compliance tightrope. Some may well come from the US, where coverage has arguably been limited. Also expect to see fines levied against data processors as well as controllers, because many firms still don’t realise that both have liability in this area.
3. Ransomware is just getting started
Reports of the slow demise of ransomware have been much exaggerated. In reality, it will be used in new and possibly more targeted ways to extract maximum funds from affected companies. Yes, the WannaCry and NotPetya attacks this year forced many firms to confront this relatively new threat. But there’ll always be fresh victims, and organisations which have most to lose — think critical infrastructure firms — should be on high alert. Trend Micro has even predicted ransomware-free extortion attempts in which hackers could steal customer data and then threaten to go public to GDPR regulators if they’re not paid.
4. New architectures, same old threats
Much has been made of late about the benefits of new cloud-driven application architectures such as serverless apps and containers. As organisations look to drive digital transformation through these new software components, they also risk greater exposure unless they add security as “far left” as possible in the application lifecycle. That means moving DevOps towards DevSecOps.
5. Machine learning, for good and bad
There are few cybersecurity vendors on the market today that aren’t trumpeting their use of machine learning and AI-style technologies. Those that are genuinely using such tools to good effect do so to analyse vast sets of data to find the needle in the haystack indicating a potential threat, and then follow up with trained experts to dig further. However, there’s also a strong possibility that the black hats will look to harness the power of machine learning to find and exploit zero-day vulnerabilities quicker, as well as to design malware that can’t easily be detected by such tools.
6. Fileless attacks to proliferate
Several security vendors are warning of an increasing trend towards so-called “fileless” attacks abusing non-malicious enterprise tools. In fact, Verizon claimed in 2017 that in half (49%) of all breaches over the previous 12 months there was no malware involved at all. Instead, attackers could crack network admin accounts (see entry #1, above) and use legitimate tools like PowerShell to achieve their ends. Of course, eschewing malware makes such attacks much harder for traditional security filters to spot. Organisations need instead to focus on spotting suspicious behaviours.
7. IoT threats come of age
Gartner predicts that by the end of 2017 there will be 8.4 billion connected “things” in use globally. Many of these will continue to be shipped without adequate security, allowing attackers numerous ways to cause mayhem. Poorly protected endpoints could be compromised to infiltrate the corporate network, while others could be hijacked to cause direct damage in operational environments — possibly by rival companies or even nation states looking to hit critical infrastructure. Widespread, systemic vulnerabilities like Devil’s Ivy and KRACK will only make their job easier.
8. The problem with vulnerabilities
Experts reported 15,000 new vulnerabilities were discovered in 2016 and this year will likely see a similar number, if not more. Put simply, software flaws are the fuel that feeds the fire of online threats. As WannaCry showed us, they don’t even need to be zero-day vulnerabilities to have a major impact: the SMB flaw exploited in that attack was patched by Microsoft a couple of months before it hit. The coming year will see cybercriminals increasingly looking to hedge their bets with “spray and pray” attacks exploiting known flaws and designed to capitalise on many firms’ lack of comprehensive patching programmes.
IT bosses must prioritise best practice security steps like patch management in 2018 if they want to mitigate the majority of threats coming their way. The good news is that even implementing these basic measures could protect them.
As a managed IT services provider, Nasstar is constantly reviewing its security posture based on the current and predicted threat landscape to ensure clients are protected from threats.
Nasstar has many layers of security protecting its hosted platforms, but it is crucial that its clients create a cyber-savvy culture within their organisations. That comes from the top down, and it spreads via effective training and regular updates to ensure best practice is always front of mind for staff.
That’s why, as a managed service provider, Nasstar puts a major focus on education and training – of our own staff and those of our clients, in things like Cyber Essentials. Security is present at every layer of our organisation, and it can be in yours too.
For more information read our short guide on the ways that Nasstar protects customer services.