MUMBAI, INDIA: Next year promises to be super interesting what with the US elections and payments technologies likely to dominate the whole of next year. No wonder, security vendors are predicting the US presidential election cyber-antics; cyber-criminals pickpocketing the wallet on your phone; and an increase in vulnerabilities from the aging Internet, among other security challenges.
Listed below are the key highlights:
The US elections cycle will drive significant themed attacks: Attackers will use the attention given to political campaigns, platforms and candidates, as an opportunity to tailor social engineering lures. Others will focus on hacktivism, targeting candidates and social media platforms.
In addition to the obvious social engineering of threats around the political campaigns, platforms and candidates, the tools and infrastructure of those involved with the political process will be targeted (ie candidates, news sites, support groups). Hacktivists may reveal unwelcome personal details or use compromised accounts to spread false information appearing to come from the candidate. Security lapses and gaps in defenses will prove costly for those who are not diligent during this time.
Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud. Hacks targeting mobile devices and new payment methodologies will impact payment security more than EMV.
The increase in non-traditional payment methods on mobile devices or via beacons and smart carts will open up the doors for a new wave of retail data breaches.
Forgotten maintenance of the Internet will become a major problem for defenders as costs rise, manageability falls and manpower is limited.
Like barnacles on a boat, the cost of security maintenance will begin to grow and create massive problems with the Internet and security practices. A surprising number of the most popular websites on the Internet are not as secure as they should be with respect to certificates. Additional problems include: old and broken Javascript versions that invite compromise; rapid OS updates and new trends in software end-of-life processes that cause havoc; and new applications built on recycled code with old vulnerabilities. All of these ghosts of Internet past will come back to haunt in 2016.
The addition of the gTLD system will provide new opportunities for attackers: The number of gTLDs as of November 2015 exceeds 700 domains, and about 1,900 more are in the waiting list.
As new top-line domains emerge, they will be rapidly colonized by attackers well before legitimate users. Taking advantage of domain confusion, criminals and nation-state attackers will create highly effective social engineering lures to steer unsuspecting users toward malware and data theft.
Cyber-security insurers will create a more definitive actuarial model of risk–changing how security is defined and implemented: Insurance companies will mature their offerings with qualifications, exceptions and exemptions allowing them to refuse payment for breaches caused by ineffective security practices, while premiums and payouts will become more aligned with underlying security postures and better models of the cost of an actual breach. Further, insurance companies will greatly affect security programs, as requirements for insurance become as significant as many regulatory requirements (PCI, HIPAA, ISO 27001).
The Internet Of Things (IOT) will help and hurt us all: The boundaries between corporate and personal devices have become blurrier, causing increasing friction and security challenges affecting critical infrastructure.
Industries that utilize a large number of connected devices and networked systems in the course of their everyday business, such as healthcare, are likely to face a wider range of security vulnerabilities and threats.
DTP adoption will dramatically increase in more mainstream companies: As a result of the very public breaches of 2015, predicted changes in cyber insurance, increased visibility in the boardroom for all things cyber and continued worries about data loss, there will be a more aggressive adoption of data theft prevention strategies outside of its traditional financial services installation base.
The prevailing assumption among security teams will become we are already compromised to help them strengthen their ability to deal with the inevitable.
Societal views of privacy will evolve, with great impact to defenders: Increasing frequency of data breaches, such as the many seen in 2015, are changing the way we think about personally Identifiable Information (PII). Further breaches and loss of PII will drive major shifts in the way in which privacy is perceived. Just as the last decade saw the introduction of the right to be forgotten, anticipate that within the next decade similar large shifts in privacy rights and expectations will emerge.
“The increase in connectivity and the digitization of the daily lives of both businesses and the general public will also lead to an exploitation of payment systems, IOT devices and the reformulation of our current perception of privacy. Smart cyber security is no longer about just preventing a breach, but building the resiliency and the flexibility to respond to and minimize the potential negative outcomes of a breach,”said Joshua Douglas, CTO, Raytheon|Websense
“The year 2015 will be seen in retrospect as a watershed year for information security, as many of the evolving threats and security practices now emerging will be directly attributable to events in this last year. Lures created from interest in US Elections, as well as other high profile events, will present opportunities for social engineering, not just for consumers but also for the candidates themselves. In the digital age, data handled less than securely could impact elections or even the candidates themselves. The evolution and expansion of an aging Internet will present significant opportunity for attackers while simultaneously tripping up defenders,” Carl Leonard, Principal Security Analyst, Raytheon|Websense Security Labs.