As organisations plan their IT budgets and cyber security defenses against the threats they will face in the coming year, the question is: What should they expect from hackers? Everything. This may sound flippant, but the truth is that everything we have built as the foundation of our security practices is rapidly changing. The rate of change will accelerate in 2018, with no indicators of slowing down in the near future.
In 2017 we saw the time businesses have to patch their systems shrink from months or years to weeks or days. No one needs a 0-Day if they know the business doesn't have a patching window until the end of the quarter or that they will probably miss one or two servers no one was administering.
We saw some of the biggest distributed denial-of-service (DDoS) attacks ever in late 2016 and through 2017. The threat of a series of DDoS attacks that exceed 1 Tbps looms over us, in a very real sense. Maharashtra in 2016 saw many small and medium-sized internet service providers being targeted by a DDoS attack. The attacks, which were carried out at the speed of 200 gigabytes per second, paralysed the internet in Mumbai and affected multiple businesses. DDoS attackers originally coordinated people, and then there were botnets of PCs, and then botnets of servers, and now botnets of IoT devices.
To prepare for this reality, here are some of the highlights that I think we will see in the cybersecurity industry in 2018.
Fear of the organised threat actor
The biggest threat facing us in 2018 is organised threat actors. The year 2017 showed us that businesses are facing criminal organisations, hackers backed by competitors and even nation states. We have long suspected this would be the case, but it's becoming increasingly clear that the level of sophistication and tenacity shown by these attackers is far beyond the opportunistic hacking many enterprises are currently prepared to defend against. Because attribution is so hard and proving who the attackers were is nearly impossible for most organisations, the hacks will be more brazen as the year goes by.
Consumers have made it clear that new features and costs are much more important than security or privacy when it comes to IoT. Because of this, these devices continue to be built with little or no concern for security and they will continue to be abused to fuel DDoS campaigns and other types of attacks. Even more secure devices like phones and tablets are being targeted for their greater computing power, to be used by malware such as WireX in DDoS attacks and ad scams.
Hacker motivations shift from curious to criminal
The motivation of hackers is increasingly moving from the curious individual to organised crime and nation state actors, where hacking is simply a day job. It becomes the source of a paycheck, which is both good and bad for defenders. On the one hand, drawing a paycheck often gives the hacker less motivation to push boundaries and find new vulnerabilities, meaning they will try the same tried and true tactics that have worked before. On the other hand, because it's a job, hackers will have greater resources and more confederates to help build out specific tools than ever before. Organised hackers will be much more dangerous than individuals or small groups could ever be.
Future for biometrics in security
Biometrics are a complex question for security. We are already using complex biometrics on our phones and other devices to provide security, often with mixed results. But the downside of those controls is that we are also providing data on how we live our lives in order to provide that questionable security. It's impossible to change a thumbprint if a database was compromised and the owners were improperly recording and securing the biometric data.
The larger theme of biometrics is also incredibly complex when it comes to the health data of individuals. This complexity increases given the size of this market as well. India's IoT market is expected to grow from $1.3 billion in 2017 to $9 billion by 2020 as per a report by Deloitte TMT Predictions 2017. The global market, on the other hand, is expected to touch $300 billion in the next 5 years.
Activity trackers are the quintessential example: we can record heart rate, blood pressure and almost any other biometric an individual might want to pay for. But that data can be used against the individual, either by someone who steals the data or by an employer who legally collects the data and decides an employee is a health risk. There are years of wrangling to come from the legal and ethical standpoint of this data.
Time to reevaluate tools
IT professionals should re-examine and evaluate the security controls throughout their enterprises. The threat landscape has changed significantly in the last year. The biggest impact the security team can have is to understand how effective their current protections are against threats. The controls that were seen as effective enough in 2017 may be less effective than needed for 2018, so performing a new evaluation of effectiveness and risk is essential.
Cleaning up the technologies and processes enterprises already have in place needs to be the priority for the security team, because there will be a far greater number of attacks. This is why phishing continues to be so effective for attackers and why the edge case server that went unpatched is so dangerous to the enterprise.
(The writer is Senior Product Manager, Cloud Security, Asia-Pacific, Akamai)
Updated Date: Jan 15, 2018 16:10 PM