A Look Back at our 2016 Security Predictions: How'd We Do?
We’re only weeks away from revealing all the NEW security challenges we’re watching for in 2017. In anticipation, we examined last year’s predictions to see how accurately we judged security trends for 2016 and grade ourselves on the results.
Want to know what the next wave of Ransomware will look like? Or the impact AI may have on your organization’s data security? Forcepoint’s 2017 Security Predictions goes live in November. Register now for your region’s webcast and find out what’s coming next year.
The U.S. elections cycle will drive significant themed attacks: A+
Our first prediction proved true shortly after our 2016 report’s release with Anonymous launching an attack against the Trump Tower website on Dec. 11 and declaring “total war” on the candidate in early March 2016. The months that followed saw an alleged Russian hack of the Democratic National Committee, foreign hackers breaching state election systems and consideration by the Department of Homeland Security to add America's election system to its list of critical infrastructure.
Our prediction even described the potential for a “future cyber Watergate” – language that was echoed after the DNC breach by U.S. House Democratic leader Nancy Pelosi and a former U.S. intelligence officer, who described it as an “electronic Watergate” and “Watergate with a cyber twist.”
We gave ourselves an A+ for (unfortunately) getting almost every aspect of this prediction right.
Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud: C
Last year we predicted that rapid chip and PIN implementations would drive cyber criminals to tamper with physical payment terminals. We also expected an increase in the hacking of increasingly popular payment methods (like the Venmo and Cash apps) and for malware authors to escalate efforts to steal from digital wallets. Although we didn’t see the number of breaches that we might have expected, there were a few events that lent credence to our concern about such attacks.
At the Black Hat conference in Las Vegas this year, researchers showed how a vulnerability affecting major ATM makers and banks could be exploited to instruct an ATM to continuously dispense cash. In the same month, security researchers discovered vulnerabilities in Samsung's mobile payments app that could allow hackers to gain control of the device. Most recently, hackers accessed customer data from payment processing systems in handbag maker Vera Bradley’s stores via an installed program that captured data contained in the magnetic stripes of payment cards.
While these new payment technologies have proven to present new opportunities for digital fraud and manipulation, as noted above, we (thankfully) didn’t see those opportunities put into practice much this year; for this we gave ourselves a C.
The addition of the gTLD system will provide new opportunities for attackers: B
While not yet a challenge to .com, gTLDs (generic top-level domains) like .bank, .law, and .security are certainly gaining ground. Respondents in a July 2016 survey felt these domains were providing more structure to the Internet. But these new gTLDs also created more security concerns. Because these domains are still unfamiliar, users are often reluctant to provide personal information to sites using them.
This reluctance is no surprise when looking at statistics gathered by the Spamhaus Project, an organization tracking spam and related cyber threats. In tracking frequently used gTLDs, they’ve created a revolving list of the Top 10 Most Abused Top Level Domains and their “Badness Index”. As of October 17th, the number one abused domain was .science – seen a total of 41,184 times, with a full 36,334 of those categorized as bad.
Although we haven’t yet seen any large scale consequences of new/bad gTLDs, we gave ourselves a solid B for hitting the mark on their probability for being abused.
Cybersecurity insurers will create a more definitive actuarial model of risk – changing how security is defined and implemented: B+
We predicted that cyber insurance providers would begin to account for risk in more sophisticated ways in determining policy prices and coverage, including: looking at organizations’ cyber security culture and tools; industries in which they operate; and whether they’ve previously been breached.
In January 2016 the Center for Risk Studies at Cambridge University, along with eight leading modelling and risk assessment and insurance companies, published the Cyber Exposure Data Schema. This strategy aims to provide a uniform approach for insurance companies to assess and manage cyber risk, and conforms to our forecast.
On the other hand, while we anticipated an uptick in the adoption of cyber insurance outside of the U.S., an October survey showed a drop in the number of UK firms insured against cyber threats. However, Graeme Newman, director at CFC Underwriting in London, also stated that “The interest in cyber is phenomenal right now. It’s never been hotter… It feels like now it’s reached that stage of maturity where we’re seeing more and more buyers, we’re seeing more and more market participants, and everybody’s talking about cyber right now.” Marsh & McLennan Companies estimates the European cyber insurance market is growing by 50 to 100 percent annually.
We gave ourselves a B+ for correctly estimating the shift in risk assessment practices as well as overall global growth trends.
Data Theft Prevention (or Data Loss Prevention) adoption will dramatically increase in more mainstream companies: B
In 2016, cybersecurity regulations and cyber insurance continued to drive adoption of data loss prevention (DLP) solutions. EY’s Global Information Security Survey found that data leakage and data loss prevention were more important than incident response capabilities, security operations or security testing for 2016 for more than half of CIOs, CISOs, CFOs, CEOs and other information security experts. In August of this year, Gartner predicted 90 percent of organizations will implement a form of DLP by 2018.
Insider threats appear to be partly responsible for increases in DLP allocation. According to Accenture and HfS Research, 69 percent of enterprise security executives reported a theft or data corruption incident by an insider over the last year. And given the potential regulatory fines associated with lost data, not to mention legal complications and PR damage that could result, companies are increasingly looking to DLP solutions to keep from losing critical data.
For accurately predicting its adoption uptick, we gave ourselves a B for our view on DLP.
Forgotten ongoing maintenance will become a major problem for defenders as maintenance costs rise, manageability falls and manpower is limited: B
We concluded that in 2016 attackers would worm their way into organizations via forgotten or abandoned systems. Only weeks after our report’s release, it was discovered that a software bug had erroneously set thousands of prisoners free long before their sentences required. The same month, the Federal Trade Commission (FTC) reached a settlement with Oracle on charges it deceived consumers running older versions of Java about the product’s security, even though it was highly susceptible to malware. Then in January 2016, an Australian hospital was hit when malware infected machines in the hospital running older Windows operating systems. In the same month, UK banks were found to be using outdated SSL configurations that put them at high risk of attacks like POODLE. A few months later, advanced mobile malware that allowed attackers to monitor a victim in real time was found to have affected up to half a billion older Android devices. This was followed in July by the discovery of a 20-year-old vulnerability in the Windows Print Spooler that allowed for watering hole attacks.
We gave ourselves a B for this prediction. While there were indeed incursions as a result of outdated software, and vulnerabilities were discovered through which such attacks could occur, greater diligence on the part of manufacturers and security practitioners alike fortunately appears to have limited successful malware intrusions.
The Internet Of Things (IoT) will help (and hurt) us all: B
When coming up with our predictions last year, the infrastructure and security of the Internet of Things, especially as it pertained to Healthcare IoT and wireless technologies, were top of mind. We thought that the same technologies making medical care, home security, cars, and almost everything we use and interact with on a daily basis more efficient and beneficial would also cause significant security problems. We also theorized that the use of these internet connected devices at work might negatively impact business security.
In February, customers of smart alarm provider SimpliSafe were no doubt dismayed to find that their PINs could be harvested and alarms turned off from yards away. At Black Hat USA, a research firm gave evidence that Bluetooth devices, used for keyless entry and mPOS (mobile point of sale) functions, were vulnerable to cloning and unauthorized access. A British investigation in September of this year found hundreds of thousands of devices – including webcams and baby monitors – vulnerable to digital eavesdropping. In the same month, Chinese researchers exploited vulnerabilities in one of Tesla’s vehicle models, allowing them to take over the brakes, among other features. This month saw two new concerns. First, a Wi-Fi enabled insulin pump was found to be vulnerable to attacks that could disable it or alter its commands, flaws that could not be fixed via the usual software updates. Then, a hosting service was hit with the largest DDoS attack ever seen, using more than 150,000 IoT devices, including cameras and DVRs.
For correctly concluding that the rise of IoT would see a concurrent rise in vulnerabilities, but because businesses have not yet been overly impacted, we gave ourselves a B.
Societal views of privacy will evolve, with great impact to defenders: B
In last year’s report we opined that data breaches and the loss of personally identifiable information (PII) would drive major shifts in the way in which privacy is perceived. Following publicized major consumer breaches, like Target, Home Depot and others, recent studies have shown that we are concerned about privacy and being the victim of a breach, just not enough to change our behavior.
In fact, earlier this year a Virginia judge ruled that those using a computer connected to the Internet can’t reasonably expect privacy, writing in his opinion that:
"Hacking is much more prevalent now than it was even nine years ago, and the rise of computer hacking via the Internet has changed the public's reasonable expectations of privacy. Now, it seems unreasonable to think that a computer connected to the Web is immune from invasion. Indeed, the opposite holds true: In today's digital world, it appears to be a virtual certainty that computers accessing the Internet can—and eventually will—be hacked."
Further, the adoption of IoT devices in the home and the workplace means users constantly balance the right to privacy with the convenience gained by using a system that is constantly “on” and tracking activity. Fantastic benefits can be gained from permitting IoT devices to gather information (consider the rapid adoption of IoT devices in the healthcare sector designed to collect personal data to be used by physicians), but decisions around the limits of responsibility still need to be made.
Because who bears the obligation for the storage, movement and processing of that data still ultimately needs to be determined, and will likely be played out for some time to come, our final prediction earns a B.