November 7, 2017

Security Predictions 2017 – How did we do?

Carl Leonard Principal Security Analyst

Every year, Forcepoint makes security predictions for the 12 months ahead. Here, we review how well we did in our 2017 Predictions Report, released in November of 2016.

Overall, we made 10 predictions: predictions 1-5 were those driven by macro forces, such as new developments in foreign policy, demographics, trade law, corporate policies and market forces; predictions 6-10 were primarily in the digital realm.


The Digital Battlefield is the New Cold (or Hot?) War                                             A

We predicted that both offensive and defensive cyber operations would become as important as physical weapons during actual conflict. We spoke about the rise of “cyber terrorists,” which would become a growing problem, and a potential target for military operations as enemies of the state. Cyber terrorism can also take the form of nation states interfering in elections, as recent reports assert. Further underlining the importance of this, the US Government decided in January 2017 to formally designate election infrastructure as part of critical infrastructure.

There were several incidents this past year which support the notion of disruptive or destructive cyber attacks to support political objectives: the alleged interference in both the U.S. and German elections; claims such as those made by Qatar against the UAE; and claims made by Indian activists against Pakistan government websites. Concrete attribution is still a problem in each of these cases, and even with some security firms pointing at North Korea as the culprit behind Wannacry, definitive blame remains difficult to prove.

Millennials in the Machine                                                                                         C

Millennials are projected to make up 75 percent of the workforce by 2025*. We predicted that accidental data breaches would become more common as millennials entered and changed the cultural norms of the workplace. The quantity of data breaches has certainly risen, but we have found it hard to consistently prove a correlation between the age of the individual responsible for the breach, and the breach itself.

There are some examples such as the junior software developer who posted on Reddit that he or she accidentally deleted an entire critical database, but as the individuals behind data breaches usually remain anonymous, our assumptions remain unproven.

However, we can point to changing attitudes to technology and privacy, which we believe poses a risk to enterprises. Raytheon and Forcepoint recently collaborated on a survey, Securing Our Future: Cybersecurity and the Millennial Workforce, which highlights risky behaviors from millennials. In the month previous to the survey, 77 percent had connected to unprotected Wi-Fi and 42 percent shared a password with a non-family member during the year. Another survey showed only 26 percent of university students said they were aware of any breaches at their schools. Considering the prevalence of BYOD policies in enterprises, these attitudes clearly pose significant risks.

For this prediction, we give ourselves a C. We said organizations need to get ahead of the security curve by adopting technology that puts context around employee behavior to distinguish between harmless or accidental behavior and risky or malicious employee activity. While the quantity of data breaches continues to rise, the insider threat remains a plausible attack vector arising from all employees, not just millennials.

* According to population estimates by the U.S. Census Bureau and Pew Research Center

Compliance and Data Protection Convergence                                                     A

We are now nearing the deadline of the European Union’s (EU) General Data Protection Regulation (GDPR) becoming a legal requirement, with enforcement beginning in May of 2018. We predicted that corporate and social responsibility for protecting personally identifiable information (PII) would converge, becoming a reality for organizations of all sizes. We also said that, beginning in 2018, the new, true impact of a data breach would be re-examined prior to increased sanctions for non-compliance incidents. We said that the impact would be felt most by large enterprises that had not prepared going into 2017.

The industry could not have asked for a larger impact to drive home the importance of GDPR compliance than the Equifax breach, which revealed the personal and irreplaceable private data of 145 million U.S. citizens. And while most of the breach mostly affected U.S. citizens, 15.2 million records belonged to British and Canadian citizens. The British ICO and U.S. Congress are now asking Equifax for answers; it’s clear that the industry is sitting up and taking notice. If this happened a mere eight months later, the outcome for Equifax could have been significantly different.  We are finding that organizations are driving towards improving their data protection strategies, in order to reduce the risk of a breach and the accompanying larger fines if they’re proven to be negligent.

Rise of the Corporate-Incentivized Insider Threat                                                 B-

We predicted that more cases of corporate-incentivized insider abuse of PII would come to light.  We thought that it might create a new definition of insider threat, where the organization inappropriately leverages customer data to meet corporate profit expectations and other performance goals. 

We were close, but again examples are scarce. There were two cases in 2017 where courts found companies guilty of falsifying customer data to make money – US-based home healthcare provider Dynamic Visions and a group of US physicians fraudulently manipulating patient records. In addition, British-based Verso Group was fined over $100,000 for selling on people’s personal data for marketing purposes without appropriate permissions.

In addition, we continue to see commercially sensitive data extracted from one organization to another. What is different this year is an improvement in the tracking systems of organizations allowing for this activity to be identified sooner and, in some cases, legally challenged.

For example, Uber is currently in the middle of a trade theft case brought on by Google, who claims that Uber’s laser sensor tech for self-driving cars is based on data stolen by a former Google engineer who later became an Uber executive. Another case involves a U.S.-based salesperson who, after leaving one company for a role at another, continued to access the former company’s databases, essentially committing corporate espionage.

Technology Convergence and Security Consolidation 4.0                                    B-

We predicted that companies not taking part in industry convergence — unless they received additional venture capital — would be more likely to exit the industry as a result of vendor consolidation. Security-related mergers and acquisitions continue to take place; we acquired UEBA specialist RedOwl in August 2017 and Skyfence in February 2017.

We’re not the only company building up our portfolio. As City AM reported in July, not only are security acquisitions increasing but so are the prices of security-related businesses. Cybersecurity Ventures reported major acquisitions for 2017, with an expectation of more throughout the year: Microsoft bought Israeli company Hexadite for $100 million; CyberArk signaled their appetite for an  acquisition with a $42 million deal to take over DevOps security software company Conjur; Gemalto closed on one of the largest deals in the quarter with their $850 million purchase of 3M’s identity management business; and numerous small players got snapped up by the likes of Honeywell, EY, General Dynamics and Accenture.

We also said that security training and products focused on increasing security resources, such as sandboxing, could be the next big wave. The market has seen increasing popularity of SIEM technologies, which free up scarce and expensive personnel resources by reducing the signal-to-noise ratio, allowing people to focus on incidents that pose true threats to security. Gartner predicted that SIEM technologies would be among the fastest growing security technologies for 2017 and beyond.

The Cloud as an Expanding Attack Vector                                                              B

In 2017, we predicted a rise in hypervisor hacking, and stated that Denial of Service attacks would rise against cloud providers; this is a prediction which came close but had low impact. While there are plenty of known vulnerabilities in hypervisors, including the Xen project listing seven patches for hypervisor bugs, we are seeing low incidents of real-life examples when good practices are followed.

We also stated that organizations migrating their vulnerable environments to the cloud would experience reduced overall security if they relied solely on security within the cloud. To combat this, we also stated that hybrid security would become a popular method to protect data wherever it is used or accessed. This is happening — in addition, it has become necessary for businesses to better understand what visibility and control they have on that data, hence the rising demand for CASB and DLP solutions.

As organizations move to the cloud, access control and permissions mistakes are being made that can result in data being exposed publicly, as in the examples reported by Dark Reading and others.

Voice-First Platforms and Command Sharing                                                         B

We predicted that the convergence of technologies would generate a new round of consolidation, and that the number of apps designed to leverage voice-activated commands AI (e.g. Siri, Alexa) would explode in 2017, creating a completely new threat vector.

Voice-activated AI has indeed grown, with Google Home entering the market as an Amazon Alexa competitor; eMarketer predicts that voice-enabled speaker usage will grow 130 percent in 2017. Google Analytics has also added voice-activated analytics, giving differing forms of access to potentially sensitive data. While threats have not yet been realised, the opportunity exists and is growing.

AI and the Rise of Autonomous Machine Hacking                                                 C

We predicted that widespread weaponization of autonomous hacking machines by threat actors would emerge in 2017, creating an arms race to build autonomous patching. We imagined self-directed hacking machines launched by rogue hackers or state actors to anonymize attacks, target and overwhelm rival national cyber defences, or trigger a response that would quickly evolve into geopolitical and economic crises. While we have not seen much movement in this space, the potential is still there. We think this prediction is still one to keep an eye on; if realized, the impact could be severe.

Ransomware Escalation                                                                                            A+

We gave our prediction about the explosion of ransomware an A+, unfortunately, since it negatively impacted so many people worldwide. If this were a 10-point scale, we’d have turned it up to 11.

We said that there should be no expectation ransomware would go away and that hackers would have to alter their current playbook, morphing ransomware to include data exfiltration techniques, in order to better capitalize on every hack.

The following are examples of disruptive ransomware which morphed and developed to achieve its aims.

Wannacry, May 2017 - The appearance of WannaCry in May of 2017 introduced worm-like capabilities to ransomware.  It was a milestone moment which spawned many derivatives seeking to spread quickly from organization to organization.

Jaff, May 2017 - Even with the attention paid to ransomware spreading via network vulnerabilities in the SMBv1 protocol, we must not forget about the traditional email lure; in Jaff’s case, this was observed at a rate of 4.5 million emails per hour.

CradleCore, May 2017 - The RaaS (Ransomware as a Service) model did not work for the malware author, so instead it was offered for sale as source code, and others were later able to enhance it. CradleCore highlighted that code re-use and through modification generated a threat landscape of tomorrow different from that of today.

Philadelphia, June 2017 - This reinforced that particular industries are deemed more attractive to ransomware authors: healthcare and financial services have money and desire to get their files back, which results in increased ransom demands and targeting.

Petya, June 2017 - Petya (aka NotPetya) initiated a debate on the motivation of the attackers: was the goal of Petya to wipe/destroy machines or to hold them to ransom?  The jury is still out, but Petya reinforced the message of seeking to understand the intent of the attacker, in order to best protect data or recover it in the most appropriate way.

Bad Rabbit, October 2017  - This brought home the importance of protecting businesses from drive-by downloads and training users to not interact with fake software updates.

Abandonware Vulnerability                                                                                     A

We stated that we’d see more “abandonware,” (i.e., orphaned technologies), where owners stop supporting and upgrading their products. Petya (aka NotPetya) went even further. While compromised software wasn’t abandoned in this case, the original authors had lost control of the update servers; as a result, trusted automatic updates wrought havoc across the world.

Forcepoint had previously warned this could happen. Last year, we stated that IT security professionals and other security researchers relied upon out-of-date, unsupported legacy tools to reverse engineer programs for a variety of purposes. We expect to see more legacy, end-of-life abandonware vulnerabilities leading to data breaches.

This part of the prediction was proven recently with the so-called “KRACK”, where researcher Mathy Vanhoef released details of an attack against the WPA2 Wi-Fi security protocol, a protocol adopted since 2004. This is certainly a concerning discovery with far-reaching implications but there are mitigating factors: many applications such as online banking, accounting or even Facebook and Google use HTTPS to provide an additional layer of encryption. Attacks against HTTPS are not unheard of but would require the presence of additional vulnerabilities and effort on the part of an attacker to break.

Final Grade: B

Overall, we’d give ourselves a solid B for this year’s work, as we were pretty close on many threats. In general, enterprise and government organizations must consider how the traditional perimeter has evolved and, in some cases, dissolved. Stay tuned to discover next year’s impactful security threats and possible industry shifts in our Forcepoint 2018 Security Predictions Report.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.