May 21, 2018

Security Predictions 2018: how are we doing so far?

Carl Leonard Principal Security Analyst

Back in November we released our Security Predictions for 2018. Now, only six months on, we can uncover just how many of our predictions have come true already. While we’re pleased with our accuracy, the reality can be somewhat discouraging, as many of these predictions bring additional risk to businesses like yours.

The goal of our Security Predictions is to give you a better understanding of the risks your organisation faces, and how you can better defend against them. I offer my top tips to mitigate at the foot of this blog.

Our eight predictions for 2018 were oriented around a core theme of privacy, with regulations such as GDPR prompting organisations to think critically about how they are protecting personal data and intellectual property. We also discussed ubiquitous encryption, data aggregation, cryptocurrency and ransomware.

Privacy Fights Back

Our first prediction anticipated “The Privacy Wars,” a polarising debate pitting technologists and members of the public, splitting opinion in government, at work and at home.

This debate has been thrust into the mainstream due in part to the Cambridge Analytica case involving Facebook. Revelations have been made in the press highlighting the extent to which people’s private data has been collected and used over many years by the social network and the consulting firm. Mark Zuckerberg has appeared before the US Congress and Facebook users and commentators continue to monitor the case. One could have anticipated this as a “predictable surprise” with a perfect storm of sharing, collecting and processing that one could only imagine just ten years ago. As a stand-out story of 2018 the outcome will trigger debate in the public domain for years to come.

Voice-activated systems are being deployed in tens of millions of households capturing and acting on commands. If you are interested in what Apple, Google and Amazon have been collecting, this article describes how to remove historical voice commands from devices such as Alexa.

It is not just our likes, follows and preferences for cat videos that are up for discussion. Biometric data is now being used on city streets to identify individuals that have triggered the interest of the police as in this example of portable fingerprint scanners being used in the UK.

GDPR will do a lot to safeguard the privacy and personal data of EU citizens, in particular, by making sure the data is used for the intended purpose, is protected and does not end up in the hands of criminals who may misuse it. This brings us nicely to our second prediction.

GDPR: Procrastination Now, Panic Later

We anticipated that many organisations would be slow to prepare for GDPR and it appears that many are only now initiating programs to be “GDPR ready.” Is this a case of “too little, too late”? I hope not.

The General Data Protection Regulation (GDPR) will be enforceable from 25 May 2018. With just days to go it is apparent from discussion at cyber security conferences and trade shows over the last six months that many businesses are simply not aware of their responsibilities in respect of the regulation and are not prepared to respond to a breach of personal data.

While technology is not the complete answer in the People, Process, Technology puzzle it can be a leading indicator to uncover issues around data loss and anomalous behaviour. Needless to say, Forcepoint can help; take a look at our GDPR Resource Pack as well as my Top 5 tips to initiate change in your organization.

I think everyone is looking (forward?) to see how things play out post-May.

Disruption of Things

We predicted that Internet of Things (IoT) devices would not be held to ransom as much as being leveraged for destruction in 2018. That didn’t stop the Oxford English Dictionary adding ransomware to their pages for 2018.

Surveys identified that almost one-third of energy companies hadn’t given special consideration to network security as part of their IoT rollout – a worrying observation if true. Penetration testers are already finding careful configuration to be lacking, with one such firm identifying school heating systems vulnerable to manipulation.

MIT Technology Review recently listed smart cities as one of the 10 Breakthrough Technologies for 2018 so it seems as though the surface area being presented to cyber criminals will continue to grow. As we talk about such applications for IoT it is worth noting that 2018 has presented the first public discovery of an unauthorised cryptocurrency miner in an ICS (Industrial Control Systems) or SCADA (supervisory control and data acquisition) setting.

Speaking of which…

The Rise of Cryptocurrency Hacks

We all know that cyber criminals follow the money trail. There have been numerous attacks on cryptocurrency systems during the last six months which fit our prediction. And while indeed predictable, this is certainly not surprising. (“Predictable surprises” is in fact a phrase which Dr. Richard Ford, our Chief Scientist, has blogged about).

During 2018 we found that jumping on the cryptocurrency and blockchain wagon can be both good and bad for your business. The company behind cryptocurrency USDT (Tether) admitted that $31m USD had been lost due to external attackers at the end of 2017. This had a knock-on effect for other cryptocurrencies as value was lost due to loss in confidence. Some organisations on the other hand enjoy a change in fortune as share prices rocket upon announcing blockchain programs.

Sparking comparison with the delivery method of NotPetya ransomware of mid-2017, the Windows version of the Bitcoin Gold cryptocurrency wallet was apparently compromised at source and replaced with a version that stole funds.

We have seen reports that British companies are stockpiling Bitcoin in readiness to pay a ransom. While we don’t recommend payment, some businesses are choosing to explore all options.

Data Aggregators

While everyone’s eyes are on the Facebook / Cambridge Analytica case the full impact is still to be revealed. In November we predicted that the attractiveness of huge quantities of data and complex ingress and egress will create a security challenge for data aggregators. Cyber criminals have known for a good while the extra value in building out FULLZ (complete sets of information pertaining to individuals).

As legitimate business models mine and combine the gold that is disparate data sources it has been clear that the outcome can often exceed the original intent. The creation of heat maps with the Strava fitness app data combined with GPS data permitted visibility into un-user information, locations and run patterns.

Cloud Security

It’s no secret that organisations are moving (or plan to soon move) to the cloud. They are doing this in droves, as a recent January 2018 report from Okta shows. Microsoft O365 has over 120 million active monthly users as reported by Ars Technica.

We predicted that a move to cloud computing will increase the risk of a breach from a trusted insider.

In the case of Deloitte, one of the “big four” accounting firms, administrator credentials were used to access the corporate email server. Two-factor authentication (2FA) had not been deployed, so access was gated by only a password. As more businesses move to the cloud it will become ever more essential to lock down critical systems and secure the data held in them.

With mandatory breach notification being dictated by regulations such as GDPR it will be interesting to analyse the root cause of data breaches and how they relate to cloud security post-May.

Encrypted by Default – Implications for All

From July 2018 Google Chrome will label all HTTP websites as “Not Secure” in a push to move webmasters to use HTTPS. As we reported in November 2017 only 70 of the top 100 non-Google websites, accounting for 25 percent of all website traffic, are using HTTPS by default. Are you using HTTPS by default on your websites?

We predicted that an increasing amount of malware will become MITM-aware; that is, it will realise when a security product is examining the otherwise encrypted traffic and respond accordingly. We shall continue to track the adoption of such techniques.

Major web properties are still struggling with HTTPS. Governments are forgetting to renew certificates, banks have not yet migrated to HTTPS on their homepage and implementations of common websites are showing problems.

If you wish to check the performance of your own SSL servers’ configuration you could use the renowned SSL Server Test offered by Qualys. If the result is not so great, consider moving to HTTPS by default to offer a more secure experience for your users.

The news is not all bad. Facebook now uses HSTS and Chromium preload lists to load external links as HTTPS.
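The checks this section points at (an HTTP-to-HTTPS redirect, certificate renewal, an HSTS policy and preload-list eligibility) can be scripted; the following is an added example, not part of the original post or any Forcepoint or Qualys tool. The hostnames, site records and 30-day renewal window are constructed assumptions; the one-year `max-age`, `includeSubDomains` and `preload` requirements are those of the Chromium preload list.

```python
import ssl
from datetime import datetime, timezone

PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age accepted by the Chromium preload list

def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def assess(site, now, renew_days=30):
    """Return the list of findings for one observed site (empty list = clean)."""
    findings = []
    if not site["redirect"]:
        findings.append("plain HTTP is served without a redirect to HTTPS")
    # not_after uses the format returned by ssl getpeercert()["notAfter"]
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(site["not_after"]), timezone.utc)
    days_left = (expiry - now).days
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < renew_days:
        findings.append(f"certificate expires in {days_left} days")
    hsts = parse_hsts(site.get("hsts") or "")
    if not hsts["max_age"]:  # header missing, unparsable, or max-age=0
        findings.append("no effective HSTS policy")
    elif not (hsts["max_age"] >= PRELOAD_MIN_AGE and hsts["include_subdomains"] and hsts["preload"]):
        findings.append("HSTS present but not eligible for the preload list")
    return findings

# Constructed observations (not real sites), evaluated as of the post's date.
NOW = datetime(2018, 5, 21, tzinfo=timezone.utc)
SITES = {
    "a.example.test": {"redirect": True, "not_after": "Aug 20 12:00:00 2019 GMT",
                       "hsts": "max-age=63072000; includeSubDomains; preload"},
    "b.example.test": {"redirect": False, "not_after": "Jun  1 12:00:00 2018 GMT", "hsts": None},
    "c.example.test": {"redirect": True, "not_after": "May  1 00:00:00 2018 GMT", "hsts": "max-age=300"},
}

if __name__ == "__main__":
    for host, site in SITES.items():
        print(host, assess(site, NOW) or "ok")
```
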

The Next Giant Leap for the Industry

The migration to cloud, the determination of adversaries and the barrage of data breach events make it a struggle for IT teams to balance the right mix of resources between detection, mitigation and prevention. We have been working hard to make that easier.

Forcepoint is leading the charge to deliver human-centric security. See our recent announcements and coverage from the 2018 RSA conference to learn how we are redefining cybersecurity by launching Dynamic Data Protection for risk-adaptive protection.

Top tips to mitigate

  • Many businesses collect personal data for marketing, sales or general business needs. Review your privacy policy and seek to protect that data.
  • Work to finalise your GDPR-readiness plan. Identify your most critical data (personal and intellectual property), seek to protect that and prepare your incident response plan.
  • If you have acquired cryptocurrency coins seek to protect the wallet from malicious attackers.
  • Consider the threat posed by the use of cloud applications in your organisation. Do you have the tools to uncover a Shadow IT problem, or protect the data within sanctioned apps?
  • If you do aggregate data it is important to understand the impact of combining those sources and how that affects your users and original declaration of the purpose of such data collection and processing. Review your policies accordingly.
  • Consider deployment of SSL Inspection technology to permit interception of malicious command and control traffic using HTTPS.
  • Migrate your website to HTTPS as opposed to HTTP. As of June Google Chrome will otherwise mark it as “Not Secure.”

Our grade so far

With only six months passing since we released our 2018 Security Predictions we have assigned ourselves a B+ grade. A high mark for us unfortunately means that many of our predictions ring true. We shall continue to monitor developments throughout the year.

2019 Predictions

Look out for the continued analysis of our 2018 Security Predictions as we lead up to a new set of 2019 predictions to be released at the end of the year.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...
