While it may be a new year, risk managers’ top challenge remains the same: cyberrisk. The top threat vectors, however, constantly evolve. In 2016, cyber continued to dominate the news worldwide, particularly marked by the rapid rise of ransomware, the internet-crippling Mirai botnet exploiting the internet of things, Russian hackers interfering with the U.S. presidential election, and two record-shattering data breaches of 1.5 billion total accounts at Yahoo. According to cybersecurity experts, the following threats may define the cyberrisk landscape in 2017:
Ransomware could be considered the cyberthreat of 2016, with the FBI seeing more than 4,000 attacks daily, a 300% increase over 2015, and headline-grabbing incidents reported across all industries. Kaspersky Lab reported that ransomware attacks on businesses went from one every two minutes in January to one every 40 seconds by October. With ransomware available for purchase on the dark web and the considerable efficacy with which hackers deploy these cash-grabs, the threat will only continue.
“Companies may start to actually budget money to buy back their own data after a ransomware event,” predicted Tom Kemp, CEO of Centrify. “As long as the majority of ransoms remain relatively low, companies will continue to pay them, and they may do so without involving law enforcement to avoid disruption of their businesses and blemishes to their brands.”
Forcepoint believes that these attacks may also become an increasingly strategic tool as they evolve. “Unethical organizations may fill their need for technological innovation and development by hiring ransomware hackers to obtain specific information from competitors,” the firm predicted. “At the same time, ransomware hackers may offer to sell ransomed critical data to the highest bidders while collecting ransom payments from their victims.” To address the risk, more insurers are introducing specific coverage, and the FBI urges victims to report incidents to law enforcement to better combat attackers.
The vulnerability of internet of things (IoT) devices is well-established. Security firm Fortinet summed it up as “a huge M2M (machine-to-machine) attack surface, growing to over 20 billion connected devices, built using highly vulnerable code, and distributed by vendors with literally no security strategy. And of course, most of these devices are headless, which means we can’t add a security client or even effectively update their software or firmware.” But the proliferation of connected devices (the vast majority of which are never secured by users) also poses one of the greatest fundamental cyberrisks to all, as evidenced by the Mirai botnet DDoS attacks that crippled internet services at the end of 2016. As the internet of things gains more ground among consumers and enterprises alike, these devices offer more power that can be exploited by cybercriminals in attacks of unparalleled strength.
“Connected devices, like sleeper agents, are innocuous until activated by cybercriminals,” Trend Micro explained. “We predict that, in 2017, more cyberattacks will find the internet of things and its related infrastructure front and center, whether threat actors use open routers for massive DDoS attacks or a single connected car to stage highly targeted ones.”
The firm predicted, “From 2017 onward, service-oriented, news, company, and political sites will get systematically pummeled by massive HTTP traffic either for money, as a form of indignation, or as leverage for specific demands. Unfortunately, we also predict that vendors will not react in time to prevent these attacks from happening.”
Bug bounty programs, in which enterprises offer white-hat hackers cash incentives (and often public recognition) for finding and reporting cyber vulnerabilities, went more mainstream in 2015 and 2016, with particularly notable programs from Apple and even the Department of Defense. Indeed, Hack the Pentagon marked the first cyber bug bounty program in the history of the federal government.
According to Defense Secretary Ash Carter, in less than a month, 250 hackers submitted at least one vulnerability report, and each report was then remediated in real time. The total cost of the Hack the Pentagon program was $150,000, he said, while hiring an outside consulting firm to run similar testing would have cost more than $1 million.
Whether hosted in public or private, these programs offer a cost- and resource-efficient means of rooting out potentially catastrophic cyber vulnerabilities, essentially crowd-sourcing security. While these programs were initially concentrated in the tech industry, according to Bugcrowd’s annual State of Bug Bounty report, programs more than doubled last year and more than 25% of those Bugcrowd has launched are now in more traditional verticals like financial services and banking. The firm has seen considerable growth in programs at the enterprise level and notable diversification in the industries introducing bounty programs. This is further facilitated by the growth of private programs, which are often narrower in scope, offer higher payouts and involve no publicity. “Private programs are more conducive to organizations with more compliance requirements, such as the Payment Card Industry Data Security Standard and Sarbanes Oxley, while retaining the integrity of the bug bounty model and delivering the value of the crowd,” the report said.
With new voice-activated artificial intelligence platforms like Siri, Cortana and Amazon Echo, consumers are not only buying cool or convenient gadgets, but adopting new vulnerability surfaces. These AI assistants will “alter user behavior and expectations from their web experience and, ultimately, diminish users’ autonomy,” Forcepoint predicted. “‘Normal’ human behavioral traits and expectations, such as personal and intimate privacy, will be challenged by the ever-present eavesdropping of AI technology that interacts with—and knows—everyone in its presence.” This eavesdropping and recording of immense quantities of personal data also relies on maintaining that data to improve the baseline technology, meaning tremendous amounts of information need to be safeguarded by varied security measures in massive cloud repositories. As more apps adapt to work with these platforms, accessing voice data could also give hackers another means of bypassing security. “New interface-based security risks will also accompany this app proliferation, allowing hackers to bypass existing security protection, leading to an increase in AI app-associated data breaches,” Forcepoint explained.
As more personal credentials are compromised in breaches and that data is sold and resold on the dark web, the risk for users continues to extend into an ever-widening web of vulnerability because of how frequently usernames and passwords are reused across sites. “Companies that didn’t experience a first-hand data breach may see repeat unauthorized log-ins and be forced to notify their users that their information is being misused,” Experian explained in its 2017 data breach industry forecast. “This can be compared to an earthquake ‘aftershock’ where the effects of an attack reverberate and are felt long after the initial disaster. Unfortunately, the potential damage of an aftershock breach is likely the same as when the primary organization loses personal information. Customers of these businesses are likely to express concerns and the potential for fraud is as tantamount as the original incident.”
In the wake of breaches of unparalleled size at Yahoo, for example, other sites will have to address the security and reputation risks of potentially compromised user credentials through no fault of their own. Companies should take this threat as another reason to consider implementing two-factor authentication, Experian said, and should account for aftershock breaches in their incident response plans and ensure these are treated just as seriously as traditional breaches.
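The “aftershock” pattern Experian describes shows up in a site’s own authentication logs as a burst of logins from one source that each try a different username once (credentials reused from someone else’s breach), as opposed to a brute-force attempt that hammers a single account. As an added example, not from the article or any of the firms quoted in it, the Python script below classifies login sources by that distinction over constructed sample log lines and lists the accounts that succeeded from a flagged source, which are the ones to force through a password reset and the two-factor step-up Experian recommends. The log format, IP addresses, usernames and thresholds are all constructed for the example and are not from any real system.

```python
"""Spot aftershock (credential-stuffing) login patterns in an authentication log."""
from dataclasses import dataclass

# Constructed sample log, one event per line: "timestamp src_ip username RESULT".
# 203.0.113.7 tries ten different usernames once each (reused-credential replay),
# 192.0.2.44 hammers one account (classic brute force), 198.51.100.20 is a normal user.
SAMPLE_LOG = """\
2017-01-05T08:00:01 203.0.113.7 alice FAIL
2017-01-05T08:00:02 203.0.113.7 bob FAIL
2017-01-05T08:00:02 203.0.113.7 carol FAIL
2017-01-05T08:00:03 203.0.113.7 dave OK
2017-01-05T08:00:04 203.0.113.7 erin FAIL
2017-01-05T08:00:05 203.0.113.7 frank FAIL
2017-01-05T08:00:05 203.0.113.7 grace OK
2017-01-05T08:00:06 203.0.113.7 heidi FAIL
2017-01-05T08:00:07 203.0.113.7 ivan FAIL
2017-01-05T08:00:08 203.0.113.7 judy FAIL
2017-01-05T08:01:00 198.51.100.20 alice FAIL
2017-01-05T08:01:30 198.51.100.20 alice OK
2017-01-05T09:00:00 192.0.2.44 mallory FAIL
2017-01-05T09:00:10 192.0.2.44 mallory FAIL
2017-01-05T09:00:20 192.0.2.44 mallory FAIL
2017-01-05T09:00:30 192.0.2.44 mallory FAIL
2017-01-05T09:00:40 192.0.2.44 mallory FAIL
2017-01-05T09:00:50 192.0.2.44 mallory FAIL
"""


@dataclass
class LoginEvent:
    ts: str
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, user, result = parts
        events.append(LoginEvent(ts, src, user, result == "OK"))
    return events


def summarize_by_source(events):
    """Per source IP: total attempts, successes, and the set of distinct usernames tried."""
    stats = {}
    for e in events:
        s = stats.setdefault(e.src, {"attempts": 0, "successes": 0, "users": set()})
        s["attempts"] += 1
        s["successes"] += int(e.ok)
        s["users"].add(e.user)
    return stats


def classify_source(s, min_attempts=5, spray_ratio=0.8):
    """Credential stuffing tries many accounts about once each (high distinct-user ratio);
    brute force tries one account many times (low ratio). Thresholds are assumed values."""
    if s["attempts"] < min_attempts:
        return "normal"
    distinct_ratio = len(s["users"]) / s["attempts"]
    if distinct_ratio >= spray_ratio:
        return "credential_stuffing"
    return "brute_force"


def analyze(text, **thresholds):
    """Map each source IP in the log to its verdict."""
    stats = summarize_by_source(parse_log(text))
    return {src: classify_source(s, **thresholds) for src, s in stats.items()}


def accounts_to_step_up(text, **thresholds):
    """Usernames that logged in successfully from a credential-stuffing source.
    These are the reused-password accounts: force a reset and require a second factor."""
    verdicts = analyze(text, **thresholds)
    hits = {e.user for e in parse_log(text)
            if e.ok and verdicts.get(e.src) == "credential_stuffing"}
    return sorted(hits)


if __name__ == "__main__":
    for src, verdict in analyze(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
    print("reset + step-up:", accounts_to_step_up(SAMPLE_LOG))
```

The distinct-username ratio is what separates an aftershock from ordinary brute force: a stuffing run already has the password for each account it tries, so it rarely needs a second attempt per username. In production the same logic would be run per time window and would also key on user-agent or ASN, since real campaigns rotate source addresses.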
Business Email and Process Compromise
In business email compromise scams, including CEO fraud, cybercriminals use hacked or spoofed email accounts to trick finance departments into transferring funds to the fraudster’s account. These simple but effective schemes have been on the rise, netting about $3 billion over the past two years. Trend Micro predicts these attacks will continue to increase in 2017, but will be joined by scams they call “business process compromise.”
As in the Bangladesh Bank heist that lost about $81 million to hackers last year, these attacks hinge on a detailed understanding of internal company processes. Criminals hack into the enterprise and modify, add or delete entries in a given business process, such as deliveries or invoicing. They then reap the rewards when the business carries out these modified or unauthorized transactions and delivers valuable goods or sends payment to the wrong party. Given the large payouts and enterprises’ limited visibility into the risks surrounding business process attacks, Trend Micro expects these to gain traction and urged that strong policies and practices regarding social engineering must be part of an organization’s culture.
“Recent events like the U.S. election have highlighted how a lack of appropriate security measures can impact the entire globe in ways we hadn’t considered,” Kemp said. “Regulations that address the vast majority of cybersecurity threats already exist. It’s the adoption of key technologies that help to adhere to these regulations that’s lacking. And that isn’t to say that companies aren’t trying. Many organizations already have teams devoted to meeting the government and industry regulations they fall under. Still, in 2017, we’ll likely see a renewed effort by government regulators to accelerate the implementation of security technologies. Ignoring the regulations or inching toward adherence will no longer be acceptable. Extensive progress will be expected—and required.”
Trend Micro added that changes like implementation of the General Data Protection Regulation (GDPR) “will force enterprises to conduct a top-to-bottom review of data processing in order to ensure or establish compliance and segregate EU data from the rest of the world’s,” require review of existing cloud storage contracts, and raise administrative costs as enterprises invest in a comprehensive data security solution, including employee training, to enforce GDPR compliance.
Forcepoint said that, “Risk registers will be reset and the new, true impact of a data breach may be re-examined prior to increased sanctions for non-compliance incidents beginning in 2018. The impact likely will be felt most by large enterprises that have not prepared in 2017.”