Authored by BeyondTrust Security Experts:
Brad Hibbert, CTO | Morey Haber, VP Technology | Scott Carlson, Technology Fellow | Rod Simmons, Sr. Director, Product Management
In the cosmic wink of an eye, 2016 is almost done. So, it’s that time of year to invoke the dark arts of prediction and try to determine how the next year will unfold. For cyber security, predicting the future is not nearly as scientific as tracking the next major hurricane or earthquake, but certainly does follow trends and patterns.
While technology evolves from on premise resources to the cloud, the reality of drone swarms becoming a weaponized medium for attacks, and governments openly performing cyber-attacks, we can see that if it is connected to the net, it is fair game for an attack. Nothing is immune – from cameras and thermostats, to alarm systems and mobile devices. It does not matter who owns them either. Everything from personal systems to voting machines are valid attack vectors and, surprisingly, systems not considered worthwhile for an intrusion, become key beach heads for advance cyber-attacks.
If you consider all these crazy trends, blips in the news about attacks, and the patterns – from password re-use to the rise in usage of end of life systems – predicting the future for cyber security is really not that outrageous. We’ve assembled a crack team of security experts (YouTube video), and here are our thoughts for the forthcoming year…
Prediction #1: The first nation state cyber-attack will be conducted and acknowledged as an act of war.
We have seen cyber-attacks range from disrupting power grids to Stuxnet. 2017 will see the first large scale attack by a nation, against another sovereign nation, and be acknowledged as an attack and the techniques used considered as weapons (albeit software, malware, vulnerabilities, and exploits).
Prediction #2: The concept of passwords and password re-use will take front and center stage in home and business awareness.
Re-using passwords is fundamentally one of the most dangerous habitual cyber security human practices. Large scale breaches from Yahoo and Twitter will help fuel the fire until everyone realizes the dangers of this practice. It will take a few more major incidents in 2017 to raise awareness. Once this happens, people will begin using unique passwords as often as they lock their car doors in a parking lot.
Prediction #3: The Internet of Things (IoT) –everything from toy drones to routers – will come under government cyber security scrutiny and require manufacturers to tighten security.
Ongoing threats related to IoT devices will force manufacturers to tighten security layers, including patchable firmware/software, secured authentication, and controlled privilege access. Regulation will be pushed forward for vendor responsibility around IoT device software updates. Today, most IoT devices are considered throw away devices and security patches are not issued. But, new regulations will be driven by large scale attacks using IoT to amplify the attack as we saw with KrebsonSecurity against an industry that has powerful lobby interests.
One of the largest denial of service (DoS) attacks to date targeted a French service provider and was hosted on mobile smart devices, proving that if it is connected to the Internet, it can be weaponized. Internet connected devices need to meet minimum security standards just like automotive safety. This type of hack will escalate until legislators step in and provide a plan. We predict that a major hardware manufacture will disclose vulnerabilities that are in firmware of devices they ship. Until then, IoT devices will be released with all sorts of flaws and potential exploit vectors, and many of them will be used to conduct malicious activity.
Prediction #4: Commercialized anti-DDoS will emerge.
Speaking of DoS attacks, following constant DDoS attacks above the 500GB mark, a new startup that directly attacks and patches botnet systems will launch in an unregulated country. This attack/defense service will be directly responsible for patching a hundred million hosts.
Prediction #5: Behavioral technologies, such as pressure, typing speed and fingerprints, will be embedded into newly-released technologies.
Driven to ensure their products are not compromised by ever-more sophisticated cybercrimes, companies such as Apple and Lenovo will start to release products that have biometric sensors built into the touchpad. This will enable the integration of tools and technologies that advance the concept of biometric/facial recognition into areas like typing speed, pressure and other behavioral-type detection systems.
Prediction #6: Adaptive and behavior-based authentication grows in importance.
Identity will continue to be a focal point for security as credentials being used in highly visible attacks combined with mobility, cloud deployments and increased regulation drive awareness and allocation of dollars. Organizations will continue to look at adaptive- and behavior-based authentication to balance security and operational concerns.
Prediction #7: Tor v2 comes online.
Since the government has infiltrated the Tor network, a few large companies will start to setup cross-country file transfer networks that have terabytes of bandwidth and the equivalent of exit nodes everywhere. This “Tor v2”-type experience will start to be included in most releases of Google software, and will move us toward a network that is fully encrypted and clear-text at all times.
Prediction #8: Compliance concerns drive growth in the endpoint and device market.
More companies will get aggressive with outdated software and will do direct checks to make sure software is in compliance. A hard stance on outdated software accessing banking systems knocks user acceptance down 40 percent, but increases the purchase of new computers, Chrome books, mobile devices, and tablets because they are much more secure than old, outdated computer systems.
Prediction #9: Continued exploits of known vulnerabilities.
We will continue to see the majority of attacks beginning with an exploit taking advantage of a known vulnerability where a patch has been readily available. Ongoing and timely patch and shielding processes continue to be a challenge.
Prediction #10: Increasing number of cloud-based attacks cause vendors to double-down on security.
We will see attacks targeting cloud management platforms, workloads, and enterprise SaaS applications, causing organizations to expand their privileged access management budget allocation beyond traditional desktops and servers.
Sarah Conner (Terminator) said, “The future has not been written. There is no fate but what we make for ourselves.” As security experts, we develop defensive and offensive strategies to combat cyber-attacks and these predictions will probably come true in the next year or so simply based on the trends that appear every day in our industry. As the end of the year approaches, now is the time to evaluate your cyber security practices!
So, how do these predictions jive with your own? Let us know!
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.