It’s customary at this time of year to look back at the previous 12 months and try to predict what may be on the cards for the coming year. However, this time we felt we should just focus on what may be coming, what to budget for and how to deal with it.
Back to basics
There are a lot of new regulations on the cards for 2018 in many countries around the world, and in lots of different verticals, many with bigger fines and stricter controls. This will lead many organisations to look again at what they do now and how they do it and for many this means going back to basics. Backups, patching, testing, recording.
Documentation and evidence are going to be vital, as they will be required by various parties: by auditors, by suppliers and customers, and for regulatory compliance.
Backup and Recovery has come into focus more recently thanks to ransomware and disruption events (such as NotPetya) that have been seen throughout 2017. Several high profile organisations were hit with these and their failure to recover quickly has highlighted the need to ensure system and data backups are good and that you can restore them. These events will also force organisations to look again at their Disaster Recovery and Business Continuity Plans, but are they enough? Probably not and this is discussed further under the ‘Here and Now’ banner.
Patching and Vulnerability Management will be back under the spotlight. Many of the exploits that have been, and are being, taken advantage of, and that have caused the chaos seen this year, rely on known and largely avoidable vulnerabilities.
However, with increasing requirements to be more efficient, for companies to have less down time, and greater availability, the time allowed for maintenance and patching is being reduced.
Some organisations also run shifts which hamper or prohibit scheduled tasks being completed in a timely manner. Then there are client deadlines, which often mean that scheduled work gets cancelled at the last minute and never rescheduled. There’s also the other situation where all the main patches get applied (main applications and operating systems) but an underlying core of vulnerabilities never gets touched.
The number of vulnerabilities grows steadily throughout the month as weaknesses and vulnerabilities are identified and publicised. They are patched (using something like WSUS or SCCM) during the maintenance weekend and the level drops. However, there is often an underlying level of vulnerabilities due to unapplied firmware updates and updates for switches, routers, printers and other network connected devices. This is what the threat actors and criminals are likely to try to exploit (see Back to the Future).
As pressure on I.T. departments increases to save money, deliver more and become more agile, that underlying threat level is likely to rise.
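The monthly cycle described above, findings rising through the month, a maintenance weekend that clears what WSUS/SCCM can deploy, and a residual baseline of firmware and network-device findings that survives it, is modelled below as an added example. This is not code from the original post or from any vendor tool; the platform names, the `MANAGED_PLATFORMS` set and the sample findings are all constructed assumptions, chosen to show where the residual exposure comes from.

```python
"""Model of the monthly vulnerability "sawtooth".

Findings accumulate through the month; the maintenance weekend remediates those
that a WSUS/SCCM-style tool can deploy, and a residual baseline of firmware and
network-device findings is carried forward. All data here is constructed.
"""
from dataclasses import dataclass
from collections import Counter

# Asset classes a WSUS/SCCM-style tool typically covers (assumption for this example).
MANAGED_PLATFORMS = {"windows_server", "windows_client", "office_suite"}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    platform: str        # asset class, e.g. "windows_server", "switch", "printer"
    severity: str        # "high", "medium" or "low"
    disclosed_day: int   # day of the month the vulnerability was published


# Constructed sample findings for one month (hypothetical identifiers).
SAMPLE_FINDINGS = [
    Finding("F-001", "windows_server", "high", 2),
    Finding("F-002", "windows_client", "medium", 3),
    Finding("F-003", "switch", "high", 5),
    Finding("F-004", "router", "high", 8),
    Finding("F-005", "office_suite", "medium", 9),
    Finding("F-006", "printer", "low", 12),
    Finding("F-007", "windows_server", "high", 15),
    Finding("F-008", "server_bmc", "high", 18),
    Finding("F-009", "windows_client", "low", 22),
]


def run_maintenance_window(open_findings, managed=MANAGED_PLATFORMS):
    """Simulate the patch weekend: findings on managed platforms are remediated,
    everything else is carried forward as the residual baseline."""
    remediated = [f for f in open_findings if f.platform in managed]
    residual = [f for f in open_findings if f.platform not in managed]
    return remediated, residual


def exposure_timeline(findings, patch_day, days=30):
    """Number of open findings per day; shows the rise and the post-patch drop,
    and that the drop never reaches zero while unmanaged devices exist."""
    timeline = []
    open_findings = []
    for day in range(1, days + 1):
        open_findings.extend(f for f in findings if f.disclosed_day == day)
        if day == patch_day:
            _, open_findings = run_maintenance_window(open_findings)
        timeline.append(len(open_findings))
    return timeline


def residual_summary(residual):
    """Residual findings by platform and severity: the view needed to argue for
    a separate firmware/network-device patch process."""
    return {
        "by_platform": dict(Counter(f.platform for f in residual)),
        "by_severity": dict(Counter(f.severity for f in residual)),
        "high_count": sum(1 for f in residual if f.severity == "high"),
    }


if __name__ == "__main__":
    print("open findings per day:", exposure_timeline(SAMPLE_FINDINGS, patch_day=20))
    before = [f for f in SAMPLE_FINDINGS if f.disclosed_day <= 20]
    _, residual = run_maintenance_window(before)
    print("residual after patch weekend:", residual_summary(residual))
```

The timeline makes the point of the paragraph visible: the count climbs to eight by the 19th, falls to four after the maintenance weekend rather than to zero, and three of the four survivors are high severity on devices no WSUS/SCCM run will ever touch.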
The Here and Now
Whilst doing a ‘Year in Review’ wasn’t planned, it is somewhat interesting to look back at what has happened, or is happening, as that often dictates where effort and budgets will be focused. In summary there was ransomware and business disruption, hacking and lots of phishing. Yet despite all the finger pointing (and there was a lot of that) there were few arrests.
One of the best quotes seen in 2017, which highlights the problems being faced, was:
“While an attack […] originates in the cyber domain the most serious impacts occur in the physical world”
Richard Wyman, Cyber Security: A Peer-Reviewed Journal Vol. 1
This was brought into sharp focus for several businesses in 2017 where operations at their international terminals were impacted, resulting in delays and disruption that lasted weeks and cost them millions.
This all lends itself to better Incident Response which is an area that is massively overlooked. There is a misconception that because Disaster Recovery (DR) or Business Continuity Plans (BCP) are in place then all is well. Wrong! Incident Response is a separate but necessary discipline that should have more focus, more importance and more budget. Incidents can be anything from a mis-addressed email (more about that later too) to a full-on data breach or disaster. Many organisations typically have either a DR plan or a BCP, some even have both. But few have an Incident Response Plan that is written, communicated and tested. With the Supply Chain becoming a key part of any organisation, the need for all three to be in place and tested is likely to become a prerequisite to doing business, especially with larger organisations.
Data Management is another area that will likely come under the spotlight for several reasons. Knowing what data is stored, where it is stored and how it is protected is the starting point. It will also allow organisations to remove data that is no longer required or allowed to be stored (see commentary under Compliance), which could, in turn, improve the back-up and recovery cycle.
Compliance will be a big part of 2018, not only for the EU General Data Protection Regulation (GDPR) but other regulation such as MiFID 2, EU ePrivacy and the US Security Breach Notification Laws. Other countries are also bringing in laws to govern data usage, data transfer and citizens’ (electronic and privacy) rights. Companies will need to look at what systems they have in place to manage subject (data) access requests, the right to be forgotten and data transfer/portability requests. Companies will only be able to achieve compliance if they:
- know where their data is and
- have a documented process in place to deal with it
The last two of the ‘Here and Now’ are closely related: continued Phishing campaigns and Business Email Compromise (BEC). Phishing is becoming easier and can be launched by anybody, anywhere, at not much cost. Distribution lists are readily available and highly affordable. Well-crafted emails using these lists can direct the unsuspecting recipient to malicious websites or elsewhere, where malware can be downloaded, or fake or non-existent goods purchased.
Business Email Compromise takes this one step further. Extremely well crafted and very specifically targeted mails are directed at employees in order to fool that employee into a specific action. These often look like they come from senior Executives and are sent to employees who often have the ability to transfer monies from an organisation’s account without further authorisation. This has been noted in other circumstances too, where the wife of a travelling executive received a mail, purportedly from her husband, to transfer monies to an account “for a surprise”. Luckily the Bank intervened and made her check. Needless to say, her husband hadn’t sent the mail.
In another example, Kevin Mitnick, once described as the FBI’s most wanted and a well-known hacker, has even managed to get people to mail him SECRET documentation through Vishing, by pretending to be part of the organisation working on the same project. This shows how much information we can get through Social Media, a little bit of insight, a few calls, a bit of self-confidence and a lot of nerve.
Back to the Future
It’s almost impossible to predict what’s going to be the next big thing but there are indicators based on the past and the present. So, what else might be seen happening?
With more and more companies moving to the Cloud, and becoming reliant on it for their day to day operations, it’s likely to be a new target. The likes of Amazon, Google and Microsoft spend millions of dollars protecting their infrastructure, but badly designed implementations and unsecured applications are going to leave organisations open to compromise. Classic penetration testing will need to evolve, and people will start asking about, and requiring evidence of, (web) application testing. This will also bring into focus software development (again) and secure coding practices.
Many data breaches occur as a result of compromised credentials and this is another trend likely to continue. More organisations will introduce multi-factor authentication (MFA) for all staff, especially when out of the office or trusted environment. Identity and Access Management (IAM) will feature more as companies look to try and better identify and control the access of their employees.
Since lost or stolen credentials are hard to spot when used there will also be more attention on those accounts that have elevated privileges, as these are the ones that are most desirable. Service Accounts and Administrator Accounts are changed less frequently (if at all) due to the difficulty in managing them successfully. Privileged Access Management (PAM) tools will be adopted by many organisations to relieve the pressure of password management and password rotation. This will be even more important where the Cloud is concerned. A compromised Cloud Admin account, going undetected, could leave an organisation vulnerable for a long period of time.
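The paragraph above says service and administrator accounts are rotated less often than they should be and that Cloud Admin accounts deserve the most attention. The check below is an added example, not code from the original post or from any PAM product: it takes an inventory of accounts and reports the enabled privileged ones whose password age exceeds a rotation policy, oldest first. The account names, the `MAX_PASSWORD_AGE` policy values and the reference date are constructed assumptions.

```python
"""Stale privileged-account report.

Given an account inventory, list enabled service, admin and cloud-admin accounts
whose password age exceeds the rotation policy, oldest first, so that the
longest-lived credentials are dealt with (or enrolled in a PAM tool) first.
All accounts and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from collections import Counter

# Maximum password age in days per privileged account class (assumption for this example).
MAX_PASSWORD_AGE = {"service": 90, "admin": 30, "cloud_admin": 30}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str            # "user", "service", "admin" or "cloud_admin"
    last_rotated: date   # date the password was last changed
    enabled: bool = True


# Constructed sample inventory (hypothetical account names).
SAMPLE_ACCOUNTS = [
    Account("svc_backup", "service", date(2016, 5, 10)),
    Account("svc_sql", "service", date(2017, 11, 1)),
    Account("da_admin1", "admin", date(2017, 12, 20)),
    Account("da_admin2", "admin", date(2017, 10, 1)),
    Account("cloud_root", "cloud_admin", date(2017, 6, 15)),
    Account("jdoe", "user", date(2017, 1, 1)),
    Account("svc_legacy", "service", date(2015, 1, 1), enabled=False),
]


def password_age_days(account, today):
    """Whole days since the password was last rotated."""
    return (today - account.last_rotated).days


def stale_privileged_accounts(accounts, today, policy=MAX_PASSWORD_AGE):
    """Return (account, age_days, days_overdue) for every enabled privileged
    account over its limit, oldest first. Ordinary users and disabled accounts
    are out of scope for this report."""
    stale = []
    for acct in accounts:
        limit = policy.get(acct.kind)
        if limit is None or not acct.enabled:
            continue
        age = password_age_days(acct, today)
        if age > limit:
            stale.append((acct, age, age - limit))
    stale.sort(key=lambda item: item[1], reverse=True)
    return stale


def stale_by_kind(accounts, today, policy=MAX_PASSWORD_AGE):
    """Count of stale accounts per privileged class, a quick figure for a report."""
    return dict(Counter(acct.kind for acct, _, _ in
                        stale_privileged_accounts(accounts, today, policy)))


if __name__ == "__main__":
    report_date = date(2018, 1, 2)  # constructed reference date
    for acct, age, overdue in stale_privileged_accounts(SAMPLE_ACCOUNTS, report_date):
        print(f"{acct.name:12} {acct.kind:12} age={age:4}d overdue={overdue}d")
    print(stale_by_kind(SAMPLE_ACCOUNTS, report_date))
```

Sorting by age rather than by days overdue is deliberate: a service account last changed in 2016 has been exposed to every credential leak since then, which matters more than how far past a 90-day limit it is. The disabled `svc_legacy` account is skipped here, though a real inventory review would still want to see it listed separately.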
All the above relate to another growing area of concern which is Business Process Compromise (BPC). Whilst this is not a new phenomenon, it is one that is likely to gain more notoriety. Back in 2013, a system in Antwerp’s Seaport was modified to hide and redirect a shipping container full of drugs.
Toward the end of 2017 there were some examples where Industrial Safety Systems had been interfered with. This resulted in the whole system shutting down but it is believed that this was accidental and that the real end goal could have been much worse. This shows that not only is it necessary to look at traditional endpoint computing but also at Industrial Control Systems. Luckily many of the traditional vendors have, or are actively developing, solutions to look at network traffic and baseline normal behaviour.
Normal behaviour is another of those areas that will help businesses understand and identify when something abnormal happens and help ring alarm bells. Understanding User (and Entity) behaviours (UEBA) through the use of analytics will inform the business when there is an issue. However, this relies on monitoring end users and devices connected to the network and some people may feel uncomfortable about this. Work will need to be done on educating the workforce that this is to protect them and not spy on them.
Since a lot of work is done (via email and messaging) through mobiles, there is likely to be an increase in malware for mobile devices, much of which may come from African countries that are developing rapidly. Africa, because of its size and lack of infrastructure, has a large dependency on mobile devices and will therefore be at the forefront of this area, though it is likely to spread rapidly due to the wide adoption of mobiles. App stores, like Google’s Play and Apple’s iTunes will need to be extra vigilant as Apps with built in malware or exploits become more numerous.
Encryption will become mainstream as organisations look to secure their data and comply with regulation. However, this isn’t just encryption of data on laptops and desktops (though that will be the easiest to deploy and demonstrate). It also means putting in place controls for data at rest on the network and elsewhere and also data in transit. This includes to and from websites. HTTPS is already widely adopted but there are likely to be attacks on certificate authorities and spoofed certificates to try and intercept traffic. Messaging (Instant and email) may also undergo changes as organisations look to secure personal data in transit. However, this will need to be looked at with a view to the needs of law enforcement. Separately, there are lots of predictions about the volume and uptake of devices being connected to the Internet.
Gartner predict that by 2020 “IoT technology will be in 95% of electronics for new product designs”
This will lead to a massive opportunity for new income streams for the criminal community. Many of the items released over the last few years have no mechanism for easily updating them and this is going to mean that those devices will be vulnerable for their lifetime. Attackers will work out how to monetise these IoT vulnerabilities. Imagine watching Netflix, or a Pay-per-View Fight at home, when the TV displays a pop-up “Pay $10 to continue watching”.
Another by-product of devices connected to the Internet will be the upsurge in data collection and the monetisation of that data. Knowing who’s doing what, when and where. It will also mean those people collecting that data (Data Aggregators) are likely to become bigger targets than they are currently.
Blockchain is talked about widely and will feature prominently but not just for Crypto-currencies. It will start to feature as a means of digital and product authenticity. Digital footprints will be verified by blockchain as will the authenticity of any digital asset, be that a .JPEG picture or complete software application. The various checksums and hashes in use today will cease to be the de facto standard and will be challenged by new technologies using blockchain.
Whilst there has been massive progress in Artificial Intelligence (and Machine Learning) it is likely that the attackers will use this against organisations and that they will use it to identify and maximise exploits. Attackers will be able to quickly work out how a company is defending itself, what combination of tools are in use, how often they are checked and updated and then write tools to penetrate an organisation and then either obfuscate their movements or avoid detection. Other reports suggest that AI will also be a catalyst for creating jobs and that more jobs will be created than lost.
Some things aren’t really going to be a surprise and don’t really warrant that much of a mention. There will be more Fake News, though it will be much subtler with its messaging. This will make it much harder for those that police the more widely used social media sites to identify and remove it. It’s also likely to have a more subtle influence on the general public at large as it will be harder to identify and report. With so many Polls and Elections due in the next 12 to 18 months it is expected that the Nation States will have their hands full with propaganda stories.
Lastly, what of the predicted skills shortages? With low unemployment in various markets there are likely to be some challenges around filling positions, and not just in the security profession. Apprenticeship schemes are making a comeback and there are lots of initiatives underway to try and fill the gaps.
However, these schemes take time to filter down and for the results to be seen, so 2018 may be a difficult year. This may also lead to higher salaries which may help attract more talent. In the meantime, however, companies are likely to look at various options for outsourcing including Managed Security Services, Managed Detection and Response or Incident Response Services.
Providers who supply these services have the skills and processes in place to be able to deliver best of breed or best practice solutions as well as potentially being easier to justify and relieve the pressure on IT Departments instantly.
Whilst there are a dozen things listed above, and this may seem like a lot, many of the potential pitfalls are related to each other e.g. vulnerability management, patching and IoT devices. Some of these threats will evolve and change whilst others will be dealt with by the device manufacturers or the security community. Underlying many of these is the need for good solid process and this should always be the cornerstone of any security program.
People will obviously have their own views about 2018, technology and emerging threats. It will be interesting to look back in a year’s time and see how many of these predictions came true.