Is your organization prepared for the reality of cyber crime in 2016?
Be prepared to spend more time on cyber threat analysis as criminals become more sophisticated and emboldened in their demands, and unique threat vectors emerge.
By Michael H. Howland, CEO of Armored Cloud
As the CEO of a cybersecurity firm, I pay attention to what my industry’s experts are predicting for 2016. After reading nearly two dozen 2016 prediction papers, I have seen clear trends emerge. I thought it might be useful to summarize what experts are saying and save you the time and effort it takes to review everyone’s thoughtful and excellent work.
Cyber crime is increasingly more complex and sophisticated
The sum of what I read for the most part is not completely new. What’s different overall in the predictions is the increasing scope of the cyber threat for 2016 in terms of complexity and sophistication. All agree that the Internet is an increasingly attractive playing field for criminals, social and political activists, terrorists, and nation state bad actors to engage in illegal or illicit activities.
Bad actor objectives vary depending upon their goals, but most are motivated to make money, get their cause noticed, cause disruption, or do harm to someone or something.
All experts agree that 2016 will see a higher degree of collaboration and cooperation among bad actors, along with a higher degree of technical competency.
This suggests cyber threats are going to get more dangerous and the cost of failure will increase to perhaps even catastrophic levels for some organizations.
Cybersecurity is now a C-level priority
The good news is, despite 2015 seeing a massive increase in reported cyber crime and large scale attacks, these events forced corporations to stop viewing cybersecurity as purely an IT problem. Corporate boardrooms are starting to demand their “C” leadership find new and expanded resources to deal with the problem, but in a proactive rather than reactive manner.
Computerworld’s Forecast 2016 survey of 182 IT executives showed 50% plan to increase spending on cybersecurity in the coming year. In fact, 2016 looks to be a banner year for the cybersecurity industry as a whole, and good for cybersecurity professionals who are in fairly short supply.
Due to this relatively short supply, skilled professionals will continue to command large compensation packages. The downside is this trend will place these professionals out of reach financially for many who need them the most. The net-net of this increased focus on cybersecurity is that 2016 bodes well to be the year the good guys get ahead of the bad guys.
Cyber crime as a weapon for both criminals and activists
As mentioned above, the tricky part here is that the bad guys have gotten smarter and we are seeing increased cooperation among them.
Just a few years ago, the industry was primarily dealing with amateurs who occasionally shared information and code on the dark web. 2015 saw the advent of bad actors within international criminal organizations and a dramatic increase in reports of nation-states or quasi-national actors engaging in cyber crime, espionage, or use of cyber as an offensive weapon.
It is difficult to say which of the above is more alarming. Cyber criminals are crooks motivated to steal money. Their main tools of cyber ransom and extortion are at the most basic level no different than classic street gang extortion of businesses. The main difference is the dollar value of the extortion and little or no threat of physical violence. Nation-state or terrorist bad actors have different objectives. Their goal is to cause massive social or political disruption and for some the loss of life is an end goal.
With these overall themes in mind, here are eight top trends for 2016 as I see them:
1) The use of secondary networks as vectors for attacks.
Based upon their success in 2015, bad actors will increase their use of secondary networks as a venue for attack in 2016. For example, supply chain relationships are a critical component of business operations, especially for large global organizations. A wide range of sensitive corporate IP and customer information often resides on supplier networks that may not have the same level of protection as their more sophisticated and security-conscious clients. This makes the suppliers’ networks an attractive and effective route of attack.
A prime example of such an attack was the one against the retail store Target. The cyber crooks exploited a web billing application used by Target for invoicing HVAC services, eventually compromising 40 million payment cards and 70 million other records and leading the CEO to resign. The massive hack of the Office of Personnel Management (OPM) is another example where bad actors got into the network through the compromise of a contractor network.
2) An increase in attacks on “softer” networks that contain massive amounts of citizen private data.
Cyber crooks will increase their exploitation of “softer” targets that contain high amounts of citizen personal information for use in targeted financial or other scams. As obvious high-value organizations tighten their networks or pull customer data off line, bad actors will aggressively move to softer targets.
For example, 2015 saw over 100 million American citizen personal health records stolen. A person’s health records are rich in personal information ranging from identification data, personally sensitive medical material, and vital information on family members. Stolen medical records have a higher value on the black market or dark web than credit card numbers because they have a longer shelf life and it can be months before a theft is detected. Stolen personal identification information and medical data are showing up in tax refund, insurance, and Medicare fraud cases, to name just a few.
According to the FBI, a credit card number costs about $1.00 on the dark web, while a complete medical record goes for between $100 and $3,000 depending upon to whom it belongs. The full extent of the use of stolen medical records is still unfolding. Some creative examples we are starting to see include scams targeting the terminally ill or their family members with offers for expensive medicine at reduced prices or access to special treatment trials.
Bad actors’ ability to steal medical records is partially the result of various pressures to make them more portable, while cybersecurity takes a back seat to convenience.
Think about the last time you saw your doctor use a paper record or the number of offices that use some type of Wi-Fi network device to check you in.
The medical field is not the only industry under pressure to make vital records more accessible. As this pressure for portability and convenience increases, look for cyber criminals and other bad actors to be right behind to exploit any cybersecurity vulnerabilities.
3) Larger scale extortion campaigns targeting individuals and organizations.
2016 will see cyber crooks and other bad actors moving uptown in enterprise ransomware use and extortion. Successful use of these methods against smaller targets during the past year has emboldened bad actors, who will now use these same tools and methods against larger organizations or high-value, high-wealth individuals such as public figures and corporate leaders.
Ransomware costs, which for the most part have been in the thousands, will trend toward the millions as larger targets are hit. There will also be a trend toward traditional street thug methods, where targets are held hostage financially for long periods with installment payments required.
Attacks like 2015’s Ashley Madison and Adult Friend Finder network attacks, where entire user databases were made public or used for ancillary extortion schemes, will increase in 2016. Sony Pictures Entertainment’s hack is another example where exposure of embarrassing emails caused the loss of at least one top executive’s job.
Expect to see more large scale extortion schemes where entire spools of internal email, text messages, and other sensitive and likely embarrassing documents are released with the intent to embarrass or discredit prominent individuals or organizations, and monies are paid to keep this damning information private. Political operatives, in both the private and public sectors, have become consumers of embarrassing emails as witnessed by the New Jersey George Washington Bridge closure scandal.
Not all cyber bad actors are motivated by money. 2016 will see cyber extortion used to damage or destroy businesses’ or individuals’ reputations. Corporations, groups, or individuals operating in contentious or politically sensitive areas will increasingly become targets of cyberattack by social or political activists. Intent will be to stop or change activities, or in some cases simply enact pure revenge.
4) An increase in credential exposures.
2016 will see a massive increase in credential (username and password) exposures either posted publicly or offered for sale on the dark web. The value of credentials is great because of the rampant reuse of passwords and lack of Multi-Factor Authentication (MFA).
The Hollywood-based fuss over alleged compromise of Apple’s iCloud, where personal photos were exposed, turned out to be nothing more than use of stolen credentials and reuse of passwords. There was no technical security breach of Apple’s network; however, the damage to Apple’s reputation in the public eye was significant.
The scope of this problem and potential for cyber criminal use will force industries that provide services like free email, social media sites, photo sharing, etc. to eventually move to MFA. Companies like Google have already moved in this direction, as they track and analyze IP addresses, geolocation, and specific device use for account authentication.
5) Cyber insurance industry will boom.
According to industry experts, the 2015 estimated US market for cyber insurance was approximately $2.5 billion, as provided by about 50 firms. 2015 saw a growth in the market for cyber insurance of around 35% over the previous year. Given the increasingly prominent data breaches and cyber issues of 2015, several of which are described here, 2016 growth is expected to be as high as 45% as companies try to reduce their exposure. Industry experts say that this market will more than triple in the coming five years.
Despite the cost, insurance can be worth it. The Target hack in late 2013 is estimated to have cost the company $252 million in gross expense—which was reduced to $162 million thanks to insurance compensation. Of course, word to the wise—once an insurance claim is made, expect insurance premiums and deductibles to rise. This is just one more bottom-line reason for companies to make proactive rather than reactive investments in cybersecurity.
6) The Endpoint Detection and Response sector will continue to grow and begin to incorporate prevention tools.
Endpoint Detection and Response (EDR) was the big growth cyber winner for 2015, and that trend is expected to continue in 2016. According to Gartner, Inc., there are currently over 40 main vendors of EDR systems. They vary in functionality but all have one soft spot: they alert consumers to, but do not prevent, a cybersecurity breach.
Another downside of EDR systems is the high rate of false alarms. The Ponemon Institute estimates that a typical large enterprise spends up to 395 man-hours per week processing false alarms—almost $1.27 million per year.
Cyber bad actors are aware of this high false alert rate, and are starting to exploit it with the same results as a homeowner who experiences a high rate of false alarms. They expect companies to stop paying attention, which then makes their fortress easier to breach.
EDR systems are best paired with a solution to thwart or mitigate attacks, and I expect to see companies with compatible tools working together to provide more comprehensive solutions in 2016.
7) Continued growth of the Internet of Things (IoT) sector.
2016 will continue to see the rapid growth of IoT in all aspects of consumer life as the number of interactive, connected products rises exponentially. Everything from home automation, physical security, televisions, printers, and cameras to smart cars is included here. Gartner estimates the number of connected consumer products will increase to 4.9 billion units in the US by the end of 2016, representing a 30% increase from 2015. Each IoT device is a target for exploitation as a network entry point by cybercriminals or other bad actors.
As with making health records more portable and accessible, companies will have to balance the novelty and convenience of networked consumer goods with the potential for security breaches. Cybersecurity will need to be baked in early to these products and their associated IoT networks, rather than layered on as an afterthought.
8) The use of cyber as a terrorist or nation-state weapon against critical infrastructures.
2015 saw hundreds of terrorist or terrorist-related incidents across the world. All of these attacks were physical. In 2016, we will continue to witness the emergence of transnational and cyber-savvy quasi-state-like terrorist groups. In 2016, expect to see these cyber bad actors increase the use of cyber crime as a weapon against critical infrastructures such as public utilities and other “connected” critical infrastructures.
In our increasingly connected world, potential targets include digital oilfields, law enforcement and emergency management systems, national cellular phone networks, and so on. Just imagine the panic that could be caused in a major metropolitan area by a false “Amber” type weapons of mass destruction alert. Even false alarms by motivated activists can be enough to sow the seeds of discord and distrust against the government or major corporations within the public’s mind.
The Stuxnet event in 2010 that caused considerable physical damage to Iran’s nuclear infrastructure is the best-known example of the use of cyber as a weapon. More recently, in late December 2015, the Wall Street Journal, citing former and current US Homeland Security officials, reported that Iranian hackers breached the control system of a flood control dam just outside of New York City. The breach, in which the Iranian hackers gained access to a cellular modem attached to the dam’s control system, happened in 2013 but was only recently reported. While no harm came as a result of this incident, it illustrates concerns that many in our industry have about aging cyber systems controlling vital infrastructure. A significant number of these systems use nothing more than default login credentials for protection. Will it take an actual catastrophic breach of one of these out-of-date public infrastructures to foster change? Again, both governments and corporations can avoid disaster by thinking of cybersecurity in proactive rather than reactive terms.
The good news here is most cyber bad actors are motivated to make money, and their success in doing so will turn their focus away from targets where little or no financial gain stands to be made. Aside from potentially blackmailing managers of critical infrastructure with threats like the sale of access credentials on the dark web, there is no financial fast track in this type of cybercrime. However, nation-state actors or quasi-state terrorist groups do have an interest in attacking critical infrastructures and will likely be very strategic in their targeting. Like we have seen in attacks against the medical and health industry, they will go for the soft targets first and expand from there.
Experts agree that unless significant improvements are made, the vulnerability of critical infrastructure will continue to increase in 2016. A recent survey by a leading cybersecurity firm reported 48% of its respondents stated it is extremely likely that the future will bring a successful cyberattack against critical infrastructure that will result in the loss of life. However, most experts quickly add that because most cybercriminal activity is done by cybercrooks, the volume of attacks against critical infrastructure will remain relatively low. The bottom line is that critical infrastructure attacks have a low incident rate, but conceivable high-impact events are a risk.
Proactive Cybersecurity is Key for 2016
The greatest takeaway from these eight trends is for governments, organizations, and corporations to take a strong proactive stance against cyber crime. Waiting for the worst to happen and shoring up defenses only after holes have been exploited by criminals, then relying on insurance and public goodwill to soften the blow will only embolden the bad guys.
Each successful attack, each public figure’s embarrassment and downfall, and each dollar made from ransomware or the sale of sensitive medical information will only serve to embolden and better finance bad actors, making the cyber fight that much more difficult for the rest of us.
I have summed up my thoughts on how to proactively approach cybersecurity in the whitepaper “Five Ways Executives Can Rethink Cybersecurity”. In this paper, I describe the mindset necessary to strategically take on bad actors as if they are enemies in a war, using examples from Sun Tzu’s legendary work “The Art of War”. You can download the paper immediately from this website, or I welcome you to contact the Armored Cloud team at (877) 978-1688 to discuss a demo or trial of our own cybersecurity solutions.