In between dreams, you hear the alarm on your mobile phone ring. You open your eyes and turn it off from your smartwatch. Your Smart TV welcomes you with the daily news and you look for the weather forecast: it is a freezing winter’s morning. Your car is waiting outside, just like any other day, but you know that if you don’t warm up the engine, it will hardly work. To save some time, you grab your smartphone, open the car app and try to remote start the vehicle from the comfort of your kitchen. But it does not start. Instead, a notification on your screen says: “Your car has been locked! If you want to use it again, follow the instructions and pay 0.5 bitcoins”.
Is this kind of thing possible? Can the Internet of Things be vulnerable to attacks or threats like ransomware? As security researchers at ESET, we have asked ourselves both these and many other questions. Now we’ve collected our combined thoughts to produce our new report, Trends 2017: Security held ransom.
As in years past, ESET has anticipated the coming trends in terms of threats and cybersecurity, combing through the main events to analyze how cybercrime will shape itself in the near future. Our latest paper is based on our constant monitoring of the global threat landscape and the search for patterns necessary to understand its next moves and possible evolution.
The structure of the report follows previous editions, with eight of our researchers examining the speed at which new technologies emerge and attack surfaces widen. In this context, we consider where security risks will migrate and what companies, experts, governments and users can do to face them.
An overview of the cybersecurity landscape for 2017
If 2016 was the year of ransomware, 2017 could perhaps be the year of jackware, as Stephen Cobb suggests. It means that this could be the year in which the ruthless threat of ransomware migrates to other platforms beyond computers and smartphones, whose primary purpose is not data processing or digital communications. Connected cars, as in the situation above, are an example.
However, smart devices will not be the only viable targets acquired through the internet: attackers will surely use it to probe critical infrastructure and will continue to look for ways to cause damage, deny service, or hold data hostage. Attacks on critical infrastructure, which Cobb and Cameron Camp analyze in a section of the report, relate to the compromise of data and services that are essential for systems related to physical, economic or national security. In short: those vital for the everyday stability and development of a society.
And if we talk about things that are vital, what could be more important than protecting the systems that support the functioning of the healthcare industry? As it becomes increasingly computerized, more practitioners and patients are using internet-connected medical and fitness devices that are full of sensitive information. However, security and privacy are often an afterthought, explains Lysa Myers in her section, indicating that the future of healthcare will possibly continue to bring significant challenges.
There is another sector where device integration is increasingly common: videogames. Cassius Puodzius describes the potential risks of integrating consoles to computers, in a system that is increasingly internet-dependent and could lead to the exploitation of vulnerabilities, or malware infections aimed at stealing personal, financial and even the game play information of gamers.
It is true that the exploitation of vulnerabilities will continue to be an important attack vector, just as it has always been, but we should not lose sight of the trend in this regard. Lucas Paus points out that although the number of vulnerabilities reported in 2016 does not yet equal the number recorded in 2015, nearly 40% are critical – and this is a larger proportion than in previous years. So why are there less flaws reported, but more of them proving critical, and what does this mean? In this section, we analyze this paradox and the consequences it might have.
Finally, among the various topics covered, we discuss the reality of mobile malware in the context of unstoppable technological developments, which imply new attack scenarios. The truth is that the rise of virtual reality technology raises new security risks that affect not only digital information, but also users’ physical wellbeing. While these applications collect and store increasingly sensitive data, mobile malware is constantly growing and becoming more complex, therefore reinforcing the importance of, and need for, safe development practices.
Trends 2017: Security held ransom, also details the factors that introduce difficulties to the implementation of internationally effective legislation on cybersecurity. Although significant regulations exist, state-level actors, companies and citizens around the world still face many challenges, as Miguel Mendoza analyzes in his section.
As for the anti-malware industry itself, David Harley walks us through the current view that assumes a split between “traditional” malware detection and “next-generation” signature-less detection. Thankfully, he tears down the myths around the latter.
Vulnerabilities in systems and … in people?
There is an element that cuts through all of these topics. It’s a need that’s bigger than ever and vital to users, companies and vendors in understanding current and future risks, and furthermore, draws attention to the fact that in the era of connectivity, a significant change of mindset is needed.
The common denominator across all sections of the report is the human factor. Consequently, we need to keep working until people stop being the weakest link. If we don’t, we will remain at a stage in which we have users using latest generation technology, but with security concepts from decades before.
As we conclude in the report, it’s not just about educating the end user; governments need to adopt legislative frameworks that promote cybersecurity issues ranging from providing formal education on security issues, to properly protecting critical infrastructure. In this sense, it is also imperative that businesses commit to carrying out proper information security management and that developers do not prioritize usability over the security of their products.
Our Trends 2017: Security held ransom report is also available on our White Papers section. Don’t forget to read it in order to define what 2017 will bring in terms of information security.
by Camillo Gutierrez Amaya, ESET We Live Security