In its latest Trends paper, titled Security Held Ransom, ESET has identified nine key areas in information security that are likely to have a notable impact in 2017. If there is one overarching theme, it is the challenge posed by the presence of more devices and technologies, many of which are coming together courtesy of the Internet of Things.
Below we capture some of the key ideas discussed in the paper. For more detail and insight, we recommend you get yourself comfortable and read the report in full. It’ll certainly put you in a more informed position when it comes to information security for the year ahead.
Ransomware of Things (RoT)
In 2017, we’re likely to see more instances of ransomware, an upswing in DDoS attacks and more attacks against Internet of Things (IoT) devices … on a bigger scale. Troublingly, notes Stephen Cobb, “there is potential for cross-pollination as
Particularly worrying is the future growth of the Ransomware of Things, whereby cybercriminals hijack a connected device and demand payment for access to be restored to the user.
“TO STOP THE IOT BECOME HOME TO THE ROT, A NUMBER OF THINGS NEED TO HAPPEN, IN TWO DIFFERENT SPHERES OF HUMAN ACTIVITY.”
“To stop the IoT become home to the RoT, a number of things need to happen, in two different spheres of human activity,” Cobb explains.
“First is the technical sphere, where the challenge of implementing security on a vehicular platform is considerable … the second sphere … is policy and politics. The outlook here is not good because so far the world has failed abysmally when it comes to cybercrime deterrence.”
Security education and social responsibility
Needless to say, cybercrime isn’t going anywhere, with 2017 likely to be characterized by a ruthless streak that began to take shape last year. As Camilo Gutiérrez notes, it is more critical than ever for everyone, personally and professionally, to develop a better understanding of the risks.
What is especially important, is for all stakeholders – security experts, companies and educators, to name but a few – to tackle the weakest link in the security chain, the end user.
“Educating users regarding current threats and how they spread can make all the difference in reducing the impact of cybercrime in the future,” states Gutiérrez.
“We should not forget that security is the responsibility of everyone and not exclusive to those of us working in IT. These days, information is equally critical whether handled by a reporter or by an executive.”
The evolution of mobile devices was expected to follow a similar pattern to that of desktops. However, as we’ve seen with smartphones and tablets, the experience, the potential and the technology of these devices is taking us down another altogether exciting road.
Unfortunately, it’s a road littered with obstacles and threats, and it’s set to be another tough year for mobile security, says Denise Giusto Bilić. Malware targeting these devices, in all sorts of sophisticated ways, will be evident in even greater numbers, meaning more effort is required in delivering proactive and reactive security.
“The growth of mobile malware is an undeniable reality, one that we have been predicting since 2013 and which is gaining strength as we speak,” Bilić notes.
“During 2015, new variants of malicious code created for Android averaged 200 a month; during 2016, this number rose to 300 new monthly variants (in iOS the number is 2 per month). We would not be surprised to see this increase continue over the next year, averaging 400 new mobile malware variants per month for Android by the end of 2017.”
As we know, vulnerabilities are one of the ways in which cybercriminals exploit security barriers. The good news is that the number of instances of this kind of compromise is decreasing, after hitting a historic high in 2014.
However, as Lucas Paus explains, this does not tell the full picture, as when it comes to “critical” vulnerabilities, these are in the ascendancy. For example, at the end of October, “the number of critical reported vulnerabilities corresponded to 40% of total vulnerabilities”.
“Both security solutions and the management of both updates and vulnerabilities will continue to play a leading role in the mitigation of [threats],” Paus states.
“These have the objective either of minimizing or eliminating both gaps in defensive measures and information leaks in the coming years.”
Next-gen security software
Working towards a future where there is improved understanding about the perceived differences between so-called first-generation malware detection and next-generation signature-less detection technology, is needed. There is far too much myth-making surrounding the latter, which is not helpful.
“IT’S CLEAR THAT THE DISTINCTIONS BETWEEN ‘FOSSILIZED’ AND ‘NEXT-GEN’ PRODUCTS ARE OFTEN TERMINOLOGICAL RATHER THAN TECHNOLOGICAL.”
Consider, as David Harley does, the purported distinctions between the two are “terminological rather than technological”. If you cut out all the marketing spin and get to the root of it, you can see that next-gen products approach malware in much the same way as the first-gen products – the wording that describes it, however, creates a sense of newness. He adds:
“Similarly, when next-gen vendors talk about behavioral analysis as their exclusive discovery, they’re at best misinformed: the term behavioral analysis and the technologies taking that approach have both been used in mainstream anti-malware for decades.
“In fact, almost any detection method that goes beyond static signatures can be defined as behavior analysis.”
While there were fewer major and successful cyberattacks aimed directly at organizations operating within healthcare in 2016, make no mistake, the threat remains very real. Cybercriminals are keener than ever to launch ransomware attacks within this space, while new technology – think the Internet of Things – is opening up new avenues for malicious activity.
Lysa Myers draws attention to the reality of improper implementation of security, which is inconsistent, flawed and insecure. Detailed assessment of risks is required, backups need to be regularly carried out and a better understanding of the vulnerabilities in equipment is paramount. Professionals also need to be cyber-aware.
“The security of the healthcare industry is likely to be in the spotlight for the foreseeable future,” Myers goes on to say.
“Despite the current troubles, the opportunity exists to make a significant transformation that could serve as a model of positive change for other industries, as the Internet of Things makes its way into our homes and workplaces.”
Threats to critical infrastructure
Cyberattacks on critical infrastructure made the headlines in 2016. It’s a clear trend, and one that has devastating potential (critical infrastructure, as its name suggests, encompass vital assets that allow a country to function effectively – any serious incapacitation/destruction can have severe implications).
Cameron Camp and Cobb are of the opinion that in 2017, some cybercriminals will be looking to focus their attention on these kinds of attacks, especially via the internet infrastructure. Likewise, bolstering security is also on the top of the agenda, with inroads already being made (in the US, for example, there are now 24 ISACs).
“We sincerely hope that efforts like this, and others around the world, get the backing and resources they need to succeed; however, for this to happen it will take more than good intentions,” they both commented.
“It might even require political pressure from the folks most likely to suffer from cyberattacks on critical infrastructure, the electorate.”
Challenges and implications of cybersecurity legislation
As we’ve become accustomed to a world increasingly defined and shaped by technology, we’ve started to see the wider world begin to tackle the legal challenges and complexities surrounding cybersecurity.
From any perspective, let alone a global one, the task at hand is far from easy, discusses Miguel Ángel Mendoza, as “there are various tensions, positions and counterpoints” that decision makers have to contend with. As the highly publicized stand-off between Apple and the FBI has shown, people have very different ideas about what is right or wrong.
“In the light of these challenges and tensions, we can see the need to define clear rules for all stakeholders, perhaps based on international, regional or local agreements, which consider all parties,” Mendoza suggests.
“The objective [is to make] legislation truly effective, capable of being applied and executed.”
When it came to security, computers games did not really enter into the equation. However, with gaming moving online and onto mobile devices, cybercriminals have gravitated towards this immersive and popular environment.
Money laundering, as a case in point, has migrated to the virtual world, explains Puodzius, while big gaming companies are attacked, malware is deployed and gaming networks knocked offline.
“THE EVER-INCREASING NUMBER OF PLAYERS, IN CONJUNCTION WITH IN-GAME MONETARY TRANSACTIONS, POSES MAJOR SECURITY CHALLENGES FOR THE FUTURE.”
“The ever-increasing number of players, in conjunction with in-game monetary transactions, poses major security challenges for the future,” Puodzius states.
“On top of that, integrated networking of gaming consoles with computers and mobiles is growing fast, this can have a significant impact on gaming’s information security in the coming years.”