PRINCETON, N.J.—2017 was the year of more cybersecurity—more attacks, more spending, more defenses, more breaches—and 2018 will see more of everything "cyber," plus GDPR enforcement, proxy wars online and more, according to Bank Info Security.
The news outlet shared more about what to expect in 2018, including:
1. More Big, Bad Breaches
As in previous years, 2017 saw a number of big, bad breaches or breach investigation results, some of which pertained to historical mega-breaches.
Bank Info Security pointed out that some of the worst breaches occurred in 2017, such as the Equifax, Yahoo and Uber hacks.
"I don't think this was a good year for dirty laundry," said Tom Kellermann, CEO at cybersecurity venture capital firm Strategic Cyber Ventures. He expects yet more breach cover-ups to come to light in 2018, Bank Info Security said.
Australian data breach expert Troy Hunt also says we'll continue to see even more big, bad breaches.
"We're not retiring systems at the rate we're creating them, so we have a larger attack surface," Hunt told Bank Info Security. "When you see the likes of the Pentagon and the NSA [U.S. National Security Agency] accidentally publishing things to Amazon S3 buckets, you think, what hope is there for the rest of us?"
2. More Poor Security Practices
Brian Honan, president of BH Consulting in Dublin, said that for the past eight years, he's opened the Irish Reporting and Information Security Service's IRISSCON annual Cybercrime Conference in Dublin by calling out these five themes:
- Poor passwords
- Lack of patching
- Out-of-date anti-virus software
- Lack of monitoring
- Using vulnerable and old systems, such as ColdFusion, Windows XP, outdated WordPress and the like
He predicts his themes will be the same for 2018, compounded by organizations continuing to use outdated technology, Bank Info Security reported.
3. More Endpoint Security Woes
One of the biggest outbreaks of 2017 was the May WannaCry ransomware attack.
"WannaCry could have been prevented if people just patched," Avivah Litan, vice president and analyst at Gartner, told Bank Info Security, noting that organizations remain challenged by patch management. "Endpoint security is different than IT management."
That is, while it's easy to roll systems out, it's tough to take systems offline for maintenance or to prioritize what needs to be patched, Bank Info Security explained.
The result is that there are a massive number of systems that have well-known vulnerabilities. No wonder that "80% to 90% of ransomware uses common vulnerabilities," Litan said.
To help, she says all organizations should be using the "latest and greatest" anti-virus software, because the latest generations include much better detection and response capabilities, especially for any product that's tied to the cloud. "They'll see the most benefits," she told Bank Info Security.
4. More Takedowns
2017 saw a number of notable takedowns by law enforcement agencies in the United States and Europe. "This [was] an amazing year for law enforcement in general because of their takedowns and arrests," Kellermann at Strategic Cyber Ventures told Bank Info Security.
With increased sharing of information – via so-called police-led intelligence – security experts say 2018 will hopefully see even more such takedowns, Bank Info Security noted.
5. More Bitcoin Heists
While cryptocurrency values might remain in flux, in recent weeks the value of a bitcoin has been surging.
Cue continuing interest from criminals and cash-strapped nation-state attackers, with North Korea remaining a major culprit as it seeks to deal with continuing sanctions over its missile and nuclear programs, Bank Info Security stated.
"A third of its GDP is projected to come from hacking," Cybereason CISO Sam Curry told Bank Info Security.
"There are at least four very advanced threat actor groups who have been attacking banks in recent years, and about a month ago, they just dropped their activities and moved over to Bitcoin hacking," Gartner's Litan told Bank Info Security, citing information she's received from threat intelligence firms.
Stealing Bitcoins gives attackers a way to generate cash. If they hold onto the cryptocurrency and it rises in value, furthermore, they have even more return on their hacking investment, Bank Info Security said.
"Economic sanctions in the real world" against Russian and North Korean individuals and organizations "are being offset by cyberattacks," Kellermann told Bank Info Security. "It's high time that we pay attention to the money," he added, including how and where it flows.
6. More Extortion Shakedowns
Experts predict that attackers will continue to double down on ransomware and other attacks that involve shaking down victims to amass cryptocurrency.
"The combination of the spreading use of computer and information devices, including through IoT and for all parts of our businesses, aligned with the now common availability of anonymous payment mechanisms, has enabled the growth of cyber extortion at scale," Philip Reitinger, president and CEO of the Global Cyber Alliance, told Bank Info Security.
As outbreaks such as WannaCry have demonstrated, just one strain of malware can have devastating repercussions. "When a single piece of malware can threaten thousands or millions of businesses with a single click, every business is a target for extortion," Reitinger told the news outlet.
7. Online Proxy Wars
"I'm really worried about nation-states fighting their proxy wars using cyber," Art Coviello, the former RSA executive chairman who's now a venture partner at Rally Ventures, an investment firm in Silicon Valley, told Bank Info Security.
"Unfortunately, you are going to see a big investment in cyber weaponry, certainly in the United States," Coviello said. "We're living in the biggest digital glass house on the planet with the greatest attack surface. So, in our case, the best defense is the most powerful offense. We need to discourage attackers. But I worry that we will be in a never-ending cyber arms race."
There are increasing signs that countries are investing in online attack capabilities. For example, the U.K. Parliament's Intelligence and Security Committee recently released its annual report, which touches on the country's increased investment in "offensive cyber capability," Bank Info Security said.
The report notes: "There has been a wide spectrum of successes."
Coviello's concerns about proxy wars fought online are not an outlier, Bank Info Security said. "I'm tremendously concerned with the dramatic increase in capability from North Korea and Iran, both of which have the resolve to do massive damage and who you would consider in cyberspace to be irrational actors," Kellermann said.
8. Market Consolidation
Many information security industry watchers expect to see plenty of mergers and acquisitions in 2018, Bank Info Security said.
"I see lots of consolidation in the coming year; I think most companies are overvalued," Kellermann told the publication. "You're going to see dramatic plays in IoT security and a repositioning of many cybersecurity companies as a platform."
9. More EU Breach Notifications
The EU's General Data Protection Regulation, which is already in force, won't be enforced until May 2018. It represents a major improvement to Europe's data protection laws, demanding transparency in how organizations use personal information, Bank Info Security said.
Under GDPR, organizations must inform authorities within 72 hours of learning that they may have been breached. They must also stop using personal information upon request, unless they have a valid business reason for continuing to do so.
"I expect with GDPR we'll see a huge focus in how to handle and manage security breaches," BH Consulting's Honan, who advises the EU's law enforcement intelligence agency, Europol, on cybersecurity matters, told Bank Info Security. "If you're a business that already practices good privacy and data protection measures, complying with GDPR is not going to be a huge jump."
10. GDPR Fines
EU privacy watchdogs will have the ability to impose fines of up to 4% of a company's global annual profits, or €20 million ($23.5 million) – whichever is greater – on organizations or individuals who violate GDPR. Compliance experts say these fines aren't meant to be punitive, and they expect that the most severe fines would be reserved for organizations that not only failed to invest in proper information security practices but actively covered up breaches or engaged in other illegal behavior, Bank Info Security said.
"GDPR is going to prove a quick flash of fear, much as any new regulation does," Cybereason's Curry told the publication. "CISOs should not let a good crisis go to waste, but I don't think it's going to change things much. They may get some more budget but then things will return to normal ... unless fines start."
