[BreachExchange] Cyber-security in 2017 – brace yourself

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 5 19:09:34 EST 2016


http://www.itproportal.com/features/cyber-security-in-2017-brace-yourself/

If there’s one thing you can say with certainty about cyber-security in
2017, it’s that many companies are going to fail because they are simply
not doing the right thing. Fundamental flaws still exist.

It's about the business

Until the technical people lift their heads up and see that security and
business are different sides of the same coin, we will inevitably see more
damaging attacks. When security people learn to speak in the language of
business they will begin to understand just where in the organisation they
need to apply their expertise.

This might mean sensible configuration choices, cautious security policies,
vigilance, and a willingness to read server logs the way some people read the
morning newspaper, in order to spot targeted attacks early.

Of course, this won’t stem the malware tsunami, but it will help defend
against it. Leading the malware charge in 2017 will be ransomware. Like
2016 it will be more of the same, with one important and fundamental
exception: ransomware will be more sophisticated.

Advanced attack vectors

Ransomware encryption schemes are becoming harder to break, while ransomware
attack vectors are becoming alarmingly advanced. Ransomware can now enumerate
previously mapped network drives, mount them, encrypt their contents and then
unmount them, reaching far deeper into the network than the initially infected
machine.

However, the efficiency of ransomware as a tool for fraud will also be
slowly undermined. One misconception about ransomware is that once the
ransom is paid, the victim receives the keys to unlock their files.
Increasingly we are seeing instances of this not happening. The fraudsters
are simply taking the money and running.

Criminals dumbing down

As ransomware is now available as-a-service, it is reaching down into the
lower levels of the criminal underworld and organised crime networks. The
type of villain who uses the ‘service’ might have previously been involved
with keeping crooked books for instance.

As such, they cannot be bothered to send decryption keys, which of course
will erode the value of ransomware as victims increasingly refuse to pay the
ransom.

IoT security

Another major area of concern is the security of IoT devices. It’s fair to
say that the existing state of device security isn’t great. Some devices
are managed by web consoles that don’t even use TLS. Some devices ship with
hard-coded passwords that cannot be changed. It would be good to see
manufacturers take some responsibility, but this is unlikely as they
operate with tight margins and are unlikely to take on tasks that eat into
thin profits.

If we’re lucky, we will see the emergence of pressure groups consisting of
industry vendors and third parties who are no longer willing to sit back
and watch major hacks unfold.

Questioning machine learning

Another area to keep an eye on is machine learning. As with any new
technology it’s usually proclaimed with a loud fanfare and over exaggerated
claims that often fall just short of guaranteeing freedom for all and world
peace. In terms of security, machine learning does promise a lot of
potential but when you drill down some serious questions need to be asked.

In 2017 we’re likely to see these questions put forward with some force, as
it becomes apparent that machine learning in the security realm has flaws.
For instance, how are the machines learning, are millions of good and bad
results being fed into the machine to ensure accurate analytics and what
kind of input is coming from security labs and research teams?

These are important questions, and with the advent of next-generation
endpoints, such as mobile devices and laptops designed to work with
machine-learning-based security, defence in depth is vital to ensure success.
If machine learning vendors cannot answer these questions with confidence,
then you can expect to see machine learning in security take a dive.

Shock of GDPR

An area where you can expect to see panic break out is the European Union’s
General Data Protection Regulation, or GDPR as it’s more commonly known. At
the moment UK organisations are displaying naivety towards GDPR, which comes
into effect in May 2018. Many are hiding behind Brexit and taking the view
that the UK won’t be in the EU come May 2018, so GDPR won’t affect them.
However, if a business operates in Europe, or handles the personal data of
people in the EU, it will.

To meet GDPR requirements, measures need to be put in place in 2017. Many
companies have already finalised budgets for 2017 but haven’t made any
provision for GDPR. With no budget provision, there’s going to be an awful
lot of flapping when companies realise that they are nowhere near
compliance-ready.

Big fines, big panic

GDPR also reaches up to the board, and data breaches can result in
enormous fines of up to 4 per cent of annual worldwide turnover (or €20
million, whichever is higher). This can and will translate, in some cases,
into fines that run into millions of pounds. Are executive directors aware
that if they show negligence in protecting customer data they’re going to be
hit really hard?

In summary, it would be uplifting to say that we’re not going to see any
more major breaches, that fundamental flaws will be addressed, that new
technologies are going to change the security landscape for the better and
everyone is set for GDPR. In reality, while we will see some positives we
also need to prepare our businesses for more breaches and more hacks.