[BreachExchange] Forecast: 2018 Will Be a Cybersecurity Nightmare

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 26 19:52:32 EST 2017


https://www.inc.com/adam-levin/why-2018-will-make-hacks-of-2017-look-small.html

If you think 2017 was bad, hold on for dear life because 2018 is going to
be the worst yet when it comes to cyberattacks. The astounding amount of
personal information "out there" coupled with criminal innovation will
allow cyber incursions of unprecedented scale and sophistication.

There is a confluence of intractable forces informing this prediction.

First, the headline-grabbing data breaches of 2017 cap a five-year run of
hackers relentlessly gutting databases containing personally identifiable
information (PII). Who's been breached? High-profile financial
institutions, media companies, tech giants, merchants, government agencies
and academic institutions, you name it, it's probably been breached. Think
an email address and a name doesn't pose a danger? Think again.

A vast storehouse of stolen consumer data is available on the dark web,
sometimes for sale and sometimes just there for the taking.

While you should be concerned about everything--including breaches where
the only data leaked is name, email address and home address--there are
larger concerns. The information available is not limited to birth dates,
Social Security numbers, answers to security questions, and the like, but
much more granular metadata involving the things you buy, post about on
social media, etc.

These rich data sets will never perish and will forever be available to
crooks who can then triangulate a targeted victim's digital footprints with
stunning precision. That same information can be used to trick you into
turning over the keys to the castle via social engineering, since scammers
can know more than you might think possible, using that knowledge to trick
you into aiding and abetting in self-larceny.

To understand the targeting that is now possible, consider advertising.
Netflix recently singled out 53 of its viewers for mockery as part of a
questionable joke-marketing campaign. Criminals can use that same
information (it's been hacked too). They have the motivation and
programming skills to do so. You're going to get got.

Hacker's recipe

A second ingredient is machine learning. Data analytics applied to large
data sets has become a refined science, thanks in large part to work done
by the financial services sector as well as online advertisers. And more
recently, advanced machine learning techniques are being brought to bear on
network security systems. The trouble is that cybercriminals, as always,
are ahead of the curve. They've been applying machine learning to help them
infiltrate and steal from business networks for a number of years now. They
will continue to make advances in 2018.

That's where the third ingredient - botnets - comes into play. A botnet is
a network of tens of thousands, or even millions, of obedient computing
devices awaiting commands from a single controller. Bots typically are
comprised of personal computers and/or connected devices infected by the
controller via malware or controlled via zero-day exploit, but there have
also been instances of virtual computers assembled by the controller. These
collected devices possess tremendous computing power--literally the
combined strength of all the machines in the controller's network. Botnets
comprise the hub of cybercrime - and they continue to proliferate.

Take one part stolen data, mix in machine learning, pour into a powerful
botnet and we can be certain to encounter more effective ways to pillage
and plunder.

Here are four types of cyberattack campaigns we should expect to see in
2018:

Cryptocurrency hacks.

The combined market cap of Bitcoin, Ethereum, Litecoin and Monero has
eclipsed the $500 billion mark and continues to climb. This makes
cryptocurrencies a viable target for criminally-minded hackers. We are very
likely to see cryptocurrencies get hit so hard values will plummet.

Biometrics vector.

Biometrics readers are now available for not just fingerprints and facial
recognition, but also voice and even the shape of one's heart. The wide
deployment of biometric authentication, leveraging our smartphones, is on
the horizon. This means various parties will be responsible for storing
biometric profiles, which means all of the attack vectors that must be
defended to fully protect stored data will be in play. Persons with
malicious intent are surely studying this. A breach resulting in the loss
of biometric data is inevitable.

Election fraud.

We now know botnets were used by Russian-sponsored operatives to spread
propaganda on Google and Facebook, thus influencing the election of Donald
Trump. And we also know how spoofed identities and access to voter rolls
can be used to smear and obfuscate, as Roy Moore supporters attempted to do
in the Alabama senate race. With so much at stake in each local, state and
federal election across the land in 2018, we will see advancements in these
types of dirty tricks -- iterations that employ machine learning to
leverage stolen metadata, and deploy botnets to scale up attacks.

Critical infrastructure disruptions.

There were a number of disclosures this year showing how Russia, Iran,
China and North Korea have been proactively probing and, in a few cases,
successfully breaching so-called "operational technology" (OT) - the
dedicated networks that run our utilities and manufacturing plants. It's
equally clear that OT networks of companies operating in certain vertical
industries have emerged as strategic targets in event of an all-out global
cyber war. We will see a rise in successful OT breaches in 2018.

What I fervently hope is that we do not experience a major disruption
carried out as part of a global cyber war, though I fear this possibility
as well. As jolting as WannaCry/Petya, the Equifax breach and the Uber hack
were in 2017, those incursions may have been mere warm-ups of what's coming
in 2018.

And by the way, Happy New Year!