2016 – The Year of the Cyber Exploit

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.infosecurity-magazine.com/opinions/2016-the-year-of-the-cyber-exploit/

2015 has been another ‘year of the breach’ with almost weekly compromises
becoming the norm. Cyber-criminals seemed often to be one step ahead of the
security industry, using an evolving arsenal of cyber-attack techniques to
successfully breach networks.

New Vulnerabilities

2016 will be considered the ‘year of the exploit’ as we will see a shift to
higher impact cybercrime. This higher consequence crime is currently on the
rise with nation states and organised criminals continuing to steal IP and
other valuable information to gain economic advantages or cause a negative
economic impact in rival countries.

Groups will become bolder in their hacking operations, not content with
just stealing data, but also affecting the functionality of systems or even
destroying the stolen data so a company can no longer access it.

Next year will also be characterised by a rise in stolen DNA and
fingerprints to commit fraud and identity theft.  We will see the stolen
Personally Identifiable Information (PII) and Intellectual Property (IP) of
organisations exploited to commit fraud, replicate identities and
compromise consumers, commercial organisations and intelligence activities.

This will increase the hacking of organisations that hold DNA and other
data like fingerprints as these unique signatures are increasingly used for
authentication to devices and services.  This growing area of criminal
activity will require a holistic approach to monitoring threat levels
across organisations through specialised cyber-security and intelligence
software.

The final emerging vulnerability is the possibility of losing control of
critical national infrastructure. Already, there is a real threat that the
vulnerabilities of critical national infrastructures could fall into the
wrong hands. Nuclear power plant ‘zero-day’ vulnerabilities for instance,
can be purchased for only $8,000. As computer viruses continue to evolve,
malware could be used to take control of the world’s large scale industrial
control system—eventually even extending to transport.

The evolving cyber landscape

2016 will see continuing skills shortage of people with the right
cyber-security skills. People who have direct first-hand experience in
identifying cyber risks and improving defence are in high demand but low
supply and this will worsen as the size of security teams increase.

With such a big shortfall, companies are starting to adopt Security as a
Service (SECaaS) as a stop-gap measure. This outsources their security to
another company that has more expertise and can scale more cost-effective
security to all of its customers. Companies need to understand that while
they can outsource responsibility they cannot outsource accountability, so
they need to consider the benefits and risks involved.

Countering cyber threats

Governments are finally wising up to the fact that cybercrime,
cyber-espionage and cyber-attacks are a defense issue. The way to combat
the threat is through intelligence, and as many governments do with other
forms of security intelligence, cybersecurity threat information will
increasingly be shared between governments and commercial organizations
alike.

We will continue to see these types of initiatives being adopted by
governments, moving cybersecurity and breaches to a regulatory space.
Commercial organisations and government departments need to be prepared for
the impact, and this conversation will once again become a
board-level/ministerial conversation.

As cyber-legislation tightens and requires increased accountability,
companies will need a better understanding of network compromise. Many are
turning to advanced analytics to identify threats and raise the alarm in
order to discover the three stages of a hack: find what’s coming into the
network, what it’s doing inside the network, where it’s leaving the network
and what it’s leaving with.

This will require a greater investment in cyber-intelligence technologies
that enable rapid detection and response. Companies now understand
sophisticated cyber-criminals have rendered traditional perimeter defences,
like firewalls, VPNs, and anti-virus and malware tools ineffective.  A
priority for 2016 will be to detect threats inside the firewall as they
develop to defend and ultimately prevent significant damage from occurring.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!