Strap in for a bumpy ride this year as cyber criminals step up their efforts to attack businesses both big and small, a security technology company warns.
Cyber security is a crucial area for SMEs in this era of increasingly complex technology with the hacking, phishing, ransomware and other nefarious online activities it has spawned. Much research released last year noted that many small businesses believe such attacks are aimed at corporations. In fact, smaller organisations are often the target because they do not have defences in place.
So business owners can be forewarned and forearmed, Inside Small Business asked Sylvain Lejeune, WatchGuard Technologies’ Asia Pacific/Japan VP for sales, about the company’s IT security predictions for the year ahead. They include such security issues as IoT botnets, system attacks, cyber insurance sparking more ransomware attacks, the commoditisation of wireless attack tools, and cryptocurrency risks.
Here are WatchGuard’s predicted IT security trends for this year:
Authentication is the weakest link in security. Verizon’s latest data-breach report says that 81 per cent of hacking-related breaches resulted from stolen and/or weak credentials. If an attacker gains access to the credential of just one employee, they can breeze right past your security controls as a “legitimate” user.
Constant breaches and password database thefts show that password best practices are too difficult for average users. As a result, the industry has moved toward other authentication factors, such as biometrics. While these will help solve the usability issue, they have their own security concerns. Most security experts agree that multi-factor authentication (MFA), which involves at least two factors to authenticate users, is the most secure authentication option.
Unfortunately, effective MFA systems have remained largely out of reach for the average small- and medium-sized business. While enterprise multi-factor technology is quite mature, it often involves complex on-premise technology and expensive hardware tokens that most small businesses can’t afford or manage. However, the growth of software as a service (SaaS) and smartphones has introduced new MFA systems that are inexpensive and easy to use. Many SMEs will adopt these systems to secure their more privileged accounts and users. It will be the year of MFA for SMEs.
The Mirai botnet in 2016 showed the world just how powerful an army of IoT devices can be. Attackers used Mirai to launch record-breaking distributed denial of service (DDoS) attacks against such websites as Netflix, Reddit and Twitter. As IoT device adoption continues to skyrocket, adding billions of network endpoints every year, attackers continue to target these devices because of weak or non-existent security. They have already started improving on the Mirai source code, which will mean larger and stronger botnets this year. For example, the Reaper botnet exploits common vulnerabilities to gain access to the devices. As attacks become more effective, the damage they cause will grow until the IoT manufacturing industry is forced to add stronger security to its products. Be on the watch for a major IoT botnet attack this year that may finally cause governments to address IoT security.
Regulations will most likely affect manufacturers of consumer-grade IoT devices first, as the end users do not have the knowledge to secure their own devices. These regulations will likely mirror liability-oriented regulations in other industries, where the manufacturer is held at least partially accountable for flaws in its products.
WatchGuard’s quarterly Internet Security Report shares details about malware and network exploits its products detect and block internationally, as well as the results of research by the WatchGuard Threat Lab. A recurring trend in its reports has been the growth of attacks on the Linux operating system, largely targeting IoT devices. For instance, Linux incidents comprised 36 per cent of malware attacks in the first quarter of last year. This continued in the second quarter, and research from the Threat Lab subsequently uncovered many attacks targeting Linux-based systems, similar to the Mirai IoT botnet.
This leads WatchGuard to believe there will be a dramatic upswing in attacks on Linux systems this year. The company’s research confirms that increased criminal focus on Linux is driven by a desire to target IoT devices. While IoT devices are technically diverse, many are inexpensive with embedded Linux systems and highly insecure defaults. Attackers are expected to continue to take advantage of these insecure devices to fuel their botnets. In fact, WatchGuard expects Linux-specific attacks to double this year.
Cyber insurance has been around for more than a decade, but the growing number of publicly disclosed breaches and successful ransomware incidents has caused awareness of it to grow significantly in the past few years. In countries where breach disclosure is mandatory, cyber insurance helps cover the costs and sometimes resulting lawsuits. Insurers have started promoting optional extortion insurance packages that cover the costs of ransomware and other cyber extortion. In some cases, the insurers even pay the ransom to help the victim recover their information.
WatchGuard expects SMEs to continue to adopt cyber security insurance, including optional extortion packages. This can help reduce the costs of security incidents and help businesses recover, especially SMEs that might otherwise be driven out of business. That said, cyber insurance does not and should not replace security controls and best practices – it should complement them. WatchGuard predicts insurance companies will implement stronger guidelines that require companies to have security controls in place as a prerequisite for insurance. When combined with other layers of security, cyber insurance is a great addition to a company’s cyber security strategy.
However, there is a risk that some types of cyber insurance will actually encourage ransomware. It is a concern that insurers sometimes pay ransoms to recover client data. It is an understandable business decision. Short term, the cost of ransom may seem much smaller than the cost of recovery for victims that do not have backups. However, insurers have no long-term actuarial data for cyber incidents and ransomware. Does paying a ransom encourage this criminal business model? Will it lead to more incidents or the ransom price being raised?
WatchGuard predicts that ransomware criminals will target extortion insurance customers this year and also increase their demands. Compared to spam messages, which typically have less than a 1 per cent success rate, most studies show that at least a third of ransomware victims pay. This has already caused ransom prices to go up, resulting in fewer victims paying (as in the WannaCry case). This means ransomware criminals will target organisations they know are more likely to pay. As insurers will often pay if the situation demands, smart ransomware authors will target insurers to find which organisations have extortion insurance, then target those companies directly with ransomware.
The commoditisation of attack tools with simple user interfaces has made it possible for curious amateurs to perform advanced Wi-Fi attacks. Amateur Wi-Fi hacking has attracted a large following; there are nearly 3 million “how to” tutorial videos online on how to perform man-in-the-middle attacks using commoditised attack tools to steal sensitive information out of the air.
The same trends that spurred the expansion of Wi-Fi hacking are now spurring criminal activities involving other wireless standards. These trends are possible because of the affordability and availability of software-defined radios (SDR), a radio frequency (RF) technology that allows a device to talk and listen to a broad range of wireless frequencies. SDR-based attack tools have already been introduced to the market, and the community of YouTube videos is growing quickly with “how to” topics ranging from unlocking luxury-car doors to spoofing GPS signals.
At the same time, demand for wirelessly connected devices continues to grow sharply, and equipment vendors are incorporating wireless connectivity into products ranging from cars to gas/water meters, personal health devices and alarm systems. This creates many interesting new targets for wireless hacking.
Expect attacks this year using SDR technology to intercept and decode traffic from a variety of wireless devices, including Bluetooth.
When most people think of cryptocurrency and blockchain technology, the first thing that comes to mind is Bitcoin. While this was the first cryptocurrency and is still the most popular, there are actually many different crypto coins such as Ethereum, Litecoin and Monero, all of which maintain total market capital exceeding $1 billion.
Each new cryptocurrency brings innovations to its respective blockchain. Ethereum’s blockchain, for example, acts as a fully decentralised computer capable of running applications. However, these extra blockchain features introduce additional security considerations. Ethereum saw its value nearly halve in 2016 when hackers exploited a vulnerability to steal more than $50 million in Ethereum cryptocurrency. Bug bounty programs and public code reviews have since become a major part of blockchain development, yet the attacks continue, including one that hit an Ethereum multi-signature code wallet and made between $100 and $500 million in Ethereum permanently inaccessible.
As the value of these cryptocurrencies grows, they will become appealing targets for cyber criminals. WatchGuard predicts hackers will find a vulnerability severe enough to completely wipe out at least one cryptocurrency by destroying public confidence in its security.
“Mandatory data breach notification legislation is imminent,” says Lejeune. “Time is fast running out for businesses to ensure they have systems and processes in place to comply.
“As well as this new law casting its shadow over the security minefield this year, I have no doubt we will also see cyber criminals harnessing even more internet-connected devices to create greater havoc. Ultimately, the only way businesses will be able to stay one step ahead is to maintain comprehensive visibility and automated mitigation capabilities across their networks so everyday attacks can be instantly detected and blocked.
“However, security is not just an IT problem. It has now become a risk-management issue for many Australian organisations. As a result, we would expect this year to herald an environment where people, processes and technologies are combined to ensure businesses take every measure possible to protect themselves from threats.”