We had an interesting year in 2017. If any trend is obvious, it’s that 2018 will continue to be interesting for the cybersec industry. How interesting? Here is are the 18 trends that we think will be making the headlines and should be on your radar for 2018.
The Return of the Spam
In 2004 Bill Gates said that spam would be dead in 2 years. Over a decade later, things are still pretty bad. While we can stop greater than 99.95% of spam email, it’s the very few that do get through that are increasingly sophisticated and preying on user vulnerability. You used to get emails focused on Viagra and reclaiming lost fortunes. Now, the spammer is more interested in having you click a malicious link and getting your password or triggering a ransomware and then doing the real damage from there.
Are we getting more spam today than ever before? We are the highest in a few years. However the spam we are getting, and the tiny amount getting through, is much more dangerous.
Continued Growth of Socially Engineered Threats
We talk a lot about this one. Social engineering is the fastest growing area in cyber crime. From Q2 to Q3 2017, there was a 74% increase in phishing attacks.
As Roger Grimes suggests that nearly 100% of attacks can be attributed to unpatched software and social engineering. “A single unpatched software program has at times accounted for over 90 percent of the web-based exploits” and the rest, save perhaps a single percent, goes to social engineering. There are predictions that Business Email Compromise (BEC) will hit $9 billion in 2018. It’s hard to know how accurate of a prediction it is, but BEC is a very serious and growing threat.
The Growth in Cloud and BYOD
An interesting trend in 2017 was a shift from urgency and fear in spam messaging to more social and rewards-focused scams. With the proliferation of BYOD, mobile and remote work, scammers realize that the value is in accessing the work network, rather than an immediate smaller payoff from an individual. And by enticing you with an e-card or mail order bride, they can arouse enough curiosity via your private email to get into your business network. Watch for email and cyber security measures that will protect devices and cloud networks, not only inboxes
In a similar vein, as businesses continue the shift to the cloud, and the traditional idea of a firewall falls, businesses will look for new ways to secure their IT networks, such as Email Archiving Solutions, Encryption, URL Defense, Mobile Defense and….training! With the growing diversity in how and where employees are accessing networks precludes strong awareness and training with a people-first approach.
The last year saw several big ransomware attacks make headlines. Most of their damage was in reputation, legal cost and confidence to the institutions (though the scammers made their own pay). 2 Interesting drivers of this growth are RaaS (ransomware as a service) where unskilled cybercriminals can launch attacks and a growing underground economy.
Ransomware is also growing in concert with Phishing and social engineering, both big trends we are watching in 2018. It will also be interesting to see how cryptocurrency valuations impact ransomware growth.
Speaking of cryptocurrency, there has already been significant investment in blockchain as security technology. Guardtime, out of Estonia, claims to be the largest blockchain company by revenues (perhaps before the most recent sharp surge in cryptocurrency valuations), and has secured all of Estonia’s medical records using blockchain tech. Blockchain has the potential to eliminate passwords, provide advanced encryption, and create tamper proof infrastructure. This will be a fascinating area to watch in 2018.
The government should play a big role in the internet in 2018. Besides net neutrality and data privacy rights, in the EU GDPR comes into effect in 2018. This will dramatically have an impact data policies on multinationals operating in the EU.
After Uber’s second data breach and lengthy delay in disclosure, it is only fair to expect the US to follow suit at some point and create a national legal framework. Then again, they have a lot on their plate at the moment (and it looks only to be getting busier). National legislation will help companies react more sensibly after attacks.
AI in Response to Social Engineering Attacks
A lot of the hope in curbing some of the email and cyber risk is being placed on AI and Machine Learning. Ideally, we can reach a “singularity-like moment” where our algorithms get so advanced that any attempted scam or attack is known well in advance. It’s very challenging – because social engineering and targeted phishing are where the challenge lies. Human error is probably the biggest source of risk today. Can AI stop human error? Here’s hoping.
Domain Spoofing and Suspicious Domain Registrations
In ProofPoint’s 2017 Q3 threat report they noticed an alarming 20 to 1 ratio of Suspicious domain registrations to defensive registrations. This as suspicious domain registrations grew by 20%. There are a lot of frightening numbers in there. They found malicious URLs up 2,200% Q3, year over year.
There’s a lot in there to be frightened about, perhaps brands believe they are have covered their defensive bases. Perhaps as detection of malicious and spoofed URLs becomes faster and are taken offline earlier, scammers are being forced to do more work (or find more ways to effectively automate it). Either way, spoofing and malicious URLs will be a serious threat for those unprotected – and will certainly make headlines in 2018 for the wrong reasons.
Data borders: Kaspersky, China, GDPR
2017 was an interesting year in cross border cyber security. Kaspersky got banned from UK government systems where sensitive information is present. And then late in the year Trump approved a federal ban on Kaspersky.
There are questions as to whether they worked with or were compromised by the Russian government – at the bare minimum it appears that sensitive data, such as from the NSA was being stored in Russia.
Along with other legislation, we expect more governments to begin looking at companies who are exporting your data out of country of origin. “Data Localism” or keeping data in local data centers is already in place in Russia, China and Brazil.
Breach disclosure and other local requirements are also going to be a big concern in 2018. While data protection is a fast growing concern for many enterprises, the way in which disclosure requirements, “rights to be forgotten” and other legal requirements around data evolve will most likely be determined in 2018.
We probably haven’t seen anything yet. Between apparent Russian meddling overseas, an expanding Chinese sphere of influence, and constant media reporting that the United States is on the brink of war with North Korea, who knows what kind of Cyber Warfare may break out, or what role it will play in more “kinetic” conflicts featuring drones, advanced missile systems, naval warfare and more. Of course, we could already be in the midst of this, with WannaCry apparently being sourced to North Korea.
Industry Specific Attacks
Scammers are increasingly targeting their attacks based on where the largest payout lies. These payouts are two-fold. The first on the single payout, finding large and accessible financial transactions. The second is in value of data.
The financial industry and heavy industrials have the large payout and transfers of funds. The Health industry has very valuable data. These industries will continue to see increasing amounts of attacks.
We’ve written extensively on health and security in 2017. We expect this trend to continue through 2018. One group purported that the majority of email addressed as from a healthcare provide were fraud! All the while, with companies with over $1 Billion in revenue, DMARC was properly used by 2% of companies!
Speaking of DMARC
While it might not be perfect, it is going to see mainstream adoption in 2018. It still has seen very low adoption rates in industries like banking, and when it is implemented, there are still often errors in implementation.
Long shot here, but could quantum computing be the savior of the industry? The simplest way that I see this, if you could make many times the calculations, wouldn’t that mean more attacks would be caught sooner? This will dramatically impact the development of AI (machine learning) and also speed up blockchain capabilities, all linked closely to the future of cybersecurity.
Being hacked is a form of abuse. The trauma can serious negative impacts on its victims. Leaked private pictures. Destroyed credit ratings. All kinds of privacy invasion. 2017 saw what might have been the first conference “supporting victims of cyber crime”. The trauma is enduring. Expect this conversation around cyber crime and mental health to become more prominent.
IoT Botnet Strike Disaster Looming?
IOT has long been discussed as being a risk. Now it seems that Botnets could be hiding on your connected devices. Mirai was one such example – a big reason being the use of default settings. It doesn’t appear that botnets are going anywhere just yet.
Biometric Authentication Compromise
Could the trend to biometric authentication results in a major breach? With iPhone and Samsung both experimenting and launching biometric authentication tools, there’s a lot of risk to be explored. Your partner or the person sitting next to you during a flight may not gain information relevant to your employer, but what are the limits? Could a major breach occur if a socially engineered attack was able to work beyond the constraints of biometric authentication? We might find out soon.
The complex technical environment that the security industry has known can make it seem pretty serious. While security skill ares no longer specialists, much of the available information about security is dense and technical, possibly putting off many of the users who organizations need to “know their stuff”. The reality of training and awareness is that we have to find the weakest links in the security chain and upgrade (no pun intended) their stack (no pun intended). People need plain-english information on security. It’s an imperative as an industry we can communicate in plain english and ensure awareness – to avoid human error as much as possible.
The Clearer Business Case.
It’s not always clear how to calculate a cost benefit on email security. “while 85 percent of firms believe that the economic costs from cyber attacks will increase in the coming year, only 23 percent have adopted a strategic plan to address business risks”. In the near future, any BCDR or security contingency will be based on a risk assessment, much like an insurance policy.
That’s the gist of it.
We aren’t going to bold in our predictions. Though perhaps one last bonus one is in order. We’ll go out on a limb and say if you are reading this, your company is better off. You’ll probably take steps to invest in your cyber and email security – if you haven’t already. The fact that you’ve read to this point makes you aware. And for that, we believe that your 2018 will be a safe and happy year!
This is a Security Bloggers Network syndicated blog post authored by Joey. Read the original post at: Vircom | Email Security Experts