Here at Imperva, we’ve seen a lot in our more than 14 years in the cyber security industry, and 2016 was no exception. Data breach after DDoS attack after insider threat: hackers upped their game, with all signs pointing to more threats, not fewer. Armed with our own research, lessons from customer engagements, and the wealth of crowdsourced data analyzed from installations around the world, we looked ahead and picked out the significant trends IT security pros can expect to see in 2017.
1. Botnet of Things
Carried over from last year’s predictions: most connectivity growth is coming from the Internet of Things (IoT): surveillance cameras, fitness wearables, smart devices of all types, and other connected appliances. These devices combine embedded computing and communication abilities with relatively high mobility, yet they have no professional system or software management. And since end users rarely change default passwords, the devices are ripe for compromise. Mirai-infected surveillance cameras and the digital video recorders attached to them provided exactly that opportunity this past year.
Depending on the adoption pace of IoT, we expect to see two distinct trends. First, a surge in the number and size of botnets. From a research perspective, we treat IoT bots much like compromised residential routers: most IoT devices sit inside home networks and aren’t directly exposed to the web. That said, we’ll likely see a few internal incidents that are ultimately traced to a compromised IoT device that was (inadvertently) brought within range of the organization’s network.
Second, we’re going to see even more botnet-for-hire activity. Sophisticated botnets are easier to rent than ever before; prices are dropping and sizes are increasing. With botnets so readily available, anyone can launch a fairly sophisticated attack without any hacking expertise whatsoever, and where there’s opportunity for mayhem, it happens. We’re not expecting the security of IoT devices to improve, so whatever new types of IoT device enter the market in 2017 are likely to become the next botnet platform.
What you can do:
Consumers: Change the default passwords on connected IoT devices! A default password is not just the equivalent of leaving your door unlocked; it’s like leaving it wide open. If the device exposes telnet or another remote administration service you don’t need, disable it as well: the Mirai bots spread by logging in over telnet with default credentials.
Organizations: The abundance of botnets for hire clearly increases the need for DDoS protection. More organizations of all sizes and verticals are bound to receive ransom demands or face network disruption unless they proactively take the right measures. Additionally, compromised IoT devices are going to surface as a new vector for internal compromise, raising the need for an insider threat protection strategy that covers devices, not just people.
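One concrete way to catch the internal-compromise case above is to look for the scanning behaviour an infected device exhibits before anything else happens: a Mirai bot sweeps random addresses on TCP 23 and 2323 looking for more victims. The script below is an added example, not Imperva’s code; it replays constructed flow-log lines in a hypothetical `key=value` format and flags any internal source that touched many distinct destinations on those ports within a short window. The port pair, the window and the threshold are assumptions chosen for the demo.

```python
"""Flag internal hosts that behave like a Mirai-style telnet scanner.

Added example, not Imperva code. Input is a list of constructed flow-log
lines in a hypothetical 'ts=... src=... dst=... dport=... proto=...' format;
the port pair, window and threshold are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}        # ports the Mirai scanner probed
THRESHOLD = 20                   # distinct destinations within one window
WINDOW = timedelta(minutes=1)


def parse_flow(line):
    """Parse one hypothetical key=value flow record into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
    }


def find_telnet_scanners(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: peak_distinct_dsts} for sources that reached at least
    `threshold` distinct destinations on telnet ports inside any window."""
    events = defaultdict(list)   # src -> [(ts, dst)] for telnet-port flows only
    for line in lines:
        f = parse_flow(line)
        if f["proto"] == "tcp" and f["dport"] in TELNET_PORTS:
            events[f["src"]].append((f["ts"], f["dst"]))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        peak, start = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def constructed_flows():
    """Constructed sample: a camera sweeping 40 external IPs on 23/2323 in
    40 seconds, plus a laptop doing HTTPS and repeated telnet to one switch
    (one destination, so not a scan)."""
    t0 = datetime(2016, 11, 21, 3, 14, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(40):
        port = 2323 if i % 10 == 0 else 23
        ts = (t0 + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"ts={ts} src=192.168.1.52 dst=203.0.113.{i + 1} dport={port} proto=tcp")
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"ts={ts} src=192.168.1.10 dst=198.51.100.{i % 5 + 1} dport=443 proto=tcp")
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"ts={ts} src=192.168.1.10 dst=192.168.1.1 dport=23 proto=tcp")
    return lines


if __name__ == "__main__":
    print(find_telnet_scanners(constructed_flows()))
```

The distinct-destination count is what separates a scanner from an administrator: the laptop opens telnet 25 times, but always to the same switch, so it never trips the rule. In practice you would feed this from a NetFlow or firewall export and tune the threshold against a few days of baseline traffic.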
2. Ghosts from the Past
While IoT is shiny and new, other still-viable threats are stuffed in the back of the closet, covered in dust. If there’s one thing everyone learned this past year, it’s that breaches, even the largest of them, can go undetected for years. Troves of data apparently compromised as long ago as 2012 popped up on the Darknet in 2016, which means at least some of it had been circulating for years. The recent discovery that over one billion Yahoo! user accounts were stolen in 2013 is a case in point: it took three years for Yahoo! to learn of the breach, and only after law enforcement had been made aware of it by a hacker.
The Madison Square Garden episode, reported in late November 2016, is another example; it was only detected when the compromised data, including cardholder names, credit card numbers, expiration dates and internal verification codes, was exploited by miscreants. While the stolen account passwords weren’t in clear text, a year elapsed between the leak and its eventual detection, giving the attackers plenty of time to crack most of them.
Incidents involving the LinkedIn, Dropbox and Yahoo! user databases teach us that when it comes to covering their tracks, perpetrators remain far more adept than enterprises. Alleged breaches are often detected only when leaked information surfaces on the web, and elapsed time is a major factor in the damage done. If enterprises are able to detect breaches promptly, a lot of that damage can potentially be avoided.
We can expect ghost hacks from prior years to continue to haunt us in 2017, likely in even bigger numbers than we have seen so far (in terms of incidents, not records). It’s more than likely that new breaches occurred in 2016 that we won’t learn about until 2018 or beyond.
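“Not in clear text” buys very little time when the hash is fast and unsalted, which is how LinkedIn’s 2012 database was stored (plain SHA-1). The script below is an added example, not Imperva’s code, that cracks a constructed leak in both styles: with unsalted SHA-1 one hash per guess serves every account, while with a per-user salt and PBKDF2-HMAC-SHA256 every guess must be re-derived per account and each derivation is deliberately expensive. The wordlist, accounts, salts and iteration count are constructed for the demo.

```python
"""Unsalted fast hash versus salted slow KDF: why a year is plenty of time.

Added example, not Imperva code. The wordlist, accounts and salts are
constructed; PBKDF2_ITERATIONS is kept low so the demo runs quickly.
"""
import hashlib
import time

WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2016", "dragon"]
PBKDF2_ITERATIONS = 50_000   # demo value; production deployments use more


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hex(password, salt, iterations=PBKDF2_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed leak stored the way LinkedIn's 2012 database was: unsalted SHA-1.
LEAK_SHA1 = {
    "alice": sha1_hex("password"),
    "bob": sha1_hex("Summer2016"),
    "carol": sha1_hex("correct horse battery staple"),
}

# The same users stored with a per-user salt and PBKDF2-HMAC-SHA256.
SALTS = {user: f"salt-{user}".encode() for user in LEAK_SHA1}   # constructed salts
LEAK_PBKDF2 = {
    "alice": (SALTS["alice"], pbkdf2_hex("password", SALTS["alice"])),
    "bob": (SALTS["bob"], pbkdf2_hex("Summer2016", SALTS["bob"])),
    "carol": (SALTS["carol"], pbkdf2_hex("correct horse battery staple", SALTS["carol"])),
}


def crack_unsalted(leak, wordlist):
    """No salt: hash each guess once, then look every account up in the table."""
    table = {sha1_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in leak.items() if h in table}


def crack_salted(leak, wordlist, iterations=PBKDF2_ITERATIONS):
    """Per-user salt: each guess must be re-derived for every account."""
    cracked = {}
    for user, (salt, stored) in leak.items():
        for guess in wordlist:
            if pbkdf2_hex(guess, salt, iterations) == stored:
                cracked[user] = guess
                break
    return cracked


def seconds_per_call(fn, n):
    start = time.perf_counter()
    for _ in range(n):
        fn()
    return (time.perf_counter() - start) / n


def slowdown_factor():
    """How many times more work one PBKDF2 guess costs than one SHA-1 guess."""
    fast = seconds_per_call(lambda: sha1_hex("guess"), n=2000)
    slow = seconds_per_call(lambda: pbkdf2_hex("guess", b"salt"), n=5)
    return slow / fast


if __name__ == "__main__":
    print("unsalted SHA-1:", crack_unsalted(LEAK_SHA1, WORDLIST))
    print("salted PBKDF2: ", crack_salted(LEAK_PBKDF2, WORDLIST))
    print(f"one PBKDF2 guess costs about {slowdown_factor():,.0f}x one SHA-1 guess")
```

Both runs recover the two weak passwords and miss the strong one; the difference is cost. In the unsalted case a single precomputed table cracks every account in the dump at once, so the attacker’s year of undetected access is vastly more than enough. The slowdown factor, on the order of tens of thousands even at this low iteration count, is what turns that year into a real obstacle.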
What you can do:
While enterprises should remain vigilant in preventing exfiltration of sensitive data, they’d benefit from placing more emphasis on timely incident detection. Take a fresh look, and don’t let perfect be the enemy of good: organizations don’t have to constrain themselves to real-time detection to shorten threat discovery times. A retrospective sweep over yesterday’s or last week’s logs that surfaces a breach within days is a huge improvement over learning about it years later from a Darknet listing.
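As an illustration of the non-real-time approach, the script below replays a month of constructed database audit summaries and flags any day on which an account pulled far more rows than its own history suggests. It is an added example, not Imperva’s product logic; the `date=… user=… rows=…` format, the multiplier and the absolute floor are assumptions, and the log lines are constructed so that one service account has a single exfiltration-sized day while a nightly reporting job that always reads a lot is left alone.

```python
"""Retrospective (batch) detection of bulk data pulls from audit summaries.

Added example, not Imperva code. The log format and thresholds are
assumptions for the demo; the log lines are constructed.
"""
from collections import defaultdict
from statistics import median

MULTIPLIER = 10      # a day must exceed 10x the account's median day...
MIN_ROWS = 10_000    # ...and this absolute floor, so tiny baselines don't alert


def parse_audit(line):
    """'date=YYYY-MM-DD user=... rows=N' -> (date, user, rows) (hypothetical format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["date"], fields["user"], int(fields["rows"])


def daily_totals(lines):
    """Aggregate rows read per account per day."""
    totals = defaultdict(lambda: defaultdict(int))   # user -> date -> rows
    for line in lines:
        date, user, rows = parse_audit(line)
        totals[user][date] += rows
    return totals


def find_bulk_days(lines, multiplier=MULTIPLIER, min_rows=MIN_ROWS):
    """Return [(user, date, rows, baseline)] for anomalous days.

    The baseline is the median of the account's *other* days, so a single
    huge day cannot drag its own baseline up and hide."""
    alerts = []
    for user, by_day in daily_totals(lines).items():
        for date, rows in sorted(by_day.items()):
            others = [r for d, r in by_day.items() if d != date]
            if not others:
                continue
            baseline = median(others)
            if rows >= min_rows and rows > multiplier * baseline:
                alerts.append((user, date, rows, baseline))
    return alerts


def constructed_audit_log():
    """30 days of constructed summaries: app_svc reads ~1,200 rows/day except
    for one 400,000-row day; report_job legitimately reads 50,000 every day."""
    lines = []
    for day in range(1, 31):
        date = f"2016-10-{day:02d}"
        rows = 400_000 if day == 17 else 1_100 + (day % 5) * 50
        lines.append(f"date={date} user=app_svc rows={rows}")
        lines.append(f"date={date} user=report_job rows=50000")
    return lines


if __name__ == "__main__":
    for user, date, rows, baseline in find_bulk_days(constructed_audit_log()):
        print(f"{date} {user}: {rows:,} rows (baseline {baseline:,.0f})")
```

Run nightly against the previous day, this closes the detection gap to about 24 hours; run once over a year of retained audit data, it is exactly the kind of look-back that finds a 2016 breach in 2017 rather than 2018. The per-account baseline matters: a global threshold would either alert on the reporting job every night or miss the service account entirely.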
3. The End of Defense in Depth
The past five years have been a tremendous challenge for security teams; they’ve continually deployed more systems and technologies, only to grow increasingly frustrated by new risks and attack vectors.
At the beginning of 2016, we sensed some complacency among security teams: a belief that the prior year’s investments would eventually pay off and that they weren’t going to suffer a major data breach. Then they found they’d complete one security project only to learn of a new threat requiring deployment of yet another technology. Small, nascent security companies touted solution after solution, showering sales prospects with apocalyptic scenarios, and “solution creep” set in.
Many organizations have been buying trends rather than mitigating risks, and continuing to use outdated solutions out of commitment to a defense-in-depth strategy that no longer serves them. Antivirus is a good example: security experts have been publicly stating that antivirus has lost its efficacy ever since Imperva’s study was cited in The New York Times three years ago.
Add to that threat alert fatigue. In the December 2016 McAfee Labs Threats Report, 93 percent of the 400 security professionals surveyed reported that they aren’t able to triage all relevant threat alerts. Between trying to find the needle in the haystack and running around like the little Dutch boy plugging the dike with his finger, they’re suffering from burnout.
We predict enterprises will try to improve usage of their existing security arsenal in 2017 and smarter organizations will rethink their strategy in general.
What you can do:
Develop a comprehensive plan that addresses your specific business threats rather than the full array of current attack vectors, and finally retire dated technologies. Early adopters went through this process in 2016 and are emerging in 2017 with new buying patterns.