It’s that time of the year when the information security industry takes part in its annual tradition: coming up with cybercrime predictions and trends for the next 12 months. These lists usually range from the mundane to the bizarre, to the lighthearted and the dire (perhaps depending on the predictors’ consumption of eggnog and/or dystopian sci-fi media). Many have about as much accuracy as one might expect of people who are experts but not psychics. Still, you never know.

As regular readers of We Live Security will know, every December the ESET researchers put together their own predictions and trends for the coming year. In 2014, the emphasis was on APTs (advanced persistent threats) and attacks targeting the corporate world. This year, we’ll be offering a deeper analysis on a variety of topics such as IoT, ransomware, crimeware, haxposure, Windows 10, and critical infrastructure among others.

The full article will be released soon and you’ll be able to download the full version directly from our white paper section. What now follows is a brief, occasionally tongue-in-cheek view from a number of ESET researchers on what they expect 2016 will bring.
From David Harley:

· More convergence between tech support scams and real malware, especially ransomware.
· Increased targeting of platforms other than Windows for pop-up fake alerts and for ransomware.
· In the UK at least, NHS sites will continue to be slammed by security bloggers for squandering their pitiful resources on direct healthcare instead of upgrading computer systems.
· More toys will follow the Pink Fink (aka Hello Barbie) into the Internet of Things (IoT), despite concerns about privacy and the continued attention of researchers probing for scareworthy vulnerabilities.
· Understandable panic about terrorist attacks and other manifestations of physical violence will be translated into calls for the weakening of encryption and the abolishing of privacy.
From Aryeh Goretsky:

· We will see an increase in the usage of virtualization technology by home and SOHO (small office/home office) users, followed by an increase in attacks on them.
· Adobe Flash, PDF and Oracle Java will remain targets of opportunity. (Keep ‘em patched, folks!)
· Web frameworks (Drupal, Joomla, Typo3, WordPress, etc.) will also be targeted, and exploits for them will increase in value.
· Web performance, optimization, analytics, personalization and other related service networks (think Newrelic, Optimizely, Parsely, etc.) will be increasingly targeted via both sophisticated attacks (i.e. code injection of specific customers) and unsophisticated attacks (DDoS).
· Windows will still be a target.
From Bruce Burrell:

· High-visibility breaches will continue. This will be across all sectors, of course, but the press (and hence the public) will probably pay the most attention to the ones in retail and healthcare. The organizations affected will take restorative and preventative measures in the short run — then they will revert to NIMBYism.
· Elsewhere, there will be lots of corporate board handwringing and, in some businesses, perhaps even occasional increases in security funding.
· Unaffected end users will be anxious, until the next news cycle. Afflicted users, of course, will stay anxious longer, when they realize their identities have been stolen, or funds drained, or that they can’t get health insurance because …
· Regrettably, if 2016 unfolds like previous years, not enough will happen, as far as end users and businesses actually doing anything to protect themselves.
· Legacy devices will continue to be used in healthcare, because there is a perception, real or imagined, that it is not viable to move away from them. New devices will not have anywhere near sufficient security baked in until long after the 2016 timeframe. The exceptions will be few and far between — but we should do everything we can to encourage those vendors who ‘do it right’.
From Stephen Cobb:

· In 2016, healthcare IT managers will be under pressure from 3LAs on three sides: fresh OCR HIPAA audits and penalties; more aggressive FDA action on vulnerable medical devices and pseudo-medical apps; and at least one FTC action against a wearable or IoT device or app used in wellness programs.
· 2016 may also see the responsible disclosure debate hit healthcare IT, just like the live Jeep hack demo hit the automotive industry in 2015. Many security experts oppose risky public demonstrations, but there is no denying the power of a video showing a car being disabled on the highway, which accomplished what several previous parking lot demos did not: a whole new level of public and congressional attention.
From Cameron Camp:

· IoT security will continue to make headlines, but if your digital ‘e-bear’ toy gets hacked you are in no certain peril, aside from a trip to the store to return it. Expect 2016 to be the year of the full-frontal assault on all things IoT though, where cybercriminals will find new ways of attacking unsuspecting victims through their new flock of ‘digital doo-dads’. But it will still take more time to find the ‘killer bad app’ nemesis for the IoT.
· SCADA (supervisory control and data acquisition) hacking becomes a nation state day job for more people. After years of tinkering and poking the doors of unsuspecting industrial players, nations will pride themselves on having SCADA digital chops.
· Credit cards will still get hacked – despite EMV. Where there’s money, there will be hackers, no matter the technology. Still, EMV raises the bar a bit and makes hacking more expensive, which is good.
From Lysa Myers:

· Governments around the world will continue to pass laws that belie an understanding of technology, especially encryption and networked communication.
· Companies will continue to pump out toys, fitness devices, ‘smart home’ devices, apps, etc., that leak personal information like Snoqualmie Falls in an El Niño year.
· Healthcare companies will continue to lead the Breach Parade, as medical device manufacturers continue selling equipment with woefully outdated software and operating systems, and electronic health records are implemented without sufficient risk assessment.
· (Hopefully) more device manufacturers will publish responsible disclosure procedures for reporting vulnerabilities in their products.
· More devices and accounts will add simple – and perhaps novel – authentication techniques that allow people to increase their security.
· More chip and signature terminals will come online in the US, and be closely followed by complaints from retailers that they’re significantly slower than magstripe cards.
Each of us had our own area of concern, according to our particular specialties, but we all predict many of the same outcomes for next year. From the 10,000 foot view, this could best be summarized as ‘things will continue along the same trajectory’. This could be considered a fairly pessimistic view, and yet a rather obvious one.

That said, the upcoming year – as with all years – brings the possibility for many learning opportunities, which offers plenty of scope for improvement. Unspoken jokes about job security aside, we very much hope this coming year yields greater transparency and understanding of security issues, which generates more and substantial improvements in privacy and security for everyone. Please stay tuned to We Live