Four experts weigh in on the most significant security trends anticipated for next year and share advice on how IT solutions providers can best protect their customers.
As 2016 comes to a close, it’s hard to imagine that security threats could increase as rapidly next year as they did this year. Proofpoint released a quarterly threat summary report earlier this year stating that new ransomware threats were up 600 percent over 2015. In 2014, CryptoLocker netted cybercriminals $18 million, then $325 million in 2015, and an estimated $1 billion this year, according to the FBI.
And ransomware is only one subset of the myriad security threats businesses are facing. As IoT (Internet of Things) becomes more mainstream, it’s taking security concerns to a whole new level. In October, for example, a hacker launched massive distributed denial-of-service (DDoS) attacks using a botnet of 100,000 unsecured IoT devices infected by Mirai malware, shutting down internet access for millions of users.
To get insights on what MSPs can expect to face next year as well as tips for how they can minimize their customers’ vulnerabilities, I spoke with security experts from SOCSoter, SolarWinds MSP, Sophos, and Webroot.
Socially Engineered Phishing Attacks Projected To Increase
One of the most common ways cyberattacks are executed is through phishing, which most often occurs via email. “Years ago you could spot phishing emails easily because there were always lots of misspellings and other grammar errors, and the storylines were often farfetched [e.g. dethroned Prince of Persia],” says David Nathans, director, SOCSoter. “Today’s phishing emails look very similar to those coming from well-known banks, government agencies, shipping companies, and retailers.”
Another form of phishing, social engineering, involves the criminal posing as a trusted company — often via a phone call or email — and building rapport with the victim over time. “The common phishing email will gain in sophistication next year and morph into more creative business email compromise [BEC] attacks,” says Ian Trump, global security leader at SolarWinds MSP. “BEC is a ‘back to the basics’ attack that is more similar to a con job than a cyberattack and bypasses almost all technological security in favor of exploiting the recipient user. Cybercriminals have made huge paydays by simply asking or tricking businesses to fraudulently wire-transfer money to offshore banks.”
Chester Wisniewski, principal research scientist at Sophos, concurs, adding, “We’re also seeing a shift from simply using exploit kits for distribution to using social engineering over email. This is much harder to protect against using technological measures, requiring organizations to spend more time on user education and next-generation tools to stop ransomware in its tracks. There are many types of phishing, and they all seem to be provably easier to execute than attempting to find zero day exploits in software. We have and will continue to see a shift in this direction as criminals can rely on users to click first, think later. For example, in wire transfer scams there isn’t anything to detect to protect the organization; these scams rely nearly 100 percent on exploiting business processes and human weariness.”
Dave Dufour, Webroot’s senior director of security architecture, says phishing attacks will remain the primary method of gaining access to both enterprise systems and personal information in 2017. “Technically speaking, the cybersecurity industry has not made huge gains in protecting users against phishing, so for 2017 we will continue to see more of the same.”
Ransomware Is Moving To The Cloud
Wisniewski believes we will continue to see ransomware proliferate next year, but “I think we might have hit a peak in terms of volume,” he says. “As long as victims continue to pay, there will be someone there to take their money, but only the truly industrious will stick with the scam for the long run. Law enforcement is turning up the heat, and that will likely flush out the weak and the incompetent.”
Thwarting the remaining cybercriminals is going to require security teams or managed security service providers (MSSPs) that are in business for cybersecurity, says Nathans. “One trend we’re going to see with SMBs is more ransomware that’s browser based. Lots of SMBs have resources in the cloud, so ransomware will encrypt data as it’s going to the cloud, then remove the encryption key from the browser, leaving the data that’s stored in the cloud encrypted. The threat is not only to the data but also to the systems that are used to create the data.”
Network monitoring is going to become a must-have for businesses of all sizes, say the experts. “Anomaly detection will become a very important tool for cybersecurity teams in 2017,” says Dufour. “These tools will provide insight into network behaviors never before seen, allowing teams to identify and isolate threats that may not be seen by traditional cybersecurity solutions. Couple this with sophisticated machine models and next-generation endpoint solutions, and an organization begins to have a chance to protect its network infrastructure from continuous attacks by bad actors.”
How IoT Threats Are Evolving
In the last few months of 2016, we’ve seen a rise in the use of IoT devices to conduct DDoS attacks. And this is only going to increase next year, says Trump. “Large numbers of compromised devices have been used in cyberattacks to force websites and services offline — ‘Tango Down’ in the language of malicious actors. Knowledge and awareness of the security problem of IoT is rapidly taking hold, but the regulatory landscape is not equipped to address IoT security. Through most of 2017, we will see IoT DDoS attacks take place — many stronger than anything seen before. I suspect this will evolve to include more ransom demands from cybercriminals threatening DDoS attacks on institutions, especially in social media, banking, and online commerce platforms.”
Nathans concurs and adds, “IoT will increase in feature, function, and storage next year, leading to a bigger platform for more attacks. It’s important for IT solutions providers to understand what devices are doing on their customers’ networks. This is a key step in mitigating these threats.”
It’s not the actual IoT device that is causing trouble in the security industry but rather the IoT gateways or routers, says Dufour. “Significant numbers of new IoT gateways have entered the market using off-the-shelf OEM hardware and software, which has been shown to be vulnerable to attack,” he says. “Many manufacturers of these devices have little understanding of cybersecurity, so these gateways are providing soft targets for hackers. Until this is resolved industry-wide, there is no real incentive to move the actual device because it is much easier and faster to do damage at the aggregation point.”
This will likely get far worse before it gets better, warns Wisniewski. “On the bright side, security thought leaders are beginning to collaborate and establish IoT industry standards, but positive outcomes are not going to be seen for quite some time. Criminals will continue to look into IoT as a tool for DDoS, spying and potentially disrupting industrial and critical infrastructure applications.”
However, this is a huge opportunity for MSPs and IT solution providers to choose robust devices for their customers and identify vulnerabilities in vendors’ devices, say the experts. As trusted advisers, MSPs and IT providers can have a massive impact on protecting their customers from the many dangers within the security landscape.