As the year comes to an end and we reflect on our individual lives and recount the year’s major events, we can plan, prepare and make resolutions for the new year. This retrospection at the start of the year is a great time for cyber security reviews as well. We can review the revelations of the last year or two, analyze trends and temper our expectations coming into 2016. We can even make some resolutions to implement the security practices we all know we’re lacking, or shed a few extra pounds by closing out some of those pesky risks we should have closed up the year prior. In this light I wanted to take the time to review some major trends and items from the last two years as a basis for what we can expect in the year to come, with an emphasis on the items I think will make major news throughout 2016.
The continued expansion of mobile software and the integration of these devices into our daily lives are hardly anything new, and they certainly explain the expansion of mobile device malware. With Apple Pay, Samsung Pay, Google Wallet, and offerings from PayPal and Intuit among others, we see our personal threat surface, our exposure to risk, increasing with more vulnerabilities, often with very little corresponding investment in personal security by consumers. The reward for hackers is so great that every year the industry grows, the development of malware also increases, usually significantly more. McAfee estimates the total cost of cybercrime in 2014 at anywhere from $375 billion to $575 billion.
It will likely be a month or two before all of the 2015 statistics are fully researched and released; however, Symantec, which monitors these events, estimated at the end of 2014 that 17% of all mobile apps were malware, with 168 new known mobile vulnerabilities listed versus 127 the year before. Kaspersky, which also monitors these events, estimates that in 2015 14% of all known vulnerabilities used in cyber-attacks were on Android devices. As such we should all expect the statistics to continue to grow as more criminals attempt to gain access to the information and flow of money through these mobile devices.
Highly profitable ransomware schemes seem to be commonplace now, and 2016 will be no exception to the new status quo. Ransomware has become such a huge problem that the FBI has weighed in. At the 2015 Cyber Security Summit in Boston, FBI Agent Bonavolonta informed participants that if the data is important to them they should just pay the ransom to get their data back. Complex cyber-criminal gangs have popped up throughout Eastern Europe and Asia. These gangs have set up call centers with 24 x 7 customer support to decrypt your hard drive when you are infected and to help the “customer” pay them through bitcoin. Often there is a deadline after which the drive is lost forever. A famous ransomware known as CryptoLocker used advanced encryption that was only recoverable through a private key stored on a botnet. Though the FBI was able to arrest some of the individuals involved, derivatives of this type of attack are in full swing, and assessments by Kaspersky and Symantec indicate that this will continue to be a booming business in 2016. Estimates have put revenue as high as several hundred million per year paid in bitcoin to these various ransomware providers.
C-Level spear phishing
An interesting development that is sure to increase in 2016 is the targeting of corporations’ C-level executives through spear phishing, RATs (Remote Access Trojans), and social engineering. Cyber gangs are targeting the C suite for their ability to transfer, or otherwise authorize the transfer of, millions. Several corporations have been targets of such attacks. Targeting executives near major sale times (June – August and November – January) seems to be the height of such attempts. As many executives have high-level access to funds and are oftentimes relatively simple to research online, they present a large attack surface for social engineering, which could lead to a direct attack against them or through their bank. This is potentially a highly profitable though high-risk attack.
This level of attack is especially interesting because of its roots in identity theft and systems intrusion. Hackers are using various methods of attack to develop complex social engineering campaigns built around targeted spear phishing of executives and the exploitation of information or access to corporate internal mail through Remote Access Trojans, or “RATs”, such as Zeus and its clones. It seems these are related to APT (“Advanced Persistent Threat”) groups, which may or may not be connected to various governments. I fully expect high-level intrusions as well as social engineering attempts at all levels of the C suite going into 2016.
The revelations that Chinese, Russian, and Iranian hackers (likely government sponsored) have all had access to various systems within the U.S. power grid for years should be no big surprise to anyone within the cyber security community. However, many outside of the industry will be shocked to hear this information. What is surprising overall is the expansion of Internet-connected systems that connect to unprotected or under-protected devices that have historically been air gapped, that is, systems that are not connected to the Internet or other networks. The intrusions into the power grid and other systems spanning 2014-2015, such as the OPM and Anthem breaches, demonstrate the growing prominence of government-funded intrusion, especially against targets within western countries and namely the U.S.
This year should see an increase in these breaches, whether new exploits of zero-days or realizations of older breaches. A surprise coming in at the end of 2015 that is sure to bring forth more breaches through 2016, and probably longer due to unpatched systems, is the Juniper backdoor and SSH compromise. This breach is highly suspected to be from a foreign government but built upon the speculated NSA backdoor within Junos. These types of backdoors will continue throughout the next few years. I suspect we will see a number of exploits and breaches relating to the Juniper breach, as well as new government-related backdoors, throughout 2016 until legislation or further cooperation exists within the security sector.
An ounce of prevention
Ending our holiday season and getting into the New Year with new budgets, new technology, and new information, we can address spear phishing, mobile malware, ransomware and government intrusion. By implementing standard update and patching cycles and industry tools such as Data Loss Prevention (DLP) and anti-malware / anti-virus, as well as further developing threat intelligence capabilities, we can thwart or reduce the impact of the above threats. The biggest element of systems security is training at all levels of the organization to be aware of such threats and how to spot and prevent social engineering and spear phishing e-mails and campaigns. The industry is in full swing attempting to reduce the risk of these attacks. Taking the time to reduce your threat surface, mitigating the above risks with standard practices and deploying a defense in depth strategy is well worth the time and expense when compared to the potential losses caused by a breach and the subsequent pound of cure.