What 2017 has in store for cybersecurity
- 19 December, 2016 22:22
There is much uncertainty surrounding the security industry for 2017, and according to experts in the field, a lot of the trepidation is directly connected to what the nation’s next president will do.
Here's what security vendors and analysts are predicting for the year ahead.
John B Wood, CEO of Telos Corporation, cites a need for cooperation between the government and the private sector. President-elect Donald Trump took a break from his “thank you” tour to meet with tech executives and smooth over relations that had been contentious during his campaign.
“President-elect Trump has been vocal about the need for a stronger and more aggressive cyber security posture, and I’m confident that he’ll work with leading members of Congress. Many non-political cyber experts throughout the government, various agency CISOs and [Federal Chief Information Security Officer] General Touhill will also be great resources to further refine cyber security policies to protect U.S. interests in the face of constantly changing threats,” Wood said.
He also noted the renewed focus on U.S. Cyber Command. The President-elect has promised to eliminate the threat of defense sequestration and to spend more on the military. “This needs to include working to roll back the budget caps for defense spending and providing additional resources for cyber security, including more money for U.S. Cyber Command, which I believe is grossly underfunded,” Wood added.
Speaking of funding, Wood does not believe that a change of administration will automatically lead to a change in regulatory policy.
“Although there will certainly be a big push by the Trump administration to roll back or modify overly burdensome regulations, I don’t see this affecting cybersecurity regulations, like the NIST Cyber Security Framework that has been developed in consultation with the private sector,” he commented.
Reuven Harrison, CTO and co-founder of Tufin, a provider of network security policy orchestration solutions for enterprise cybersecurity, said the prospect of a Trump administration relaxing enforcement of regulations will keep IT departments tossing and turning at night. “If Trump implements his deregulation promises, and penalties for non-compliance with industry-wide security regulations are relaxed, security teams will need to be self-disciplined to maintain a high level of security by turning to outside resources for security best practices,” he said.
Carson Sweet, co-founder and CTO at CloudPassage, said privacy will take center stage over security.
“Trump’s administration will create a fundamental shift in concerns as it pertains to security. There’s a new sheriff in town, and many posit that he has less regard for privacy concerns than the current administration. Case in point, Trump supported the FBI in its battle with Apple over iPhone privacy and security,” Sweet stated. “If this new administration demonstrates in their policies a value for law enforcement and intelligence access over citizens’ privacy, they’ll double or triple down on the government’s right to inspect data. The impact of such a reality would extend to the use of online services, cloud providers, even personal computing devices and IoT.”
What that impact would be is very hard to know, but it’s safe to bet that it won’t be positive, he said. The wars around PGP and personal encryption come to mind (anyone remember the Clipper chip?).
John Bambenek, threat systems manager at Fidelis Cybersecurity, said he never would have predicted last year that we would be talking about the DNC and hacking of elections.
“Ransomware will be on the upswing and evolve in new unforeseen ways. It will be more targeted and focus on more valuable targets as we saw with healthcare. And it will continue to attack new, more damaging industries like we recently witnessed with San Francisco BART and Muni,” he said.
While 2016 found the election under scrutiny because of alleged hacking by foreign powers, 2017 will continue the trend of identity theft and ransomware.
Forrester predicts that within the first 100 days, the new president will face a cybercrisis. The momentum of winning the election gives new presidents the public's support to follow through on key initiatives of their campaigns. Forrester expects the 45th president to lose that momentum early, with the administration confronting a cybersecurity incident soon after taking office.
Forrester suggests that the administration prepare for nation-states and ideologies looking to disrupt and degrade. They believe the U.S. should be on the lookout for China, North Korea and Iran.
“Political ideologies use electronic means to both recruit and spread information. DDoS attacks using IoT devices are becoming a common means of disrupting operations for companies or individuals that threat actors disagree with. A company can become a target not just because of its size or global presence but also because of its political donations or public statements. If you’ve never factored geopolitical concerns into your security risk analysis, you ignore them at your own firm’s peril.”
Civilian “casualties” in the Cyber Cold War
Corey Nachreiner, CTO at WatchGuard Technologies, follows Forrester’s way of thinking. “Whether you know it or not, the cyber cold war has started. Nation-states, including U.S., Russia, Israel, and China, have all started both offensive and defensive cyber security operations. Nation-states have allegedly launched malware that damaged nuclear centrifuges, stolen intellectual property from private companies, and even breached other governments' confidential systems. Countries are hacking for espionage, crime investigation, and even to spread propaganda and disinformation.”
He believes 2017 will be much of the same: Behind the scenes, nation-states have been leveraging undiscovered vulnerabilities in their attacks, suggesting that these countries have been finding, purchasing, and hoarding zero-day flaws in software to power their future cyber campaigns.
“In other words, the nation-state cyber cold war is an arms race to discover and hoard software vulnerabilities — often ones in the private software we all use every day,” he said.
In 2017, expect to see a civilian casualty from the nation-state cyber cold war, Nachreiner said. “We expect to see at least one private business or citizen become a victim of a zero-day flaw that a nation-state held secret in their arsenal,” he said.
In an effort to combat terrorism and expand surveillance at least one Western government will follow Russia’s lead and mandate access to encryption keys and certificates, foresees Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Widespread government access to encrypted communications has the potential to demolish internet privacy and devastate security. Encryption is the backbone of secure and private communications on the internet — it protects online banking, shopping, all manner of consumer services that our economy and critical infrastructure rely on. Once we allow governments universal access to encryption the likelihood of abuse and misuse skyrockets. It’s time to stand up against governments' efforts to hijack privacy and trust online,” he said.
Scott Millis, CTO of mobile security company Cyber adAPT, believes that by next year every adult in the U.S. will know a relative who has had their identity stolen. The Internal Revenue Service reported that 2.7 million people had their identities stolen in 2014, and according to TransUnion 19 people fall victim to identity theft every minute.
George Ng, co-founder and CTO of Cyence, believes many companies don’t realize even the smallest things can expose personal information and make them more likely to be targeted. For example, a job listing for a CSO or CISO indicates a lack of senior leadership for cybersecurity. “[Personally identifiable information] continues to be a target for hackers and criminals and is very tangible information that can be sold easily on the dark web, just as easy as credit cards. PII records will continue to be specifically targeted because they fetch a higher price and are more versatile in their usage for hackers.”
With privacy in mind, Forrester said surveillance marketing will blur the line between online and offline customer behavior. “The online ad world has been chipping away at people’s ability to keep their online and offline habits separate for years.”
New rules for U.S. internet service providers will unleash a flurry of lawsuits. Earlier this year, the U.S. Federal Communications Commission (FCC) determined that ISPs like AT&T, Comcast, and Verizon would be classified as “common carriers” — the same designation as landline telephony providers. On Oct. 27, the FCC voted on a set of rules that place limits on how these providers are allowed to monetize customer data. The carriers say that the FCC is restricting fair competition, since companies like Facebook and Google have no such rules.
“2017 will be a year of legal battles — between the internet giants and against federal regulators — while the promised consumer protections will fall short on enforcement,” Forrester writes.
More data breaches
Of course predicting more data breaches is not a real shocker. Forrester estimated that a Fortune 1000 company will succumb to a cyberbreach and ultimately close down.
There will be no improvement in the time companies take to react to a breach, Millis said. Ponemon Institute found that when a breach was identified within 100 days, average costs were $5.83 million per breach. However, if a breach went undetected for more than 100 days, costs rose nearly 40 percent.
Healthcare breaches will become as large and common as retail breaches, Forrester believes. Breaches on the scale of the 2015 Anthem incident, which affected as many as 80 million people, will become commonplace. As a result of mergers, acquisitions, and other partnership arrangements, large healthcare insurer and provider conglomerates are only increasing in size, as is the volume of critical patient information they store. The consolidation of providers leaves security fragmented, with varying security levels across the combined organization.
Second, patient data carries unique, permanent information such as genetic markers, and biometric data such as fingerprints. For malicious attackers interested in ransom, blackmail, and espionage, this data will be too tempting not to grab. Given the critical nature of the services and the sensitivity of the data at risk, healthcare firms should spend on par with other critical infrastructure industries.
Mike Patterson, vice president of strategy at Rook Security, said there will be a billion-dollar breach. Costs for Anthem's breach reached hundreds of millions of dollars within a few months of its early 2015 disclosure of an incident that affected nearly 80 million accounts. Yahoo's acquisition by Verizon could see a devaluation or termination of the $4.8 billion deal as a result of Yahoo's recent breach disclosure.
“If we are at the point where a big breach at a large enterprise can quickly generate hundreds of millions of dollars in costs or cost shareholders hundreds of millions of dollars in share purchases, we aren't far from a new breach in 2017 taking us over the $1 billion mark,” he said.
By contrast, Justin Giardina, CTO at iland, believes the “little guys” will be the next targets. “While historically, it was the biggest organizations with the most attractive data that got hacked, increasing numbers of malicious attacks target smaller, often weaker, targets. So, we’ll see medium-sized enterprises raising their security and business continuity efforts.”
There will be a shift in focus from broad-based attacks to more targeted attacks against specific firms or individuals, says Scott Petry, CEO at Authentic8. The best evidence of this is the intellectual property theft against law firms, spear phishing that spoofs insiders and is aimed at finance and HR staff, and ransomware targeting healthcare after Methodist paid out.
Speaking of paying out, Rick Tracy, CSO and senior vice president at Telos Corporation, said cyber insurance needs to mature. “Cyber attacks have increased over the past few years and will only get worse. Because cyber is so new, relatively speaking, there isn’t a great deal of actuarial data to help insurance carriers underwrite cyber risk,” he said.
The aggregate effect of cyber risk and the financial liability it poses are concerns for the insurance industry. For example, as bad as the Target breach was, what if there had been multiple, similar breaches that occurred simultaneously? What impact would this have had on the insurance carriers providing cyber liability coverage to these companies?
“Moving forward, not only will it be important for insurance companies to better understand the risks facing individual clients, but they will need to view this data over their entire portfolios to understand aggregate risk and ensure they are not over extended,” he said.
He added, the good news is that the insurance industry is beginning to rely on the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) to help standardize the view of cyber risk and ultimately manage aggregate, or portfolio, risk.
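The portfolio concern Tracy raises can be made concrete with a small simulation. The following is an added example, not code from the article or from Telos: two toy models give every insured the same per-year breach probability, but in the second a share of that probability comes from a common cause (for instance, one widely deployed vulnerable product) that breaches every insured in the same year, the "multiple, similar breaches simultaneously" scenario. All parameter values (200 insureds, a 5 percent annual breach probability, a $10M loss per breach, a 2 percent chance of a common-cause year) are assumptions chosen for illustration. Expected annual loss is the same under both models; only the tail that a carrier must reserve against differs.

```python
"""Toy Monte Carlo illustrating aggregate (portfolio) cyber risk.

Added example, not from the article or from Telos. Both models share the
same per-insured breach probability; one also has a common cause that
hits every insured at once. Expected loss matches; the 1-in-100-year
loss does not.
"""
import random


def _breaches(rng, n, p):
    """Number of insureds breached this year, each independently with probability p."""
    return sum(1 for _ in range(n) if rng.random() < p)


def simulate_annual_losses(n_insureds, p_breach, loss_per_breach,
                           p_common_cause, n_years, seed=1):
    """Return (independent_losses, correlated_losses), one entry per simulated year.

    Both models give each insured a marginal breach probability of p_breach.
    In the correlated model that probability is split into a shared component
    (p_common_cause: every insured is breached at once) and an idiosyncratic
    remainder chosen so the per-insured marginal stays equal to p_breach.
    All parameter values are assumptions for illustration.
    """
    if not 0 <= p_common_cause <= p_breach <= 1:
        raise ValueError("need 0 <= p_common_cause <= p_breach <= 1")
    rng = random.Random(seed)
    # Solve P(breach) = p_common + (1 - p_common) * p_idio == p_breach for p_idio.
    # If the common cause is certain, the idiosyncratic part is irrelevant.
    p_idio = 0.0 if p_common_cause == 1 else (
        (p_breach - p_common_cause) / (1 - p_common_cause))
    independent, correlated = [], []
    for _ in range(n_years):
        independent.append(_breaches(rng, n_insureds, p_breach) * loss_per_breach)
        if rng.random() < p_common_cause:
            hit = n_insureds  # common-cause year: simultaneous breaches across the book
        else:
            hit = _breaches(rng, n_insureds, p_idio)
        correlated.append(hit * loss_per_breach)
    return independent, correlated


def percentile(values, q):
    """Nearest-rank percentile (q in [0, 1]) of a non-empty list of numbers."""
    s = sorted(values)
    return s[int(round(q * (len(s) - 1)))]


def compare_models(n_insureds=200, p_breach=0.05, loss_per_breach=10.0,
                   p_common_cause=0.02, n_years=4000, seed=1):
    """Summarise both models: mean annual loss and the 1-in-100-year loss ($M)."""
    ind, cor = simulate_annual_losses(n_insureds, p_breach, loss_per_breach,
                                      p_common_cause, n_years, seed)
    return {
        "independent_mean": sum(ind) / len(ind),
        "independent_p99": percentile(ind, 0.99),
        "correlated_mean": sum(cor) / len(cor),
        "correlated_p99": percentile(cor, 0.99),
    }


if __name__ == "__main__":
    r = compare_models()
    print("model        mean loss ($M)   1-in-100-year loss ($M)")
    print(f"independent  {r['independent_mean']:10.1f}   {r['independent_p99']:10.1f}")
    print(f"correlated   {r['correlated_mean']:10.1f}   {r['correlated_p99']:10.1f}")
```

With the default assumptions the mean annual loss is about $100M under both models, but the 1-in-100-year loss is roughly $180M when breaches are independent and $2,000M (the whole book) when a common cause is present. An underwriter who prices each policy in isolation sees only the first number; the point of viewing the portfolio as a whole is to see the second.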
In the next year we are going to see a rebalancing of spending from traditional security solutions to data protection and recovery, said Paul Zeiter, president at Zerto. “While security spend protects the perimeter fence, there are simply too many cases of breaches getting past these defenses to not have a plan B in place.”
CIOs and CEOs are starting to recognize that millions of dollars in IT security investments, while critically important, are just not enough when a disaster such as a hack or ransomware breaks through the perimeter or a natural disaster like a hurricane floods their data center.
“In the wake of a disaster, companies quickly come to the realization that without the right investments in a disaster recovery solution, their businesses are exposed. To be proactive, companies need a plan and tools in place to recover from any disaster very quickly with as little revenue and end-user impact as possible. Even if an organization has implemented the best preventative security technology, disasters can and do still happen,” he said.
CloudPassage’s Sweet predicts DevOps teams will own security implementation (or, DevSecOps will gain traction). “History doesn’t repeat itself, but it rhymes. In this case, the rhyme is that the primary technology owners will also own security control implementation — even if they don’t operate it,” he said.
As distributed computing and TCP/IP took hold in the early 1990s, the information security world revolved around RACF and TopSecret, the mainframe access management products. Distributed computing and network security had never been issues before, so there were no skilled security practitioners to get the job done. The result: network security was owned by the network organization. The same thing happened when web application security became a demand; the web developers were responsible for implementing security controls (e.g., web access management products, or WAMs) even though central infosec was providing guidance and standards, he said.
Just as network security ownership defaulted to network teams in the 1990s, the same will be true for agile security and DevOps teams in 2017. “Cloud and agile technologies are being adopted faster than ever, and the industry doesn’t have time to wait for infosec to develop the needed skills. Therefore, DevOps teams will be on the hook for implementing actual security controls,” he said.
The successful security team will recognize this and seek to provide tools that work with this trend instead of fighting it. In so doing these teams will maintain high degrees of visibility and create leverage for their already-stressed resources, he added. We’ve said for over a decade that security should be built in, not bolted on — here’s a prime opportunity to move towards that reality.
Tufin’s Harrison agrees about the importance of DevOps in the security process, ensuring compliance to internal and external security rules without slowing down the primary mission of the DevOps team. This will be a challenge, as security is not inherently baked into a DevOps culture of “move fast, break stuff.” “In 2017, DevOps oversights could be the new data breach. We may see a major breach that gets tracked back to the DevOps approach, causing DevOps and security teams to become new best friends.”
- Need to rethink endpoint security. Rick Grinnell, co-founder and partner at Glasswing Ventures, says in 2017 the industry will need to rethink the focus on security at the endpoint and instead begin to think about security at what he calls the "middle point" — or layers of security between the exploitable surface area of the internet of things (IoT), and the assets, data, and services that we need to protect. From a VC perspective, there are various areas that are ripe for innovation in this middle point, including new product areas (e.g., the detection and profiling of all connected devices) as well as improvements in existing solutions (e.g., next-generation security information and event management that can better analyze all of the output of new middle point and existing solutions).
- Moving away from security sprawl and towards true automation. Joerg Sieber, director of products at Palo Alto Networks, said to counter the malicious activities coming at them, security operations teams need to be more agile than ever, which means more visibility into what’s coming at them, a reduction of noise, and automating for faster response. Traditionally, security teams have bolted on additional security solutions to address new threats. This has led to management frustration, coordinating security resources (oftentimes manually) from a variety of security solutions and vendors where the components don’t talk to each other or share knowledge. Security organizations will start to migrate toward solutions that are more contextually aware and security platforms that can share information across the attack surface, utilizing analytics for automated detection and response.
- Critical firewall vulnerabilities will continue to be ignored. Chris Morales, head of security analytics at Vectra Networks, said the firewall is the most trusted device in a data center. The Shadow Brokers’ treasure trove of exploits stolen from the Equation Group was a wake-up call that advanced adversaries and nation-states had tools that could eavesdrop on even encrypted communications traversing firewalls. According to the Shadowserver website, there are still more than 816,000 Cisco firewalls connected to the internet that are vulnerable, undermining the inherent trust placed in firewalls.
- Services instead of products. The security industry will accelerate the development of service-based offerings, offering packaged services rather than simply selling hardware, according to Monica Hallin, CEO of Vindico Group. Security companies will need to be flexible and agile in a time of great and rapid changes in the world and the industry. These changes increase the demand for new products and services. Security providers who lack the ability to rapidly change their businesses and offerings will face a difficult time. Customers, too, will need to manage their risks and track their incidents more closely, and adapt more quickly as their needs change.
- Phishing still on the hook. “Phishing will continue to be the number one attack vector for spoofing, malware and other malicious activity," says Ng. "Email, both personal and corporate, continue to be used at various enterprises with very little oversight. We will see attackers utilizing various email framework protocols to launch attacks that cause data breaches well into the next five years.”
- More bug bounties. “We will see a large trend of organizations offering bug bounties for vulnerabilities, which will offset the cost of selling the same vulnerability on the dark web," Ng adds. "Companies will be more open and transparent in their vulnerabilities and encourage attackers to break them.”