Cyber-Security Issues for 2018

I remember when we advised citizens how to protect themselves against computer thieves. We advised them to uniquely mark their computers with an etching tool with a unique identifying number. This would enable police officers to identify it later on if your home or office were ever broken into and the police found the item at the local fence or pawn shop. We even offered community service officers who would go to your home and etch the info for you in order to protect your valuable electronics. Now computer security has morphed into cyber security and into a multibillion-dollar industry. A simple ID number etched on a computer won't stop a cyber-criminal. Organized crime networks and street gangs have shelved their weapons and now routinely fund themselves through cyber-crime. The famous criminal Willie Sutton was once asked why he robbed banks, and his response was simple, eloquent, and humorous:

“Because that’s where the money is.”

Today's cyber criminals are of the same mindset. This year I was asked by a friend what my New Year’s resolutions were going to be. I responded, "This year I resolve not to make any resolutions." They pointed out I already failed.

If you are tasked with ensuring the security of your company's cyber information, you should not treat your assignment lightly, as many of us treat our New Year's promises to lose weight, work out, go back to school, etc. It needs to be a concerted effort to protect, evaluate, and remediate challenges when they come your way. Make no mistake, they are coming. If anyone tells you that they can absolutely ensure the security of your network and data, they know not of what they speak. You should do your homework to identify and address problem areas in your cyber security program. Develop a plan that includes robust monitoring of systems and training of personnel. Make every effort to lower your risk of attack. You also need to be nimble, with a robust breach response plan for when you find you have been victimized.

Here are a few predictions for the challenges that we could see this year, as predicted by Kroll's CISO Wayne Peterson:

Security Advisory: 2018 Information Security Predictions

This year continued to be a challenge in the information security realm. The Equifax breach, WannaCry ransomware attacks, and Russian manipulation of social media were just some of the lowlights. How will 2018 pan out? Here are some thoughts from your Kroll InfoSec team:

The Good, the Bad, and the Ugly

IoT (Internet of Things). This will continue to be a point of worry in 2018. Consumers and businesses will continue to implement IoT in daily life as these offer many benefits and conveniences. However, as we have seen this past year, not many vendors are baking security in, or have the ability to apply patches to, these different devices. Apart from using IoT devices for DDoS (distributed denial of service) and ransomware attacks, malicious actors will exploit these devices in consumers’ homes to maintain constant access to their victims’ networks. This means that no matter how many times victims remove malware from their computers, because of the IoT entry point, criminals will always have the opportunity of using this backdoor to get back into the compromised network.

Cloud “great migration” continues. The ever-increasing move to cloud services is being called the great migration. We’ll see even more services and workloads move to cloud-based platforms. Remember all those articles this past year about misconfigured AWS buckets being found? We will continue to see more of these cloud-related spillages.

GDPR (General Data Protection Regulation). GDPR comes into effect on May 25, 2018. According to this new set of regulations, both U.S. and European organizations will need to demonstrate compliance in how they manage, store, and share data – no matter how large the data sets are. Specific to breaches, organizations will have to report data breaches within 72 hours of their knowledge of them. We will see U.S. organizations that are not in compliance facing some high fines and heavy public scrutiny. We will also see the creation of a formalized Data Protection Officer position at organizations.

Ransomware will be more targeted. Threat actors will be smarter about which people and companies they target so they can extort as much money as possible. We will thus see more sophisticated malicious emails as cyber criminals perform greater research on their targets. Conversely, we will see law enforcement and the security industry join forces on a much larger scale to aggressively detect and respond to these incidents, leading some malicious groups to move away from this type of attack.

Bitcoin hacks. Despite the latest crash on December 22, Bitcoin has been steadily surging in price. There are other cryptocurrencies that have had rapid gains as well in the market. This success is expected to trigger crime of grand proportions. Hacking, already a problem, will rise as attacks on investors, exchanges, digital wallets, mining companies, ICOs, and hosting providers increase. Losses here due to fraud or theft are quite unlikely to ever be recovered or reimbursed as cryptocurrency, unlike funds deposited in U.S. banks, is not protected by the U.S. Federal Deposit Insurance Corporation (FDIC).

Machine learning. This will be developed into a well-honed art. Online advertisers and vendors are becoming better and better at using data analytics in conjunction with large data sets. Malicious actors will use this same technology to target victims.

