From CIO – by Sharon Florentine

From W-2 scams to WordPress vulnerabilities, ransomware, business email compromises, DDos attacks and allegations of a hacked presidential election — 2016’s been a hell of a year in cybersecurity, and it’s not over yet.

There’s no reason to believe 2017 will be any better. If anything, it could be even worse as cybercriminals continue to push social engineering, find new ways to deliver malware, crack vulnerable databases and leverage mobile technology to find ways to get inside corporate defenses and target individuals.

We asked two leading cybersecurity experts, Matt Dircks, CEO of secure access software company Bomgar and Scott Millis, CTO at secure device management and mobile security company Cyber adAPT, what to expect in 2017.

1. Passwords ‘grow up’

The recent DDoS attack that wreaked havoc on a huge portion of the internet on Oct. 21was at least partly enabled by unchanged default passwords on IoT devices, says Dircks, which hackers were able to exploit. Don’t think you’re immune; how many of your users have simple, common or outdated passwords? In 2017, Dircks says better password management services will gain traction as businesses understand how vulnerable they are.

“I used to do a party trick where I’d go to someone’s house and hack their router. There are so many purpose-built, ‘dumb’ devices out there like the routers used to facilitate the DDoS attack a few months ago, that it’s making hackers’ jobs easy,” Dircks says.

Cybersecurity professionals will struggle to protect critical infrastructure, connected systems and remotely accessed systems and devices while weak password practices remain the norm, but it’s not just external threats that are a problem.

Mitigating insider threats can also be accomplished through better password management, he says. The best way to do so is to implement a solution that securely store passwords that remain unknown to users, and then regularly validates and rotates those passwords to ensure safety and security, he says.

“What we’re talking about is credential vaults. In an ideal world, a user would never actually know what their password was — it would be automatically populated by the vault, and rotated and changed every week. Look — hackers are intrinsically lazy, and they have time on their side. If you make it harder for them, they’ll go elsewhere rather than invest the energy to chip away,” Dircks says.

2. Privilege gains power

Hackers want high-level access, which they get through targeting the credentials of privileged users like IT professionals, CEOs and vendors, Dircks says. And while organizations have applied security to the systems, applications and data that are most critical to their business, these preventative measures simply aren’t enough anymore. In 2017, he says, savvy organizations will finally get serious about protecting not just systems, but privileged users by identifying them, monitoring their access and closing off access to what they don’t need.

“We’ve had some clients who say, ‘Well, I just stick my users or outside vendors on the VPN and they’re fine,’ but they have no idea what they are actually accessing! With privilege management, think of it like an elevator bank, where depending on your role, you can only get to certain floors. It really limits what you can do, especially if you’re malicious. Even if I do have a valid password, if my privilege lets me access floors one and seven, but I try to go to six, then the system will block me and notify someone,” Dircks says.

Addressing this issue, too, will involve organizations willing to provide extensive education and training on the potential dangers involved, especially in an increasingly mobile workforce where many individuals would rather sacrifice privacy and personal data for access and believe their security will be taken care off by the third-party services providers and application creators, he says.

“Especially in the last few generations of digital natives, people are more than willing to give up their personal information and data for access to apps, connectivity, information — this can easily be exploited. And they are willing to trust that these app developers, these providers, will make sure they’re safe and secure. That’s dangerous. Combine the cybersecurity skills gap, talent shortage, mobile workforce, app-centric environment, more sophisticated hacking and it’s a perfect storm. We think it’s just going to get worse before it gets better,” Dircks says.

3. The security blame game will heat up

The IoT and increasing reliance on security solution providers means companies may not be able to easily account for ownership or origin once a breach happens, he says. Who is responsible for securing, maintaining and patching the various technologies? Worse yet, has a product been connected to internal systems that can’t yet be patched? A number of IoT devices are often overlooked because they fall outside of IT’s traditional purview, but that means exposure to threats.

“With the integration of IoT, automation and the cloud, no one seems entirely sure who’s actually responsible for maintaining security of all these various pieces: the IoT device manufacturer? The security services provider? The internal IT department? Individual users? You’re only as secure as the least-secure device or relationship,” Dircks says.

When a breach occurs, even with layers of security, the question of who “owns” it and who had or has power to do something about it will create intense reactions and finger-pointing, he says.

Companies can head off this blame game by ensuring open communication between IT and business leadership to understand the potential threats, options for security and safety and the challenges and constraints that exist within the organization, Dircks says.

“Part of the problem is that, as a CSO, a CISO or even a CIO — anyone with security responsibility — you’re either invisible, if you’re doing your job right, or you’re on the hot seat. If you come up with great policies, procedures and security measures, then you often leave those to IT to operationalize. But if those fail because you didn’t understand the business needs, the budgets, the requirements, then you’re not really helping,” he says.

4. Ransomware will spin out of control

Since January 1, 2016, Symantec’s Security Response group has seen an average of more than 4,000 ransomware attacks per day: a 300 percent increase over 2015, according to its 2016 Internet Security Threat Report.

Most organizations rely on low-overhead prevention techniques, such as firewall and antivirus solutions or intrusion prevention to mitigate threats like these, says Cyber adAPT’s Scott Millis. However, these tools are insufficient, and breach data shows that detection and incident response must be improved.

And as attackers continue to use social engineering and social networks to target sensitive roles or individuals within an organization to get to data, the need for comprehensive security education becomes even more critical, he says.

“If security policies and technologies don’t take these vectors into account, ransomware will continue to seep in. There’s also the issue of detection. Some attackers can reside within a company’s environments for months, often moving laterally within environments, and silos between network, edge, endpoint and data security systems and processes can restrict an organization’s ability to prevent, detect and respond to advanced attacks,” Millis says.

Finally, new attack surfaces — for example, IaaS, SaaS and IoT — are still so new that organizations haven’t yet figure out the best way to secure them, he says.

5. Dwell times will see no significant improvement

Dwell time, or the interval between a successful attack and its discovery by the victim, will see zero significant improvement in 2017, Millis says. In some extreme cases, dwell times can reach as high as two years and can cost a company millions per breach.

“Why so long? In my view, this is annoyingly simple — there’s little or no focus on true attack activity detection. At the advent of the ‘malware era’, companies, vendors and individuals were rightly concerned about ‘keeping out the bad guys’, and a whole industry grew quickly to focus on two basic themes: ‘Defense-in-depth’, which I view as layering prevention tactics in-line to make penetration from the outside more difficult; and ‘Malware identification’, which manifested itself as an arms race towards 100-percent-reliable identification of malware,” Millis says.

While response technologies and remediation capabilities, improved, victims were able to isolate and repair damage very quickly. The problem is these technologies didn’t help reduce dwell time; unless response teams stumbled upon something malicious or randomly discovered an anomaly, Millis says.

Nowadays, security pros are using network device log files to search for clues as to whether an attack has been attempted or has succeeded, but storing and sorting through the massive amounts of data needed for this approach is costly and inefficient, Millis says.

“The need for huge data stores and massive analytics engines drove the new security information and event management (SIEM) industry. While SIEM is a great after-the-fact forensics tool for investigators, it still isn’t effective in identifying attacks in progress. What we — and some other companies — are doing now is developing products that focus on analyzing raw network traffic to identify attack indicators. Finding attackers as soon as possible after they have beaten the edge or device prevention gauntlet, or circumvented it entirely as an innocent or malicious insider, will dramatically shorten dwell time,” he says.

6. Mobile will continue to rise as a point of entry

At least one, if not more, major enterprise breaches will be attributed to mobile devices in 2017, Millis predicts. A Ponemon Institute report found that for an enterprise, the economic risk of mobile data breaches can be as high as $26.4 million and 67 percent of organizations surveyed reported having had a data breach as a result of employees using their mobile devices to access the company’s sensitive and confidential information.

People and their mobile devices are now moving around way too much, and much too fast, for old-fashioned cybersecurity strategies to be effective, Millis says. Add to that an increasing sense of entitlement by users with regards to the devices they choose to use, and you have a situation ripe for exploitation.

“Many users feel they can protect their privacy while having secure, uninterrupted access to business and personal services. And still many people subscribe to the view it is not they who are accountable for security breaches; if they can work around ‘security’ to improve their user experiences, they will. CISOs, CIOs and CEOs view this as a complex challenge to the implementation of their enterprise security strategies, and one that won’t be solved by having email and calendar data delivered over SSL to a single, approved OS,” Millis says.

Mobile payments, too, will become a liability. MasterCard’s ‘selfie pay’ and Intel’s True Key are just the tip of the iceberg, he says. Individuals should understand that they need to treat their biometric data just as carefully as they do other financial and personal data; again, that comes down to education and training, he says.

“Wouldn’t it be nice if public Wi-Fi access providers were required to put up the internet allegory to the warnings on cigarette packs? Something like, ‘Warning: This public access connection is not secure and information you send and receive while connected may possibly be viewed, collected and subsequently used by criminals to steal your assets, identity or private information,'” Millis says.

7. Internet of threats?

IoT vulnerabilities and attacks will rise and will increase the need for standardization for various security measures — hackers at this year’s Def Con found 47 new vulnerabilities affecting 23 devices from 21 manufacturers.

And, of course, in October 2016 the massive DDoS attack on major global websites including Twitter, Netflix, Reddit and the UK government’s sites — was reportedly powered by the Mirai botnet made up of insecure IoT devices.

“A lot of attention is focused on ‘smart devices’ as proof of IoT’s growing influence. The reality is a connected device doesn’t make it a smart device. The ‘things’ that are being connected often ‘fire-and-forget’ in their simplicity, or are built-in features and tools we may not even know are there — like the routers used in the Mirai botnet. This leads to a mindset of ignoring these ‘dumb’ devices without paying attention to the fact that these devices, while inherently ‘dumb’, are connected to the biggest party-line ever made: the internet,” says Bomgar’s Matt Dircks.

This isn’t just a problem for smaller consumer devices, or even for connected homes and cars. Dircks isn’t even particularly focused on the possibility of another DDoS attack. What’s more troubling is the potential for an attack on large, widespread infrastructure systems like the power grid, or even avionics or railway systems, he says.

“I’m not worried about things like, if my connected showerhead turns on hot or cold. I think there’s a fairly significant chance we’ll see a major hack on power grids or on transportation systems like rail in 2017. This is the ‘dumb’ IoT that’s still out there — the technology from the 1950s and 1960s that’s powering these critical infrastructure systems that is almost totally unsecured,” he says.

This is a perception problem; the general public doesn’t tend to see these systems as being similar to the IoT devices they use with increasing frequency — even mobile phones can fall into that category, says Millis.

“Like smart-phones before them, IoT devices are assumed to be new, separate, and not subject to the same limits, as older technology, but think about it. It’s nonsense: Smartphones are the most plentiful internet device around. IoT is the next hyper-jump in scale. Some organizations are wisely ahead of the curve a little bit this time, trying to head off the same security issues that mobile devices are facing now. So far, activity here has all come down to prevention yet again, but we believe every device and/or connection can be compromised. Shortening dwell time and securing IoT depends on being able to tell when that inevitably happens, as quickly as possible and with the highest level of confidence,” Millis says.