What cybersecurity surprises does 2018 hold?
One thing’s for sure: securing ourselves and our organizations will only get more difficult this year.
Bitcoin, the General Data Protection Regulation in Europe and the Internet of Things (IoT) are just three recent developments that will present security professionals with new challenges in 2018. That’s in addition to the usual raft of malware, DDoS attacks and database thefts that have dominated the headlines for some time.
To get a handle on what to expect, we asked two Keeper Security experts – Director of Security and Architecture Patrick Tiquet and Chief Technology Officer Craig Lurey – to peer into their crystal balls to find what 2018 holds. Here’s what they saw.
IoT has been on Patrick’s mind a lot lately, not just because it represents a vast expansion of the attack surface, but also because it opens whole new types of data to compromise. “Every aspect of your everyday life is potentially accessible to anyone anywhere in the world in seconds,” he says. “All your conversations can be accessed, captured and converted.”
Vulnerabilities have already been reported in voice-activated personal assistants, and attackers years ago figured out how to turn on smart phone microphones and cameras without the owner’s knowledge. “We will see a major IoT security disaster this year, and I think it will be bigger than the Dyn hack of 2016,” which originated with printers, security cameras, residential gateways and baby monitors,” Patrick says.
New attack vectors
New attack vectors have also been on Craig’s mind, particularly in light of recentdisclosures of hardware flaws in microprocessors. “There’ll be more activity by hackers around hardware-based attacks that go after the memory of the device,” he says. Particularly concerning is that “Spectre and Meltdown took advantage of hardware flaws but were able to abstract them to the software level.” That makes them harder to stop with conventional anti-malware protections alone. Hardware vulnerabilities may demand a whole new type of protection.
GDPR has many people spooked because of its onerous penalties – violators can be fined up to four percent of annual revenues per incident – as well as the strict set of controls the regulation imposes upon keepers of personal information. Will the European Union enforce GDPR to the full extent of the law, or will the scope of the penalties cause regulators to pull their punches? Patrick thinks it’s the former. “It’s in the EU’s best interest to aggressively enforce the regulation,” he says. “If they don’t, then people will ignore it.” He expects the EU to penalize an assortment of large, medium and small companies “to show that just because you’re small, you don’t get to skate.”
Many smart phone makers have lately been showing off alternatives to passwords, such as biometric security controls. While these technologies have some promise, they also create new targets for attackers, Craig believes. Cyber criminals will turn more attention to compromising systems that are supposedly super secure, such as two-factor authentication (2FA), he believes. “Meltdown opened up new ways to get in,” by showing how hardware can be exploited he says. “Attackers will look for ways to sidestep 2FA.”
Emergency warning systems
Another intriguing new target for the bad guys is emergency warning systems. Just since the first of the year, citizens in Hawaii and Japan have received false notifications of impending missile attacks. In both cases, human error was the culprit, but attackers will no doubt look for opportunities to create mayhem using the same channels. Imagine the security implications of being able to clear out entire neighborhoods or cities for burglars to mine. “It’s social engineering on a large scale,” says Craig.
Now that the bitcoin bubble is beginning to melt away, practical applications of blockchain will emerge, Patrick believes. So will questions about the security of various blockchain-based technologies. Crypto currencies will be a viable medium of transactions in the future, but Patrick doesn’t believe bitcoin will be the winner. “It relies on massive amounts of electricity, and I don’t think it’s sustainable,” he says. “What makes a currency valuable over the long term is its stability. Bitcoin looks more like a Ponzi scheme right now.” As an alternative, he suggests Digibyte, which is billed as a set of “digital assets that cannot be destroyed, counterfeited or hacked.”
Our experts also shared these quick predictions:
“The security skills gap will become even more pronounced. Companies will be less time available to patch quickly, which will create even more opportunities for ransomware authors.” –Patrick
“More sites will require strong passwords and start defaulting to much longer generated passwords. There’ll be more attention paid to 2FA, but that approach will also be under fire.” –Craig
“State-sponsored hacking will grow and continue to be a concern. I don’t think it’s going away.” –Patrick
“There’ll be a lot more work around security at the software development stage. New cybersecurity degrees and programs will pop up in this area. It deserves its own field of study.” –Craig
One thing is clear from our experts’ prognostications: Securing ourselves and our organizations will only get more difficult this year.