Cyber security seems a hard industry to make predictions for, considering that the success of a cyber attack depends largely on it being unpredictable.
Or so it would seem. What really emerges from speaking to cyber security experts about the threats on the horizon in 2017 is that the major threats from this year will evolve and continue to wreak havoc.
This year’s Verizon Data Breach Investigation Report found that most attacks exploit vulnerabilities that are known and have not been patched even though patches may have been available for months or years. The top 10 known vulnerabilities accounted for 85 percent of successful exploits, while 63 percent of confirmed data breaches involved using weak, default or stolen passwords.
It is likely that this will continue to be the case until cyber security professionals get their act together and start handling the basics. While awareness of cyber risk is increasing each year, the growing number of widely publicised breaches in 2016 does not seem to have provided a watershed in the adoption of basic cyber security practices.
For example, FireEye CEO Kevin Mandia said at a recent roundtable that sophisticated zero-day attacks are mainly reserved for attacks by nation-backed actors.
A key example of this was provided in 2016 when Citizen Lab and Lookout Security were contacted by Ahmed Mansoor, a member of Human Rights Watch’s advisory committee, who was sent two text messages containing hyperlinks and promising information about detainees in United Arab Emirates prisons.
The firms found that the attack was using three critical iOS zero-day vulnerabilities, collectively termed Trident, that together form an attack chain that subverts Apple’s security environment. The description ‘zero-day’ means that the attack was found ‘in the wild’ or in active use by cyber attackers, rather than discovered by security researchers in a lab.
These attacks exist, but mostly they will be saved for high-value targets like Mansoor. Why waste an advanced cyber attack when the basics are working? Cyber criminals want to maximise their returns just like any other business.
So perhaps it should be no surprise that ThreatQuotient CEO John Czupak identifies spear phishing and ransomware as his top two threats for 2017: attacks that have been prevalent in 2016.
As he says, these attacks remain “easy to do and lucrative”.
Ransomware is malware that encrypts files on a victim’s device and forces the victim to pay a ransom to the attacker before the files can be accessed.
Steve Ginty, PassiveTotal co-founder and security researcher at RiskIQ, believes that we will continue to battle ransomware through 2016.
“The minute we come up with good defences, the actors immediately evolve to those defences. But something you will see is more visibility into those attacks.”
Ransomware was a theme on Kaspersky Lab’s list of 2017 predictions. The firm suggested that more threat actors would get into the space, potentially undermining the basic principle of payment in exchange for decryption.
Ginty of RiskIQ also believes phishing will remain a major issue next year.
“Phishing is still successful because it is exploiting humans. We can control for a lot of things: identify phishing sites and phishing emails,” says Ginty. “But we are still relying on our end users to be vigilant and not click things or surf to those sites.
“That’s always going to be a hurdle. Even most of the advanced actors still use email as an avenue into an environment.”
Essentially, until we start challenging cyber criminals we don’t need to expect any big advances in their capabilities.