From fake ads to AI-enabled social engineering, the security landscape is set for another turn in 2017. Here are some predictions we have collected from three information security companies.
If it’s December, we know it’s time for next year’s predictions. Perhaps no other area in IT worries CIOs and business stakeholders alike as much as security. Understandably so. Security breaches that were breaking news earlier are now becoming ‘yet another’ in a trend. This is a game of counters: threats evolve, prompting advances in security, which in turn makes the bad guys innovate. Let’s run through some of the predictions that have come from information security companies.
Not all of these changes will be seen in entirety in 2017 itself, but the year could well mark the beginning of a trend or a wider acceptance of some new security practices.
Just as the world was beginning to breathe easy about cloud (in)security, there might just be an increase in cloud attacks, not because of any new vulnerability, but simply because hackers are likely to target the cloud more.
According to data shared by Intel Security (formerly McAfee Labs), over the last three years, trust in the cloud has ‘greatly increased’ by 15 percent, and ‘somewhat increased’ by 37 percent. Cloud adoption itself is seeing rapid growth. Measured by market size, the projection is growth from $87Bn in 2015 to a whopping $236Bn in 2020. This offers a wider range of cloud targets to attackers.
Does this mean businesses will, or should, dial back on their cloud plans? Not quite. Rather, this is a call to cover all bases when it comes to cloud security. The cost and agility benefits of cloud are too high to let go of, and this is all the more reason not to take cloud security for granted.
Anti-virus and firewalls may soon be passé, going by one of the observations shared by Seclore Technology Pvt. Ltd., a Mumbai-based Enterprise Rights Management company.
Since today’s pace of business requires information to be location- and device-agnostic, the hitherto common endpoint security tools like anti-virus and firewalls are no longer sufficient to protect data. In the words of Seclore, “The free flow of information will warrant a paradigm shift in the InfoSecurity community, who will be unable to assure the security of data as it moves across and outside of corporate boundaries. Instead, the InfoSecurity teams will shift their focus to securing the data itself, striving to achieve persistent security through solutions that control granular usage policies regardless of where the information resides. We predict that 2017 will be the year that organizations acknowledge the need to secure the data itself, and not just infrastructure and devices.”
With increased reliance on third parties, as well as employees themselves often being required to work from home or remote locations without losing access to their files, enterprises will need to start looking at security beyond the conventional anti-malware and firewall.
New targets for attacks
Following on from the previous point about shifting security from the current device or perimeter level to the data level, attackers are also shifting their targets, from the OS level to infrastructure software and virtualization software, according to Intel Security. Other related new attacks in the company’s predictions include:
- Hardware and firmware will be increasingly targeted by sophisticated attackers.
- IoT malware will open backdoors into the connected home that could go undetected for years (more on IoT further in the article).
Hackers are also likely to start targeting industries which have been making only low investments in security, according to Seclore.
Another observation made by Seclore revolves around third parties such as advisors, vendors, sub-contractors and business partners, who pose a huge risk to organizations because they require access to systems and data to conduct business, yet there is no accountability in the way they handle a company’s data.
“Besides unsecured systems, there is also the issue of sub-contractors stealing intellectual property. 67% of independent contractors and employees take IP with them for the express purpose of leveraging it at a new position, costing organizations more than $400 billion in annual losses. With on-going pressure to achieve profits, organizations will become ever more reliant on third-party vendors and processing partners in 2017,” Seclore said.
Malware gets AI
Many fears about AI are unfounded or exaggerated. However, the fear of intelligent malware is a valid concern. According to Fortinet, threats are getting smarter and are increasingly able to operate autonomously. In the coming year we expect to see malware designed to be “human-like”, with adaptive, success-based learning to improve the impact and efficacy of attacks.
Social engineering is one of the oldest tricks in the hacker’s book. Now, the old trick will soon get a huge AI boost, warns Intel Security: machine learning will accelerate the proliferation of and increase the sophistication of social engineering attacks.
No Respite from Ad Fraud
Intel Security warns us of fake ads and purchased “likes” that will continue to proliferate and erode trust. Ad wars will escalate and new techniques used by advertisers to deliver ads will be copied by attackers to boost malware delivery capabilities.
IoT – major road to cover
The weakest link in cloud security is not in its architecture, but lies in the millions of remote devices accessing cloud resources, says Fortinet, which expects to see attacks designed to exploit endpoint devices, resulting in client-side attacks that can effectively target and breach cloud providers. If IoT manufacturers fail to better secure their devices, the impact on the digital economy could be devastating should consumers begin to hesitate to buy them out of cybersecurity fears.
Intel Security agrees, saying “during the next two to four years, we will see more instances of IoT devices used as gateways to data and intellectual property theft, critical infrastructure disruption, and other major attacks.”
Intel Security is not optimistic about privacy with IoT. “There are simply too many IoT devices watching, listening, recording, accumulating, and otherwise paying close attention to consumer actions”, the company said in its report.
Sources: Intel Security (formerly McAfee Labs), Fortinet, and Seclore Technology Pvt. Ltd.
Compiled by Kailas Shastry