2017 Cybersecurity Predictions: Preparation, Proliferation, Personnel and Protection = A Bumper Year in EMEA

The innovations in today’s digital world continue to advance at a tremendous pace, and 2016 didn’t fail to have its own impact on society. As a hobbyist in remote flight, the introduction of drones to deliver blood and medicines in Rwanda from a Silicon Valley startup was an amazing example of how the Internet of Things can have a hugely positive impact on society. I can’t wait for the completion of the $10 million Tricorder XPRIZE to be announced in early 2017, when fiction is expected to become fact, as a portable wireless device that is anticipated to be able to monitor and diagnose health conditions.

What can we expect in 2017 from a cybersecurity perspective? Personally, I believe 2017 and early 2018 will be the most exciting years in terms of evolving our cybersecurity capabilities as businesses prepare for the May 2018 deadlines imposed by upcoming EU legislation changes. This is a rare opportunity to step back and take stock of our capabilities and validate if they are still fit for their purpose, both for the approaching deadline and thereafter. This is a welcome driver to look to the future as security professionals are often so caught up in enabling the ongoing technology innovations and managing evolving cyber risks.

So here are my predictions for the next 12 months:

1. 2017 is the year businesses need to get prepared for the May 2018 deadline for upcoming EU legislation in the form of the GDPR and NIS Directive.

  • This will mean that businesses finally have to gain control of the mountains of data they have gathered and generated, as well as to understand both the value and risks they create for the business.
  • We can expect some early examples to be made, as the EU looks to ensure that businesses take their digital societal responsibilities.
  • Cybersecurity leaders will need to validate that their cybersecurity capabilities are relevant to the risk they face and that they leverage current best practices, referred to as “state of the art,” with clearly documented processes and measures. Too often security experts continue to hold on to legacy practices, perceiving that continuing to do the same things as before is enough; as such, 2017 will be the year for change.

2. Businesses will be vulnerable as they are immobilized by the confusion of what a good next-generation endpoint strategy looks like.

  • With the growing volume of unique attacks, organizations have, for a long time, been looking for new solutions to either complement or replace signature-based approaches. However, with many different, new approaches to choose from, businesses are hesitating for too long while they look for validation to define their future next-generation endpoint strategies. With the growth of ransomware, one instance has become one too many, and now is the time when next-generation capabilities are needed.

3. We will see the cybersecurity landscape continue to change.

  • Ransomware will continue to have business impact. Expect ransomware to target a broader range of platforms and further leverage historical cyberattack techniques, such as APT-style attacks, as those behind them look to increase their profits. While this threat remains lucrative, it will continue to be a focus for attackers, which could distract them from developing threats leveraging other areas of technology.
  • DDoS will refocus on the retail space as retailers become increasingly dependent on online revenue streams.
  • Targeted credential theft will allow attackers to move the attack out of the business network. As more businesses in Europe embrace cloud, credential theft – whether through social engineering or attack – will mean that adversaries have to spend little or no time in the business’s network to achieve many of their cyberattack goals.

4. While senior cybersecurity skills are in reasonable shape, practitioners are in demand, and outsourcing capabilities are not scaled for evolving demands (volume of work, hybrid cloud/on-premise services, incident response, next-generation SOC requirements, training and running AI/big data systems).

  • With the continuing growth of information to draw on in order to prevent and protect against cyberthreats, we can only expect more security events that need to be managed. The scale of security experts has not and will not keep pace; therefore, businesses must rethink how and where human skills should be leveraged in cybersecurity. Today there are too many siloed human-dependent cybersecurity processes that, with evolving best practices, can and should be consolidated and automated. In a market with limited skills, usability and automation should be treated as equally important as capability.

5. Most companies will confirm whether cyber insurance will become a part of their investment strategy and realize that insurers are a valuable point for CISOs wishing to translate and validate risk to senior executives to help better understand their business’s cyber risks.

6. Cross-domain incidents will stop organizations from siloing IoT/OT and business/home systems, and help them realize that it is actually one big cyber mesh.

  • It’s likely that essential services will suffer more outages, following the early examples in Ukraine, the recent Mirai bot DDoS attack, and others.
  • In recent years, we have seen more attacks on automotive systems, so attackers inevitably will start to look at moving laterally into other autonomous systems, as they grow in popularity. These may vary from driverless city centers to the Amazon button to the increasing use of drones for commercial businesses.

It will be interesting to see how many of these predictions come true over the next 12 months. If experience has taught me anything, some will have been realized in half that time, while others may take a little longer – and, as always, I’m sure we’ll be thrown a few curveballs. The only near guarantee I can give is that the digital world will continue to have an amazing and positive impact on our lives, and I’m proud to be part of the global cybersecurity community that supports its enablement.

What are your cybersecurity predictions for 2017? Share your thoughts in the comments.

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Financial Sector Attackers Exploit Cracks in Blockchain Technology

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.  

This year saw some notable cybersecurity events in the financial services industry, including thefts from a number of SWIFT (Society for Worldwide Interbank Financial Telecommunication) member banks and from malware-infected ATMs in Asia. As we look ahead to 2017, I predict that we’ll see the following cybersecurity trends in the financial services industry.

Sure Things

  • Growing Adoption of Public Cloud – The financial services industry is the final frontier for public cloud computing. After years of saying it will never happen due to information security concerns, the industry has slowly warmed up to the use of the public cloud. Both Amazon Web Services (AWS) and Microsoft Azure already publicize a number of financial institutions as customers. Many organizations have been testing, evaluating, and conducting proofs-of-concept in 2016 with a critical eye on appropriate cybersecurity practices. A significant number of these institutions will finally adopt the public cloud for computing workloads in 2017. Initially, these may include applications that handle less sensitive data. Although there are still pockets of resistance out there in the financial services industry, they are definitely getting smaller. The appeal of agility, scalability, and cost-benefits offered by public cloud computing is irresistible, especially when security can be architected into the solution instead of bolted on.
  • Common Use of Multi-Factor Authentication (MFA) – As we saw with the recent fraudulent transactions at several SWIFT member banks, legitimate login and password credentials were somehow stolen and used to initiate fund transfers. This basic authentication technique is prone to compromise and allows account takeover (ATO) attacks. Financial institutions will finally take note and adopt more robust MFA techniques – at least internally for critical applications and sensitive data, and certainly for privileged accounts, such as root or administrator. Although not all MFA techniques are created equal, any form will create another hurdle that the cyber adversary cannot easily clear. MFA techniques are based on presenting evidence from at least two of the following categories:
    • Something you know (e.g., login/password, PIN)
    • Something you possess (e.g., one-time password token, mobile phone)
    • Something you are (e.g., fingerprint, retina scan)

Long Shots

  • Broad Implementation of Zero Trust Networks – Forrester Research first introduced the Zero Trust (ZT) model in 2009, but as of the end of 2016, implementations are still not widely seen. Conceptually, the information security value of restricting traffic to only known, legitimate flows between various portions of the network is difficult to refute: any malicious activity is then constrained by the nearest segmentation gateway. However, the challenges with the ZT model include difficulty in completely identifying the legitimate traffic patterns (both initially and in perpetuity); the necessary cooperation across multiple disciplines (e.g., IT, security, business); and the potential for business disruptions, especially in brownfield environments. In spite of this, financial institutions will warm up to the idea of ZT for their networks and take some big strides in 2017. This will start off with pockets of network segmentation that limit traffic to and from the more sensitive portions of each environment. These efforts will limit the exposure and restrict lateral movement after a compromise. In the end, it will be a question of how far down the ZT path a financial institution will go within its own network.
  • Blockchain Opens Another Attack Vector – There continues to be significant buzz regarding blockchain technology within the financial sector. Blockchain is certainly bigger than Bitcoin and is a distributed ledger technology that is being considered for payment processing, trade settlement, virtual wallets, etc. In addition to start-ups, traditional financial institutions are actively working to understand this technology and the potential impact on their organizations. Some of the benefits include greater expediency as well as reduced costs for cross-border payments, securities trading, and settlement as a result of cutting out the intermediaries. Other benefits include greater transparency and audit trails for compliance officers, auditors and regulators. Even with the best of intentions in mind, early financial industry adopters of this technology will create another attack vector, despite the inherent mechanisms for cryptography and immutability. Vulnerabilities in nascent implementations of blockchain technology will be discovered by malicious actors who will exploit them in an effort to compromise the security and confidentiality of financial transactions in 2017. This provides a segue to the next prediction.
  • Better Results from Coopetition – FinTech start-ups continue to challenge financial institutions for a share of their customers’ wallets. FinTech brings lower costs and innovative approaches to a segment of the banking and investing population. However, they often lack brand recognition, access to a large customer base, and experience with regulatory matters. On the other hand, traditional financial institutions clearly have those qualities, but often lack the agility and capacity for innovation. Traditional financial institutions are trying to embrace cloud computing to remove some of the drag, and some have even launched their own (autonomous) FinTech units. Others have embarked on collaborative efforts with FinTech companies as a means to marry the core competencies of both sub-sectors. This approach may very well be the best path to innovative solutions in 2017, which are industrial-grade in terms of scalability, enterprise architecture, cybersecurity, etc. Ultimately, this will provide lower cost financial products or services and improved customer experiences, but with safety, soundness, and regulatory compliance fully baked in.

What are your cybersecurity predictions for the financial services industry? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for EMEA.

[Palo Alto Networks Research Center]

Cyber3 Conference: Actionable Takeaways for Global Thought Leaders

Palo Alto Networks recently participated in the second Cyber3 (Cyber Connect, Cyber Security, and Cyber Crime) Conference , which was held in Tokyo in late November and included official support from the Japanese government. The conference brought over 300 thought leaders from all over the world to discuss cybersecurity challenges and share best practices. As William H. Saito, Cyber3 Chairman and Special Advisor to the Japanese Cabinet Office, made it clear during his opening remarks, the goal was to keep the forum interactive and contribute to better cyber resiliency.

The conference showcased the strong leadership of the Japanese government to provide a thought-provoking and multi-stakeholder platform that allows leaders in academia, business, and government to network with each other, build trust, and discuss innovations such as artificial intelligence and connected cars and cyberthreat intelligence in an open and frank manner. Japanese Chief Cabinet Secretary Yoshihide Suga was on hand for closing remarks, which underscored the government’s interest in the gathering.

This is a watershed moment for Japan. While Europe and the United States have regular cybersecurity conferences addressing both technical and strategic audiences, such as DefCon and the NATO Conference on Cyber Conflict, Japan had not had such a high-level, cybersecurity-focused conference, owing to a lack of interest in cybersecurity, until the first Cyber3 Conference was held in Okinawa in early November 2015. The atmosphere changed drastically after September 2013, when Tokyo was chosen to host the Summer Olympic and Paralympic Games 2020. The clear deadline and mission to make the games successful spurred Japan to craft cybersecurity policies, invest more in cybersecurity human resources development, and advance public-private partnerships for information sharing and global collaboration. That is why some of the Cyber3 speakers were surprised to find out during the two-day conference how passionate the Japanese are about ensuring security for Tokyo 2020 and promoting cyberthreat information sharing.

The Japanese government hosted the G7 Ise-Shima Summit in May 2016 and included cybersecurity as a standalone topic for the first time in G7 discussions. The two consecutive Cyber3 Conferences and G7 Ise-Shima Summit’s cybersecurity documents prove the Japanese government’s firm determination to play a leading role in cybersecurity policymaking, thought leadership discussions and global cooperation.

Palo Alto Networks representatives participated in this important conference as a sponsor and as speakers and shared insights regarding automated cyberattack prevention, cyberthreat information sharing, and business risk management. Rick Howard, Chief Security Officer at Palo Alto Networks, was on the “Threat Intelligence, Information Sharing” panel and pointed out that cyberthreat information sharing has not previously worked well because security vendors monetize and compete on their information. However, cyberattacks are increasing and becoming more complicated. To improve cyber defense overall to protect users, security vendors have to pursue a collective defense. That’s why Palo Alto Networks, Fortinet, Symantec, and McAfee launched the Cyber Threat Alliance (CTA) two years ago – an example of vendors that compete directly in the market but, when it comes to shared threat intelligence, have agreed to work together for the greater good of protecting individuals, businesses and governments. U.S. President Barack Obama referred to CTA as a successful example of information sharing during the White House Cybersecurity Summit at Stanford University in February 2015.

Ryan Gillis, Vice President of Cybersecurity Strategy and Global Policy at Palo Alto Networks, moderated the “Human Resources Development” panel. First, Yasuhiko Taniwaki, Director-General of the Global ICT Strategy Bureau, Japanese Ministry of Internal Affairs and Communications, stated that the Japanese government included cybersecurity human resources development in its Cybersecurity Strategy in 2015, as Japan faces a shortage of cybersecurity talent. In July 2014, the Japanese Information-Technology Promotion Agency found that Japan has 230,000 cybersecurity professionals, and that 140,000 of them need further training; it also found that there is a shortfall of 22,000 professionals. Taniwaki encouraged academia, the government, and industries to work together to tackle the manpower challenge and pointed out that people who can bridge business leadership and IT engineers are in dire need. The Japanese government plans to create a human resources development plan by March 2017.

I appeared on a panel titled “Current and Future World, Government, and Organizations Changed by Cyber.” I reiterated the importance of a multi-stakeholder approach, which is the philosophy of Cyber3. Since the damage caused by cyberattacks is not necessarily constrained within a certain sector, a traditional stovepipe approach to combating them no longer works. We must overcome silos and work together beyond the border of organizations, sectors and nations. Several countries in the world are facing political dynamics and administration changes. Cybersecurity, however, is a bi-partisan issue and opportunity – a business and consumer enabler, not just a cost center. We should take advantage of the convenience brought by ICT and ensure security. Cybersecurity is everybody’s problem – individual, company, government, or university. At the same time, cybersecurity enriches our lives and I hope Tokyo 2020 changes our mindset under the tight deadline and creates a positive prototype of multi-stakeholder efforts to increase resiliency.

Noboru Nakatani, Executive Director of Interpol Global Complex for Innovation, pointed out a stark contrast between Japanese and non-Japanese perspectives on cybersecurity. The Japanese tend to frame breaches as information leaks and blame the insufficient cyber defense on the victim organizations. On the other hand, Americans and Europeans tend to frame breaches as hacks and often focus on how to prevent future successful cyberattacks by attackers. The trend is reflected in how the media reports cyber incidents.

Situational awareness supported by full visibility and cyberthreat information would help shift such a mindset. During the Day 2 luncheon, Rumi Horio, Security Consultant, Palo Alto Networks K.K., cited an anecdote of several blind men who touched different parts of an elephant and thought it was a fan, rope or something else. Japanese organizations are inclined to count the number of cyberattacks rather than seek methods to reduce the attack surface and prevent attackers from achieving their goals by cyberattacks. She argued that it is time to take a proactive approach rather than being reactive to damages.

Cyber3 was an insightful cybersecurity conference for mutual learning and finding new ways of partnering and collaborating to take actions based on lessons learned together. Palo Alto Networks appreciates the opportunity to have been able to sponsor and participate in the conference in 2016 and 2015. We look forward to continuing to work with the Japanese government and global thought leaders.

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Ransomware and SaaS Challenges Persist in Healthcare

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.  

2016 was the year of ransomware in cybersecurity, and it was especially impactful in healthcare. In this blog post, I’ll lay out a few predictions about the type of threats that the healthcare industry will face in 2017.

Sure Things

1. Ransomware Will Continue to Target Healthcare

I suppose this is an obvious one. Many hospitals were impacted by ransomware this past year. Hospitals in California, Indiana and Kentucky were hit especially hard by ransomware variants that target servers, as opposed to user PCs. A hospital in Washington was impacted to the point where it had to redirect patients to other facilities in order to maintain adequate quality of care.

The bad guys have turned to ransomware as their go-to choice of attack because Bitcoin payments are anonymous and, as a business model, it is an effective way to get paid without getting caught by the police. They target healthcare because the attack vector for the highly effective SAMSA ransomware variant is unpatched JBoss application servers in the DMZ (the internet-facing area of a network). Hospitals have many of these servers and are being successfully exploited in increasing numbers.

With any luck, the word has been spread well enough to healthcare organizations that the JBoss vulnerabilities have been patched or at least mitigated. However, we haven’t seen the last of this trend. Ransomware will continue to target healthcare throughout 2017 through the standard areas of attack: web-based drive-by downloads, malicious email attachments or links, and unpatched servers in the DMZ.

2. Accidental Oversharing in SaaS Apps Will Increase, Resulting in Losses of Patient Data

Medical staff love to use cloud file-sharing SaaS apps, like Box, Dropbox and Google Drive, because they fill a gap in many healthcare organizations: easy file sharing. The problem with the public versions of these services is that it’s up to the user to control who has access to the files, and it’s quite easy to accidentally configure a file containing protected health information (PHI) to be shared with the entire internet public. Enterprise versions of Box, for example, give administrators the ability to restrict public access, but many healthcare organizations don’t block the free versions.

I wrote a blog post earlier this year on the topic of SaaS security, along with some recommendations for mitigating the risk. Until healthcare organizations provide a sanctioned method for file sharing, both within and external to their organizations, and proactively block unsanctioned file-sharing websites, we are likely to see losses of patient data due to accidental oversharing.

Long Shots

1. A Cyberattack on a Medical Device Will Cause the First Confirmed Injury to a Patient

Many medical devices used in medical facilities today lack basic security. Often, medical devices lack endpoint protection and regular patching, and run on outdated operating systems such as Windows XP. For these reasons, they are prime targets for malware and cyberattacks.

There has been only one confirmed FDA order to pull a specific medical device out of hospitals. I believe we have only seen one because of insufficient research on and awareness of the problem. There hasn’t been much research because medical devices are expensive and there is no financial incentive to perform the sort of security research required to find and fix medical device vulnerabilities.

Attackers motivated by money have used ransomware due to the quick payout and anonymity, but there’s a type of attacker who is in the “I did it because I could” crowd. These adversaries hack for fun. To date there have been no confirmed cases of physical harm to patients due to a cyberattack on a medical device, but I believe that it’s only a matter of time before a bad actor takes advantage of the most vulnerable area of hospital networks – medical devices – and wants to make a statement.

What are your cybersecurity predictions for the healthcare industry? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for financial services.

 

This article originally appeared on HealthDataManagement.com 

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: IoT Security Flaws Awareness Will Be Magnified

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017. 

The endpoint security market will experience some dramatic shifts in 2017. Everything from the disposition of the threat actors to the players in the security vendor space to the nature of endpoints is undergoing significant changes. This will most certainly catch many organizations off guard. But there are options for those security professionals who care to prepare for it. In this post, I will outline four changes that security professionals might see in 2017.

Sure Things

Rapid Consolidation in the Endpoint Security Market

According to the research firm Cybersecurity Ventures, there were more than three dozen vendors and startups in the endpoint security market in 2016. For an evaluator or buyer of security products, that’s too many options, too many disparate approaches, and too much confusion – clear signs of saturation in any market.

Investors also seemed to recognize that the endpoint security market is reaching its saturation point: 2016 marked a slowdown in funding of new security startups, compared to 2015. As fewer (new and existing) startups receive funding, those that cannot deliver enough value to buyers in order to gain a foothold in this crowded market will inevitably die out. Others will be acquired by the traditional antivirus (AV) vendors who recognize the need for rapid retooling of their offerings to stay competitive.

As the pace of cyberattacks continues to increase, so does the pace of this market consolidation. Endpoint security vendors will recognize that they must move fast to keep pace with the threat landscape and the market conditions. These conditions will lead to a rapid, Darwinian consolidation in the endpoint security market.

Dramatic Increase in Use of Exploit Kits

Recent research from Unit 42, the Palo Alto Networks threat intelligence team, outlined the three main reasons cybercriminals continue to rely heavily on exploit kits:

  1. Exploit kits present cyberattackers with a much stealthier option for infecting Windows hosts with malware.
  2. The exploitation process is automatic.
  3. Criminals can use exploit kits to essentially outsource malware distribution.

In other words, exploit kits turn cyberattacks into an automatic, outsourced, and scalable operation for criminals. And with the ability to rent access to any number of exploit kits for a few hundred dollars a month, launching an attack with exploit kits is now far more affordable than ever before.

Information security has always been a “cops and robbers” problem. And with exploit kits, the robbers add automation, outsourcing, and scalability to their side of the equation. This is a trend that will certainly continue to escalate in 2017. The security industry, on the other hand, seems only recently to have recognized that it must match those capabilities or risk losing this battle. Fortunately, there are advanced endpoint protection solutions that already offer these automated, scalable prevention capabilities to forward-thinking organizations.

Long Shots

Marked Increase in macOS-based Malware

In March 2016, Unit 42 discovered KeRanger, the first instance of a macOS-based ransomware. Since then, the team has discovered several new types of malware exclusive to macOS. This is not a surprising trend – what’s surprising is that it took so long.

macOS-based systems present cybercriminals with a perfect set of circumstances:

  • A false perception of security among end-users: The traditionally low occurrence of security breaches on macOS-based systems may lead users to be far less vigilant about cybersecurity hygiene, despite risks that are similar to Windows-based systems (for example, these systems share many of the same vulnerable applications, such as Adobe Flash).
  • A lack of sophisticated endpoint security solutions: The majority of macOS-based systems either have no endpoint security solutions deployed, or they use the same traditional AV solutions that have proven to be ineffective against today’s cyberthreats.
  • Increased organizational adoption of Apple’s technology ecosystem (from iPhones to iPad to Mac computers): In a recent research report by Nomura (October 2016 CIO Survey), the firm reported that 42 percent of the CIOs they surveyed “indicated Apple’s products are becoming more pervasive in their IT infrastructure.”

A large and increasing population of enterprise users who practice poor cybersecurity hygiene and do not have automated, sophisticated endpoint security solutions to protect their systems? Sounds like the perfect target for crafty cybercriminals looking for new sources of ransomware revenue in 2017.

Increased Awareness of IoT Security Flaws

The proliferation of the Internet of Things (IoT) is already underway. According to the research firm Gartner, there were an estimated 6.4 billion IoT devices in use in 2016. The firm forecasts that there will be over 20 billion connected IoT devices by 2020. Despite the large number of devices, IoT security still seems to be an afterthought. This is concerning, considering:

  • The increased interconnectivity between IoT devices
  • The potential for collecting and sharing data among IoT devices and their supporting data services
  • The unknown but potentially significant and increasing number of vulnerabilities within the IoT ecosystem

The IoT ecosystem is still in its technological infancy. The extent and the impact of existing security flaws may not be obvious yet because of the limited computing and connectivity capabilities of the devices in use today.

This was very likely the same argument used to justify distributing unsecure systems in the automotive industry – until researchers demonstrated their ability to remotely hack a car traveling at highway speeds in 2015.

As the IoT device counts and capabilities continue to increase in 2017, the inherent security flaws that may have been ignored in the past will become more prominent, complex and unnerving. Organizations that develop, produce, and host these devices must make a concerted effort to integrate security into these devices and the networks they operate in. Being the first organization to deal with the public repercussions of a breach in IoT security is not a “first mover advantage” in any industry.

What are your cybersecurity predictions around endpoint security? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for healthcare.

[Palo Alto Networks Research Center]
