2017 is promising to be another difficult year for cyber-defenders who are protecting company and government networks from attack. Here is what I think will be the top attack vectors this year.
Business Email Compromise
CEOs and other C-suite officers will increasingly be targeted for email account hijacking. This is an easy exploit to run because high-ranking employees and officers often are not the most computer-savvy people, and can easily be tricked by a well-researched and customized spearphishing email. Once in control of the email account, the attackers will wait for an opportunity to send a wire transfer request from the CEO to the CFO, accountant, or bookkeeper. These attacks generate payouts from $50,000 into the millions. I predict that as ransomware attacks become more difficult for cyber-criminals, they will shift their focus to this exploit.
We saw a continuing rise in crypto-ransomware attacks last year, and some non-encryption data stealing ransomware variants. Ransomware will continue to be a problem this year, but security software companies such as Sophos are bringing effective anti-ransomware security software solutions to the market. As these new products are adopted and installed on business and personal computers, I predict that 2017 will be the year we get a handle on crypto-ransomware. As a result, we can expect to see cyber-criminals migrate to more successful and lucrative exploits, such as the Business Email Compromise or non-crypto ransomware attacks.
Internet of Insecure Things
We saw some very large distributed denial of service attacks that used insecure Internet-connected devices such as web cameras, Internet home and office routers, and other IoT devices. Most of these DDoS botnets were automatically assembled using clever code. In addition to becoming a launch platform for DDoS, the hijacked devices would scan the Internet for other devices like themselves, and then recruit (infect) them into the botnet. Bruce Schneier has a longer post on this topic on his blog. The main culprit is the hastily written, insecure code that is running on a rudimentary Linux platform on these devices. In the rush to market, these manufacturers are not giving security any sort of consideration. Recent legal actions by the FTC against D-Link for this problem are an encouraging sign, and may make other manufacturers start to consider the importance of writing secure code for these IoT devices.
Stolen Credentials and PII
User IDs and passwords, and other personally identifiable information (PII) such as tax and medical records, will be top targets this year for data exfiltration gangs. There is an active marketplace for this information on the Dark Web, so if your information is breached, it may be in play for a long time, involving several incidents. Long passwords coupled with two-factor authentication can provide some protection from credential theft. Credit monitoring may provide additional protection for your PII.
The Long Hack
Cyber-criminals and nation state-sponsored actors are setting up shop on commercial and government networks for the long haul. Called Advanced Persistent Threats, these exploits are designed to be stealthy and quiet, and look like normal traffic to any security devices present on the network. Often when we are involved in an incident response, we find that the attackers have had access for several months to a year or more. This provides plenty of time to work on finding and exporting the important information on the network, from personnel records and customer profiles, to intellectual property and business plans.
These will be the primary exploits you can expect to encounter in the coming year. If you are a defender, you will need to up your game. Hopefully you were given a budget that is large enough to be effective.