By Alex Cherones, Director of Threat Security Solutions, AT&T
No one can know for sure what the next big cyberattack will be, but experts have some predictions about the biggest potential cyberthreats of 2016.
One of the great challenges of cybersecurity is that there always seems to be a new or growing threat on the horizon. Of course, our job is to offer protection against these cyberattacks. Through constant, vigilant monitoring of our networks, and those of our customers, we monitor about 100 petabytes of traffic every day. That allows us a certain amount of visibility into where the attacks are coming from and, to a certain extent, where they’re heading. No one can know for sure what the next breaches will entail, but we can make some logical predictions. Based on cybersecurity trends we have watched year over year, some of the biggest cyberthreats for 2016 could include:
The Cloud is wonderful as a business tool, and as a personal tool, for that matter. Cloud computing, also referred to as on-demand computing, offers storage solutions, internet-based computing, shared resources and information and a variety of web-based tools and applications. Many businesses are moving their transactions online and to the cloud, along with their critical applications and services. Making the move to the cloud may be good for customers and employees, but it’s also usually good for hackers – clouds can also mean no physical security to overcome. All the new business and data moving to the cloud makes it very attractive to attackers.
But not all clouds are created equal. Debates continue over whether clouds in general are more or less secure than traditional networks; in fact Google and other companies have done away with conventional perimeter defenses in lieu of application-level container security. The fact remains, though, that clouds are growing in use and should be closely watched and monitored.
A national survey by Consumer Reports found that 34 percent of all smartphone owners don’t lock their phones with passcodes or passwords. That’s a lot of sensitive information – bank account information, contacts, PINs, credit card numbers – that’s up for grabs if a cell phone gets lost or stolen. Malware is also a very real possibility, especially for Android users. Stolen phones also act as good spear phishing devices for friends and family members.
The Internet of Things (IoT) concept of networked devices no longer includes just phones and tablets, but also homes, appliances, televisions and automobiles. Connected cars are full of impressive gadgets, such as cameras, built-in GPS, entertainment and informative dashboards that connect to the driver’s phone apps. These vehicles are already on the road, and their cybersecurity is already raising concerns – Chrysler recalled 1.4 million cars in July of 2015 for being “hackable.”
The computer chip embedded into MasterCard and Visa credit cards is an added security measure that guards against fraud. It also offers a new target for hackers. The U.S. is a bit late to the game on the EMV credit card chip – implementation here went into effect in October of 2015. Nearly 80 countries around the world that had previously upgraded to the chip have seen the desired reduction in theft and counterfeit cards. Unfortunately, those countries that have internet traffic comparable to the U.S. have seen a sharp uptick in Card Not Present (CNP) fraud that is widely seen in online shopping. In Canada alone, online fraud has nearly doubled since the implementation of EMV cards. There is good reason to suspect the same type of EMV credit card cyberattacks could happen here.
Phishing is not new. In fact, it’s one of the longest-running and most prevalent online scams. But the attacks are getting more sophisticated and more personalized. One of the latest incarnations is called “spear phishing.” It uses online data to extract personal information to create very personal phishing emails that prove almost irresistible to the victim. The victim opens the phishing email, and then if a link is clicked or personal information is inadvertently revealed, the hacker can do whatever malicious deed he or she wants – unleash malware, create a botnet, steal identities… just a whole host of online badness. Phishing and spear phishing have also become a big problem for businesses, where unsolicited emails can be much more common.
These are also not new threats, but they seem to be increasing in number and sophistication. Malware is a mashup of “malicious software.” It’s transmitted when someone mistakenly downloads malicious code through a phishing email, a malevolent link or a fraudulent download, opens an infected file, disk or flash drive, or visits a harmful website. Sometimes the attackers design the malware to operate undetected, fleecing the victim’s private data for weeks or even months before it is noticed.
Ransomware is a type of malware that has reportedly extracted millions from businesses and individuals. The virus locks the screen and encrypts all files, demanding a fee before providing an unlock code allowing the files to be decrypted. “CryptoWall” is a notorious type of ransomware that’s been making news in 2015.
Wearable technology is already spreading from the Apple Watches and Fitbits on our wrists to our whole bodies – athletic apparel that records biometrics, baby onesies that report vitals to mom and dad. The applications are moving beyond fitness and parenting as well. Google has announced electricity-conducting yarn that will convert garments into touch screens. Under Armour has indicated their next wave of smart clothing will offer temperature control. Unfortunately, the more popular that wearable tech becomes, the more vulnerable we are to cyberattacks. The accompanying apps offer vulnerabilities for spear phishing or some other unforeseen threat, as seen previously with the connected cars.
As we saw after the hacks of Ashley Madison, Sony, Anthem and TalkTalk, it wasn’t just about the security breach. It was also about the marketplace for the stolen data. There is always a craving for information, and we have seen some of it go to the highest bidder. Other pilfered material has been sold off by the page, by the credit report, by the email or by other category. At any rate, it’s likely there will be an even more robust market for hijacked merchandise in 2016.
In August of 2015, the Department of Homeland Security (DHS) and the Federal Drug Administration (FDA) recommended that medical facilities cease use of a certain computerized medicine pump because of its vulnerability to hacking. The pump had the potential for an authorized user to control the device remotely and alter the dosage of the medication delivered to the patient. While there were no reports of any hacks into the pumps, the threat sent shockwaves into the medical community whose previous concerns had been limited to health information privacy. Now with devices that actually deliver medicine and other healthcare delivery technology going online – some healthcare facilities already use tablet-controlled robotic physicians to round on patients and interface with medical records – pervasive threats for medical devices could include ransomware or even Stuxnet-type attacks where hackers tap into administrative privilege capabilities and wreak havoc by altering their functions or codes.
Just days after ISIS attacked civilians in Paris, the hacktivist group Anonymous released a video threatening cyber-retaliation. The best-known hacktivist group, Anonymous has targeted businesses, governments, social organizations – anyone whose ideology or tactics they oppose. Depending on skill level and resources, any organized group with an ax to grind can attack with distributed denial of service (DDoS) offensives, breach corporate or government networks or find other ways to harm systems. Hacktivists often publicize their attacks or offer warnings (as seen with Anonymous). Cybersecurity firms have begun identifying and tracking known hacktivists more closely, so the frequency of their attacks may decline. But that doesn’t mean their attacks will stop – they may actually become larger, more focused, more strategic and grander in scale.
In the summer of 2015, the U.S. Office of Personnel Management (OPM) was breached. The personal information of 22 million Americans was hacked. Many victims had security clearance, so the data theft wasn’t just a privacy violation; it was a national security breach. Nation-state criminal espionage is a serious threat to the U.S. government and American businesses with access to sensitive government contracts or related data.