Cybercrime to evolve in sophistication, experts warn
Cyberattacks reached new heights in 2014, including what many consider the most destructive cyberattack in U.S. corporate history, when hackers stole over 100 terabytes of data from Sony, including the personal data of thousands of employees.
The attacks got the attention of corporate America, and IT security will be front and center for businesses in 2015.
Experts warn that cybercrime will become more sophisticated this year, continuing to expand from simple network password fraud to large-scale espionage attacks.
Three-fourths of chief information officers (CIOs) surveyed by investment bank Piper Jaffray ranked IT security as the top spending priority in 2015, saying they would increase spending on protection. Fifty-nine percent had indicated they would increase spending on cybersecurity at the start of 2014.
According to research from PricewaterhouseCoopers (PwC), global cybersecurity incidents are predicted to increase by 48 percent this year. PwC said company employees are the “most-cited culprits of incidents.”
“If we don’t learn from 2014, 2015 will not be any better,” said Stephen Cobb, senior security researcher at IT security company ESET.
2015 Cybersecurity Forecast
A growth in targeted attacks on retailers, increased data privacy regulations and a widening cyber skills gap are some of the trends expected for corporate IT security in 2015, experts said.
“The scale of targeted attack activity will be higher than ever,” predicted Cobb. Retailers are under attack from multiple directions, including point-of-sale system attacks and SQL injection attacks, he said. According to the most recent IBM retail intelligence report, there were fewer attacks on retailers during the 2014 holiday season than in the past, but they were more efficient.
“The shotgun approach is giving way to more sophisticated attacks,” Cobb said. They will continue even as chip cards take over, he added, referring to the transition from traditional magnetic stripe credit cards to cards with embedded chips that require a PIN to make purchases. “The transition period from traditional cards could actually offer a new point of entry for hackers. Stolen credit card data will still be useful for online fraud after chip card implementation,” he said.
Attackers in 2015 will likely increase focus on new mobile payment systems such as Apple Pay, bitcoin and digital wallets. “Cybercriminals will be looking for flaws in these systems, but the present designs have several positive security features,” said James Lyne, global head of security research at computer security firm Sophos. “Expect cybercriminals to continue abusing traditional credit and debit cards for a significant period of time as they are the easier target for now.”
The Internet of Things will continue to grow and become more attractive and vulnerable to compromise. “In 2014, we’ve seen more evidence that manufacturers of Internet of Things devices [wearable gadgets connected to the Internet, such as Google Glass or fitness trackers] have failed to implement basic security standards, so attacks on these devices are likely to have nasty real-world impact,” Lyne said.
The security industry will need to learn to deal with these new devices. “A lot of organizations still haven’t got their traditional bring-your-own-device [BYOD] security policies and procedures in place,” said Cobb.
As more workers use their personal devices to do their jobs, companies are seeing more information security risks, said Steve Durbin, managing director of the Information Security Forum (ISF), in an article on the CIO website. “These risks stem from both internal and external threats including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications,” he said.
Ransomware, a type of malware that restricts access to the victim’s computer system until a ransom payment is extracted, will become increasingly sophisticated, according to McAfee’s 2015 Threat Predictions report.
“We predict ransomware variants that manage to evade security software installed on a system will specifically target endpoints that subscribe to cloud-based storage solutions such as Dropbox, Google Drive and OneDrive. Once the endpoint has been infected, the ransomware will attempt to exploit the logged-on user’s stored credentials to also infect backed-up cloud storage data,” the report said.
Encryption strategy will be important in 2015, said Cobb. Lessons from the Sony cyberattack include removing unencrypted audit reports from e-mail inboxes and not sending sensitive information over unencrypted e-mail, he said. “Don’t take corporate e-mail for granted. Even if you encrypt it on the server, if someone hacks into company e-mail accounts, it’s not encrypted to the reader.”
2015 is a good time to examine use of the cloud, Cobb noted. “You don’t want to be faced with a data breach and you don’t know where your data is stored. Check your cloud provider’s use of encryption between data centers, make sure data is secure in transit, and know where your data is and that it is secure if using a cloud provider.”
In addition to data-storage providers, security and HR should be concerned about any and all third-party providers, as they can serve as the entry point to valuable and sensitive information. Target was hacked in 2013 through a web services application that the company’s HVAC vendor used.
“Over the next year, third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity or availability,” Durbin said. “Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans, or negotiations. And this thinking should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers, your lawyers and accountants, all of whom share access oftentimes to your most valuable data assets.”
Attacks taking advantage of weak passwords, such as those seen in the 2014 iCloud and JPMorgan breaches, will continue to be a big risk in 2015. Brute forcing, where hackers try usernames and passwords over and over again, is ongoing and will continue, Cobb said, including “constant hammering of anything password-protected,” and new techniques to get around firewalls. “2015 is likely to be the first year when the password starts to be phased out in favor of a number of different multifactor options,” cyberthreat intelligence company Digital Shadows told CNBC.
The JPMorgan hack was a simple two-factor authentication failure, Cobb said. The financial company had set up a two-factor authentication safeguard on all entry points but one, according to reports. “Make sure you have two-factor authentication on all your public facing servers,” said Cobb.
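As an added illustration, not from the article or the researchers quoted in it, here is a defender-side check for the “constant hammering” Cobb describes: a Python detector that slides a time window over constructed authentication log lines and distinguishes one account being brute-forced from password spraying across many accounts. The log format, the thresholds and the IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (timestamp user source result); not from any real system.
SAMPLE_LOG = """\
2015-01-12T09:00:01 alice 203.0.113.7 FAIL
2015-01-12T09:00:02 alice 203.0.113.7 FAIL
2015-01-12T09:00:03 alice 203.0.113.7 FAIL
2015-01-12T09:00:04 alice 203.0.113.7 FAIL
2015-01-12T09:00:05 alice 203.0.113.7 FAIL
2015-01-12T09:00:06 alice 203.0.113.7 FAIL
2015-01-12T09:30:00 alice 203.0.113.7 FAIL
2015-01-12T09:01:00 bob 198.51.100.9 FAIL
2015-01-12T09:01:05 carol 198.51.100.9 FAIL
2015-01-12T09:01:10 dave 198.51.100.9 FAIL
2015-01-12T09:01:15 erin 198.51.100.9 FAIL
2015-01-12T09:01:20 frank 198.51.100.9 FAIL
2015-01-12T09:01:25 gina 198.51.100.9 FAIL
2015-01-12T09:02:00 alice 192.0.2.5 FAIL
2015-01-12T09:02:30 alice 192.0.2.5 OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(text):
    """Parse 'timestamp user source result' lines; malformed lines are skipped."""
    events = []
    for m in (LINE_RE.match(ln.strip()) for ln in text.splitlines()):
        if m:
            events.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return events

def detect_hammering(events, window=timedelta(minutes=5), max_failures=5, spray_users=3):
    """Flag sources exceeding max_failures failed logins inside any sliding window;
    'spray' when the failures hit spray_users+ distinct accounts, else 'brute-force'."""
    fails = defaultdict(list)
    for ts, user, src, result in sorted(events):
        if result == "FAIL":
            fails[src].append((ts, user))
    findings = {}
    for src, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide past failures older than the window
            count = end - start + 1
            if count > max_failures and count > findings.get(src, {}).get("failures", 0):
                users = sorted({u for _, u in attempts[start:end + 1]})
                findings[src] = {"kind": "spray" if len(users) >= spray_users else "brute-force",
                                 "failures": count, "users": users}
    return findings
```

Run `detect_hammering(parse(SAMPLE_LOG))` to see the two flagged sources; the lone failure at 09:30 falls outside the window and does not extend the earlier burst.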
Data Privacy, Security Laws
The regulatory landscape will force greater disclosure and liability, particularly in Europe. Many governments are issuing regulations on the security and use of personally identifiable information, with penalties for companies that fail to sufficiently protect it. As a result, Durbin noted, “organizations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and business costs such as reputational damage and loss of customers due to privacy breaches.”
Privacy rights issues will stay top of mind in 2015, said Cobb. The European Union’s Data Protection Regulation, due later this year, will impose stiffer fines for noncompliance.
“California is constantly ratcheting up privacy security regulations,” Cobb added. And expect more Health Insurance Portability and Accountability Act auditing in 2015, he said. President Barack Obama announced Jan. 12, 2015, a proposal for a federal data-breach notification law. The Obama administration’s cybersecurity framework, rolled out in February 2014, is widely seen as a standard in data security and will be important in the years ahead, Cobb said. “The start of the year is a good time to make sure your IT security policies are up to date, but remember that compliance is not the same thing as security,” he added.
Political stalemate and lack of trust will hamper efforts to share data between government and the private sector. Cyberthreat information-sharing legislation has once again been introduced in the new Congress. “Hopefully we can also get an increase in spending for cybercrime deterrence,” Cobb said.
Preparing for Threats
The global skills gap continues to increase, according to computer security firm Sophos, with incident response and education a key focus. “As technology becomes more integrated in our daily lives and a supporting pillar of the global economy, the cybersecurity skills shortage is becoming more critical and broadly recognized by governments and industry,” said Lyne. “This gap is growing larger with some governments forecasting a widening gap through the year 2030 given the present scarcity of qualified IT security professionals.”
As it has become more difficult to exploit Microsoft Windows due to the software company’s investment in exploit mitigations, attackers are moving back to social engineering, and focusing on non-Microsoft platforms, according to the Sophos report.
“From Heartbleed to Shellshock, it became evident that there are significant pieces of insecure code used in a large number of our computer systems today. The events of 2014 have boosted the cybercriminals’ interest in typically less-considered software and systems, so businesses should be preparing a response strategy,” the report said.
Lastly, promoting information security awareness will continue to be a losing proposition, said Durbin. “As we move into 2015, organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors,” he said. “Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in ‘stop and think’ behavior becoming a habit and part of an organization’s information security culture.”
Roy Maurer is an online editor/manager for SHRM.