Paranoid Technology All things cybersecurity

28Dec/16Off

10 Scary Security Predictions for 2017

Given the accuracy of DT’s 2016 predictions, it’s exciting (and unnerving) to present DT’s 10 Scary Security Predictions for 2017.

  1. IoT zombie army (the sequel) – from TVs to toasters people are connecting everything to the Internet, a little too carelessly. In 2016 the Internet of Things (IoT) was used as a force-multiplier in DDoS attacks. This was only a dress rehearsal and the attacks will get more sophisticated in 2017. Expect to see:
    • Web Infrastructure Attacks – attacks like DynDNS at a larger scale.
    • Utility Infrastructure Attacks – Thousands of pieces of SCADA & PLC, ICS equipment is unprotected and exposed to the internet. Most of these are connected to critical infrastructure that could impact human life in significant ways. For example, recently a Ukrainian power company was attacked and could not deliver power to its customers. Temperatures that day ranged from 30.2F to 15.8F – nobody was hurt reportedly, but a longer outage without power would be a problem.
    • Human Life-Threatening Attacks –IoT may become an assassination tool this year. Connected pacemakers, insulin pumps and let’s not forget cars.
    • Expect other new forms of IoT activity – swarms of “things” used as relays, conducting passive and active recon activities as an example.
  2. Pre-emptive hacking by government – this happened with no congressional debate or vote. According to this, if you are using TOR or a VPN service or if you are infected by malware the FBI can hack you without a warrant to understand what kind of a threat you are, or in the case of malware infections to identify the culprits (or to fulfill their jump-host quotas to launch attacks to whatever target); and they don’t even have to tell you. It’s the dawn of a new Internet era. Minority Report anyone?
  3. Get ready for GDPR – U.S. companies doing business in the E.U., or with U.S. citizens who reside in the E.U. will need to comply with GDPR requirements. The effective date isn’t until May 2018, but compliance will require planning, investment, and on-going reporting to keep the regulators and consumers happy. Three main things to watch are for are the requirement for each affected company to appoint a Data Privacy Officer (DPO), the fact that data subjects have new rights (including the right to be forgotten, to data portability, and to be informed of data breaches), and that there are steep fines for non-compliance.
  4. Machines learn to hack – machine learning will result in more sophisticated and harder to attribute attacks ranging from phishing and DDoS to Automated Target Selection and others. With Mirai-like IoT attacks, the capacity of humans to respond will significantly diminish and security workflow automation will gain importance. At DEFCON24 this year DARPA had its CyberSecurity Grand Challenge All-Machine Hacking Tournament the goals included reverse engineering unknown binary software, authoring new IDS signatures, probing the security of opponent software, and re-mixing defended services with machine-generated patches and defenses.
  5. Cyber-warfare on the rise – Increasing global tensions, constant use of cyber-warfare to impose political will, and the rejuvenation of nationalism has increased paranoia levels worldwide.  Nations are rightfully improving their defensive positions. In 2017 expect an increase in tensions to the point where citizens will become indifferent to surrendering their freedom in exchange for security. Cyber-gangs will join forces with nation states to deliver intelligence in exchange for a harassment-free work environment. Expect more cyber-mercenaries in the form of “black hat-as-a-service” (BaaS). Despite growing awareness, expect an increase in fake news and perception management operations will be observed.
   
Stop SOPA