Paranoid Technology All things cybersecurity

28 Dec 2016

10 Scary Security Predictions for 2017

Given the accuracy of DT’s 2016 predictions, it’s exciting (and unnerving) to present DT’s 10 Scary Security Predictions for 2017.

  1. IoT zombie army (the sequel) – from TVs to toasters, people are connecting everything to the Internet, a little too carelessly. In 2016 the Internet of Things (IoT) was used as a force-multiplier in DDoS attacks. This was only a dress rehearsal, and the attacks will get more sophisticated in 2017. Expect to see:
    • Web Infrastructure Attacks – attacks like DynDNS at a larger scale.
    • Utility Infrastructure Attacks – Thousands of pieces of SCADA, PLC and ICS equipment are unprotected and exposed to the Internet. Most of these are connected to critical infrastructure that could affect human life in significant ways. For example, a Ukrainian power company was recently attacked and could not deliver power to its customers. Temperatures that day ranged from 30.2F to 15.8F; reportedly nobody was hurt, but a longer outage without power would be a problem.
    • Human Life-Threatening Attacks – IoT may become an assassination tool this year: connected pacemakers, insulin pumps and, let’s not forget, cars.
    • Expect other new forms of IoT activity – swarms of “things” used as relays, conducting passive and active recon activities as an example.
  2. Pre-emptive hacking by government – this happened with no congressional debate or vote. According to this, if you are using TOR or a VPN service or if you are infected by malware the FBI can hack you without a warrant to understand what kind of a threat you are, or in the case of malware infections to identify the culprits (or to fulfill their jump-host quotas to launch attacks to whatever target); and they don’t even have to tell you. It’s the dawn of a new Internet era. Minority Report anyone?
  3. Get ready for GDPR – U.S. companies doing business in the E.U., or with U.S. citizens who reside in the E.U., will need to comply with GDPR requirements. The effective date isn’t until May 2018, but compliance will require planning, investment, and on-going reporting to keep the regulators and consumers happy. Three main things to watch for are the requirement for each affected company to appoint a Data Privacy Officer (DPO), the fact that data subjects have new rights (including the right to be forgotten, to data portability, and to be informed of data breaches), and that there are steep fines for non-compliance.
  4. Machines learn to hack – machine learning will result in more sophisticated and harder-to-attribute attacks, ranging from phishing and DDoS to Automated Target Selection and others. With Mirai-like IoT attacks, the capacity of humans to respond will significantly diminish and security workflow automation will gain importance. At DEFCON24 this year DARPA held its CyberSecurity Grand Challenge All-Machine Hacking Tournament; its goals included reverse engineering unknown binary software, authoring new IDS signatures, probing the security of opponent software, and re-mixing defended services with machine-generated patches and defenses.
  5. Cyber-warfare on the rise – Increasing global tensions, constant use of cyber-warfare to impose political will, and the rejuvenation of nationalism have increased paranoia levels worldwide. Nations are rightfully improving their defensive positions. In 2017 expect an increase in tensions to the point where citizens will become indifferent to surrendering their freedom in exchange for security. Cyber-gangs will join forces with nation states to deliver intelligence in exchange for a harassment-free work environment. Expect more cyber-mercenaries in the form of “black hat-as-a-service” (BaaS). Despite growing awareness, expect an increase in fake news and perception-management operations.
7 Jan 2016

8 Scary Security Predictions for 2016

2016 Security Predictions
1) Back Doors Open in Corporate Encryption

Paranoid Technology has already opined on why “opening” encryption is bad for businesses and citizens alike, but not much has stopped calls from Washington for a “magic bullet” to let the good guys in and keep the bad guys out. What’s concerning is the predictions of those like Robert S. Litt, general counsel in the Office of the Director of National Intelligence, who wrote “the legislative environment [for passing a law that forces decryption and backdoors] is very hostile today, it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.” It’s an eerie and potentially prescient comment; right now strong encryption is winning, but it’s true that certain events would likely sway public opinion.

2) National Privacy Laws Weaken (Again)

While 2015 finally saw the USA Freedom Act passed, reining in NSA surveillance (including bulk collection of phone records) as of November 29th 2015 (but still not going far enough in the eyes of many civil liberties groups), the end of 2015 also saw Republican lawmakers introduce a new bill that would roll back the USA Freedom Act and reauthorize the government’s collection of phone records through 2017; that said, many lawmakers feel that the rollback is not enough, and senators like presidential candidate Marco Rubio would actually prefer to see a permanent reauthorization of key provisions of the Patriot Act.  The Republican response is a bellwether of what to expect in 2016, especially if there are terrorist or criminal events that demonstrate mass surveillance would have made some difference (see Litt’s crystal ball, above). 

17 Nov 2015

Cyberinsurance – why security fundamentals & service offerings matter

The cost of cybercrime has become staggering. With companies like Home Depot ($234M), Target ($264M), Sony and others being hit, CEOs are revisiting their cyberinsurance policies and wondering if they're doing enough. While cyberinsurance definitely belongs in the CEO's risk management tool kit, avoid reacting to the latest panic about cybercrime. Overspending on cyberinsurance means under-spending on critical functions - such as information security, risk, and even human resources - that may be even more important to protecting your business than insurance.

If you're interested in cyberinsurance, know that insurers will look at your "proof of insurability", meaning the strength of your policy application and their estimate of your organization's risk across key categories. They expect that you'll have done an in-depth review of your organization's risk based on the security measures in place and existing gaps. Remember that you'll pay extra for coverage of weaknesses in your security program, so it's better to address security hygiene before you apply.

There's a long list of things cyberinsurers will want to know before signing you up.  For a full list, read the Derivative Technology white paper, "Protect your business from cybercrime the cost-effective way: with targeted cyberinsurance".  Or keep reading for more details ...
