Each year, the Information Security Forum, a nonprofit association that researches and analyzes security and risk management issues, releases its 'Threat Horizon' report to provide a forward-looking view of the biggest security threats over a two-year period. Here are the top nine threats to watch for through 2019.
The information security threat landscape is constantly evolving. To help you navigate the terrain, each year the Information Security Forum (ISF) — a nonprofit association that researches and analyzes security and risk management issues on behalf of its members — puts out its Threat Horizon report to provide members with a forward-looking view of the biggest security threats over a two-year period. What follows are the nine biggest threats on the horizon through 2019 that your organization may have to manage and mitigate.
Organizations today depend on instant and uninterrupted connectivity, smart physical devices and trustworthy people. But that dependence makes them vulnerable to attacks on core internet infrastructure, on the devices used in daily business and on key people with access to mission-critical information.
"We've been dependent on the internet for so very long," says Steve Durbin, managing director of the ISF. "We've gotten to the point where we view it as any other utility. If you suddenly cut off the electricity, it's a major issue. Corporations have backups in place for other utilities — generators for instance. No one has really done that for the internet. They just assume it's going to be there."
To defend themselves, Durbin says, organizations need to rethink their defensive models, particularly regarding business continuity and disaster recovery plans. Plans that rely on employees working from home won't survive attacks that remove connectivity or that target key individuals. ISF recommends that revised plans cover threats to physical safety as well as periods of operational downtime caused by attacks on infrastructure, devices or people.
As conflicts across the globe increase in number and severity, ISF predicts that within the next two years, nation states and other groups will seek new ways of causing widespread disruption, including internet outages at the local or even regional level. Commercial and government organizations are likely to be considered legitimate targets, and industries stand to lose millions of dollars if communications systems fail and trade grinds to a halt.
Given the increasing prevalence of 'just-in-time' supply chain models, even brief disruptions can lead to shortages, Durbin says. Financial services institutions are also vulnerable, and outages that target them could lead to cascading failures. For instance, if clearing houses (institutions that settle payments) lose connectivity, organizations across all industries may lose the ability to initiate or receive payments for the duration. Even government services like law enforcement depend on connectivity for communications.
Attacks in this realm could involve physically cutting cables (possibly undersea, where repairs could take significant time), rendering root DNS servers or datacenters useless, distributed denial of service (DDoS) attacks that harness massive botnets, or even manipulating internet addresses and routes so that traffic doesn't arrive at its stated destination.
ISF says containing the chaos caused by such an attack will require coordination by central governments through their critical national infrastructure programs. Individual organizations must also understand the extent of their reliance on the internet and have plans in place to address the risk of attacks that recur relatively frequently.
The ISF recommends you do the following:
Criminals are increasingly profiting from ransomware — encrypting a victim's data and then demanding payment for the encryption key. According to a report released by Symantec last year, the average ransoms for data demanded by criminals jumped from $294 in 2015 to $679 in 2016. And the U.S. Federal Bureau of Investigation (FBI) estimated last year that cybercriminals would generate about $1 billion in revenue from ransomware by the end of 2016.
The ISF believes that over the next two years, cybercriminals will increasingly focus their ransomware efforts on smart devices connected to the Internet of Things (IoT). Attackers may hold specific devices for ransom, but the ISF believes they will also use the devices as gateways to install ransomware on other devices and systems throughout organizations.
Such attacks have the potential to disrupt business operations and automated production lines. But they could also prove deadly if they affect medical implants or vehicle components.
"Medical devices, manufacturing, we've put all of these 'things' out there," Durbin says. "Driverless cars, transportation, railways, financial services. We've embedded smart devices in all these areas, but we never really thought things through to this next stage. All of these things are out there in the real world. It's a bit like shutting the stable door after the horse has bolted."
Durbin says manufacturers of connected devices need to work with their customers to address security vulnerabilities and, at minimum, ensure that basic security features are always enabled. All organizations need to identify how they currently use connected devices, how they plan to increase use in the future and what the impact would be if one or more devices are affected by ransomware.
The ISF recommends you take the following actions:
Your business may be high-tech and digital, but your employees exist in the physical world, and that makes them vulnerable to blackmail, intimidation and violence. The ISF says that over the next two years, well-funded criminal groups will combine their global reach and digital expertise with the very real threat of violence to threaten privileged insiders to give up mission-critical information assets (e.g., financial details, intellectual property and strategic plans).
These privileged insiders may be senior business managers and highly placed executives, but they could also be their personal assistants, systems administrators, infrastructure architects, network support engineers and even specific external contractors. Extreme cases could involve "tiger kidnapping" of the insider's family.
ISF believes criminal gangs are likely to turn to these methods for these three reasons:
To protect yourself against these threats, ISF recommends you take the following actions:
To make good decisions, your business depends upon accurate and reliable information. If the integrity of that information is compromised, so is your business. This issue has risen to prominence recently with the 'fake news' that has begun swirling around major politicians. The ISF believes that over the next two years, attackers will spread lies or distort internal information in the hope of gaining a competitive or financial advantage at the expense of targets' reputations or operational effectiveness.
"With volumes of data increasing to the levels that they are, we've reached a point where it's absolutely impossible for anybody to really, absolutely ensure the integrity of data," Durbin says. "How do we work with the business to ensure we make the information they're using to make decisions as accurate as possible? We're going to see this change in the way that the CISO, in particular, is viewed within the enterprise. We've for so long assumed this is an IT security thing, but CISOs have been talking about their role and how that has evolved much more to reflect the business; it's more akin to risk management in the information space."
Durbin says organizations can reduce the effect of misinformation through proactive means: monitoring what others say about the organization online, and keeping track of changes made to internal information so that unexpected changes provide an early warning signal.
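One way to implement the second of those measures, tracking changes to internal information, is a tamper-evident baseline of the records the business relies on. The following is an added example (not code from the ISF report or from the article's author): each record is hashed, the set of hashes is signed with an HMAC so that an attacker who alters the baseline itself is also detected, and a later snapshot is diffed against it. The record names, contents and key are constructed sample values.

```python
"""Change tracking for internal reference data as an early-warning signal.

Added example: a keyed (HMAC-SHA256) baseline of internal records, so that a
later snapshot can be diffed against it and any change to the records, or to
the baseline file itself, is detected. Record names, contents and the key are
constructed sample data, not from the ISF report.
"""
import hashlib
import hmac
import json

# Constructed sample: records an organization relies on for decisions.
BASELINE_RECORDS = {
    "q3-forecast.xlsx": b"revenue=12.4M;cost=9.1M;margin=26.6%",
    "supplier-list.csv": b"acme,approved\nglobex,approved\n",
    "board-memo.txt": b"Recommend expansion into EU market in 2018.",
}

# Constructed key; in practice it comes from a secret store, not source code.
BASELINE_KEY = b"example-baseline-key-do-not-reuse"


def digest(content: bytes) -> str:
    """SHA-256 hex digest of one record's content."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(records: dict, key: bytes) -> dict:
    """Hash every record and MAC the set of hashes so the baseline is tamper-evident."""
    hashes = {name: digest(data) for name, data in records.items()}
    canonical = json.dumps(hashes, sort_keys=True).encode()
    mac = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return {"hashes": hashes, "mac": mac}


def verify_baseline(baseline: dict, key: bytes) -> bool:
    """True only if the stored hash set still matches its MAC."""
    canonical = json.dumps(baseline["hashes"], sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def detect_changes(baseline: dict, current: dict, key: bytes) -> dict:
    """Return added/removed/modified record names; refuse a baseline whose MAC fails."""
    if not verify_baseline(baseline, key):
        raise ValueError("baseline MAC mismatch: the baseline itself may have been altered")
    old = baseline["hashes"]
    new = {name: digest(data) for name, data in current.items()}
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_RECORDS, BASELINE_KEY)
    # Constructed later snapshot: one record silently edited, one removed, one added.
    later = dict(BASELINE_RECORDS)
    later["q3-forecast.xlsx"] = b"revenue=14.4M;cost=9.1M;margin=36.8%"
    del later["board-memo.txt"]
    later["new-pricing.txt"] = b"draft"
    print(detect_changes(baseline, later, BASELINE_KEY))
```

The point of the MAC is that a plain list of hashes is only as trustworthy as the file it lives in; an attacker who can edit the forecast can usually edit an unprotected hash list too. Keeping the key out of the repository and re-running the comparison on a schedule turns the baseline into the early-warning signal Durbin describes.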
Advances in artificial intelligence (AI) personas allow for the creation of chatbots that will soon be indistinguishable from humans. Attackers will be able to use these chatbots to spread misinformation targeting commercial organizations: without ever breaching an organization's digital boundary, an attacker could damage that organization's reputation by spreading convincing misinformation about its working practices or products. A single attacker could deploy hundreds of chatbots, each spreading malicious information and rumors over social media and news sites.
Attacks won't just target reputation. Fake news can also be used to manipulate a company's share price. German payments company Wirecard AG found that out the hard way in February of last year, when a fake report 'detailed' fraudulent activities by the company. While the report was later proven fake, the company's share price plummeted and took three months to recover.
You won't be able to stop chatbots from disseminating misinformation about your company, but recognizing the threat and incident response planning can mitigate the damage.
To protect your organization, the ISF recommends you do the following:
Organizations are increasingly reliant on data to drive their decision-making, and that means criminals and competitors can add information distortion to their toolbox of threats. The ISF believes three types of attack on the integrity of information will become commonplace over the next two years:
For instance, consider a utility company which analyzes data from smart meters to balance the amount of electricity it generates against the current demand. An attacker could manipulate smart meter data to falsely show high demand. Such manipulation could cause a surge in electricity generation. If that surge is significant enough, it could cause the electricity supply grid to fail.
Bogus or distorted data could also significantly affect pharmaceutical research, which is increasingly turning to big data analytics to improve the speed of modeling and trialing new drugs.
Durbin says organizations need to start preparing now to ensure information risk assessments address the likelihood and impact of attacks on integrity.
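The smart-meter scenario above is a case where the defence is a plausibility check on incoming data before it is allowed to drive an automated decision. The following is an added example (not from the ISF report or the article): each reading is checked against a per-meter physical ceiling and against that meter's own recent history, and only plausible readings enter the aggregate demand figure, with quarantined meters falling back to their own historical median so that a manipulated subset cannot swing generation either way. Meter ids, readings and thresholds are constructed sample values.

```python
"""Plausibility gating of smart-meter demand data before it drives generation.

Added example, not from the ISF report: readings are validated against a
constructed per-meter ceiling and against the meter's own recent history.
Meter ids, readings and thresholds are constructed sample values.
"""
from statistics import median

MAX_KW_PER_METER = 20.0   # constructed: ceiling for a domestic meter
JUMP_FACTOR = 4.0         # constructed: more than 4x the recent median is suspect
HISTORY_LEN = 6           # constructed: how many past readings form the norm


def check_reading(history: list, value: float) -> str:
    """Classify one reading as 'ok', 'exceeds_ceiling' or 'implausible_jump'."""
    if value < 0 or value > MAX_KW_PER_METER:
        return "exceeds_ceiling"
    recent = history[-HISTORY_LEN:]
    if len(recent) >= 3:
        base = median(recent)
        if base > 0 and value > JUMP_FACTOR * base:
            return "implausible_jump"
    return "ok"


def aggregate_demand(meters: dict) -> dict:
    """Sum only plausible current readings and report the rest for investigation.

    meters maps meter id -> list of kW readings, oldest first; the last element
    is the current reading. A quarantined meter contributes the median of its
    own history instead of the rejected value.
    """
    total = 0.0
    quarantined = {}
    for meter_id, series in meters.items():
        history, current = series[:-1], series[-1]
        verdict = check_reading(history, current)
        if verdict == "ok":
            total += current
        else:
            quarantined[meter_id] = verdict
            if history:
                total += median(history)  # fall back to the meter's own norm
    return {"demand_kw": round(total, 3), "quarantined": quarantined}


if __name__ == "__main__":
    # Constructed sample: m1 is normal, m2 reports a sudden jump, m3 reports
    # a value no domestic meter could physically draw.
    sample = {
        "m1": [1.0, 1.2, 1.1, 1.0, 1.3, 1.1],
        "m2": [2.0, 2.1, 2.2, 2.0, 2.1, 9.5],
        "m3": [0.5, 0.6, 0.5, 0.4, 0.5, 50.0],
    }
    print(aggregate_demand(sample))
```

The two checks catch different manipulations: the ceiling rejects values that are impossible regardless of history, while the jump test catches values that are individually plausible but inconsistent with the meter's own past. Logging the quarantined set gives operators the signal that an integrity attack may be under way, rather than letting the generation control loop react to it silently.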
To prepare, the ISF recommends you take these actions:
Many organizations are exploring blockchain technology because it promises to ensure the integrity of transactions without the need for a trusted third party at the center of the exchange.
In an article for Harvard Business Review last year, Don Tapscott and his son Alex Tapscott, authors of Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, And the World, argued, "our two-year research project, involving hundreds of interviews with blockchain experts, provides strong evidence that the blockchain could transform business, government, and society in perhaps even more profound ways."
The Tapscotts suggest 65 percent of top global banks will have large-scale blockchain implementations in place by 2019.
But Durbin notes that like any technology, blockchains will be vulnerable to compromise. Potential vulnerabilities include weak encryption, hashing and key management; poorly written programs; incorrect permissions; and inadequate business rules. In the event a blockchain is compromised, ISF says customer, senior management and user trust in the affected process will be shattered, and will require substantial effort to rebuild.
A compromised blockchain could lead to unauthorized transactions or data breaches, diversion of funds, fraud and even validating fraudulent transactions.
To avoid that fate, Durbin says attention must be paid to building information security into the design, build, implementation and operational phases of blockchain-based applications. Close collaboration will be required between business managers, developers and information security professionals.
The ISF recommends you do the following:
Over the next two years, the ISF believes that rapid advances in intelligent technologies and the conflicting demands posed by heightened national security and individual privacy will erode organizations' ability to control their own information.
New surveillance laws intended to improve national security will require communications providers to bulk-collect data that could reveal corporate secrets, Durbin says. Organizations won't be able to define the security arrangements around these data reservoirs, and they could become attractive targets for attackers who have the knowledge and capability to extract and exploit the data stored in them.
At the same time, Durbin says, new data privacy regulations like the European Union's General Data Protection Regulation (GDPR) will make it more difficult for organizations subject to them to monitor the behavior of insiders. The GDPR requires that organizations be transparent about their use of tools to monitor user behavior, which Durbin says will give malicious insiders exactly the information needed to bypass such controls.
Meanwhile, technological innovation will continue to outpace regulations. Durbin says increasingly mature AI in automated systems will start to make independent decisions that will contradict defined business rules, disrupt operations and create new security vulnerabilities.
While many of these factors will be out of the direct control of your organization, Durbin says business and security leaders can prepare for these threats through considered risk assessments, open and honest negotiations with communications providers, taking legal counsel to understand the effects of new regulations and building a workforce ready for the adoption of advanced technology.
Some governments have already begun creating surveillance legislation that requires communications providers to collect and store data related to electronic and voice communications. The ISF anticipates that the trend will continue over the next two years.
The intention of such legislation may be to identify and monitor terrorists and other such groups, but the data collection will necessarily sweep up a great deal more information, including sensitive data from organizations.
The ISF notes motivated attackers will quickly recognize the value of this data, know where it is and how to get it, and have the capability to analyze, interpret and exploit it. Such information could reveal things like plans for mergers and acquisitions, IP under development and details of new products in the pipeline.
The ISF argues that five factors will combine to make it a question of when, not if, data stolen from a communications provider will expose secrets:
To protect your organization, ISF recommends you take these actions:
According to a study released by McAfee in 2015, 43 percent of data breaches in that year were caused by insiders: users, managers, IT professionals and contractors. It should come as no surprise, then, that User Behavior Analytics (UBA) tools, which flag anomalous user behavior, have become increasingly popular: a 2016 report by MarketsAndMarkets Research predicted sales of UBA tools would increase nearly 600 percent from $131.7 million in 2016 to $908.3 million by 2021.
But the ISF says new privacy regulations like the GDPR, South Korea's Personal Information Protection Act (PIPA), Hong Kong's Personal Data (Privacy) Ordinance and Singapore's Personal Data Protection Act have the potential to constrain the use of such tools. They stipulate that an employer's use of such tools must be controlled and transparent to the user. Under GDPR, for instance, all profiling of employees is forbidden unless the employee is informed of the logic underpinning the process. While Durbin notes that transparency and creating a culture of trust are good, these regulations will position malicious insiders to circumvent UBA.
To address the insider threat and the implications of new regulations, the ISF recommends you do the following:
AI systems represent a major innovation in terms of automation. The ability to learn independently will allow them to automate increasingly complex and non-repetitive tasks in areas ranging from manufacturing to marketing and consulting. But Durbin notes that while AI is no longer in its infancy, it is only likely to reach adolescence in the next two to three years. That makes it prone to errors: learning from wrong or incomplete information can lead to inaccurate conclusions, for instance.
When leveraged in environments where outcomes can affect an organization's reputation or performance, AI could function unpredictably. Examples include the following:
To protect your organization against this threat, the ISF recommends you take these three steps: