2017 was the year that the Shadow Brokers’ released a set of sensitive exploits, hoarded by the NSA. Quickly, these exploits were written into malware and a stream of powerful ransomware outbreaks such as WannaCry, NotPetya and BadRabbit followed.
2017 also saw some of the highest profile data breaches yet, with Equifax seeing the breach of countless millions of personal records including names, addresses, drivers licence numbers and social security numbers; and in doing so, joined the likes of LinkedIn, MySpace, eBay, Adobe, Uber and other large organisations who have leaked data in recent years.
The meteoric rise in Bitcoin prices from $1000 in January 2017 to just over $19000 in December has led to an increase in ransomware attacks, due its popularity as the unregulated currency of choice for the ransom demands, resulting increase in profitability of such attacks. The rise in price of Bitcoin and other ‘alt-currencies’ has also led to new threats, including the unauthorised mining of coins using malware and browser plugins. One such app for Android was so intensive it resulted in the physical blowing up and catching fire of the device battery. Vendors have scrambled to patch these holes, but this is a burgeoning industry, netting hundreds of millions of dollars for the organisations behind the attacks.
These factors, and others, have set the stage going into 2018; so, what lies ahead for us in the land of cyber security and SME IT?
Ransomware will continue to get worse
As the price of Bitcoin and other digital currencies remain high and powerful exploits remain unpatched across huge swathes of computers, criminals will continue to reap the profits of ransomware attacks. Ransomware-as-a-service brings this powerful malware within the reaches of low-skilled criminal organisations for a small monthly fee, where once it was the exclusive domain of highly-skilled hackers. As always, the best protection comes in the form of ‘standard’ best practices:
- regularly and quickly patching all devices, operating systems and applications (including mobile devices);
- regularly backing up your data and testing restores;
- using class-leading malware and ransomware protection such as Sophos Endpoint Protection Advanced with Intercept-X;
- managing user privileges, not using administrator accounts for day-to-day work;
- employing class-leading spam protection to filter out malicious ‘phishing’ emails;
- educating users so they understand the risks posed by ransomware, phishing emails, malicious links and downloads.
As always, further protection can be achieved by using next-generation firewalls, SIEM and other specialise tools; however, without the basics in place these solutions lose their effectiveness.
Cryptojacking (unauthorised use of machines for mining cryptocurrency) will increase
The concept behind generating cryptocurrencies like Bitcoin is that they are ‘mined’ by computers solving complex cryptographic problems to ‘find’ coins. Once these coins have been found they can be added to your wallet and traded or spent. Mining cryptocurrencies requires a huge amount of computing power and hence, huge amounts of electricity, hardware and cooling. If done legitimately, this represents an up-front investment for the miner.
Cryptojacking is the use of browser plugins, for the likes of Chrome, Internet Explorer, Firefox, or Opera, to run mining code on your computer whilst you browse the internet. It can also take the form of malware that is downloaded and run on your computer to mine for cryptocurrencies. For the hijacker, the cost of mining goes down to zero, as they are using your computer and hundreds like you, to mine for the coins. For the user, the most noticeable impact will be in performance, with a secondary impact in additional power usage and heat generation, as their processors are used intensively to solve the cryptographic problems required to mine the coins.
Antivirus vendors and browser developers are racing to catch up, writing ‘anti-mining’ plugins and updating their software to block this type of code. Even so, I see this as the thin end of the wedge as cyber-criminals find new ways to profit from the increasing value of cryptocurrencies.
Mobile malware will increase
With more of us using our mobile devices for email, social media, banking, shopping and carrying out our business and mobile devices becoming more powerful year-on-year, it is inevitable that mobiles will become increasingly targeted by cyber-criminals.
Whether it is to steal our data, hijack our financial transactions, hold our data to ransom, or use our processing power to mine for cryptocurrency, mobile malware is here to stay. Mobile device management and anti-malware apps are gaining in popularity in the enterprise, but take-up has been slow in small businesses and individuals. This mirrors the experiences gained in the 1990s and 2000s with Windows viruses.
I can see 2018 as being a year where mobile malware becomes much more prevalent and smaller organisations will increasingly protect their mobile devices in response.
GDPR will have an impact
The EU GDPR, replacing the Data Protection Act, will become enforceable on 25th May 2018 and it will have an impact. There are many myths surrounding GDPR; Elizabeth Denham has written a series of blogs to counter these myths. These are available on the ICO website.
The ICO recommends 12 steps to prepare for GDPR: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf and there are a number of certifications available which will help to demonstrate compliance with Article 32’s requirement to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.
That being said, many businesses do not know exactly what data they hold, where is it held, and what their legal purpose for processing the data is. In addition, many small businesses have never undertaken an information security risk assessment, and many are lacking the basic policies and procedures to adequately control and protect their information.
Multi-Factor Authentication will increase in popularity
The username and password have been the enduring authentication mechanism of the IT world for decades, often used as the only method of logging into a system or service. This system is problematic for several reasons:
- the number of accounts we need to log into is increasing, with some users having 50+ accounts;
- password hacking is getting more efficient, leading to the need to have longer and more complicated passwords;
- regular breaches of username/password information from online vendors means that we need to have a different password for each account, so that one breach does not render all of our accounts at risk;
- humans are poor at remembering large numbers of long, complex passwords, so very often passwords are not long enough, get reused across multiple accounts, or get written down.
One method to improve the security of a system or service, without increasing the length or complexity of the password, is to add a second ‘factor’ of authentication. This could be a fingerprint, a smart-card, or a one-time-passcode delivered by a smartphone app such as the Google Authenticator. So, you need the username, the password and the second factor. This is a powerful protection against hacking user accounts when implemented correctly. 2017 already saw many cloud services giving users multi-factor authentication as an option, I can see 2018 following this trend.
Attacks using compromised IoT (Internet of Things) devices will increase
The last few years have seen an exponential rise in the number of internet connected devices in our lives. From voice activated assistants like Amazon Echo and Google Home, to smart meters, security cameras, baby monitors and cars; devices connected to the internet are rapidly increasing. Forbes predicted in 2017 that there will be more than 80 billion internet connected devices by 2025.
Through a mixture of poor design and implementation, millions of these devices can be very easily hacked and used in botnets (large groups of compromised devices) to launch denial of service attacks on services and organisations.
Whilst some manufacturers of devices and members of the security community are working hard to implement robust security in IoT devices, I hope that 2018 brings a more widespread adoption of best practices, awareness exercises and regulation in this field. I fear, however, that this will not be the case.