While 2016 has seen wave after wave of cybercriminal activity, it's time to prepare for a 2017 tsunami.
As we make our valiant kick to the finish line in 2016, it's simply too tempting to glance over our shoulders at some of the more noteworthy hacker activities of the past year. That is, before we set our sights on what's to come.
Here's just a sampling of what we've seen thus far this year:
- January: The IRS was hacked again, this time by attackers using malware to automatically generate E-File personal identification numbers to assist them in stealing tax refunds.
- February: A hacker published information that exposed 9,000 DHS employees and approximately 20,000 FBI employees.
- March: Hackers hit Verizon Enterprise Solutions, stealing information from 1.5 million customers.
- April: MedStar Health (a 10-hospital chain) was hit with a ransomware attack when hackers compromised an unpatched JBoss application server.
- May: Authorities discovered that more than 270 million user names, passwords and email accounts were stolen and up for grabs in Russia's criminal underworld.
- June: The Wendy’s fast food chain discovered additional malicious cyber activity related to the earlier malware-laden data breach of its POS systems.
- July: The Democratic Congressional Campaign Committee (DCCC) was hacked with 20,000 emails leaked to the public.
- August: Oracle's MICROS System was attacked by hackers, impacting more than 330,000 cash registers around the world.
- September: Hackers breached Yahoo! and stole at least 500 million accounts.
- October: Hackers utilized a DDoS attack to take out huge swaths of the Internet using infected IoT devices.
- November: AdultFriendFinder.com was targeted by hackers for a second time in two years, affecting more than 400 million users.
- December: ???
What will 2017 bring?
1. Healthcare data breaches will rise
A Google search for “healthcare breach” will yield roughly 23,100,000 results, while a Google news search returns 154,000 news articles. Obtaining sensitive medical information is white-hot in the hacker world, where personal healthcare information (PHI) is the crème de la crème of information theft in the underground.
With healthcare organizations struggling to integrate newer technologies with legacy systems that still run unsupported operating systems (like Windows XP and Windows 2003 Server), the emerging vulnerabilities of medical devices will continue to be exploited by cybercriminals.
In early October of this year, for example, Johnson & Johnson sent letters to patients using the OneTouch Ping insulin pump with a warning that the device contained a cybersecurity flaw. Even though the company downplayed the risk, a hacker could potentially reprogram the device to administer additional doses of the diabetes drug, upping the security flaw from ‘minimal’ to life-threatening. Johnson & Johnson’s product website states - in small print - OneTouch requires an IBM-compatible PC running Windows® 2000 or XP. It is not compatible with Windows® Vista® and Windows®.
This should be a clear wake-up call for the healthcare industry to realize that along with protecting patient data, protecting the patient from critical cyber attacks via medical devices is, literally, critical.
2. Insider threats will increase
Last summer, security researchers at Kaspersky Labs found that the top attack vector against Cellular Service Providers (CSPs) and Internet Service Providers (ISPs) was hiring or blackmailing an insider. According to researchers, cybercriminals used two methods to accomplish this:
- Enticing or coercing individual employees with relevant skills
- Searching underground message boards to find an appropriate current or former employee
3. More Internet of Things (IoT) exploits
Business Insider predicts there will be 34 billion devices connected to the Internet by 2020. IoT devices will account for 24 billion and traditional computing devices (e.g. smartphones, tablets, smartwatches) will comprise 10 billion.
Carl Herberger, VP of Security Solutions at Radware, wrote at HelpNetSecurity:
“2016 brought the opening shots in the long awaited IoT threat, from the largest-ever DDoS attack to a botnet of 25,000 video recorders and CCTV cameras sending 50,000 HTTP requests per second. These connected devices have unlocked the 1 Tbps DDoS era.”
What's to come in 2017?
“IoT platforms will need security in mind from the ground up, not simply added as an afterthought, as has been common until now.”
With exponential IoT growth expected, hackers will latch onto vulnerabilities just as they did when Microsoft Windows dominated the playing field. The recent DDoS attack that affected 80 major websites is just one example of how easy it is to enslave IoT devices that still use factory default usernames and passwords into a botnet.
4. Attacks using new mobile malware will continue to grow
According to McAfee Labs, total mobile malware has grown 151% with the highest levels recorded in Q2 of this year.
Easy Solutions reflected in their latest report, The Fraud Beat 2016 – Taking the Pulse of Cybercrime:
“Fraud is in a constant state of evolution to stay a step ahead of the defenses deployed to stop it. Eyeballs have moved from desktops and laptops to mobile devices, and cybercriminals have adapted their strategies, launching attacks on the apps and social networks where users increasingly spend their time.”
5. Fake retail and product apps are all the rage
During the past few weeks, hundreds of fake retail and product apps have been popping up on Apple’s App Store and Google Play.
- Be judicious in deciding what app to download. Better safe than sorry.
- If you do decide to download an app, the first thing to check is the reviews.
- Apps with few reviews or bad reviews are a big red flag.
- Never click on a link in any email to download a new app. Only go to the website of the retailer to get a link to the app on App Store or Google Play.
- Give as little information as possible if you decide to use an app.
- Be reluctant to link your credit card to any app.
What's the takeaway?
In this case, there are several:
- Manufacturers must build security measures into medical devices, including throughout the software lifecycle.
- Employees should receive ongoing training regarding potential insider threats, and companies should implement newer technologies to address this threat.
- IoT devices should be designed with ‘security in mind’ (from the ground up), and these devices should ship with unique usernames and passwords, with consumer education enclosed in the packaging.
- More vetting and vigilance is required with mobile app downloads.
The 2017 threat landscape will very likely prove to be both daunting and ominous if businesses fail to address the weakest links in the security chain today.
So let's get to work!