We asked the Infosecurity community for predictions and thoughts as to how the information security landscape will evolve in 2016 and were overwhelmed by the response, so we will be adding new predictions each day from industry experts offering insight and thoughts for the next 12 months - it's sure to be an interesting debate.
Prediction: 2016 Will Be the Year of the Human-Based Threat
2015 was another big year for high-profile breaches. The bad guys were able to create some pretty sophisticated attacks, but insider threats (particularly the unintentional kind) were still the dominant root cause. We saw Anthem fall victim to the successful phishing of employees, as did Premera. Rising concerns about human-based threats were confirmed by Black Hat’s 2015 Attendee Survey of security professionals which named employee-based errors as their area of top concern for the upcoming year. There’s no shortage of data to support the role the human element played in breaches in 2015, and we expect to see more of the same this coming year.
We believe 2016 will be the year of the human based threat because the widening cyber skills gap will continue to leave holes in critical security roles. This will force companies to rely more heavily on employees to protect their most critical assets. At the same time criminals will develop ever more sophisticated and ingenious ways of infiltrating personal and company user accounts. In response, cybersecurity providers will continue to develop complicated technical solutions—and humans will need to continually improve their ability to identify the signs of deceit! As user behavior analytics (UBA) grows in sophistication, more organizations will need to apply insights to long-term security training and awareness strategies. This will allow them to create training that better combats problems specific to their organization.
- Cyber Brain Drain Puts Emphasis on Employee Behavior
- Phishing Holes Widen
- UBA Charts New Territory.
- Privacy concerns will Remain a Top Priority (but may not get resolved).
- Adaptive Approach to Employee Security Awareness.
Prediction: Don’t rage against the machine – embrace machine-learning strategies into your security approach
The security industry is facing two major issues that must be addressed in 2016. First, the number of attacks is expected to increase, and at a greater frequency. At the same time, existing security products becoming less effective with solutions from companies, such as Palo Alto Networks, FireEye and others replacing those of industry stalwarts Symantec and Trend Micro. Today we have more attacks, more products to sound alarms, and yet our customers say they feel less secure.
Second, our industry is struggling to hire enough qualified security experts. The hiring gap is a daily reality, one felt by customers everywhere. While many companies are recruiting new college grads, training them to be security analysts and paying them more than $200,000, it will take time for them to develop the hands-on expertise that is required to anticipate and manage ongoing security threats. Too often, these grads move on to a new position as soon as they are trained, so we need to find ways to improve retention while growing the skill sets of these young professionals.
Less effective security solutions and a lack of experts have put tremendous pressure on chief information security officers (CISOs). As an industry, we need to address these critical issues. In 2016, we will see increase focus on machine learning and data science, which promises to help mitigate more attacks with fewer human experts.
- Shortage of qualified security professionals
- Continuing decay of legacy security technologies
- As more products understand and evolve with new attacks, data science-driven security will become more common
- Protection at the endpoint, even when the endpoint isn’t owned, will increase in importance
- Identity management continues to grow in importance in the cloud
Prediction: Hackers Will Have Plenty to Take Advantage Of
In 2016, the trend towards cloud-based security services will enable a shift towards true integration, delivering complete visibility across the organisation’s security position – something not possible with today’s fragmented approach. Cloud-based security services will also enable a transformation from an alert-centric to a truly intelligence-centric approach to security. CISOs will continue to demand best of breed solutions and a move towards open APIs and integration frameworks will enable this to be achieved without critical visibility compromises.
Between the ongoing lack of security covering today's POS devices coupled with the confusion over terminals for the new EMV cards, hackers will have plenty of confusion to take advantage of.
Devices that come and go off the network coupled with BYOD will continue to confound security managers who want to provide security to these challenging groups but lack the proper tools to do so effectively. This leaves the choice of over-restricting access or reducing user functionality. With the transition to EMV card chips, hackers will shift away from physical credit cards, to online fraud. 2016 will also see a dramatic increase in phishing emails targeting login credentials and fraudulent ecommerce purchases.
We are shocked at the amount of Ransomware attacks where the victim actually pays. If there's money in it, we can expect more variants of the viruses that are harder to detect or can travel.
- Cloud-based security services will enable a shift towards true integration in security positions
- More POS device breaches.
- Devices that come and go off the network coupled with BYOD will continue to confound security managers.
- Ransomware will continue to evolve and become increasingly complicated.
- Companies of all sizes, not just large firms, will have to deal with breaches and lost data.
Prediction: The Ghosts of Internet past Will Come Back to Haunt In 2016.
The increase in non-traditional payment methods on mobile devices or via beacons and smartcards will open up the doors for a new wave of retail data breaches. Yet insurance companies will refuse to pay for breaches caused by ineffective security practices, while premiums and payouts will become more aligned with underlying security postures and better models of the cost of an actual breach. Further, to some extent, insurance companies will greatly affect security programs, as requirements for insurance become as significant as many regulatory requirements such as PCI, HIPAA, and SO 27001).
As of November 2015, the number of Generic Top Level Domains (gTLDs) exceeded 700 domains, and about 1,900 more are in the waiting list. As new top-line domains emerge, they will be rapidly colonized by attackers well before legitimate users. Taking advantage of domain confusion, criminals and nation-state attackers will create highly effective social engineering lures to steer unsuspecting users toward malware and data theft.
Like barnacles on a boat, the cost of security maintenance will begin to grow and create massive problems with the internet and security practices. A significant number of the Alexa 1000 are not up-to-date on certificates. Additional problems include: old and broken JavaScript versions that invite compromise; rapid OS updates and new trends in software end-of-life processes that cause havoc and new applications built on recycled code with old vulnerabilities (think Heartbleed and POODLE).
- Hacks Targeting Mobile Devices and New Payment Methodologies will Impact Payment Security More Than EMV
- The Cyber Insurance Market Will Dramatically Disrupt the Way the Security Industry Operates
- New gTLDs will be used in Active Spam and Other Malicious Campaign
- Forgotten and Ongoing Maintenance Will Become a Major Problem for Defenders
- The US Elections Will Drive Significant Themed Attacks
Prediction: Science Fiction Cyber-Threats Become Reality
I see cyber-attacks increasing significantly on two fronts in 2016: the first is the Internet of Things. As more and more machines become connected, we can expect an equivalent increase in cyber-attacks from governments, hacktivists and cyber terrorists all over the world. It’s just too tempting a target to ignore.
The second front is obvious: the financial sector. Of course banks will remain a key target for criminals, because that’s where the money is! With consumers increasingly conducting their banking activities online and via mobile device, they are leaving themselves and their banks very susceptible to cyber criminals.
When banks began investing in multi-disciplinary data scientist teams years ago, they didn’t realize that these experts would end up spending countless hours sifting through huge amounts of data in search of anomalies. But with legacy antivirus and malware detection systems averaging 95% false positive rates, this is exactly what is happening. The result is detection fatigue, which leads to nightmares like the infamous Target breach of 2013. Until more companies are comfortable implementing machine learning for their big data analysis, this problem will continue.
Banks will also be subject to increased loan fraud as they attempt to speed up their loan approval processes to compete with the new spate of online lenders.
- We Have Seen Hacked Cars And Airplanes; Expect More In 2016
- Simplified Bank Robbery
- Detection Fatigue
- Increased Loan Fraud
- Increasingly Active Regulation
Prediction: Classic Concept of the Perimeter Doesn’t Exist Anymore
Our traditional ideas of what a mobile or desktop device have to change – tablets come with keyboards now, and PCs can be carried around on USB sticks. With Windows 10, there are “universal” apps which work across mobile, tablet and PC.
This means security architecture needs to adapt as well: Open ports for web services, VPNs, company Wi-Fi. The ‘perimeter’ has lots of holes and tunnels. Enterprises need to build micro-perimeters which protect individual apps and data stores.
Simply having security equipment or products is no guarantee of safety, those technical solutions need to actually reduce risk. Organisations need to shift their thinking to focus on risk reduction rather than implementation
The password is possibly the single largest security problem on the Internet today. They’re often weak, regularly reused, and if someone accesses your email, they can trigger all manner of password resets. In the future, we foresee a world where everyone uses their smartphone as a multi-factor authentication element
We won’t see mainstream attacks on the App Store, but we will continue to see clever attacks like last year’s XcodeGhost. But we believe we will see more enterprise-targeted iOS attacks, conducted via a combination of malicious apps, exploitation of vulnerabilities in legitimate apps, operating system exploitation, and end-user social engineering.
- Operating Systems and Form Factors Will Converge, Blurring Lines between Pc/Mobile Device
- The Enterprise Network Perimeter Is Going To Die And Be Reborn
- Cybersecurity Effectiveness Will Be Measured By Risk Reduction Not Technology Deployment
- Your Phone Will Become More Important Than Your Password
- Enterprise-Targeted iOS Attacks Will Emerge
Prediction: C-Suite Begins to Really Get Security in 2016
Traditionally, IT security experts have focused on the particular verticals or markets that are naturally security conscious. But with high-profile attacks this year, for example TalkTalk, I expect in 2016 to see cyber security become much more of a priority for all sectors — and not just financial services, retail or healthcare.
We’re also seeing more companies rebalance their IT security. Preventing attacks is only part of the problem, and companies are beginning to focus more on sophisticated detection and response as well. I would expect in 2016 that more than 80–85% of companies will have an insider threat program in place — and those that don’t will be playing with fire.
2016 will see organizations focus more on protecting users from being exploited by hackers — for example through social engineering to gain access to login credentials — rather than organizations blaming their users. Through technology, education and processes, organizations will guide users towards good behavior.
2016 will also see more and more C-level executives wake up to the fact that IT security can help close business deals, build trust with customers, remain competitive and improve relations with partners and the supply chain. User access to data and networks will tighten in 2016 — shifting from simple password access to login credentials that incorporate context-aware rules like location, time, device and security posture. In addition, attributes associated with the user will vary dynamically over time (adaptive access control) — rather than remain just static entitlements.
- IT security will cease to be primarily a vertical-specific problem
- Insider threat will move up the IT security priority list
- Businesses will shift towards “user-centric” security
- C-suite will begin to understand the broader business benefits to IT security
- Unknown access to data and networks will phase out
Prediction: Multi-Factor Authentication By Default
- Passwords
- Ransoware
- Trojans
- Malvertising
- The Insider Threat