Top 10 Predictions for 2016: Read It, This Is A Good One



crystalball.jpgAt the end of the year I spend a few days reading all the IT security pundit's 2016 predictions and synthesize them with my own perspective. The Crystal Ball issue is the shortest of the year and takes the longest to write, but it's fun.

Most people in this industry are very smart, and sometimes their predictions are outright hilarious. Here is one: "Toaster DDoS Attack On Coffee Maker Ruins Morning". Those short 9 words describe a whole world of Internet of Things vulnerabilities in a very funny headline.

As usual, I'm donning my asbestos undies, so you can safely flame my poor behind after reading the new 2016 predictions. And again, we go gazing in the crystal for the coming 12 months, but remember, the future ain't what it used to be. It's already here, but unevenly distributed. Good riddance of terrible 2015 which was the year of the data breach.

Unfortunately in most respects, 2016 won’t change much: users will still click on malicious links and open infected attachments. IT will still have trouble with patching. The bad guys will still attack and bad news from data breaches will continue. Cyberattacks will become increasingly destructive. What matters most is whether your organization will be a victim or not. Of course you could do nothing, and be lucky. But the only way to control your fate is make your organization a hard target based on a top-down, security-first culture.

To start off, also as usual, I'm repeating the tradition of my same New Year's Wish as a newsletter editor since 1996: "A world without war, crime and insanity, where honest people can flourish, prosper and reach greater heights".


 

Quotes of the Week:

"Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment." - Buddha

"The distinction between the past, present and future is only a stubbornly persistent illusion." - Albert Einstein

"I like the dreams of the future better than the history of the past." - Thomas Jefferson


Here are the Top 10 predictions for 2016 in alphabetical order

1) BOARD ROOM

Boards of directors will finally appreciate that information security risk management should be treated as an enterprise risk equivalent to financial, reputational, and legal risk. Too often board members see the light only after
a data breach. Having understood how security risk impacts the business, in 2016 they will make sure to change corporate culture into the direction of a good security risk management program. Next year will be a very important
year for cyberinsurance, boards are going to ask for this. PwC predicts that the cyber insurance market will triple in the next five years and this will force boards to take a long, hard look at the cost of their continued insecurity.

2) BUDGET SURVIVAL TIPS

The things that will get approval are projects designed to cut the cost of doing business. Smaller-scale IT security initiatives that have a quick ROI, e.g. new school security awareness training which combines training with simulated phishing attacks, will be popular with management and boards.

3) CEO FRAUD aka BUSINESS EMAIL COMPROMISE

Looking at the rapid uptrend of CEO Fraud over the past year, this will be the new scourge in 2016 following ransomware, hitting consumers, small and medium enterprise and large enterprise with competing cyber mafias specializing in verticals like financial institutions, healthcare and manufacturing.

4) INTEGRITY ATTACKS 

Think Stuxnet for the Financial Industry. The data breach attacks we have seen by the hundreds are loud and obvious. They expose data which causes embarrassment, inconvenience, and financial losses.  Integrity attacks are stealthy, selective, and can be much more devastating. Instead of doing damage or making off with vast amounts of sensitive data, they instead focus on carefully changing particular elements within transactions, communications, or data to gain a significant benefit.

In 2016, you will see an integrity attack in the financial sector in which millions of dollars will be stolen by cyber thieves who will modify selected data in the transaction stream, resulting in a significant redirection of payment to anonymized accounts. How they'll get in? Spear phishing.

5) INTERNET INFRASTRUCTURE

2016 is the year that passwords will start to disappear. Biometrics like voice and face recognition go mainstream and 2-factor tech like authentication code generators on mobile phones will spread exponentially. For your own
infrastructure, look at containers that host similar 2FA micro-services that you can integrate in your own apps. Nation-states will continue battling for the domination of Internet backbone and infrastructure components.

6) INTERNET OF THINGS

6.4 billion connected “things" will be in use globally by the end of 2016, but IoT standards related to security are a hodge-podge. There are literally hundreds of standards that potentially touch IoT and precious few that directly accommodate IoT. It's early days and there is no consensus. As long as vendors' #1 concern is "time to market" and not "security by design" you will see a flurry of attacks on IoT devices like Talking Barbie and others. Cutting edge criminal hackers will create the very first BoT - Botnet of Things. Don't leave any kind of Wi-Fi enabled devices or toys in the master bedroom!

7) MALICIOUS E-COMMERCE GOES SOCIAL

Many traditional social networking sites such as Pinterest, Facebook and Twitter will add “buy” buttons to their platforms in an effort to increase stickiness with their users and help monetize their user base. It's going to be heaven for cyber criminals who will social engineer themselves into millions.

8) MOBILE MALWARE

Mobile malware, specifically mobile banking Trojans, are on a trajectory to become much more prevalent for banks and financial institutions in 2016. There will be an increase in malware families that are gaining root access rights on users' devices. These attacks will pose a significant problem for many financial institutions, who have thus far mostly ignored the threats mobile devices pose. Commercial malware authors will continue to reinvest at ever greater rates, bringing them towards the "spending power" of nation-state activity. This includes purchasing zero days. The bad guys have lots of cash and they are smart investors.

9) RANSOMWARE
  • A ransomware crime wave will surge across America.
  • The use of Cryptowall 4.0 will explode, and Cryptowall V5.0 will add an actually working "feature" that TeslaCrypt only threatened with: extortion by potentially publishing private personal or business files on the Internet.
  • Cyber mafias will focus on professional services firms and local government using Cryptowall as their tool and extort tens of thousands of dollars from organizations that don't want their business disrupted or their intellectual property compromised.
  • Cryptowall will be the first strain of ransomware to hit the billion dollar in damages.
  • Ransomware is the new APT: "Annoying Persistent Threat", as it will be increasingly used in double payload attacks combined with other scams.
  • Ransomware attacks doubled in 2015 and will double again in 2016. The U.K. is to some extent a bell-weather for the U.S. as they function as a beta test site for Eastern European cyber mafias who can test malicious code in their own time zone. Well, over half (54%) of all malware targeting UK users in 2015 contained some form of ransomware. Buckle up.
  • Ransomware-as-a-service hosted on the TOR network and using Bitcoin for ransom payment enables a new generation of cybercrime newbies to make their mark.
  • A new sleeper ransomware variant will start to stealthily encrypt data, pull your critical files onto a C&C Server, and wait until a backup been made. At that point they will yank the encryption key and demand a much larger amount of ransom than the current 500 bucks.


10) SOCIAL ENGINEERING

IDG asked hundreds of high-level InfoSec pros the following question: "What will be the single biggest security threat of 2016?" The number one answer was: "people". With events like the presidential election drumming up a frenzy of social media activity in 2016, you can expect attackers to use the attention given to political campaigns, platforms
and candidates as an opportunity to tailor social engineering lures.

To quote Corey Nachreiner, CTO of WatchGuard: "The single biggest threat you’ll face in 2016 is your own people." Check out their video and recommendation. Could not have said it any better myself:
https://www.youtube.com/watch?v=4rJdYBcvxqs


WILD-ASS Guesses For 2016:

  • Disabled murder suspect claims his exoskeleton was hacked and he didn't do it.
  • In the next 12 months we will see a new cyber-insurance offering with the marketing slogan "for cybercrime by cybercrime". Bad guys need insurance too.
  • The iPhone 7 and 7 Plus which are expected in September will be delayed because of an NSA-compromised supply chain partner which enables Apple encryption to be hacked.
  • Microsoft's Cortana turns out to have been penetrated and it is social engineering users to give it credit card numbers and passing these off to criminals.
  • For a change, Tesla's Model 3 is on time and will cost 34,900 dollars for a 300-mile range electric vehicle. They will get hundreds of thousands of people ordering one and Tesla will be overwhomped.
  • In 2016 it will be found that both fantasy sport sites DraftKings and FanDuel were hacked in 2015 and have been penetrated for more than 9 months. All personal and credit card data is sold in the undergroun economy and will be used for highly personalized spear-phishing attacks.
  • A developer in India making 20K a year will build a zero-day vulnerability in the code of a mainstream U.S. app and share the 6-figure bug bounty with his pal who will claim it.
  • The combination iPhone and iWatch will be compromised and you are forced to use Apple's iPay to make the ransom payment. Or it will be the combo Android phone / Wear smartwatch. Don't think it can't happen. Most wearables which collect personal information lack even basic security features.
  • The 2015 car-hacking exploits were only the beginning. The attack surface of cars is ginormous and you will see this used by cybercrime in 2016 - paying a micro-ransom to get into you car is not too far off.
  • Ransomware gets bundled with worm-like malware to "brick" all the Windows endpoints and servers of a targeted organization. Cybercriminals will use this technique on a large scale, demanding millions in Bitcoins from their victims and may even offer innovative payment terms with protection terms.
  • Either the NSA, Google or China will have a breakthrough in Quantum Computing which will make any kind of encryption useless. By the way this superpower race for a working quantum computer is as critical for cyber security as the race for atomic weapons in WWII.
  • A popular website will be breached for the sole purpose of a fully automated mass personalized extortion scheme - pay in Bitcoin or your highly personal, sensitive information will be sent to your family and friends.

FAVES:

John Cleese Picks the Most Gut-Busting Monty Python Sketches:
http://www.esquire.com/entertainment/tv/news/a40493/john-cleese-favorite-monty-python-sketches/

Every winter, a magical snowman puts on a show for a little girl. But over time, life pulls them apart. Will she remember to take the time for what she loved?
http://www.flixxy.com/lily-and-the-snowman.htm?utm_source=4

James Corden amazes the The Late Late Show live audience with a magic trick
by making a bottle inside a paper bag disappear:
http://www.flixxy.com/james-corden-performs-a-magic-trick-at-the-late-late-show.htm?utm_source=4

Tesla Celebrates a Merry Model X-Mas by Syncing the Lights and Doors of Three of Their Cars to Christmas Music:
https://youtu.be/JkT2fozqPjc

LaFerrari Review - Top Gear - Series 22 - BBC
https://www.youtube.com/watch?v=C_E3bSFi8lI

CGI gives us the first glimpse inside Porsche’s electric Mission E
http://arstechnica.com/cars/2015/12/cgi-gives-us-the-first-glimpse-inside-porsches-electric-mission-e/

Balls of steel: Driver calmly dodges TOW missile headed straight for his pick-up
https://www.rt.com/news/326732-car-avoid-missile-tow/


Sources:

- Over Half of UK Malicious Files were Ransomware in 2015:
http://www.infosecurity-magazine.com/news/over-half-uk-malicious-files/

- Tools used by Cyber-Criminals against Businesses in 2015:
http://www.informationsecuritybuzz.com/articles/tools-used-by-cyber-criminals-against-businesses-in-2015/

- What will be the single biggest security threat of 2016?:
http://www.idgconnect.com/abstract/10693/what-single-biggest-security-threat-2016

- Over Half of Firms Report Spike in Whaling Attacks:
http://www.infosecurity-magazine.com/news/over-half-firms-report-spike/

- Insight: The face of cybercrime in 2016
http://www.idgconnect.com/blog-abstract/10704/insight-the-cybercrime-2016

- 6 Technology Predictions for 2016:
http://www.informationsecuritybuzz.com/articles/6-technology-predictions-for-2016/

- Most anticipated tech of 2016:
http://www.cnet.com/pictures/most-anticipated-tech-of-2016/

- What security pros want for the new year
http://www.csoonline.com/article/3014060/security/what-security-pros-want-for-the-new-year.html?

- Prediction: 2016 to Ratchet Up IoT Vulnerabilities, Ransomware:
http://www.scmagazine.com/prediction-2016-to-ratchet-up-iot-vulnerabilities-ransomware/article/461608/

- TechNewsWorld Fantasy Sports Sites Will Be Hacked:
http://www.technewsworld.com/edpick/82876.html

- CyberSecurity Predictions for 2016:
http://www.informationsecuritybuzz.com/articles/cybersecurity-predictions-for-2016/

- Hot Hacker Targets in 2016: Fantasy Sports, Professional Services:
http://www.technewsworld.com/edpick/82876.html

- McAfee 2016 report:
http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

- Network World - a few cybersecurity predictions for 2016
http://www.networkworld.com/article/3015442/security/a-few-cybersecurity-predictions-for-2016.html

- Health Data Management:
http://www.healthdatamanagement.com/news/five-cyber-security-predictions-for-2016-51633-1.html

- Forbes Cybersecurity Predictions 2016:
http://www.forbes.com/sites/forbestechcouncil/2015/12/10/cybersecurity-predictions-2016-choosing-leadership-over-luck/

- Inc. Magazine Cybersecurity Predictions for 2016 - The Experts Speak:
http://www.inc.com/joseph-steinberg/cybersecurity-predictions-for-2016-the-experts-speak.html

- A Few Cybersecurity Predictions for 2016:
http://www.networkworld.com/article/3015442/security/a-few-cybersecurity-predictions-for-2016.html

- 10 Data Security Trends That Will Impact You In 2016
http://www.information-management.com/news/security/10-data-security-trends-that-will-impact-you-in-2016-10027899-1.html

- Top 15 security predictions for 2016
http://www.csoonline.com/article/3013060/security/top-15-security-predictions-for-2016.html?

- EMEA Predictions for 2016
http://www.informationsecuritybuzz.com/articles/predictions-for-2016/

- 5 Data Breach Predictions for 2016
http://www.legaltechnews.com/id=1202745514548/5-Data-Breach-Predictions-for-2016?cmp=share_email

- 5 Cyber Security Predictions for 2016
http://www.informationsecuritybuzz.com/articles/5-cyber-security-predictions-for-2016/

- Expect Phishers to Up Their Game in 2016
http://krebsonsecurity.com/2015/12/expect-phishers-to-up-their-game-in-2016/

- 10 Cybersecurity Predictions For 2016
http://www.cxotoday.com/story/10-cybersecurity-predictions-for-2016/


Topics: IT Security



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews