Last week, I spent an evening at my local BCS branch meeting, where Scott Bullock (Cloud Trust Officer at Forcepoint Cloud) was presenting Forcepoint’s 2017 Security Predictions.
For those who aren’t familiar with Forcepoint, they were formed from a combination of Websense, Raytheon Cyber Products and Stonesoft. Most of us have heard of Websense (and maybe Raytheon) but it seems Forcepoint have a suite of email, web and data protection products. They cite metrics like 27 globally distributed data centres, 5 billion web transactions a day, and 400 million emails processed per day. Those numbers may be a fraction of those processed by Microsoft (it would be interesting to compare with Symantec) but they are still significant.
What follows are my notes from Scott’s talk. My observations are in square brackets [].
A look back at 2016
Before looking at the 2017 predictions, Scott took a look at last year’s score card:
- US Elections will drive significant themed attacks – A+
- Mobile wallets and new payment technologies introduce increased fraud risks – C
- New GTLD domains provide new opportunities for attackers – B
  - These are mostly spelling errors on recognised sites – for example rnarkwilson.name instead of markwilson.name. With the number of GTLDs in existence now, it’s harder than ever for companies to register all of the domains associated with their brands/trademarks.
- Cyber insurers will require more evidence for coverage – B+
  - It’s no longer good enough to forget about implementing security measures and rely on insurance.
- DLP adoption will dramatically increase – B
  - Data loss prevention is coming back into favour [I’m not sure it ever went away…]
- Forgotten technology will increase risks to organisations – B
  - [Technical debt is never good]
- IoT will help but also hurt more – B
  - Worm took over DVR and DoS…
- Social views of privacy will evolve – great impact to defenders – B
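The look-alike domain point in the GTLD item above (rnarkwilson.name posing as markwilson.name, and the same brand name registered under other TLDs) can be turned into a simple brand-monitoring check. This is an added example, not part of the talk or of any Forcepoint product; the confusable pairs, the sample domains and the function names are all assumptions made for illustration.

```python
# Constructed example: brand-monitoring check for look-alike domains.
# Assumes each input is a registrable domain ("label.suffix"), no subdomains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def skeleton(label):
    """Collapse common look-alike character sequences to one canonical form."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Distance counting insert, delete, substitute and adjacent-swap as 1 each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, brand):
    """Return 'exact', 'tld-swap', 'confusable', 'typo' or None."""
    c_label, _, c_tld = candidate.lower().rstrip(".").partition(".")
    b_label, _, b_tld = brand.lower().rstrip(".").partition(".")
    if c_label == b_label:
        return "exact" if c_tld == b_tld else "tld-swap"
    if skeleton(c_label) == skeleton(b_label):
        return "confusable"  # e.g. "rn" rendered to look like "m"
    if edit_distance(c_label, b_label) <= 1:
        return "typo"        # one slip of the keyboard away from the brand
    return None

def scan(observed, brand):
    """Map each suspicious domain to its verdict, skipping clean and exact ones."""
    verdicts = ((d, classify(d, brand)) for d in observed)
    return {d: v for d, v in verdicts if v not in (None, "exact")}

BRAND = "markwilson.name"
# Constructed sample, e.g. names seen in new-registration feeds or proxy logs.
SAMPLE = ["markwilson.name", "rnarkwilson.name", "markwi1son.name",
          "markwislon.name", "markwilson.example", "unrelated.example"]

if __name__ == "__main__":
    for domain, verdict in scan(SAMPLE, BRAND).items():
        print(f"{domain}: {verdict}")
```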
Forcepoint give themselves a B+ overall… and you can read what you like into whether that means the predictions are worth taking note of (Matt Ballantine has some comments on that in his WB40 podcast with Chris Weston where he discusses Foxes and Hedgehogs). Nevertheless, let’s see what they are predicting for this year…
So what’s in store for 2017?
- The digital battlefield is the new cold (or hot?) war
  - Enhanced NATO policy on collective defence (Article 5 – if one nation is attacked, then members will work together) could lead to military responses to cyber attack
  - The potential and consequences of misattribution could lead to destabilization of the policy.
  - Essentially, cyber warfare could have physical impacts. [Worrying]
- Millennials in the machine
  - The digital generation know how to mix business and pleasure – millennials bring an understanding of the digital realm into the workplace.
  - Millennials are used to over-sharing information. [So they are also used to the consequences.]
  - The potential for accidental data leakage has risen (e.g. take a picture of a whiteboard at work and it’s automatically uploaded to iCloud)
  - [I’m calling BS on this one – if indeed there is any difference in the ways that each generation uses tech – which I doubt – then it’s more likely that there is a bigger issue with Generation X and Baby Boomers not being as cyber-savvy as millennials.]
- Compliance and Data protection convergence
  - EU GDPR is around the corner and will come into place in May 2018
  - Businesses will redefine their organisational processes to accommodate new controls
  - The onset of new data protection controls will incur costs for businesses and that impact will be most felt by large enterprises that have not yet begun to prepare:
    - Companies need to appoint a Data Protection Officer
    - Fines can be 4% of global annual turnover…
    - Will apply on top of DPA (enforced by Data Protection Office)
- Rise of the corporate-incentivised insider threat
  - Corporate abuse of PII will increase; business goals will drive poor decisions resulting in bad behavior
  - Corporate-incentivized insider abuse of customer PII – is it just too tempting?
  - Regulations will further restrict corporate and personal access to digital information
- Technology convergence and security consolidation 4.0
  - Mergers and acquisitions change the security vendor space
  - Cybersecurity corporations are buying up smaller vendors
  - Vendors that are not consumed or do not receive venture capital funding will exit the market
  - Products will stagnate or be orphaned as a result of mergers and acquisitions
  - Adjustments in employee base will benefit the cyber security skills shortage
  - [Whilst I can see the convergence taking place in the security sector, I have to take this prediction with a massive pinch of salt, bearing in mind its source!]
- The cloud as an expanding attack vector
  - Cloud infrastructure provides an ever-expanding attack vector with possibilities for hacking the hypervisor
  - [I’d suggest this is more of an issue for so-called “private clouds” as the major players – Amazon, Microsoft, Google cannot afford a breach and are investing heavily in security – Microsoft spends over $1bn annually on security-related R&D and acquisitions]
  - Organisations will combine on premises and cloud infrastructure – a hybrid approach
  - [Yes, but this is for much broader reasons than security]
  - DOS of cloud providers will increase so ask what anti-DDoS protection they have and check that you have the right to audit…
  - [Isn’t that just due diligence?]
- Voice-first platforms and command sharing
  - Voice-first AI and command sharing bring a new level of convergence
  - Voice activated AI will radically change our interactions with technology
  - AI will be able to distinguish between individuals and their patterns of behaviour
  - For example it will know when you’re at home, tech in house, when to burgle you!
  - AI will influence our normal or default settings
  - The number of voice-activated apps will rise significantly in 2017 – and so will attacks
  - [I already mute Alexa in my home office when I’m working – do you really want your conversations being overheard and used for analysis?]
- AI and the rise of autonomous machine hacking
  - The rise of the criminal machines
  - Automated hacking machines vs. AI cyber defence machines
  - Widespread weaponisation of autonomous hacking machines will occur in 2017
  - State actors could use such systems to overwhelm rival national cyber defences
- Ransomware escalation
  - Ransomware is here to stay
  - [Just look at last week’s attack on a hotel in Austria where the guest rooms were locked until a ransom was paid]
  - Data will be held to ransom, and traded
  - Ransomware will morph to gain data exfiltration capabilities
  - Taken to another network and sold to others… pay multiple times…
- Abandonware vulnerability
  - Legacy tools leave holes in your defences
  - [This is not new. We call it technical debt!]
  - End-of-life abandoned software will lead to data breaches
  - Lapsed domains are bought up and used to inject code into software that phones home for updates
  - Systems are not patched
  - Businesses will start to consider the perils of abandonware
  - [And some will continue to ignore it, at their peril!]
In conclusion
Security challenges arise from the convergence of the digital and physical worlds and treating each world as insulated is an obsolete view.