As more and more devices become connected to the public Internet, in a Cloud or in isolation, the attack surface and the opportunity for criminals become huge. We think it is vitally important that our customers understand the value of what they have, not necessarily to them, but to the people who can use and sell it.
We urge you all to think about the threat, identify the value in what you have and protect it appropriately.
Here are some of our thoughts:
Yet more data breaches
2015 will be shown to be the tip of the iceberg! Organisations that store customer data and don’t understand its value to The Mob will be eviscerated. The new European Data Protection Regulation is still in development, not to be implemented until 2017, so other than the reputational risk (you would think that would be enough, wouldn’t you, TalkTalk?), there is nothing to punish the guilty and sloppy.
Organisations with poor controls, unpatched infrastructure and unencrypted data will be breached.
More connections, more opportunity
As more devices are connected, including cars, trucks and trains (what could possibly go wrong?), increasingly sophisticated attacks will be developed to breach them and to use them to breach other connected devices over the secure control channels that they use.
It was interesting to see NVIDIA’s announcement early this year of a water-cooled supercomputer on a board called the Drive PX 2, capable of 25 trillion operations per second (you read that right) and designed to handle the complexities of driving cars automatically in a multitude of unpredictable situations using ‘deep learning’ and neural networks.
The automation arms race will have to be supported by effective security strategies from day one, which we all know is very unlikely to happen.
2015 saw a massive rise in exploits against mobile devices – you will recall the sneaky version of Apple’s Xcode (XcodeGhost), complete with factory-fitted malware. Well, expect more of the same, and worse.
The target will be absolutely anything stored on the device that offers even the minutest value to the perpetrators and their associates. This is a numbers game and with more mobile devices than inhabitants of the planet, the numbers are big and interesting to the villains.
It won’t matter whether you have Android or iOS: the big guns are out to get them, and weaponisation of mobile threats is imminent.
The Markets in Financial Instruments Directive (MiFID II) regulation has been delayed from January 2017 until 2018 or possibly beyond (it was agreed in 2014, welcome to Brussels). Until then, the current regulations around trading will remain as they are. Whilst this gives the technology folks more time to develop solutions to the onerous demands of MiFID II, it leaves the markets vulnerable to manipulation.
We predict that data breaches (such as the breaches of market newswire data in the USA last year) will be used to manipulate markets. If anybody gets caught, that is a different matter.
ITC is reviewing the technologies being developed to support MiFID II and will be ready to hit the ground running if the starter gun ever goes off!
One thing we can guarantee is that you will get bored of us warning you about Clouds being breached. As organisations exploit the convenience of clouds and move from proof of concept to production without the intervening security architecture and without good practice guides and controls, we will see more Cloud breaches and Cloud infrastructure being used as a way in.
Those meddling security architects just held you up unnecessarily anyway, didn’t they?
ITC has developed, and will continue to update, best practice guides for the major cloud vendors (AWS and Azure currently) and is well positioned to help you bypass the storm.
Ransomware will not go away
In fact, it will get more evasive, nastier and more prevalent. 2015 saw the bad guys becoming wise guys: rather than demanding unfeasibly large ransoms, they started demanding more reasonable amounts – from MORE people.
This will hit you, your parents, your grandparents and, increasingly, small to medium-sized businesses, which already had a tricky 2015. Let’s hope that best practice security and security awareness can be implemented before rather than after the event.
Another year of the Phish
The momentum behind really sophisticated Phishing attacks will continue to grow. We are now so far from the days of ‘send me yo bank account details and I will wire you the monies’.
Phishing and the more targeted so-called ‘Spear’ Phishing will continue to be the primary vector for infection across the board. As more sophisticated automated defences are developed, so the attacks will evolve and continuous user awareness will become an imperative.
Microsoft will fix everything
Microsoft will release a new version of Windows, built from the ground up, with no legacy leaky libraries on April the first.
** Today’s announcement about a piece of malware draining Japanese bank accounts, which is capable of intercepting authorisation codes sent to smartphones, has started the ball rolling for 2016.