Just like those running legitimate businesses, hackers and cyber-criminals alike will be making New Year’s resolutions to improve their efficiency and hone their techniques to get a bigger impact for their efforts, according to cyber-security experts.
Expect 2014 to be a year where we see less malware overall, but more potent and effectively crafted malware that targets individuals with pinpoint accuracy. Cyber-criminals will continue to glean personal information from social networks, be willing to hold your data ransom for a price or destroy it, and be rushing to exploit unpatched and outdated software flooding the business market, Websense Inc. says in its 2014 Security Predictions Report. Other security experts agree with the likely threats that businesses should be ready for in the year ahead.
Businesses have to progress past the early 2000s security mantra of creating a hardened perimeter, counting on limited access to ensure a secure environment, says Nick Galletto, a partner with Deloitte Enterprise Risk Services. Hackers are learning to be patient, pick their moments, and steal the credentials of employees to access those secured environments.
“You may have very strong passwords, but if people are willing to give those up, it’s not very good protection,” he says.
1. The overall volume of malware will decrease
While at first glance the big decrease in malware volume that Websense is seeing through its ThreatSeeker Intelligence Cloud looks like a good thing, cyber-criminals are doing it intentionally. Hackers have figured out that high volumes of malware run a higher risk of detection and are instead using lower-volume, more targeted attacks to evade defenses at businesses.
Think of it as trading a shotgun for a sniper rifle, says Jeff Debrosse, Websense director of security research. The bad guys are going from a widespread blast to crosshairs targeting. “If someone is shooting randomly, they’re spending a lot on bullets. In this case they’re making each one count.”
Galletto says organizations must track the latest methods of attack, as well as the latest malware code being used to succeed at attacks. More than half of the types of breaches seen today by Deloitte are spear phishing exercises, using tactics like a well-crafted e-mail message to fool someone into giving away a password or becoming infected. “People are the weakest link and the easiest to target,” he says.
2. There will be a major data destruction attack
It is common for hackers to try and get data out from behind an organization’s firewall that has some value – perhaps financial credentials or proprietary IP – and sell it on the black market. But now hackers are also finding ways to profit simply by destroying data. A method using ransomware sees data encrypted by a hacker so its owner can no longer access it. A password will unlock the data, but a ransom must be paid to the hacker to get that code. If the fee isn’t paid, the data is deleted.
“Once someone is exposed to an attack like this, remediation is very difficult,” Debrosse says. “Typically they either pay or they lose their data.”
3. Hackers will target cloud data
With more organizations storing data in the cloud, with providers like Amazon EC2, for example, hackers will turn their attention to cloud providers as a way to get at data. Hackers simply follow the trail of where critical data is being stored, and in some cases they may find that cloud providers are easier to exploit than the enterprises using them.
Make sure your cloud provider includes good security practices as part of its agreement with your company, Debrosse advises. “It’s not across the board that every company that hosts your data is also going to provide you with encryption mechanisms.”
But organizations must also be diligent to make sure their own environments aren’t breached, Galletto says. Practice proactive threat management combined with an incident response plan on how to deal with a network breach once it occurs.
“It’s not if, it’s when something will happen,” he warns.
4. The race is on in the exploit kit market
Hacking is such a commonplace activity now that some cyber-criminals try to make money by packaging together known exploits that exist in software and selling them off in kits to other hackers. That way a hacker that’s looking to get a piece of malware onto a system can just use this pre-cooked solution instead of finding their own exploits to target. A typical kit will contain hundreds or thousands of different exploits that can be targeted.
Blackhole is arguably the most successful exploit kit in history. But this year its author, known as Paunch, was arrested in Russia and the kit was shut down. Now hackers are in a race to replace it as the dominant exploit kit on the market. Neutrino and Redkit are just a couple of alternatives that could fill the void.
“We’re keeping a very keen eye on this to see who becomes the larger player in this space,” Debrosse says.
5. Unpatched Java software will pose a major risk
Anyone who has Java installed is familiar with how often it asks to be updated. It’s especially a problem for those working under an organization’s IT structure that only pushes out patches on a regimented schedule. But it’s not the only piece of aging software that could potentially be targeted by hackers as a vulnerability.
“You still occasionally see Windows NT servers. That exists today,” Galletto says. Windows XP will also see its end of support date come up April 8, 2014, meaning many existing business users will be open to any security flaws discovered and unpatched. “Many organizations don’t have it on their product refresh lifecycle for next year,” he says.
Organizations may shudder at the costs of updating all that software, Debrosse says, but consider the costs of the risk being taken by not updating it.
6. Hackers will turn to professional social networks
LinkedIn and other professional networks may become popular with hackers who create fake accounts with the intent of getting closer to corporate executives, Websense says. It’s a piece of cake to create a profile, fill it out with keyword-laden, fake information and start connecting with other users.
“It’s interesting to see how successful those efforts are because people can be very quickly and easily manipulated,” Debrosse says. Some successful methods seen in the field involve posing as a recruiter that is offering high compensation jobs.
It’s a good reason that companies should start monitoring social feeds for discussions about their company, Galletto says. It could reveal that employees are giving up too much information, or communicating with sketchy accounts.
“Social engineering will probably continue to be one of the more aggressively pursued attacks,” he says.
7. You are the weakest link? You’re hacked.
If hackers can’t penetrate the security defenses of a well-prepared company, they will look at who that company does business with and try to break into the network chain there. Outside consultants, contractors, vendors, and anyone who shares information with large corporations or government may be a potential pathway into a secured network.
“Some small contractors could be a one person team,” Debrosse says. “Infiltrating that network gives you a stepping stone into a larger one.”
To guard against attacks coming through a third party, Galletto says a company must monitor who it is communicating with and whether those sources are legitimate. This is a practice that should be embedded in ongoing risk assessments.
8. Mistakes made in ‘offensive security’
Perhaps not many have actively tried this yet, but more companies are considering a model of offensive security, Websense says. If an attack source is identified, then efforts are made to attack that source and bring it down to cease the attack. Governments in particular have threatened retaliatory strikes against anyone targeting them.
The risk lies in a case of mistaken identity. Often hackers are clever about covering their tracks and routing attacks through other points on the grid. If a company were to take down a router that another firm relies upon, it could be breaking the law.