InfoSec Professionals Reveal the Top Information Security Concerns for 2018 & Beyond
30 infosec pros discuss the top information security concerns for 2018 and beyond.
Information security professionals must stay up to date on the latest threats and concerns facing the industry to prevent security breaches and rapidly mitigate threats. From increasingly sophisticated ransomware techniques to the human element risks that exist for organizations today, there is a broad landscape of potential concerns infosec pros should be thinking about as 2017 draws to a close.
To gain some insight into the most pressing infosec concerns companies should be considering for 2018 and beyond, we reached out to a panel of security experts and asked them to weigh in on this question:
"What are the top infosec concerns for 2018 and beyond?"
Meet Our Panel of Security Professionals:
Find out what our experts had to say about the top infosec concerns for 2018 (and beyond) by reading their responses below.
Andy is a Special Project Lead at Mosaic451, a managed services provider that focuses on maintaining and protecting critical IT systems. Andy has built and managed multiple security programs for numerous large and small organizations throughout his 10-year career. He uses lean and agile methodologies to create demonstrable value within complex infrastructure and security programs.
"Here are our predictions for the threats we’ll see in 2018 along with ways that you can prepare today..."
Unintentional Insider Threats
Users are still users. The result of our humanity is that we all make mistakes. To combat this, we have started leveraging technology to help us make less mistakes. As we consider phishing attacks along with unsafe browsing habits, technology cannot prevent every mistake we might make.
Another rising trend is the evolution from “bring your own device” to “bring your own identity”. Cell phones that support both personal and professional lives are a perfect working example of this. A compromise to one side will likely impact the other. In the past, CISO’s and other executive leaders could draw a boundary for endpoint devices. Today, this approach will need to be rebuilt because a person’s digital identity cannot be easily segmented.
- Ensure you’ve defined your organizational policies to include restrictions for the use of personal data and identity on organizational devices.
- Create different and longer passwords for each service you use.
- Use protective controls for email and web proxies.
- Leverage software defined network segmentation to restrict untrusted devices from accessing trusted zones.
Denial of Availability
Ransomware has evolved multiple times in 2017 with the popularized “WannaCry” variant. Ransomware in 2018 will continue to evolve due its continued profitability by malicious actors.
However, being impacted by Distributed Denial of Service (DDOS) attacks in the form of the Mirai-Dyn attack was something we didn’t expect. While botnets aren’t new, the size of this botnet was able to significantly degrade services or create outages for web services. Newer botnets like Reaper could be just as impactful or more for organizations that heavily rely on SaaS and cloud services.
- Continue to backup your shared information stores to prevent a loss of critical information. Additionally, periodically test your backups to ensure you can restore from them if needed.
- As a protective control, make sure critical security patches are installed.
- Heuristic endpoint protection controls should be used as a reactive control.
- Use DDOS protection technologies and web-page load balancers to help maintain your availability during targeted attacks. This can help hold the tide while you contact your ISP to block the attacks further up the path.
- Test your incident response plans to help prepare all of your operational teams quickly address incidents that affect your availability.
Wire fraud is expected to continue because of the large payoff for a malicious actor if they are successful. Malicious actors spend a lot of time silently searching for potential attack vectors they can use. These attack vectors are unique to every organization but many of them do start will a hurried fraudulent email from your CEO asking you to send out a wire transfer.
The Equifax breach may potentially open up more tax fraud cases due to the large amount of Personally Identifiable Information (PII) that was breached. Tax Return Fraud is hard to detect until after you try to submit your own tax returns and receive a letter from the IRS indicating the problem.
- Do Periodic Security Awareness Training for all users along with enhanced targeted training for financial approvers.
- Use baseline email monitoring for financial approvers to monitor for abnormal wire transfer requests.
- Use SWIFT or FEDLine two-factor authentication controls to ensure wire transfers cannot be fraudulently performed.
While the Equifax breach was significant breach, it will not be the last breach we see. Organizations are not purposely negligent or have a desire to disrespect the sensitive information they use to run their business. The problem is that there are so many points in an organization where hidden gaps can exist. Two common examples that we see today are poor application code or design and misconfigured cloud environments. During the post-breach retrospective events, the gaps are often not complicated and point back to basic technical controls.
- Integrate application security practices into your DevOps processes
- Perform continuous vulnerability scanning to help identify gaps in your patching and configuration programs.
- Leverage PenTests to simulate how a malicious actor could get into your network along with what sensitive data they are able to find
- Use cloud technologies like CloudChecker to help identify configuration issues with your cloud environments.
Rise of Virtual Fake Personas
Identity theft will likely continue to rise as more of our PII and Personal Health Information (PHI) is breached. Sadly, the new reality that many people face is that they’re now desensitized by all the breaches, which because we cannot regain our privacy, might mean they might become careless about protecting it even further.
Internet of Things (IOT) devices are beginning to saturate corporate organizations as well as consumers. These devices seek to automate and simplify our lives; however, they are often neglected when it comes to administratively maintaining them. While a vendor may recommend applying new firmware updates, they are not applied unless the device starts misbehaving and someone applies the update to troubleshoot the issue.
The last type of threat is the prevalence of fake or phantom social media accounts that are used to push a political or organizational agenda. These types of “marketing” campaigns are expansive and there are currently no systems to separate real user opinions from paid responders. While Reddit is the most common example, this type of behavior is also seen on Amazon product reviews as well. Amazon has updated its policies to combat this but the fight for authenticity of online reputation and opinion is long from over.
- Freeze your credit and utilize free credit monitoring
- Track IOT devices in your asset inventory and regularly check each IOT for firmware updates
Paul Love is the Chief Information Security Officer at CO-OP Financial Services, a provider of payments and financial technology to credit unions. Love brings more than 25 years in risk management, financial services and technology experience to CO-OP, including his most recent role as Senior Director of Governance, Risk and Compliance at Freddie Mac. Previously, he has held other information security positions with Ernst & Young and Ally Financial, and has banking industry experience as Assistant Vice President of Security Operations for Fifth Third Bank.
"The biggest issue, hands-down, is distraction, which exacerbates the ongoing problem of the shortage of security professionals...."
With so many shiny new “toys” on the market, security teams can get distracted from deploying the basics of information security. They are inundated with disparate tools that address trendy, of-the-moment threats. Now, that's not to say some of these one-off solutions don't have a place. Many of them are incredibly well-built and do an outstanding job of protecting against the threat for which they were designed. But, what happens, especially for small and even mid-sized organizations is the security lead is pulled in too many directions. Complicating matters is most of these disparate tools and solutions are difficult to “plug in,” requiring a lot of work to integrate, to train staff, to execute strategy around. My advice to security teams, particularly those with limited resources, is to focus on the basics.
You can work on solving IoT (Internet of Things), ransomware, DDoS (Distributed Denial of Service) and other vulnerabilities, but don’t do so without also covering the fundamentals, and doing so on an ongoing basis. Make sure systems are patched and that you’re getting the necessary alerts from your vendors and associations to understand when and how those patches need to happen. Get your firm locked down with some rock-solid identity and access management systems, policies and procedures. Make sure passwords are changed on a regular basis. These are not the trendy, rock-star initiatives that will blow up your LinkedIn profile, but they are the ones that will keep your organization safest.
A veteran of cybersecurity, Paul Shomo currently serves as Sr. Technical Manager, 3rd Party Technologies of OpenText, a provider of Enterprise Information Management (EIM). Shomo joined OpenText through the acquisition of Guidance Software in 2017. Shomo has more than 15 years of experience as a software engineer working in security and forensics, networking, and storage, and several years managing strategic partnerships and advising on M&A activity.
"Last year’s DefCon saw new black hat tools employing machine learning and genetic algorithms to obfuscate malware and foil next-gen anti-virus solutions..."
In 2018 expect new AI based obfuscation tools to be released. Intelligence analysts are calling the battle of artificial cyber-intelligence a “Hyperwar.”
Perhaps the most deadly avenue for black hat AI, or machine learning, is in probing vulnerabilities. Imagine AI tools “fuzzing” applications or automating the finding of security weaknesses. Nefarious tools along these lines will be released in 2018 and escalate cyber warfare.
After traditional AV died, we spent years spotting anomalous activities to detect malware. In 2017 some bad actors started adjusting by abandoning “unique snowflake” malware. Instead they employed known commodity crimeware and even adware. Their rationale? Hide among the deluge of less threatening alerts and fall below InfoSec’s priorities. Expect this trend to continue in 2018.
In 2018, cyber operations will still be mostly used for information warfare and acquiring intelligence, for example, to manipulate the media narrative with irresistible information releases.
Joseph Carson is a cyber security professional and ethical hacker with more than 25 years' experience in enterprise security specializing in blockchain, endpoint security, network security, application security & virtualization, access controls and privileged account management. Joseph is a Certified Information Systems Security Professional (CISSP) and serves as Chief Security Scientist at Thycotic.
"Ransomware will evolve to cross platform and payments will be single click..."
Ransomware is going to be platform agnostic and can lock people out of any device or system. The financial payment for ransomware is going to evolve significantly so that it will be as easy as clicking once to pay the ransomware. It will target time sensitive systems and events, so watch out if you are taking part in the World Cup next year as cyber-crime will always be looking for major events to trick and take advantage of people wanting to get access to their favorite sport or concerts. RansomScare will also be the next threat which will become a life and death situation unless a ransom is paid.
John K. Adams
John K. Adams is the CEO at Waratek, a Dublin, Ireland-based application security company.
"2018 will be the year of virtual patching and the year that improving patch cycles for enterprise applications becomes a priority..."
The ability to rapidly apply a patch that functions like a physical patch without taking the vulnerable app out of production or making any code changes - must be an evaluation (and ultimately, deployment) priority in 2018. We have seen this issue arise as a recent study by CA Veracode found that only 14% of high severity code flaws - the kinds that lead to headline stealing security breaches - are fixed in less than 30 days. That means 86% take longer than 30 days. This is too long of a time to address these issues as it takes less than a week for malicious hackers to set up shop inside an organization after exploiting a known vulnerability. This issue needs to be addressed head on in 2018 in order to avoid more breaches that are sure to come if vulnerabilities are left unpatched.
Jack Miller brings more than 25 years overall experience and 18 years' experience as a CISO from a variety of industries to SlashNext. Prior to SlashNext, Jack held an executive in residence role at Norwest Venture Partners where he contributed to the SlashNext evaluation and funding decision.
"We first need to fill the growing shortfall of qualified security experts who have the necessary skills and experience to solve these problems for organizations of all types and sizes..."
Hiring and training enough skilled security workers will continue to be one of the biggest challenges facing CISOs in 2018 and beyond. Due to this lack of trained personnel in-house, we expect that more companies will leverage external managed security service providers (MSSPs) to help fill this need in the New Year.
Steve Durbin is Managing Director of the Information Security Forum
"Organizations will adopt IoT devices with enthusiasm..."
Not realizing that these devices are often insecure by design and therefore offer many opportunities for attackers. In addition, there will be an increasing lack of transparency in the rapidly-evolving IoT ecosystem, with vague terms and conditions that allow organizations to use personal data in ways customers did not intend. It will be problematic for organizations to know what information is leaving their networks or what data is being secretly captured and transmitted by devices such as smartphones and smart TVs. When breaches occur, or transparency violations are revealed, organizations will be held liable by regulators and customers for inadequate data protection. In a worst-case scenario, when IoT devices are embedded in industrial control systems, security compromises could result in harm to individuals or even loss of life.
Assaf Harel, co-founder and CTO at Karamba Security, has broad experience with embedded, networking, security and mobile technologies. Previously, he was Senior R&D Manager at Check Point Software Technologies, overseeing the development of emerging endpoint security products. Assaf served in the elite intelligence unit of the IDF and received a B.Sc. and M.Sc. Cum Laude in Computer Science from Technion and MBA Cum Laude from Haifa University.
"The recent NSA/CIA leakages show that intelligence agencies focused a great deal of their efforts in breaking into IoT devices and using them as tools for intelligence gathering and targeted attacks..."
These IoT devices could be target defense systems, but also countries' and states' infrastructure (electricity grids, water supplies, etc.), transportation systems, vehicles and even smart home devices such as smart TVs.
History shows us that it takes less than a decade between the use of such tools by intelligence communities and when these technologies find themselves at the hands of terrorist and criminal groups.
In the coming years, we're going to start witnessing a shift of cybercriminal campaigns from their comfort zone of enterprise crimes to more complex IoT driven attacks. These attacks will have the same desired goal of holding a person or organization ransom until they pay, but the means for the ransom attack would shift to the person's hospital bed, smart home appliances, or connected car. Large organizations and countries will be held hostage when their entire fleet of devices will stop reacting to their commands, and even turn against them, until they pay the ransom.
Unfortunately, this can be of even of greater impact at the hands of terrorist groups that can learn how to control autonomous transportation systems from afar, turn a defense system against its sender or even shut down a country's critical infrastructure such as power or water supply. We already started hearing about such cases in Australia and in Ukraine.
Kyle White is the CEO & Co-Founder of VeryConnect - Membership Management Software.
"The top concerns in 2018 and beyond will remain the people who use systems..."
Humans are almost always the most vulnerable part of the system: choosing insecure passwords (including re-use), taking insecure copies of data, falling for social hacking ploys, etc. The general public is also becoming increasingly numb to hearing about yet another hack and release of millions of people’s data.
From the system’s perspective: with the rise of connected devices, IoT and an explosion of data and online services, companies must remain vigilant and at the forefront of the rapidly evolving security requirements. Most companies struggle to keep apace with the latest developments in this field.
Rick Deacon is the founder/CEO of Apozy, a cybersecurity company created NoHack, which stops phishing, ransomware, and other web-based attacks in the browser. They're a YCombinator company and prior to founding Apozy, Rick worked as an ethical hacker for 8 years. He spent a lot of time hacking Fortune 500s and has used that knowledge to create NoHack and protect them.
"In 2018, I expect that the largest concerns will continue to focusing around IoT and attacks that target individuals..."
With IoT growing larger and more devices becoming connected to the internet, the concern will be around data, privacy, and backdoor access. Further, as these devices end up on corporate networks, people will need to address the obvious security concerns.
Device manufacturers will also need to work secure development into their devices with a transparent position available to explain what they're doing for security.
The second and more important concern will continue to be attacks on individuals and companies that involve social engineering. Phishing and malware attacks continue to grow with very few products that move the needle to solve the problem. Companies will need to continually implement a layered approach to security including security awareness and endpoint security.
Lev Lesokhin is the EVP of Strategy and Analytics at CAST, a leader in software analysis and measurement.
"The biggest concerns in information security in 2018 and beyond are..."
1. The future of cybersecurity with Smart Homes
There is no shying away from smart homes becoming a reality, and consumer acceptability towards smart home devices is growing for convenience reasons. Amazon’s ‘Key’ service is a move in that direction.
However, there are cybersecurity threats that consumers should watch out for, especially with the data Amazon Key will collect from the video recording feature inside the home. As with any company consumers share data with, the question becomes how is this video footage being stored and protected from malicious hackers? How long is this video footage being stored? Could it be accessed through stolen passwords, etc?
2. The holiday season is here, the retail and travel industries should start preparing to steer clear of the next big data security breach, especially given the data that might be vulnerable.
Airlines are prone to data security breaches, as in the case of Virgin America and United Airlines in the recent past. With the holiday season just around the corner, could airlines be more prone while handling large amounts of passenger data? A new source of risk is likely to be the use of ‘Electric Flight Bags’ (EFBs). How can airlines prepare their systems to avoid data breaches from EFBs this holiday season?
Airline check-in systems continue to fail and are causing long lines and a customer service nightmare at airports. Those are the information systems that continue to crash and cause flight delays and travel woes for consumers. There is an apparent software resiliency issue, where the application cannot effectively scale to handle the increased volumes of travel around the holidays. What airlines should do is conduct a quick scan of these check-in applications to make sure they are working properly before the holiday travel rush begins.
According to PwC’s 2015 Global Airline CEO Survey, 85% of airline CEOs in the study view cybersecurity as a significant risk. The industry continues to see major technological advances that contribute to the complexity of protecting data and assets. Two of these are tablet-based electronic flight bags (EFBs) and the installation of in-flight entertainment and Wi-Fi connectivity systems (IFEC). Many airlines do not have a targeted plan in place to safeguard the security of EFBs. These systems greatly increase the number of connections, vendors, and technologies involved, which in turn creates more hacking opportunities. The threats posed by EFBs and IFECs need to be managed holistically, with airlines closely cooperating with other carriers, hardware and software providers, aircraft OEMs, and other industry stakeholders.
3. Can the healthcare industry improve their data security?
The healthcare industry has consistently been on top of the charts with data breaches in the last few years. Why is this industry so vulnerable to data breaches? Blame has been placed on human error, but healthcare organizations should also bolster their security systems. Many times hackers will gain access to applications via a network vulnerability and will sit there dormant, until they decide to commandeer it and cause the application to crash – after they’ve stolen useful data about the company or even social security numbers, depending on what they’ve gained access to. In the past five years, we’ve seen healthcare data breaches grow in both size and frequency, with the largest breaches impacting as many as 80 million people. A February 2017 survey from Accenture reveals that healthcare data breaches have affected 26% of U.S. consumers, or more than one in every four Americans. Additionally, the survey also found that 50% of breach victims eventually suffered medical identity theft, with an average of $2,500 out-of-pocket costs. Healthcare exposed the most SSNs compared to all other industries (ITRC Data Breach Report 2016), and the most records exposed by employee error or negligence were in the healthcare sector. The healthcare industry was hit hardest by hacking, skimming and phishing attacks.
"The most talked about data privacy development in Europe is without question the introduction of GPDR (General Data Protection Regulation) and is of global concern...”
A significant change to how personal data will be stored, it's still yet to be determined how companies will interpret the guidelines on how much data they keep based on having a 'legitimate interest' vs that of requiring explicit 'consent'.
I think the key [to GDPR compliance] is to have appropriate controls and risk mitigation in place, alongside robust reporting and response procedures.. It's likely to be the Data Protection Officer (DPO) or whoever takes on that responsibility and in some organizations it may be the Information Security Lead. Ultimately, data privacy is everyone's responsibility and staff need to be educated and monitored accordingly.
The person assigned must also work 'hand in glove' with your internal legal representative or General Counsel, as some of the laws come down to interpretation of data that is specific to your industry and you will need legal opinion. However to ensure compliance you should initially undertake a data audit, with regular re-audits to ensure ongoing compliance.
As an organization, to ensure complete information confidentiality and regulatory compliance, you should determine which security framework best suits your business, based on industry regulations and geographical markets. Then, audit your existing security design against this framework to produce a gap analysis. These processes will provide the foundation for your security roadmap and allow you to prioritize based on risk. This will bring security to the 'heart' of business change and ensure compliance with your overall information security strategy.
Michael Fimin - the accomplished expert in information security, is CEO and co-founder of Netwrix, the company that introduced the first visibility platform for user behavior analysis and risk mitigation in hybrid IT environments. Netwrix is based in Irvine, CA.
”When talking about the most common concerns across organizations of all sizes, industries and regions, the first thing we should mention is..."
Insufficient awareness of activities happening in the IT environment and analytics that would provide actionable insight on it. This being said, organizations do understand the need for improvement in these areas. When the threats are infinite and often unknown, it is important to be able to detect them on time, before any substantial damage is done. Many organizations perceive their own employees as the biggest threat to security, but only few are fully aware of employee activity in the environment. Nevertheless, the dynamics over the past few years are positive and security efforts are aimed at bridging the gap. The uptrend is most likely to remain, meaning that we will see more organizations improving visibility into activity in their environments and analytics capabilities to eliminate the major concerns for 2018: data breach, intellectual property theft and fraud.
The efforts all organizations have been investing into security are explained by tightening security regulations around the world, greater penalties, and desire to protect trade secrets, innovations and so on. Security breaches crush carriers and businesses, they have a direct impact on market valuations and company value. Preventing them from happening has become everybody's business: from IT staff to senior management and investors.
Adam Sbeta is a Cyber Security analyst in charge of HIPAA and PCI Compliance assessments at RCE. He's been tracking virus behavior and penetration since a young age, and traveling the world seeing different attackers and end-user activities helped him keep his eye open to potential risks to mitigate.
"The increasing trends that I'm seeing are..."
1) Executives are aware of security concerns but still not taking proper action.
Our business life in-general is increasingly getting technology-dependent in everything we do. The more people there are expecting certain types of emails and electronic communications, the more attackers there will be taking advantage of such norms to easily get around all of the traditional security features. Security awareness is very important, as humans now need to be the next-generation firewall.
Accordingly C-level executives need to not only have a single individual deciding a security practice, but also encourage departments to collaborate and get involved in the decisions around what risks are acceptable and what needs to be mitigated. Corporations need to listen to cyber security advisors who would have more exposure than their internal staff and reduce relying on the IT department to provide s uch security, where IT is usually looked at as a budget and not a factor that can cost a business their reputation or clients in case of a breach.
2) Companies' inability of restoring from an attack in a timely manner.
With the advancement of ransomware and growing availability of sophisticated hacking tools available for rent/sale in the dark web, we have seen a growing number of attacks on valuable information and more intelligent attacks that disable companies' backup systems first. Having backup is one thing, but are the backups themselves secure and available when needed? Companies end up paying the ransom and opening the door for more attacks.
Building proper Disaster Recovery Plans and Incident Response Plans is key to be ready for unseen future attacks.
3) People's love to share files.
Employees including medical practices love spreadsheets and sharing files in-between the teams. These files can be wrongly shared if you don’t have a standard technology to manage and protect unintentional distribution of files.
There are technologies available that make file live collaboration and sharing natural, but at the same time add more protection to files and the ability to remotely delete them as well. There needs to be more strategic technology decisions. Giving employees the ability to randomly bring in the technologies they use at home increases the risk of misuse and unintentional consequences.
Pieter VanIperen is a Founding Member of Code Defenders a collective the protects the long tail of the internet, an Adjunct Professor of Code Security at NYU, a Certified Penetration Testing Engineer (Ethical Hacker) and a Certified Secure Web Application Engineer. He is a veteran programmer and security expert. He is currently a resident software architect and secure coding expert for a major online discount brokerage. He has also consulted for multiple financial, insurance and law enforcement institutions. He has worked in over 20 programming languages and is the author of the HAZL programming language. He has also served as the CTO of several digital companies and has advised multiple startups.
"One concern that is mentioned in general is the previous large data breaches like at Equifax..."
This is mentioned as identity theft exposure and usually reported with a credit freeze. While that is an very valid concern, another that is not talked about much is how that vital personal information is used in systems to prevent repudiation and verify account recovery. We all know the power of social engineering, but if already breached info can be used to gain access to additional systems, the spread of these breaches can be exponential in creating additional breaches. So, how do you verify an account holder at a bank if your account holder has a 1 in 2 chance of their SSN and DOB being compromised? As we move forward beyond discussions around replacing SSN at a congressional level, the InfoSec community is going to have to come up with other ways to verify users that rely on some inclusion of non-compromised info that is also difficult to gain through social engineering. This will require unique systems and a change in deeply ingrained process patterns.
As the Chief Technology Officer for Kudelski Security, Andrew Howard is responsible for the evolution, development and delivery of the organization’s technology strategy and solution architecture, including selecting and validating third party technologies and managing research, development and labs. Prior to joining Kudelski Security, Andrew was a Laboratory Director at Georgia Tech, spearheading the information security research and advisory programs.
"There has been a dramatic increase in cyber security spends over the past several years, yet the number of attacks continue to increase..."
For this reason, return on investment is top of mind for most CIOs and poor performance in this arena is a threat to their job. Most organizations cannot afford to spend at their current levels and continue to be breached. The pressure is on them to identify smart investments and work with reliable subject matter experts in a heavily diluted marketplace. Complicating this space is new reporting requirements for public companies that will likely increase external scrutiny on technology decisions.
Isaac Kohen started out in quantitative finance by programming trading algorithms at a major hedge fund. His time spent in the financial world and exposure to highly sensitive information triggered his curiosity for IT security. He worked as an IT security consultant for several years where he spearheaded efforts to secure the IT infrastructure of companies with masses of confidential data. He decided to focus on algorithms targeting user behavior to find outliers within the companies he consulted with to help detect insider threats, founding his company Teramind.
"A top concern for businesses in 2018 should be this..."
With developments in technology and evolving ecosystems of data, it's time for managers to start thinking in a preventive mindset instead of a reactive mindset. Legacy systems and traditional software has been a security concern, and will continue to be in 2018, the new initiative should be to work these traditional systems out of the business infrastructure and adopt more preventive systems that actively navigate data and insider threats. Monitoring software, employee training and such are great tools to adopt for this journey.
Hoala Greevy is the Founder CEO of Paubox. Hoala has 17 years experience in the email industry and is the architect of the Paubox platform.
"Hybrid ransomware attacks through email is going to increase in 2018..."
We've already seen how email continues to be a top threat vector for ransomware in 2017 and that trend will only continue. This is particularly true in healthcare, where breaches caused by email was the top breach type for September and October according to the Department of Health and Human Services (HHS). While user education detecting phishing attacks remain important, there's still going to be a segment of business users that will open any email attachment. That human element makes email security a continuing concern for any CIO.
Adnan Raja is a VP at Atlantic.Net, a web hosting solution that provides HIPAA-Compliant, Managed, Dedicated, and Cloud hosting.
"One of the top information security concerns for 2018 and beyond is the adoption of new technology and how that can greatly increase various threats..."
Businesses are utilizing the Internet of Things (IoT) at a quickly growing pace, but the devices aren't always secure. This can create a way into an organization for hackers and thieves. There are also quite a bit of privacy concerns when dealing with IoT that a lot of users may not realize due to confusing terms and conditions. This can allow personal data to be taken and used in ways that users were not intending.
Oliver Tavakoli is chief technology officer at Vectra. Oliver is a technologist who has alternated between working for large and small companies throughout his 25-year career. Prior to joining Vectra, Oliver spent more than seven years at Juniper as chief technical officer for the security business.
"In 2018, ransomware attack trends will bifurcate based on motives..."
Ransomware as a disruptive or destructive attack will increase. Cyber warcraft is the new oil - in essence, total control of corporate networks or industrial plants have become as valuable as energy resources and motivate nation states as such. However, ransomware purely for financial gain will decrease due to fewer victims paying.
Chris Goodwin brings more than 20 years of enterprise software design and development experience to his role as CTO of LockPath, where he is responsible for all research and development. Goodwin previously served as the product architect of the Archer SmartSuite Framework and managed the R&D team of Archer Technologies, which was acquired by RSA, the security division of EMC, in 2010.
"Within the business continuity and disaster recovery space, 2018 will see an increased prevalence of the conversation on reorganization and/or consolidation of these disciplines..."
Business continuity management planning, disaster recovery, incident response and crisis management are all similar and related disciplines. Traditionally, these disciplines fell under the BC/DR umbrella, and were functions of corporate IT business units; however, there has been contention over the accuracy and utility of centralizing BC/DR ownership under the corporate IT apparatus. Some factions are arguing that the disciplines might actually lend to a broader umbrella concept or discipline, such as Business Resiliency, that more firmly establishes an organizational responsibility, as opposed to an IT responsibility, to establish, maintain, recover, and improve business operations in the wake of adversity.
Ajit Sancheti is co-founder and CEO at Preempt, a San Francisco, California behavior-based authentication security company.
"In 2018, enterprises will need to embrace a continuously adaptive approach to information security..."
Because in an increasingly digital business world, binary decisions - black or white, allow or block - do not work. Enterprises have to think about how to enable transactions when all the information is not available or there is a known level of risk. Making adaptive decisions based on identity, behavior and risk will enable more effective threat prevention.
Dan Lohrmann is an internationally recognized cybersecurity leader, technologist and author. Lohrmann joined Security Mentor, Inc. in August, 2014, and he currently serves as the Chief Security Officer (CSO) and Chief Strategist for this award-winning security awareness training company.
"Industrial Control System (ICS)-specific malware will surface that goes well beyond Windows-based vulnerabilities currently affecting companies that operate critical infrastructures..."
ICS technologies include, supervisory control and data acquisition (SCADA) and distributed control systems (DCS), industrial automation and control systems (IACS), programmable logic controllers (PLC), programmable automation controllers (PAC), remote terminal units (RTU), intelligent electronic devices (IED) and other sensors. Targeted malware will be written against many of these specific systems. At least one well-known utility will be hacked - impacting customer service delivery.
Mark Lambiase is CTO of Fox Technologies, an authorization and access management vendor, specializing in privileged access management for Linux and UNIX.
"Phishing is still the dominant entry point for hackers, with blown admin credentials at the source of many..."
Do not expect past solutions to solve future problems. Expect failure and accept workarounds. Make sure staff are properly trained because low-security awareness among personnel and lack of trained employees is cited as the top reason for lapses in security.
Lenny Zeltser is Vice President of Products at Minerva Labs, an Israel-based provider of endpoint security solutions. Zeltser is a seasoned business and tech leader with extensive experience in IT and security. He is also a senior instructor at SANS and the primary author of FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques, a course he designed as an on-ramp into the malware analysis field.
"In 2018, the popularity of crypto-mining malicious software will continue to increase..."
Established criminal groups will use malicious crypto-mining to supplement their revenue stream from activities such as ransomware infections. Newcomers will see this practice as an easy way of getting into the field, in part because some might view such activities as a victimless crime.
Dan Moyer is the Marketing Manager for Cal Net Technology Group. They've been working with small businesses to manage and improve their IT and cybersecurity for over 20 years, growing into Southern California's premier managed services provider.
"Businesses depend on real-time, uninterrupted connectivity, mobile devices, and trustworthy employees, but it's exactly that dependence that makes them vulnerable to attacks on their IT infrastructure..."
With 'Bring Your Own Device' policies in the office and employees given access IPs and crucial data, organizations need to rethink their defensive models and get proactive with their approach to IT, especially in regards to disaster recovery plans. A plan that relies on employees working from home won't survive attacks that target key individuals or remove connectivity altogether. Recovery plans not only need to address threats to physical safety, but periods of operational downtime caused by attacks on infrastructure, devices, or employees as well.
In 2018, cybercriminals will increasingly focus their ransomware efforts on smart devices. Attackers may hold specific devices for ransom, but they will also use those devices as keys to install ransomware on other systems throughout organizations. That means your entire infrastructure needs to be hardened down to individual devices, and employees need to be trained on the best practices to avoid compromising your organization's security.
Attacks like these have the potential to disrupt operations and automated production processes, costing businesses millions - if not billions - in potential revenue.
Because organizations have become increasingly reliant on data to drive their decision-making, criminals (and competitors) are starting to distort the integrity of information, including big data sets used by analytics systems, financial records and reports, and bank account details. Organizations need to start preparing now to ensure technical assessments address their vulnerability to attacks like these.
Maja Mekic works for Ceedo LTD, a company providing threat prevention solutions for small businesses.
"This year was marked by the rise of ransomware threats that financially drained small businesses who didn’t focus on threat prevention..."
To prevent the attacks from happening again in 2018, companies will have to do a deep analysis of their systems and develop a new approach to data protection.
2018 is going to be all about prevention. Infosec companies will need to start educating businesses on how to adopt healthy security habits. We will have to seriously think of how to approach this topic from a psychological perspective.
Hacking of biometric data. Biometrics are not hack proof. If somebody is using fingerprint authentication, retinal scanning or advanced facial recognition in a company they have a tendency to believe that their data is safe. But you will leave your fingerprint on a public transportation or even in a cafe. If you are an infosec consultant in such a company, creating a recommendation for secure company behavior will be a challenge.
If IoT devices are all connected to the cloud, the security vulnerability is multiplied by the number of devices that can access that server. Unfortunately, this problem will become obvious to companies after an attack happens.
Isabelle Dumont is a Vice President at Lacework, a cloud security company. Dumont brings to Lacework 20 years of experience, focused on go-to-market strategies and category creation.
"Organizations are moving their infrastructure to the cloud with AWS and Azure both growing at unprecedented rates..."
In 2018, the industry will move more towards automation, API's, and cloud services at scale. It's more about continual compliance, configuration checks, and response at scale than it is about point-in-time signatures, Firewalls, policies, and rules. Lastly we need to remove the complexities and management burden away from the user and provide security that is simply powerful.
Ashwin Krishnan is a technology industry expert with over two decades of experience in cybersecurity and cloud technologies. The author of Mobile Security for Dummies, Ashwin is currently a Senior Vice President of Products and Strategy at HyTrust, a late stage security startup. His speaking engagements include Mobile World Congress, RSA Security Conference, VMWorld, Telecom Industry Association, and Product Camp Silicon Valley.
"My 5 predictions for 2018 are..."
- The consumer will be finally wake up to become the ‘security savvy consumer’. How? They will experience ransomware hitting their WiFi-enabled doorbell or Denial of Service of their Internet-enabled TV.
- Encryption will not be enough – quantum computing will become the weapon of choice for the man-in-the-middle attackers.
- Cyber insurance will become available to consumers. Why? See #1.
- The average tenure of the CISO will go down from 18 to 12 months. Equifax, SEC, Comcast ….
- AI security will detect AI attacks. For example – to detect ‘fake videos’ created by software, AI will come to the rescue to slow the spread of fake news.
Swapnil Deshmukh currently works as an Sr. Director at Visa. He is a global head responsible for attesting security for emerging technologies such as IoT, mobile, and cloud. He has also coauthored the Hacking Exposed series and is an active member of OWASP. In his prior work he has helped Fortune 500 companies build secure operations centers with on premise, cloud, and hybrid models. You can also find him on Medium.
"A few cyber security concerns for the upcoming years are..."
Cyber Protection: Lack of intelligence-driven defense and response to cyberattacks of consequence.
DevOpsSec: Providing continuous security or on-demand security to production-ready source code.
Cognitive Detection & Response: The need to pre-emptively identify, disrupt, and respond to attacks.