2015 was an extremely bad year for security, and 2016 will be worse.
Phil Harris, Head of Mobility (AMA) in Check Point Software, responsible for mobility solutions for Check Point across Asia Pacific, Middle East & Africa, explained that hackers and their methods have matured in recent years, hence the rise in attacks. "Expert hacking skills are not required anymore. Anyone with sufficient money and malicious intent can rent or purchase malware... It has become a lot simpler and easier to steal data. Criminals are using personal information to commit identity theft or sell it to those who will use it for that purpose," he said.
The Head Geeks at SolarWinds* agree. "Advanced persistent threats (APT) was a term that went mainstream in 2014, but the sheer volume of APTs over the past year has taken everyone by surprise. The sophistication of attacks, number of zero day vulnerabilities exploited, and general lack of preparedness have made these breaches agonising," noted the SolarWinds Geeks.
"Well publicised breaches also caused financial losses. This forced many companies to reflect on their oversight which highlighted the notion that we not only need to consider the cost implications of the breach but (that) they also face the liability of negligence to customers when it comes to unsecure environments."
Sean Duca, Vice President and Regional Chief Security Officer, Palo Alto Networks Asia Pacific, has seen the trend as well. "Over the past few years, cyber attacks have escalated and gotten more aggressive and successful. Not only have we seen it become easier and cheaper to launch successful attacks, it has eroded our digital trust in online systems. That trust also extends itself to the failure of legacy security architectures, due not only to an outdated assumption that everything on the inside of an organisation’s network can be trusted, but also the inability of legacy countermeasures to provide adequate visibility, control, and protection," he said.
Enterprises are fighting back
Craig Nielsen, Managing Director, Southeast Asia, Intel Security, said businesses had not been passive in 2015. "As cyber threats continued to evolve in complexity, so did the sophistication of the cyber security strategies and the measures taken up by enterprises. Enterprises’ growing focus on cybersecurity has been supported by the influx of trained security professionals, technology innovations and initiatives by the local government to protect citizens and businesses from advanced cyber threats. As the cyber attacks became more target-driven, so did the enhanced security measures, with the majority of security breaches readily detectable and stopped in time by end to end security solutions," he noted.
"In 2016, businesses will continue to improve their IT security posture by implementing the latest security technologies, creating effective policies, and remaining vigilant. Cybercriminals will continue to repeatedly target cloud services and virtual data, finding loopholes in corporate security policies to take advantage of. Application vulnerabilities and payment methods would continue to fuel the threat of ransomware."
Duca of Palo Alto Networks said businesses will have to approach security differently. "We expect to see more organisations adopting new security models, such as 'Zero Trust', which is intended to remedy the deficiencies with perimeter-centric strategies and the legacy devices and technologies used to implement them. It does this by promoting 'never trust, always verify' as its guiding principle. This differs substantially from conventional security models that operate on the basis of 'trust but verify'; essential security capabilities are deployed in a way that provides policy enforcement and protection for all users, devices, applications and the communications traffic between them, regardless of their location. We expect this will continue across Asia Pacific in 2016."
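The difference between 'trust but verify' and 'never trust, always verify' is easiest to see on concrete requests. The following is an added example, not code from the article or from Palo Alto Networks: the same two access requests are evaluated under a perimeter rule that trusts any internal source address, and under a Zero Trust rule that checks identity, authorisation, MFA and device posture for every request wherever it comes from. The networks, applications, group names and posture fields are constructed for illustration.

```python
# Added example (not from the article or Palo Alto Networks): the same access
# requests evaluated under a perimeter-centric "trust but verify" rule and under
# a Zero Trust "never trust, always verify" rule. Networks, applications, groups
# and device-posture fields are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate address space. The perimeter model treats any source
# inside it as trusted.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed per-application policy: who may reach it and what posture the
# device and session must have. Zero Trust applies this to every request,
# whatever the source address.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "managed_device": True, "mfa": True},
    "wiki":    {"groups": {"staff", "finance"}, "managed_device": False, "mfa": True},
}


@dataclass
class Request:
    user: str
    groups: set
    src_ip: str
    app: str
    device_managed: bool      # endpoint enrolled and reporting healthy
    mfa_passed: bool          # second factor completed for this session
    session_verified: bool    # identity token validated for this request


def zero_trust_decision(req: Request) -> str:
    """Never trust, always verify: identity, authorisation, MFA and device
    posture are checked for every request regardless of location."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny: unknown application"
    if not req.session_verified:
        return "deny: identity not verified"
    if not (req.groups & policy["groups"]):
        return "deny: user not authorised for application"
    if policy["mfa"] and not req.mfa_passed:
        return "deny: MFA required"
    if policy["managed_device"] and not req.device_managed:
        return "deny: unmanaged device"
    return "allow"


def perimeter_decision(req: Request) -> str:
    """Trust but verify: a source inside the corporate network is trusted
    outright; only external sources get the full check."""
    src = ip_address(req.src_ip)
    if any(src in net for net in INTERNAL_NETS):
        return "allow"
    return zero_trust_decision(req)


# Constructed scenario: a contractor's unmanaged laptop on the office Wi-Fi,
# not in finance and without MFA, asks for the payroll application.
INSIDER_ON_BYOD = Request(
    user="contractor", groups={"staff"}, src_ip="10.20.30.40", app="payroll",
    device_managed=False, mfa_passed=False, session_verified=True,
)

# Constructed scenario: a finance employee working remotely from a managed,
# MFA-authenticated device.
REMOTE_FINANCE = Request(
    user="alice", groups={"finance"}, src_ip="203.0.113.7", app="payroll",
    device_managed=True, mfa_passed=True, session_verified=True,
)


def compare(req: Request):
    """Return (perimeter decision, zero-trust decision) for one request."""
    return perimeter_decision(req), zero_trust_decision(req)


if __name__ == "__main__":
    for r in (INSIDER_ON_BYOD, REMOTE_FINANCE):
        print(r.user, r.src_ip, r.app, compare(r))
```

The first request is the case the legacy model gets wrong: the perimeter rule allows it purely because the source address is internal, while the Zero Trust rule denies it on authorisation before even reaching the MFA and device checks. The second request shows that location is irrelevant in the other direction too: a remote user with the right identity, group, MFA and device posture is allowed.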
| Source: Hillstone Networks. Teo. |
Teo of Hillstone Networks noted that monitoring and management tools will play an even greater role in data centre operations in 2016 due to the rise of internal threats. "Tools that offer application identification and user identification can offer insights into what each virtual machine does, as well as the interaction and communication between the virtual machines," he said.
It is now a world where anyone can be a target, however. Amit Yoran, President of RSA, noted that cyber-attack tools and services are increasingly commoditised. This allows cyber criminals to target more companies. "...The cost of attacking an organisation is dropping dramatically, enabling more attacks that do not have financial gain as the primary focus. Sophisticated hacktivist collectives like Anonymous have been joined by relatively unsophisticated cyber vigilantes. Organisations need to realise that financial gain is no longer the only or even the biggest driver of some of their adversaries. Security operations and risk managers should evolve their understanding not only of the threat, but also of what, why, where, and how they are being targeted," he said.
Yoran believes that most businesses have been guilty of hoping that the security strategies that used to work will continue to work. "(2015) was characterised by enterprises recognising the need to monitor and defend their digital environments differently, but continuing to centre their security programmes on the same technologies and approaches they have been using – hoping for a different outcome, but not acting differently," he noted.
"2015 saw threats continuing to evolve faster than most organisations’ ability to detect and respond to them. What was considered an 'advanced' threat in years past has become a commodity today with sophisticated malware and exploits available for the price of a movie ticket. As troublesome as these observations seem, the most impactful evolution goes almost entirely unreported and misunderstood. The threats that matter most: today’s pervasive threat actors execute attack campaigns comprised of multiple compromise methods and multiple back doors to assure persistence. Incomplete incident scoping has become a critical failure point.
"We’re starting to see progress in some areas as security investments begin to shift from a maniacal focus on prevention, toward greater balance on monitoring, detection, and response capabilities. It’s become cliché to say that breaches are inevitable and that faster detection and more accurate incident scoping is the way forward, but too many organisations are trying to do these very different tasks using the technologies and processes they have on hand…not designed nor capable of answering their need," he said.
Cyber criminals are working to thwart known defences, Fortinet points out. In its New Rules: The Evolving Threat Landscape in 2016 report, Fortinet's threat research division, FortiGuard Labs, makes annual predictions of the most significant trends in malware and network security going into 2016. "Rombertik garnered significant attention in 2015 as one of the first major pieces of 'blastware' in the wild. But while blastware is designed to destroy or disable a system when it is detected (and FortiGuard predicts the continued use of this type of malware), ghostware is designed to erase the indicators of compromise that many security systems are designed to detect. Thus, it can be very difficult for organisations to track the extent of data loss associated with an attack," FortiGuard researchers said.
Another technique, sandboxing, may become less effective, FortiGuard added. "Many organisations have turned to sandboxing to detect hidden or unknown malware by observing the behaviour of suspicious files at runtime. Two-faced malware, though, behaves normally while under inspection and then delivers a malicious payload once it has been passed by the sandbox. This can prove quite challenging to detect but can also interfere with threat intelligence mechanisms that rely on sandbox rating systems," the researchers from FortiGuard said.
Machine learning and analytics to the rescue
The latest tools in the security arsenal revolve around machine learning and analytics, vendors said. “In 2015, the capability of machines to provide a full view of and automatically learn what is normal and abnormal within a network, as well as identify in-progress cyber attacks, has been an important innovation for the cyber defence sector, especially when it becomes humanly impossible to keep up with every component within an organisation’s expanding network. In 2016, companies that aim to be successful in proactive cyber security will need to embrace this model of ‘immune system’ technology, which continually looks out for network abnormalities and alerts the security team in real-time, before serious damage is done,” said Sanjay Aurora, Managing Director, Darktrace APAC.
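The "learn what is normal, then alert on abnormal" model described above, as an added example that is not from the article or from Darktrace: a per-host baseline of outbound connection sizes and destinations is learned from a window of log lines, and new lines are scored against it for unusual volume, never-seen destinations and never-seen hosts. The log lines, field names and threshold are constructed for illustration; real products use richer models, but the shape of the logic is the same.

```python
# Added example (not from the article or Darktrace): learn per-host "normal"
# from a baseline window of outbound-connection log lines, then score new
# lines against it. Log lines, field names and thresholds are constructed.
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(r"host=(?P<host>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)")


def parse(line: str):
    """Extract host, destination and byte count from one constructed log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"host": m["host"], "dst": m["dst"], "bytes": int(m["bytes"])}


def build_baseline(lines):
    """Per host: mean and standard deviation of bytes per connection, plus the
    set of destinations observed during the learning window."""
    sizes = defaultdict(list)
    dsts = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec:
            sizes[rec["host"]].append(rec["bytes"])
            dsts[rec["host"]].add(rec["dst"])
    return {
        host: {
            "mean": statistics.mean(vals),
            "stdev": statistics.pstdev(vals),
            "dsts": dsts[host],
        }
        for host, vals in sizes.items()
    }


def score(lines, baseline, z_threshold: float = 3.0):
    """Return (host, reason) alerts for lines that deviate from the baseline."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        b = baseline.get(rec["host"])
        if b is None:
            alerts.append((rec["host"], "host never seen in baseline"))
            continue
        # A perfectly regular host has stdev 0; treat any deviation as large.
        spread = b["stdev"] or 1.0
        z = (rec["bytes"] - b["mean"]) / spread
        if z > z_threshold:
            alerts.append((rec["host"], f"volume z={z:.1f} to {rec['dst']}"))
        if rec["dst"] not in b["dsts"]:
            alerts.append((rec["host"], f"new destination {rec['dst']}"))
    return alerts


# Constructed learning window: two workstations with steady, small transfers.
BASELINE_LOG = """\
2015-12-01T09:00:01 host=ws-17 dst=10.0.5.2 bytes=1000
2015-12-01T09:05:12 host=ws-17 dst=10.0.5.3 bytes=1200
2015-12-01T09:11:40 host=ws-17 dst=10.0.5.2 bytes=900
2015-12-01T09:20:03 host=ws-17 dst=10.0.5.2 bytes=1100
2015-12-01T09:02:15 host=ws-22 dst=10.0.5.2 bytes=5000
2015-12-01T09:07:44 host=ws-22 dst=10.0.5.9 bytes=5200
2015-12-01T09:15:31 host=ws-22 dst=10.0.5.2 bytes=4800
""".splitlines()

# Constructed new traffic: one normal line, one large transfer to an outside
# address, and a host that was never part of the baseline.
NEW_LOG = """\
2015-12-02T09:01:10 host=ws-17 dst=10.0.5.2 bytes=1050
2015-12-02T09:03:55 host=ws-17 dst=203.0.113.9 bytes=90000
2015-12-02T09:04:02 host=ws-99 dst=10.0.5.2 bytes=700
""".splitlines()

if __name__ == "__main__":
    for host, reason in score(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(host, reason)
```

Scoring the baseline window against itself produces no alerts, which is the sanity check to run before trusting any such model; the new lines produce three. The z-score on bytes is deliberately simple: a model that only learns volume would miss a slow, small exfiltration, which is why the destination check is kept as an independent signal.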
| Source: CA Technologies. Arredondo. |
"Security can no longer be an afterthought. It has to be baked into every aspect of application design, development and deployment. Accelerating development cycles means security must be in on the ground floor of any project or development process. Today’s breach rates, financial impact and board-level attention will demand security’s starring role. For 2016, all roads lead to the emerging idea of 'agile security'. Bringing security into the fold early, together with DevOps and agile practices, adds the much-needed third pillar to high-speed software development at scale."
Brocade, on the other hand, calls for security that is integrated into networks. "New IP networking solutions allow organisations to deploy more advanced security that is designed into the network from the start, not bolted on at edge to existing infrastructure. The network itself can be pervasively vigilant and track behaviour on and not just access to the network, to quickly identify and prevent unwanted activity. Security services can be virtualised, enabling organisations to distribute security wherever it is needed and customise security at various levels—by geography or location, function, group or individual, or application," the company said. Machine learning-based anomaly detection is quickly becoming a crucial part of network security, Brocade added.
Fear, uncertainty and doubt
This year will be a year where the cyber criminals go all out to exploit the human factor in different ways, including via mobile devices and through ransomware.
"Attackers are also likely to shift their focus and attack enterprises through their employees, by targeting, via the pervasiveness of bring your own device (BYOD), employees’ relatively insecure personal gadgets to gain access to corporate networks. The increasing ability of attacks such as encrypted infiltrations and credential theft to avoid traditional security systems and remain undetectable, will continue to benefit attackers, making security battles a tremendous challenge for security solutions providers," said Intel Security's Nielsen. "The rise in the Internet of Things (IoT) and cloud computing adoption will also increase potential targets and expand attack surfaces. Enterprises should consider a connected security approach of 'protect, correct and detect', bringing expansive IT networks and endpoints together to form a strong defense against IT threats."
"Mobile malware will continue to affect users in China due to the availability of third-party platforms and channels that offer free app downloads. Given the user behaviour in application stores such as Google Play, there is no stopping the exponential growth of mobile malware at a rate that's projected to reach the 20 million mark by the end of 2016," Trend Micro has forecast.
Mobile threats will grow, Sophos Labs agrees. "In 2016, an increase in Android exploits becoming weaponised can be expected (as opposed to bugs like Stagefright which was heavily reported earlier in 2015 but was never fully exploited). There are significant vulnerabilities on the Android platform, which can take months to patch. Although Google claims that nobody has actually exploited these vulnerabilities to date, it will ultimately be an invitation that is too tempting for hackers to ignore," researchers from the company warned.
Check Point's Harris explained that smartphones are an enticing new opportunity for criminals. "As users cram tons of personal information into their phones and use them at work, hackers are pouncing on cracks in the underlying technologies to steal and compromise vital data assets. According to the Check Point 2015 Security Report, there is a 50% chance any network with more than 2,000 connected devices will have at least six mobile devices infected by malware," he said. "Hackers are borrowing conventional attack methodologies from the wired world to extend access into corporate networks via vulnerabilities inherent in today's smartphones."
"Smartphone users however need to be aware of potential security risks. For example, man in the middle attacks can hide malware in apps until, for example, a device user uses the phone for banking. The malware then intercepts and steals personal identity information. Today, there are specialised technologies to solve such issues and banks and organisations are putting attention towards securing both their online banking and mobile banking infrastructure. Individuals will also need to take heed as unlike previously, where cybercriminals attack large institutions like banks, cybercriminals today are targeting apps used by users to infect devices," Veloo of F5 Networks said.
Android malware can be complicated and consumers cannot necessarily trust the App Store to detect these vulnerabilities in every instance, Sophos Labs added. Sophos Labs has already seen samples that go to extreme lengths to avoid App Store detection and filtering—giving apps a better chance of surviving on App stores. "For example, some hackers will design an app that loads harmless games if it thinks it is being tested, but then loads the malicious payload when it detects it is ‘safe’ to do so. And more recently, mobile users using third-party app markets were tricked into granting malicious apps from the adware family Shedun with control over the Android Accessibility Service. Once they have handed over control, the app has the ability to display popups that install highly intrusive adware, even if a user has rejected the invitation to install it. Because the apps root the device and embed themselves into the system partition, they cannot be easily uninstalled," researchers from Sophos Labs said.
According to Sophos Labs, the Apple App Store was also hit a few times in 2015: once with the InstaAgent app, which snuck through the vetting processes and which both Google and Apple pulled from their respective app stores, and before that with XcodeGhost, which tricked Apple app developers into incorporating its code into their apps, infecting them while the code stayed cleverly hidden behind what looked like Apple code.
"With more and more apps coming onto the market (both Apple and Google have more than a million apps each in their official marketplaces to date), it is not hard to imagine more criminals trying their hand at getting past the existing vetting processes. Nevertheless, the nature of Android, in particular support for the flexibility of third party markets will continue to contribute towards Android being an easier target than iOS," Sophos Labs researchers commented.
Pay... or else
"In 2016, online threats will evolve to rely more on mastering the psychology behind each scheme than mastering the technical aspects of the operation. Attackers will continue to use fear as a major component of the scheme, as it has proven to be effective in the past," the company said.
Sophos Labs cited a PwC report in which about 74% of SMBs said they had experienced a security issue in the last 12 months. "Ransomware is one area where criminals have been monetising small businesses in a more visible way this year. Previously, payloads – such as sending spam, stealing data, infecting websites to host malware – were far less visible so that small businesses often did not even realise they had been infected. Ransomware is highly visible and has the potential to make or break an SMB if they do not pay the ransom. This is why, of course, criminals are targeting SMBs. Expect to see this increase in 2016," said Sophos Labs researchers.
"Lacking the security budgets of large enterprises, SMBs often apply a best-effort approach to security investments, including equipment, services, and staffing. This makes them vulnerable as hackers can easily find security gaps and infiltrate the network. On average, a security breach can cost a small business anywhere up to £75,000 (approximately S$158,800) – a significant loss for any business."
Duca from Palo Alto Networks also highlighted ransomware as a security threat to watch in 2016. "Ransomware will continue to evolve its methods of propagation, evasion techniques and continue to hide its communication and the targets it seeks. As reported by the Cyber Threat Alliance, ransomware has been very lucrative for cyber criminals to launch campaigns and in a short period of time derive large revenue streams. Today, the value of credit card data is so low compared to ransomware, where higher value can be extracted from more victims. Research by the Cyber Threat Alliance reported that CryptoWall v3 generated more than US$325 million for the group behind it. This will drive further versions of ransomware style attacks to be released, allowing more cyber criminals to extort users to pay the ransom to get the decryption key for their data. We predict to see this crossing over to other platforms, such as OS X and mobile operating systems," he said.
The insider threat is very real, added Aurora of Darktrace. "We have observed breaches within organisations that have gone unnoticed for up to 200 days, before the vulnerability was brought to light. On that note, companies need to accept the new reality – the threat is, by default, inside organisations, and must be kept in check by continual monitoring and advanced detection,” said Aurora.
"The US Office of Personnel Management hack in June and the recently reported VTech hack are sharp reminders that attackers are having an impact on trusted organisations at scales almost unimaginable. These incidents have shown us yet again that once perimeter defences have failed, many organisations remain blind to in-progress attacks for long periods of time, until the business and reputational damage becomes impossible to contain.”
Sophos Labs also said that growth in the use of VIP spoof wire transfers to dupe staff can be expected in 2016. "Hackers are becoming increasingly talented at infiltrating business networks to gain visibility of personnel and their responsibilities, followed by using this information to trick staff for financial gain. For example, sending an email to the finance team that appears to be from the CFO requesting the transfer of significant funds. This is just one of the ways criminals will continue to target businesses," Sophos Labs researchers said.
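The "email that appears to be from the CFO" pattern has a few header-level tells that a mail gateway or a finance-team mailbox rule can check before anyone reads the body. The following is an added example, not code from the article or from Sophos Labs: it parses a message with the standard library, flags an executive's display name on a non-executive address, a lookalike sender domain, and a Reply-To pointing elsewhere, and only then counts payment and urgency language. The corporate domain, executive directory and both sample messages are constructed for illustration.

```python
# Added example (not from the article or Sophos Labs): header and content
# checks that flag the "email from the CFO asking finance to wire funds"
# pattern. The corporate domain, executive directory and both messages are
# constructed for illustration.
import email
import re
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                          # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # constructed: display name -> real address
MONEY_WORDS = re.compile(r"\b(wire|transfer|urgent|invoice|payment)\b", re.IGNORECASE)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    findings = []

    # 1. Executive's display name on an address that is not the executive's.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append(f"display name '{from_name}' is an executive but address is {from_addr}")

    # 2. Sender domain one edit away from the corporate domain.
    if from_domain != CORP_DOMAIN and _edit_distance(from_domain, CORP_DOMAIN) <= 1:
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Replies silently routed to a different domain than the apparent sender.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    # 4. Payment/urgency language only counts once a header check has fired,
    #    so a genuine invoice from a real address is not flagged on words alone.
    body = msg.get_payload(decode=True) or b""   # bytes for a single-part message
    text = f"{msg.get('Subject', '')} {body.decode(errors='replace')}"
    hits = {w.lower() for w in MONEY_WORDS.findall(text)}
    if findings and hits:
        findings.append(f"payment language: {sorted(hits)}")
    return findings


# Constructed spoof: executive's name, lookalike domain, foreign Reply-To,
# and the usual "urgent, I'm in a meeting" pressure.
SPOOF_MESSAGE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.net
To: ap@example.com
Subject: Urgent wire transfer

Please process the attached invoice today, I am in a meeting.
"""

# Constructed legitimate message from the real executive address.
LEGIT_MESSAGE = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Lunch next week

Are you free Tuesday?
"""

if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, analyse(raw) or "clean")
```

These checks catch the cheap version of the scam; an attacker who has actually compromised the CFO's mailbox, which is the "infiltrating business networks" case Sophos describes, passes all three header checks, so an out-of-band confirmation step for payment-instruction changes is the control that survives that case.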
CEOs have to take charge
Security is now the C-suite's problem because of all the collateral damage that could ensue from a security breach. "...cybersecurity will become a business problem and no longer merely an IT issue. IT security—a task that could once be delegated to the IT staff—has become a top-level strategic issue because the consequences of failure can ruin a business. Any organisation may be only a few hacks away from disaster," commented Veloo of F5 Networks.
Regionally, cyber attacks are estimated to have cost APAC businesses US$81 billion in the past 12 months** Darktrace shared. To safeguard revenue, reputation and intellectual property, the issue of cyber security has become a common topic during boardroom discussions, with policies being constantly developed to address ongoing cyber threats***, Darktrace said.
"Recent high profile hacking incidents are a wakeup call for CEOs and CIOs. It is a realisation that without security, modern companies cannot operate. It is no longer a responsibility simply held by the IT department. C-level executives have to establish a security framework which defines how employees respond, and with audit processes in place to ensure maximum protection. When done right, no matter where the threat comes from, staff performance will not be inhibited," Harris of Check Point said.
Concerns have gone national, said Aurora of Darktrace. “In 2015, we saw countries like Singapore and New Zealand introduce cyber security toolkits for SMBs – this is a good step in educating employees beyond the IT department on the sophistication and seriousness of today’s threats. In 2016, cyber security will move further toward the boardroom as a corporate issue and become a continual process of risk mitigation, rather than a problem left for the IT department to independently resolve. As a result, security professionals must become more conversant with business risks and business objectives, rather than remain as narrow and deep technological experts,” said Aurora.
Industry collaboration is essential
Cybercrime legislation will become a global movement, adds Trend Micro in its 2016 Security Predictions. "We have seen it in the continued arrests and sentencing of various individuals like the Russian national behind the CITADEL malware and another Russian cybercriminal who pleaded guilty of targeting payment processors, both in September 2015," the company stated.
Duca of Palo Alto Networks said closer industry-wide collaboration over threats would occur in 2016. "Efforts have been around for years to share threat intelligence in some verticals and we predict that 2016 will mark a year where the private sector and security vendors look to share more of this than they ever have in Asia Pacific. Today, many adversaries often write one piece of malware and send it to multiple organisations, with only minor changes made to make it undetectable. However, if we, as a community, can force cyber adversaries to create multiple unique attacks each time, it will force their costs to go up. And if we can share the information, the defender costs go down. The benefits grow exponentially if we automate this process whereby organisations do this in real time, whilst preventing the attacks. By knowing what kinds of actors are targeting you, the tools that they have available and the tactics they employ allows organisations to defend their networks more effectively," he said.
"Although the debate continues on how effective these regulations will be, Asian governments should look to foster the sharing of threat intelligence and organisations should think about how they can share in their vertical and go cross vertical in their efforts. We should ensure that there are responsible privacy protections in place, for the purpose of identifying, preventing, mitigating and responding to cyber threats, vulnerabilities, and malicious campaigns. The faster organisations can share this information, the better we can serve to protect each other and push the cost back to the attackers."
Duca also noted that more cyber crime legislation is on the horizon this year. "Asia Pacific has often operated under very lax regulations when it comes to cybersecurity. It is a global issue, however regulations to safeguard businesses and consumers are still evolving across the world. It’s unsurprising that the US is taking the lead on this front, given the number of high profile attacks reported to have targeted US firms in recent years.
"This has resulted in cybersecurity becoming a focus for policy, most recently seeing the introduction of The Cybersecurity Information Sharing Act (CISA), which aims to help US companies to work with their government to combat hackers. Similarly, the European Union has also laid out 14 actions to improve cyber security readiness, along with a policy on Critical Information Infrastructure Protection (CIIP), which aims to strengthen the security and resilience of vital ICT infrastructure by supporting a high level of preparedness, security and resilience capabilities, at a national and EU level.
"We expect that we will see a significant shift in the mindset of governments and regulators in Asia Pacific to take on an even more active role in protecting the Internet and safeguarding its users. Cybercrime laws will be in discussion, and changes to out-dated cyber security standards will be mandated to bolster an improved stance on security."
RSA has a different, darker take. Yoran says that security vendors claim to be able to prevent advanced threat breaches when the reality is, they cannot.
"Our industry has been awash in venture capital and as a result, foolish investments have been made in strategies and technologies that are little more than snake oil. As organisations’ security programmes continue to mature, they are learning that claims of being able to prevent advanced threat breaches are nothing more than fantasy. Expect to see a shakeout in the security industry as organisations’ maturing understanding of advanced threats increasingly drives their security investment decisions," he said.
Interested?
Read the TechTrade Asia 2016 predictions on:
Citrix outlines cloud, IoT and security trends for 2016
What will happen to cloud computing
Vodafone M2M Barometer shows increased adoption for M2M
New challenges for the Internet of things in 2016
Read the TechTrade Asia blog post describing the results of Gemalto's survey of what consumers think about data breaches
*SolarWinds comments were made by the SolarWinds Head Geeks: Patrick Hubbard, the IT Management Geek and Technical Product Marketing Director at SolarWinds; Leon Adato, the Network Management Geek and Technical Evangelist at SolarWinds; Thomas LaRock, the Database Management Geek; and Kong Yang, the Virtualization Management Geek.
**Grant Thornton. The Grant Thornton International Business Report, September 2015.
***Forty-five percent of boards now participate in the formulation of security strategy, with that number set to increase in 2016. PwC, CIO and CSO. Global State of Information Security Survey 2016, October 2015.
