By: Glen Ogden, Regional Sales Director, Middle East at A10 Networks
2015 was a memorable - although not a devastating - year for cyber security. We witnessed fewer widespread, panic-inducing vulnerabilities in 2015 than in years past; while 2014 will go down in the security history books as the year of Heartbleed, ShellShock and point-of-sale malware, 2015 was comparatively tame. However, trends like the Internet of Things (IoT) and cloud networking did generate a host of new threats. Researchers revealed attacks that could compromise connected devices such as cameras, cars and rifles. Stagefright was at the top of the list of mobile security risks, allowing malicious users to exploit Android devices simply by sending a malicious MMS message. It is important for IT professionals and security specialists to understand emerging threats in 2016 so that they can protect against them.
With the blurring of network boundaries and the increasing number of connected devices, A10 Networks predicts even more attacks and vulnerability disclosures in 2016. Glen Ogden, Regional Sales Director, Middle East at A10 Networks provides insights into the top 5 security predictions for 2016 along with advice for regional organizations to protect against these threats.
Security Predictions: #1 - Attacks Hidden in SSL Traffic Will Exceed Attacks in Clear Text
Over the past few years, SSL encryption has become all the rage for both application owners and hackers, and for good reason. Encryption improves security by providing data confidentiality and integrity. Unfortunately, encryption also allows hackers to conceal their exploits from security devices like firewalls, intrusion prevention systems and data loss prevention platforms. Some of these products cannot decrypt SSL without degrading performance, while others simply cannot decrypt SSL traffic at all because of their location in the network.
Today, encryption accounts for roughly one-third of all Internet traffic, and it’s expected to reach two-thirds of all traffic next year when Internet powerhouses like Netflix transition to SSL. As a result, encrypted traffic will become the “go-to” way of distributing malware and executing cyber attacks. Whether sharing a malicious file on a social networking site or attaching malware to an email or instant message, many attacks will be cloaked in SSL. On top of this threat, movements like “Let’s Encrypt” make it even easier for hackers to generate SSL certificates to sign malicious code or to host malicious HTTPS sites.
To counter the threat posed by SSL encryption, organizations can decrypt and inspect inbound and outbound traffic for cyber attacks. A dedicated SSL inspection platform enables third-party security devices to inspect encrypted traffic and eliminate the blind spot in corporate defenses.
Security Predictions: #2 - IoT will gain notoriety as both an attack target and an attack source
With the continued rapid growth in the Internet of Things (IoT), we expect to see an increase in both the number and severity of active exploits of connected devices. Analysts predict that there will be over 5 billion connected “things” by the end of 2016, and as the number of devices leveraging personal information grows, we’ll start hearing about exploits targeting consumer-oriented IoT devices. This will lead to more vocal advocacy for consumer protection through government regulation, or more likely, industry-driven mandates similar to those defined by Payment Card Industry Data Security Standard (PCI DSS).
IoT-specific threats are exacerbated by a number of factors:
The number of connected “things” is outpacing the ability to secure them.
Many devices have little to no security built in.
There is no formalized process for securing IoT devices.
An increasing number of devices provide access to personal information.
Meeting demand for capabilities will continue to be a higher priority than security.
For those looking for more information about IoT threats and mitigation, resources are available. The OWASP Internet of Things Project has identified the top attack surface areas of vulnerability for IoT devices and has issued the following recommendations, as well as specific guidance for testing and security to manufacturers. They also recommend that consumers take the following steps to protect themselves from IoT-related threats.
Security Predictions: #3 - Attackers will target mobile app vulnerabilities
2016 will see a continued rise in the number of attacks targeting mobile devices - something that probably won’t come as much of a surprise to anybody. But the scope of the problem and the potential for damage will. The sheer volume of mobile devices, the amount of malware (20 million apps by the end of 2016, according to Trend Micro), and the inherent vulnerabilities present in even legitimate mobile apps mean that a major breach is bound to happen, potentially on a massive scale.
To put it into perspective, Cisco recently released an advisory about a vulnerability in its WebEx for Android app. This particular flaw leaves the app vulnerable to an exploit that could allow a secondary malicious app to acquire the same permissions as the WebEx application. Typically, an app will ask for permissions, effectively tipping the user to its intent. But by exploiting this vulnerability, the app can gain access without any notification. And with millions of potential targets (as many as 5 million may have downloaded the app), it’s only a matter of time before a vulnerability like this results in a major incident. Fortunately, at this time there are no reports of this particular exploit resulting in a breach.
Additional threats exist in spear phishing attacks that exploit the fact that mobile users are more likely to click on a malicious link simply because it’s harder to identify it as suspicious on a smaller screen. And malware designed to look like valid apps can convince unsuspecting users to enter login data that can then be used to gain access to legitimate sites storing detailed personal and financial data. Mobile device users, particularly Android owners, need to remain diligent in validating what apps they choose to download and the attachments they choose to open.
Security Predictions: #4 - Cloud services will increase attack surface and burden perimeter security
Back in the good old days, networks were relatively well-defined. Servers were provisioned in the data center or the DMZ. Organizations could lock down their sensitive data and carefully monitor access to servers with data center and intranet security tools.
Those “good old days” are gone. Today, many organizations are migrating their application servers to the cloud or they are ditching their existing applications and moving to software-as-a-service (SaaS) solutions such as CRM, HR, email and file sharing apps. Organizations are also embracing cloud productivity apps such as Microsoft Office 365 and Google for Work.
The transition to cloud services has slashed costs and allowed easy access to business apps from any location. However, cloud applications have also introduced new security challenges, including:
An increased attack surface: Before, attackers needed to gain access to the corporate network before they could probe and attack applications. With applications hosted in the cloud, malicious users can now attack apps from any location and any device.
Uneven data monitoring and auditing: Organizations should track access to sensitive data to detect and stop suspicious activity and for forensics. But it is much more difficult to monitor access to third-party SaaS applications than internal apps because apps are hosted in the cloud and application traffic is often encrypted.
Limited control over security: Organizations must rely on SaaS vendors to implement strong defenses and to quickly fix vulnerabilities that arise. While many SaaS vendors have undergone rigorous SAS 70 or ISO 27001 audits, they are also under pressure to rapidly innovate and to support Application Programming Interfaces (APIs) for third-party integration; business demands could lead to more vulnerabilities.
Increased traffic at the network perimeter: The adoption of cloud-based services will inevitably increase the load on secure web gateways and perimeter firewalls. Since much of this traffic is encrypted (see security prediction #1), businesses must ensure that their security devices can keep up with demand.
Security Predictions: #5 - Drone-related threats will grow
Consumer drones are big now and they will get even bigger in 2016, when they are expected to generate over $1 billion in revenues. But their increased popularity will also introduce new cyber security and physical security risks.
Drones serve a myriad of purposes, from military to agricultural to surveillance applications to even delivering packages from the sky. However, drones also present a wide range of risks, from privacy invasion to corporate espionage to terrorism.
Star Wars movie executives are already developing plans to prevent drone owners from taking photos of their upcoming movie sets. Executives in other industries should also take heed. For example, oil exploration companies should be wary of competitors using drones to learn where they are drilling for oil. And IT administrators should make sure that drones, which can bring sniffers and other snooping tools into closer proximity, do not gain access to corporate Wi-Fi networks.
While drones do not pose as serious a threat as other cyber security attacks such as malware, IT administrators should consider any potential cyber security or physical security risks that drones pose for their organization in 2016.
What Enterprises Can Do to Prepare for 2016
While it is challenging to predict which threats will cause the most damage in the future, we believe that trends like encryption, IoT, mobility, cloud and Internet-connected drones will introduce dangerous security risks in 2016.
To prepare for these risks, organizations should implement a multi-layered defense that can protect servers and endpoints, whether those servers are hosted in a data center or in the cloud and whether endpoints are traditional computers or mobile devices. While employees cannot always predict the future, organizations will be ready to handle future risks with the right security technologies and processes in place.