Category Archives: Security

Big Banks Increase Cybersecurity Investment to Stop Data Breaches


A recent article in Forbes Magazine reports that big banks including Bank of America and J.P. Morgan Chase are pulling out all the stops when it comes to their cybersecurity budgets. According to the article, B of A CEO Brian Moynihan has declared that cybersecurity is the only area of his company that has no budget constraints whatsoever. Another financial giant, J.P. Morgan, reportedly doubled its budget in 2015 from $250 million to $500 million.

The increased investment in cybersecurity should come as no surprise. As Infosecurity Magazine reported last year, the financial services industry is 300 times more likely to be the target of a data breach than any other sector. In another study, insurance company Lloyd’s of London found that cyber-attacks can cost organizations as much as $400 billion a year.

Putting more focus and dollars into data security is a wise move. However, improving security posture depends as much on what you invest in as on how much you spend. Like all industries, financial services is facing a growing number of threat vectors and security challenges, including dependence on cloud-enabled services, an explosion of mobile devices in the workplace, and BYOD, to name a few. These weaknesses are being exploited by increasingly sophisticated and well-connected criminal hacker syndicates and by nation-state attackers bent on thwarting whatever security solutions are put in their way. One only has to survey the high-profile data breaches of 2015 to realize that throwing more money at blocking threats from gaining entry won’t necessarily solve the problem.

The answer is not to abandon critical preventive measures such as AV/heuristic indexes, sandboxing and IPS. These are important technologies that have a place in a sound cybersecurity strategy. But organizations need to consider adding technology that can protect the network after evasive malware bypasses those defenses, yet before they have to call in the disaster recovery team to assess their losses. One way to accomplish this is to add traffic anomaly detection: technology that continuously monitors all outbound network traffic to detect anomalous behavior and contain suspicious data transfers before an active infection is discovered. Such technology can augment preventive measures like sandboxing, but it requires that banks and other organizations first accept that no security tool exists that can stop 100% of malware. Even with unlimited budgets, stronger cybersecurity readiness can’t begin without that acceptance.

NSA Chief Hacker Reveals How He Can Be Kept Away – Part 2


This is the second entry in a two-part series covering the NSA’s chief hacker’s recent talk at a security conference. Rob Joyce, the head of the Tailored Access Operations program put in place by the NSA to conduct cyberespionage operations on foes and allies alike, briefly revealed how state-sponsored hackers infiltrate their targets’ networks, often successfully.

Rob Joyce quickly ran through a list of to-dos for those who are looking to make his job harder. He could be forgiven for cutting short this particular portion of his talk.

Speaking candidly, the NSA hacker-in-chief explained that special access privileges to critical systems ought to be restricted to a select few. This inherently makes the NSA’s task harder, because the number of worthwhile targets is reduced. Furthermore, he nodded toward segmenting networks and vital information and data. Such a move makes it harder for hackers to reach what they’re looking for.

The NSA employee also recommends patching systems regularly. Application whitelisting is also important for trust. Hardcoded passwords are a strict no-no and ought to be removed. So too should legacy protocols that are no longer updated but are still functional. More specifically, protocols that transmit passwords in the clear should be curbed.

Joyce also pointed to roadblocks that make his job significantly harder. One such roadblock is an “out-of-band network tap.” This is a device that continually monitors network activity and maintains logs that can record anomalous activity. When a system administrator reviews and acts on these logs regularly, the game is up.

Another insight from Joyce goes against the popular opinion about how state-sponsored hackers at the NSA or other agencies around the world operate. He claimed that the NSA does not rely on zero-day exploits, not extensively anyway. He says the NSA doesn’t look heavily at zero-days, simply because it doesn’t have to.

“[With] any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days,” he says.

“There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.”

NSA Chief Hacker Reveals How He Can Be Kept Away – Part 1


The National Security Agency’s hacking chief reveals insights and tips to block the world’s best hackers.

Here’s how the NSA’s hacker-in-chief Rob Joyce began a recent talk at a security conference in San Francisco.

“I will admit it is very strange to be in that position up here on a stage in front of a group of people. It’s not something often done.”

“My talk today is to tell you, as a nation state exploiter, what can you do to defend yourself to make my life hard.”

As the head of the NSA’s Tailored Access Operations, the team tasked by the government with infiltrating the computer systems and networks of foreign adversaries and allies alike, Joyce himself made light of the awkward situation. He was in a room packed with security professionals, journalists and academics, telling them exactly how they could keep state hackers like him away from their computers and networks.

The NSA Trap

The NSA isn’t one to look for the login credentials of a targeted firm or organization’s management. Instead, the agency looks for the credentials of network and system administrators, those with high levels of network access and privileges. The NSA, as reported by Wired, also seeks out hardcoded passwords embedded in software. Similarly, the agency sniffs for passwords transmitted by legacy protocols. In short, the agency probes the entire sphere for weaknesses, and none of them goes unnoticed.

Joyce said:

“Don’t assume a crack is too small to be noticed, or too small to be exploited.”

If an organization ran penetration tests of its network and infrastructure and saw 97 devices pass while three failed, Joyce claimed, those three seemingly harmless vulnerabilities are the ones that the NSA or other state-sponsored attackers will see as sweet spots.

“We need that first crack, that first seam,” explained Joyce, noting that every single vulnerability matters. “And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”

If an organization is asked by a vendor to open up its network, however briefly, so that a problem can be fixed remotely, Joyce advises against it. Such a situation is just one of the many openings that nation-state hackers are looking for, he added.

Surprisingly, Joyce also pointed to personal devices, such as employees’ laptops running the gaming platform Steam, as a favorite attack target of the NSA. When an employee’s kids load Steam games onto the laptop and the laptop subsequently connects to the organization’s network, an attack vector is opened.

Basically, the NSA and state-sponsored spies and hackers in general are well equipped to get into a user’s network, simply because they know more about the network than most users do.

“We put the time in … to know [that network] better than the people who designed it and the people who are securing it,” he stated. “You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You’d be surprised about the things that are running on a network vs. the things that you think are supposed to be there.”

New Law on Sharing Threat Info Aimed at Preventing Data Breaches


High-profile data breaches seem to occur in an almost predictable cadence, and no industry is immune. This has frustrated organizations that want to believe their security is strong enough to keep them from experiencing the bottom-line-bashing data theft they see in the headlines. The fact that the majority of both business and government functions have gone digital opens up doomsday scenarios of which government agencies, from the state and local level up to the federal level, are well aware.

Another factor that should be cause for alarm is that some of these breaches are carried out using malware that’s been around for a while. For instance, reports at the time alleged that the Home Depot and Target data breaches were caused by variants of the same malware. This goes a long way toward confirming that organizations aren’t sharing threat information, which is the issue behind some recent legislation, the Cybersecurity Information Sharing Act (CISA). The new law is designed to incentivize private industry to share cyber threat information with the Department of Homeland Security (DHS). The incentives for participating include liability protection and safeguards for the trade secrets of businesses that choose to take part.

The information being sought includes security vulnerabilities, malware code, damages from past breaches, and the steps the organization took to mitigate known or unknown threats.

While a move to more information sharing as a way to increase cybersecurity seems like a good idea, a recent article in Forbes Magazine entitled, Big Decision Time for Business As Cyber Security And Privacy Collide Again, points out a couple of reasons businesses might resist participation.

  • Proponents of the law can’t point to a single data breach that this legislation would have prevented, begging the question, why do we need this law?
  • Businesses may be concerned that the information they provide to DHS could be passed on to the NSA, an agency whose history displays a decided lack of concern for privacy rights.
  • Companies may feel compelled to ignore these concerns because not participating in the CISA sharing programs may deprive them of critical threat information they need.

As the Forbes writer points out, making the sharing of threat information a matter of law is a small but critical step in supporting an atmosphere of intelligence sharing that will benefit everyone in the long run. He also points out that businesses in some industries are already sharing this sort of information, which is encouraging. Each of these steps represents an advancement in the war on cyber threats in which we all participate, whether we know it or not. Any action that moves us forward, no matter how small, should be welcomed.

PROPOSED STATE BANS ON PHONE ENCRYPTION MAKE ZERO SENSE


American politics has long accepted the strange notion that just a pair of states—namely Iowa and New Hampshire—get an outsize vote in choosing America’s next president. The idea of letting just two states choose whether we all get to have secure encryption on our smartphones, on the other hand, has no such track record. And it’s not a plan that seems to make much sense for anyone: phone manufacturers, consumers, or even the law enforcement officials it’s meant to empower.

Last week, a California state legislator introduced a bill that would ban the retail sale of smartphones with that full-disk encryption feature—a security measure designed to ensure that no one can decrypt and read your phone’s contents except you. The bill is the second piece of state-level legislation to propose that sort of smartphone crypto ban, following a similar New York state assembly proposal that was first floated last year and re-introduced earlier this month. Both bills are intended to ensure that law enforcement can access the phones of criminals or victims when their devices are seized as evidence.


Those two proposed crypto bans have put another twist in an already tangled debate: The privacy and cryptography community has long opposed any such “backdoor” scenario that gives cops access to encrypted smartphones at the risk of weakening every device’s data protections. But legal and technical experts argue that even if a national ban on fully encrypted smartphones were a reasonable privacy sacrifice for the sake of law enforcement, a state-level ban wouldn’t be. They say the most likely result of any state banning the sale of encrypted smartphones would be to make the devices of law-abiding residents more vulnerable, while still letting criminals obtain an encrypted phone with a quick trip across the state border or even a trivial software update.

Crypto Has No Borders

If the New York and California smartphone encryption bans passed, a company like Apple that sells encrypted-by-default iPhones would have three options, argues Neema Singh Guliani, an attorney with the American Civil Liberties Union: It could cease to fully encrypt any of its phones, contradicting a year of outspoken statements on privacy by its CEO Tim Cook. It could stop selling phones in two of America’s richest states. Or finally, it could create special versions of its phones for those states to abide by their anti-encryption laws.

The last of those scenarios is Apple’s most likely move, says Singh Guliani, and yet would result in a “logistical nightmare” that still wouldn’t keep criminals from encrypting their phones’ secrets. She compares the laws to state-wide liquor regulations: “People will travel over the border to buy alcohol in states with the standards that suit them,” she says. If consumers will cross borders to fill a booze cabinet, what’s to prevent New York criminals from foiling surveillance with New Jersey iPhones? “Nothing would stop those who wanted a more privacy protective phone to get one from out of state.”

In the hypothetical future where the state bills have passed, fully encrypting an iPhone might not even require buying an out-of-state device, but merely downloading out-of-state firmware. After all, it’s unlikely Apple would go to the expense of manufacturing different hardware for its phones to disable encryption in some of them, argues Jonathan Zdziarski, an iOS forensics expert who has worked with police to decrypt phones. “That would be a massive technical change to support this kind of device,” Zdziarski argues. “It would be literally cheaper for Apple to stop selling phones in California altogether.” Instead, he says, it would likely sell the same hardware for all of its devices and merely disable full-disk encryption through a different version of its firmware activated at the time of the phone’s purchase. And nothing in the current bills would prevent Apple from making the fully encryption-enabled version of its firmware available to anyone who restores their device from factory settings.


In other words, that would make the New York and California crypto bans statewide bans on software, an idea roughly as practical as policing undocumented birds crossing the Mexican border. And if Apple were to try to accommodate the spirit of the law by preventing customers from restoring their phone with full-disk encryption inside California or New York, Zdziarski is confident iPhone owners could circumvent any location tracking, proxying their IP address or putting the phone in a Faraday bag to block its GPS. “This legislation is going to be technologically useless,” says Zdziarski. “Anyone who wants a device that doesn’t have law-enforcement-reversible encryption will be able to get one.”

Pressuring Congress

Neither Apple nor Google, which followed Apple’s lead last year by declaring that all devices running the latest version of Android will have default full-disk encryption, responded to WIRED’s request for comment on the California or New York bills. The office of New York Assemblyman Matthew Titone, who introduced the New York bill, tells WIRED that the state-level bill is meant to pressure Congress to follow with its own legislation. “When there’s no national legislation, states take efforts on their own to solve an issue,” says Titone’s chief of staff Chris Bauer. “That can speed the process along to make the federal government take steps.”

Skyler Wonnacott, the director of communications for the California bill’s sponsor Assemblyman Jim Cooper, offered a similar argument. “California is leading the fight…It’s got to start somewhere,” Wonnacott says. “Just because you can drive into Nevada and buy a phone or download software doesn’t mean there isn’t an issue and these phones aren’t used in crimes.”

Congress has yet to introduce legislation to limit full-disk encryption in smartphones, despite several congressional hearings over the last year in which officials, including FBI Director James Comey and New York District Attorney Cyrus Vance, warned of the dangers of allowing criminals access to devices with data they couldn’t decrypt. (Vance said at the time that New York police had been stymied by smartphone encryption 74 times in the nine months before the hearing, out of roughly 100,000 cases it deals with in a year.) A spokesperson in Vance’s office writes to WIRED that the DA’s office pushed for state legislation, and still hopes to find a compromise with device makers. “When Apple and Google announced the switch to full-disk encryption…with no regard for the effect it would have on local law enforcement and domestic crime victims, they left us with no choice but to seek legislative solutions at all levels, state and federal,” writes the district attorney’s director of communications Joan Vollero. “If the companies have a solution, we encourage them to engage in a productive dialogue.”

Constitutional Questions

But even if state laws do put pressure on Apple and Google to cave on encryption, they may do so unconstitutionally, says Andrew Crocker, an attorney with the Electronic Frontier Foundation. He says statewide smartphone encryption bans may fall under the “dormant Commerce Clause,” which gives the exclusive right to regulate commerce between states to the federal government. “States don’t have unlimited power to enact regulations to burden interstate commerce,” says Crocker. “If I’m Apple, this seems like a huge burden on my business.”

Congress, on the other hand, would have the power to ban default full-disk encryption in smartphones—though they’d do so against the advice of nearly every technical expert in the field of cryptography. In July of last year, for instance, 15 renowned cryptographers published a paper cautioning against any deliberate weakening of encryption for the sake of law enforcement. “New law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” the paper reads. “The prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.”

And Crocker reiterates that state-level bills wouldn’t be just problematic or risky, but “wildly ineffective,” as those who want encryption will easily get it from out of state—in either software or hardware form. The technologically savvy will use it to defeat police surveillance or to protect their phone from hackers and thieves, while the average smartphone user’s data will be left more vulnerable. “The ones who will actually be impacted are the less sophisticated people who don’t know how to get this protection,” says Crocker. “You’re looking at a cost that falls on innocent people, not criminals or terrorists.”

Organizations Still Paying Breach Costs After Remediation

A new report from the SANS Institute examines the costs that organizations deal with after they clean up from a breach.

Data breaches often result in myriad costs for victimized organizations and individuals. A new study from SANS Institute, sponsored by Identity Finder, found that even after organizations remediate the immediate cause of a breach, there will still be ongoing cost consequences.

Barbara Filkins, senior analyst at the SANS Institute, wanted to take a different tack on the analysis of data breach costs than other reports, notably the Ponemon Cost of a Data Breach report and the Verizon Data Breach Investigations Report (DBIR). (The 2015 Ponemon Cost of a Data Breach report, sponsored by IBM, found that the average cost of a data breach is $3.8 million.) In Filkins’ view, the other reports focus on the front-end costs of data breaches as opposed to what can be done to mitigate the damage after an attack.

At the top end, the SANS report found that 31 percent of the surveyed organizations incurred post-breach costs of between $1,000 and $100,000 as a result of a data breach, and 23 percent experienced costs of $100,000 to $500,000.

Looking at the root causes of the data breaches, 35 percent of respondents noted that a hacking or malware attack was the primary vector. The study also asked about how long it took organizations to fully remediate a breach, with 38 percent of respondents reporting it took three months or longer.

Going a step further, even after the breach remediation was considered to be complete, most respondents experienced residual issues, including potential litigation, fines and brand reputation concerns. Only 35 percent reported that they had no lingering effects after a breach was considered to be remediated.

As to why some organizations have no lingering effects, Filkins said it all has to do with the nature of the breach and the difficulty of understanding costs. There are some obvious items that are considered to be post-breach costs, including identity monitoring services, but when it comes to the lingering costs, it’s not as easy to quantify the impact on brand reputation and stock prices, for example, she added.

According to Todd Feinman, CEO of Identity Finder, the path to helping minimize the costs of a data breach involves classifying data so that organizations understand where the risks are. The reality is that breaches are now a fact of life and it’s difficult to prevent all breaches from happening, he said. Taking that as a baseline, Feinman suggests that just because there is a security incident, it doesn’t necessarily have to turn into a large-scale data breach.

“If organizations want to minimize the costs of an attack or a data breach, you have to know where the sensitive data is and keep it as small a footprint as possible and make sure that it doesn’t leave the organization,” he said.

Identity Finder develops its own tool for data loss prevention called Sensitive Data Manager, which was updated this week to version 9.0. The new release includes improved data classification capabilities.

“There is no single technology, including ours, that is a silver bullet to prevent data breaches and related costs,” Feinman said. “It’s all about people, process and technology.”

The Danger of Fake Patches


We talk a lot about threats to data security on this blog, and personal experience has probably acquainted you with everything from Trojan Horses to phishing.

Here’s a particularly sneaky threat that’s becoming more and more common: fake patches.

Part of what makes them a problem is that, unlike those spam e-mails from people and companies you don’t know, fake patches can look like perfectly reasonable notices from software services or programs you’d expect to receive patches from, like Adobe or Google Chrome. The fake updates display the company logo, so they seem real enough. Just last year, in fact, hackers sent out a fake version of Java Update 11 that contained malware.

How well-equipped you are depends, not surprisingly, on the security measures you have in place. Keeping the auto-update feature on is good practice, provided your software is designed to identify incoming patches and make sure they’re genuine. Even then, it’s possible for malware to use a fraudulent certificate to get around an auto-update program.
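The check the paragraph above relies on, an updater deciding whether an incoming patch is genuine, comes down to verifying the patch against a publisher key the client already trusts. The following is an added example, not code from the original post or from any vendor it names: the client pins the publisher’s Ed25519 public key at install time, so a patch signed with any other key (however legitimate-looking its certificate) and a genuine patch whose bytes were altered both fail. The file name "java-update-11.exe", the payloads and the keys are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a patch as a client downloads it: the payload plus the
// signature the publisher attached. The signer's key is deliberately NOT
// part of the download; the client pins the publisher's public key when
// the software is first installed and trusts nothing else.
type Update struct {
	Name      string // constructed sample name, e.g. "java-update-11.exe"
	Payload   []byte
	Signature []byte
}

var errUntrusted = errors.New("update rejected: signature does not verify against the pinned publisher key")

// digest binds the update's name to its bytes so a signature that is
// valid for one file cannot be replayed on a differently named file.
func digest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name/payload boundary cannot shift
	h.Write(payload)
	return h.Sum(nil)
}

// signUpdate is the publisher side: what a genuine build pipeline does
// with its private key before publishing a patch.
func signUpdate(name string, payload []byte, priv ed25519.PrivateKey) Update {
	return Update{Name: name, Payload: payload, Signature: ed25519.Sign(priv, digest(name, payload))}
}

// verifyUpdate is the client side. Only the pinned key counts, so a patch
// signed with some other key fails here, as does a genuine patch whose
// bytes or file name were changed after signing.
func verifyUpdate(u Update, pinned ed25519.PublicKey) error {
	if len(pinned) != ed25519.PublicKeySize || len(u.Signature) != ed25519.SignatureSize {
		return errUntrusted
	}
	if !ed25519.Verify(pinned, digest(u.Name, u.Payload), u.Signature) {
		return errUntrusted
	}
	return nil
}

func main() {
	// Constructed demo keys: the real publisher's and an impostor's.
	publisherPub, publisherPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := signUpdate("java-update-11.exe", []byte("installer bytes"), publisherPriv)
	fmt.Println("genuine update:", verifyUpdate(genuine, publisherPub))

	// Same file name and the same logo-laden installer, but signed by the impostor.
	fake := signUpdate("java-update-11.exe", []byte("installer bytes + malware"), impostorPriv)
	fmt.Println("impostor-signed update:", verifyUpdate(fake, publisherPub))

	// Genuine signature, but the payload was swapped after signing.
	tampered := genuine
	tampered.Payload = append([]byte{}, genuine.Payload...)
	tampered.Payload[0] ^= 0xff
	fmt.Println("tampered update:", verifyUpdate(tampered, publisherPub))
}
```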

There are a number of things you can do to minimize risk. Cutting down on Shadow IT and foreign software on corporate machines makes it harder for hackers to send fake patches. A robust antimalware service is another step.

But at the end of the day, just being smart and cautious goes a long way. Fake patches often look suspicious in the same way spam e-mails look suspicious. They might have misspellings or they just don’t look like a software update you’re accustomed to seeing. They might even ask you to pay for the software they’re asking you to download.

Little things like avoiding pop-ups and scanning and cleaning your computer help, too. And, as always, talk with the IT department and back up your files. Communication and stored, safe files will ensure a small problem doesn’t become a big one.

FTC: Big data and IoT spawn new data concerns

The ongoing collision of big data and the internet of things raises whole new concerns about maintaining security, privacy, and fairness of personal data, says Julie Brill, member of the Federal Trade Commission.

Brill spoke earlier this month at the Cyber Security and Privacy Summit hosted by Washington State Gov. Jay Inslee.

“The data from connected devices will be deeply personal, and big data analytics will make the data more readily actionable,” said Brill. “Some of these devices will handle deeply sensitive information about our health, our homes, and our families. Some will be linked to our financial accounts, and some to our email accounts.”

However, she added that people won’t change much.

“We as individuals will remain roughly the same. We will not suddenly become capable of keeping track of dozens or hundreds of streams of our data, peering into the depths of algorithmic decision-making engines, or spotting security flaws in the countless devices and pieces of software that will surround us,” she warned.

Faced with a world of uncertainty about which devices are safe and whether they are getting a fair shake in the big data world, Brill continued, “consumers could use some help.”

Major inroads possible into our lives

This rapidly evolving environment raises issues that have yet to be resolved. Brill divided the issues into the three areas of security, privacy, and fairness:

1. Security

“Because these connected devices are linked to the physical world, device security also is a top concern,” she said. To wit:

No armor. Of the 90% of connected devices that are collecting personal information, 70% transmit the data without encryption.

No expertise or recognition. Traditional goods manufacturers may not have the expertise, or even realize they need such expertise, to secure their new devices.

Cheap as dirt. Many connected devices will be inexpensive and essentially disposable.

Just because the plug fits … Security vulnerabilities may be hidden deep in the code that runs an app or device, which may not become apparent until it is connected to an environment for which it wasn’t designed.

“All of these factors point to the need to take an all-hands-on-deck approach to data security, with security researchers playing an important role in bringing security flaws to light,” Brill said.

2. Privacy

“Consumers want to know—and should be able to easily find out—what information companies are collecting, where they’re sending it, and how they’re using it,” said Brill. She said that information plays an important part in consumers’ decisions about whether to use digital products and services in the first place.

However, obstacles have emerged:

Didn’t know they were watching. Many companies, including data brokers, ad networks, and analytics firms operate in the background with consumer data.

Devices give no clues. Many connected devices do not have a user interface to present information to consumers about data collection.

Queries not answered. Questions have arisen about who should receive disclosures about data collection and use practices; how would consumers or innocent bystanders know when a device is recording images or audio; and how will the collected data be secured.

Brill said that manufacturers of connected devices should recognize that providing transparency will require some creative thinking.

“Visual and auditory cues, and immersive apps and websites should be employed to describe to consumers, in a meaningful and relatively simple way, the nature of the information being collected … and provide consumers with choices,” Brill said.

3. Fairness

Certain data brokers assemble individual profiles on consumers from various sources which are used for marketing practices.

On such firms specifically, Brill said that “while this kind of information can be used for relatively benign purposes, or even in ways that will enhance financial inclusion, this kind of information has also been used to harm vulnerable consumers.”

Again, pairing big data with internet of things in this area creates new concerns:

Credit scores used beyond credit world. The use of scores, such as credit scores, can go beyond decisions about mortgages, for example, to other major decisions such as whether a prospective employer would extend a job offer to a given applicant, or whether insurance companies would charge higher premiums on auto or homeowners insurance.

Scores grown outside the regulatory zone. The use of many different types of scores has proliferated to make eligibility determinations covered by the Fair Credit Reporting Act, yet they haven’t yet been subject to the same kind of scrutiny that Congress and federal agencies have brought to bear on traditional credit scores.

It all happens in a black box. Scoring algorithms and other forms of big data analytics rely on statistical models and data system designs that few on the outside understand in detail.

“This suggests that testing the effects of big data analytics may be a promising way to go,” Brill said, adding that “companies using scoring models should themselves do more to determine whether their own data analytics result in unfair, unethical, or discriminatory effects on consumers.”

In summary she says, “For now, the rapid changes in big data analytics and the internet of things have made it difficult to meet some of these expectations in practice. The key point, however, is that these are the enduring expectations of consumers, rather than relics of a simpler world.”

Continued Breaches Show Dropbox Not Secure Enough for Small Businesses


I’m just going to come out and say it: Dropbox on its own is not secure enough for businesses. Bugs and open-doors leave sensitive files open for viewing and who knows what can happen if your classified information falls into the wrong hands. If you’re sharing files with coworkers by sharing Dropbox links, cease and desist! You are potentially leaving your files open to the masses.

Problem
Dropbox is currently the top dedicated cloud storage provider, hitting 200 million users back in November 2013. Unfortunately for business users, Dropbox is also the most targeted cloud service by hackers and thieves. Remember when hackers held 7 million Dropbox passwords ransom? Not only is Dropbox prone to cyber-attacks, but it also suffers from bugs and leaving open doors. In October 2014, Dropbox released an update with a bug that deleted user files, making backup on Dropbox inadequate for business. File deletion!? Then what’s the point of storing files in the cloud anyway?

Prior to this incident, a cloud-based file locker, Intralinks, found that Dropbox users were unknowingly allowing private data to be read by third parties because their shared files were being indexed by search engines. Links that you had shared with colleagues were being indexed by Google, Yahoo! and Bing, and anyone, a competitor included, who searched for keywords matching your link could click through and open your files without you knowing. As you can see, saving sensitive company information with Dropbox carries significant risk for business users.

Challenge
Many employees already use Dropbox to quickly store company files. The more employees that use Dropbox to store files, the more exposed the company is to information leaks. Although Dropbox encrypts your files at rest on its servers, that is not enough to protect them in a breach, because Dropbox generates and holds your files’ encryption keys. Dropbox already decrypts your files to render previews, which is only possible because its servers have the keys. Dropbox has even changed its privacy terms to give itself the right to share data collected from your files. Depending on the sensitivity of your data, you may want to consider encrypting it with third-party software before it ever reaches the Dropbox cloud, so that the keys stay with you. This would allow you to experience the convenience and value of Dropbox without compromising security.
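As an added example of the client-side approach just described (this is not code from the original post, nor anything Dropbox ships), the Go program below encrypts a document with AES-256-GCM under a key generated and kept on your own machine, before the file is dropped into the synced folder. The file name is bound into the ciphertext as associated data, so a document that is renamed or swapped for another one in a shared folder fails to open. The key handling (kept outside the synced folder), the file name and the document contents are assumptions made up for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Illustrative client-side file encryption, added here as an example; not
// Dropbox's code. Assumed design: a 256-bit key generated locally and stored
// outside the synced folder (e.g. in the OS keychain), never uploaded.

const keySize = 32 // AES-256

// newKey generates a random 256-bit key on the client.
func newKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealFile encrypts plaintext with AES-256-GCM. The file name is passed as
// associated data so that a ciphertext renamed or swapped for another file in
// the shared folder fails authentication on open.
// Output layout: nonce || ciphertext || GCM tag. The nonce is public.
func sealFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openFile reverses sealFile and rejects anything that was modified,
// truncated, or renamed since it was sealed.
func openFile(key []byte, name string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed file too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document standing in for a real spreadsheet.
	doc := []byte("Q3 payroll: alice 9200, bob 8700")
	sealed, err := sealFile(key, "payroll-q3.xlsx", doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes -> %d bytes\n", len(doc), len(sealed))

	// What Dropbox, or anyone holding a leaked share link, can see: only this.
	if bytes.Contains(sealed, []byte("alice")) {
		panic("plaintext leaked into ciphertext")
	}
	// Normal round trip on the client that holds the key.
	back, err := openFile(key, "payroll-q3.xlsx", sealed)
	if err != nil || !bytes.Equal(back, doc) {
		panic("round trip failed")
	}
	// Flipping one byte of the stored file is detected.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := openFile(key, "payroll-q3.xlsx", tampered); err == nil {
		panic("tampered ciphertext accepted")
	}
	// Renaming the file (swapping it for another document) is also detected.
	if _, err := openFile(key, "bonus-plan.xlsx", sealed); err == nil {
		panic("renamed ciphertext accepted")
	}
	fmt.Println("round trip ok; tampered and renamed ciphertexts rejected")
}
```

The value here is in what Dropbox never receives: the key. A breach of Dropbox, a leaked share link or a search-engine-indexed URL yields only ciphertext, and because GCM authenticates the data, a file quietly altered on the server side is rejected rather than silently synced back to every device.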

Biggest cybersecurity threats in 2016


Headless worms, machine-to-machine attacks, jailbreaking, ghostware and two-faced malware: The language of cybersecurity incites a level of fear that seems appropriate, given all that’s at stake.

In the coming year, hackers will launch increasingly sophisticated attacks on everything from critical infrastructure to medical devices, said Fortinet global security strategist Derek Manky.

“We are facing an arms race in terms of security,” said Manky. Fortinet provides network security software and services, and its customers include carriers, data centers, enterprises, distributed offices and managed security service providers.

Here’s how the 2016 threat landscape looks to some experts:

“Every minute, we are seeing about half a million attack attempts that are happening in cyber space.” -Derek Manky, Fortinet global security strategist

The rise of machine-to-machine attacks

Research company Gartner predicts there will be 6.8 billion connected devices in use in 2016, a 30 percent increase over 2015. By 2020, that number will jump to more than 20 billion connected devices, predicts Gartner. Put another way, for every human being on the planet, there will be between two and three connected devices (based on current U.N. population projections).

The sheer number of connected devices, or the “Internet of Things,” presents an unprecedented opportunity for hackers. “We’re facing a massive problem moving forward for growing attack surface,” said Manky.

“That’s a very large playground for attackers, and consumer and corporate information is swimming in that playground,” he said. Many consumer connected devices do not prioritize security. As they proliferate, expect the number of attacks to skyrocket. “A lot of these products and services, oftentimes security will take a backseat, so it puts a lot of information at risk,” said Manky.

In its 2016 Planning Guide for Security and Risk Management, Gartner puts it like this: “The evolution of cloud and mobile technologies, as well as the emergence of the ‘Internet of Things,’ is elevating the importance of security and risk management as foundations.”

Smartphones present the biggest risk category going forward, said Manky. They are particularly attractive to cybercriminals because of the sheer number in use and multiple vectors of attack, including malicious apps and web browsing.

“We call this drive-by attacks — websites that will fingerprint your phone when you connect to them and understand what that phone is vulnerable to,” said Manky.

Apple devices are still the most secure, said Manky. “Apple’s had a good security policy because of application code review. So that helps, certainly, to filter out a lot of these potential malicious applications before they make it onto the consumer device,” he said.

“With that, nothing is ever safe,” he said.


Are you nurturing a headless worm?

The new year will likely bring entirely new worms and viruses able to propagate from device to device, predicts Fortinet. 2016 will see the first “headless worms” — malicious code — targeting “headless devices” such as smartwatches, smartphones and medical hardware.

“These are nasty bits of code that will float through millions and millions of computers,” said Manky.

Of course, the potential for harm when such threats can multiply across billions of connected devices is orders of magnitude greater.

“The largest we’ve seen to date is about 15 million infected machines controlled by one network with an attack surface of 20 billion devices. Certainly that number can easily spike to 50 million or more,” said Manky. “You can suddenly have a massive outage globally in terms of all these consumer devices just simply dying and going down.”


Jailbreaking the cloud

Expect a proliferation of attacks on cloud and cloud infrastructure, including so-called virtual machines, which are software-based computers. There will be malware specifically built to crack these cloud-based systems.

“Growing reliance on virtualization and both private and hybrid clouds will make these kinds of attacks even more fruitful for cybercriminals,” according to Fortinet.

At the same time, because apps rely on the cloud, mobile devices running compromised apps will provide a way for hackers to remotely attack public and private clouds and access corporate networks.

Hackers will use ghostware to conceal attacks

As law enforcement boosts its forensic capabilities, hackers will adapt to evade detection. Malware designed to penetrate networks, steal information, then cover up its tracks will emerge in 2016. So-called ghostware will make it extremely difficult for companies to track exactly how much data has been compromised, and hinder the ability of law enforcement to prosecute cybercriminals.

“The attacker and the adversaries are getting much more intelligent now,” said Manky.

Alongside ghostware, cybercriminals will continue to employ so-called “blastware,” which destroys or disables a system once it is detected. “Blastware can be used to take out things like critical infrastructure, and it’s much more of a damaging attack,” he said.

“Because attackers may circumvent preventative controls, detection and response capabilities are becoming increasingly critical,” advises Gartner in its report.


Two-faced malware

Many corporations now test new software in a safe environment called a sandbox before running it on their networks.

“A sandbox is designed to do deeper inspection to catch some of these different ways that they’re trying to change their behaviors,” said Manky. “It’s a very effective way to look at these new threats as we move forward.”

That said, hackers in turn are creating malevolent software that seems benign under surveillance, but morphs into malicious code once it’s no longer under suspicion. It’s called two-faced malware.

This is at least part of the reason the sheer volume of attacks is so high: Fortinet sees half a million security threats per minute.

“The reason we see so much volume as well is because cybercriminals are trying to evade [detection]. They know about security vendors, they know about law enforcement, they’re trying to constantly morph and shift their tactics,” said Manky.


What can companies and individuals do to protect themselves?

“Companies should definitely enforce more security policies,” said Manky. “Security’s becoming a board level discussion, so that’s already happening, and it should continue to happen.”

Part of any cybersecurity strategy should be the use of antivirus software, educating employees not to click on unknown attachments or links, and keeping software up to date, also known as patch management.

“A lot of these devices are not going to be patched that quickly or they might not have an update mechanism on them,” said Manky. “Certainly, any time a patch becomes available, companies should enforce that because these are closing a lot of the holes where attackers are navigating through.”

Here is how Gartner frames it for businesses seeking to protect themselves in 2016: “While some traditional controls have or will become less effective, techniques such as removing administrative privileges from endpoint users should not be forgotten. Similarly, vulnerability management, configuration management and other basic practices have to be priorities in organizations that have not yet implemented them effectively.”

And ultimately, something is better than nothing, advises the firm: “Addressing priorities does not mean striving for perfection, but rather ensuring, at least, that critical exposures are remediated (or, if applicable, mitigated with compensating controls) and that the residual risks are minimal and acceptable (or at least enumerated and tracked).”