The year 2017 was rife with news of malware, social engineering attacks, and big data breaches. The most infamous of these are the claims of state-sponsored attacks involving Russia’s interference in the 2016 French and U.S. presidential elections, attribution of the massively successful “WannaCry” ransomware to North Korea, and news of a data breach at Equifax involving the personal information of more than 143 million people. What is not so famous, but likely experienced by nearly every person in the U.S. at some point over the past year, are the many, many scams executed through email and phone calls aimed at obtaining personal information or money. These scams claim to be the “help desk”, the “IT department”, Microsoft security, the IRS, or county or state prosecutors, among many other pretexts, and try to scare people into opening their pocketbooks, providing personal information, or even granting remote access to their computers.
Like each year before it, 2017 followed the trend reported in detail by Verizon, McAfee, Symantec, FireEye, Microsoft, IBM, and others: a year-over-year increase in the total number and severity of attacks. Given that there have not yet been any major advances in more secure technologies, major security-focused legislation, or people’s expressed willingness to make security a priority, and given that many of the breaches and other incidents rely on the fallibility of human trust, 2018 is not likely to break this trend. Here is what I think the world will experience in the coming year:
Far-reaching attacks
Security researchers continue to find and report more and more advanced vulnerabilities, as has already been shown with the revelation of the Meltdown and Spectre processor flaws, and this continues to provide malicious attackers with more creative ways to exploit large numbers of systems. Documented vulnerabilities simply give attackers new challenges to strive to overcome. Once a working exploit is released, as happened with “WannaCry”, government and independent hackers are hard at work trying to figure out exactly how they can use it to its fullest extent.
It is already known that adoption rates for patches remain relatively low. Many individuals and organizations simply do not regularly apply patches, for various reasons, leaving their systems completely vulnerable to the flaws that the patches are meant to correct. The longer a vulnerability has existed, the more likely it is to be exploited. Hackers know that large numbers of vulnerable computers exist, so they continue to try to exploit these vulnerabilities long after their fixes have been published. The greater the number of systems a vulnerability applies to, the greater the number of potential targets attackers have, and the more appealing the vulnerability becomes to exploit.
Big corporate and government data breaches
Compromising the personal information of employees and customers held by large corporations can accomplish several goals for an attacker. It can provide them with a treasure trove of information that can be sold and used for identity theft. Large breaches can also be used by state and politically motivated hackers to drive government regulation through embarrassment or the threat of releasing data that was stolen. These incidents can also be used to damage corporations through share prices, reputation, and blackmail.
Over the past several years, we have seen Sony, Neiman Marcus, Target, Home Depot, Michaels, UPS, Blue Cross Blue Shield, VTech, T-Mobile, the U.S. Office of Personnel Management, Ashley Madison, Equifax, Yahoo, Amazon, and many thousands of other companies fall victim to massive data breaches. So far this year, Forever 21, the U.S. Department of Homeland Security, and the Agency for Health Care Administration have already announced sizable breaches, and we’ve barely made it a week into January.
Social engineering scams
In its most basic form, social engineering is simply applying influence to get your way. This can be a good thing, and people often use it as they interact with each other. Fraudsters, though, have long used deception and manipulation in social engineering to victimize other people. The proliferation of technology around the world has provided a platform for these malicious social engineers to practice their nefarious deeds with far less risk of being caught than traditional con artists running scams like those in “Dirty Rotten Scoundrels”.
The Internet provides the ability for social engineers to target many thousands of people through email and even telephone scams while taking payments on the spot. It also allows them to cover their tracks better than ever before. Fraudsters who purchase their leads from the actors involved in big data breaches, like those mentioned previously, can even personalize their scams to the extent that they can be fairly convincing. This makes Internet-based fraud very lucrative and attractive.
Social engineers who are able to employ ransomware or run successful scams that allow them to demand payments from their victims are further supported by the legitimacy of Bitcoin and other unregulated and hard-to-track cryptocurrencies. These give them an ever easier way to take payment and move their ill-gotten gains without easily being tracked by law enforcement.
IoT botnets
The rapid adoption of shiny new internet-connected gadgets and “smart home” devices poses an interesting case study for cybersecurity. Very few of these devices have many, if any, security mechanisms built in to protect them from malicious intruders. They are relatively easily compromised and used by hackers to spy on people or to simply act as another zombie device in a larger botnet that can be used for larger-scale attacks.
At the beginning of 2018, there are more Internet of Things (IoT) devices than ever before, but very little is being done to secure them from those who would like to exploit them. They currently cannot and do not run security software like a typical computer, so they must be designed with security mechanisms built in or protected by external measures. Though there are a couple of new products on the market with this goal in mind, very few homes and businesses have yet deployed IoT security measures.