Every year seems to come with record-breaking amounts of new malware, and a few surprise attacks that nobody saw coming. It seems like 2014 has been filled with more than its fair share of major data breaches, beginning with the remnants of the fallout of the Target breach from late 2013, all the way up to the recent epic breach of Sony Pictures. The upside, even if it’s an after-the-fact trial-by-fire, is that organizations are quickly learning the importance of two-factor authentication, and streamlining incident detection and response processes.
The rise of the Internet-of-Things (IoT), 3D printers, tracking devices, and the continued shift toward cloud and mobile all present significant security challenges that businesses and consumers will have to address in the year to come, but that is really just the beginning of what’s in store. In addition to more of the above, I also expect to see a rise in the following security issues in 2015.
Unlike malware, muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign. Up until this point, cybercriminals have attained their resources by exploiting and compromising devices. But wouldn’t it be more efficient and much more profitable to pay for these resources and turn thousands of would-be victims into part of the attacker’s supply chain? I envision that this new form of muleware will be based on the anonymity of Tor networking, and commerce conducted via cryptocurrency such as Bitcoin. Marketplaces will connect the demand with the supply, and cybercrime will rise to an entirely new level, a level that we are not prepared to defend against.
The good news on this front is that authentication methods are getting stronger and the adoption of two-factor authentication is defeating historical brute-force password attacks. The bad news is that attackers are innovating and finding weaknesses in the re-authentication processes where standards are not widely adopted, and one service provider’s metadata may be used as another service provider’s validation secrets.
In 2012, we watched as tech journalist Mat Honan was compromised, costing him the loss of his digital journal. And in 2014, we saw call-forwarding features used to subvert Google’s two-factor authentication. In both cases, the attacker posed as the victim, claiming they were locked out of their account. Some systems use a series of questions to re-authenticate; others require you to disclose private information. But it appears that a very persistent and irate customer can almost always get their way, and this is not good when that person is the attacker.
In 2015, we will see a rise in this type of reflective re-authentication attack as attackers look for weaknesses along the authentication chain. Authentication systems in general focus on authenticating users, but when that user is in a state of recovery because they have been locked out for some reason, there is just too much flexibility in getting this unauthenticated user back to an operational state, and attackers will continue to defeat these methods until they are stronger.
Ransomware remains profitable, and cybercriminals are always looking for areas to grow their business. To date, victims have mainly been individuals with data from their computers or smartphones being held for ransom. But one industry at great risk here is healthcare. Three factors make it a highly attractive target for ransomware expansion in 2015: the mandate to move to electronic records, the sensitive nature of healthcare data, and the immaturity of the information security practices that exist in the healthcare industry today. This is a scary notion because we rely so heavily on the availability and accuracy of patient records. The cost of a compromise could range from an inconvenience to loss of life.
Ransomware has mainly been about holding your data captive through encryption, and unless you pay within a window of time – typically 48 hours – your data will be erased and you will not see it again. This would not matter if you had things backed up properly, but that remains a problem for everyone.
Extortionware is an expansion on ransomware whereby unless you pay a certain amount to the attacker, the data will be made public for all to see (or for more targeted disclosure). What if the data contains evidence of infidelity, for example? The list of possible incriminating data goes on and on, but you can see how this differs from ransomware. Much like spear phishing, this attack will be much more targeted, but attackers will net a higher take per victim, and those victims are less likely to involve law enforcement due to the sensitive nature of the data.
As I stated last year, while all of this is truly frightening, the good news is that security technologies and best practices are constantly improving as well. It is up to all of us to stay on top of the latest attack trends and continuously update our security strategies and arsenals to respond more effectively.