We’re only halfway through the year and already we’ve seen some widespread cybersecurity threats and trends which are showing no sign of slowing. It’s important to take a moment to evaluate these trends, understand how to protect against them specifically and also interpret what they mean for 2018 and beyond.
The list below isn’t meant to scare you or to be 100% all-inclusive. Instead, it’s an overview of the threats we continue to face on a daily basis.
As a brief overview, ransomware is when an attacker gains access to a computer and/or server, encrypts the files and holds the encryption key for a ransom of usually a few hundred dollars in bitcoin or other currency.
We’ve already seen WannaCry and now Petya (and variations of both) cripple even the largest of global enterprises. The scale and profitability of these types of attacks will fuel more copycats and follow-ons. Luckily WannaCry was stopped by a cybersecurity blogger but that’s not always going to be the case.
Ransomware is particularly nasty in that the data is not only compromised but often lost, as the encryption cannot be reversed. Sometimes the key is not delivered when the ransom is paid, or is even maliciously deleted.
Many of the new ransomware attacks are getting more and more sophisticated, sometimes leveraging tools developed by the NSA and other state-level exploits which have recently leaked, making protecting against them more difficult.
To protect yourself from ransomware, be sure to keep your system up to date, and follow basic email security by not clicking on or opening anything you don’t recognize. Keep your system backed up regularly, so that if you do fall victim to an attack, you can restore to a recent snapshot with minimal downtime and data loss.
Every person and machine on the web uses APIs every day. They are everywhere, connecting sites and applications to services vital for today’s businesses.
For an introduction or refresher on “What’s an API?” Mulesoft has a wonderful intro video.
Many times APIs require a key or token to authenticate the request, so what happens when those keys are lost/stolen?
We recently had a great example in the OneLogin breach. An API key to their Amazon Web Services (AWS) account was compromised and used to access customer data. Even more damaging, the same API key was used to access and decrypt sensitive data stored on the service.
If you utilize APIs in your website or application (hint: you likely do), it is of the utmost importance to keep your authentication tokens and keys secure, and not in an email or on a sticky note on your desk. Additionally, if you are creating or providing an API, be sure to take into account the data it exposes when deciding whether to make it open (accessible by anyone) or closed (behind authentication).
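One way to check for the problem described above, as an added example that is not part of the original post: a Python scanner that flags AWS-style credentials pasted into text such as an email or a config file. The key formats are common heuristics (assumptions, not a guarantee), and every sample value is constructed.

```python
import math
import re
from collections import Counter

# Heuristic: AWS access key IDs are commonly 20 characters, a prefix such as
# AKIA (long-term) or ASIA (temporary) plus 16 uppercase letters/digits.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Heuristic: secret access keys are commonly 40 base64-style characters.
# That shape is too generic on its own, so it is paired with an entropy test.
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
# 40 hex characters (e.g. a git commit hash) always score below 4.0 bits per
# character, so this threshold keeps them out of the findings.
ENTROPY_THRESHOLD = 4.0

# Constructed sample: an email that leaks credentials. All values are fake.
SAMPLE = """\
From: dev@example.com
Subject: staging creds
aws_access_key_id = AKIACONSTRUCTED00001
aws_secret_access_key = cOnStRuCtEdSaMpLe/NotARealSecret+0123456
commit 0123456789abcdef0123456789abcdef01234567
"""

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(value):
    """Keep a 4-character hint so reports never repeat the credential."""
    return value[:4] + "*" * (len(value) - 4)

def scan(text):
    """Return (line number, kind, redacted value) for each suspected key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group())))
        for m in SECRET_CANDIDATE.finditer(line):
            if shannon_entropy(m.group()) > ENTROPY_THRESHOLD:
                findings.append((lineno, "possible_secret_key", redact(m.group())))
    return findings

if __name__ == "__main__":
    for lineno, kind, hint in scan(SAMPLE):
        print(f"line {lineno}: {kind} {hint}")
```

A hit means the key should be rotated and moved into a secrets store or environment variable, not just deleted from the message.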
This trend is really about the lack of strong encryption used in securing sensitive data. Strong encryption means implementing approved and validated encryption methods, with the keys stored in a separate system and environment from the encrypted data. Without proper key storage, you essentially tape the key to your front door.
So why is this? With strong encryption technology becoming more and more available and cost effective (free?!) why are we still seeing Personal Identification Information (PII) leaked out from unencrypted sources? To find the answer we can look at the General Data Protection Regulation (GDPR) coming into effect next year in the European Union. GDPR focuses on privacy of data and the concept of Data Protection by Design and Default. This is to push the development community to begin looking at security from the outset in the designing and planning stages of businesses, services and products.
Currently, what we’re seeing is a mentality of “bolt-on security”: the idea that a system can be secured after it’s been built. By not starting with the mindset of data security, we see these breaches where encrypting data is either not considered or ignored due to complexity/cost. GDPR, however, is set to enact stiff penalties for egregious privacy violations: up to 4% of global revenue or 20M Euros, whichever is greater.
This trend really should also be titled IoHT (Internet of Hacked Things).
As the Internet of Things (IoT) grows, so does the capability to create massive distributed denial of service (DDoS) attacks, which overload a single site or service until the computers running it fail and shut down, and to leak sensitive and private data.
We have to look no further than the attack on Dyn last year, which brought the internet to its knees for most of the US. In this attack, a botnet made of hacked IoT devices took down the DNS backbone of the internet. The ongoing threat of more and more powerful DDoS attacks grows each time a new IoT device is widely adopted.
Luckily, there are services available which will help mitigate DDoS attacks for websites and applications. In addition to the threat of DDoS attacks, the more devices society adopts into their lives which are always wired, always on, and always collecting data, the greater the risk to privacy. This risk is due to the trends listed above, all of which apply to IoT devices.
Think of it: in today’s “smart home” your devices know when you’re home or away, what you have in your fridge, what you watch on TV (and other devices), and even when your child is sleeping. Devices such as Amazon’s Echo or Google’s Home, and Apple’s upcoming HomePod, are always listening to their surroundings (unless told not to).
It doesn’t take much for a hacker to exploit any of the above trends to begin leaking data out of these devices.
After looking at these trends, you may see a bleak picture of the future. However, I believe the exact opposite is true! Each day new companies and services are starting to secure the services and products we consume.
Knowing the trends, knowing what to look for, and how to protect yourself and your business are keys to staying safe in our age of connectivity.
Hopefully this provides some insight into the threats we face today, offers hope that all is not lost, and encourages new and emerging technologies to come forward to protect our increasingly connected lives.