From Ashley Madison to TalkTalk, Stagefright to dodgy root certificates, 2015 was a memorable year for cyber security.
Growing trends like the rise of drones and the Internet of Things (IoT) generated a host of new threats. Researchers revealed attacks that could compromise connected devices such as cameras, cars and smart watches. Stagefright was at the top of the list of mobile security risks, allowing malicious users to exploit Android devices simply by sending a malicious MMS message.
On top of this, we have seen a vast increase in cloud take-up, opening up attack vectors and burdening perimeter security. With the blurring of network boundaries and the increasing number of connected devices, we are going to see even more attacks and vulnerability disclosures next year.
Attack of the drones
On top of wearables and sensors, 2016 is going to see the rise of a potentially more dangerous form of connected device: the drone. Consumer drones are big now and they will get even bigger in the year ahead. Expectations are that they will generate over £670 million in revenues. However, their increased popularity will also introduce new cyber security and physical security risks.
Drones serve a myriad of purposes, from military to agricultural to surveillance applications to even delivering packages from the sky. During the torrential December floods in Chennai, India, police used drones to locate and rescue 200 stranded citizens. While drones hampered efforts to battle a Los Angeles freeway fire this past summer, they could be used to detect and even drop water on fires in the future.
However, drones also present a wide range of risks, from privacy invasion to corporate espionage and terrorism. While news headlines tell of drone owners that have spied on their sunbathing neighbours, drones can also be used to snoop on confidential projects or gather competitive intelligence.
During the filming of The Force Awakens, Star Wars movie executives tried but failed to prevent drone owners from taking photos of their movie sets. Executives in other industries should also take heed. For example, oil exploration companies should be wary of competitors using drones to learn where they are drilling for oil. And IT administrators should make sure that drones do not gain access to corporate Wi-Fi networks by providing closer proximity for the use of sniffers and other snooping tools.
While drones do not pose as serious a threat as other cyber security attacks such as malware, IT administrators should consider the potential cyber or physical security risks that drones pose for their organisation in 2016.
IoT will gain notoriety as both an attack target and an attack source
The continued rapid growth in the Internet of Things (IoT) will not be limited to drones. We are going to see an increase in both the number and severity of active exploits of connected devices.
Analysts predict that there will be over five billion connected “things” by the end of 2016. As the number of devices leveraging personal information grows, we’ll start hearing about exploits targeting consumer-oriented IoT devices. This will lead to more vocal advocacy for consumer protection through government regulation, or more likely, industry-driven mandates similar to those defined by Payment Card Industry Data Security Standard (PCI DSS).
IoT-specific threats are exacerbated by a number of factors:
- The number of connected “things” is outpacing the ability to secure them
- The fact that many devices have little to no security built in
- There is no formalised process or standard for securing IoT devices
- An increasing number of devices provide access to personal information
- Meeting demand for capabilities will continue to be a higher priority than security
The cloud’s open
Connected devices’ need for flexible access to services means that today, many organisations are migrating their application servers to the cloud. Others are ditching existing applications and moving to software-as-a-service (SaaS) solutions such as CRM, HR, email and file-sharing apps. Organisations are also embracing cloud productivity apps such as Microsoft Office 365 and Google for Work.
The transition to cloud services has slashed costs and allowed easy access to business apps from any location. However, cloud applications have also introduced new security challenges.
- An increased attack surface: Before, attackers needed to gain access to the corporate network before they could probe and attack applications. With applications hosted in the cloud, malicious users can now attack apps from any location and any device.
- Uneven data monitoring and auditing: Organisations should track access to sensitive data to detect and stop suspicious activity and for forensics. It is much more difficult to monitor access to third-party SaaS applications than internal apps, however, because apps are hosted in the cloud and application traffic is often encrypted.
- Limited control over security: Organisations must rely on SaaS vendors to implement strong defences and fix vulnerabilities that arise quickly. While many SaaS vendors have undergone rigorous SAS 70 or ISO 27001 audits, they are also under pressure to rapidly innovate and to support Application Programming Interfaces (APIs) for third-party integration; business demands could lead to more vulnerabilities.
- Increased traffic at the network perimeter: The adoption of cloud-based services will inevitably increase the load on secure web gateways and perimeter firewalls. Since much of this traffic is encrypted, businesses must ensure that their security devices can keep up with demand.
What you can do to prepare for 2016
While it is challenging to predict which threats will cause the most damage in the future, we believe that trends like IoT, cloud and Internet-connected drones will introduce dangerous security risks in 2016.
To prepare for these risks, organisations should implement a multi-layered defence that can protect servers and endpoints, whether those servers are hosted in a data centre or in the cloud and whether endpoints are traditional computers or mobile devices.
While employees cannot always predict the future, organisations will be ready to handle future risks with the right security technologies and processes in place.
Kasey Cross, Senior Product Marketing Manager, A10 Networks