The cyber security industry has witnessed a significant escalation in the global threat level during 2016. Against a backdrop of increasingly sophisticated attacks as well as political and economic uncertainty, here are my predictions for the year ahead.
1. More widespread use of VPNs to evade new government spying measures
With news that the government’s Investigatory Powers Bill will come into effect by the end of the year, more and more people are likely to turn to Virtual Private Networks (VPNs) to conceal their activity online.
Despite criticism from privacy campaigners as well as major technology and internet companies, the new bill, dubbed the Snooper’s Charter, will require, among a variety of new measures, web and phone companies to store records pertaining to their customers’ web browsing for 12 months. This is so that users’ online habits, subject to a warrant, can be inspected by law enforcement as well as security and intelligence agencies.
VPNs work by routing network traffic across a private tunnel to a server, which can be located anywhere in the world. This process enables web users to conceal their location so that they can surf the Internet anonymously.
The introduction of the Investigatory Powers Bill will likely result in an increasing number of web users turning to VPNs and Tor in 2017 to avoid their use of websites and services like instant messaging applications being disclosed to the authorities. While this part of the bill isn’t designed to detect illegal activity outright (an application to acquire a person’s internet connection records will only be granted following a justifiable case), that won’t deter many users from wanting to conceal their activity on either shadowy or ethical grounds.
2. More industries to introduce cyber security frameworks
Fears around cyber-attacks eroding confidence in UK businesses are likely to place pressure on regulators and leading industry bodies to help their members implement tighter security measures.
Earlier this year, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) announced that, from 2018, it is introducing a set of mandatory security controls for customers of its financial messaging service. The news follows reports of criminals using the SWIFT platform to instigate fraudulent financial transfers, including February’s US $81m theft from the Bangladesh central bank.
Calls for similar programmes to help safeguard vital industries such as telecoms and utilities are likely to be heard in the New Year as organisations struggle to minimise their security risk.
Repeated attacks on key critical services that form the touchstones of the UK economy are likely to lead to more key industries reviewing security standards in 2017.
Cyber-attacks have the potential to cause severe financial and reputational damage, so increased focus on the tightening of controls across sectors including utilities and telecoms should be a highly positive development in the New Year to help maintain consumer confidence and support the government’s new £1.9bn National Cyber Security Strategy.
3. Wider calls for product security ratings
The security of smart devices was placed firmly in the spotlight in October after a distributed denial of service (DDoS) attack, which brought major internet companies to their knees, was reported to have exploited vulnerabilities in household items such as cameras, video recorders and kettles.
Concerned about the growing issue of security threats targeting these and other Internet of Things (IoT) devices, the government announced, as part of its new five-year National Cyber Security Strategy, that it intends to explore a safety ratings system for newly released products.
A ratings system will help consumers select products that provide greater levels of security and offer warnings when individuals are about to take an action that might compromise their personal information.
Instead of rushing products to market, manufacturers need to take a more responsible approach by making cyber security testing a fundamental part of the launch cycle. By improving the security of software and devices, vendors can help to better protect their customers by reducing zero-day exploits and damaging DDoS attacks that target insecure credentials.
The government’s willingness to consider a product rating system in 2017 is a positive step, but there’s an awful lot to consider, such as how standards will apply across categories. The sheer number of questions raised means that a classifications programme is likely to be a long way off.
In the meantime, organisations should make it a New Year’s resolution to harden the security of their products by implementing security testing and rewards programmes that involve a broad range of penetration tests and vulnerability assessments.
4. Increased targeting of drones by hackers
Drones have been used by the military for surveillance and attack for years. Their increasing adoption in commercial and personal life means that the likelihood of these machines being compromised and used for malicious intent will only increase in 2017, leading to added pressure on the government to regulate their use and activity in UK airspace.
Earlier this year, online retailer Amazon announced that it has started actively testing drones as a method of delivering orders to its customers. Reports have also surfaced of machines being used to deliver fast food and even drop contraband into prisons.
Doubts concerning how well the security of drones is tested, coupled with the narrow range of frequencies reserved for controlling such devices, make them a prime target for criminals and activists capable of using them as weapons. While drones and unmanned aircraft have great potential to improve the speed and efficiency of everyday services, their ability to inflict injury and damage means that the government and manufacturers need to place more emphasis on enhancing their security in 2017.
With frequent reports of even low-cost, commercially available drones being flown in unauthorised areas, even models used by amateurs are a threat in the wrong hands. Plans to update EU safety and privacy rules governing the use of drones, coupled with the introduction of the drone code, will definitely go some way to stem fears. More work will need to be done with manufacturers, however, to ensure that cyber security fears are fully addressed.
Robert Page, Lead Penetration Tester at Redscan