Partners are recognised as the weakest link
History suggests that enterprises aren’t doing enough to ensure that trusted partners maintain security to the same standards as their own. In the past we have seen this with the Target breach, which occurred when Fazio Mechanical, an HVAC vendor, was compromised. Likewise, the Office of Personnel Management (OPM) breach in the United States began with a compromise at KeyPoint Government Solutions.
Enterprises are increasingly outsourcing technology to streamline costs in areas that are not a core focus. For attackers, a supplier often has weaker security controls than the larger entity it serves, so a successful compromise can be a gold mine. Not only does the breach provide a backdoor into the original target, but it also opens doors to other enterprises being serviced by the same vendor. Hackers have learned from successful attacks exploiting such relationships and will accelerate their focus in this area in 2016.
Enterprises need to extend security policies and procedures beyond their own systems and personnel. Trusted partners should be expected to adhere to the same security controls and be subjected to audits and penetration tests to ensure that they are adhering to agreed-upon standards.
Ransomware wins the battle for the corporate wallet
Ransomware has managed to hit a sweet spot. Users are all too willing to begrudgingly pay an expensive but not excessive ransom in exchange for the return of their precious data. The wildly profitable CryptoLocker has attracted many clones since it was largely knocked offline following Operation Tovar.
Many of these clones, including more popular variants such as CryptoWall and TorrentLocker, largely followed the proven formula, but we’re starting to see variations such as ransomware focused on Linux and mobile platforms. The former is especially important as it’s more likely to impact the websites and code repositories of enterprises, who in our experience are also very willing to pay up rather than risk losing critical intellectual property.
Expect ransomware to become increasingly corporate-focused in 2016 and, as it does, enterprises won’t get away with paying consumer rates. The criminals behind the ransomware campaigns are savvy, and once they realise that they’ve locked up source code and financial documents that haven’t been properly backed up, you can expect prices to skyrocket… and be paid.
Android finally cleans up its act
Android is well on its way to becoming the Windows of the mobile malware world. With 99 per cent of mobile infections, Android is the only game in town when it comes to infected tablets and smartphones. Google Play has Bouncer and he’s done a fine job of keeping the miscreants out, but that’s of limited value when users are willing to go to shady Chinese app stores for cut-price versions of Candy Crush.
Google began making changes with Marshmallow, the latest Android flavour, when it switched to granular app permissions to make it clearer what control an app ultimately gains when installed. While cutting off third-party app store access altogether would alienate too much of the user base, expect the next iteration of Android to start cracking down on third-party app stores. Since Jelly Bean 4.2, embedded cloud-based anti-virus scanning has been available through the Verify Apps feature. While this is another improvement, it’s clearly not enough. Zscaler regularly identifies and blogs about apps from alternate Android app stores that are malicious in nature. Google will need to restrict the permissions available to apps not vetted through the Google Play submission process.
Expect side-loaded apps requesting administrator permissions to become a thing of the past. Google will also begin to mandate acceptable timeframes for patches and firmware upgrades, which are now largely under the control of the OEM partners. These steps won’t eliminate Android malware, especially with Android’s slow OS upgrade cycle, but they will raise the bar for third-party app stores, just as Bouncer did for Google Play.
Cyber criminals walk into the arms of terror groups
Terror organisations are continually searching for new avenues to instil fear and require significant funding to fulfil their hateful agendas. Skilled hackers can aid on both fronts. Cyber attacks can clearly be used by terrorists to obtain intelligence for future attacks, and we’re already seeing early signs of cyber attacks being used to cause physical damage. Last year, hackers caused significant damage to a German steel mill when they disabled systems responsible for controlling a blast furnace.
With almost all industries reliant on computerised systems, the potential attack surface is enormous and hacking has become extremely lucrative. The CryptoLocker ransomware authors, for example, were able to make millions in just a few short months. Such potential is surely in the sights of terror organisations, especially those such as ISIS, which have shown a new affinity for being tech savvy when it comes to recruiting and propaganda. Additionally, terrorists won’t need to acquire the required skills themselves, as there is no shortage of cyber criminals all too willing to rent their skills out to the highest bidder and look the other way.
Encryption is no longer the realm of geek speak
Encrypted communications have long been the bane of law enforcement and those in the intelligence communities. As privacy concerns mount, using strong encryption for messaging and data storage is no longer the realm of geek speak. It is quickly becoming not just an expected security feature, but a differentiating one. iOS now encrypts data by default and Android, while lagging behind, is fighting to get there. Popular chat applications like WhatsApp tout encryption as a key feature, and Apple’s iMessage app, which features end-to-end encryption and no central key store, is often referenced by law enforcement when arguing for a ‘back door’.
In the coming year this battle will come to a head. While politicians used to dance gingerly around the topic given the privacy abuses exposed by the Snowden revelations, recent terrorist attacks have brought this issue front and centre. Multiple pieces of legislation are sure to be introduced that will propose weakened encryption protocols or procedures to grant law enforcement access to decrypted communications as needed.
However, you can’t be ‘mostly secure’ any more than you can be ‘kind of pregnant’. This is one battle that will have serious repercussions for years to come. Here’s to hoping that Apple, Google, Microsoft, Yahoo! and the like manage to prevail.
Michael Sutton, CISO, Zscaler