Security predictions that could make or break your company

Here are some best guesses about 2016 from more than a dozen vendors and analysts.

Look deep into my crystal ball

Not that those in the industry – even the best informed – have an infallible crystal ball. But an accurate prediction of what is on the horizon next year can help an organization protect itself better. A wrong one can mean less ability to prevent or respond effectively to a breach that can damage reputation, the bottom line and more. So, here are some best guesses about 2016 from more than a dozen vendors and analysts.

IoT, heal thyself

(Rapid7) The lack of security plaguing the Internet of Things will reach a critical level of both awareness and accountability. Pressure from the Federal Trade Commission and growing coverage in mainstream media will force vendors of IoT devices to take real responsibility for the security of their devices. The mass consumer market will drive creative and realistic solutions to the problems of old software, old build processes, and the fractured patch pipeline.

The perimeter is dead. Long live the micro-perimeter

(Lookout) The enterprise network perimeter is going to die and be reborn. This death has been widely exaggerated in the industry, but it will happen, and enterprises will start building micro-perimeters that protect individual applications and data stores.

ICS in the crosshairs

(Amit Yoran, RSA) Weak security in the connected and automated industrial control systems in the chemical, electrical, water, and transport sectors has led to a 17-fold increase in intrusions over the last three years. That weakness, combined with the growth in the use of cyber technology for terrorism, hacktivists and other actors, makes a critical breach of an ICS in 2016 increasingly likely.

Embedded trumps persistent

(Kaspersky) Advanced Persistent Threats as we know them will cease to exist, replaced by deeper, embedded attacks – memory-resident or fileless malware – that will reduce the traces left on an infected system and will therefore be harder to detect and trace back to the perpetrators.

Shake out the snake oil

(Amit Yoran, RSA) Foolish venture capital investments in strategies and technologies that are little more than snake oil will end. Organizations are learning that claims of being able to prevent advanced threat breaches are nothing more than fantasy. Expect to see a shakeout in the security industry as organizations’ understanding of advanced threats matures, and drives their security investment decisions.

Hacking back goes public

(DomainTools) At least one high-profile, successful counterattack will occur. A breached organization will identify, target, and compromise the hacker who breached them and will publicly acknowledge doing so.

Insider threat rising

(Imperva) Edward Snowden is the highest-profile example of the risk that insiders pose to organizations. Since then, other high-profile breaches have solidified the threat as real—for both attackers and organizations—resulting in an increase in malicious insider behavior as well as innovation in solutions for protection.

Machine Learning imperatives

(Palerra) Most enterprises have harnessed the power of Big Data to create better internal and external insights, but now companies must gain more value from that data, with an emphasis on real-time and predictive analytics. This is where machine learning will grow as it allows companies to do more with the data they have. In 2016, its use will become imperative.

Disrupting the disrupters

(DataVisor) In 2015, the war between online-to-offline (O2O) companies heated up. Uber invested more than $2 billion to expand in China and India. Rival car share service Didi invested over $2 billion in China and is also funding Lyft in the U.S. and Ola in India.

But this has come with a huge volume of user acquisition fraud, where drivers make hundreds to thousands of dollars per month in subsidies by registering multiple driver accounts and conducting fake rides. That will grow in 2016.

Dark Web’s bright future

(Booz Allen/Amit Yoran, RSA) The cyber threat facing the corporate sector – historically driven by state-sponsored attacks, organized crime and “hacktivists” – is poised to grow exponentially, due to an increasingly open, accessible market for cyber-attack tools on the Dark Web. With tools and services increasingly commoditized, the cost of attacking an organization is dropping dramatically, enabling more attacks that do not have financial gain as the primary focus. Sophisticated hacktivist collectives like Anonymous will be joined by relatively unsophisticated cyber vigilantes.

Your card is safer. You aren’t

(Javelin) Card-Not-Present (CNP) fraud will grow from $10 billion in 2014 to more than $19 billion in 2018. The increasing adoption of EMV cards and digital wallet solutions, such as Apple Pay and Google Wallet, will reduce point-of-sale system fraud and counterfeit credit cards. Unfortunately, that will push more fraudsters online to monetize fake and stolen credit cards.

IoT for ransom

(ThetaRay/Palerra/Blue Coat/LastPass) The Internet of Things will become an ever more fertile attack surface for governments, mercenaries, hacktivists and even terrorists. Many IoT devices lack significant memory space or OS capability, so treating them like endpoint agents will fail. Ransomware will gain ground on banking Trojans and extend into smart devices like coffee makers, refrigerators, baby monitors, cars, wearables and medical devices, often owned by wealthier and therefore more lucrative targets.

Extortapalooza

(RSAC Advisory Board/Kaspersky/ThreatStream) DOXing – public shaming and extortion attacks – which rose in 2015, will spike exponentially in 2016, as everyone from hacktivists to nation states embraces the strategic dumping of private pictures, information, customer lists, and code to shame their targets.

Ghosts of Internet Past

(Raytheon|Websense) The structure of the Internet is aging – forgotten and deferred maintenance will become a major, increasingly expensive problem for defenders. Among the problems: Alexa 1000 certificates not up to date; old and broken JavaScript versions that invite compromise; rapid OS updates and new trends in software end-of-life processes that cause havoc; and new applications built on recycled code with old vulnerabilities (think Heartbleed and POODLE).

At your criminal service

(Kaspersky/Seculert) The profitability of cyber-attacks means sophisticated criminal gangs with modern organizational models and tools will replace common cyber criminals as the primary threat. That, in turn, will draw mercenaries to meet the demand for new malware and even entire operations. The latter gives rise to Access-as-a-Service, offering up access to already hacked targets to the highest bidder.

Malicious e-commerce goes social

(DataVisor) Many traditional social networking sites such as Pinterest, Facebook and Twitter have announced plans to add “buy” buttons to their platforms in an effort to increase stickiness with their users and help monetize their user base. This will attract criminals looking to conduct fraudulent transactions on these platforms.

Passwords pass away

(Identity Automation) "No password" authentication methods will no longer be a pipe dream. Organizations will begin offering authentication methods that are a quicker and more seamless experience for users than passwords. They will include biometric, geolocation, Bluetooth proximity and pictographs.

The power of prediction

(Seculert) Prediction will emerge as the new Holy Grail of security. Prevention is passé, and even detection technologies will be supplanted by prediction, with machine learning becoming a key tool to help organizations anticipate where hackers will strike.

Cloud Wars

(DataVisor/Blue Coat) As more organizations store their most valuable data in the cloud (customer and employee data, intellectual property etc.), the bad guys will find a way to gain access to this data, using computation infrastructure, which allows them to hide easily behind legitimate network sources and thus remain anonymous.

Hackers will use credentials to cloud services as a major attack vector. Social engineering tactics will focus on mimicking cloud login screens to gain credentials.

Crime piggybacks politics

(Raytheon|Websense) The U.S. elections will drive significant themed attacks. Attackers will use the attention given to political campaigns, platforms and candidates, as an opportunity to tailor social engineering lures. Others will focus on hacktivism, targeting candidates and social media platforms.

Getting physical

(Seculert/Imperva/DomainTools/ThreatStream) 2016 will witness the world’s first openly declared cyberwar, where the primary goals of the attackers – hacktivists, nation states or terrorists – are not financial but to cause physical damage in support of terrorist or geopolitical agendas. That will put infrastructure, priceless artifacts and more at risk. Transnational terrorist groups such as ISIS will attempt to attack a SCADA system or critical infrastructure with the goal of inflicting either economic damage or mass casualties.

Smaller won’t be safer

(AT&T) Hackers will no longer target just large organizations, as they can get equally valuable information in other places by running analytics on the data they are collecting and combining data to make it more valuable. That means smaller organizations are more likely targets.

Cybercrime goes even more global

(Blue Coat) Smaller, developing countries that weren’t big on cybercrime want in. It doesn’t take a big military to cause big damage. Some – like Nigeria – are already entering the fray with more sophisticated attacks. Conflicts throughout the world will bring with them hardware-connected attacks.

Divide and conquer the juncture

(Kaspersky) Expect the appearance of a balkanized Internet, divided by countries, which would make any region vulnerable to attacks on the service junctures that provide access across different boundaries. Such a landscape could lead to a black market for connectivity.

Get thee an MSSP

(Blue Coat) The failure of organizations and countries to build up cyber talent will become a huge problem. Demand for information security professionals is expected to grow by 53 percent through 2018. Because of this, security jobs will be filled by MSSPs, and the cost will not decrease.