The progression of cybersecurity mostly occurs in step with the continued evolution of technology in order to ensure that every innovation is as secure as it is functional. As time passes, the level of complexity of information and communication technology continues to introduce new vulnerabilities, presenting cybersecurity professionals with unique challenges.
Let's take a look at some of the top cybersecurity trends that lie in wait in 2016.
The old stereotype of the lone wolf huddled over a keyboard in a dark basement, frantically typing away in his efforts to hack the mainframe, is on the way out. The new face of cybercrime isn't really a face at all, but rather a collection of faces that hide behind masked IP addresses and regularly convene to orchestrate attacks that are as elaborate as they are ambitious. Take the example of the notorious Russian hacking group that has made off with an estimated $1 billion in stolen U.S. and European bank assets since 2013. According to USA Today, Kaspersky Labs has noted that the hackers will stop siphoning money from a given bank once they have reached $10 million. This limits their chances of being detected quickly, giving them enough time to cover their tracks. The lesson here is clear: Hacking groups are becoming more organized and more sophisticated, resulting in their ability to pilfer more money and data, and to stay at it for a long time without getting caught.
Hacking organizations present an especially significant threat, but this it not to undermine the threat that lone wolves and smaller groups still pose - especially when real-world subterfuge is incorporated into technical wizardry. For example, a teenager recently managed to hack the personal email account of CIA Director John Brennan by calling Verizon, and posing as one its employees in order to get access to sensitive customer information. According to Wired, he then used the information about Brennan to reset his AOL password, and gained free reign over the high-ranking official's personal email.
Needless to say, hackers are getting really creative, and this is a trend that will continue well into 2016 and beyond.
The Internet of Things is slowly but surely transitioning from buzzword to a business reality. By 2020, the IDC predicts that there will be more than 28 billion IoT units installed. These will include a diverse array of devices, ranging from basic household appliances to manufacturing components and wearable technology. Everything will be connected, and this means everything will be vulnerable.
In a recent feature article, Forbes contributor Kalev Leetaru paints a frightening picture of what can be accomplished through the use of basic, connected devices. He gives the example of how baby monitors and televisions with cameras and microphones can be accessed for nefarious purposes. Even traffic signals and consumer drones can be targeted by cybercriminals, and be overridden and controlled with malicious intent. Many of Leetaru's examples are already applicable - consumer drones, connected TVs, smart baby monitors, among a plethora of other devices - and they can be used as entry points into networks.
In 2016 and beyond, cybersecurity experts will have to find new ways to authenticate users of the billions of connected devices to prevent privacy breaches or worse, because hackers won't be going for the mainframe. They'll be going for cars, security cameras and even critical infrastructure such as the electric grid. One possible way to prevent breaches is through the adoption of biometric-based authentication. When applied to wearable technology, connected cars and other smart devices, this form of multi-factor authentication can, at the very least, make it nearly impossible to hack a system via credential theft. A user's retina or fingerprints are very difficult to replicate.
"Phishing is highly targeted, and that's why it continually works."
One of the most effective ways to breach a system also happens to be fairly simple by comparison to some of the extraordinarily complex hacks organizations have faced in the past few years: the tried-and-true phishing scam - or more aptly, the spear-phishing scam. Much like the old pastime of casting out and waiting for a bite, phishing entails the use of clever bait tactics to lure users into downloading and installing malware, or freely giving away important credentials. However, unlike fishing - and the reason that the "spear" modifier makes more sense - phishing is highly targeted, and that's why it continually works, and also why according to NBC, it will be one of the top cyberthreats in 2016.
A slightly more nuanced form of targeted attack called a watering-hole attack also aims to trick users into letting their guard down. As the name suggests, watering-hole tactics entail setting up traps in Web destinations that a hacker knows a given target regularly visits - virtual water holes, so to speak. This is accomplished by infecting a legitimate website or Web portal with malware designed to siphon information from a specific target that can subsequently be used to orchestrate a more complex cyberattack. Like phishing, watering-hole tactics are highly targeted.
Phishing and watering-hole attacks are difficult, but not impossible, to defend against. In some cases, phishing attacks can be nipped in the bud with two-factor authentication. For example, a common tactic is to create a false domain in order to trick a user to input login information. Alternatively, scammers might send out an email posing as an account provider (i.e. Facebook or Google) or financial institution in order to gain access to deeper information about a target. Two-factor authentication foils these tactics by adding a second layer of identity verification, such as a text message, that a botnet or hacker cannot compromise. Work-related accounts can be protected through similar means that incorporate the use of 4kens, and even biometric verification.
From the perspective of the target, there is little that can be done to defend against a watering-hole hack other than to avoid illegitimate or suspect webpages that are more easily compromised. The easiest way to do this is to stay off any website that does not have an SSL certificate. The HTTPS domain can be fabricated, but visiting unprotected webpages only augments the risk of falling prey to a watering-hole scam. Furthermore, website hosts can ensure that they don't accidentally become an involuntary accessory in a scam by leveraging SSL encryption.
The year ahead will undoubtedly precipitate new cybersecurity challenges. But as long as IT experts keep each new hurdle in sight, organizations can hopefully look forward to a happy, hack-free 2016.