IT Matters: Security in 2016

by Kevin Squires
Kevin Squires is Vice President, Business Technology for the Econo-Rack Group of companies (Konstant, RediRack, Econo-Rack, Technirack).

There are many who believe that security will be in the forefront of the corporate mindset in the coming years. This is largely due to the exponentially growing number of devices (and therefore hackable entry points) that are flooding the market as a result of the Internet of Things (IoT) and other factors.

One of these factors is the Internet—specifically, the aging of its supporting infrastructure. This is reflected in forgotten and deferred maintenance of its various components, since upgrades have become an increasingly expensive problem for defenders. Among the symptoms: Alexa 1000 certificates that are not up to date; old JavaScript versions that are easily compromised; the stream of rapid OS updates and new trends in software end-of-life processes that cause havoc; and new applications built on recycled code with old vulnerabilities (recent examples of this are Heartbleed and POODLE).

According to a report from Intel Corp’s McAfee Labs, cyber attacks in which malware holds user data or systems “hostage” are expected to rise significantly in 2016, as hackers focus more on companies and increasingly advanced software is able to target more types of data.

“Ransomware” is malicious software that allows a hacker to access a computer, encrypt and freeze sensitive data, then demand some form of payment to release it—essentially holding the data or system hostage until the person or company meets the payment demands. A recent example was the hack of Ashley Madison.

The report goes on to state that McAfee Labs researchers saw more than four million samples of ransomware in the second quarter of 2015, including 1.2 million that were new, and that they expect those numbers to grow in 2016. That compares to fewer than 1.5 million total samples in the third quarter of 2013, when fewer than 400,000 were new.

Ransomware’s most lucrative target
The Internet of Things (IoT) will become an ever more fertile attack surface for governments, mercenaries, hacktivists and even terrorists. Many IoT devices lack significant memory space or OS capability, so treating them like endpoint agents will fail. Ransomware will gain ground on banking Trojans and extend into smart devices like coffee makers, refrigerators, baby monitors, cars, wearables and medical devices, which are often owned by wealthier and therefore more lucrative targets.

Cloud Services
Cybercriminals could target weak, outdated or ignored corporate security policies established to protect cloud services. The Cloud has become home to an increasing amount of confidential business information, and such services, if exposed, could compromise organizational and individual business unit strategies, portfolio strategies, next generation plans for innovation, financials, acquisition and divestiture plans, sensitive and personal employee data and a host of other areas. This is sure to give even the most optimistic C-suite executives pause when looking at “what if” scenarios.

With the increase in automotive wireless systems, researchers will continue to focus on potential exploitation scenarios for systems lacking foundational security capabilities or failing to meet best-practice security policies. Security vendors and the auto companies will work together to identify and develop guidance standards and technical solutions to protect potential entry points such as vehicle access system engine control units (ECUs), engine and transmission ECUs, advanced driver assistance system ECUs, remote key systems, passive keyless entry, USBs, remote link type apps and smartphone access, to name a few.

As many of you have realized, the age of wearable gadgets is upon us. From fitness trackers to watches, glasses, health aids and more, it is a sector that is growing exponentially. With that growth comes significant security risk since, to be most effective, we have to give these gadgets access to a lot of our personal data.

Although most wearable devices store a relatively small amount of personal information, wearable platforms could be targeted by cybercriminals working to compromise the easier target: the smartphone we use to manage them. Ultimately, the key is to be sure that security is thought about and built in from the start and not treated as an afterthought further down the line when risks are already compromising user data and, if used as an entry point, company data.

With IT security threats expected to keep rising in 2016, the failure of organizations and countries to build up cyber talent will become a huge problem. Demand for information security professionals is expected to grow by 53 percent through 2018. Because of this, many security jobs will be filled by managed security service providers (MSSPs), and the cost will not decrease.