This is the ninth in our series of cybersecurity predictions for 2016. Stay tuned for more through the end of the year.
As 2015 comes to a close, it’s time to look ahead to next year and consider the sorts of changes we can expect in the threat landscape. Predictions of this nature are almost always based on two main factors:
Predictions based on continuing trends are highly likely to come true, while those based on significant shifts are more uncertain. Reluctant prognosticators, like myself, prefer to rely on data rather than speculate broadly about the future, but that doesn’t lead to very interesting predictions. So, this year, I’m going to split the predictions into two sections: “sure things” and “long shots” – and spend more time on the latter.
Based on the patterns I’ve seen in the last year, the following are “sure things” in 2016:
Now that the easy bets are out of the way, let’s move on to predictions that probably aren’t better than a coin flip but will be more interesting for you to discuss with your colleagues at the water cooler.
While U.S. citizens don’t vote online (like Estonians), there are many ways that a cyberattack could impact the outcome of the election either directly or indirectly. For example:
The impact on the election may not tip the scales in the favor of one candidate or another; but, between now and November 4, the political process could experience a significant cyber “nudge.”
Passwords are the keys to nearly every lock on the Internet, yet attackers steal them every single day. Authentication systems that require only a username and password for access are known as “single factor.” “Multifactor” authentication systems require an additional factor, typically something you “have” (a token) or something you “are” (biometrics). These additional factors are most often used by systems that require higher levels of security; but, in 2016, they may finally make it to the mainstream.
The most common form of two-factor authentication (2FA) in place today involves tokens that generate random numbers every 30 to 60 seconds. These are either physical tokens, which you might attach to your keychain, or software tokens installed on your smartphone. They are offered by a multitude of companies, sometimes for free, and offer an excellent mechanism to prevent a simple password theft from resulting in an account compromise. In other cases, token 2FA systems are replicated using SMS messages that contain the token code and offer a similar level of protection. Companies across nearly every industry offer 2FA options, but some still lag behind.
How often do you use a fingerprint reader? If I’d posed this question at the end of 2014, a small number of people may have said occasionally, but very few, daily. With the addition of fingerprint readers to the iPhone 5S (announced 3 years ago) and many more smartphones since, this technology has begun proliferating widely, and I suspect many readers have a fingerprint reader in their pocket right now.
At the moment, fingerprint readers are mostly used as a convenient way to avoid typing a PIN code. Fingerprints generally should not be used as a primary form of authentication (you leave fingerprints everywhere); but, as these devices become ubiquitous, they will offer a two-factor opportunity that was not previously feasible at scale.
While biometric authentication is unlikely to become ubiquitous in 2016, demand for 2FA options will force more and more companies to support token-based systems and some will require 2FA to keep their users safe. Widespread adoption of 2FA would be one of the greatest blows the security community could deal to cyberattackers around the world.
Data theft is always in the headlines. Organizations are breached, and attackers steal private information for their own benefit. Of course, “theft” isn’t the only action an attacker can take once they enter a network. Some attackers destroy log files or modify records to cover their tracks, but what about those who have no intention of stealing information in the first place?
Director of National Intelligence James Clapper recently stated that he expects the next wave of attacks to manipulate or delete data, rather than just steal it.
A data destruction attack, like the Shamoon malware attack against Saudi Aramco in 2012, could temporarily or permanently shut down an entire organization. Viewers of Mr. Robot (I highly recommend it) will note that the fictional attack that plays out in the first season is all about destroying the financial records of a major corporation to erase debt and throw the financial system into chaos.
Subtle data manipulation attacks are much less common (or less publicized). Students break into school district systems to change their grades, but this likely isn’t the type of attack that worries General Clapper. The OPM breach disclosed earlier this year is a more likely concern. Modification of OPM records could be used to help someone gain, or to be denied, a top-secret security clearance.
While I don’t expect these types of attack to surpass data theft in volume, we may find that the top cyberattack headline of 2016 isn’t about how many records were stolen, but how many were silently modified or deleted.