Thought leadership. Threat analysis. Cybersecurity news and alerts.
Top 5 Cybersecurity Predictions in 2018
It’s the yearend. It’s the time of the year when we look back at the salient events that made a great impact in the cybersecurity world, and make predictions of what the new year will bring.
Here are the top 5 cybersecurity predictions for 2018:
1. Cryptocurrency Mining
The growth of cryptocurrency this year is unprecedented, with the total value of close to 500 billion US dollars as of December 24, 2017. While Bitcoin is the most dominant cryptocurrency in the market, other cryptocurrencies have soared as well. Cryptocurrency Monero, for instance, has a total market cap of $5.1 billion as of December 24, 2017, with one coin of Monero valued close to $335.
“Mining” is needed for many cryptocurrency coins like Bitcoin and Monero to be processed and released. In the past, Bitcoin could be mined using ordinary computers. Today, Bitcoin can only be mined using specific and high-powered computers, leaving the mining to big companies. Other cryptocurrencies, however, can be mined using ordinary computers. Monero, in particular, can be mined using ordinary computers and even using smartphones.
The people who mine cryptocurrencies called “miners” are given a fair share of the coin value for the computer use. Unscrupulous individuals who want to earn more money from cryptocurrency mining, meanwhile, are scouring the internet looking for vulnerable computers and smartphones to install malicious software (malware) capable of mining cryptocurrency like Monero.
Adylkuzz cryptocurrency malware, which was released into the wild in May 2017, infects computers using Microsoft operating system that fail to install Microsoft’s March 14, 2017 security update. Other cryptocurrency malware that proliferated this year includes Coinhive, Digmine and Loapi. Coinhive is distributed via compromised websites, Digmine via Facebook Messenger and Loapi via online advertising campaigns.
Cryptocurrency mining malware eats up most of the computing power of servers, desktops, laptops and smartphones. This results in the slow performance of computers. The Loapi malware, in particular, is so powerful that it can even melt an Android phone.
“Although attacks that attempt to embed crypto-mining malware are currently unsophisticated, we expect to see an increase in the sophistication of attacks as word gets out that this is a lucrative enterprise,” Imperva Incapsula said in the article "Top Five Trends IT Security Pros Need to Think About Going into 2018”. “We also expect these attacks to target higher-traffic websites, since the potential to profit increases greatly with higher numbers of concurrent site visitors.”
2. Business Disruption
In 2017, the world saw the devastation brought about by ransomware and distributed denial-of-service (DDoS) attacks.
Ransomware is a type of malware that restricts user access to the infected computer until a ransom is paid to unlock it. Two of the notable ransomware this year, WannaCry and NotPetya, are essentially not ransomware in the sense that the code of these two malware were written in such a way that even the attackers themselves can’t unlock the infected computers. Whether this was intentional or not, only the attackers know. But in this sense, these two malware are considered as “wiper” – meant to bring business disruption.
“The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage,” researchers at McAfee said.
Another malware that brought widespread business disruption in 2017 was the Mirai botnet, a malware that infected close to 100,000 IoT devices, turned them into robots and launched DDoS attack that brought down the managed DNS platform of Dyn, which in effect, temporarily brought down 80 widely used websites like Amazon, Twitter, Tumblr, Reddit, Spotify and Netflix.
According to Imperva Incapsula, attackers in the upcoming year will probably adopt new business disruption techniques. Examples of these disruptive techniques include modifying computer configuration to cause software errors, system restarts, causing software crashes, disruption of corporate email or other infrastructure and shutting down an internal network (point-of-sale systems, web app to a database, communication between endpoints, etc.).
3. Breach by Insiders
The 2017 Cost of Data Breach Study (PDF) conducted by Ponemon and commissioned by IBM showed that 47% of data breaches were caused by malicious insiders and outsiders’ criminal attacks, 25% were due to negligent employees or contractors (human factor) and 28% were due to system glitches.
According to Imperva Incapsula, illegal cryptocurrency mining operations in corporate servers are on the rise, set up by insiders or “employees with high-level network privileges and the technical skills needed to turn their company’s computing infrastructure into a currency mint.”
4. Artificial Intelligence (AI) as a Double-Edged Sword
In 2018, AI is expected to be used by cybercriminals as a means to speed up the process of finding security vulnerabilities in commercial products like operating systems and other widely used software. On the other hand, AI is expected to be used by cyberdefenders to improve cybersecurity.
“Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers,” researchers at McAfee said. “Human-machine teaming has tremendous potential to swing the advantage back to the defenders, and our job during the next few years is to make that happen. To do that, we will have to protect machine detection and correction models from disruption, while continuing to advance our defensive capabilities faster than our adversaries can ramp up their attacks.”
In 2018, one thing is for sure: General Data Protection Regulation (GDPR) will be enforced on May 25, 2018.
GDPR is a European Union (EU) law that has an “extra-territorial” reach. Businesses that process personal data or monitor the online behavior of EU residents are still covered under this law even if they aren’t based in any of EU countries. Salient features of the law include consent requirement, right to be forgotten, transparency requirement, cybersecurity measures and data breach notification.
“In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come,” researchers at McAfee said.
Happy 2018, and Stay Safe!
6 Top Things to Do in Preparation for the GDPR Implementation
May 25, 2018 – is the full implementation of the General Data Protection Regulation (GDPR).
The GDPR is a European Union (EU) law that sets out the obligations of organizations in order to protect the personal data of EU residents. The law also sets out harsh penalties in case of failure to comply.
Even if your organization isn’t based in any of the EU states, the implementation of the GPDR will still impact your organization as this law has extra-territorial scope.
This means that even if your organization is based, for instance, in Canada, this European law still applies if your organization processes personal data of EU residents. For example, if your organization offers goods or services (regardless of whether payment is made) or monitors the behavior of EU residents, your organization is covered under GDPR. And even if your organization is a small one, that is, it only employs fewer than 250 people, it’s still covered under GDPR.
The personal data referred to by the law refers to any information that can be used to identify a person either directly or indirectly, including name, email address, photo, medical information, bank details, posts on social networking websites and computer IP address.
Here are the 6 top things to do in order to prepare your organization for the upcoming implementation of GDPR:
1. Make Consent Process User-Friendly
In GDPR, your organization will no longer be allowed to use long and legalese terms and conditions to request for personal data consent.
Under the EU law, request for consent must be presented in layman’s terms and the purpose of the data processing must also be presented in clear and plain language. There must also be an easy way for customers to withdraw their consent. In the case of minors, parental consent must be given.
2. Delete Data that No Longer Serves Original Purpose
Under the GDPR, the right to erasure, also known as the right to be forgotten, is enshrined. Article 17 of the EU law provides that data should be deleted when the data no longer serves the original purpose of processing and when the data subject withdraws his or her consent. The law, however, provides that the right to be forgotten must be weighed against "the public interest in the availability of the data".
3. Implement Data Protection as Precautionary Measure, Not as an Afterthought
The GDPR calls for “privacy by design” – a concept now made into law that requires organizations to make data protection as part of the preventive measure, instead as an afterthought or reactionary measures.
The law specifically requires organizations processing personal data to implement appropriate technical and organizational measures in order to protect personal data that it processes.
Organizations, under the law, are required to hold and process only the personal data that’s necessary for the completion of its functions. The law also requires organizations to limit the access to personal data only to those who are necessary for carrying out the data processing task.
4. Be Transparent to Affected Individuals
Part of the expanded rights of EU residents under the GDPR is the right to obtain confirmation from organizations as to whether or not their data is being processed, for what purpose and where. Organizations are also required under the law to provide free digital copy of the personal data being processed to the affected individuals.
5. Determine if Your Organization Needs to Appoint a Data Protection Officer (DPO)
Appointment of a Data Protection Officer (DPO) is mandatory under GDPR only if your organization engages in large-scale systematic monitoring or large-scale processing of sensitive personal data. If your organization doesn’t engage in any of these functions, then there’s no need to appoint a DPO.
6. Be Transparent About Data Breach
Under GDPR, there will be no more concealing of data breaches. Notification is mandatory under this law in case where the data breach is likely to “result in a risk for the rights and freedoms of individuals”. This law requires that data breach notification to the concerned agency must be done within 72 hours after first having become aware of the breach. Notification to affected customers, meanwhile, has to be done “without undue delay” after first becoming aware of a data breach.
Penalties for Non-Compliance
Several factors are taken into consideration in calculating the fine under GDPR. These factors include:
The maximum fine that can be imposed for a breach of this law is 4% of the annual global turnover or €20 Million, whichever is higher. The maximum fine is imposed for the non-compliance of key provisions of GDPR such as violating the core of Privacy by Design concepts and failure to get sufficient customer consent to process data.
The penalty of 2% of the annual global turnover or €10 million, whichever is higher, meanwhile, can be imposed in case of non-compliance of technical measures such as failure to report data breach and failure to give affected individuals access to personal data being processed.
"Rapid technological developments and globalisation have brought new challenges for the protection of personal data,” the law states. “The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”
Steve E. Driz, I.S.P., ITCP