For this year’s edition of our annual Cyber Security update, we are taking a somewhat different approach. In addition to covering “cyber security”, we are also taking a broader look at related subjects. To put this white paper together, we have researched the thinking of a great many experts in a number of fields. We have read what seems like countless papers, columns, blogs, etc. As always, we are going to start with an analysis of cyber security as we head into 2018, but then we are going to look at other topics that are directly and indirectly relevant to security issues, including IoT (the Internet of Things), AI (Artificial Intelligence), crypto currency, and even “fake news”. (We also highly suggest you read last year’s paper on Cyber Security 2017, as the content of that piece is still highly relevant today.)
When companies such as Anthem, the Federal Office of Property & Management and Equifax were breached, a tremendous amount of meta-data was stolen, and we expect that this data will be used in highly targeted cyber attacks based on psychographic and demographic algorithms that cyber criminals create using artificial intelligence. But the data collected from an unknown number of smaller unpublicized breaches will certainly be added to the data of the larger attacks to create “big data algorithms” that precision-target spear-phishing to influence purchasing, behavior and, yes, democratic institutions. This is in addition to DDoS, ransomware, and other attacks that will harm businesses and governments alike. This paper is structured to help you fight back. That said, not everything in this paper may be directly related to your own company’s cyber security, but we sincerely believe that in today’s highly interconnected digital world, it is incumbent on every business owner and executive to be on top of at least the basics of digital technology and the risks involved.
Data breaches have been in the news for several years. Last year saw breaches that stole information related to healthcare, government clearances, financial institutions, etc. We also saw one small company that warded off literally tens of thousands of cyber attacks until one got through, with devastating consequences. While that was a ransomware attack that could have been prevented by a qualified managed IT support provider, we are concerned about small company breaches that will lead to consumer losses, and will lead back to lawsuits against the breached company. While 100% protection may never be completely possible, we do believe that the legal standard will be to provide all reasonable protection and those that do not will find themselves subject to serious legal and financial problems.
Many cyber security experts are also concerned that this will be the year the USA will see the same type of infrastructure attack as Europe has suffered during the last two years, where power grids as well as manufacturers have been attacked. Near the end of last year (2017), both the Department of Homeland Security and the FBI advised that they were seeing continued and persistent activity indicating the targeting of critical infrastructure such as water, energy, avionics, construction, and others. They have also signaled their concern that major companies in these sectors are not prepared to ward off such attacks. These attacks could come from bad actors with specific political motives, or with schemes to steal and/or defraud their way to other people’s money.
There are new industries that the cyber-criminal is starting to attack. Healthcare, while it has been attacked before, is one that may see significant increases in the number and types of attacks because the technology that serves this industry is still catching up. Security experts are predicting ransomware attacks that lock down patient records and can affect patient care. The travel industry is another, as travel sites often have wide-ranging personal details such as passport numbers and credit card info, along with home addresses and personal preferences…and often information on when people will be away from home.
The European Union has introduced a comprehensive set of cyber security regulations entitled the General Data Protection Regulation (GDPR) and with it the EU has become the world leader in such privacy laws. If your company does business with any EU countries, it is imperative that you become familiar with these rules. Many experts expect other countries to adopt similar regulations, although the USA seems to be waiting to see how this plays out.
The reality is that many EU companies are struggling with the enormity of meeting the May 25, 2018 deadline (remember Y2K?), but heavy fines have been promised against those firms that fail to meet the deadline and are then victims of such attacks. We expect that among the companies singled out will be multi-nationals who fail to meet launch targets, especially if they cannot show good faith attempts to complete the work. Smaller multi-nationals may not be exempt, particularly if consumer damage results.
In a blog post we published last year, we discussed the vulnerabilities that exist in IoT devices, but with Congress essentially ineffective in dealing with cyber security issues, tied together with powerful lobbying efforts, we doubt that much regulation is in the near-term future…at least not until potential problems turn into real problems. The GDPR regulations discussed above deal with IoT, but we will have to wait and see how strictly these are enforced. If they are tough and if they achieve results, that could trigger needed movement on this side of the pond.
Please note that attacks against IoT devices are no longer just a prediction; they are happening. What is an IoT attack? For example, hackers can use information from your IoT-connected refrigerator to determine times when your home is generally empty (the refrigerator door is never opened between 8 AM and 6 PM). They can get the same info from your thermostat (the temperature in the house drops from 72 to 64 at 8:30 AM every day, then back up to 72 at 5).
Home invasion is not the only concern. If the robots on an automotive assembly line are hacked and on-the-road malfunctions are caused, lives could be lost and corporate reputations severely damaged. Major manufacturers are working on this and security companies are offering fixes, but there are thousands of manufacturers with millions of products and all are looking for consumer IoT “hot buttons”…but are they also looking at the security issues? And if your business uses these devices, what will be the effect?
Since it seems unlikely that regulations creating adequate controls will be passed, we expect that the marketplace will be the force that compels manufacturers to build in proper security, as consumers who see future news reports of IoT-enabled crimes will demand it. If this is true, those companies that are building in security before the bad news hits will be the beneficiaries.
Quick example of how AI will affect cyber crime: spear phishing attacks have traditionally been labor intensive and so have been expensive to run. Some experts are predicting that inexpensive AI will enable a high volume of low-cost targeted malware attacks. Some are also predicting that because of the nature of the data they will be able to pull and analyze, this will lead to a new form of attack: blackmail. Employee training can be very helpful, but will not solve this problem 100%.
That said, AI can also have a positive effect on cyber security. For example, AI can help determine a person’s “normal” behavior, and deviations from such behavior can trigger alerts. Credit card companies have been using this type of analysis for years. If a person lives in Atlanta, and suddenly there are on-the-ground charges from San Diego and Buenos Aires, all within ten minutes, the charges will be blocked and the consumer will get a call from the fraud department.
But as with everything else in the cyber world, it goes both ways. The bad guys can use AI to determine behavior and use this information to trick systems into allowing access. So the products can be better, but hackers’ access, while requiring more advanced technology, may become even easier.
There are also billions of products out there with outdated firmware that will never be updated. We have yet to discover what threats lie in these. Note: one thing we are not particularly concerned with is the takeover of the world by robots.
Cryptocurrency was the trigger that enabled ransomware to become a multi-billion dollar criminal enterprise and propelled it into the national and international spotlight. The untraceable currency made payment of ransom demands quick and easy. Experts expect this to continue into this new year, but a new wrinkle we may be looking at is the holding of personal identities for ransom. What would you do if you received an email or phone call stating that your personal information, including social security and credit card numbers, along with medical information, had been “acquired” and that a $500 Bitcoin ransom was demanded in order to keep your information from being sold/distributed to hackers and others?
Let’s look at what can be expected on the cryptocurrency front over the next year or two. (Again, understand that we have researched expert opinions and what you read here is a compilation of those, not necessarily our own unique thoughts. Also, note that we are not predicting, and will not predict, the rise or fall of the value of any cryptocurrency.)
It would not be unexpected if one or more cryptocurrencies were shown to have major flaws that would undercut their value. Flaws have already been detected in some of these currencies which did bring values down, but to date, these have been neither serious nor widespread among other currencies. One developer reportedly did lose $300 million when a flaw was detected, but we do not know how many millions he had previously made. As the use of this type of currency becomes more widespread, it can be expected that intentional malicious activity will expand.
We can also expect more government regulation. Big banks are already making moves into regulating these currencies while maintaining holders’ anonymity, and, maybe not surprisingly, countries such as Russia and China may be expected to do likewise for their own benefit. We may also see big tech companies join the fray.
Just to be clear, we are not looking at fake news from a political perspective. While it’s out there, maybe on both sides, and almost certainly from foreign actors, we are going to look at fake news strictly from the perspective of cyber security.
We have seen headlines stating that cyber threats are on the rise and to be wary; conversely, we have also seen stories about how over-hyped the threat actually is and that negative releases have been placed for the benefit of cyber security software companies and those that sell it, install it and monitor it. Our concern is a feeling of over-confidence. The threat is real and grows annually. While we cannot state with any accuracy where the positive stories, those that tell you everything is ok, are coming from, we feel it is our obligation to provide you with some “real news” stats.
Reliable sources say that in 2016, cybercrime hit the economy to the tune of $450 billion, and is expected to rise to $1 trillion by 2021. Nine billion records have been stolen since 2013, including 2 billion in just the first half of 2016. (We don’t yet have stats for the second half.)
Why? Cybercrime is a booming and highly profitable business and in any profitable business, people will be working on new technologies and ways to increase their “bottom line.” These are highly sophisticated professional criminals who are working night and day to steal from you.
The above segments are certainly not intended to be all-encompassing nor complete. Any sub-set of cyber security is complicated and ever-growing. We have included a number of the best resources we found on “predicting the future”. As a managed IT support company that has been monitoring, managing and protecting the IT infrastructure of small to mid-sized Atlanta companies for more than 25 years, we are here, as always, to answer your questions and help you implement a powerful and effective cyber-security program. Call us today at 678-373-0716. Or visit us at DynaSis.com.