Thought leaders within the IT community are beginning to view cybersecurity not just as part and parcel of the everyday cost of doing business, but as an enabler, a direct driver of business continuity and bottom line growth. This shift in perception has begun to have a dramatic impact on the position and role of security within organizations, from a view of “security means you can’t” to “security means you can.” Over the past year, fences, walls and moats have become outdated as the ROI of security takes priority with a focus on measuring detection, responding to legislation and the automation of remediation, patch management and minimizing dwell time of an attacker. While a lot has changed in 2015, the speed of security means there’s only more to come. These are Forcepoint Security Labs’ predictions for 2016.
Elections Hackers and Hacktivists Hone In
• Attackers frequently see large events as an opportunity to launch cyberattacks on a curious population.
• Political campaigns, platforms and candidates present a huge opportunity to tailor highly effective lures. • Candidates’ and issues-related websites and social media present a large, built-in following for hacktivists in need of an audience.
• Information on social media is often spread and accepted before fact can catch up with fiction, giving determined hacktivists an opening to misrepresent and/or misdirect the public’s perception of individuals and events.
• In political one-upmanship, data often equals an advantage.
• Technology decisions made by candidates during their tenure can expose them to data theft attacks (as seen by Clinton’s use of a private email server).
The U.S. elections cycle will drive significant themed attacks The Internet, especially social media, are now a standard part of reaching constituents on the campaign trail. Still a relatively new tool in the 2008 U.S. presidential election, by the 2012 election social media was considered a primary communication method (in addition to, if not on par, with traditional news media). This is now a primary vehicle to raise awareness of campaign messages and events, as well as being a way to gauge voter interest and promote engagement on various issues.
The 2016 presidential race will likely see the most prolific use of online and social media campaigning yet as candidates and their teams regularly turn to online resources, campaign websites, Facebook, Twitter and Instagram to reach voters and target specific demographics in their race to win the White House. With 74 percent of adults active on social networking sites as of 2014, according to the Pew Research Center, social media may eventually surpass traditional news media and paid advertising as the top source for voters for election news and opinions. However, this shift to relying on social sites for news presents challenges. On the one hand, when done right it is a proven method to quickly spread a particular message. The other hand suggests there’s little to prevent incendiary, inaccurate information from virally spreading and being accepted by the public as factual. Even if such information is later corrected, this false information lives forever on the Internet, with the potential to inform opinions and as a result misinform – and potentially direct the actions of – the electorate.
A CAMPAIGN OF LURES AND MALWARE IN POLITICAL ONE
-Attackers will use the 2016 election and related campaign issues to craft email lures and misdirects in order to push malware payloads with the intent to compromise. Expect lures made to look like political party or candidate email, advocating an online petition or survey about specific election issues, linking to a supposed news story, or relaying information about voter registration or debates.
THE EXPLOITATION OF NEW MEDIA
We’ve already seen websites hacked to promote propaganda or create confusion. Beginning in 2011, the Syrian Electronic Army (SEA), a group of hackers supporting the government of Syrian President Bashar al-Assad, began targeting and defacing the websites of political opposition groups, government agencies and news organizations with pro-regime commentary. In addition, the Facebook pages of President Obama, along with former French President Nicolas Sarkozy, were targeted by SEA spam campaigns to broadcast support for the al-Assad regime. The SEA also took over the Twitter accounts of legitimate news organizations, tweeting false news updates, creating uncertainty and alarm as the messages spread online before these accounts were again secured.3
These attacks demonstrated how relatively simple it was to deface websites and appropriate others’ media technology to achieve recognition and reach, even if only temporarily. Other groups may look to follow the SEA’s lead in 2016, training their sights on candidates’ web pages and social media with a goal to embarrass or discredit, or hijacking the Twitter accounts of legitimate news media to inflame and influence the electorate.
As if to prove the point, only last month the InfoSec Institute released a scorecard indicating which top five presidential candidates is most likely to be hacked.4 Only one candidate received an A grade, the highest awarded in the study.
A FUTURE CYBER WATERGATE
Nowadays, you don’t need to jimmy a lock and rifle through file cabinets for information. Breaking in and stealing or modifying data requires only determination, desire, and a willingness to break the law.
Nation states have been pointing fingers at one another for stealing data from companies and governments for years. Most recently, this activity culminated in the United States and China agreeing in September not to engage in state-sponsored cyber intrusions.5 However, given the influence the choice of a U.S. President can have, not only on a myriad of social issues and business regulations and operations in the United States, but also on future foreign policy with other nation states, it’s not hard to envision a circumstance where factions hoping to gain insight or advantage in an election or following it, might target a candidate or groups involved in promoting them for useful data in keeping ahead of or undermining the competition. However, unlike finding a burglar red-handed, attribution for such an attack will be difficult given the many methods by which hackers can spoof information, circumvent logging and tracking or otherwise remain anonymous.
• Businesses should educate employees on the potential for politically targeted and tailored lures in email and via the web.
• Presidential candidates should consider outsourcing ownership of their website donations collections system and web-based advertising to known trusted and respected companies experienced in such activities that use data theft prevention solutions.
• Organizations tasked with hosting a Presidential candidate’s website should consider, among other approaches, building the website as secure by design, implement DDOS protection, implement and maintain a Web Application Firewall if appropriate and ensure FTP passwords are kept secure.
• Organizations tasked with administrating the social media accounts of presidential candidates should follow security best practices, including rotating passwords regularly, monitoring status updates, and using suitably complex passwords for log-in.
• Those involved in campaigns or election activity must also elevate the importance of online security in all of their efforts.
• Attacker Trends
• Data Theft Prevention
02 PAYMENTS SECURITY
Pickpocketing the Mobile Wallet
• Money is still the primary attraction for criminal attackers, with credit cards a lucrative historical target.
• Mobile technology and retail innovation is rapidly morphing payments methodology.
• Security is not the first priority for those seeking to alleviate payment friction. Convenience has often trumped security in these rollouts.
• The introduction of the EMV6 or Chip and PIN standards in the U.S. is likely to decrease face-to.face fraud. However, history suggests that overall fraud rates are not likely to diminish.
Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud
The payments and payment security landscape is set for some tumultuous shifts to occur in 2016. These seismic shifts are exactly the types of situations from which savvy cybercriminals usually seek to take advantage.
With EMV, or Chip and PIN, technology still in a rolling deployment throughout the U.S., it is still too early to assess its current impact. If historic deployments of this technology are to be repeated, we are likely to see a decrease in the amount of in-person credit card fraud, but overall rates will remain the same as fraud migrates online and into other channels.
As criminals look to shift their game plans, there are three distinct areas we see attackers migrating: newly introduced infrastructure, new payment methodologies and mobile wallets.
Point-of-sale systems in brick-and-mortar stores are changing in response to rapid EMV implementations. While it may seem that the act of swapping one payment terminal for another is without hazard, the introduction of this new hardware will inevitably lead to security gaps exploited by attackers. This is further complicated by the fact that it can be more difficult to dispute fraudulent charges made using these new “safer” cards.
Integrating new technology and processes securely is a painstaking process. While many will take every measure to do so, the massive scale of change will present significant chances for criminals to attack poorly configured devices, or their network connections. Criminals well versed in physical tampering of terminals may even take advantage of the migration to “introduce” a number of data capturing smart carts and devices of their own into a large terminal replacement projects.
HACKING NEW PAYMENT METHODOLOGIES
While this shift is occurring, there is an increasing push for retailers to take advantage of new technologies to streamline the payment process. The increase in non- traditional payment methods via beacons (a system to allow retailers to detect a mobile app user’s presence in the store) and smart shopping carts will open up the doors. for a new wave of attacks. The smart carts and beacons will be a target. Less-rigorous security implementations of these systems will leave them vulnerable. Some banks are already taking action to diminish their responsibility for attacks associated with third-party payment applications that link to accounts at the financial institution. The Wall Street Journal recently reported that Bank of America has cut off data to some sites and mobile apps that rely on it to provide consumers with money management strategies. While many have chosen to focus on this as a competitive decision, don’t forget the security and liability issues at play. A financial institution traditionally does not hold a consumer liable for fraud committed on their account (business account rules differ).
However, if an attacker targeted a third-party application developer, who was in possession of your banking credentials and passwords because you provided them, you may be in trouble with the bank. As adoption and the types of transactions capable on mobile phones increases, malware authors will also increase their efforts to steal from a digital wallet. Mobile malware will evolve to use these payment methods to commit fraud. As the cell phone continues to become the preferred two-factor source of authentication for many financial transactions, it has also increased the value of exploiting the mobile device or its applications to empower much more theft than currently seen. Ransomware on mobile may also come as a result of the increased significance of the mobile device in commerce.
Once attackers have learned to infiltrate the wallet on your mobile device, they aren’t going to stop there. Remember, money is the primary motivation for these attackers. After they have drained the wallet, they will begin to take advantage of their residency on the device to look for other sources of “income” in the wake of the BYOD phenomena that is now part of the business paradigm. This will likely mean using the device as a head start to compromise your business network; there is plenty more money to be had there for a wizened cybercriminal. Emails, contacts, authentication measures and apps that access the corporate network from the phone can become a phenomenal source of intellectual property, insider information and other confidential business materials become easily obtainable and can net an attacker sizable treasure.
• Everyone – not just retailers – must begin to prepare now for protection at the ragged network edge as new mobile and payment technologies stretch and extend the traditional notion of a network.
• The enterprise must acknowledge that the technological push by attackers against the mobile platform to commit fraud will also enable others who wish to breach the enterprise.
• Understanding that the mobile device can create risk and exposure for a business, organizations must look to prioritize the protection of data by monitoring industry best practice and implementing security protections prioritizing data protection.
• Businesses must be forward looking and nimble to accommodate: accelerated update cycles; immediate recognition and categorization of confidential information; rapid security assessment of new technology implementations; and a morphing risk environment.
• Attacker Trends
03 ATTACKER TRENDS
.Cyber and .Criminal are Coming for Your .Money and .Computer
• The Internet community has seen a major change in the domain name registration system, with the increased adoption of new generic top level domains (gTLD).
• Attackers are often early adopters of new opportunities and will rapidly colonize new avenues of attack, including new domains.
• As a result, criminals who populate the new top level domains win a much larger proportional presence than in existing, more common TLD.
• This is a demonstrated behavior with all new technologies; when introduced, it is often the fringe elements of the Internet that first move into them.
The addition of the gTLD system will provide new opportunities for attackers For those accustomed to the old Internet of .com, .edu, .gov, .net, .org, and .info, your intimate little neighborhood is about to get a lot more neighbors. The implementation of expanded new generic top- level domains (gTLD) by the Internet Corporation for Assigned Names and Numbers (ICANN) means that you are now beginning to see many more URLs ending in .club, .xyz and .guru. This will only increase in frequency because as of November 2015, the number of new gTLDs (delegated strings) available is 800.8 ICANN has reported that 1,300 new names or “strings” could become available in the next few years. A quick look at the new approved and delegated TLD provided by ICANN reveals both big brands big brands used by everyday consumers and common words (including .car, .wine, .mom, .family). These new TLDs potentially allow for more effective branding and could conceivably become an asset navigating the Internet in the future. For now, they are primarily an asset being cultivated by criminals to confuse users and to ensnare and entrap their computers with malware.
NEW gLTD = .NEW .OPPORTUNITY .FOR .SOCIAL .ENGINEERING
While there has been a tremendous effort by ICANN to ensure that brands have an opportunity to control the TLD of their names, this hasn’t prevented controversy and contesting for specific terms. Will consumers shopping for a computer steer towards shop.apple, apple.macintosh or apple.computer? Will businesses users with Salesforce accounts respond to an email that comes from renewal.salesforce, salesforce. This potential confusion is a golden opportunity for criminals and nation-state attackers to create highly effective social engineering lures to steer unsuspecting users toward malware and data loss.
ATTACKER New gTLDs will definitively be used in active spam and other malicious campaigns. In a Forcepoint sample set of several gTLDs, millions of different URLs proved to be suspicious or directly malicious. With attackers well entrenched within the new domains before legitimate users, consumers will eventually hesitate before casual navigation. These gTLDs will also make it significantly harder for defenders to protect as many are unprepared for the new landscape created. This will prompt security advocates to demand to be involved earlier in the process with how to approach new technologies on the Internet. More specifically, defenders must consider how new resources and facilities might be abused by an attacker.
• Defenders should recognize that all new technologies hold possibilities for adoption by attackers. Thus, the savvy defender should carefully consider each major change to our ecosystem before waiting for the wave of attacks. This is true at the Internet scale (such as the gTLD example) but also at the company scale (for example, the release of a new feature in a product). RELATED
The cyber insurance market will dramatically disrupt businesses in the next 12 months. Insurance companies will refuse to pay out for the increasing breaches that are caused by ineffective security practices, while premiums and payouts will become more aligned with the actual cost of a breach. The requirements for cyber insurance will become as significant as regulatory requirements, impacting on businesses’ existing security programs. ” — Carl Leonard, Principal Security Analyst, Forcepoint Security Labs