The arrival of the New Year provides a timely occasion for the security community to reflect upon the lessons learned over the past year and examine the challenges – and opportunities – ahead.
Compromised privileged accounts and credentials continued to be a popular pathway for attackers – the attack on the U.S. Office of Personnel Management is an example of one with extensive and ongoing fallout. The attack put privilege front and center – not only in the press, but also with the U.S. federal CIO, who issued the now-familiar “30 Day Sprint” that prioritized privileged account security, among other guidance.
What changed last year was a significant uptick in awareness – across IT and executive teams – around privileged account security. Our annual Threat Landscape survey found that 61 percent of respondents cited privileged account takeover as the most difficult stage of a cyber attack to mitigate, up from 44 percent from the year prior. Additionally, a 2015 retrospective article from Dark Reading explored 15 cyber security lessons that should have been learned in 2015. Among the lessons – the critical need for organizations to bolster privilege account management practices. Reporter Sara Peters wrote, “Study, after study, after study this year revealed that privileged accounts need to be better managed. It isn’t just that the credentials themselves are too weak, but sometimes they’re poorly monitored, too widely shared, and they’re not efficiently revoked when employees leave an organization.” We agree!
While we expect privileged account security to continue to be recognized as an enterprise security priority, there are a number of other trends to watch in the coming year. While not an exhaustive list, we expect these issues to get attention in the coming months.
- Hitting Close to Home, Data Breaches Will Get Increasingly Personal. The recent VTech data breach highlights consumer privacy issues in a very powerful way. The breach exposed personal information, photos and chat logs of 6.4 million children – and prompted parents around the globe to take a hard look at the seemingly innocuous, Internet-connected toys their children have access to. Within weeks of the breach, headlines emerged revealing vulnerabilities in other popular children’s toys, including Hello Barbie and Hello Kitty. Despite this jarring wake-up call, an Altimeter Study indicates the vast majority (87 percent) of consumers still don’t even know what the term “Internet of Things” even means. This lack of awareness will need to change quickly. While consumers should properly educate themselves on the potential dangers of Internet-connected devices – from tablets to toys to smart thermostats – it is the responsibility of manufacturers to design with security in mind, and not put time-to-market ahead of protecting their customers. Manufacturers also need to put in place stronger controls for protecting the data that is collected from these devices and stored.
- Cyber Criminals Will Get Even More Aggressive with Ransomware In Their Pursuit of High-Profile Financial Targets. According to an Infosecurity Magazine article, financial services firms are hit by security incidents 300 times more frequently than businesses in other industries. In 2015, the Federal Financial Institutions Examination Council (FFIEC) warned that cyber attacks against financial institutions to extort payment in return for the release of financial information and sensitive data are increasing. In the year ahead, these attacks will become more prevalent and aggressive, as motivated attackers find new ways to utilize ransomware to blackmail individuals and corporations. Not surprisingly, the attackers will follow the money, particularly targeting enterprise organizations that have the resources and are most likely able to pay the requested ransoms.
- Lines Between Physical and Cyber Terrorism Will Blur. In 2015, devastating acts of terrorism impacted the global community. In 2016, we will increasingly see the convergence of physical and cyber terrorism aimed at wreaking far-reaching havoc. For example, as Reuters reported, a suspected attack on a Ukrainian power grid recently left parts of the country without energy. This attack represents one of the few publicly documented assaults on an industrial target. In late December 2015, the NSA issued a report “Seven Steps to Effectively Defend Industrial Controls Systems.” Within the introduction of that report, it’s noted that it’s not a matter of if industrial controls systems will have an intrusion, but when. Over the next 12 months, we expect to see more headlines of greater coordination between these two types of attacks – and more successful breaches that could negatively impact major health systems, financial markets and energy grids, among others.
What are you tracking in 2016? Share your thoughts on the cyber security landscape. On Twitter use @CyberArk with the hashtag #2016Predictions.
From all of us at CyberArk, we wish you a safe and secure New Year!