ESET sets the record for 2017 security predictions

The report focuses on nine overall trends and reveals some converging trends that are, for want of a better word, plain scary.

Based on ESET’s research laboratories across the globe, the report says the “year of ransomware” will continue into 2017 as ransomware attacks continue en masse. It stated that, “We anticipate a new trend on the horizon: The Ransomware of Things or RoT, i.e. the possibility of cybercriminals 'hijacking' devices such as home security cameras and then demanding a ransom payment in exchange for restoring control to the user.”

Nick FitzGerald, senior research fellow at ESET, says, “Ransomware was a serious security problem throughout 2016. ESET takes no joy from having been on the right side of that prediction, nor in predicting that ongoing ransomware developments and ensuing success for the cybercriminals behind it seems likely to continue apace into 2017. As wealthy markets, Australia and New Zealand are often targeted in ransomware campaigns, and online users should continue to be especially wary of unsolicited email with attachments or URLs, and ‘too good to be true’ offers.”

{loadposition ray}

The Trends 2017: Security held ransom report, is divided into nine sections, each focusing on one important aspect of information security. Most of the sections deal with threats, either by type (Ransomware, Vulnerabilities, and Mobile) or by industry (Healthcare, Critical Infrastructure, and Gaming).

“Other concerning developments in 2016, were attacks against real-world infrastructure, such as electricity supplies and distribution networks, and internet infrastructure. The latter also exposed how much attack power could be rained down on a victim by harnessing multitudes of trivial internet-connected devices such as DVRs, webcams and other Internet of Things (IoT) gadgets. The possible convergence of increasing cyber criminal interest in IoT devices and the ongoing success of ransomware has led one of our senior security researchers to suggest the possibility of the development of the ‘Ransomware of Things’ – a key chapter in the Trends report,” said FitzGerald.

A brief overview of the trends is below:.

RoT: Ransomware of Things. How ransomware is evolving and could potentially take over every single device

The new goal of “jackware” is to lock up a car or other IoT device until you pay up. Let’s not forget the Jeep and Tesla cars that were jacked. In Tesla’s case, it was a remote hack with no physical connection or changes to the car. But there were other hacks via keyless entry, Internet radio and more. And kid’s toys, web camera’s, routers and more were jacked too.

ESET says that these are all challenges to be solved – and they will be especially as the US Department of Homeland Security has become involved and published the Strategic Principles for Securing the Internet of Things.

Security education and social responsibility – IT security education should be on every level of society: school, university, companies, governments

ESET says the threats may be changing but not the attack vectors – and humans are still the weakest link. While many may marvel that the Nigerian 419 scam still extracts millions of dollars, human gullibility is responsible for much bigger cyber crime returns.

Attackers continue to entice victims into naïve – and in many cases, irresponsible (albeit unknowingly) – behaviour with deceptive emails and messages on social media, as well as booby-trapped USB devices left lying around, all aimed at tricking them into compromising the safety of their own systems

Education is not a matter of age but there is a paradox – the more we know the less safe we feel.

To turn the tide, active participation by governments and companies is necessary. We have reached a point at which education on security issues must be handled in a formal manner, and companies should not simply relegate these issues to be covered as a one-off when inducting new employees. It must be a continuous and ongoing effort. End users must feel they are a part of the entire security chain and must understand firstly, that these threats do exist, and secondly, that the necessary mechanisms to use technology securely also exist.

Mobile security: the reality of malware... augmented?

Smartphones and tablets have evolved into their own ecosystem with their own vulnerabilities and unique hardware to exploit. The issue remains that few app developers are concerned or can afford to run vulnerability assessments and code auditing from independent, external experts, before releasing their products to the public.

Android was installed on 86.2% of mobile devices in use. The large number of people using this OS

makes it the preferred target for attackers. Its migration to other devices such as tablets, Televisions, wearables, and cars, makes it a potential vector for multi-platform attacks in ever more complex scenarios as new internet-connected home automation systems are developed.

A common occurrence in recent times has been the emergence of malicious apps in the official iOS and Android app repositories, a phenomenon that at first seemed extremely rare but that has unfortunately become more common over time. This trend has even affected the Apple App Store, which theoretically has more controls than the Google Play Store for Android.

Vulnerabilities: Reports are decreasing, but are we safer? Critical vulnerabilities are on the rise

The rapid global spread of technology and the increasingly numerous types of interconnected devices routinely used, have greatly increased the number of attack vectors available to cyber criminals. This is why the exploitation of vulnerabilities is still one of our major concerns when it comes to corporate security incidents around the globe.

Companies today, though more concerned with security incidents such as information leaks or unauthorized access to sensitive data, have not substantially improved their security management practices. Therefore, the main challenges to the corporate world in 2017 relate to focusing efforts on the management of technology, and the need to raise their employees’ awareness of these risks. This is due in large part to the need for compliance with standards imposed by business regulators.

Next-gen security software: myths & marketing

Distinctions between ‘fossilized’ and ‘next-gen’ products are often terminological rather than technological.

The self-styled next generation must come to terms with its own limitations, moderate its aggressive marketing, and learn the benefits of cooperation between companies with differing strengths and capabilities, we may yet all benefit from the détente.

Healthcare challenges: ransomware and the Internet of Things are the tip of the iceberg. Securing medical and fitness devices

2016 saw a surfeit of successful ransomware attacks in a variety of industries, and medical facilities have been a particularly juicy target for this type of threat. This, coupled with an upsurge in internet-connected medical devices and fitness trackers, indicates that the future of healthcare is likely to continue to bring significant challenges.

Manufacturers of both personal and hospital-based medical devices can lead a shift towards better security by giving it serious consideration, starting in the design phase.

The security of the healthcare industry is likely to be in the spotlight for the foreseeable future. Despite the current troubles, the opportunity exists to make a significant transformation that could serve as a model of positive change for other industries, as the Internet of Things makes its way into our homes and workplaces.

Threats to critical infrastructure: the internet dimension.

Malware-influenced power outages such as BlackEnergy and others affecting more critical infrastructure (power, water but also supply chain and even Smart Cities such as San Diego) could be more frequent than we thought.

As the global landscape becomes increasingly interconnected and interdependent across political, physical, and ideological boundaries, expect an interesting and complex mix of political and social reactions from nation states that now need to wrestle with the implications of an attack on this critical infrastructure, and what, if any, is an appropriate defensive and/or offensive response to an attack.

Challenges and implications of cybersecurity legislation – global policy needed

Legislation in several countries requires increased and improved security, based on objective moral and ethical criteria. The promulgation of laws relating to the scope of cybersecurity highlights the importance of implementing large-scale regulatory frameworks, which would contribute to reducing security incidents and preventing IT crime, all while developing and establishing a culture of cybersecurity.

However, there are no perfect laws, no universal concepts and more loopholes than honest lawyers. A growing trend in the development of new legislation is that it simply defines how a country's assets are protected in the context of cybersecurity.

Gaming platforms: the risk of integration between consoles and computers

The integration of gaming consoles with computers is growing and this could have an impact in terms of information security. On one side, there are many hardware resources available, which could be interesting for an attacker. On the other, video games are integrating with computers such as the Xbox connecting with Windows and starting to share login credentials and so on. It is also important to note Steam Machine and its security implications and secure software development has a bigger role in the gaming industry.

The ever-increasing number of players, in conjunction with in-game monetary transactions, poses major security challenges for the future. On top of that, integrated networking of gaming consoles with computers and mobiles is growing fast, this can have a significant impact on gaming’s information security in the coming years.