The information security threat landscape is constantly evolving. To help you navigate the terrain, each year the Information Security Forum (ISF) — a nonprofit association that researches and analyzes security and risk management issues on behalf of its members — puts out its Threat Horizon report to provide members with a forward-looking view of the biggest security threats over a two-year period. What follows are the nine biggest threats on the horizon through 2019 that your organization may have to manage and mitigate.
Theme 1: Disruption from an over-reliance on fragile connectivity
Organizations today depend on instant and uninterrupted connectivity, smart physical devices and trustworthy people. But that dependence makes them vulnerable to attacks on core internet infrastructure, devices used in daily business and key people with access to mission-critical information.
"We've been dependent on the internet for so very long," says Steve Durbin, managing director of the ISF. "We've gotten to the point where we view it as any other utility. If you suddenly cut off the electricity, it's a major issue. Corporations have backups in place for other utilities — generators for instance. No one has really done that for the internet. They just assume it's going to be there."
To defend themselves, Durbin says, organizations need to rethink their defensive models, particularly regarding business continuity and disaster recovery plans. Plans that rely on employees working from home won't survive attacks that remove connectivity or that target key individuals. ISF recommends that revised plans cover threats to physical safety as well as periods of operational downtime caused by attacks on infrastructure, devices or people.
Premeditated internet outages bring trade to its knees
As conflicts across the globe increase in number and severity, ISF predicts that within the next two years, nation states and other groups will seek new ways of causing widespread disruption, including internet outages at the local or even regional level. Commercial and government organizations are likely to be considered legitimate targets, and industries stand to lose millions of dollars if communications systems fail and trade grinds to a halt.
Given the increasing prevalence of 'just-in-time' supply chain models, even brief disruptions can lead to shortages, Durbin says. Financial services institutions are also vulnerable, and outages that target them could lead to cascading failures. For instance, if clearing houses (institutions that settle payments) lose connectivity, organizations across all industries may lose the ability to initiate or receive payments for the duration. Even government services like law enforcement depend on connectivity for communications.
Attacks in this realm could involve physically cutting cables (possibly undersea, where repairs could take significant time), rendering root DNS or datacenters useless, distributed denial of service (DDoS) attacks that harness massive botnets, or even manipulating internet addresses and routes to ensure traffic doesn't arrive at its stated destination.
ISF says containing the chaos caused by such an attack will require coordination by central governments through their critical national infrastructure programs. Individual organizations must also understand the extent of their reliance on the internet and have plans in place to address the risk of attacks that recur on a relatively frequent basis.
The ISF recommends you do the following:
- Engage with internal and external stakeholders to agree to alternative methods of communication
- Develop relationships with regional bodies (e.g., governments, competitors, industry forums) to create new, standardized contingency plans for when internet communications fail
- Assess communications providers' contingency plans; insist that they align with standardized or organizational plans, while partnering to ensure gaps are addressed
- Plan for alternative supply chain models for critical systems and services
Ransomware hijacks the internet of things
Criminals are increasingly profiting from ransomware — encrypting a victim's data and then demanding payment for the encryption key. According to a report released by Symantec last year, the average ransoms for data demanded by criminals jumped from $294 in 2015 to $679 in 2016. And the U.S. Federal Bureau of Investigation (FBI) estimated last year that cybercriminals would generate about $1 billion in revenue from ransomware by the end of 2016.
The ISF believes that over the next two years, cybercriminals will increasingly focus their ransomware efforts on smart devices connected to the Internet of Things (IoT). Attackers may hold specific devices for ransom, but the ISF believes they will also use the devices as gateways to install ransomware on other devices and systems throughout organizations.
Such attacks have the potential to disrupt business operations and automated production lines. But they could also prove deadly if they affect medical implants or vehicle components.
"Medical devices, manufacturing, we've put all of these 'things' out there," Durbin says. "Driverless cars, transportation, railways, financial services. We've embedded smart devices in all these areas, but we never really thought things through to this next stage. All of these things are out there in the real world. It's a bit like shutting the stable door after the horse has bolted."
Durbin says manufacturers of connected devices need to work with their customers to address security vulnerabilities and, at minimum, ensure that basic security features are always enabled. All organizations need to identify how they currently use connected devices, how they plan to increase use in the future and what the impact would be if one or more devices are affected by ransomware.
The ISF recommends you take the following actions:
- Apply pressure on manufacturers (e.g., via industry bodies) to build comprehensive security features into devices.
- Engage with industry bodies to lobby for (and influence) regulation ensuring minimum security standards for IoT devices.
- Raise the profile of the ransomware threat across your organization and mandate minimum security requirements for procurement of IoT devices.
- Incorporate IoT-related ransomware scenarios into your business continuity planning and run regular simulations.
- Collaborate with manufacturers and customers to gather threat intelligence about the IoT devices you use.
Privileged insiders coerced into giving up the crown jewels
Your business may be high-tech and digital, but your employees exist in the physical world, and that makes them vulnerable to blackmail, intimidation and violence. The ISF says that over the next two years, well-funded criminal groups will combine their global reach and digital expertise with the very real threat of violence to threaten privileged insiders to give up mission-critical information assets (e.g., financial details, intellectual property and strategic plans).
These privileged insiders may be senior business managers and highly placed executives, but they could also be their personal assistants, systems administrators, infrastructure architects, network support engineers and even specific external contractors. Extreme cases could involve "tiger kidnapping" of the insider's family.
ISF believes criminal gangs are likely to turn to these methods for these three reasons:
- They can significantly reduce the level of cyber expertise they require and replace that expertise with "muscle."
- They can continue to have access to compromised individuals and persuade them to act again.
- They can steal mission-critical information while operating at "arm's length."
To protect yourself against these threats, ISF recommends you take the following actions:
- Identify your mission-critical information assets and the individuals who own and access them.
- Invest in special measures to protect individuals with privileged access (e.g., instruction in physical security precautions; exposure to social engineering methods).
- Implement mechanisms to protect your organization against the insider threat (e.g., screen prospective employees; embedding appropriate clauses in employment contracts).
- Adopt a trust-but-verify approach to privileged insiders (e.g., foster a culture of trust, while verifying and monitoring appropriate system access).
Theme 2: Trust in the integrity of information is lost to distortion
To make good decisions, your business depends upon accurate and reliable information. If the integrity of that information is compromised, so is your business. This issue has risen to prominence recently with the 'fake news' that has begun swirling around major politicians. The ISF believes that over the next two years, attackers will spread lies or distort internal information in the hope of gaining a competitive or financial advantage at the expense of targets' reputations or operational effectiveness.
"With volumes of data increasing to the levels that they are, we've reached a point where it's absolutely impossible for anybody to really, absolutely ensure the integrity of data," Durbin says. "How do we work with the business to ensure we make the information they're using to make decisions as accurate as possible? We're going to see this change in the way that the CISO, in particular, is viewed within the enterprise. We've for so long assumed this is an IT security thing, but CISOs have been talking about their role and how that has evolved much more to reflect the business; it's more akin to risk management in the information space."
Durbin says organizations can reduce the effect of misinformation through proactive means: Monitoring what others say about the organization online and keeping track of changes made to internal information to provide early warning signals.
Automated misinformation gains instant credibility
Advances in artificial intelligence (AI) personas allow for the creation of chatbots that will soon be indistinguishable from humans. Attackers will be able to use these chatbots to spread misinformation targeting commercial organizations: without ever breaching an organization's digital boundary, an attacker could damage that organization's reputation by spreading convincing misinformation about its working practices or products. A single attacker could deploy hundreds of chatbots, each spreading malicious information and rumors over social media and news sites.
Attacks won't just target reputation. Fake news can also be used to manipulate a company's share price. German payments company Wirecard AG found that out the hard way in February of last year, when a fake report 'detailed' fraudulent activities by the company. While the report was later proven fake, the company's share price plummeted and took three months to recover.
You won't be able to stop chatbots from disseminating misinformation about your company, but recognizing the threat and incident response planning can mitigate the damage.
To protect your organization, the ISF recommends you do the following:
- Build scenarios covering the spread of misinformation into your overall incident management process.
- Extend monitoring of social media before and after big organizational announcements or events.
- Combine forces with industry bodies to lobby governments and regulators to investigate ways of identifying and prosecuting those spreading fake news and misinformation.
- Consider increasing existing social media output to proactively counter the spread of misinformation (e.g., encourage employees to spread legitimate news and report suspicious posts).
Falsified information compromises performance
Organizations are increasingly reliant on data to drive their decision-making, and that means criminals and competitors can add information distortion to their toolbox of threats. The ISF believes three types of attack on the integrity of information will become commonplace over the next two years:
- Distorting big data sets used by analytics systems.
- Manipulating financial records and reports, or bank account details.
- Modifying information before leaking it.
For instance, consider a utility company that analyzes data from smart meters to balance the amount of electricity it generates against current demand. An attacker could manipulate smart meter data to falsely show high demand. Such manipulation could cause a surge in electricity generation. If that surge is significant enough, it could cause the electricity supply grid to fail.
Bogus or distorted data could also significantly affect pharmaceutical research, which is increasingly turning to big data analytics to improve the speed of modeling and trialing new drugs.
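The smart meter scenario above, and the earlier point about keeping track of changes to internal information, both come down to checking integrity before data drives a decision. The following added example (not from the ISF report or the article) shows one way to do that: each meter reading carries an HMAC under a per-meter key, and the demand aggregation only counts readings whose MAC verifies and whose value is plausible. The meter keys, the 50 kW plausibility bound and all readings are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed per-meter secrets (hypothetical; in practice provisioned at manufacture).
METER_KEYS = {
    "meter-001": b"key-for-meter-001",
    "meter-002": b"key-for-meter-002",
}

MAX_KW_PER_METER = 50.0  # assumed plausibility bound for a single household meter

def canonical(reading):
    # Deterministic serialization of the authenticated fields only (the MAC itself is excluded).
    return json.dumps({k: reading[k] for k in ("meter_id", "ts", "kw")}, sort_keys=True).encode()

def sign_reading(reading, key):
    # What a meter would attach before transmitting a reading.
    r = dict(reading)
    r["mac"] = hmac.new(key, canonical(r), hashlib.sha256).hexdigest()
    return r

def verify_reading(reading):
    # Recompute the MAC with the meter's key; constant-time compare avoids timing leaks.
    key = METER_KEYS.get(reading.get("meter_id"))
    if key is None or "mac" not in reading:
        return False
    expected = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, reading["mac"])

def aggregate_demand(readings):
    """Return (total_kw, rejected) counting only authenticated and plausible readings."""
    total, rejected = 0.0, []
    for r in readings:
        if not verify_reading(r):
            rejected.append((r.get("meter_id"), "bad-mac"))      # modified in transit or forged
        elif not 0 <= r["kw"] <= MAX_KW_PER_METER:
            rejected.append((r["meter_id"], "implausible"))      # authentic but out of bounds
        else:
            total += r["kw"]
    return total, rejected

# Constructed traffic: two genuine readings, one altered in transit, one authentic but absurd.
genuine = [
    sign_reading({"meter_id": "meter-001", "ts": 1700000000, "kw": 2.5}, METER_KEYS["meter-001"]),
    sign_reading({"meter_id": "meter-002", "ts": 1700000000, "kw": 3.0}, METER_KEYS["meter-002"]),
]
tampered = dict(genuine[1]); tampered["kw"] = 45.0   # MAC no longer matches the inflated value
rogue = sign_reading({"meter_id": "meter-001", "ts": 1700000060, "kw": 500.0}, METER_KEYS["meter-001"])

def demo():
    return aggregate_demand(genuine + [tampered, rogue])

if __name__ == "__main__":
    print(demo())   # (5.5, [('meter-002', 'bad-mac'), ('meter-001', 'implausible')])
```

Rejected readings are returned rather than silently dropped so that a spike in rejections can itself serve as the early warning signal the text describes.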
Durbin says organizations need to start preparing now to ensure information risk assessments address the likelihood and impact of attacks on integrity.
To prepare, the ISF recommends you take these actions: