By: Sanjai Gangadharan, Regional Director-SAARC, A10 Networks
From the BBC attack on New Year’s Eve to TalkTalk and Stagefright to fishy root certificates, 2015 was a memorable year for cyber-security. We witnessed fewer widespread, panic-inducing vulnerabilities in 2015 than in years past; while 2014 will go down in the security history books as the year of Heartbleed, ShellShock and point-of-sale malware, 2015 was comparatively tame until the largest DDoS attack ever, against the BBC, closed out the year with a bang! At over 600 Gbps, the attack in which hackers took down the BBC global website is being called the largest DDoS attack on record.
However, trends like the Internet of Things (IoT) and cloud networking did generate a host of new threats. Researchers revealed attacks that could compromise connected devices such as cameras, cars, and rifles. Stagefright was at the top of the list of mobile security risks; it allowed malicious users to exploit Android devices simply by sending a malicious MMS message. With over 90% phones in India being powered by Android, it is hard to ignore this security threat that Stagefright poses.
With the blurring of network boundaries and the increasing number of connected devices, we predict even more attacks and vulnerability disclosures in 2016.
#1 – Attacks hidden in SSL traffic will exceed attacks in clear text
Over the past few years, SSL encryption has become all the rage for both application owners and hackers and for good reason. Encryption improves security by providing data confidentiality and integrity.
Unfortunately, encryption also allows hackers to conceal their exploits from security devices like firewalls, intrusion prevention systems, and data loss prevention platforms. Today, encryption accounts for roughly one-third of all Internet traffic, and it is expected to reach two-thirds of all traffic in 2016. Internet powerhouses like Facebook and YouTube, which are the top websites in India, have already transitioned to SSL. As a result, encrypted traffic will simply become the “go-to” way of distributing malware and executing cyber-attacks. Whether sharing a malicious file on a social networking site or attaching malware to an email or an instant message, many attacks will be cloaked in SSL.
To counter the threat posed by SSL encryption, organizations can decrypt and inspect inbound and outbound traffic for cyber-attacks. A dedicated SSL inspection platform enables third-party security devices to inspect encrypted traffic and eliminate the blind spot in corporate defences.
#2 – IoT will gain notoriety as both an attack target and an attack source
With the continued rapid growth in the Internet of Things (IoT), we expect to see an increase in both the number and severity of active exploits of connected devices. Analysts predict that there will be over 5 billion connected “things” by the end of 2016, and as the number of devices leveraging personal information grows, we’ll start hearing about exploits targeting consumer-oriented IoT devices. This will lead to more vocal advocacy for consumer protection through government regulation or, more likely, industry-driven mandates similar to those defined by the Payment Card Industry Data Security Standard (PCI DSS). Privacy and security concerns are deterring Indians from adopting devices and solutions based on the Internet of Things (IoT), according to a new report. About 70% of the consumers surveyed cited security concerns as one of the main reasons for not using an IoT device.
IoT-specific threats are exacerbated by a number of factors:
- The number of connected “things” is outpacing the ability to secure them.
- Many devices have little to no security built in.
- There is no formalized process for securing IoT devices.
- An increasing number of devices provide access to personal information.
- Meeting demand for capabilities will continue to be a higher priority than security.
#3 – Attackers will target mobile app vulnerabilities
2016 will see a continued rise in the number of attacks targeting mobile devices – something that probably won’t come as much of a surprise to anybody. But the scope of the problem and the potential for damage will. The sheer volume of mobile devices, the amount of malware (20 million apps by the end of 2016, according to Trend Micro), and the inherent vulnerabilities present in even legitimate mobile apps means that a major breach is bound to happen, potentially on a massive scale. A mobile security report claimed that in 2015 as many as a million Android mobile devices were infected in India. While one million seems to be a small number in the face of the total number of smartphone users in India, what one should focus on is the rising number of Android viruses which, according to the survey, has exceeded 9.5 million.
Additional threats exist in spear phishing attacks that exploit the fact that mobile users are more likely to click on a malicious link simply because it’s harder to identify it as suspicious on a smaller screen. And malware designed to look like valid apps can convince unsuspecting users to enter login data that can then be used to gain access to legitimate sites storing detailed personal and financial data. Mobile device users, particularly Android owners, need to remain diligent in validating what apps they choose to download and the attachments they choose to open.
#4 – Cloud services will increase attack surface and burden perimeter security
Back in the good old days, networks were relatively well-defined. Servers were provisioned in the data center or the DMZ. Organizations could lock down their sensitive data and carefully monitor access to servers with data center and intranet security tools.
Those “good old days” are gone. Today, many organizations are migrating their application servers to the cloud or they are ditching their existing applications and moving to software-as-a-service (SaaS) solutions such as CRM, HR, email and file sharing apps.
The transition to cloud services has slashed costs and allowed easy access to business apps from any location. However, cloud applications have also introduced new security challenges, including:
- An increased attack surface: With applications hosted in the cloud, malicious users can now attack apps from any location and any device.
- Uneven data monitoring and auditing: Organizations should track access to sensitive data to detect and stop suspicious activity and for forensics. But it is much more difficult to monitor access to third-party SaaS applications than internal apps, because the apps are hosted in the cloud and application traffic is often encrypted.
- Limited control over security: Organizations must rely on SaaS vendors to implement strong defences and to quickly fix vulnerabilities that arise. While many SaaS vendors have undergone rigorous SAS 70 or ISO 27001 audits, they are also under pressure to rapidly innovate and to support Application Programming Interfaces (APIs) for third-party integration; business demands could lead to more vulnerabilities.
- Increased traffic at the network perimeter: The adoption of cloud-based services will inevitably increase the load on secure web gateways and perimeter firewalls. Since much of this traffic is encrypted, businesses must ensure that their security devices can keep up with demand.
#5 – Drone-related threats will grow
Attack of the Drones
Consumer drones will get bigger in 2016, with expectations to generate over $1 billion in revenues. But their increased popularity will also introduce new cyber security and physical security risks.
Drones serve a myriad of purposes, from military to agricultural to surveillance applications to even delivering packages from the sky. During the torrential December floods in Chennai, India, police used drones to locate and rescue 200 stranded citizens. However, drones also present a wide range of risks, from privacy invasion to corporate espionage to terrorism.
While drones do not pose as serious a threat as other cyber security attacks such as malware, IT administrators should consider any potential cyber security or physical security risks that drones pose for their organization in 2016.
What You Can Do to Prepare for 2016
While it is challenging to predict which threats will cause the most damage in the future, we believe that trends like encryption, IoT, mobility, cloud and Internet-connected drones will introduce dangerous security risks in 2016.
To prepare for these risks, organizations should implement a multi-layered defence that can protect servers and endpoints, whether those servers are hosted in a data center or in the cloud and whether endpoints are traditional computers or mobile devices. The ability to decrypt and inspect encrypted traffic, so that security devices no longer have a blind spot in corporate defences, would also be an effective way to prepare for these risks. While employees cannot always predict the future, organizations will be ready to handle future risks with the right security technologies and processes in place.