Security, DevSecOps

What’s in store for the realm of IT security in 2018?

In 2016 and 2017, we saw major security breaches that shook both enterprises and governments. Here is a selection:

  • WannaCry ransomware: a self-propagating worm that infected over 230,000 computers in over 150 countries, spreading through a Windows SMB vulnerability for which Microsoft had shipped a patch (MS17-010) two months earlier

  • HBO’s ‘Game of Hacks’: unreleased Game of Thrones footage and scripts stolen and held for ransom

  • NotPetya: destructive wiper malware dressed up as ransomware, causing hundreds of millions of dollars in losses at companies including shipping giant Maersk

  • Facebook and Google defrauded of over $100m by a Lithuanian fraudster using forged supplier invoices (a business email compromise scheme, not a technical intrusion)

  • Equifax breach: personal data of 143 million consumers exposed through an unpatched Apache Struts vulnerability in a public-facing web application

  • Deloitte breach: an administrator account without two-factor authentication gave attackers access to the firm's email system, at a company that sells cybersecurity consulting. Not at all ironic.

  • NSA: reports that classified material and hacking tools were stolen from the US signals intelligence agency, with Russian or North Korean state actors suspected.

Don’t expect the pace of attacks to slow down anytime soon.

You can, however, count on the nature and types of attacks to continue evolving. As we explain below, this evolution will define the IT security threat landscape in 2018.

1. New Points of Entry and Methods of Attack

In many ways, online security is a classic contest between offense and defense, with first one, then the other getting the upper hand. As security experts find and patch existing vulnerabilities and devise ways of counteracting the latest methods of attack, cyber criminals and other malicious parties look for new points of entry.

Recently, we have seen attackers exploit vulnerabilities in widely used but under-protected systems, such as Internet of Things devices (the Mirai botnet of 2016 being the obvious example) and public Wi-Fi access points. In 2018, cyber criminals will find new vulnerabilities of this type, even as they continue to exploit existing points of entry that remain unpatched and largely undefended.

We can expect greater penetration into the Internet of Things, with the devices themselves exploited as targets rather than simply conscripted as platforms for DDoS attacks. We can also expect rogue Wi-Fi access points to be joined by rogue cell sites (IMSI catchers), and to see both devices and online services with publicly exposed APIs become targets.

Note that nearly all of these points of entry lead either directly or indirectly to the cloud. Because cloud services are by design reachable from any device that acts as a client, a compromised device or stolen credential inherits whatever access that client had, so a new vulnerability on the endpoint should be treated as a path into the cloud estate. This also means that the ultimate goal of at least some malicious actors will be to get past cloud service providers' defenses and attack the cloud platform itself.

2. New Targets

Along with new points of entry, we can expect new targets, particularly for ransomware attacks and related criminal enterprises. Hospitals and other health service providers will continue to be targets, and there is a strong possibility that cyber criminals will turn their attention to life-support devices and the medical equipment required for lifesaving procedures, where downtime is measured in lives rather than revenue.

In addition, it is important to note that many important elements of physical infrastructure are still controlled by unprotected or underprotected SCADA-based systems, often speaking industrial protocols with no authentication and running on devices that cannot be patched without taking the plant offline. These systems represent targets for both ransomware and politically motivated attacks.

Other less vital, but still important targets are likely to receive more attention. These may include such things as point-of-sale systems, and even inventory control and automated warehouse management software for large retail enterprises.

All applications involved in any stage of a financial transaction should be considered likely targets for attack, if they have not already been exploited. Many smaller businesses continue to use general-purpose applications (such as spreadsheets) for not only transaction records but also customer data, very often stored on computers and networks without adequate security. While the volume of information that could be retrieved from a single small business may not be large, the sheer number of lightly protected recordkeeping systems makes them a tempting set of potential new targets.

In many cases, key elements of the software used in these vulnerable systems either have moved or are moving to the cloud. This means that the cloud itself becomes a tempting point of entry for exploiting the target devices and systems. That in turn means that cloud service providers and other companies offering cloud-based services or hosting are likely to be held increasingly responsible, at least in part, for the security of such targets.

3. Increased Large-Scale Criminal Activity

There is likely to be no letup in the volume of financially motivated online criminal activity. In fact, as criminals find new points of entry and new targets, we can expect to see a significant increase in both the volume and cost of such attacks. It is now clear that even very large and technically very sophisticated enterprise-level corporations will, under some circumstances, pay out large amounts of money either in ransom or to prevent news of a break-in from becoming public.

One of the very unfortunate effects of this willingness to pay is that more current and would-be cyber criminals are likely to be tempted to get into the act. Stolen customer data is usually valuable in and of itself; when the company or organization from which it was stolen also pays hush money, the criminals profit twice. Add the sometimes enormous number of records obtainable from one major target, and it becomes apparent that the existing (and often inadequate) state of cyber security is likely to draw in more large-scale criminal groups. Take Uber, which in 2016 paid a 20-year-old hacker $100,000 to delete, and stay silent about, the data on 57 million riders and drivers he had stolen!

As more financial and customer-oriented big data moves into the cloud, it becomes increasingly important for cloud-based developers and service providers to make the transition from security as a bolt-on service to security fully integrated into the software delivery pipeline.

4. More Frequent Large-Scale, Politically-Motivated Attacks

It is clear that we have now entered the era not only of cyber warfare, but also of attacks on information-based systems as a political weapon by non-governmental actors. Among other things, this means that the resources which can be brought to bear in mounting an attack may be much greater and much more sophisticated than would be the case in an attack made purely for financial gain.

It also means that the actual targets of an attack are likely to be different and may be harder to identify. While most high-value military and intelligence data is stored on systems with hardened security, many of the records kept by civil government are not as well-protected. In addition, crucial hardware, software, and data required for the operation of a political system may be highly vulnerable. These can include such things as voter records, voting machines, and systems for identification of citizens.

In many cases, when these systems were first put in place, their potential vulnerability was not recognised or well understood. At some point in the future, all or most potential targets for politically motivated cyber attack may be adequately hardened. Until and unless that happens, however, there's likely to be a growing demand for security applications and services which can detect and possibly prevent such attacks.

5. Continued Shortages in Security Staffing and Funding

It would be nice at this point to be able to say that security programs in both government and private industry will have the staffing and the funding that they need. The truth, however, is that the demand for trained security personnel is likely to continue to outstrip the supply, and that many businesses will be reluctant to commit adequate funds to programs which, while they promise to cut losses, will not directly bring in profits.

According to ESG research from early 2017, 45 percent of organizations report a problematic shortage of cybersecurity skills. From another perspective, 49 percent of cybersecurity professionals are solicited about other jobs at least once a week!

It will take time for businesses and government agencies to fully recognize the need for adequate security, and it may take more time to train the next generation of security personnel.

For now, cloud service providers and other businesses involved in developing and maintaining cloud-based infrastructure may be forced by circumstance to take up the role of forward defense against both criminal and political cyber attacks. This means increased monitoring, more sophisticated security-oriented analytics, and above all, a recognition that such frontline operations may be at times the only line of defense for key institutional targets in both government and private enterprise.

Conclusion: Security Can No Longer Be an Afterthought!

The stakes are rising while the resources enterprises need to secure themselves continue to be hard to find. A security-first mindset is key to maximizing the resources companies do have. This means moving away from tacking security on at the end of the software development lifecycle (SDLC) or an infrastructure deployment and, instead, embedding security checks into each stage of the SDLC from the beginning.
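To make "embedding security into each stage of the SDLC" concrete, here is an added example of what one such stage looks like: a pre-merge gate that fails a build when a hard-coded credential or a known-vulnerable pinned dependency is committed. This is illustrative code written for this article, not Contino's tooling or any product; the advisory list, the package names (`examplelib`, `demoparser`) and the sample files are constructed for the example, and in a real pipeline the advisory data would come from a live vulnerability feed and the secret rules from a dedicated scanner.

```python
"""Minimal CI security gate: fail the build on hard-coded secrets or on
pinned dependencies below a known fixed version.
Example code added to this article; advisories and sample input are constructed."""
import re
import sys

# Credentials that must never be committed. The AWS access key ID format
# (AKIA followed by 16 upper-case alphanumerics) is the documented one; the
# second rule catches password/token literals assigned in code or config.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|token|api_key)\b\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Constructed advisory list with hypothetical package names: any pinned
# version strictly below `fixed` is treated as vulnerable.
ADVISORIES = [
    {"package": "examplelib", "fixed": "2.4.1", "id": "EXAMPLE-2018-0001"},
    {"package": "demoparser", "fixed": "0.9.0", "id": "EXAMPLE-2018-0002"},
]


def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) for comparison; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def find_secrets(text):
    """Return (line_no, rule) for every line matching a secret pattern."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for rule, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                hits.append((n, rule))
    return hits


def find_vulnerable_pins(requirements, advisories=ADVISORIES):
    """Match 'name==version' pins against the advisory list. Unpinned or
    range-pinned lines are reported too: a gate cannot vouch for a version
    it cannot see."""
    findings = []
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if not m:
            findings.append((line, "unpinned"))
            continue
        name, ver = m.group(1).lower(), m.group(2)
        for adv in advisories:
            if adv["package"] == name and parse_version(ver) < parse_version(adv["fixed"]):
                findings.append((line, adv["id"]))
    return findings


def security_gate(source, requirements):
    """Run both checks; return (passed, findings) so CI can fail the build."""
    findings = [("secret", *h) for h in find_secrets(source)]
    findings += [("dependency", *f) for f in find_vulnerable_pins(requirements)]
    return (len(findings) == 0, findings)


# Constructed sample input: a config file with a leaked key and a password,
# plus a requirements file with one vulnerable pin and one unpinned package.
SAMPLE_SOURCE = """\
aws_region = "eu-west-1"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2"
"""
SAMPLE_REQUIREMENTS = """\
examplelib==2.3.0   # below the fixed version 2.4.1
demoparser==1.0.0   # already fixed
requests>=2.0       # not pinned, so it cannot be checked
"""

if __name__ == "__main__":
    passed, findings = security_gate(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS)
    for finding in findings:
        print("FAIL", *finding)
    sys.exit(0 if passed else 1)  # non-zero exit blocks the merge
```

Run as a pre-commit hook or the first job in the pipeline, a non-zero exit stops the change before it reaches a deployable artifact, which is the whole point of shifting the check left: the same finding caught after deployment is an incident rather than a failed build.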

  • Benjamin Wootton

    Co-Founder and CTO

    Benjamin Wootton is the Co-Founder and CTO, EMEA of Contino. He has worked with tens of enterprise organisations on DevOps transformation and is a hands-on DevOps engineer with expertise in cloud and containers.