2017 could be considered one of the most exciting (or horrifying) years in the technology industry. End-of-year statistics showed that the number of reported breaches in the business sector saw a 21% increase over the previous year, and headlines from all major news outlets were riddled with reports of hacks, data leaks, and high-profile vulnerabilities1. Experts in the cybersecurity field state that these numbers are showing no signs of slowing down, and project that there will be a similar trend into 2018 and beyond. While these statistics clearly support the idea that there are some serious gaps in information security, it is also important to understand the technical and economic factors that have allowed this gap to persist into 2018.
In 2017 there were “27 million developers working across 67 million repositories” on GitHub. These projects involve everything from social media to decentralized applications, artificial intelligence (AI), and machine learning2. Basic coding practices are being introduced earlier in education systems, and easy access to documentation and training are increasing the number of people with coding experience. Open-source technologies are readily available for aspiring developers to implement however they see fit, enabling the rapid development of disruptive technologies. In short, there are more developers with more tools at their disposal, and while we would like to think that these developers are well intentioned, it would be naïve to think that there aren’t individuals out there plotting to use these tools for nefarious purposes.
The availability of complex open-source tools allows malicious users to deploy more sophisticated attacks on larger scale. One such example is the use of artificial intelligence. The fifth most contributed project on GitHub in 2017 was Tensorflow, an open-source software library for machine learning and AI. Many security firms have been using AI to better detect and anticipate attacks, and it is very likely that hackers are integrating AI tech into their tool chest as well. One use case, as highlighted by the MIT technology review, illustrates how hackers could potentially create machine learning models to better craft fake messages for phishing attacks and maximize their return on investment3. This explains why MIT listed the weaponization of AI as one of the top cybersecurity threats of 2018.
While data breaches took the headlines in 2017, many IT professionals were working behind the scenes to patch their systems. Vulnerabilities had been discovered that affected millions of devices. Weaknesses were found in WPA2 and Bluetooth wireless protocols, which led to the release of the KRACK and Blueborne exploits. Similarly, successful exploits of the WannaCry and NotPetya malware cost businesses millions of dollars in 2017. This trend is set to continue as we move into 2018, especially with the discovery of the Specter and Meltdown vulnerabilities in early January that affect nearly all CPUs. Vulnerabilities like these are low-hanging fruit that hackers can use to gain unauthorized or privileged access to data or systems if left unpatched.
There is no better example of this than the Equifax data breach announced in September. Equifax had discovered that between mid-May and July of 2017, “cybercriminals accessed approximately 145.5 million U.S. consumers’ personal data.” They did this by exploiting a vulnerability in the Apache Struts web-application software. Arguably, one of the worst aspects of the breach is that it was totally avoidable. The exploited vulnerability (outlined in CVE-2017-5638) had been disclosed for two months before the breach.
So why is it so difficult to properly manage cyber risk in an enterprise environment? With the number of attacks on the rise, it is obvious that businesses need the proper people and technology to combat the rising threat. Unfortunately, as the cybersecurity industry expands, there aren’t enough security professionals to expand with it. Some estimates project that there will be 1.5 million unfilled cybersecurity jobs by 2019, and many existing IT professionals are lacking essential skills4. In addition, the speed with which the cybersecurity industry is evolving has made it difficult for formal education programs to stay relevant as technology changes rapidly. Many companies have leveraged third-party experts to help fill the gap.
Cloud Service Offerings
The maturation of cloud services has provided easy access to the underlying infrastructure needed to provision highly available applications, reducing time to market and startup costs. One 2017 report stated that budget allocations for information security is slowly being shifted from the network to the application and data layers5. This is because nearly all the requisite infrastructure that would normally need to be provisioned in-house can now be deployed in the cloud instantly and on-demand. Thus, new applications can be provisioned quickly and cheaply to gain a competitive advantage in new market segments.
Unfortunately, the economic incentive to be the first to market for a specific technology or service offering can stress the administrative processes required to build and maintain a secure system, service, or application. Therefore, the incorporation of cloud services, while beneficial, can make it difficult to properly define and manage cyber risk. In 2017 it was uncovered that Uber, which uses a hybrid cloud infrastructure, reported a data breach that happened in 2016, where they paid off hackers $100,000 USD to cover up the breach6. While cloud service offerings continue to grow, it is expected that high profile breaches such as these will continue into 2018 and beyond.
Historically, one of the chief deterrents for cyberattacks has been the difficulty in monetizing stolen information. In the past, investigators have had the ability to track the flow of funds between cyber criminals since currencies are traditionally centralized. However, new decentralized cryptocurrencies like Bitcoin (surpassing the $20,000 mark in 2017) built on blockchain technology have enabled cyber criminals to sell stolen information online with little to no risk of being discovered. Bitcoin itself has enabled several types of criminal activity such as money laundering, the online drug trade, and data theft. This issue has pushed U.S. law enforcement to invest heavily in the development of blockchain tracking technologies. Despite these efforts, there has been a shift in the cyber-underworld to more advanced crypto-currencies, such as Monero and Zcash, that use anonymous blockchains and the Tor network to allow criminals to cover their tracks. This means that the monetary incentives for hackers to steal data will continue and therefore perpetuate the increased numbers of attacks into 2018.
What You Can Do
Many organizations lack the expertise to properly combat evolving cyber threats and manage their cyber risk. Coalfire Systems has cybersecurity experts in many areas of compliance, cyber engineering, vulnerability assessment, and penetration testing. If you would like more information about Coalfire’s engineering services visit https://www.coalfire.com/Solutions/Cyber-Engineering to see how Coalfire can help your organization manage risk in the evolving cybersecurity landscape into 2018 and beyond.