Cyber-criminals will target new payment technologies, Generic Top Level Domains (gTLD) and upcoming elections in 2016, states Raytheon|Websense in its recently published Cybersecurity Report.
While 2015 will go down as the year of the data breach, its researchers suggest to be on the lookout for presidential election cyber-antics; cybercriminals pickpocketing the wallet on your phone; and an increase in vulnerabilities from the aging Internet, among other security challenges.
“The increase in connectivity and the digitization of the daily lives of both businesses and the general public will also lead to an exploitation of payment systems, IOT devices and the reformulation of our current perception of privacy. Smart cyber security is no longer about just preventing a breach, but building the resiliency and the flexibility to respond to and minimize the potential negative outcomes of a breach,” Joshua Douglas, CTO, Raytheon|Websense explains.
Highlights of the report include:
• Attackers will use the attention given to political campaigns, platforms and candidates, as an opportunity to tailor social engineering lures. Others will focus on hacktivism, targeting candidates and social media platforms. In addition to the obvious social engineering of threats around political campaigns, platforms and candidates, the tools and infrastructure of those involved with the political process will be targeted (e.g. candidates, news sites, and support groups). Hacktivists may reveal unwelcomed personal details or use compromised accounts to spread false information appearing to come from the candidate. Security lapses and gaps in defenses will prove costly for those who are not diligent during this time.
• Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud. Hacks targeting mobile devices and new payment methodologies will impact payment security more than EMV (Europay, MasterCard, and Visa). The increase in non-traditional payment methods on mobile devices, or via beacons and smart carts, will open up the doors for a new wave of retail data breaches.
• The addition of the gTLD system will provide new opportunities for attackers. The number of gTLDs, as of November 2015, exceeds 700 domains and about 1,900 more are in the waiting list. As new top-line domains emerge, they will be rapidly colonized by attackers well before legitimate users. Taking advantage of domain confusion, criminals and nation-state attackers will create highly effective social engineering lures to steer unsuspecting users toward malware and data theft.
• Cybersecurity insurers will create a more definitive actuarial model of risk – changing how security is defined and implemented. Insurance companies will mature their offerings with qualifications, exceptions, and exemptions allowing them to refuse payment for breaches caused by ineffective security practices, while premiums and payouts will become more aligned with underlying security postures and better models of the cost of an actual breach. Further, insurance companies will greatly affect security programs, as requirements for insurance become as significant as many regulatory requirements (PCI, HIPAA, ISO 27001).
• The Internet of Things (IOT) will help (and hurt) us all. The boundaries between corporate and personal devices have become blurrier, causing increasing friction and security challenges affecting critical infrastructure. Industries that utilize a large number of connected devices and networked systems in the course of their everyday business, such as healthcare, are likely to face a wider range of security vulnerabilities and threats.
• Data Theft Prevention (DTP) adoption will dramatically increase in more mainstream companies. As a result of the very public breaches of 2015, predicted changes in cyber insurance, increased visibility in the boardroom for all things cyber and continued worries about data loss, there will be a more aggressive adoption of DTP strategies outside of its traditional financial services installation base. The prevailing assumption among security teams will become ‘we are already compromised” to help them strengthen their ability to deal with the inevitable.
• Societal views of privacy will evolve, with great impact to defenders. Increasing frequency of data breaches, such as the many seen in 2015, are changing the way we think about personally Identifiable Information (PII). Further breaches and loss of PII will drive major shifts in the way in which privacy is perceived. Just as the last decade saw the introduction of “the right to be forgotten,” anticipate that within the next decade similar large shifts in privacy rights and expectations will emerge.