Looking back at the big cybersecurity news stories of 2016, several trends stand out, which may provide a peek into what we, as cybersecurity professionals, should be preparing for in 2017. Since we know what happens to those who don’t learn from history, it’s worth the time to examine these trends to see how they can inform us and make our jobs a little easier, or at least more predictable, as we move into the new year.
2017 Is the Year We Pull the Plug on Usernames and Passwords
The volume and scale of credential theft have escalated over the past year, meaning there are hundreds of thousands of username/password combinations available either for free or at nominal cost. With the rise of software-as-a-service (SaaS) applications, users have been trained to input their credentials into cloud-based authentication sites to access critical services, which gives attackers a golden opportunity to spoof these systems and trick users into handing over their valid credentials.
Because they’re cheap to implement yet still effective, phishing emails with malicious links have been on the rise, often serving as the first step for many cyberattacks we saw throughout 2016. Despite years of warnings, people continue to use the same username and password for multiple accounts and/or neglect to regularly change both their username and password. Others may use the same username with small variations on their password, but this is almost as bad as using the same combination across multiple sites.
It’s time we all say, “Bye, bye!” to using usernames and passwords and start looking at alternative solutions. ID verification methods like multifactor authentication and biometrics have already been adopted by leading device OEMs, service providers and financial institutions, and consumers are increasingly comfortable using them. So what’s everyone waiting for? Let’s make 2017 the year the cybersecurity industry finally moves past simple usernames and passwords as the primary method for ID verification, especially since the alternatives are now so easy to use.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017
In a previous column, I wrote about how easy it is for cybercriminals with little to no technical expertise to launch attacks due to the widespread availability of exploit kits. But exploit kits aren’t the only way novice cyberattackers can get into the hacking business; there are sites on the internet now that provide cybercriminals with one-stop shopping for all of their needs. Want to purchase a list of stolen user credentials or credit card numbers? Need to rent an exploit kit for a few days to deliver your latest ransomware campaign to your unsuspecting targets? Better still, why not just contract with a cybercriminal-for-hire (you can pay them by the project or by the hour) to do your hacking for you?
All of these services and more are now just a few clicks away. 2017 is bound to see an increase in the number of attacks, particularly among smaller organizations that may have believed themselves less at risk compared to larger targets offering more substantial gains to cybercriminals. As the number of cyberattackers increases, thanks to the increasing availability and ease of use of today’s cyberattack tools, even smaller organizations will be at risk as more cybercriminals expand their target lists.
After Spending Big Bucks on Security Tech in 2016, Organizations Will Be More Process Focused in 2017
2016 saw record spending on the latest security technology, as organizations scrambled to ensure they wouldn’t be the next to fall victim to a high-profile cyberattack. Yet, with all of this technology adoption, why do successful attacks using previously known attack methodologies continue to plague us? An ad hoc collection of point security tools working independently of one another is bound to leave gaps in an organization’s security posture, and cybercriminals know how to exploit those gaps. Furthermore, since cyberattackers are constantly innovating new ways to circumvent defenses, it’s almost impossible for an organization to manually update its network’s security controls to protect against a threat landscape that changes daily.
In 2017, expect to see organizations spending more time focused on making sure existing security solutions are working well together as a platform, including the orchestration of protections across all locations and attack vectors. I also anticipate more organizations will adopt automated security approaches that can update themselves against the latest threats without human intervention. Automation will allow security teams to spend less time focused on attacks using established (but still dangerous) attack methods and more time on advanced threats that require human intervention.