As cybercrime evolves to blur and 2016 may see hackers rise in prominence as they target individuals, governments, businesses and connected devices to steal data, knock competitors offline and, in some of the most extreme cases, cause real-world damage that could lead to fatalities.
As consumers increasingly store everything from money to memories in the cloud, criminals are similarly putting their resources and efforts into targeting online networks. During the past 12 months we have seen hugely embarrassing data breaches like the one on adultery-promoting site Ashley Madison and at the U.S. Office of Personnel Management. We also saw connected devices — including guns and cars — being hacked, and the emergence of a new and highly-sophisticated hacking team called Equation Group, which was uncovered by researchers at Russian security company Kaspersky Lab and subsequently linked to the NSA .
International Business Times truned to some of the world’s foremost experts on cybersecurity to outline eight of the biggest threats and trends that may emerge over the next 12 months:
U.S. Presidential Race
David Gibson from Varonis says: “In 2016, a cyberattack will strike the campaign, causing a major data breach that will expose donors’ personal identities, credit card numbers and previously private political preferences.”
Besides facing their own cybersecurity threats on the campaign trail, the candidates will also be discussing cybersecurity as it relates to battling terrorism — following the Paris and San Bernardino mass shootings and the encryption debate they ignited.
While many derided Donald Trump’s recent assertion that Bill Gates could help turn off dark sections of the internet where terrorists communicate, his stance hasn’t yet dented his standings in the polls. The GOP front-runner has, however, incurred the wrath of Anonymous hacktivists, who have used crude attacks to knock some of his websites offline in recent weeks — and that’s likely to continue.
Besides attacks on candidates and campaigns, we’ll likely see cyber criminals exploiting the interest in the race via election-related phishing emails designed to lure victims into downloading malicious attachments or visiting compromised websites.
“Expect lures made to look like political party or candidate email, advocating an online petition or survey about specific election issues, linking to a supposed news story, or relaying information about voter registration or debates,” security company Websense says in its 2016 Predictions report.
Year of Extortion
Meanwhile, cyberattackers are getting better at preying on victims’ fears. By tailoring attacks to trigger known anxieties, a cybercriminal has a much higher chance of success. Thus we’ve seen the rise of ransomware, where people are scared into paying a fee to unlock their files rather than reporting the attack to authorities — and in 2016 this trend will continue.
“In 2016, online threats will evolve to rely more on mastering the psychology behind each scheme than mastering the technical aspects of the operation. Attackers will continue to use fear as a major component of the scheme, as it has proven to be effective in the past,” Trend Micro says in its 2016 Security Predictions report.
And attacks can be more precise. In the coming year, criminals will zero-in on specific individuals or businesses with attacks, seeking to undermine their reputation and extort money from them. With some identities now stored almost entirely online, the risk of having your biggest secrets exposed has grown exponentially and in 2016 expect to see criminals take advantage of that.
The Rise of iOS Malware
Before 2015, there was little evidence of successful attacks on devices running Apple’s iOS software, but in the past year we’ve seen a number of significant attacks , including XcodeGhost and YiSpecter. And while the ecosystem remains much safer than Google’s Android OS, 2016 could see attack levels increase significantly.
The reason for the increase is pretty simple. “If you view attackers as rational economic actors, investment in targeting iOS is logical, given Apple’s growing smartphone market share,” says Kevin Mahaffey, co-founder and CTO of mobile security specialists Lookout.
While Mahaffey doesn’t see widespread malware attacks taking place from the App Store, criminals will target a very specific subset of iPhone and iPad users: businesses. “We foresee growth in enterprise-targeted iOS attacks given the large amount of data stored on and accessible to enterprise mobile devices and the high prevalence of iOS devices in enterprise environments,” Mahaffey says.
Rise Of The Killer Robots
With everything from cars to kettles now being connected to the internet, the attack surface for criminals is increasing exponentially, with Trend Micro predicting that in 2016 at least one “consumer-grade smart device failure will be lethal.”
Smart-connected home device shipments are projected to grow at a compound annual rate of 67 percent over the next five years, and are expected to hit almost 2 billion units shipped in 2019 — faster than the growth of smartphones and tablet devices. The problem? There is little standardization, a wide range of operating systems, and an almost complete lack of regulation for smart devices. While there is no sign of a large-scale hacking attack, the Wi-Fi and Bluetooth networks these devices use will become clogged as gadgets fight for connections. This will, in turn, cause mission-critical tasks to suffer.
“The likelihood that a failure in consumer-grade smart devices will result in physical harm is greater. As more drones encroach on public air space for various missions, more devices are used for healthcare-related services, and more home and business appliances rely on an internet connection to operate, the more likely we will see an incident involving a device malfunction,” Trend Micro’s report says.
2015 was the year Apple Pay, Samsung Pay and Android Pay all hit the mainstream. While these provide consumers with a (mostly) fast and efficient way to pay for goods and services, they also offer a huge opportunity for hackers looking to steal people’s money.
“As adoption and the types of transactions capable on mobile phones increases, malware authors will also increase their efforts to steal from a digital wallet,” security company Websense claims in its predictions for 2016.
Internet Of Things
While the threat from a smart fridge or a connected lightbulb might be seen as low, when the smart home now consists of internet-connected smart locks and security cameras, the risks posed by hackers increase greatly. “Attackers can exploit the abundance of soft targets in many ways: from running malware that participates in DDoS attacks and spreading spam, to running proxies, scanning other machines, or — in the worst case — acting as a leverage point for compromising all other devices on the local network,” security company Imperva says in its annual predictions report.
While Mahaffey says Internet of Things and wearable devices are still not a priority for cybercriminals — with the exception of industrial IoT (e.g., manufacturing, the smart grid, nuclear facilities) — some predict that 2016 will see the first example of businesses being breached by a wearable:
“With the emergence of wearables in the enterprise, 2016 stands to be the year of the first breach, or network intrusion, caused by a wrist-bound device,” Yorgen Edholm , CEO of Accellion, says.
We are only into the second week of 2016 and already we have seen the first — and most worrying — example of what is likely to be a significant threat throughout the next 12 months. A power outage in Ukraine by a Russian hacking group called Sandworm is the first known case of a blackout induced by a cyberattack and could presage a year of significant problems for states around the world.
Security company Imperva says it “is only a matter of time before terrorists build cyberweapons” that will attack critical infrastructure. The primary targets for cyberweapons are industrial control systems and, according to Leo Taddeo from Cryptzone, a former special agent in charge of the cyber division of the FBI’s New York office, the same hackers who targeted the power grid in Ukraine have been monitoring similar systems in the U.S.
Traditional security measures such as firewalls and antivirus are not good enough to prevent these attacks, with experts suggesting that tight identity and access management as well as network traffic flow management are critical to preventing the malware from spreading from workstations to vital control systems.
With the proliferation of cyberattacks against the enterprise, one of the biggest trends of 2016 will be companies protecting themselves against the theft of customer data. “The cyber insurance market will dramatically disrupt businesses in the next 12 months,” says Carl Leonard, the principal security analyst at Raytheon Websense Security Labs. “Insurance companies will refuse to pay out for the increasing breaches that are caused by ineffective security practices, while premiums and payouts will become more aligned with the actual cost of a breach.”
In the coming 12 months, the requirements for cyber insurance will become as significant as regulatory requirements, impacting on businesses’ existing security programs, and companies will need to show how their technical solutions have reduced risk. “This is a significant shift from the current paradigm that often highlights implementation over efficacy, and a lot of security vendors won’t be happy,” Mahaffey says.