As the year draws to a close, it’s time to face the facts: You are being deluged with 2016 predictions while you scroll through your news feed on your mobile device. And right here, right in the palm of your hands…that’s our very first prediction. Your security team has a device visibility problem.
Whether it is called BYOD, BYOx, IoT, or some other acronym, the fact is every workplace of every size needs to see the phones, laptops, access points, printers, and more in and around their network. 2015 was the year this hits home, and now as Hello Kitty gets hacked we can see that we are susceptible via any connected device. But it’s not just childhood playthings. Now, if we all agree this is a major trend, and you’re done reading all the other 2016 predictions, let’s look at specific device security trends (ahem, predictions) you’ll see come true in 2016.
So, as we continue to work hard to close out the year with a bang, we took some time to sit down together at Pwnie headquarters to sip some eggnog and discuss our predictions for the year ahead. Here are a few we came up with:
2016 will truly be is the “year of mobile” – because a company will be breached via an approved mobile device, but not in the way you’d expect.
To date, no one has publicly acknowledged that a misconfigured device led to a crippling breach – or worse, the demise of an enterprise. But in 2016, this will change: we’ll learn (and see proof) of the first major, publicly disclosed breach linked to a connected device. And as these device threats take the spotlight, organizations will increasingly seek out ways to achieve better visibility of the devices in and around their networks – for without this critical situational awareness, they cannot hope to effectively enforce even existing BYOD policies.
2016 is the year physical and cybersecurity truly intersects
Not long ago, a group of researchers demonstrated how to use a drone to intercept wireless printer transmissions from outside an office building, among other nefarious uses for drones. These use cases, as well as the integrated data we can now see via personal devices, are increasingly common and highlight the close link between physical and cyber security. In 2016, we’ll see more reports of seemingly innocuous, connected devices – like drones, health monitors, printers or even vacuum cleaners – being used to penetrate the network of an enterprise, each brought past physical security quite easily.
The perimeter is dead. Now it will be time to start acting like it.
While historically the defense industry has focused on building walls and “digging moats” to keep attackers out, the billions of devices in and around an organization act as countless new points of entry – ways for attackers to parachute in, often undetected. The perimeter is dead (and has been for some time). Companies will begin to shift the lion’s share of their time and resources fortifying their defenses and instead, start placing more emphasis on effectively detecting and responding to current threats and even in-progress attacks. Many of these involve devices lurking in and around the workplace and also the “human factor” – internal employees wreaking havoc, often unintentionally, but sometimes maliciously.
The insider threat is real. In 2016 we get real about it.
While the industry has been aware of insider threats for a long time, we are just starting to fully grasp the notion that knowing is half the battle. As more agile detection and remediation technologies are introduced, companies are realizing just how large of a threat insiders pose, and that attacks from within often create the most damage. A recent SANS Institute study showed that almost three-quarters (74%) of IT security professionals are most concerned about negligent or malicious employees who might be insider threats. The FBI and Department of Homeland Security agree that insider threats have increased and that such threats pose a serious risk. The biggest inhibitor of progress on this front has been cost – if the price tag is too high, CIOs tend to find it cheaper to simply ignore the threat. Yet they cannot continue to bury their heads in the sand when it comes to insider threats. The stakes are too high, and in 2016 we’ll see companies begin to take this far more seriously and stories will focus around people losing their jobs and perhaps even being charged with corporate espionage.
Taking digital forensics to the next level in 2016. Device intelligence will be utilized in new and innovative ways to aid local law enforcement in catching known criminals – a capability once reserved for top intelligence officials and the FBI. Additionally, advancements in device detection, fingerprinting and intelligence gathering will help organizations and government agencies assess hard-to-secure locations and people, such as SWAT or delivery vehicles, bases of military operations, and high risk targets such as politicians, celebrities or executives.
The in-security of political campaigns will become clear.
As the 2016 presidential primary season heats up, the field narrows and stakes for each remaining campaign are growing higher. A candidate’s most valuable assets – data and voter information, along with policy and political secrets – are now prime targets for cyber theft, fraud and even political hacktisvism. Yet According to the Online Trust Alliance (OTA), most presidential campaign sites have received failing grades on privacy, security and consumer protections. We expect to see more reports of frequent, and increasingly sophisticated targeted attacks on these largely insecure campaigns. Politicians and their campaign leads need to wake up and realize they simply cannot afford to NOT have cyber security at the top of their priority list. Read all about how campaigns can secure themselves in our blog post on the subject.
What do you think 2016 will bring? If you have thoughts on device security please also consider taking our 5-minute annual survey. For your five minute effort you’ll get the report AND be entered into a chance to win a 12-month subscription to Pwn Pulse and a Pwn Plug R3.