
Virtualization and Cloud executives share their predictions for 2016. Read them in this 8th Annual VMblog.com series exclusive.
Contributed by Jason Hart, Vice President and CTO for Data Protection, Gemalto
2016: Here We Go Again
At
the end of every year, a number of industry leaders pull together their
predictions for what they expect to happen over the next twelve months.
Sometimes we're right, and
other times we're way off. In last year's
Security's Awkward Adolescence, I talked about 2015 being the year
that we would start taking data breaches more seriously, and the numbers
kept us on our toes.
According to the
Breach Level Index,
888 data breaches occurred the first six months of 2015, compromising
246 million records worldwide. The largest breach in the first half of
2015 was an identity theft attack on Anthem Insurance that exposed 78.8
million records, representing almost a third
(32%) of the total data records stolen in the first six months of 2015.
Other notable breaches included a 21-million-record breach at the U.S.
Office of Personnel Management; a 50-million-record breach at Turkey's
General Directorate of Population and Citizenship
Affairs; and a 20-million-record breach at Russia's Topface. And the tragic events in Beirut and Paris this past month have kept encryption - and the tug
between privacy and security - in the headlines.
Against
that backdrop, I want to offer up a number of 2016 predictions that
will hopefully get us to start talking about ways to get ahead of the
cyberthreats that are becoming
more ferocious and difficult to detect. Like most people that work in
this industry, I really hope that many of these predictions don't come
true, but believe that we need to start with vigilance and awareness.
- We will see an uptick in precise and targeted attacks on PHI, PII,
and intellectual property data. This kind of information is
the new oil. When oil pioneers started harvesting and refining "rock oil" in the mid 19th
century, there wasn't all that much demand. Slowly, as more and more
uses were identified for the various refinery byproducts - from kerosene
for lamps to
gasoline for the burgeoning automobile industry - demand grew and the
economy around oil grew with it. Today's hackers are in a similar
"Wild West" environment, one in which they are collecting massive
amounts of data - from personally identifiable information
to Social Security numbers, credit card numbers and even healthcare
records - with the intent of figuring out its best uses at a later
date. They're no longer just targeting data for its immediate value,
but instead are intent with its eventual value that
will come from repurposing stolen data for future attacks.
- Data integrity attacks will become the new "cash cow" for hackers.
Today's connected world constantly generates mounds of data that
businesses, industry pros and analysts use to
drive decisions, make projections, issue forecasts and more. For
sophisticated hackers, it's not about stealing data anymore; it's about
accessing and changing it. They can take actions that are difficult to
detect that lead to lucrative paydays that may take
years to impact a company or industry. Over time, bad data can lower or
raise the prices of stocks, enabling hackers to earn high dividends.
When it comes to entire industries - agriculture, for example - yield
projections can be manipulated and hackers can
seize investment opportunities based on erroneous data. For those with
an axe to grind, corrupt data can force poor corporate decision-making
and take down a company. And throughout it all, until the pain is felt,
data integrity attacks remain invisible.
- Cybersecurity will continue to be a hot topic in the boardroom as
companies try to understand their legal and insurance needs due to
seemingly ongoing data breaches. However, we'll continue to see
businesses struggle with misaligned or missing technical expertise
around their security strategies. Simply put, many businesses still do
not understand the data that they should be protecting,
where it is, and how to defend it.
- We will see an uptick in companies arguing to make two-factor
authentication mandatory due to the ongoing trend of password
insecurity.
The reality is that passwords are not secure, no matter how
complicated or clever we make them. Making them more complex, per the
stern instructions we receive when setting up our myriad personal and
professional accounts, only really helps to prevent
an amateur intruder from guessing the password. It does not stop a
sophisticated attacker, capable of viewing the password as you type it
in, no matter how many different alphanumeric characters it contains.
- APIs will soon become an attack vector capable of delivering the
"motherlode" of stolen data to thieves. When an API is hacked, hackers
can gain easy access to security keys themselves.
If a mission-critical application is impacted, it could expose data
from all users. A compromised API - even for an encryption-protected
application - would throw the doors open to sensitive information most
prized by hackers at countless companies. In short,
when an API is successfully targeted, all the application traffic
"under it" could be available.
##