
Virtualization and Cloud executives share their predictions for 2016. Read them in this 8th Annual VMblog.com series exclusive.
Contributed by T.K. Keanini, CTO, Lancope
Predicting the Cyber Security Future in 2016
When your everyday life is all about information security,
you start to see patterns that may not be so obvious to others. Each year, I take
my best shot at describing these trends and making predictions for the coming
year. In this annual article, we also go back retrospectively and review the
predictions we made the previous year to see how clear or cloudy our crystal
ball was in helping us create our forecast.
2015 Retrospective
We predicted 4 major trends for 2015: muleware,
re-authentication exploitation, ransomware expansion and targeted
extortionware. Conservatively, I'm going to say that we certainly got 3 of the
4. Muleware was the hardest to track, but we know that certain hotels
where persons of interest frequently stayed were targeted in 2015, with staff
physically delivering exploits to personal computers left unattended in hotel
rooms.
Re-authentication exploitation continues to grow as more and
more people find out the hard way that not all email accounts are equal.
Attackers target the email account you use for password recovery, trigger the
forgot-password function of a website, and steal the password reset before you
notice. The lesson is that we need to protect the entire lifecycle of
authentication rather than treat it as a single step in time: if a website's
primary authentication is strong but its re-authentication process is weak, the
advantage goes to the attacker every time.
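As an added illustration of protecting the re-authentication step rather than only the login (example code, not from the author or any product): a reset-token store in which the token delivered to the recovery mailbox is short-lived, single-use, tied to the current password generation and insufficient on its own. The 15-minute lifetime, the second-factor requirement and the out-of-band notification are design choices assumed by this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a reset store that treats re-authentication as part of
# the authentication lifecycle. The 15-minute lifetime and the second-factor
# requirement are design choices of this example, not any vendor's behaviour.
RESET_TTL_SECONDS = 15 * 60


class ResetFlow:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}    # user -> (sha256(token), expires_at, pw_version)
        self.pw_version = {}  # user -> int, bumped on every password change
        self.notifications = []

    def request_reset(self, user):
        """Issue a single-use token; only its hash is kept server side."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        version = self.pw_version.setdefault(user, 0)
        self._pending[user] = (digest, self._now() + RESET_TTL_SECONDS, version)
        # Notify on a channel other than the recovery mailbox, so a hijacked
        # recovery inbox cannot hide the fact that a reset was requested.
        self.notifications.append((user, "reset requested"))
        return token

    def complete_reset(self, user, token, second_factor_ok):
        """Accept the reset only if the token is fresh, unused, tied to the
        current password generation, and a second factor was presented."""
        entry = self._pending.get(user)
        if entry is None or not second_factor_ok:
            return False
        digest, expires_at, version = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if (self._now() > expires_at
                or version != self.pw_version.get(user, 0)
                or not hmac.compare_digest(digest, supplied)):
            return False
        del self._pending[user]               # single use
        self.pw_version[user] = version + 1   # invalidates any other token
        self.notifications.append((user, "password changed"))
        return True
```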
Ransomware continued to evolve its techniques in 2015 and also
expanded from Windows only to Macs, Android and Linux. While backup
solutions are cheaper and more convenient than ever, people are still not
backed up appropriately, and by the time they are hit with one of the many types
of ransomware it is too late. 2015 was an even bigger year for ransomware than
2014, and there is no reason this cybercrime method should slow as we enter 2016.
Extortionware differs from ransomware in that the
attacker has already taken the data and is threatening to publish it
if you don't pay. Everyone can think of something on their computer they would
like to keep private and that, if published, would damage them personally or jeopardize
their business. 2015 saw its share of this type of attack and, like ransomware,
all signs indicate that it will accelerate in 2016.
2016 Predictions
Aside from the continuing trends from 2015, adoption of new
technologies and the spread of more personally identifiable information online
will precipitate new targets and types of cyber-attacks.
Cracking as a Service
The counterpart to cryptography is cryptanalysis, the art
of deciphering coded messages without being told the key. Large farms of
compute clusters are set up to do Bitcoin mining, and without much effort they
could easily be set up for cryptanalysis as a service. How would this work? Like
other SaaS offerings, you set up an account; let's say that you have a
256-bit key to crack: '23295937673927337a43297b4d226b7d7e762e213b6e225d2d53573157'.
Submit it with some metadata and within minutes (maybe seconds) you are handed
back the clear-text WEP key. This can be extended to other hashes and ciphertext.
The service can charge you by the compute cycle, so it is a truly elastic
business. A service like this would punctuate the evolution of cryptography,
forcing everyone to longer key lengths as massive brute-force attacks become just
a REST API call away.
DNA Breach
We have seen a lot of data repositories breached to date,
but 2016 will be the year we see a DNA vault compromised and possibly used for
extortion or ransom. Millions of people are using DNA services to find their
genetic history and the bio-markers of known diseases. My guess is that some of
these sites are already compromised and just don't know it yet. Regardless,
never before have we had so much personal DNA data stored on the Internet, and
2016 might be the year we experience a compromise of this type of data
affecting millions. Unlike a credit card or a password, this information is not
easily reset. In fact, it is immutable, so any disclosure of this data lasts
for an eternity.
Attack the Overlay Network
In 2016, many data centers will be using overlay
technology, which enables software-defined networking (SDN). The main driver
for this adoption is microarchitectures like Docker containers. In the case of
Docker containers, VXLAN tagging is the overlay technology that allows
the application to define the network topology required by the system of
applications. The problem arises when no entity authenticates and
checks the tags (the VXLAN network identifiers, or VNIs). Attackers could then
impersonate or abuse the tags, giving them privileged access to the system and
its data.
VXLAN is just one of these overlay networking technologies,
and in my opinion not enough threat modeling has been done in this area,
making it a ripe target for innovative attackers. We will see exploitation of
these overlay networks in 2016, forcing more threat modeling in the design and
causing these overlay networks to add security features and evolve in hostile
environments.
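The missing check the section describes, as an added defender-side example (not code from the author or from any VXLAN implementation): parse the 8-byte VXLAN header of RFC 7348 and compare the VNI each frame carries against the VNIs its originating VTEP is allowed to use. The VTEP addresses, VNIs and sample frames are constructed for this example.

```python
# Constructed example: a VNI allow-list check on VXLAN headers observed at a
# monitoring point. VTEP addresses and VNIs below are made up for this example.
VXLAN_FLAG_VNI_VALID = 0x08   # the "I" flag of RFC 7348


def parse_vxlan_header(data):
    """Return (flags, vni) from an 8-byte VXLAN header: flags, 3 reserved
    bytes, 24-bit VNI, 1 reserved byte. Raises ValueError on bad input."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags = data[0]
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return flags, int.from_bytes(data[4:7], "big")


def vxlan_header(vni, flags=VXLAN_FLAG_VNI_VALID):
    """Build an 8-byte VXLAN header (used here to construct sample traffic)."""
    return bytes([flags, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


# Which VNIs each VTEP (keyed by outer source IP) may originate. Constructed.
ALLOWED_VNIS = {"10.0.0.1": {1000, 1001}, "10.0.0.2": {2000}}


def check_frame(outer_src_ip, vxlan_payload):
    """Classify one encapsulated frame by its tag versus the source VTEP."""
    try:
        _, vni = parse_vxlan_header(vxlan_payload)
    except ValueError:
        return "malformed", None
    allowed = ALLOWED_VNIS.get(outer_src_ip)
    if allowed is None:
        return "unknown-vtep", vni
    if vni not in allowed:
        return "vni-mismatch", vni       # tag not authorised for this source
    return "ok", vni


# Constructed sample traffic: one legitimate frame, one where VTEP 10.0.0.2
# claims tenant VNI 1000, one from an unregistered VTEP, one truncated header.
SAMPLE_FRAMES = [
    ("10.0.0.1", vxlan_header(1000) + b"<inner ethernet frame>"),
    ("10.0.0.2", vxlan_header(1000) + b"<inner ethernet frame>"),
    ("10.0.0.9", vxlan_header(2000) + b"<inner ethernet frame>"),
    ("10.0.0.1", b"\x08\x00"),
]


def audit(frames=SAMPLE_FRAMES):
    """Return (source, verdict, vni) for every frame."""
    return [(src, *check_frame(src, payload)) for src, payload in frames]
```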
Namespace is the new battleground
Software architectures are quickly adopting containers. In
hypervisor-based virtualization, attackers took aim at the hypervisor in order to
gain access to any of the resident guest operating systems. With container
technology like Docker, the battle is waged in the userland namespaces:
the process, networking and filesystem namespaces. In 2016, we
will likely see attacks coming from malicious containers trying to share a
process namespace (UID 0 in my container becomes UID 0 in your container). This
could completely compromise the victim container, allowing attackers to do what
they want and erase most evidence that they were there.
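A way to spot the configuration that makes the shared-process-namespace scenario above possible, as an added example (not from the author or the Docker project): audit `docker inspect` output for containers that share a PID namespace with the host or another container, and note when such a container also runs as UID 0. The container names, ids and JSON below are constructed; the `HostConfig.PidMode`, `HostConfig.Privileged`, `HostConfig.UsernsMode` and `Config.User` fields are real `docker inspect` fields.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields this
# audit reads. Names and ids are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "Config": {"User": "1000:1000"},
     "HostConfig": {"PidMode": "", "Privileged": False, "UsernsMode": ""}},
    {"Id": "bbb222", "Name": "/debug-sidecar", "Config": {"User": ""},
     "HostConfig": {"PidMode": "container:aaa111", "Privileged": False,
                    "UsernsMode": ""}},
    {"Id": "ccc333", "Name": "/agent", "Config": {"User": ""},
     "HostConfig": {"PidMode": "host", "Privileged": True, "UsernsMode": "host"}},
])

# An empty Config.User means the image default, which is root unless the
# image sets USER; the other spellings are explicit root.
ROOT_USERS = ("", "0", "root", "0:0", "root:root")


def audit_namespaces(inspect_json):
    """Return {container_name: [findings]} for containers whose PID namespace
    boundary is weakened, noting when that container also runs as UID 0,
    which is the case where UID 0 here becomes UID 0 there."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        issues = []
        pid_mode = hc.get("PidMode", "")
        if pid_mode == "host":
            issues.append("shares the host PID namespace")
        elif pid_mode.startswith("container:"):
            issues.append("shares PID namespace with " + pid_mode.split(":", 1)[1])
        if hc.get("Privileged"):
            issues.append("privileged")
        if hc.get("UsernsMode") == "host":
            issues.append("user namespace remapping disabled")
        if issues and c.get("Config", {}).get("User", "") in ROOT_USERS:
            issues.append("runs as UID 0 inside the container")
        if issues:
            findings[c["Name"].lstrip("/")] = issues
    return findings
```

On a live host the same function can be fed the output of `docker inspect $(docker ps -q)`.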
Companies like CoreOS are working on cryptographic
assurances but until the market has experienced the worst of it, there will be
little demand for this as a mandatory feature. 2016 will likely be the year
everyone learns their lesson.
New approaches for a new theater
Whenever a new paradigm becomes widespread, there is a
tendency to apply old tactics and principles to cyber security. For instance,
when virtual machines gained adoption, many operators attempted to patch them
as they would a physical machine, even when it was more time consuming and
complicated than simply retiring the old VMs and firing up new ones with up-to-date
software.
As more sensitive data is connected to the internet,
attackers gain better infrastructure, and new forms of networking become
prevalent, we need to avoid applying old, ineffective principles to new
theaters of technology. Otherwise, attackers will take advantage of this window
of opportunity while we are stuck trying to evolve our security in the midst of
a hostile situation.
About the Author
TK Keanini brings nearly 25 years of network and security experience to
the CTO role. He is responsible for leading Lancope's evolution toward
integrating security solutions with private and public cloud-based
computing platforms. TK is also responsible for developing the blueprint
and solution that will help Lancope's customers securely benefit from
the promise of software-defined networking (SDN). Prior to joining
Lancope, Keanini served as CTO for nCircle, driving product innovation
that defined the vulnerability management and configuration compliance
market. Before joining nCircle, he served as Vice President of Network
Services for Morgan Stanley Online, where he built and secured a highly
available online trading system. Previously, Keanini was a systems
engineer at Cisco, advising top financial institutions on the design and
architecture of their data networking infrastructure. Keanini is a
Certified Information Systems Security Professional (CISSP).