Industry executives and experts share their predictions for 2018. Read them in this 10th annual VMblog.com series exclusive.
Contributed by James E. Lee, Executive Vice President of Atlanta-based Waratek Inc.
Good Riddance 2017 and Welcome to 2018
2017 didn't break cybersecurity records; it threw them to the ground and stomped on them. What will 2018 mean to cybersecurity teams?
This time last year pretty much everyone staring into their crystal balls came forth with the same prediction: 2017 would be dominated by IoT attacks and ransomware. Oh, how wrong we were.
We will remember 2017 as the Year of the Software Flaw. After a routine start to the new year, the Apache Foundation announced in March the discovery of a long-standing but previously unknown flaw in the Struts 2 framework. The first attacks were reported within hours of the news and more variants were announced within weeks. Soon, newly discovered software flaws opened the door to mass attacks on a global scale.
Exploits with headline-grabbing names like WannaCry, Petya and NotPetya dominated the attention of cybersecurity teams, corporate executives and government officials. Attack victims read like a who's who of global and national brands: the UK's National Health Service. Home Box Office. Netflix. Hyatt Hotels. Meanwhile, hackers were already inside a company that sells information on virtually every adult in the United States and a number of other countries - Equifax.
And all of this happened in just the first nine months of 2017, smashing the total number of reported breaches set in 2016 (a 40 percent increase over 2015) by September. The total number of records lost or stolen so far in 2017 is a whopping 375 percent higher than 2016.
Five predictions for 2018
So, here we are again at the end of a year, looking into a future where the fallout from the Equifax breach is still fresh and the number of attacks continues unabated. Here, in no particular order, are five predictions of what the cybersecurity community may see in the next 12 months:
Government regulations will drive behaviors. Depending on who you ask, Equifax (and other companies) either waited too long to report its breach or just followed the requests of law enforcement. Beginning in 2018, though, the European Union's GDPR will require breaches to be disclosed within 72 hours, with significant fines for failing to comply. In the US, New York already requires state-regulated organizations to report certain cyberattacks to the agency within 72 hours. Look for the 72-hour window for reporting to become the norm and the number of reported breaches to grow exponentially.
Patching will (continue to) be the Achilles heel of applications. With the US National Vulnerability Database containing more than 12,500 flaws (3,500+ of which are severe), physically patching web applications and other software on a timely basis is all but impossible. One recent study put the time to patch 86 percent of severe web app flaws at 30 days or more. Gartner predicted two years ago that 99 percent of all successful cyberattacks would be the result of flaws known for at least one year - a spot-on prediction so far.
Out-of-support software is the next frontier for attacks. Long-since out-of-support software like Windows XP - still one of the most widely used operating systems in the world - gets a lot of media attention. Yet enterprise applications based on older versions of Java and .NET represent a more significant attack surface and are notoriously difficult to patch or upgrade unless you want to rewrite the mission-critical applications. The price tag, measured in time, may be years, and the financial investment may require millions.
More of the same. Here's a safe bet: software flaws, already ubiquitous, will grow in volume as the amount of new software written continues to increase. We live in a software-driven world where an estimated 111 billion new lines of code will be written by the end of 2017. One recent study found more than 1.3 billion flaws in web applications, the exploit of choice for hackers. None of that will change in 2018.
IoT and ransomware attacks will (still) be a threat. Just because Twitter feeds were not filled with daily news about IoT devices slaved to massive botnets, or because WannaCry was less of a ransomware attack than a proof of concept, doesn't mean the threats are diminishing. Successful attacks did occur and, by all accounts, the bad people were simply perfecting their business model and attack strategies. They will be back with a vengeance in 2018 or some other day when we all least expect it.
About the Author
James E. Lee is Executive Vice President of Atlanta-based Waratek Inc., the virtualization-based application security company.