Trends to Watch in 2016

1. Android threats: more than just headline-grabbers

The threats to Android devices continues to top the list of security challenges this year. Evidence of the number of Android exploits continues to climb.

There are significant vulnerabilities on the Android platform which can take months to patch, providing tempting targets for hackers.

SophosLabs has already seen samples of these exploits that go to extreme lengths to avoid Google Play Store detection and filtering, giving apps a better chance of surviving on app stores. These apps are sometimes designed to look like harmless games and then loads malicious payloads when it is ‘safe’ to do so.

Once users have handed over control, the app has the ability to display popups that install highly intrusive adware, even if a user has rejected the invitation to install it. Because the apps root the device and embed themselves into the system partition they can’t easily be uninstalled.

Android malware can be complicated and consumers cannot necessarily trust the Google Play Store to detect these vulnerabilities in every instance.

2. 2016: the year iOS malware goes mainstream?

Malware targeting iOS isn’t new — we’ve already seen the Apple App Store get hit. The InstaAgent app snuck through the vetting processes, and XcodeGhost tricked Apple app developers into incorporating the code into their apps, infecting them but staying cleverly hidden behind what looked like Apple code. In March we saw a new family of iOS malware, “AceDeceiver,” which successfully infected jailbroken devices.

With more and more apps coming onto the market, iOS remains a tempting target environment for hackers. Nevertheless, the nature of Android — in particular, its support for the flexibility of third party markets — will continue to contribute towards Android being an easier target than iOS this year.

3. IoT platforms: the potential for malware is there

The Internet of Things (IoT) is rapidly becoming a way of life. But with this shift comes additional risk. IoT will continue to produce endless horror stories because these devices are not secure. (Last year we saw many stories focusing on webcams, baby monitors, children’s toys, and cars, and these stories certainly aren’t going away.)

On the upside, we won’t see widespread examples of attackers getting IoT devices to run arbitrary code any time soon. IoT products are not general purpose computing devices with the same broad suite of interfaces that we have on desktops/mobiles. This keeps them relatively protected, though their use doesn’t present the same opportunity for hackers that mobile devices present.

Over the course of the rest of the year, expect to see further research and proofs of concepts demonstrating the vulnerability of IoT devices. We’ll also see an increase in data-harvesting attacks against these devices as well, where attackers convince the devices to disclose information they have access to: video/audio feeds, stored files, credential information for logging into cloud services, and more.

And as IoT devices evolve in their utility and ability to interact with their surroundings, the security concerns around the IoT will become very similar to the set of security concerns around SCADA/ICS. The industry should look toward the best guidance that NIST, ICS-CERT, and others have formulated.

4. SMBs becoming a bigger target for cybercriminals

Throughout 2015, we witnessed a lot of high-profile hacking stories (such as Talk Talk and Ashley Madison). But it’s not just big businesses that are being targeted. Reports have found that almost a quarter of small and medium businesses (SMB) have had a recent security issue — and it’s only going to get harder for SMBs as hackers perceive them as easy targets.

Ransomware is another area we’ve seen some high-profile incidents occur in the past year, and we’ll continue to see criminals monetizing small businesses through attacks. Ransomware is significantly more visible compared to previous payloads like spam or malware. And ransomware has the potential to destroy an SMB if they don’t pay up.

With smaller security budgets, SMBs apply a best-effort approach to security investments, and they remain vulnerable to attacks as hackers easily find security gaps in their network.

A security breach can cost a small business tens of thousands of dollars or more. SMBs need to thoughtfully plan their IT strategy to prevent an attack before it happens. This requires a consolidated effort and, for optimal success, a comprehensive system where all the components communicate with each other.

5. Data protection legislation changes, increased fines

After four years of preparation to overhaul the European Union’s data protection rules, the EU Parliament gave final approval in April, 2016 for the EU General Data Protection Regulation (GDPR).

This is a huge step forward to better protect EU residents by providing a consistent set of regulations across borders. These rules will apply to businesses of all sizes, anywhere in the world, who hold information on EU residents.

In the future, business will face severe penalties if data isn’t secured in compliance with regulations. This will have an inevitable impact on businesses and how they deal with security.

Two major changes will be the EU GDPR, and the Investigatory Powers Bill in the U.K.

  • The EU Data Protection regulation will come fully into force across Europe by the end of 2017, so companies need to start preparing in now. It has numerous components, but one key takeaway is that European businesses will now be held responsible for the protection of the data they process, including cloud providers and other third-parties. In other words, don’t ignore these new regulations and hope you won’t get fined.
  • In the U.K., the Investigatory Powers Bill will modernize laws surrounding communications data. This will give the police and other intelligence bodies the ability to access all aspects of someone’s communications on Information and Communications Technologies (ICTs), whether they are suspected of a criminal offense or not.
  • In the U.S., data protection is complicated by the fact there is no single overarching law. This has the effect that data protection tends to be less strict than in Europe, which has led to issues around the Safe Harbor agreement. Over time, the U.S. and Europe will hammer out their differences, but it seems unlikely that we will see a new agreement any time soon.

Read more about the EU Data Protection Regulation.

6. VIP spoofware will remain a problem

VIP spoofware isn’t going anywhere. In fact, hackers are getting better at it — it’s become increasingly common for employees to see spoofed emails allegedly from key individuals within their own company. Hackers are becoming increasingly talented at infiltrating business networks to gain visibility of personnel and their responsibilities, and then using this information to trick staff for financial gain. For example, sending an email to the finance team that appears to be from the CFO requesting the transfer of significant funds. If you haven’t had first-hand experience with spoofware yet, you will.

7. Ransomware — more visible, more problematic

Ransomware has become a household name in 2016, with high-profile incidents making headlines. Ransomware has been increasingly more common as email attachments tricking the end user into opening the malicious file. The most common forms of ransomware in 2016 are so effective that it’s so far proven impossible to unscramble your data without the key from the hackers holding your data hostage; prevention is far and away better than trying to find a “cure.” At the moment, we’re seeing ransomware targeting data, but how far off is the potential for your car or house being infected with ransomware and held hostage? The more internet-enabled our devices become, the greater the risk (and the more opportunity for hackers).

Attackers will increasingly threaten to go public with data, rather than just taking it hostage, and we have already seen websites being held ransom to DDoS. Many ransomware families are using darknets for either command or control, or for payment page gateways, as we saw with the likes of CryptoWall, TorrentLocker, TeslaCrypt, Chimera, and many more.

8. Social engineering and employee education

The best way to prevent data breaches is to stop them at the source — when the end user lets the hackers in. This means social engineering and employee education. As hackers grow more sophisticated in their psychological tactics to fool users, it falls upon employers and organizations to invest in social engineering. Employers need to educate their staff, making them more security savvy and make them a part of the security process through smarter use of technology.

Here’s some basic tips for training your staff to be more security-minded:

  • Teach them the implications of phishing emails and how to identify one
  • Make sure they don’t click on malicious links in unsolicited emails
  • Encourage them to be wary of scam emails and how to identify telltale signs
  • Help them know how to identify and watch out for sites that ask for sensitive information
  • Provide them with basic ground rules for internet safety: e.g., never share a password

We’ve seen a rise in malicious code hiding in what have always been basic, everyday files like Microsoft Office documents or PDFs. Teach your staff not to open files from unknown or untrusted senders, and never click “yes” to warnings about macros or active content unless you know why the document has it.

9. The bad guys are more coordinated; we should be too

It may not seem logical for the bad guys to “team up,” but for some time, hackers have used coordinated attacks to get what they need from us. The cyber security industry is moving toward a more collaborative environment as well, through greater information sharing and workflow automation. We expect to see big differences in 2016 and beyond because of this culture shift.

10. Commercial malware authors continue to invest heavily

It’s a terrifying prospect, but commercial malware authors continue to reinvest at ever greater rates, bringing them towards the ‘spending power’ of nation-state activity. This includes purchasing zero-day exploits. These bad guys have lots of cash and they are spending it wisely. We need to be prepared to fight back.

11. Exploit kits continue to dominate on the web

Thousands of poorly secured websites make the prevalence of exploit kits, like Angler and Nuclear, one of the biggest problems we have on the web today. This looks set to continue, and, in fact, these poorly secured websites are making it easy for them. Reports have found that malware authors are using the same exploit kits over and over again, some of which are years old.

Cybercriminals will exploit where they can most easily make money. Exploit kits have simply become stock tools of the trade, used by criminals to attempt to infect users with their chosen malware.

Patch promptly, keep your security software up to date, beware of unsolicited attachments, and consider using a stripped down document viewer. Make the hacker’s job harder and you’ll be part of the solution, not the problem.