Cybercriminals to Target New Payment Technologies, Generic Top Level Domains and the US Elections in 2016
The year 2015 has become widely referred to as the year of the data breach. What nefarious cyber-acts will define 2016? For the first time as a newly combined company, Raytheon|Websense cybersecurity experts today shared their security predictions for the coming year. Researchers suggest to be on the lookout for: U.S. presidential election cyber-antics; cybercriminals pickpocketing the wallet on your phone; and an increase in vulnerabilities from the aging Internet, among other security challenges.
The U.S. elections cycle will drive significant themed attacks
Attackers will use the attention given to political campaigns, platforms and candidates, as an opportunity to tailor social engineering lures. Others will focus on hacktivism, targeting candidates and social media platforms. In addition to the obvious social engineering of threats around the political campaigns, platforms and candidates, the tools and infrastructure of those involved with the political process will be targeted (ie. Candidates, news sites, support groups). Hacktivists may reveal unwelcomed personal details or use compromised accounts to spread false information appearing to come from the candidate. Security lapses and gaps in defenses will prove costly for those who are not diligent during this time.
Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud
Hacks targeting mobile devices and new payment methodologies will impact payment security more than EMV. The increase in non-traditional payment methods on mobile devices or via beacons and smart carts will open up the doors for a new wave of retail data breaches.
Forgotten maintenance of the Internet will become a major problem for defenders as costs rise, manageability falls and manpower is limited
The addition of the gTLD system will provide new opportunities for attackers
The number of gTLDs as of November 2015 exceeds 700 domains, and about 1,900 more are in the waiting list. As new top-line domains emerge, they will be rapidly colonized by attackers well before legitimate users. Taking advantage of domain confusion, criminals and nation-state attackers will create highly effective social engineering lures to steer unsuspecting users toward malware and data theft.
Cybersecurity insurers will create a more definitive actuarial model of risk – changing how security is defined and implemented
Insurance companies will mature their offerings with qualifications, exceptions and exemptions allowing them to refuse payment for breaches caused by ineffective security practices, while premiums and payouts will become more aligned with underlying security postures and better models of the cost of an actual breach. Further, insurance companies will greatly affect security programs, as requirements for insurance become as significant as many regulatory requirements (PCI, HIPAA, ISO 27001).
The Internet Of Things (IOT) will help (and hurt) us all
The boundaries between corporate and personal devices have become blurrier, causing increasing friction and security challenges affecting critical infrastructure. Industries that utilize a large number of connected devices and networked systems in the course of their everyday business, such as healthcare, are likely to face a wider range of security vulnerabilities and threats.
DTP adoption will dramatically increase in more mainstream companies
As a result of the very public breaches of 2015, predicted changes in cyber insurance, increased visibility in the boardroom for all things cyber and continued worries about data loss, there will be a more aggressive adoption of data theft prevention strategies outside of its traditional financial services installation base. The prevailing assumption among security teams will become ‘we are already compromised” to help them strengthen their ability to deal with the inevitable.
Societal views of privacy will evolve, with great impact to defenders
Increasing frequency of data breaches, such as the many seen in 2015, are changing the way we think about personally Identifiable Information (PII). Further breaches and loss of PII will drive major shifts in the way in which privacy is perceived. Just as the last decade saw the introduction of “the right to be forgotten,” anticipate that within the next decade similar large shifts in privacy rights and expectations will emerge.
“The increase in connectivity and the digitization of the daily lives of both businesses and the general public will also lead to an exploitation of payment systems, IOT devices and the reformulation of our current perception of privacy. Smart cyber security is no longer about just preventing a breach, but building the resiliency and the flexibility to respond to and minimize the potential negative outcomes of a breach.” – Joshua Douglas, CTO, Raytheon|Websense
“2015 will be seen in retrospect as a watershed year for information security, as many of the evolving threats and security practices now emerging will be directly attributable to events in this last year.Lures created from interest in US Elections, as well as other high profile events, will present opportunities for social engineering, not just for consumers but also for the candidates themselves. In the digital age, data handled less than securely could impact elections or even the candidates themselves.The evolution and expansion of an aging Internet will present significant opportunity for attackers while simultaneously tripping up defenders.” – Carl Leonard, principal security analyst, Raytheon|Websense Security Labs
On May 29, 2015, Raytheon Company (NYSE: RTN) and Vista Equity Partners completed a joint venture transaction creating a new company that combines Websense, a Vista Equity portfolio company, and Raytheon Cyber Products, a product line of Raytheon’s Intelligence, Information and Services business. The newly-formed commercial cybersecurity company will be known on an interim basis as Raytheon|Websense. The company expects to introduce a new brand identity upon completion of standard organizational integration activity.