2015 In Cybersecurity: Sadly, Another Bumpy Year is Ahead
January 27, 2015
By: TMCnet Special GuestPatrick Peterson
, CEO, Agari
Unfortunately, 2014 was another “good” year for cyberattacks that siphoned billions of dollars in global economic productivity into criminal hands. Many of the attacks would be classified under “business as usual” type of occurrences –– targeted emails, ransomware and malware –– that you could have seen in headlines from 2009. The fact remains that many criminals are still very successful with these types of attacks. There were, however, some novel twists in 2014, the most notable being the Home Depot data breach that the retailer confirmed in September. Some 60 million credit cards –– more than the population of Spain –– may have been compromised in a five-month attack on its payment terminals. In this case, the thieves deployed malware on Home Depot’s point-of-sale systems, capturing the data after the cards had been swiped, but before they were encrypted deeper in the retailer’s computer systems. A second innovation, if you want to call it such, was the sheer speed and attack diversity we saw in 2014. It was quite remarkable. From P.F. Chang’s China Bistro, to Home Depot, Apple (News - Alert) and Neiman Marcus, even Goodwill, thieves are branching out beyond the usual targets. When it comes to cybersecurity teams, I can guarantee you that the Goodwill security team doesn’t look much like Apple’s.
So, with 2014 coming to a close, here are my top predictions for cybersecurity in 2015:
- HEALTHCARE CYBERSECURITY IN CRITICAL CONDITION. You already know your credit card number is valuable to cyber thieves, but did you know that your medical information is worth 10 times as much on the black market? Cybercriminals already are targeting the $3 trillion U.S. healthcare industry, and we can expect their efforts to get even more brazen in 2015. Many companies in the healthcare industry still rely on aging computer systems that don’t use the latest security features. This summer, for example, the FBI warned healthcare providers to up their game after one of the largest U.S. hospital operators said Chinese hackers broke into its computer network and stole the personal information of 4.5 million patients. Fraudsters steal this information so they can fraudulently bill for medical services, among other schemes. We could also see criminals become more intelligent about socially engineering their attacks. For instance, you could go to the doctor for a specific ailment, only to have thieves then send you targeted emails with bogus pharmaceutical offers pertaining to your condition.
- CHIP-AND-PIN CARDS PUSH MORE THEFT ONLINE. Europe and Canada have already had them for years, but “chip-and-pin” credit cards are coming to the United States in earnest in 2015. In October of next year, new credit-card standards go into place, changing how liability falls between credit-card issuers and retailers. While compliance isn’t mandatory, liability for fraud will fall on the party that hasn’t upgraded its systems. So, vast numbers of merchants and retailers will be installing payment terminals that use the microchip-embedded cards, making it impossible just to steal cards without having the pin, or to duplicate credit cards, and use them physically. Much of the offline fraud that now takes place with stolen or duplicate cards is going to go away, meaning there will be that much more demand for criminals to carry out theft solely online.
- EMAIL STILL NAME OF THE GAME. Since the dawn of ecommerce, email has always been the preferred weapon of choice for cybercriminals. Because of its ubiquity –– and unless you’re protected by DMARC –– anyone can send an email claiming to be anyone or any organization. Whether it’s phishing, ransomware or malware, email remains the single most effective and widely used vector of attack. Unfortunately, that’s absolutely going to continue. We see nothing – with the exception of DMARC – on the horizon that’s going to take back that medium from criminals; email will continue to be their best friend in propagating their badness.
- FROM STEALING CASH TO PILFERING POINTS. As more and more people come online and embrace ecommerce across the globe, criminals are becoming far more clever about what they’re stealing. It’s gone well beyond just credit cards or bank account credentials. They’ll go after reward points for hotel chains, for example, virtual goods, airline frequent-flyer miles, even stealing shipping credentials, and then using them to ship purloined goods. The criminals can turn these nuggets of information into assets with monetary value. As more services are moved online, the more innovation we’ll see in this arena. There’s a hierarchy here: First the criminals go where they cash is, which is the most liquid asset out there. Then they go after the credit cards, which aren’t nearly as liquid. Now, points and other virtual goods have become ripe for the picking.
- SHARE AND SHARE ALIKE. Security solution vendors and industry participants will start sharing –– in a serious way –– information and data with one another to thwart cybercrime. At Agari we’ve started this critical cooperative effort with the Agari Trust Network, an ecosystem of leading infrastructure and security solution providers worldwide that have partnered to eliminate email cyberattacks, protect customers, secure personal data, and preserve brand reputation. If I see something happening in my email system, something happening on the desktop environment, and something going on in the data center, I want professionals with each of these products to work together in an ad hoc fashion. I want them to combine the data from multiple products and be able to synthesize that effectively to ward off attacks. The information sharing landscape will begin fundamentally changing –– for the better –– in 2015.
After a rough 2014 for cybercrime, it would be great to say, “Oh, that speed bump is behind us,” or, “We built some magic widgets that will solve the problem.” Unfortunately, that’s not the case. Much of what criminals did in 2014 were slight modifications to what they’ve done before, and the pace at which we’re all responding is still too slow. Sadly, I see 2015 being another very, very bumpy year for cybersecurity.
How will you combat cybercrime in 2015? Use #predict2015 to follow the conversation on Twitter (News - Alert).
Edited by Stefania Viscusi