Looking back on 2017 gives some clues to the security realities we must face in 2018 and beyond. At the same time, though, companies must start confronting disturbing new trends, say Jeremy Capell, executive: cyber resilience at Internet Solutions and ContinuitySA, and Tim Quintal, senior product manager: cyber resilience at Internet Solutions.
2017 will be remembered for significant data breaches. South Africa experienced its biggest-ever breach when the personal details of almost the entire population were found to be freely available on the Dark Web in a file hacked from a property company’s insecure server.
Quintal says that we can expect more such mega-breaches in the future. However, the European Union’s General Data Protection Regulation is due to come into force on 25 May 2018, and he expects the implementation will provide good lessons for the implementation of the Protection of Personal Information Act (PoPI) in this country.
The WannaCry ransomware attack also made headlines during 2017. Serious though the ransom demands were, Quintal believes the true implications are not yet fully appreciated. He points to the subsequent NotPetya virus, which appears similar to WannaCry but was not designed to collect ransom payments – its payment links were inoperative. The consensus is that ransomware will be used as a cover for an attack aimed at incapacitating the system itself; warfare rather than extortion, in other words.
“It’s worth reiterating that both WannaCry and NotPetya were fully preventable as patches had been issued months beforehand,” Quintal says. “Companies that do not have an ongoing, effective patching process in place need to prioritise the implementation of best practice patching policies as soon as possible. That should be a priority for 2018.”
The new year was only a few days old when the Spectre and Meltdown vulnerabilities were officially announced. They affect the central processing units (CPUs) of virtually all devices, including mobile phones.
The vulnerabilities are a legacy of the old, unconnected world; they exploit the fact that CPUs use a process called speculative execution, in which they perform commonly used calculations before they are actually requested. The aim is to speed up processing times. If, however, the calculation is not needed, the data is discarded into an unsecured part of the memory – one that’s vulnerable to attackers.
This “data dump” was not secured because, when CPU architecture was originally designed, computers were self-contained, so there was no risk of unauthorised access to data from outside. The good news is that patches have already been developed, although they may impact processor performance somewhat.
What does the future hold?
“2017 showed us just how aggressive and well-resourced the cybercriminal networks have become, and how threats are morphing all the time. These networks are better resourced than any corporate, and they are focused in a way that a CIO or even a chief security officer cannot be,” says Capell. “We therefore need to move away from trying to prevent our corporate systems from being breached, to detecting and effectively responding to a breach. In other words, the departure point must be that a breach will happen.
“As a result of this mindset shift, we will see security spend move from protection to detection.”
Capell says that a key strategy in this new world will be to use deception to lure intruders into “honeypots” where their presence will be detected.
A second big trend is hackers’ growing focus on operational technology – the myriad sensors, programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) devices used to control machinery of all kinds. These are typically built on outdated DOS or Windows platforms for which no patches exist, and are thus extremely vulnerable to attack.
In a similar vein, the growing integration of smart, connected devices into our homes imports the same level of vulnerability. Home management systems, air-conditioning systems, smart appliances and even toys are increasingly connected – and highly insecure.
At a more profound level, says Capell, those concerned with security need to be thinking about where technology is headed – and anticipating how their enemies could exploit it. For example, the growing maturity of artificial intelligence (AI) and blockchain should be carefully considered.
The obvious danger is that hackers could disrupt AI-enabled processes and penetrate the blockchain ecosystem, but there is a much more disturbing scenario, he argues. What if, instead of targeting these systems, hackers began to use AI and blockchain to increase their effectiveness? In this scenario, hackers use AI in their malware to give it the ability to test various approaches and to learn from them – and then use blockchain to distribute each piece of malware’s learnings to its ‘siblings’. In this way, all the individual instances of a particular malware would share their knowledge, becoming smarter exponentially.
“AI and blockchain code is freely available already, and you can be sure that if I am thinking it, somebody is building it,” he concludes. “To return to my original point: security officers must look beyond prevention to finding ways to deal with what will happen. In this case, perhaps, they will have to use a similar approach by building AI into their detection technology and using blockchain to disseminate what is learned to strengthen everybody’s defences.
“One thing is for sure: security will be a challenging place to work.”