Sophos Predicts Top Cyber Security Trends for 2016

In the ever changing and increasingly complex landscape of cyber security, Sophos experts offer their top predictions for 2016.

In 2016, an increase in Android exploits becoming weaponised can be expected (as opposed to bugs like Stagefright which was heavily reported in 2015 but was never fully exploited). There are significant vulnerabilities on the Android platform, which can take months to patch. Although Google claims that nobody has actually exploited these vulnerabilities to date, it will ultimately be an invitation that is too tempting for hackers to ignore.

Sophos Labs has already seen samples that go to extreme lengths to avoid App Store detection and filtering giving Apps a better chance of surviving on App stores. For example, some hackers will design an App that loads harmless games if it thinks it is being tested, but then loads the malicious payload when it detects it is ‘safe’ to do so. And more recently, mobile users using third-party app markets were tricked into granting malicious apps from the adware family Shedun with control over the Android Accessibility Service. Once they have handed over control, the app has the ability to display popups that install highly intrusive adware, even if a user has rejected the invitation to install it. Because the apps root the device and embed themselves into the system partition, they cannot be easily uninstalled.

Android malware can be complicated and consumers cannot necessarily trust the App Store to detect these vulnerabilities in every instance.

The Apple App Store got hit a few times last year, once with the InstaAgent app which snuck through the vetting processes, which both Google and Apple pulled from their respective app stores, and before that, with XcodeGhost, which tricked Apple app developers into incorporating the code into their apps, thereby infecting them but cleverly hidden behind what looked like Apple code.

With more and more apps coming onto the market (both Apple and Google have more than a million apps each in their official marketplaces to date), it is not hard to imagine more criminals trying their hand at getting past the existing vetting processes. Nevertheless, the nature of Android, in particular support for the flexibility of third party markets will continue to contribute towards Android being an easier target than iOS.

Every day, more and more technology is being incorporated into our lives. IoT (Internet of Things) devices are connecting everything around us and interesting new use cases are appearing constantly. IoT will continue to produce endless scary stories based on the fact that these devices are insecure (early 2015 saw many stories focusing on webcams, baby monitors and children’s toys and latterly cars have become a hot topic researchers hacked a jeep in July).

However, widespread examples of attackers getting IoT devices to run arbitrary code are unlikely any time soon. IoT devices are relatively protected, as they are not general purpose computing devices with the same broad suite of interfaces that is available on desktops/mobiles. Moving forward, one can expect more research and Proof of Concepts demonstrating that non-vendor code can be installed on these devices because of insufficient validations (lack of code-signing, susceptibility to Man in the Middle-class exploitations) by the IoT vendors.

An increase in data-harvesting/leakage attacks against IoT devices can also be expected, wherein they are coaxed to disclose information that they have access to, e.g. video/audio feeds, stored files, credential information for logging into cloud services, etc.

And as IoT devices evolve in their utility and ability to interact with their surroundings, i.e. as they become “roboticized” an app-controlled Roomba for example the set of security concerns around IoT will start becoming very similar to the set of security concerns around SCADA/ICS, and the industry should look toward the best guidance that NIST, ICS-CERT and others have formulated.

Throughout 2015, the focus was on the big glamorous hacking stories like Talk Talk and Ashley Madison, but it is not just large organisations that were being targeted. A recent PwC report revealed that 74 percent of Small and Medium Businesses (SMBs) experienced a security issue in 2015, and this number will only increase due to SMBs being perceived as ‘easy targets’.

Ransomware is one area where criminals have been monetizing small businesses in a more visible way last year. Previously, payloads such as sending spam, stealing data, infecting websites to host malware were far less visible so that small businesses often did not even realize they had been infected. Ransomware is highly visible and has the potential to make or break an SMB if they do not pay the ransom. This is why, of course, criminals are targeting SMBs. Expect to see this increase in 2016.

Lacking the security budgets of large enterprises, SMBs often apply a best-effort approach to security investments, including equipment, services, and staffing. This makes them vulnerable as hackers can easily find security gaps and infiltrate the network. On average, a security breach can cost a small business anywhere up to £75,000 (approximately PHP 528,320) a significant loss for any business.

It is important therefore that SMBs take a consolidated approach to security. This requires a thoughtfully planned out IT strategy to prevent attacks before they happen. Installing software that connects the endpoint and the network will mean a comprehensive security system is in place where all components communicate, and ensure there are no gaps for hackers.

In 2016, the pressure on organisations to secure customers’ data will increase, as the EU data protection legislation looms closer. In future, businesses will face severe penalties if data is not robustly secured. This will have a far-reaching impact for how businesses deal with security, including the high-risk area of employee personal devices.

Two major changes will be the EU General Data Protection Regulation (GDPR), and the Investigatory Powers Bill in the UK. The EU Data Protection regulation will come into full force across Europe by the end of 2017, so companies need to start preparing in 2016. It has numerous components, but one key takeaway is that European businesses will now be held responsible for the protection of the data they process, including cloud providers and other third parties.

In the UK, the Investigatory Powers Bill will modernise laws surrounding communications data. This will give the police and other intelligence bodies the ability to access all aspects of one’s communications on ICTs, whether these users are suspected of a criminal offence or not. As this is due to go ahead in 2016, it will be interesting to see how this bill is shaped and shifted, and if people will start prioritising data security.

In the US, data protection is complicated by the fact there is no single overarching law. This has the effect that data protection tends to be less strict than in Europe, which has led to issues around the Safe Harbor agreement. Over time, US and Europe will hammer out their differences, but it seems unlikely that a new agreement will be implemented any time soon.

Growth in the use of VIP spoof wire transfers can be expected in 2016. Hackers are becoming increasingly talented at infiltrating business networks to gain visibility of personnel and their responsibilities, followed by using this information to trick staff for financial gain. For example, sending an email to the finance team that appears to be from the CFO requesting the transfer of significant funds. This is just one of the ways criminals will continue to target businesses.

Ransomware will continue to dominate in 2016 and it is only a question of time before ransomware goes beyond data. It is perhaps some time away before a sufficient mass of internet-enabled cars or homes are common, but one should ask the question: how long before the first car or house is held for ransom? Attackers will increasingly threaten to go public with data, rather than just taking it hostage, and recently, there have been some websites being held ransom to DDoS. Many Ransomware families were using Darknets for either command or control, or for payment page gateways, with the likes of CryptoWall, TorrentLocker, TeslaCrypt, Chimera, and others in 2015.

As cyber security comes to the fore and social engineering continues to evolve, businesses will invest more in protecting themselves from such psychological attacks. They will achieve this by investing in staff training, and ensuring there are strict consequences for repeat offenders. Employees need to be trained on how to be security savvy when using the company network.

It is recommended for staff training to incorporate the following teaching the implications of a phishing email and how to identify one; ensuring staff don’t click on malicious links that might be found in unsolicited emails; encouraging staff to be wary that mis-spelt emails could be a sign of a scam; and to watch out for sites that ask for sensitive information, such as card PIN and national insurance number. Another golden rule is never to share a password. It is also important for custodians of valuable data such as the bank, health insurance company, payroll management service to provide strong security. If they are unable to provide the option to use multi-factor authentication, ask them why not? Or better still, just switch to a provider who does.

Finally, remind users of something they have probably all forgotten not to open Office documents or pdfs unless it is from a known sender. It is also important to never click “yes” to warnings about macros or active content unless the message is clear. Recently, there has been a surge in downloaders of malicious code hiding in macros in office documents that seem legitimate. This is also expected to be on the rise in 2016.

The bad guys will continue to use coordinated attacks but the cyber security industry will make significant strides forward with information sharing. For some time, the bad guys have been coordinating and collaborating, re-using tactics and tools, and generally being one step ahead of the cyber security industry. But the industry is now evolving and information sharing and workflow automation continue to be promising, and expected to deliver significant differences in 2016 and onward.

Commercial malware authors will continue to reinvest at greater rates, bringing them towards the ‘spending power’ of nation-state activity. This includes purchasing zero days. These bad guys have lots of cash and they are spending it wisely.

Exploit kits, like Angler (by far the most prevalent today) and Nuclear, are arguably the biggest problem on the web today in relation to malware and this looks set to continue due to various poorly secured websites on the internet. Cyber criminals will exploit these websites to make money easily and exploit kits have simply become stock tools of the trade, used by criminals to attempt to infect users with their chosen malware.