The security landscape is constantly evolving, and while it's hard to predict the future, the experts of the RSAC Advisory Board have rubbed their crystal balls and offer some insight into where they see the industry moving next year.
What can we expect to see in 2016? Healthcare data will be more valuable to hackers, although experts disagree on how high-profile hacks will be next year.
According to Wendy Nather, research director at the Retail Cyber Intelligence Sharing Center, 2016 will be the year of "extortapalooza."While she notes that extortion has always been around, she expects extortion attacks to become more common next year.
"Extortion attacks are nothing new—for example, take the recent situation with Charlie Sheen having to announce that he is HIV-positive after paying out millions of dollars to people who knew about his status. Sheen’s case is a bit sensational, but this doesn’t happen only to celebrities; it can happen to companies of all sizes through crypto-ransomware or DDoS attacks and to those on Main Street if their identity is stolen," Nather says.
Healthcare will be especially vulnerable. "According to Reuters, medical information can be 10 times more valuable than a credit card number. Schemes will expand to medical devices such as diagnostic equipment, therapeutic equipment, and life support equipment, wherein attackers will lock it so it becomes inactive until a ransom is paid. That’s scary to think about when some of these devices are essential to keeping someone alive."
Benjamin Jun, CEO of HVF Labs, predicts that 2016 will be a good year for DevOps as organizations try to answer the question of whether security components should be built in-house or bought.
"In 2016, microservice security offerings will begin taking hold," Jun says. "Identity management and customer data—the crown jewels of any organization—will be increasingly migrated to specialized cloud services. Solutions will come from a diverse and new set of vendors, from Parse (acquired by Facebook) to Salesforce.com. Developers will insert vetted services and code into their own software, avoid building from scratch, and obtain a security level better than most homegrown offerings."
For companies who still insist on building their own solutions, "relief is coming in 2017 when container technologies will allow in-house teams to practically manage and integrate microservices of their very own."
Hugh Thompson, CTO, CMO and SVP at BlueCoat Systems, sees the industrialization of ransomware becoming a growing issue in 2016.
"Many cybercrime groups are running like companies, and they can quickly move to build out a ransomware infrastructure. For most people, it isn’t shocking anymore when their credit card data gets stolen. The most frustrating part for most victims of credit card theft is that they've forgotten all the services associated with that credit card, and they now have to go back into lots of websites and update everything. It's a big pain and time intensive, but the damage is typically short-term," Thompson says.
"This differs from data that might be embarrassing, invasive or harmful to a person. Stolen healthcare data doesn't have an expiration date, and we are only just starting to realize the implications of this type of data being in the hands of attackers."
Today's difficult-to-monetize data could be tomorrow's windfall for attackers. Healthcare organizations typically have smaller information security budgets and perhaps are more focused on compliance than on threat-protection when compared to industries like financial services, making them easier targets. "Stealing this type of data, like someone’s medical history that does not expire and cannot be reset, unfortunately gives attackers the luxury of time to build an infrastructure to monetize that data," Thompson says.
"In the past, data has been taken, destroyed or encrypted, but increasingly we’re seeing breaches during which data is leaked publicly in order to cause significant damage to a business, reputations, or even the government," he says. "Criminals and hacktivists are now stealing data and threatening to place it on public websites for others to see. In conjunction with this, hackers are building massive databases that include multiple types of data (insurance, health, credit card) to present a “full picture” of an individual. It’s one thing to have your data stolen and another to have it used against you. We’ll continue to see individuals’, corporations’ and public entities’ info used against them as a weapon in 2016."
Director of Commercial Consulting at Booz Allen Hamilton Todd Inskeep, meanwhile thinks hackers will go "quiet" in 2016.
"Since the Sony hack last year there have been a few high-profile attacks, but nothing quite as loud or full-on destructive. Attackers have been much quieter in 2015 in signaling their capabilities and broadcasting infiltrations and this will continue into 2016. Instead of the big showy attacks that post the data and embarrass companies, the use of more quiet attacks means the public will hear less, while boards and executives will hear more—not about the attacks themselves but about the effects of the hack. It'll be more 'Houston, we have a problem,' with less insight into how the attack was accomplished and how the hacker obtained any value from what was done. Hackers will become more insidious in nature and in practice," Inskeep says.