Cyber criminals set to become information dealers, says Websense

Cybercriminals are set to become information dealers in the coming year, according to the top 10 cyber security predictions for 2015 by Websense Security Labs.

Websense principal security analyst Carl Leonard said criminals will use the sale of credit card numbers to fund the collection of a broader range of data about victims.

“The underground market is flooded with stolen credit card data, but that will help fund the collection of fuller, richer personal information sets about individuals,” he told Computer Weekly.

These data sets will be far more lucrative than credit card details on the underground market and will include details of multiple credit cards, as well as regional, geographic, behavioural and personal data.

Websense expects this emerging trade in data sets on individuals will make possible a new level of identity theft for the purpose of fraud.

Healthcare sector will see increased data-stealing attacks

Allied to the shift to trade in data sets, Websense predicts healthcare data will become a top target in 2015 because it typically includes personal and financial data.

“Since the start of 2014, we have seen a 600% increase in attacks targeting healthcare data in the US because it is so valuable for enabling identity theft,” said Leonard.

In an environment still transitioning millions of patient records from paper to digital form, many organisations are playing catch-up when it comes to the security challenge of protecting personal data.

As a result, Websense security researchers expect cyber attacks against this industry to increase, particularly because of the drive to consolidate data to improve services.

“The healthcare sector faces the unique challenge of ensuring that highly sensitive personal data is accessible in emergencies to those who need it, but that it is also highly secure,” said Leonard.

Attacks on the IoT will focus on businesses

While proof-of-concept attacks against consumer goods such as web-enabled refrigerators and cars have been widely reported, Websense researchers believe the real threat from the internet of things (IoT) is more likely to be in the business environment.

Every new internet-connected device in a business environment further increases a business's attack surface.

These connected devices use new protocols, present new ways to hide malicious activity and generate more noise that must be accurately filtered to identify true threats.

According to Websense, attacks are likely to attempt to use control of a simple connected device to move laterally in an organisation and steal valuable data.

“In the coming year, manufacturing and industrial environments, in particular, are likely to see an increase in this type of attack,” said Leonard.

“IoT raises similar concerns as bring your own device (BYOD) and should likewise be a consideration when evaluating all the potential cyber risks to an enterprise,” he said.

Failure to do so could have devastating consequences, and Leonard goes so far as to predict 2015 will see the first big IoT-enabled data breach.

“This is likely to be in the manufacturing sector where web-enabled controllers for industrial processes are already deployed, but every enterprise should consider if they have an IoT-related risk,” he said.

Like the healthcare sector, manufacturing is seeing an increase in the number of cyber attacks, with a 20% increase in the first 10 months of 2014.

“Manufacturing companies should conduct thorough security appraisals of all industrial control systems they are using to assess the risk of cyber attack,” said Leonard.

He points out that Spain will have to update most of the electricity smart meters that have been rolled out because they have been found to be vulnerable to cyber attack.

“Spanish authorities rolled out the smart meters before they were aware of the security implications, so manufacturers should assess all new control systems before deployment,” he adds.

Mobile threats will target credentials more than the data

As mobile devices are increasingly used as a means of accessing online services through the auto-login capabilities of mobile apps, Websense researchers predict cyber criminals will target mobile devices in credential-stealing or authentication attacks to be used at a later date.

Instead of targeting data stored on mobile devices, most attacks will aim to use the phone as an access point to the increasing number of cloud-based enterprise applications and data resources the devices can freely access.

“Access data is much more valuable and, although we have seen an uptick in mobile malware threats, this is still relatively low compared with malware threats targeting PCs,” said Leonard.

“While most corporate data is stored in the cloud, the credential data is often stored on the mobile device and sometimes in the clear, making it an easy target for cyber criminals,” he said.

New vulnerabilities will emerge from decades-old source code

OpenSSL, Heartbleed and Shellshock all made headlines in 2014, but have existed in open-source code for years, waiting to be exploited.

The pace of software development demands that new applications are built on open source, or legacy-proprietary source code.

As new features and integrations build on top of that base code, vulnerabilities continue to be overlooked.

Websense security researchers predict in 2015 attackers will successfully exploit seemingly divergent application software through vulnerabilities in the old source code that these applications share.

“Open-source code is widely adopted by enterprises, but it can open the door to security risks,” said Leonard.

“The Heartbleed and Shellshock vulnerabilities have been in existence for years, and no-one can assume malware writers were unaware of them before they were made public,” he said.

Users of the Drupal open-source content management system should also assume any instance not updated since 15 October 2014 is vulnerable to attack.

“The fact that so many websites remain vulnerable to exploitation of the Heartbleed vulnerability 7 months after it was made public shows that protection is not guaranteed even when threats are known,” said Leonard.

Email threats will take on a new level of sophistication and evasiveness

Though the web remains the largest channel for attacks against businesses, Websense researchers expect new highly sophisticated email-evasion techniques will be introduced and designed to circumvent the latest enterprise-grade defences.

The researchers predict that email, traditionally used as a lure in past attack scenarios, will become a more pervasive element of other stages of an attack, including the reconnaissance stage.

Malware command and control will increasingly be hosted on legitimate sites

Criminals will increasingly use social and collaborative tools to host their command and control infrastructure, according to Websense.

Those charged with protecting business from attack will have a difficult time discerning malicious traffic from legitimate traffic when communications to Twitter and Google Docs are not only allowed, but also encouraged in the enterprise.

New players on the global cyber front

The techniques and tactics of nation-state cyber espionage and cyber warfare activities have primarily been successful. 

As a result, Websense expects additional countries will look to develop their own cyber-espionage programmes, particularly in countries with a high rate of economic growth.

In addition, because the barrier of entry for cyber activities is minimal compared to traditional espionage and war costs, the researchers believe there will be an increase in loosely affiliated cells that conduct cyber terrorist or cyber warfare initiatives independent from, but in support of, nation-state causes.

“The 2015 top security predictions are aimed at helping global businesses interpret and anticipate threat trends to defend against innovative and sophisticated attacks,” said Leonard.

“However, each organisation will have a different level of exposure to each and will need to assess for themselves which are most relevant for their particular business and industry sector,” he said.

Leonard added that while it is good to see many businesses are on the ball when it comes to cyber security, many others are still not aware of the threats that apply to them.

“It is important to get visibility of your IT estate and have a thorough knowledge of all the platforms your organisation uses to be able to make a proper risk assessment,” said Leonard.

“Businesses need to ensure they take into account all the non-official systems that have been introduced by ‘shadow IT’ that may also represent a cyber risk to the business,” he said.
