Top Cyber Security Trends for 2016

© 2015 Imperva, Inc. All rights reserved.
Top Cyber Security Trends
for 2016
Amichai Shulman, CTO, Imperva
December 16, 2015

Amichai Shulman – CTO, Imperva
•  Speaker at industry events
–  RSA, Appsec, Info Security UK, Black Hat
•  Lecturer on information security
–  Technion - Israel Institute of Technology
•  Former security consultant to banks and financial services firms
•  Leads the Imperva Application Defense Center (ADC)
–  Discovered over 20 commercial application vulnerabilities
–  Credited by Oracle, MSSQL, IBM and Others
2
Amichai Shulman one of InfoWorld’s “Top 25 CTOs”

Agenda
•  Introduction
•  2015 Forecast Score Card
•  2016 Cyber Security Trends
•  Summary and Conclusion
•  Q&A
3

2015 Score Card
4
Trend Score
1 Targeted attacks change their nature
A
2 Patching is going to become impossible A-
3 DDoS is growing at the Internet rate A
4 SSL is at a tipping point A-

2016 Cyber Security Trend #1:
IoT / BoT - Botnet of Things
1
5

BoT - Botnet of Things
6

Hacking the Fridge
7

Asking the Right Question
•  Can someone hack my toaster?
8

Asking the Right Question
•  Can someone hack my toaster? •  Can my network be attacked with a
shoe?
9

The Internet
of Things
A dramatic increase in
networked devices leads
to more opportunities for
ATTACK
The Internet
of Things

BoT - Botnet of Things
•  Connected IoT devices will never have “adequate” security
–  Device take over
–  Credential theft
•  Botnets can grow larger undetected
–  More opportunity – easier to form larger botnets
–  More DDoS as a Service opportunity
•  Possible increase in exposure from insiders
–  BYOD on steroids
–  Watch, wearables and others not as secure
–  More compromised devices in the vicinity of enterprise networks
11

Our Prediction
•  More people talking about the wrong problems
•  More “IoT” based botnets
•  More incidents to link personal credentials with IoT breaches
•  Highly sensitive companies starting to feel the pressure (not until the end of
the year)
12

Rise of Insider Threat
2
13

Rise of Insider Threat
14
Globally 89% of respondents felt that their organization was now more at
risk from an insider attack – Vormetric 2015
“55% of the Incidents from Internal Actors due to Privilege Abuse”
-Verizon DBIR 2015

Outside In
•  Personal attack surface is growing
–  Social, mobile, IoE
–  We are extremely exposed and extremely vulnerable
•  Engaged employees are a two way sword
–  Mix work and personal life
–  Most infections happen during office hours, 20% of infected machines attributed to
enterprise networks
•  End stations are increasingly vulnerable
–  Tracking the number of patched vulnerabilities in end point components suggests a
growing backlog with a constant fixing capacity
16

Inside Out
•  Shadow IT
–  Unmanaged Database servers
–  Partly commissioned SaaS applications
•  More employees and more collaboration
–  Barriers are taken down
•  Shared data repositories with trusted partners
•  Sensitive data is everywhere
–  Cloud applications provide direct access without IT control
–  Big data lakes
–  1000s of “traditional” databases
17

Our Predictions
•  Decrease in detection rates
–  Most solutions look for the tools and not the attack
–  Attackers have all the infrastructure in place to evade ANY solution that takes the
above approach
•  Increase in absolute number of attacks of internal nature
•  Large increase in total number and percentage of incidents of internal nature
18

Data Security for the Big and Small
3
19

Big Breaches = Big Price Tag
•  Cost of data breach is higher than anticipated
–  Target’s gross breach expenses totaled $252 million, insurance compensation brought that
down to $162 million
–  Home Depot expects $100 million in insurance payments toward $232 million in expenses
from its 2014 breach
–  Anthem breach expected to cost more than $100 millions
20

Big Breaches Start Small
•  Target breach started with a
compromised HVAC company
•  T-Mobile customer data breached
through Experian
•  JPMC customer data breached after
an affiliate was breached
•  Lockheed Martin breach through
RSA
21

Smaller Companies are Targets
•  While sophisticated, targeted attacks do exists they are a negligible minority
•  80% of infections stem from massive eMail campaigns
•  Smaller organizations are infected and compromised as much as larger ones
(or even more)
•  Attackers are aware of 3rd party relationships between large targets and
smaller service providers
•  Transfer of liabilities may prove to be devastating for a smaller 3rd party
22

Cyber Insurance is Not a Silver Bullet
•  Big breaches leave some of the costs uncovered
•  Insurance claims result in higher policy costs in the future
–  “Health insurers who suffered hacks are facing the most extreme increases, with some
premiums tripling at renewal time” - Bob Wice, a leader of Beazley Plc's cyber insurance
practice
•  Policy cost is detrimental for smaller business
–  Insurers are not proficient yet in assessing the risks
–  May consider making coverage conditional on a full and frequent assessment of
policyholder vulnerabilities (PwC Research)
–  Especially true for 3rd party liabilities
23

Our Predictions
•  Continuing on our previous prediction – smaller organizations are going to
continue falling prey in larger numbers
•  Expect more breaches to be attributed to 3rd party negligence
•  Big enterprises to start paying attention to security posture of 3rd parties
–  Set up standards / guidelines / requirements
–  Transfer liability in the event of a breach
•  Cyber insurance companies to attempt to set guidelines for data security
–  Penetrate the smaller business market
–  Must come up with a good actuary model based on standardized mitigation requirements
24

SSL More of a Problem than a Solution?
4
25

Subversion of Free SSL Certificates for Malware
26

Subversion of Free SSL Certificates for Malware
•  Easier to encrypt C&C communications
•  Fast flux DNS can now be used in conjunction with SSL
•  More certificates for more organizations = more opportunity for theft
–  More opportunity for impersonation and code signing
•  Free SSL certificates can significantly lower the cost of signed malware
–  Combined with automation will help them remain undetected
27

What (else) Could Possibly Go Wrong?
•  eDellRoot
•  Logjam
•  Schannel TLS Triple Handshake
Vulnerability - CVE-2015-6112
–  Add “Extended Master Secret”
•  Bar Mitzvah attack
–  RC4 under SSL is REALLY broken
•  SSL Pinning
–  Would invalidate NG Firewalls?
28

A Note on HTTP/2
•  Major complex revision of HTTP protocol
–  Keep semantics but replace everything under the hood
•  Intended for use over TLS
–  This part was not mandated by RFC but dictated by major browser vendors
•  Inconsistency between SPDY and HTTP/2 in the use of TLS extensions
•  New implementations that are not even based on the SPDY prototypes
•  Across all major servers and browsers
29

Our Predictions
•  Continuous growth in SSL implementation and design vulnerability flow
•  Increase in SSL usage and changes to CA infrastructure will benefit attackers
–  More attacks go undetected over network (SSL certificates)
–  More attacks go undetected inside end stations (code signing certificates)
•  New HTTP/2 vulnerability flow
–  We already have some in our lab
•  It’s going to be much worst before it becomes better
–  The foundation for secure traffic over the Internet must go through a drastic simplification
process
30

Ransomware/Blackmail – Flourishing
Business
5
31

Ransomware Business on Personal Devices
32

Ransomware Business on Personal Devices
33
•  CryptoWall 4.0 – enhanced and harder to detect
•  Once data is encrypted, unfortunately, not many options
–  Standard modern encryption used in the proper way (i.e. cannot be broken)
–  Reformat and restore from backup
•  Authorities set the right atmosphere
–  “To be honest, we often advise people just to pay the ransom.” – Assistant Special Agent
in Charge of the FBI’s CYBER and Counterintelligence Program
–  The success of the ransomware ends up benefitting victims (same as above)
–  Ransoms are low. And most ransomware scammers are good to their word (guess who…)
•  Criminals are netting an estimated $150 million a year through these scams
(FBI)

Ransom/Blackmail on Enterprises
34

DDoS as a Service
35

DDoS as a Service
•  Ransoms with threats of DDoS Attacks
•  Based on low end DDoS as a Service Providers
•  Simple execution
–  Go online
–  Purchase a monthly package
–  Launch short attacks
–  Send email
–  Collect money
36

Our Predictions
•  Unless authorities step in this is going to grow
•  May spill into the ICS / SCADA domain
•  Some gangs may choose to go after bigger prey
37

Summary
6
38

Our 2016 Predictions
•  IoT will start taking its toll on enterprises and individuals
–  Botnet of things
–  Credential theft through insecure devices
•  Rise of insider threat
–  Dramatic growth in successful attacks of insider nature
–  Due to increased attack rate and lower detection rates
•  Attackers go down the food chain
–  Increased attacks on smaller companies
–  Increased liability will drive data security needs
39

Our 2016 Predictions (cont.)
•  Continuous decay in security value of SSL
–  Coupled with new opportunities for attackers to abuse growing use of SSL
–  HTTP/2 vulnerability flow
•  Ransom/Blackmail as a business model
–  Fast growth business
–  May affect larger organizations and other domains (ICS / SCADA)
40

Recommendations
•  Cyber space is not going to become more secure this year
•  Enterprises must continue to invest in securing themselves, this goes down to
the smaller enterprises as well
•  Attackers are after data. This is where enterprises should invest their efforts of
protection
•  Once inside the organization attackers are not “attacking” but rather “abusing”.
Look for solutions that detect abuse rather than attack
•  Look for security as an overlay solution
–  Databases cannot defend themselves
–  Applications are not self defending
–  Networks cannot be defended against DDoS from inside the network
41

Top Cyber Security Trends for 2016

Top Cyber Security Trends for 2016

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Top Cyber Security Trends for 2016

Similar to Top Cyber Security Trends for 2016 (20)

More from Imperva

More from Imperva (20)

Recently uploaded

Recently uploaded (20)

Top Cyber Security Trends for 2016