IT security threats for next year will be introducing new players while bringing back some old ones (with a few new twists). The 2015 threat landscape — It’s complicated.
Here are the biggest IT security threats that I anticipate for 2015:
1: More Insider Breaches
Insider threats date back to the beginning of the industrial revolution, when French employees secretly opposed automated technologies and made unauthorized changes to the Jacquard loom. Jacquard employees soon developed a deep resentment and feared that they would be replaced by this new automated contraption. With their livelihood in jeopardy, they repeatedly sabotaged the new technology in order to discourage their employer from implementing it.
Though insider threats can mean many things to many different people, everyone agrees that insider threats put businesses at risk. Whether the threat comes from a negligent or malicious insider, or the insider has been compromised by an outside attacker – all insider threats emanate from the same pot. The weakest link in the IT security chain is human.
According to the PwC Network [top 2014 offenders of insider crimes]:
- 35% are current employees
- 30% were former employees
- 18% are current service providers, consultants, or contractors
- 15% were current service providers, consultants, or contractors
- 13% are suppliers and business partners
- 11% are customers
An Insider Threat Study from the Software Engineering Institute, regarding incidents of illicit insider activity in the banking and finance sector, found that financial gain motivated the perpetrators in 81 percent of the cases. Revenge was the motivator in 23 percent of the cases, and 27 percent of the perpetrators were experiencing financial difficulties at the time they committed the acts.
When organisations overlook the threats residing inside their ecosystems, the effects can be devastating. Yet many companies do not have an insider-threat program in place, and are therefore not prepared to prevent, detect, and respond to internal threats. —PwC
2: Social Engineering Attacks Will Increase
Social engineering is the process of deceiving someone electronically, in person, or over the phone with the sole intention of breaching some level of security within the company. First, the attacker identifies the target. Then the attacker creates the dossier and performs reconnaissance with the same tools that ethical hackers, pentesters, and governments use: Open Source Intelligence (OSINT) tools.
The social engineering attack cycle includes four phases:
- Phase 1: Footprinting – information gathering period
- Phase 2: Establishing trust – development of the relationship
- Phase 3: Psychological manipulation – exploitation of the relationship
- Phase 4: The exit – removing any links to real-life identity
In phase 1 the attacker gathers the information via OSINT (and other methods), in order to study (know) his victim beforehand, and carefully plan an illusion of trust (tailored to the victim). With the dossier in hand (phase 2), an attacker attempts to form a relationship with an individual at the targeted organization. After the relationship is established and the attacker gains the individual’s trust (phase 3), social engineering techniques are utilized, and he either exploits the victim and gains entrance to the organization or moves to the next individual to accomplish his goals.
On-site attacks that are especially effective are those that involve the attacker presenting himself at a facility, while referencing a worker who is unavailable. — Shane MacDougall, Tactical Intelligence Inc.
Combining social engineering techniques with the weakest link in the IT security chain, the human, puts all organizations at greater risk.
3: Healthcare Data Will Become A Top Target
Websense observed a 600 percent increase in attacks on hospitals during a ten-month period (from October 2013 to August 2014). The primary motive behind these attacks was financial in nature. Since IT budgets are generally bottom-of-the-barrel as compared to other industries, data security has never been a top priority for many healthcare organizations.
Personally Identifiable Information [PII] will become the new hot mama of 2015. The mother lode of healthcare PII data for resale in the black market will certainly lead to an uptick in identity theft.
The human again
Healthcare workers often share passwords and workstations, and many employees do not understand the concept of how vital IT security is to an organization. As a case in point: I worked in a psychiatric hospital on the east coast and noted that everyone from case workers to doctors (who held varying levels of network credentials) often left their passwords exposed. One doctor even wrote his network password on the back of his clipboard, and it was a password that most likely belonged to his dog.
In late 2008 a nurse who always played on Facebook infected shared workstations with the Koobface virus. When I brought this to her attention — she immediately took offense to it. Later that day I defriended her on Facebook in order to avoid a Facebook war.
All hell broke loose the next morning over the defriending. I soon found out that she literally threw me under the bus with administration, claiming that I was a computer hacker and was infecting all their workstations. Meetings were scheduled and IS was brought into the cauldron of accusations against me. I was under severe scrutiny and a prime candidate for termination. Information Systems [IS] eventually exonerated me from all wrongdoing after I explained what the Koobface virus was, how the workstations became infected, and how to clean it up. If this hospital had been using an electronic records system — this story may not have had a happy ending.
“Many of the stories regarding healthcare information security breaches have been due to the negligence of staff.” – Dell, SecureWorks
4: More Reputation Sabotage
Reputation will become the new target for cyber attacks in 2015. A crucial part of a business strategy should be to protect the company’s public reputation. A disgruntled current or former employee can wreak havoc on social media and public boards. Negative reviews can pop up on high traffic sites such as Amazon, City Search, Glassdoor, Google reviews, Ripoffreport.com, and Yelp — to name a few. Insider threats that leak company information will become a force to be reckoned with too.
Two months ago PepsiCo released a new soft drink product: PepsiTrue. The soft drink is sold exclusively on Amazon. We all know that Amazon reviews carry a lot of weight. Activists quickly banded together in an attempt to coerce the company into adopting a more sustainable palm oil policy. The activists began an Amazon review sabotage campaign with almost 4,000 one-star reviews (as of this writing), with thousands of negative comments. And so it goes.
On a side note: by Monday morning, the PepsiCo deluge that began last weekend had rolled in 3,900 negative Amazon reviews.
How can I trust a company that continues to support rainforest destruction by buying unsustainable palm oil, PEPSI BAD! BAD PEPSI BAD! And, STOP STEALING THE WATER OF DEVELOPING NATIONS! OR IS THAT COCA COLA?, and If I could give zero stars, I would. Pepsi is a truly horrific corporation. They have no sense of humanity.
5: More Crime As A Service (CaaS)
Money has moved online. Criminals value your information.
Most services offered in the underground are characterized by their ease of use and a strong customer orientation. They typically have a user-friendly administration console and dashboard for the control of profits. —Infosec Institute
CaaS attacks will become more innovative and sophisticated in 2015. Criminals will become more adept at combining OSINT tools with information obtained from intrusion and data leaks. New attacks, both physical and virtual, will target individuals based on their ability to provide access and information about their organizations to the bad guys.
That’s it for my predictions — it’s time to put the crystal ball away. What is your prediction for the top 2015 IT security threats currently brewing?
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.