Cyber security is an arms race. Attackers constantly evolve their techniques, and in response, defenders continue to adapt their defenses. With each passing year, we witness the fallout from this arms race in the form of data breaches, malware outbreaks, privacy infringements and other compromising scenarios that, in the end, affect telecoms customers, both consumers and businesses. These events continue to attract headlines and, rightly so, draw the public’s attention to the importance of cyber security in our ever more connected world.
Six F-Secure experts shared their predictions for what to expect in the near future. From IoT to AI, organizational security trends to consumer concerns, here are the trends the experts predict will affect telecom customers this year.
The IoT will keep growing and attracting more interest from attackers
It’s no secret that internet-connected devices, particularly IoT (Internet of Things) devices, are spreading like wildfire. More and more homes are adopting connected thermostats, lights, voice assistants and entertainment systems.
For years, experts have been sounding the alarm about the security defects of IoT devices, defects which have led to hackers peeping through home webcams; IoT devices being infected with malware and used to launch DDoS attacks or other botnet-related activities; and the leaking of user data from these devices. That’s why the continued adoption of IoT devices is a trend F-Secure Security Consultant Laura Kankaala says will continue to have security implications.
“We have seen devices being exploited, from just poor password policies, to remote code executions, to DNS rebinding attacks,” says Kankaala.
Kankaala expects to see more exploitation of these devices. But on a more positive note, she says she hopes the increase in exploitation will result in regulation to rein in the problem.
“The GDPR could be extended to actually cover IoT devices, or some other regulation could come in place that would extend the GDPR to cover these IoT devices as well,” Kankaala explains.
Supply chain attacks will increase
A supply chain attack is normally thought of as an attack that leverages vulnerable parts of a supply network to target an organization. One of the best-known examples is perhaps 2017’s NotPetya ransomware attack, when a Ukrainian tax accounting software update was compromised and used to run malware instead of an actual update. The attack resulted in billions of dollars of losses and affected not only Ukrainian businesses, but also extended to major organizations around the world.
But F-Secure Service Technology Lead Artturi Lehtio points out that supply chain attacks are incredibly diverse, and can even target individuals. Compromising a service provider to steal a particular customer’s data is another kind of supply chain attack, and manipulating otherwise legitimate information that people normally trust can be considered still another.
It could be as simple as making a change to an online service that brings security risks users don’t really understand.
“We’re putting large parts of our lives in the hands of others, where we don’t always realize how much we’re relying on others or trusting others. And we don’t really have a way of verifying that they are still worthy of that trust,” Lehtio explains.
Infostealers will scope user devices to maximize attack profit
The past year has seen three main types of malware preying on users: cryptominers, which take advantage of a device’s computing power to secretly mine cryptocurrency; banking trojans, which infect a victim’s device and then go after the victim’s banking details; and ransomware, which encrypts a user’s files and then demands a ransom fee for decryption.
Christine Bejerasco, Vice President, Tactical Defense Unit, Security Research & Technologies, says that this year all three will continue to be used, but in conjunction with infostealers, which malware authors have begun using to scope out the device before hitting it with the actual payload.
“Last year, there was a rise in cryptominers which coincided with the increase in cryptocurrency valuations,” Bejerasco explains. “Then, when the cryptocurrency valuations started falling, malware authors started getting more opportunistic: Putting an infostealer on a user’s device to figure out if they can gain more by putting a cryptominer, banking trojan or ransomware on the victim’s machine. In 2019, this trend will continue.”
Public Wi-Fi will continue to be a hazard
Many people are aware of the dangers of using public Wi-Fi – sharing a network with strangers can expose your data to cybersnoops with special software and/or hardware that can spy on your traffic. But with more and more websites becoming encrypted, with “https” to assure visitors their data will be safe, does this mean it’s time to let go of worries about public Wi-Fi security? According to Bejerasco, the answer is no.
“Even if people are using websites that are increasingly encrypting their traffic and properly deploying certificates, there is still a combination of certificate theft and profiling via your DNS traffic that can potentially compromise a user,” says Bejerasco. “With GitHub containing hundreds of tools that can be used to sniff network traffic, public Wi-Fi should continue to be untrusted.”
Bejerasco says anyone who uses public Wi-Fi should protect their connection by using a VPN. F-Secure’s VPN also blocks third-party tracking by advertisers.
More companies will be prepared to detect and respond to attacks
Contrary to doomsday messages we often hear, F-Secure Principal Security Consultant Tom Van de Wiele believes we can look forward to positive security developments in 2019. Van de Wiele thinks that as more companies begin to take advantage of advances in automation and detection and response technologies to root out attackers infiltrating their company networks, targeted attacks will begin costing adversaries more money. Van de Wiele, who carries out ethical hacking assignments to test the defenses of F-Secure’s corporate customers, bases this opinion on what he sees happening with the companies he works with.
“We see a definite trend at customers where more and more software and services are being introduced because they are being hit by certain attacks, or because their competitors are being hit,” he says. “And that increase in automation when it comes to detection, is of course discouraging some attackers and making it more difficult for other attackers to try and slip into companies in an undetected way.”
Data breaches will continue to expose customer data
Data breaches, which regularly grab news headlines, affect not only companies but the customers they serve, who must then take precautions to prevent or mitigate identity theft.
“There is a continued rise in the number of breached companies, with users’ data being extracted and sold,” says Bejerasco, who expects no slowdown of breaches in 2019. There’s not much a consumer can do to impact the internal security posture of companies they patronize, but there are other ways of protecting your data, says Bejerasco. “Be careful which websites you input your information and credentials into,” she says. “Even if the site is legitimate, if they don’t have a rigid cybersecurity process, compromising them could be cheap and easy, and this means that the data that you sent them could be victimized.”
Organizations are going to start thinking about why they get hacked
Adam Sheehan, Behavioral Science Lead at MWR Infosecurity, studies the social engineering tactics attackers use to dupe people into clicking, and how people respond to those tactics. Sheehan predicts more companies will begin to be interested in what he describes as the next level of analysis – not only which risky behaviors their employees engage in, such as clicking on malicious links or downloading infected files, but also why employees get tricked into performing these actions.
“I think for too long there’s been an assumption that if Organization A has a high click rate, let’s say on email phishing, and Organization B has the same observable high click rate on email phishing, that they should be offered more or less the same solution,” Adam says. “Actually in one case the underlying problem could be one issue. And in another case, the underlying issue could be quite different.”
Sheehan says this desire among companies to delve into root cause analysis will grow, and will drive organizations to seek bespoke solutions to address the issue their particular organization faces.
Privacy issues will continue to affect users
The Snowden revelations of 2013, when whistleblower and government contractor Edward Snowden exposed global government surveillance programs to the public, first brought privacy concerns to the forefront of our minds. Nearly six years later, privacy issues still plague cyber space, and users should still be aware of whether and how their data is being used and shared by organizations, apps and services, says Bejerasco, starting with mobile devices.
“On mobiles, be mindful of the permissions that you give the apps that you install,” she says. “Some of them could acquire behavioral data and their systems are then able to create profiles of your behavior which their owners can use or sell to others. Always make sure that you give only the permissions that support the functionalities that you need from the app.”
Reinforcement learning will keep taking a big leap forward
A final trend may be a less obvious one, but will nevertheless impact consumers in the offers and notifications they receive. Artificial intelligence (AI) is a buzzword in information technology, and it has important applications in cyber security as well. According to Andy Patel, Researcher at F-Secure’s Artificial Intelligence Center of Excellence, reinforcement learning is where the big advances in AI will happen.
Patel describes reinforcement learning as teaching an algorithm to learn by rewarding it when it makes positive progress. An example is how it can be used to teach a computer to play a car racing game – after enough repetition, the computer would learn on its own how to press the gas, brakes, and turn the wheel to avoid a crash.
According to Patel, Facebook is using reinforcement learning to figure out when users should receive notifications. Other companies are using it to train financial trading models, for video streaming, and more.
“There are many other similar applications in cyber security, mostly on the penetration testing or fuzzing side that are interesting. Like password guessing, or like application fuzzing, things like that. So I would imagine that people might actually publish, even if it’s just academic, something that uses reinforcement learning for these sorts of things,” Patel says.