The new era of cyberterrorism
Cyberattacks are on the rise, and government agencies, law enforcement and the private sector all seem powerless to stop them. The list of recent high-profile victims includes such well-known names as Target, Sony and Ashley Madison, and it also includes the Joint Chiefs of Staff and even the White House. Many of the cybercrime attacks are coming from countries that include China, Iran and North Korea.
The U.S. government has budgeted $14 billion for cybersecurity for fiscal year 2016, so clearly, this threat is being taken seriously at the highest levels of government.
Unfortunately, security experts expect cyberattacks seen in 2015 to continue in the new year, if only because those most likely to be victimized simply haven't done much to step up security. In fact, many federal agencies have not even instituted two-factor authentication, something as simple as requiring both a card and a PIN number.
So what major cyberthreats are expected next year? CNBC spoke with experts in the fields of cybersecurity, telecommunications and IT consulting to determine what's at risk. The list may surprise you.
—By Daniel Bukszpan, special to CNBC.com
Posted 25 September 2015
Cloud computing allows vast amounts of data to be stored without taking up one inch of physical space. Increasingly, U.S. businesses rely on it to warehouse their sensitive information.
According to the technology investment banking firm Centaur Partners, centrally hosted software and cloud-based business application services revenue is expected to grow to $33 billion in 2016, as compared to $14 billion in 2011. Rohit Gupta, CEO of the cybersecurity firm Palerra, said that hackers targeting cloud computing could be the biggest threat of 2016.
"More and more transactions are moving online and to the cloud," he said. "Many U.S. businesses are even running their business-critical applications and services in the cloud. Why would hackers go through the trouble of overcoming physical security when it's so much more lucrative to target cloud services and transactions?"
Many security experts worry about the possibility of U.S. infrastructure becoming the next major target of cybercriminals. Bobby Kuzma, systems engineer for Core Security, told CNBC that this type of attack could be one to watch out for in the months ahead.
"The biggest threats aren't going to be information breaches," he said. "It's going to be attacks against critical infrastructure, like utilities, telecommunications and logistics. Industrial control systems have been overlooked for too long, and with the success of weaponized code like Stuxnet, it's only a matter of time before we're hit with similar attacks."
According to the mobile security firm NowSecure, 43 percent of "bring your own device" (BYOD) smartphones used by U.S. workers don't have a password, a personal identification number or pattern lock. Fifty percent use these devices to connect to unsecured Wi-Fi at least once a month, and nearly half of mobile apps on any given mobile device have at least one major security flaw.
"Securing data in the cloud can be problematic, before the added complexity of managing the data on a mobile device," said Mike Meikle of the security consulting and education company SecureHIM. "However, mobile platforms are becoming the access point of choice for the enterprise, and so this issue needs to be addressed swiftly."
It sounds like something out of a bad horror movie. A car controlled by an unseen force comes to life and causes deadly mayhem for motorists and pedestrians alike. But automobile hacking is real, and no supernatural force is responsible.
As more and more cars connect to the Internet for such functions as GPS, they become more vulnerable. Hackers can connect to a car over a cellular network and, conceivably, turn off the engine while the car is speeding down a crowded highway, or cut the brakes, or cause any number of nightmarish circumstances.
"The worst-case scenario is that multiple vehicles could be infected from a single source, and the manufacturer is then held to ransom," said Andy Rowland, head of customer innovation, energy, resources and automotive at British Telecom. "The infection could start in multiple ways, with a compromised app that drivers download, or through a batch of components that have embedded malware that is not detected when the vehicles are manufactured."
EMV Chip cards
On October 1, U.S. credit card issuers will begin issuing EMV (Europay, MasterCard and Visa) compliant cards, which will store data on an integrated circuit, not a magnetic strip. While this change is intended to reduce certain types of fraud, it will also give cybercriminals a new avenue of attack—card-not-present (CNP) technology.
"We've actually seen this happen globally with other countries which made the EMV chip card switch," said Tami Cohorst, chief operating officer of credit card processor Abtek. "For instance, fraud related to CNP transactions in the U.K. spiked to 79 percent within the first three years of the company migrating to EMV chip cards. Since Canada made a similar shift, fraud has doubled."
Phishing is not new, but most cybersecurity experts believe it's as prevalent a form of cybercrime as any other, and it remains a top threat in the coming year. The Global Phishing Survey of the Anti-Phishing Working Group (APWG) found that in the last six months of 2014 alone, there were approximately 124,000 unique phishing attacks worldwide, which occurred on more than 95,000 unique domain names.
A phishing attack typically involves sending an email to a victim that looks to the untrained eye as if it comes from a legitimate financial institution. The email will ask the victim to verify personal information through a link to a fraudulent Web page. Once that's provided, the criminal can access the victim's financial information. Even companies that work to reduce cyberthreats are not immune to receiving them.
"These sorts of emails come into our agency, specifically within the finance department, just about every other day," said Tim Friez, director of information technology and security at the Gatesman+Dave advertising agency.
Malware, like phishing, has been around for a while. Short for "malicious software," it can take the form of a virus, a program concealing harmful code or an infected disk and can be unwittingly installed on a computer by the user and expose sensitive information. It's often part of a long strategy that many cyber criminals use to fleece their victims, with great success.
"Once the cyberattackers have gained access to an organization's systems and placed their malware inside the organization, this malware can be very sophisticated and often goes unnoticed by the organization," said Rick Shaw, president and CEO of the risk-management prevention company Awareity.
"Two hundred and five days is the median number of days the malware is inside the organization before it is noticed."
CryptoWall is a form of ransomware that makes computers unusable until victims pay the criminal who infected their computer with it. Gene Gerovich, co-founder of the IT consulting company MyBizGeek, said CryptoWall will be a threat in the new year, but if companies do one simple thing consistently, all the heartache can be avoided.
"When you have an IT team, in-house or outsourced like our company provides, who is responsible for your backups, they can have you up and running in a matter of minutes, and the company moves forward, business as usual, no ransom paid," he said. "Having backups done daily seems like a no-brainer, right? Yet very few small businesses do it."
In August the FDA and the Department of Homeland Security advised health-care facilities to stop using Hospira's Symbiq infusion pump after learning that the device, which administers medication to a patient over time, is vulnerable to hackers. Mick Coady, health information privacy and security partner at PricewaterhouseCoopers, believes that this type of cybercrime will become more prevalent in 2016.
"The newest threat for medical devices will be 'ransomware/Stuxnet' attacks, where hackers can tap into the administrative privilege capabilities of medical devices, which are typically restricted to manufacturers or hospital administrators," he said. "We will especially see an uptick in exploitation of medical devices that have moved to more modern types of interconnectivity with mobile devices."
In June the U.S. Office of Personnel Management (OPM) was breached. Personal information pertaining to 22 million Americans was stolen by hackers, who were believed to be from China. Many of the victims had security clearances, making the theft of their data a concern not just for personal privacy but for national security.
MailChannels is an email delivery technology company, and Ken Simpson is its co-founder and CEO. He said that he considers nation-state commercial espionage to be one of the biggest and most serious threats to U.S. businesses, and the White House appears to agree with him.
"The recent move by the Obama administration to threaten a tactical cyber response to China should it pursue further commercial cyberespionage is an indicator of how serious this threat has become," he said. "It will be necessary for Western states, including the U.S., to really start providing material support to businesses to help them defend themselves against these types of attacks."