
Security Predictions 2018: how are we doing so far?
Carl Leonard Principal Security Analyst

Back in November we released our Security Predictions for 2018. Now, only six months
on, we can uncover just how many of our predictions have come true already. While
we’re pleased with our accuracy, the reality can be somewhat discouraging, as many of
these predictions bring additional risk to businesses like yours.

The goal of our Security Predictions is to give you a better understanding of the risks your
organisation faces, and how you can better defend against them. I offer my top tips to
mitigate at the foot of this blog.

Our eight predictions for 2018 oriented around a core theme of privacy with regulations
such as GDPR prompting organisations to think critically about how they are protecting
personal data and intellectual property. We also discussed ubiquitous encryption, data
aggregation, cryptocurrency and ransomware.

Privacy Fights Back

Our first prediction anticipated “The Privacy Wars,” a polarising debate pitting
technologists and members of the public, splitting opinion in government, at work and at
home.
This debate has been thrust into the mainstream due in part to the Cambridge Analytica
case involving Facebook. Revelations have been made in the press highlighting the
extent to which people’s private data has been collected and used over many years by
the social network and the consulting firm. Mark Zuckerberg has appeared before the US
Congress and Facebook users and commentators continue to monitor the case. One
could have anticipated this as a “predictable surprise” with a perfect storm of sharing,
collecting and processing that one could only imagine just ten years ago. As a stand-out
story of 2018 the outcome will trigger debate in the public domain for years to come.

Voice-activated systems are being deployed in tens of millions of households capturing
and acting on commands. If you are interested in what Apple, Google and Amazon have
been collecting, this article describes how to remove historical voice commands from
devices such as Alexa.

It is not just our likes, follows and preferences for cat videos that are up for discussion.
Biometric data is now being used on city streets to identify individuals that have triggered
the interest of the police as in this example of portable fingerprint scanners being used in
the UK.

GDPR will do a lot to safeguard the privacy and personal data of EU citizens, in particular,
by making sure the data is used for the intended purpose, is protected and does not end
up in the hands of criminals who may misuse it. This brings us nicely to our second
prediction.

GDPR: Procrastination Now, Panic Later

We anticipated that many organisations would be slow to prepare for GDPR and it
appears that many are only now initiating programs to be “GDPR ready.” Is this a case of
“too little, too late”? I hope not.

The General Data Protection Regulations (GDPR) will be enforceable from 25 May 2018.
With just days to go it is apparent from discussion at cyber security conferences and trade
shows over the last six months that many businesses are simply not aware of their
responsibilities in respect of the regulations and are not prepared to respond to a breach
of personal data.

While technology is not the complete answer in the People, Process, Technology puzzle
it can be a leading indicator to uncover issues around data loss and anomalous
behaviour. Needless to say, Forcepoint can help; take a look at our GDPR Resource
Pack as well as my Top 5 tips to initiate change in your organization.

I think everyone is looking (forward?) to see how things play out post-May.

Disruption of Things

We predicted that Internet of Things (IoT) devices would not be held to ransom as much
as being leveraged for destruction in 2018. That didn’t stop the Oxford English
Dictionary adding ransomware to their pages for 2018.

Surveys identified that almost one-third of energy companies hadn’t given special
consideration to network security as part of their IoT rollout – a worrying observation if
true. Penetration testers are already seeing careful configuration to be lacking with one
such firm identifying school heating systems vulnerable to manipulation.

MIT Technology Review recently listed smart cities as one of the 10 Breakthrough
Technologies for 2018 so it seems as though the surface area being presented to cyber
criminals will continue to grow. As we talk about such applications for IoT it is worth noting
that 2018 has presented the first public discovery of an unauthorised cryptocurrency
miner in an ICS (Industrial Control Systems) or SCADA (supervisory control and data
acquisition) setting.

Speaking of which…

The Rise of Cryptocurrency Hacks

We all know that cyber criminals follow the money trail. There have been numerous
attacks on cryptocurrency systems during the last six months which fit our prediction.
And while indeed predictable, this is certainly not surprising. (“Predictable surprises” is in
fact a phrase which Dr. Richard Ford, our Chief Scientist, has blogged about).

During 2018 we found that jumping on the cryptocurrency and blockchain wagon can be
both good and bad for your business. The company behind cryptocurrency USDT
(Tether) admitted that $31m USD had been lost due to external attackers at the end of
2017. This had a knock-on effect for other cryptocurrencies as value was lost due to loss
in confidence. Some organisations on the other hand enjoy a change in fortune as share
prices rocket upon announcing blockchain programs.

Sparking comparison with the delivery method of NotPetya ransomware of mid-2017 the
Windows version of the Bitcoin Gold cryptocurrency wallet was apparently
compromised at source and replaced with a version that stole funds.

We have seen reports that British companies are stockpiling Bitcoin in readiness to pay a
ransom. While we don’t recommend payment, some businesses are choosing to explore
all options.

Data Aggregators

While everyone’s eyes are on the Facebook / Cambridge Analytica case the full impact is
still to be revealed. In November we predicted that the attractiveness of huge quantities of
data and complex ingress and egress will create a security challenge for data
aggregators. Cyber criminals have known for a good while the extra value in building out
FULLZ (complete sets of information pertaining to individuals).

As legitimate business models mine and combine the gold that is disparate data sources
it has been clear that the outcome can often exceed the original intent. The creation
of heat maps with the Strava fitness app data combined with GPS data permitted visibility
into un-user information, locations and run patterns.

Cloud Security

It’s no secret that organisations are moving (or plan to soon move) to the cloud. They are
doing this in droves, as a recent January 2018 report from Okta shows. Microsoft O365
has over 120 million active monthly users as reported by Ars Technica.

We predicted that a move to cloud computing will increase the risk of a breach from a
trusted insider.

In the case of Deloitte, one of the “big four” accounting firms, administrator credentials
were used to access the corporate email server. Two factor authentication (2FA) had not
been deployed with access gated by only a password. As more businesses move to the
cloud it will become ever more essential to lock down critical systems and secure the data
held in them.

With mandatory breach notification being dictated by regulations such as GDPR it will be
interesting to analyse the root cause of data breaches and how they relate to cloud
security post-May.

Encrypted by Default – Implications for All

From July 2018 Google Chrome will label all HTTP websites as “Not Secure” in a push to
move webmasters to use HTTPS. As we reported in November 2017 only 70 of the top
100 non-Google websites, accounting for 25 percent of all website traffic, are using
HTTPS by default. Are you using HTTPS by default on your websites?

We predicted that an increasing amount of malware will become MITM-aware; that is it
will realise when a security product is examining the otherwise encrypted traffic and
respond accordingly. We shall continue to track the adoption of such techniques.

Major web properties are still struggling with HTTPS. Governments are forgetting to
renew certificates, banks have not yet migrated to HTTPS on their homepage and
implementations of common websites are showing problems.

If you wish to check the performance of your own SSL servers’ configuration you could
use the renowned SSL Server Test offered by Qualys. If the result is not so great,
consider moving to HTTPS by default to offer a more secure experience for your users.

The news is not all bad. Facebook now uses HSTS and Chromium preload lists to load
external links as HTTPS.
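
The three problems mentioned in this section (no HTTPS by default, missing or weak HSTS, and lapsed certificates) can be checked with a few lines of Python. This is an added example, not Forcepoint or Qualys code: the function names, finding labels and the 30-day renewal window are assumptions, the sample values are constructed, and the preload thresholds follow the Chromium preload list submission requirements.

```python
import ssl
from datetime import datetime, timezone

PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age for preload submission

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, subdomains, preload)."""
    max_age, subdomains, preload = None, False, False
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            digits = token[len("max-age="):].strip('"')
            max_age = int(digits) if digits.isdigit() else None
        elif token == "includesubdomains":
            subdomains = True
        elif token == "preload":
            preload = True
    return max_age, subdomains, preload

def audit_site(http_status, http_location, https_headers, cert_not_after, now, renew_days=30):
    """Return findings for one site; an empty list means nothing was flagged."""
    findings = []
    # HTTPS by default: the plain-HTTP request must redirect to an https:// URL.
    location = (http_location or "").lower()
    if http_status not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("http-not-redirected-to-https")
    # HSTS: present, non-zero max-age, and consistent if it claims preload.
    headers = {k.lower(): v for k, v in https_headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        max_age, subdomains, preload = parse_hsts(hsts)
        if not max_age:
            findings.append("hsts-max-age-missing-or-zero")
        elif preload and (max_age < PRELOAD_MIN_AGE or not subdomains):
            findings.append("hsts-preload-requirements-not-met")
    # Certificate renewal: notAfter uses the format SSLSocket.getpeercert() returns.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_not_after), tz=timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("certificate-expired")
    elif days_left < renew_days:
        findings.append("certificate-expires-soon")
    return findings

# Constructed sample (not real measurements): no redirect, no HSTS, lapsed cert.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
print(audit_site(200, None, {}, "May 20 00:00:00 2018 GMT", NOW))
```

The inputs are plain values so the check runs offline; in practice they would come from one plain-HTTP request, one HTTPS response and the server certificate's `notAfter` field.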

The Next Giant Leap for the Industry

The migration to cloud, the determination of adversaries and the barrage of data breach
events make it a struggle for IT teams to balance the right mix of resources between
detection, mitigation and prevention. We have been working hard to make that easier.

Forcepoint is leading the charge to deliver human-centric security. See our recent
announcements and coverage from the 2018 RSA conference to learn how we are
redefining cybersecurity by launching Dynamic Data Protection for risk-adaptive
protection.

Top tips to mitigate

• Many businesses collect personal data for marketing, sales or general business needs.
Review your privacy policy and seek to protect that data.

• Work to finalise your GDPR-readiness plan. Identify your most critical data (personal and
intellectual property), seek to protect that and prepare your incident response plan.

• If you have acquired cryptocurrency coins seek to protect the wallet from malicious
attackers.

• Consider the threat posed by the use of cloud applications in your organisation. Do you
have the tools to uncover a Shadow IT problem, or protect the data within sanctioned
apps?

• If you do aggregate data it is important to understand the impact of combining those
sources and how that affects your users and original declaration of the purpose of such
data collection and processing. Review your policies accordingly.

• Consider deployment of SSL Inspection technology to permit interception of malicious
command and control traffic using HTTPS.

• Migrate your website to HTTPS as opposed to HTTP. As of June Google Chrome will
otherwise mark it as “Not Secure.”

Our grade so far

With only six months passing since we released our 2018 Security Predictions we have
assigned ourselves a B+ grade. A high mark for us unfortunately means that many of our
predictions ring true. We shall continue to monitor developments throughout the year.

2019 Predictions

Look out for the continued analysis of our 2018 Security Predictions as we lead up to a
new set of 2019 predictions to be released at the end of the year.
