2017 didn’t break cybersecurity records; it threw them to the ground and stomped on them. What will 2018 mean to cybersecurity teams?
This time last year pretty much everyone staring into their crystal balls came forth with the same prediction: 2017 would be dominated by IoT attacks and ransomware. Oh, how wrong we were.
We will remember 2017 as the Year of the Software Flaw. After a routine start to the new year, the Apache Foundation announced in March the discovery of a long-standing but previously unknown flaw in the Struts 2 framework. The first attacks were reported within hours of the news and more variants were announced within weeks. Soon, newly discovered software flaws opened the door to mass attacks on a global scale.
Exploits with headline-grabbing names like WannaCry, Petya and NotPetya dominated the attention of cybersecurity teams, corporate executives and government officials. The list of victims read like a who’s who of global and national brands: The UK’s National Health Service. Home Box Office. Netflix. Hyatt Hotels. Meanwhile, hackers were already inside a company that sells information on virtually every adult in the United States and a number of other countries – Equifax.
And all of this happened in just the first nine months of 2017, which by September had already smashed the total number of reported breaches set in 2016 (itself a 40 percent increase over 2015). The total number of records lost or stolen so far in 2017 is a whopping 375 percent higher than 2016.
Five 2018 cybersecurity predictions
So, here we are again at the end of a year, looking into a future where the fallout from the Equifax breach is still fresh and the number of attacks continues unabated. Here are five predictions of what the cybersecurity community may see in the next 12 months, in no particular order:
Government regulations will drive behaviors
Depending on who you ask, Equifax (and other companies) either waited too long to report its breach or just followed the requests of law enforcement. Beginning in 2018, though, the European Union’s GDPR will require breaches to be disclosed within 72 hours, with significant fines for failing to comply. In the US, New York already requires state-regulated organizations to report certain cyberattacks to their regulator within 72 hours. Look for the 72-hour window for reporting to become the norm and the number of reported breaches to grow exponentially.
Patching will (continue to) be the Achilles heel of applications
With the US National Vulnerability Database containing more than 12,500 flaws (3,500+ of which are severe), physically patching web applications and other software on a timely basis is all but impossible. One recent study put the time to patch 86 percent of severe web app flaws at 30 days or more. Gartner predicted two years ago that 99 percent of all successful cyberattacks would be the result of flaws known for at least one year – a spot-on prediction so far.
Out-of-support software is the next frontier for attacks
Long-since out-of-support software like Windows XP – still one of the most widely used operating systems in the world – gets a lot of media attention. Yet enterprise applications based on older versions of Java and .NET represent a more significant attack surface and are notoriously difficult to patch or upgrade unless you want to rewrite the mission-critical applications. The price tag, measured in time, may be years and the financial investment may require millions.
More of the same
Here’s a safe bet: Software flaws, already ubiquitous, will grow in volume as the amount of new software written continues to increase. We live in a software-driven world where an estimated 111 billion new lines of code will be written by the end of 2017. One recent study found more than 1.3 billion flaws in web applications, the exploit of choice for hackers. None of that will change in 2018.
IoT and Ransomware attacks will (still) be a threat
Just because Twitter feeds were not filled with daily news about IoT devices enslaved in massive botnets, or because WannaCry was less a ransomware attack than a proof of concept, doesn’t mean the threats are diminishing. Successful attacks did occur and, by all accounts, the bad people were simply perfecting their business model and attack strategies. They will be back with a vengeance in 2018 or some other day when we all least expect it.