Will IT security be different next year?

Karl Sigler, Threat Intelligence Manager at Trustwave

It is that time of the year again when we delve into the back of the cupboard and dust off the crystal ball as we make our predictions for the year ahead. This annual ritual has become something of a mainstay for some security professionals as they dream up the (quite often) weird and wonderful threats and challenges that they believe could affect businesses each year.

Yet in reality, all too often we see the same issues occur year after year, so much so that we can probably predict that they will rear their heads again in 2016. With that in mind, we’ve taken a look at the top trends over recent years to see whether we have moved forward in cyber security or whether some organizations are stuck in a rut and will be facing the same issues for the second year in a row.

Poor P@s$worD security

Unfortunately, this probably won’t come as a surprise to anyone, but poor password security and management remains top of the list of things to look out for in 2016. The strength of passwords as an authentication control is more important than ever before. Cyber-criminals are increasingly using automated password cracking tools to identify passwords in a matter of seconds. These tools succeed because all too often users stick with default passwords or don’t want to have to remember a long, complex sequence of numbers, letters and characters.

Since 2011, “Password1” and “Welcome1” have been repeat offenders at the top of our charts. In our 2015 Trustwave Global Security Report, our penetration testers were able to crack 51 percent of passwords within 24 hours and 88 percent within two weeks. Moreover, it only takes one day to crack an eight-character password.

The simple answer to remediate this would be for administrators to enforce character complexity rules and length requirements to a minimum of 10 characters for all password policies. However, password policies alone are not enough to ensure strong passwords. “Password1” has replaced the old favorite password “password” specifically because it satisfies many password policies. After all, it is longer than eight characters and contains both a capital letter and a number, but that doesn’t make it any more secure than just “password”.

Admins should supplement their password policies with user awareness education on the importance of strong passwords. Beyond using strong passwords, implementing two-factor authentication would also help strengthen security. Password managers and replacing those short, complex passwords with longer passphrases also go a long way toward better password security.
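The point above, that “Password1” satisfies many password policies without being any stronger than “password”, can be shown in a few lines. This is an added example, not taken from the Trustwave report; the function names and the short denylist are constructed for illustration. It compares a composition-only rule with a check that reduces a password to its base word before consulting a denylist:

```python
import re

# Constructed sample denylist; a real deployment would load a large
# breached-password list instead of these few entries.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Undo common character substitutions before comparing to the denylist.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})


def meets_complexity_policy(pw, min_len=8):
    """Composition-only policy: length plus upper, lower and digit."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def base_word(pw):
    """Reduce a password to its underlying word: lowercase, strip trailing
    digits and symbols, then reverse the substitutions in LEET."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def check_password(pw, min_len=10):
    """Return the reasons a password is rejected (empty list = accepted).
    Length and denylist only, so long passphrases are not penalized."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if base_word(pw) in COMMON_BASE_WORDS:
        problems.append("variant of a common password")
    return problems


if __name__ == "__main__":
    for candidate in ["Password1", "Welcome123", "P@s$worD2016",
                      "maple trombone orbit clay"]:
        print(candidate, meets_complexity_policy(candidate),
              check_password(candidate))
```

The composition rule accepts “Password1”, while the denylist check rejects it and its padded variants but accepts a long passphrase that contains no capital letter or digit at all.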

E-commerce – bad for your bank balance in more than one way

As the recent Black Friday and Cyber Monday madness fades away, what has become clear is that we are still a nation that loves to shop – particularly online. But this continues to make e-commerce a prime target for cyber criminals, who are seeking Personally Identifiable Information (PII) and payment card data, with no signs of this slowing down in 2016. In fact, looking back we have seen e-commerce grow as our ‘Top Target Asset’ for the past three years. It has risen from 48 percent in 2012, to 54 percent in 2013 and is now at 64 percent for retail breaches in 2014. It is safe to say that we expect compromises of e-commerce sites to continue to dominate our investigations through 2016 and beyond.

Spam will continue to fall

It isn’t all doom and gloom, as it appears that spam volumes are continuing to decrease, making up 60 percent of total inbound mail (compared to 69 percent in 2013 and more than 90 percent at its peak in 2008). However, six percent of it included a malicious attachment or link. This decline could be due to an increasing crackdown by security firms and government agencies on big spam and botnet operations, such as Ramnit.

As usual, it was healthcare-related spam that topped the charts in terms of subject matter, comprising 72 percent of total spam. To protect against the impact of these attacks, organizations should look to deploy an email security gateway, either on-premises or in the cloud, including anti-spam and anti-malware. Organizations should also look at their inbound email policies and block all executable files or unusual attachments.

‘Beep Beep’ – Can we really be attacked via connected cars?

IoT is an acronym that we cannot get away from. It seems like vendors and startups are adding new devices to the list of Internet of Things every day. With everything from toasters to toilets being connected to the Internet and rushed to market, security often becomes an afterthought.

Of IoT security issues, connected cars are generating the most excitement from consumers, according to a recent survey from Deloitte. The industry is nascent at the moment, but with predictions of as many as a quarter of a billion connected vehicles on the roads in the next five years, it may not be long before they are commonplace.

The best way to prevent vehicle vulnerabilities (or any IoT vulnerability) would be to use the same methodology we use with standard internet-connected software like web servers. Organizations should be implementing some sort of Software Development Lifecycle that includes intensive code checking for potential vulnerabilities, preferably with a third party. Manufacturers should also have a process in place to accept vulnerability reports from third parties and independent researchers, and a method of deploying security updates to their products. These important steps are often missing when it comes to IoT devices. In addition, all third parties, suppliers and distributors would need to be strongly vetted.