Cybersecurity has come a long way over the past five years. Controls have been invented to monitor a user’s every move without violating their privacy, and the chief information security officer (CISO) is now a fixture in many modern organizations.
With the last quarter of 2016 upon us and 2017 looming large, Jamie Graves, CEO of cyber security company ZoneFox, looks at what companies need to do as 2016 draws to a close, and what may be in store during 2017.
• Stay on top of vulnerabilities - Microsoft states that 41.8% of vulnerabilities are given a highly severe rating these days. This is a three-year high! Ensure you’re prioritizing and managing your vulnerabilities accordingly.
• Wean your people off of Flash - According to Microsoft, 90% of malicious web pages contained Flash. HTML5 is great at streaming video. As such, Flash is no longer necessary and should be removed from your systems.
• Prepare for ransomware – Ransomware has become ubiquitous. 61% of exploit payloads are now ransomware, according to MalwareBytes. Keep good backups, monitor your files for encryption activities, and – ideally – employ endpoint protection with application whitelisting or encapsulation.
• Emphasis on detection – Prevention eventually fails. So, put your money on detecting threats or breaches as quickly as possible. 2016 saw several next-generation platforms come into being; machine learning and user behaviour analytics, along with big data, are helping to detect malicious behaviour more efficiently.
• Get a CISO! – The PricewaterhouseCoopers Global State of Information Security survey states that in 2015, 91% of organizations were following a risk-based cybersecurity framework, but only 54% have a CISO running their cybersecurity programme. Roughly half of respondents are running security awareness training, conducting threat assessments, or are monitoring cyber intel. There may be a correlation here: a risk-based framework is a great foundation, but less effective without a CISO dedicated to driving the initiatives forward.
Five years ago, the term CISO was not popular, ransomware was only a twinkle in its daddy’s eye, and Flash vulnerabilities were (relatively) few and far between - but times are changing.
So what's in store for 2017?
It looks as though there will be at least three heavy hitters next year.
• Further proliferation of mobile malware - Mobile malware seems to be growing at an exponential rate. Security researchers at Check Point Software have found upwards of 10 million Android phones infected with auto-rooting malware. That some mobile malware can embed itself in a phone’s bootloader and remain persistent even after a factory reset is a scary thought.
• Internet of Things leveraged for attacks – In September 2016 Brian Krebs’s blog, KrebsOnSecurity, went down due to a 620Gb/s(!) Distributed Denial of Service (DDoS) attack carried out by IoT devices. The Mirai malware code - used in the attack on Krebs - has recently been released, which means that attackers will be able to recruit vulnerable IoT devices for similar attacks.
• Emphasis on obtaining, training, and retaining cybersecurity staff - Over the past few years, much focus has been placed on buying the best tech, hiring consultants and auditors, and putting employees in place to monitor and respond to cyber threats. Unfortunately, there are more positions than there are qualified cybersecurity analysts. This is a problem. Requirements for employment should be reduced (i.e. no bachelor’s degree required), or employees must maintain certifications and regular training to stay up to date with the latest threat trends and technologies.
• User Behaviour Analysis and AI - Artificial intelligence and UBA may be among our saving graces next year. Leveraging AI and UBA will provide new means for detecting threats, reducing the need for “eyes on glass” and allowing the good guys to actively remediate threats as they appear.
Many of the trends of 2016 are going to stick with us and new ones will emerge over the coming months – so it’s important to keep cyber security as a priority.
By Jamie Graves, Ph.D., Co-Founder and CEO of ZoneFox