Annual poll: single biggest security threat of the year

What will be the single biggest security threat of 2017?

We straw poll security professionals to discover what this year’s biggest security threat is likely to be


At the very end of 2015 we ran a straw poll of individuals in the security space to determine . We divided the 74 “unstructured” comments into a number of loose sections with “people” emerging as the most popular response.

Last year the security breaches came even thicker and faster, so we decided to run the same poll again. To do this we simply asked industry professionals to tell us what they think the single biggest security threat of 2017 will be, along with a short explanation as to why.

Out of the 86 usable comments we received, over a quarter (26) selected the Internet of Things. Within this section there was a lot of talk about the rise of DDoS attacks and botnets. Breaches related to staff and users came in a not-so-close second with 13 responses.

Amongst the general comments a wide range of different threats was highlighted. Data – and the vast glut of personal details now for sale on the dark web – got a mention. The continued reliance on passwords, the rise of criminal AI and the increased professionalisation of cyber skills were also called out.

Of course, in some ways this is a spurious exercise. It is hard to reliably pull out a “single biggest threat” of the year, especially when so many trends are so closely interlinked. But the wide range of responses is interesting. For example, although passwords were mentioned by a couple of individuals as a problem, the main alternative, biometric authentication, was itself also singled out as a core security threat.

All 86 comments are listed below – I’ve just roughly grouped them into four sections:

  1. Some interesting answers – 12
  2. Some topical trends – 35
  3. Breaches related to people – 13
  4. The Internet of Things – 26

Some interesting answers…

Criminal AI
“Because of its potentially catastrophic ability to learn and adapt without re-programming, making an AI criminal attack very difficult to trace and deflect and to stop criminals who use this software.”
Paul Briault, Director of Digital Security and API Management at CA Technologies

Biometric authentication
“A password can be changed, but a face, fingerprint or voice isn’t so easy to change if that data is breached and replicated.  As an industry we need watertight methods of storing this data securely before we play with people’s identities.”
Andre Malinowski, Head of International Business at Computop

Car Security
“There’s a push by automotive manufacturers to install more intelligence, functionality and automation into vehicles but with these additions, come more vulnerabilities which can be catastrophic.”
Javvad Malik, Security Advocate at AlienVault

Increased targeting of drones by hackers
“With frequent reports of low-cost, commercially available drones being flown in unauthorised areas, even models used by amateurs are able to inflict injury and damage; imagine what a cyber criminal with disposable income could do.”
Robert Page, Lead Penetration Tester at Redscan

Sophisticated, state-sponsored security breaches
“Adversaries are becoming more adept at bypassing traditional security measures, and as the breaches rise, network engineers will increasingly be called upon to help security investigations by making critical network packet data available that efficiently answers the who, what, when and how of the intrusion even weeks or months after discovered.”
Larry Zulch, President & CEO at Savvius

Geo-political threats
“US companies are now legally required to provide the US government with any data it requires.  Similar legislation may follow in other countries as governments, highly sensitive to risks such as terrorism, try to get ‘control’ over the data that resides in their multi-national corporations. This is a huge risk to businesses, as it puts them at the mercy of government policy.”
Simon Persin, Director at Turnkey Consulting

AI cyberattacks
“As AI becomes commoditised, we can expect cyber attackers to take advantage in a similar way as businesses: 2017 will be characterised by the first AI-driven cyberattack, which will transform the ‘advanced attack’ into the commonplace, and attacks that were typically reserved for nation-states and criminal syndicates will now be available on a greater scale.”
Matt Middleton-Leal, Regional Director, UK, Ireland and Northern Europe at CyberArk

Cyber espionage
“Following the US presidential race, cyber skills will continue to be used to infiltrate other governments and perform attacks on critical infrastructure, while increased budgets for targeting cyber by the UK & US governments will seek to tackle this growing threat.”
Eldar Tuvey, CEO and Co-Founder of Wandera

The skills arms race between companies and cyber criminals
“With technology developing at a rapid pace, cyber criminals are becoming ever more sophisticated, and it’s proving extremely difficult to find skilled talent to mitigate the risk.”
Geoff Smith, Managing Director at Experis UK & Ireland

The undiscovered breach
“…that offers unlimited access to the company’s data, or the suspicious activity that goes unchecked and leaves the back door wide open to hackers; so detecting these weaknesses in real-time will be more critical than ever.”
Piers Wilson, Head of Product Management at Huntsman Security

Radio
“Radio (invented by some Russian guy back in 1895) is going to be the main threat of 2017 because a lot of modern critical systems including transport, banking, home automation and energy supply became very dependent on networking via radio channels (GPS, GSM, Wi-Fi, NFC etc.) - all these wireless communications are easy to intercept or spoof.”
Alex Mathews, EMEA Technical Manager at Positive Technologies

The huge surveillance apparatus that the Trump regime will inherit from Obama's presidency
“Not only does this give the upcoming president powers to turn the United States (and, indeed, the rest of the world) into a police state, but by compromising every citizen's data integrity, it will also make them more vulnerable to criminal hackers.”
Douglas Crawford, Cybersecurity Expert at BestVPN

Some topical trends…

Advanced exploit tools
“This will pose a major threat to businesses and consumers alike, as everyday cyber criminals will be able to capitalise on the methods adopted by sophisticated adversaries.”
Mike East, VP EMEA at CrowdStrike

Attacks on critical national infrastructures
“In 2017 I believe we will witness a surge in sophisticated attacks across industrial control systems. The shift from legacy systems towards process control networks and increased enterprise connectivity with the internet, will create more extensive backdoor exploits around the industrial control systems (ICS).”
Azeem Aleem, Director of Advanced Cyber Defence Practice EMEA at RSA

Data
“As data usage continues to increase, the biggest security threat will be the disclosure of valuable data through unsecure Wi-Fi connections where cellular networks are unavailable.”
Achilles Rupf, CEO of Naka Mobile

Traditional premises applications
“Major cloud app vendors have invested heavily in security personnel and security infrastructure, and have proven their ability to effectively protect against threats. Premises applications, by contrast, commonly suffer from slow or non-existent patching, and less comprehensive security strategies than their public cloud counterparts.  The balance between keeping internal privacy and security will also be a big issue. Keeping the company data safe and keeping the privacy laws in-line.”
Eduard Meelhuysen, VP EMEA at Bitglass

The Industrialisation of malware
“Malware won’t just impact on corporate data; in 2017 we will see the escalation of threats from pure digital attacks such as Ransomware to attacks that cause physical damage and could even endanger life such as the Stuxnet attack on the Iran nuclear power plant and the attack on the Ukraine national power grid where 80,000 people lost power to their homes following a malware attack.”
Matt Walker, VP Northern Europe at HEAT Software

Unpatched vulnerabilities
“The biggest security threat of 2017: Unpatched vulnerabilities on any kind of device, leaving devices at the mercy of malicious threat actors whose goal is not to make our world safer.”
Kasper Lindgaard, Director of Secunia Research at Flexera Software

The cloud
“The single biggest security challenge of 2017 will be how to leverage public cloud for mission-critical applications and data storage with complete surety of security, now and in the post-quantum computer world.”
Andersen Cheng, CEO of Post-Quantum

Over-the-air attacks
“So much critical user data now flows over WiFi and mobile phone networks that users can suffer life-impacting losses from over-the-air compromises, without ever knowing they should have protected their communications.”
Andy Lilly, Director and Co-Founder of Armour Comms

The evolution of Ransomware
“The growth in Ransomware shows no sign of abating so I suspect we will see continued campaigns by the criminal fraternity and, very likely, new ransom targets as the attacker looks for more avenues for easy money. As the recent ransomware infection of the San Francisco Light Rail System shows, we can expect our transport, power and water systems to be targeted in a similar fashion.”
Tony Rowan, Chief Security Consultant at SentinelOne

Data integrity attacks
“Hackers will no longer simply be stealing data, but instead aim to gain unauthorised access to manipulate vital data – which businesses will make important decisions on – for a number of ulterior motives, such as financial or reputational.”
Jason Hart, CTO Data Protection at Gemalto

APT (Advanced Persistent Threat) groups of attackers
“These prepare attacks very thoroughly and are focused on getting to know their target and its weak spots. As an example, an HR team member in a company opens a CV sent by an APT group. This CV includes malware – and the group easily gains information on the business's structure, which leads to more attacks across the business. Without advanced prevention, audit and visualisation tools implemented through IT, the APT group can, by abusing the well-chosen computers, control important financial systems for a long time period.”
Daniel Olsson, Chief Operating Officer at Soitron Group

Intellectual Property
“While typically not very accessible outside the core development team, many security problems can stem intentionally or accidentally in the software creation process. Large organisations can have billions of dollars of this kind of IP in version control systems, so a goal for next year should be to have more fine-grained user access to code, plus greater traceability and visibility of the software development environment.”
Sven Erik Knop, Principal Solutions Engineer at Perforce Software

Cyber criminals
“In the modern age, the business world is an interconnected mesh of connectivity and as such, cyber criminals are the single biggest security threat to companies around the globe. They have the potential to bring a business to its knees and won’t stop attacking an organisation until there is nothing left to gain.”
Glenn Temple, Head of Operational Security at Redcentric

Web applications
“Web applications will definitely be among the top threats for companies and organizations. According to Verizon Data Breach Investigation Report 2016, web application attacks are the #1 source of data breaches. This is confirmed by Gartner Hype Cycle for Application Security 2016, saying that applications, not the infrastructure, represent the main attack vector for data exfiltration. Almost every modern system or device (including IoT) has web interfaces, many of which contain custom or unverified code, exposing easily-exploitable vulnerabilities that lead to huge data breaches.”
Ilia Kolochenko, CEO of High-Tech Bridge

SSL / TLS encryption
“A key threat for 2017 will be the continued surge in Secure Sockets Layer / Transport Layer Security (SSL / TLS) encryption that will provide cybercriminals with more opportunities to conceal malware from firewalls. Last year we saw this encryption encrypt 64.6% of web hits and lead to under-the-radar hacks which affected hundreds of millions of users, something that will only increase in 2017.”
Florian Malecki, International Product Marketing Director at SonicWall

Password vulnerabilities and customer verification
“It is at the core of every modern interaction consumers have with organisations, from the Government to banks, retailers, and utility companies. The contact centre is the key portal here, and biometric solutions will be at the forefront in the 2017 battle against the fraudsters.”
Michiel Lely, VP Practices EMEA at Verint Systems

Mobile payments
“Mobile payments is a new avenue of attack for hackers and is a potentially lucrative channel for hackers to exploit as they would be able to gain access to users’ money as well as their personal and financial information too.”
David Midgley, Head of Operations at Total Processing

The proliferation of highly scalable attacks
“It seems that the one-off exploits and attacks have lost their shine in the hacking world, and large scalable attacks (such as the Mirai botnet taking down Liberia) are far more interesting due to the enormous impact.”
Mike Ahmadi, Global Director – Critical Security Systems at Synopsys
