Article by ESET senior research fellow Nick FitzGerald.
In 2017, we saw an increasing number of cybersecurity incidents grabbing the headlines in the mainstream media. As we begin 2018, there is no doubt that cybersecurity will continue to generate further discussions. In Asia Pacific, we saw sensitive data on Australia’s advanced aircraft stolen, Singapore’s leading universities hit and Malaysia’s biggest mobile data breach affecting some 46.2 million subscribers.
One phrase is likely to be heard time and time again. Cyberthreats and attacks are here to stay. Indeed, they will continue to expand in scope and volume this year. They may evolve and diversify, but a common underlying thread will persist – an effective cybersecurity posture pivots on knowledge of the value of information, coupled with insight into and an understanding of the threatscape.
Arming ourselves with facts and experience, better enables us to control the criminal hive mind swarming online. To help the reader navigate through the maze of such threats, ESET’s thought leaders have zeroed in on several areas that top the priority list in our exercise in looking forward.
Criminals following the money
With data being the most valuable asset (so much so that many have called data ‘the new oil‘), ransomware is poised to remain in great demand among cybercriminals. With an eye to slashing the risk that your data may end up mangled, we offer take-home lessons and observations gleaned from the recent evolution of ransomware.
Cautiously, we extrapolate from recent trends to the foreseeable future. We note the largely indiscriminate nature of ransomware campaigns and highlight the perils of paying up in exchange for (by no means guaranteed) restoration of access to data held ransom. Organisations seen as willing to pay up in lieu of hardening their defenses may run the risk of finding themselves a target of choice, yet with no certainty of getting their data back.
In a world of smartphones and other mobile devices, attackers are more focused on denying the use of devices themselves than on data stored therein.
The generally perilous state of affairs in the Internet-of-Things (IoT) arena presents a host of challenges of its own, as the dramatic increase in the number of smart devices shows no signs of stopping especially with the APAC region expected to lead the IoT charge over the coming years. By contrast, the addressing of security concerns is often an afterthought.
Where cyber meets physical
On a different note, we cannot help echoing our past – and prescient – sentiment that attacks aimed at critical infrastructure are set to continue to generate headlines. Worryingly, industrial equipment targeted by malware known as Industroyer – the biggest threat to industrial control systems (ICS) since Stuxnet – is in wide use, while much equipment in ICS was not designed with internet connectivity in mind.
Making things worse, prompt upgrades, though important in striving for a secure environment, are not always a panacea: the drive towards a cheap generic architecture for industrial devices may introduce additional weaknesses into the supply chain, ultimately endangering our physical safety.
Democracy in peril?
Electronic voting systems – another obvious area where security is playing catch-up with technological advancements – are grappling with vulnerabilities of their own. The preponderance of evidence that such systems can be manipulated highlights the risks of over-reliance on technology for something as significant for our societies as elections. This was the case in 2016 when Philippines suffered an elections hack that affected 70 million people and raised questions regarding the security of the automated voting machines used.
This brings us to the overarching question: can a cyberattack rig the results of a nation's election and, thereby, subvert democracy? We note the use of social media for undermining election campaigns by spreading faux news reports or launching ad hominem attacks.
Admittedly, such attacks may not signal doomsday for democracy, yet technological interference poses critical challenges in opposition to the need to ensure the legitimacy of future elections. To this end, all aspects of an electoral system must be regarded as part of every country’s critical infrastructure, and be safeguarded accordingly.
Privacy and data bonanza
The apparent appetite among some trusted security vendors for the monetization of user data in exchange for free antimalware software is set to persist into the next year. This will add to risks associated with data privacy, which is already under fierce attack given the endless trail of digital exhaust left behind by a plethora of (notably IoT) devices.
Such digital breadcrumbs can be collected to tell a story about us and, coupled with machine learning and artificial intelligence, that story could be used as a basis for manipulating our thoughts and actions. The data detritus should raise concerns of users as to what ‘free’ products or services actually entail and how the data being slurped are used.
While we hope for greater user awareness, we suspect that the stockpiles of data will expand dramatically next year with little awareness on the user’s part. We may not be able to put the toothpaste back in the tube, but we need to make informed decisions and choices lest our privacy be eroded further.
Safer for all
This year has seen ESET’s malware analysts continue to help law enforcement crack down on malicious campaigns and, by extension, the criminals spewing them. We are confident that 2018 will bring further successful investigations as we will continue to lend a hand to authorities so that, ultimately, the internet can become a safer place for everyone – except cybercriminals.
We also believe that the increasing general awareness of cyberthreats and our preparedness to cooperate in tackling any and all manner of felonious wares served up by attackers will accrue to our shared benefit, particularly as technology is now woven through the entire fabric of our societies and we face a host of internet-borne threats.