2016: What a year! Internet of Things (IoT) threats became a reality and somewhat paradoxically spawned the first 1TBs DDoS—the largest DDoS attack in history. Radware predicted these and other 2016 events in the 2015–2016 Global Application and Network Security Report. Since initiating this annual report, we have built a solid track record of successfully forecasting how the threat landscape will evolve. While some variables stay the course, the industry moves incredibly quickly, and it takes just one small catalyst to spark a new direction that nobody could have predicted.
Let’s take a look back at how our predictions fared in 2016—and then explore what Radware sees on the horizon for 2017.
Radware’s Cyber Security Prediction Report Card
|Prediction||Current Status||Did We Get it Right?|
|Advanced Persistent Denial of Service (APDoS) as Standard Operating Procedure||APDoS is an attack technique that leverages multi-vector attack campaigns targeting various layers of the victim’s IT infrastructure. The majority of today’s cyber-attacks are now multi-vector.|
|Continued Rise of Ransom Denial of Service (RDoS)
|2016 was the year of cyber-ransom, with 56% of companies reporting being threatened. While we predicted that cloud companies would be the main targets, it turns out that ransomware affected just about every type of business.|
|Privacy as a Right (Not Just a Regulation)||The United States and European Union reached the “Privacy Shield” agreement in May of 2016, followed by a debate about whether or not it accurately reflects the morals of personal privacy.|
|More Laws Governing Sensitive Data||Under the U.S. Federal Communications Commission’s (FCC) new rules in favor of online privacy, consumers may forbid Internet providers from using and selling their data.|
|The Internet of Zombies||Everyone’s talking about the Mirai IoT botnet and its record-breaking volumes!|
|Arrival of Permanent Denial-of-Service (PDoS) Attacks (Albeit Very Slowly)||“Very slowly” turned out to be the operative words. While there were a few examples in 2016, we foresee this threat gaining momentum in 2017.|
|Growing Encryption to and from Cloud Applications||SSL-based attacks grew 10% year over year. Yet encrypting traffic to and from cloud applications requires additional resources, including overcoming the certificate management challenge.|
What’s on the Horizon
For years there has been talk about the imminent threat of a dire cyber-attack that cripples society as we know it. There’s even a TV show about what it might look like. But what are the actual possibilities for such an occurrence? What follows are some very plausible cyber-attack profiles and scenarios for the upcoming year. Read them for pleasure—and preparation.
Prediction 1: Rise of Permanent Denial of Service (PDoS) for Data Center and IoT Operations
Imagine a fast-moving bot attack designed not to collect data but rather to completely prevent a victim’s technology from functioning. Sounds unlikely, but it’s possible. Permanent denial-of-service (PDoS) attacks have been around for a long time; however, this type of attack shows itself spectacularly to the public only from time to time.
Also known loosely as “phlashing” in some circles, PDoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of system. It is a contrast to its well-known cousin, the DDoS attack, which overloads systems with requests meant to saturate resources through unintended usage.
One method PDoS leverages to accomplish its damage is remote or physical administration on the management interface of the victim’s hardware, such as routers, printers, or other networking hardware. In the case of firmware attacks, the attacker may use vulnerabilities to replace a device’s basic software with a modified, corrupt, or defective firmware image—a process which when done legitimately, is known as phlashing. This “bricks” the device, rendering it unusable for its original purpose until it can be repaired or replaced. Other attacks include overloading the battery or power systems.
- An article published by Help Net Security detailed a new USB exploit that, when inserted into a computer, can render the machine bricked. According to Help Net, the latest PDoS USB attack “when plugged into a computer … draws power from the device itself. With the help of a voltage converter, the device’s capacitors are charged to 220V, and it releases a negative electric surge into the USB port.”
- An article in Dark Reading highlighted PhlashDance, a tool uncovered by HP Labs. PhlashDance finds vulnerabilities in often forgotten firmware and binaries that sit locally on computing devices. The risk occurs when a device hasn’t been properly patched and upgraded. The article states that “remotely abusing firmware update mechanisms with a phlashing attack, for instance, is basically a one-shot attack. Phlashing attacks can achieve the goal of disrupting service without ongoing expense to the attacker; once the firmware has been corrupted, no further action is required for the DOS condition to continue.”
- Recent safety hazard incidents of the Samsung Note 7 is stoking concerns about devices that can be intentionally set on fire. There have been numerous test cases of malware and bots overheating devices, causing them to physically distort or worse. These attacks, bundled into a cyber-attack, could have devastating and lasting effects beyond what we commonly think about in the world of the “nuisance” DDoS attack.
Prediction 2: Telephony DoS (TDoS) Will Rise in Sophistication and Importance, Catching Many by Surprise
Cutting off communications during crisis periods would impede first responders’ situational awareness, exacerbate suffering and pain, and potentially increase loss of life. A new cyber era could consist of multiple components—including a physical attack with a corresponding cyber-attack targeting the communications systems that first responders use to contain and minimize damage.
Can the day be far away where a terrorist attack is magnified by an effective outage of first responders’ communication platforms? If you doubt the feasibility, review this bulletin. It was issued in 2013 by public safety organizations asking for assistance in cracking a TDoS attack against 911 emergency response systems.
Prediction 3: Ransom Attacks Become More Segmented, More Real, and More Personal
Radware predicts that cyber-ransomers extend their reach beyond companies. In 2017, ransom attacks could get personal.
Hackers target personal implanted health devices. Imagine if your life depended on an implanted defibrillator or other medical device. Now imagine if such a device were hacked and held for ransom. The idea of hacking defibrillators is not science fiction. Cyber ransom is the fastest-growing motive and technique in cyber-attacks. Can a marriage between the two be far off? For those unfamiliar with these risks and U.S. Government-issued warnings in this category, please refer to the FDA’s Advice to Medical Device Manufacturers, a summary of FBI & DHS alerts on Internet of things and these warnings on cyber ransom.
Public transportation held hostage. In many ways, cyber ransoming a public transportation system is the ultimate hack—empowering attackers to hold a community hostage for financial or criminal gain. If you live in France, the United States or many other countries, you may have grown accustomed to railway or airline workers striking and wreaking havoc on the communities around them.
From trains and planes to buses and automobiles, entire systems of transportation are becoming more automated. This automation is meant to provide increased safety, improved reliability and higher efficiencies. But is it really providing those things? If you have been following cyber-security threats to public transportation as closely as we have, you likely know there have already been many attacks—some of which have distinguished themselves as harbingers of future attack categories. (In case you missed it, a recent Radware blog post shares four real-world examples that help illustrate the problem.)
Just as other forms of transportation face increased threats, so does the aviation industry. Like water, aviation terror threats tend to take the path of least resistance. Via external analyses and documented evidence, we know that the aviation sector is vulnerable to cyber-attacks. How long will it be until terror strikes evolve in the aviation industry—as they have around the world—to the cyber front? If you have responsibility for any aspect of these areas, please don’t be a bystander. Be proactive about onboarding controls and saving lives.
If transportation systems are vulnerable, could ransoming of these systems be far behind? If so, what would politicians pay for a return to operations and safety for their constituencies? Does “pay-for-play” government behavior reward the pursuit of future combinations of terrorism and crime?
Military devices ransomed. Military branches have long been heavy technology users. They have also had a technology procurement model based on an outdated approach and xenophobic buying behavior. In a world of commercial-off-the-shelf (COTS) products, goods are procured fairly at will. Will these COTS packages—frequently made with large amounts of foreign components be the small pebbles that undermine the operational capabilities of the world’s largest military forces? Seemingly innocuous cameras, sensors and other IoT devices pervade the military—but are just as rife with security issues as any on the planet. Once demonstrable vulnerabilities are validated, how much would a government pay to regain control of weapons or other crucial resources?
Prediction 4: The Darknet Goes Mainstream
Many people live two or more lives: one life in flesh and blood; and the other life or lives are various online avatars, which are essential for highly functioning citizenry. These avatars span health, finances, education, love interests, and more. Today the Darknet offers easy, affordable access to terrorize or otherwise alter someone’s personal avatar for financial or other benefits. What, exactly, do we mean? Here are a few examples of what 2017 could bring:
- Compromised surveillance systems available for rent, enabling someone to see through another person’s cameras
- Access to FBI files and lawsuit information
- Access to emails and computer systems of people going through a divorce, as well as teachers’ personal communications or lawyers’ strategic documents and communications
- Personal medical records or previous criminal activity or misdemeanors
In the face of these frightening prospects, who is the definitive source of who we are, and how do we reconcile file/record issues? Before you answer, picture yourself in a job interview. You provide one set of information about your educational history; a report from your school serves up conflicting data. Who rules the day?
This analogy can be extended to numerous scenarios. The common thread: that your online avatar now represents and requires high security and fidelity in order for you to function properly in society. In light of that, one of the single most personalized acts of terror that can occur is a wide-scale loss, alteration or deletion of records—with no reconstitution capability. This should strike fear in us all.
Is the Best Behind Us?
The conclusion we draw from all of these predictions: If growth of attack surface, techniques and means continues into 2017, then the best years of security of our systems may be behind us. As we move forward into 2017, Radware views these as key questions to explore:
- With physical terror playing such a major role in global strife, how could cyber-security sabotage NOT be far behind?
- Given the threat landscape, what controls/testing can be performed to ensure that the public risk is abated through proactive measures—and that private scenarios are regulated so that we can trust our Internet avatar system as we trust our financial system?
Given the evolution of threats and the importance of the sanctity and trustworthiness of online systems, government needs to step in and provide something akin to a Federal Bureau of Cyber Security with a separate and distinct charter. This agency’s role would be equivalent to the physical Secret Service in numerous ways. However, its operating space and domain would be one with the ghostly characteristics of computer warfare. In defending the citizenry, this agency would need to cover freedoms of press and speech overall.
No matter when or how the government responds, each organization has a responsibility to be aware and prepared. Radware urges you to contemplate how our 2017 predictions could affect your organization and the people you serve—then work to devise appropriate strategies and controls for mitigating the risks.