KPMG: Cybercriminals Set to Get ‘Creative’ in 2017
IoT threats, new EU data laws and the industrialization of cybercrime are all set to dominate the agenda as we head into 2017, according to professional services giant KPMG.
David Ferbrache, technical director in KPMG’s cybersecurity practice, made the predictions in his 10 expected trends of the coming year.
The Internet of Things will become a major threat vector and target in its own right, thanks to “misconfigured devices, default passwords, obsolescent operating systems and out of sight devices,” he claimed.
The Mirai DDoS attacks of late 2016 of course blazed a trail for the hackers in this regard.
More generally, Ferbrache predicted that the coming year would see cybercrime gangs increasingly leverage cheap labor and sophisticated tools to target victim organizations.
Social media will help these efforts, providing a wealth of information on employees which the black hats can use to tailor and personalize attacks in order to increase their chances of success.
Even ransomware will become “smarter and more targeted” as the year progresses, supported by the “as-a-service” model of the dark web, Ferbrache argued.
In fact, it already is, with reports emerging last week of fraudsters purporting to be Department for Education officials cold-calling schools to obtain the email addresses of head teachers, in order to improve the success rate of ransomware attacks.
Cybercrime tactics and targets will continue to evolve apace.
Ferbrache predicted that if the international retail banking community responds to recent high profile attacks by improving security standards, the black hats will likely look to fresh targets including insurance, e-payment and e-retail channels.
“We have already seen evidence of banking Trojans being re-purposed to attack the links between customers and e-retailers – with the aim of placing fraudulent orders for goods and services,” he told Infosecurity.
“There is a risk that retailers implementing digital channels may find themselves being targeted by such criminals.”
The coming 12 months will see organizations and industry respond to the growing cyber threat in several ways, KPMG claimed.
Passwords will become increasingly rare as the security and business community realize they need better ways to authenticate which use “multi-factor authentication (including biometrics), behavioural analysis and contextual information to make judgements on whether the user really is who they say they are; and just how risky their attempted transaction really is.”
The board will get increasingly involved in security issues, holding CISOs to account for their decisions, and siloes between fraud prevention and cybersecurity will begin to come down, Ferbrache added.
Finally, the forthcoming European GDPR will propel privacy to the top of the boardroom agenda for any firm globally which handles data on European citizens.
Ferbrache urged firms to test their web portals against common attacks including DDoS, cross-site scripting, SQLi and others.
“Firms also need to secure their key payment infrastructure from manipulation in the event of a compromise of the firm’s corporate network. This is a combination of segregation of key systems (PCI DSS) and also effective fraud control and monitoring over such systems to detect anomalous transactions,” he explained.
“Firms also need to play through key cyber scenarios which might include the compromise of their payment systems or infrastructure, including how they would handle customer/client communications and restore confidence.”
Source: Information Security Magazine