Ransomware, Cyber-Spying Among Top Security Trends to Watch

We look at 10 trends–from rising ransomware incidents to malware-less attacks from nation-states–that will likely play a pivotal role in security this year.

Demand for security pros will continue to rise. A tremendous shortage of professionals who understand security and the slow rate that education produces reinforcements will lead to an estimated shortfall of more than 1.5 million workers worldwide in 2020. Software engineers and hackers who truly understand the technical components of security are even in greater demand, leaving a short supply for startups and innovative companies. The trend will likely lead to a greater reliance on cloud and managed-security services in 2016, and a focus on information services that help companies understand the threats.

Is the information security sector a bubble of investment ready to pop? The question has dogged the industry for a few years, but signs of a slowdown are now be apparent. In the first two quarters of 2015, venture-capital firms invested just short of $500 million in 20 deals—impressive, but a significant decrease from the 33 investments in cyber-security firms in the first six months of 2014 worth $673 million. In fact, activity in the information security sector appears to have peaked in 2014, with 56 deals worth approximately $1.2 billion.

The holiday season in 2015 saw drones become popular gifts, so much so that the FAA rushed through regulations, announced on Dec. 14, that require all drones to be registered in a national database and fly below 400 feet. While drones may be the most versatile device that can be controlled—and thus hacked—remotely from a computer, other physical devices have shown the impact that hacks could have in the future. Two security researchers took control of a GMC Jeep, controlling it remotely. The number of devices considered to be part of the Internet of things will grow from 1.2 billion in 2014 to more than 5.4 billion in 2020, according to Verizon, which has published one of the most conservative estimates. All these devices present inviting targets to hackers.

Kidnapping is usually a desperate crime because the criminal cannot receive money until after they have actually committed the crime. Cyber-criminals, however, have turned the act of holding data for ransom into an efficient business while blurring the money trail enough to continue to collect from thousands of victims. Because of their success, criminals are increasingly using ransomware to infect computers. By the second quarter of 2015, ransomware attacks had grown more than tenfold compared to the same quarter a year earlier, according to data from Intel’s McAfee Labs.

As breaches continue to plague businesses and consumers, more companies will likely look to encryption to help bolster their data security, especially when the information travels outside the firewall. Over the past 10 years, encryption use has doubled—a slow technological trend, but significant, given the difficulty in managing encrypted data and its keys. The health care and retail sectors are leading the charge to encryption, according to an annual survey sponsored by Thales e-Security—unsurprising since both industries have been hard hit by breaches.

Service providers will increasingly offer a variety of forms of two-factor authentication, where the questionable security of a password is augmented by a second factor to confirm a user’s identity. Consumer services that have suffered breaches—from game sites, such as World of Warcraft, to business services, such as Google Gmail and Apple iCloud—all offer two-factor authentication, generally allowing a user to register a device as the second factor.

Security and privacy have long been considered to be two opposing forces because the easiest approach to security is often to track identities. While that battle will continue in 2016, two forces will add to the debate this year: ever-present calls from law enforcement to have greater access to citizens’ communications and the recent passage of the Cybersecurity Act of 2015. Following the recent terrorist attacks in Paris, France, and San Bernardino, Calif., law enforcement officials and some presidential candidates renewed calls for technology providers to build backdoors into their products to give agents the ability to decrypt communications. Technologists have pointed out that backdoors equate to vulnerabilities that will eventually be compromised. The debate is far from settled.

In the distant past—think 1980s—attackers used to break into systems, gain administrators’ rights and then use on-system tools to break into other machines. While viruses, worms and malware became the tools of choice during the age of mass compromises, sophisticated attackers infiltrating high-value targets are going “old school,” some security researchers say. By using IT administrators’ tools that are on the victim’s own system—and thus, white-listed by the company—attackers gain the advantage of being able to blend into the crowd on the targeted network. However, just as sophisticated attacks represent a very small minority of attacks—less than 1 percent by most estimates—attacks avoiding the use of malware are only used in limited cases, researchers say.

Phishing and malvertising have become popular methods for compromising computers and networks. Phishing is often used in a variety of cyber-criminals’ attacks but accounts for the lion’s share of sophisticated cyber-espionage attacks—more than three-quarters of all espionage attacks start with an email message with either an attachment or a link. The technique is effective: Some 23 percent of recipients clicked on a phishing email and 11 percent opened the attachment, according to Verizon. While malvertising is not quite as popular, numerous incidents have cropped up, hitting newspapers and entertainment services in 2015.

While the United States and China came to an accord in September to stop hacking to help domestic industries, the agreement is limited to economic espionage, which the United States forgoes by law and China denies as a policy. The agreement lacks teeth, and while the United States has threatened sanctions, no repercussions have yet been felt by nations frequently suspected of hacking and stealing data.