Hot Hacker Targets in 2016: Fantasy Sports, Professional Services
As 2016 approaches, it's time to get the crystal ball out and predict next year's cybersecurity trends.
Here are some predictions from security pros TechNewsWorld interviewed.
Fantasy Sports Sites Will Be Hacked
Fantasy sports sites like DraftKings and FanDuel in 2015 caught the
attention of states' attorneys general, who wanted to treat the outfits
as gambling enterprises. In 2016, the sites will get attention from another quarter: hackers.
"One of the very rich targets we can imagine being attacked in 2016
are the fantasy sports companies," said Stephen Newman, CTO of Damballa.
"They've got a lot of personal information -- credit card numbers,
addresses, email addresses -- and they're moving a lot of dollars around
in betting," he told TechNewsWorld.
"Americans are spending $15 billion in fantasy sports today. That's a huge amount," Newman noted.
"What a rich target they would be to hit and make a statement," he added.
Ransomware Will Target Professional Services Firms
Ransomware -- in which an extortionist encrypts the data on a computer
and demands a payment for the key needed to decrypt it -- grew in
popularity in 2015, and that's expected to continue in 2016, but with a twist.
"We're already seeing architectural firms and law firms having their
systems compromised with ransomware, but those compromises haven't been
made public because they don't include consumer data," said Craig
Spiezle, executive director of the Online Trust Alliance.
"If you think of the value of the intellectual property of an
engineering or architectural firm, having their systems shut down would
have a huge impact on their business," he told TechNewsWorld.
"So I think we're going to see a shift from the traditional retail
environment to professional services where the intellectual property and
data have a higher net worth," Spiezle continued.
"Instead of dealing with credit card numbers worth $10 to $20 on the
cybercrime market, criminals are going to be extorting hundreds of
thousands of dollars from companies who don't want their business
disrupted or their intellectual property compromised," he said.
Targeting of Cloud Brokers Will Increase
Cloud brokers sit between cloud service providers and their customers.
Their place in the cloud infrastructure makes them a ripe target, one
that will get more attention from hackers in 2016.
"We're going to see more enterprises utilizing brokers, and in turn,
you're going to see more focus from the bad guys on compromising these
brokers instead of individual apps or individual devices," said IBM
Security Officer David Lingenfelter.
"Instead of focusing on an endpoint, they'll be focusing on a choke
point where all the devices have to go through," he told TechNewsWorld.
A Significant Theft of Healthcare Data From a Wearable Device Will Occur
The use of wearable devices that collect health information from their
owners grew in 2015, and that will make them a target for data thieves
in 2016.
"I expect we'll see the first cases where personally identifiable
information about healthcare-specific data will be stolen," said Rohit
Gupta, CEO of Palerra.
There has been a "vast proliferation of wearables like Fitbit and the
Apple Watch. These are all devices that connect to the Internet, and
they carry information like heart rates and all sorts of PHI data. That
is the kind of information that is likely to be compromised," he told
TechNewsWorld.
"2015 was the year that wearable usage started increasing," Gupta
said. "2016 is the year wearables will see the first levels of
compromise."
Cyberinsurance Will Become a Must-Have for Businesses
As data breaches become routine events, businesses will begin looking to insurance to help mitigate risk.
"2016 will be a very important year for cyberinsurance," said Richard Ford, a principal engineering fellow at Raytheon | Websense.
"Cyberinsurance will move much more into the mainstream and become a must-have," he told TechNewsWorld.
"You're going to see rapid adoption in 2016," said Stephen Boyer, CTO of BitSight Technologies.
"It won't be as common as general liability insurance, but boards are
asking for these types of policies," he told TechNewsWorld.
Hackers' Use of SSL Will Increase
Encryption can keep online transactions secure, but it also can be used
to mask criminal activity: security tools that cannot inspect encrypted
traffic see where a connection goes, not what it carries. That activity
will increase in 2016 as the share of traffic using SSL encryption increases.
"Today, about a third to a half of all traffic is encrypted. Next
year, it will become two-thirds of all traffic," said Kasey Cross,
senior product marketing manager at A10 Networks.
"This will become a major area of vulnerability next year," she told
TechNewsWorld. "With two-thirds of traffic encrypted, hackers are going
to leverage this avenue of attack even more than they have this year."
Not only will increased encrypted traffic attract hackers' attention,
so will changes in certificate requirements. "With new initiatives like
Let's Encrypt, it's becoming easier for anyone -- including hackers --
to increase their own SSL certificates," Cross said.
Developers May Deliberately Introduce Zero-Day Vulnerabilities
As the price of zero-day vulnerabilities climbs to six or seven
figures, some developers will deliberately insert bugs into major
vendors' code so that a friend can claim the bug bounty and split the
reward with them.
The economics aren't quite there in the United States. It wouldn't
make sense for a programmer making a six-figure annual salary to risk
losing that for a share of a six-figure bug bounty. However, companies
that outsource development of key products to countries where developers
are paid less are already at risk for this type of deception.
"If you're a programmer in India making $20,000, $25,000 a year, a
six-figure bounty can be an awful lot of money," said Andrew Conway, a
threat researcher at Cloudmark.
"There's got to be the temptation to sneak in a zero day and tell
your friend about it and split the bounty with him," he told
TechNewsWorld.
Breach Diary
- Dec. 7. Missoula County Public Schools in Montana issues statement apologizing to students and their families for an email accidentally sent to 28 parents containing sensitive academic, medical, disciplinary and criminal information about hundreds of students at Hellgate High School.
- Dec. 7. U.S. District Court Judge Leonard Wexler issues a restraining order against Compass, a brokerage firm alleged to have stolen thousands of listings from competitor Saunders & Associates. Saunders claims one of its former employees used a colleague's login credentials to copy information from its systems.
- Dec. 8. Morgan Stanley suspects Russian hackers stole company data from Galen Marsh after the former employee took the information home without authorization, The Wall Street Journal reports. Marsh pleaded guilty earlier this year for illegally accessing the bank's computers.
- Dec. 8. CM Ebar warns customers who used payment cards at its 29 Elephant Bar restaurants between Aug. 12 and Dec. 4 that their data is at risk due to a malware infection planted on its payment processing systems.
- Dec. 8. MaineGeneral Health announces it suffered a data breach in November that compromised personal information belonging to patients and prospective donors. Information on the number of affected people was not released.
- Dec. 9. VTech reports data breach at its Learning Lodge website affected 4.9 million parent accounts worldwide (2.2 million in the U.S.) and 6.4 million kid profiles (2.9 million in the U.S.).
- Dec. 10. Jason Chaffetz, chairman of the House Oversight and Government Reform Committee, in letter to Acting Office of Personnel Management Director Beth Cobert, calls for removal of OPM CIO Donna Seymour after a critical report by the inspector general on the contract award for identity monitoring and protection services following a massive data breach at the agency.
- Dec. 11. U.S. Office of Personnel Management reports it has finished notifying more than 20 million people affected by data breach at the agency earlier this year. About 7 percent of the people remain unnotified due to address problems, OPM said.
- Dec. 11. In 2015, 55 healthcare providers suffered data breaches resulting in theft of data for more than 110 million Americans, Motherboard reports.
- Dec. 11. Police in Wauwatosa, Wisconsin, say overseas hackers perpetrated a data breach that compromised more than 1,000 accounts and resulted in $164,000 in losses at a local Burger King.
- Dec. 11. Northwest Primary Care in Portland, Ore. reveals information for 5,372 patients is at risk after it was stolen by a former employee.
Upcoming Security Events
- Dec. 16. Crafting a National Strategy for the Internet of Things. 9 a.m. ET. Rayburn House Office Building, 45 Independence Ave. Southwest, Room 2237, Washington, D.C. Free.
- Dec. 17. Cyberattacks Happen Every Day. Are You Prepared to Stop One? 2 p.m. ET. Webinar sponsored by Cyberark. Free with registration.
- Jan. 16. B-Sides New York City. John Jay College of Criminal Justice, 524 West 59th St., New York. Free.
- Jan. 18. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Registration: $25.
- Jan. 22. B-Sides Lagos. Sheraton Hotels, 30 Mobolaji Bank Anthony Way, Airport Road, Ikeja, Lagos, Nigeria. Free.
- Feb. 5-6. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
- March 18. Gartner Identity and Access Management Summit. London, UK. Registration: before Jan. 23, 2,225 euros plus VAT; after Jan. 22, 2,550 euros plus VAT; public sector, $1,950 plus VAT.
- June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: before April 16, $2,950; after April 15, $3,150; public sector, $2,595.
