HACKERS ARE NOTHING if not persistent. Where others see obstacles and quit, hackers brute-force their way through barriers or find ways to game or bypass them. And they’ll patiently invest weeks and months devising new methods to do so.
There’s no Moore’s Law for hacking innovation, but anyone who follows cybersecurity knows that techniques get bolder and more sophisticated each year. The last twelve months saw several new trends and next year no doubt will bring more.
Here’s our take on what to expect in 2016.
Following the Sony hack in late 2014, we predicted that hacker shakedowns would increase in 2015. By shakedown, we were referring not to standard ransomware attacks, whereby malware encrypts or otherwise locks access to a victim’s computer until the victim pays a ransom. We meant extortion hacks where attackers threaten to releasesensitive company or customer data if the victim doesn’t pay up or meet some other demand. With these attacks, even if you have backed up your data and don’t care that hackers have locked you out of your system, public release of the data could ruin you and your customers.
There’s just one problem with tracking such attacks. If the victim caves and does pay, the public may not know extortion occurred. We do, however, have at least two extortion hacks on record for 2015: the Ashley Madison hack, which took down a CEO and exposed possibly millions of would-be cheaters to public ridicule and worse; and the hack of InvestBank in the United Arab Emirates, which resulted in the exposure of customer account information. Extortion hacks play to the deepest fears of companies and executives—if not handled well, company secrets are exposed, customers file lawsuits, and executives lose their jobs. Expect such attacks to become more prevalent in 2016.
Attacks That Change or Manipulate Data
In testimony this year, James Clapper, the director of national intelligence, told Congress that cyber operations that change or manipulate digital data in order to compromise its integrity—instead of deleting or releasing stolen data—is our next nightmare. Mike Rogers, head of the NSA and US Cyber Command said the same thing. “At the moment, most [of the serious hacks] has been theft,” Rogers said. “But what if someone gets in the system and starts manipulating and changing data, to the point where now as an operator, you no longer believe what you’re seeing in your system?”
Data sabotage can be much more difficult to detect than the kind of physical destruction caused by Stuxnet. That’s because data alterations can be so slight yet have enormous consequences and implications. Anyone remember the Lotus 1-2-3 bug back in the 90s that would produce accounting miscalculations in spreadsheets under certain conditions? That was an unintentional error. But attackers could get into financial and stock-trading systems to alter data and force stock prices to rise or fall, depending on their aim.