ESET predictions and trends for cybercrime in 2016

It’s that time of the year when the information security industry takes part in its annual tradition: coming up with cybercrime predictions and trends for the next 12 months. These lists usually range from the mundane to the bizarre, to the lighthearted and the dire (perhaps depending on the predictors’ consumption of eggnog and/or dystopian sci-fi media). Many have about as much accuracy as one might expect of people who are experts but not psychics. Still, you never know.

As regular readers of We Live Security will know, every December the ESET researchers put together their own predictions and trends for the coming year. In 2014, the emphasis was on APTs (advanced persistent threats) and attacks targeting the corporate world. This year, we’ll be offering a deeper analysis on a variety of topics such as IoT, ransomware, crimeware, haxposure, Windows 10, and critical infrastructure among others.

The full article will be released soon and you’ll be able to download the full version directly from our white paper section. What now follows is a brief, occasionally tongue-in-cheek view from a number of ESET researchers on what they expect 2016 will bring.

From David Harley:

• More convergence between tech support scams and real malware, especially ransomware.
• Increased targeting of platforms other than Windows for pop-up fake alerts and for ransomware.
• In the UK at least, NHS sites will continue to be slammed by security bloggers for squandering their pitiful resources on direct healthcare instead of upgrading computer systems.
• More toys will follow the Pink Fink (aka Hello Barbie) into the Internet of Things (IoT), despite concerns about privacy and the continued attention of researchers probing for scareworthy vulnerabilities.
• Understandable panic about terrorist attacks and other manifestations of physical violence will be translated into calls for the weakening of encryption and the abolishing of privacy.

From Aryeh Goretsky:

• We will see an increase in the usage of virtualization technology by home and SOHO (small office/home office) users, followed by an increase in attacks on them.
• Adobe Flash, PDF and Oracle Java will remain targets of opportunity. (Keep ‘em patched, folks!)
• Web frameworks (Drupal, Joomla, Typo3, Wordpress, etc.) will also be targeted, and exploits for them will increase in value.
• Web performance, optimization, analytics, personalization and other related service networks (think Newrelic, Optimizely, Parsely, etc) will be increasingly targeted via both sophisticated attacks (i.e. code injection of specific customers) and unsophisticated attacks (DDoS).
• Windows will still be a target.

From Bruce Burrell:

• High-visibility breaches will continue. This will be across all sectors, of course, but the press (and hence the public) will probably pay the most attention to the ones in retail and healthcare. The organizations affected will take restorative and preventative measures in the short run -- then they will revert to NIMBYism.
• Elsewhere, there will be lots of corporate board handwringing and, in some businesses, perhaps even occasional increases in security funding.
• Unaffected end users will be anxious, until the next news cycle. Afflicted users, of course, will stay anxious longer, when they realize their identities have been stolen, or funds drained, or that they can't get health insurance because …
• Regrettably, if 2016 unfolds like previous years, not enough will happen, as far as end users and businesses actually doing anything to protect themselves.
• Legacy devices will continue to be used in healthcare, because there is a perception, real or imagined, that it is not viable to move away from them. New devices will not have anywhere near sufficient security baked in until long after the 2016 timeframe. The exceptions will be few and far between -- but we should do everything we can to encourage those vendors who ‘do it right’.

From Stephen Cobb:

• In 2016, healthcare IT managers will be under pressure from 3LAs on three sides: fresh OCR HIPAA audits and penalties; more aggressive FDA action on vulnerable medical devices and pseudo-medical apps; and at least one FTC action against a wearable or IoT device or app used in wellness programs.
• 2016 may also see the responsible disclosure debate hit healthcare IT, just like the live Jeep hack demo hit the automotive industry in 2015. Many security experts oppose risky public demonstrations, but there is no denying the power of a video showing a car being disabled on the highway, which accomplished what several previous parking lot demos did not: a whole new level of public and congressional attention.

From Cameron Camp:

• IoT security will continue to make headlines, but if your digital ‘e-bear’ toy gets hacked you are in no certain peril, aside from a trip to the store to return it. Expect 2016 to be the year of the full-frontal assault on all things IoT though, where cybercriminals will find new ways of attacking unsuspecting victims through their new flock of ‘digital doo-dads’. But it will still take more time to find the ‘killer bad app’ nemesis for the IoT.
• SCADA (supervisory control and data acquisition) hacking becomes nation state day job for more people. After years of tinkering and poking the doors of unsuspecting industrial players, nations will pride themselves on having SCADA digital chops.
• Credit cards will still get hacked – despite EMV. Where’s there’s money, there will be hackers, no matter the technology. Still, EMV raises the bar a bit and makes hacking more expensive, which is good.

From Lysa Myers:

• Governments around the world will continue to pass laws that belie an understanding of technology, especially encryption and networked communication.
• Companies will continue to pump out toys, fitness devices, 'smart home' devices, apps, etc, that leak personal information like Snoqualmie Falls in an El Niño year.
• Healthcare companies will continue to lead the Breach Parade, as medical device manufacturers continue selling equipment with woefully outdated software and operating systems, and electronic health records are implemented without sufficient risk assessment.
• (Hopefully) more device manufacturers will publish responsible disclosure procedures for reporting vulnerabilities in their products.
• More devices and accounts will add simple – and perhaps novel – authentication techniques that allow people to increase their security
• More chip and signature terminals will come online in the US, and be closely followed by complaints from retailers that they’re significantly slower than magstripe cards.

Each of us had our own area of concern, according to our particular specialties, but we all predict many of the same outcomes for next year. From the 10,000 foot view, this could best be summarized as ‘things will continue along the same trajectory’. This could be considered a fairly pessimistic view, and yet a rather obvious one.

That said, the upcoming year – as with all years – brings the possibility for many learning opportunities, which offers plenty of scope for improvement. Unspoken jokes about job security aside, we very much hope this coming year yields greater transparency and understanding of security issues, which generates more and substantial improvements in privacy and security for everyone. Please stay tuned to We Live Security as the full paper will soon be available with a detailed analysis of each prediction and trend.