By Sharon Florentine
Dec. 1, 2016
From W-2 scams to WordPress vulnerabilities, ransomware, business email compromises, DDoS attacks and allegations of a hacked presidential election -- 2016's been a hell of a year in cybersecurity, and it's not over yet.
There's no reason to believe 2017 will be any better. If anything, it could be even worse as cybercriminals continue to push social engineering, find new ways to deliver malware, crack vulnerable databases and leverage mobile technology to find ways to get inside corporate defenses and target individuals.
We asked two leading cybersecurity experts, Matt Dircks, CEO of secure access software company Bomgar and Scott Millis, CTO at secure device management and mobile security company Cyber adAPT, what to expect in 2017.
1. Passwords 'grow up'
The recent DDoS attack that wreaked havoc on a huge portion of the internet on Oct. 21 was at least partly enabled by unchanged default passwords on IoT devices, which hackers were able to exploit, says Dircks. Don't think you're immune; how many of your users have simple, common or outdated passwords? In 2017, Dircks says better password management services will gain traction as businesses understand how vulnerable they are.
"I used to do a party trick where I'd go to someone's house and hack their router. There are so many purpose-built, 'dumb' devices out there like the routers used to facilitate the DDoS attack a few months ago, that it's making hackers' jobs easy," Dircks says.
Cybersecurity professionals will struggle to protect critical infrastructure, connected systems and remotely accessed systems and devices while weak password practices remain the norm, but it's not just external threats that are a problem.
Mitigating insider threats can also be accomplished through better password management, he says. The best way to do so is to implement a solution that securely stores passwords that remain unknown to users, and then regularly validates and rotates those passwords to ensure safety and security.
"What we're talking about is credential vaults. In an ideal world, a user would never actually know what their password was -- it would be automatically populated by the vault, and rotated and changed every week. Look -- hackers are intrinsically lazy, and they have time on their side. If you make it harder for them, they'll go elsewhere rather than invest the energy to chip away," Dircks says.
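As an added illustration of the vault model Dircks describes above (this is example code written for this page, not Bomgar's product or anything from the article), the Python sketch below keeps passwords sealed from users, hands them straight to a login routine, refuses factory defaults of the kind abused in the October DDoS, and rotates them on a weekly schedule. The default-password list, the rotation period, the in-memory store and the `day()` clock are all constructed assumptions.

```python
"""Model of the credential vault Dircks describes: the vault generates
passwords, never shows them to users, injects them into sessions and rotates
them weekly. Store, default list and period are constructed for illustration."""
import secrets
import string
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

ROTATION_PERIOD = timedelta(days=7)  # "rotated and changed every week"
# Constructed sample of factory defaults the vault refuses to keep in service.
DEFAULT_PASSWORDS = {"admin", "password", "12345", "root", "default"}
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

def generate_password(length: int = 24) -> str:
    """Cryptographically random secret; only the vault ever holds it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def day(n: int) -> datetime:
    """Constructed clock for the example: n days after 1 Dec 2016."""
    return datetime(2016, 12, 1) + timedelta(days=n)

class CredentialVault:
    def __init__(self) -> None:
        self._store: Dict[str, Tuple[str, datetime]] = {}  # account -> (pw, rotated_at)

    def enroll(self, account: str, current: str, now: datetime) -> bool:
        """Take an account under management; a default or short password is
        replaced at once. Returns True if that replacement happened."""
        weak = current in DEFAULT_PASSWORDS or len(current) < 12
        self._store[account] = (generate_password() if weak else current, now)
        return weak

    def rotate(self, account: str, now: datetime) -> None:
        self._store[account] = (generate_password(), now)

    def stale_accounts(self, now: datetime) -> List[str]:
        """Accounts whose password is older than ROTATION_PERIOD."""
        return [a for a, (_, t) in self._store.items() if now - t > ROTATION_PERIOD]

    def rotate_due(self, now: datetime) -> List[str]:
        """Scheduled job: rotate every stale account and report which ones."""
        due = self.stale_accounts(now)
        for account in due:
            self.rotate(account, now)
        return due

    def open_session(self, account: str, connect: Callable[[str, str], object]):
        """Hand the secret straight to the login routine; the user never sees it."""
        password, _ = self._store[account]
        return connect(account, password)
```

A real deployment would also push each rotated secret to the target system and log every session opened through the vault, which is where the monitoring Dircks mentions in the next section comes from.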
2. Privilege gains power
Hackers want high-level access, which they get through targeting the credentials of privileged users like IT professionals, CEOs and vendors, Dircks says. And while organizations have applied security to the systems, applications and data that are most critical to their business, these preventative measures simply aren't enough anymore. In 2017, he says, savvy organizations will finally get serious about protecting not just systems, but privileged users by identifying them, monitoring their access and closing off access to what they don't need.