The last several years have each been marked by high-profile data breaches, and 2016 was no different. Some very well-known names, including government agencies, fell victim to cyber-attacks. If there is a silver lining in all this, it is that these data breaches have increased awareness and forced organizations to advance their security practices to better fight cyber-threats. At WhiteHat, we believe these trends will continue into 2017; we expect the coming year to be a mixed bag of good and bad news. Listed below are our top security predictions for 2017.
Applications will continue to be the weakest link
Applications offer a large, vulnerable attack surface to attackers. According to the 2016 Verizon Data Breach Investigations Report, 40% of data breaches come from web application attacks. From WhiteHat’s Statistics Report, we also know that the state of application security is not pretty: remediation rates are under 50%, and even vulnerabilities that are eventually remediated stay open for months. We are not seeing any fundamental change in application development processes or security practices. As a result, we anticipate that big data breaches originating from the application layer will continue to hit the headlines in 2017.
IoT attacks will continue
Billions of IoT devices currently in use are insecure, and are not likely to be patched or fixed anytime soon. As a result, attackers will continue to use insecure IoT devices to launch attacks like the Mirai botnet’s DDoS attack on Dyn in October 2016. We also expect new government regulations in this area to require manufacturers to build better security into IoT devices.
Cyberattacks stemming from weak or stolen credentials will decline
According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involved default, weak or stolen passwords. The good news is that multi-factor authentication (MFA), which requires more than one independent piece of evidence to authenticate, so that a leaked or guessed password alone is no longer enough to log in, is quickly gaining popularity. The research firm Markets and Markets estimates that the MFA market will reach 9.6 billion USD (a CAGR of 17.7%). MFA does not stop every credential attack (a second factor can itself be phished or intercepted), but we expect that growing adoption of MFA will curtail cyber-attacks that take advantage of weak, default or stolen credentials.
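To make the point above concrete, here is an added example (written for this edit, not WhiteHat’s or any vendor’s code) of a login check that enforces a second factor. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238, and the secret used is the RFC test key so the codes match the published test vectors; the in-memory user store, the `register`/`login` helpers and the demo user are constructed for the example. It shows that a stolen password on its own is denied, and that both factors are always evaluated so the response does not reveal which one failed.

```python
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4226 / RFC 6238 shared test key ("12345678901234567890"); used here only so
# the codes below match the published test vectors. A real deployment generates
# a random per-user secret with secrets.token_bytes(20).
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current time step and up to `window` steps of
    clock drift on either side. Comparison is constant-time."""
    code = code.strip()
    if len(code) != digits or not code.isdigit():
        return False
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(key, at + drift * step, step, digits)
        # Evaluate every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(expected, code)
    return ok


# Constructed in-memory user store for the example: username -> record.
USERS: dict = {}


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(username: str, password: str, totp_secret: bytes) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": _password_hash(password, salt),
        "totp_secret": totp_secret,
    }


def login(username: str, password: str, code, now: int = None) -> str:
    """Returns "ok" only when BOTH the password and a valid TOTP code are
    presented. A leaked password on its own is always denied."""
    if now is None:
        now = int(time.time())
    record = USERS.get(username)
    if record is None:
        # Do comparable work for unknown users so response time does not
        # confirm whether an account exists.
        _password_hash(password, b"\x00" * 16)
        return "denied"
    pw_ok = hmac.compare_digest(_password_hash(password, record["salt"]), record["pw_hash"])
    # Check the second factor regardless of the first, and report a single
    # generic outcome, so an attacker cannot learn which factor was wrong.
    code_ok = code is not None and verify_totp(record["totp_secret"], code, now)
    return "ok" if (pw_ok and code_ok) else "denied"


# Demo user, constructed for the example.
register("alice", "correct horse battery staple", RFC_TEST_KEY)

if __name__ == "__main__":
    t = 59  # RFC 6238 test time: counter = 59 // 30 = 1, six-digit code 287082
    print("password only:          ", login("alice", "correct horse battery staple", None, t))
    print("password + valid code:  ", login("alice", "correct horse battery staple", totp(RFC_TEST_KEY, t), t))
    print("stolen password + guess:", login("alice", "correct horse battery staple", "000000", t))
```

The one-step drift window is the usual trade-off between tolerating client clock skew and widening the guessable space; in production the code would also be rate-limited and each accepted code recorded so it cannot be replayed within its window.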
Vendor security risk will become more manageable
Vendor security risk, a known area of concern due to ad-hoc processes and a lack of transparency from vendors, is undergoing transformation. In 2016, several sections were added to PCI DSS 3.2 to clarify the responsibilities of service providers in the PCI compliance process. More recently, the Vendor Security Alliance published a questionnaire to help organizations assess and benchmark third-party product and service risk. In 2017, we expect vendor security risk management processes to become more streamlined and automated.
Organizational silos will give way to a more security-centric culture
Organizational silos present the biggest hurdle to putting security into practice. Cybersecurity is nominally a top priority for most organizations; nevertheless, organizations remain vulnerable and get breached. One common root cause is that teams have different priorities and fail to collaborate. The development team’s priorities are often not aligned with the security team’s, and even within the security team, the people working on application security do not necessarily collaborate with the network security or cloud security teams. We know from talking to our customers that organizations recognize this issue and are attempting to address it; we expect the next wave of change to tackle these organizational silos, particularly the one between the security team and the rest of the organization, in order to streamline processes and align priorities in the interest of improved cybersecurity.
In summary, 2017 will bring its own share of challenges to security teams. But we believe that organizations will continue to move forward and push for greater adoption of DevSecOps, better risk management maturity, and greater information transparency and collaboration. This work will not be completed in a single year, but we believe that 2017 will be a turning point.