This year's top six cyber risks for businesses, according to The Chertoff Group principal Adam Isles, are: an increase in destructive attacks targeting industrial control systems, the expansion of IoT as a threat vector, evolution in nation-state tradecraft, advances in identity subversion as a tactic, increased use of software subversion to bypass security controls, and an increase in third-party risk.

Every five years, the U.S. intelligence community releases a Global Trends report, and the edition released in January 2017 cited destruction of important civilian infrastructure as an increasingly likely form of emerging warfare. The rise in attacks targeting industrial control systems (ICS) can be attributed to several factors: the relative ease of brute-forcing default or weak passwords on ICS equipment, growth in the number of ICS reachable from the public Internet, and greater motivation among malicious actors to take control of ICS for political influence or monetary gain.

“Threat is a function of motivation, capability and opportunity,” said Isles. “2018 is expected to bring additional advances particularly regarding autonomous/artificial intelligence-enabled systems and their use in both private and professional settings. As this trend advances, so too does the opportunity to exploit such devices for malicious purposes.”

In the last few years, many attacks have used IoT devices such as CCTV cameras in large-scale DDoS attacks, including an October 2016 attack that disrupted Internet services across the U.S. for much of a day. These attacks highlight the large-scale challenge of ensuring that IoT devices are properly configured so that they cannot be compromised and conscripted. Even if U.S. authorities were to introduce legislation requiring manufacturers to lock down IoT vulnerabilities, the threat from exposed devices in other countries would not diminish, per Isles.

“Where malicious activity can be attributed to state actors, U.S. authorities have worked with allied governments to take responsive action–for example, sanctions and criminal indictments plus related cooperation through extradition and mutual legal assistance treaties,” he explained. “So, the ability to act without the attendant consequences of attribution will be of increasing utility to threat actors. In that vein, state actors are increasingly relying on capabilities–people and technology–with roots in organized crime.”

Per the 2017 indictment of individuals allegedly involved in the Yahoo breach, including officers of Russia's Federal Security Service (FSB): “One of the criminal hackers has been the subject of an Interpol 'Red Notice' and was listed as one of the FBI's 'Most Wanted' hackers since 2012. He resides in Russia, within the FSB's jurisdiction to arrest and prosecute. Rather than arrest him, however, the FSB officers used him.”

In addition, while state actors have access to zero-day exploits, the abundance of unremediated vulnerabilities makes it more likely that they will reuse known malware and hacking tactics to minimize the chances of attribution. The weaknesses of passwords are well covered in the security literature, and we are now seeing significant consequences of compromised passwords in “credential stuffing” attacks, in which username/password pairs leaked from one breach are replayed automatically, at high speed and in bulk, against the login pages of other services on the bet that users reuse passwords. Understanding these risks, organizations are increasingly shifting to multi-factor authentication to reduce the risks of single-factor approaches, according to Isles.
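The distinguishing feature of credential stuffing is that each account sees only one or two attempts, so per-account lockouts never fire; the signal is a single source trying many different accounts with a low success rate. The following is an added example, not code from the article or from The Chertoff Group, that scores authentication logs per source and lists the accounts whose reused passwords actually worked. The log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not code from the article or from The Chertoff Group. The
log format, the thresholds and the sample lines below are assumptions
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 walks through ten different accounts in six seconds and gets
# into one of them; 198.51.100.20 is one user mistyping their own password.
SAMPLE_LOG = """\
2018-01-10T09:00:01 203.0.113.7 alice FAIL
2018-01-10T09:00:02 203.0.113.7 bob FAIL
2018-01-10T09:00:02 203.0.113.7 carol FAIL
2018-01-10T09:00:03 203.0.113.7 dave OK
2018-01-10T09:00:03 203.0.113.7 erin FAIL
2018-01-10T09:00:04 203.0.113.7 frank FAIL
2018-01-10T09:00:04 203.0.113.7 grace FAIL
2018-01-10T09:00:05 203.0.113.7 heidi FAIL
2018-01-10T09:00:05 203.0.113.7 ivan FAIL
2018-01-10T09:00:06 203.0.113.7 judy FAIL
2018-01-10T09:05:00 198.51.100.20 mallory FAIL
2018-01-10T09:05:07 198.51.100.20 mallory FAIL
2018-01-10T09:05:15 198.51.100.20 mallory OK
2018-01-10T10:00:00 192.0.2.44 trent OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=8, max_success_rate=0.25):
    """Return {source_ip: (distinct_users, attempts, successes)} for sources
    that, within some sliding window, tried at least min_users different
    accounts with a success rate at or below max_success_rate."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = evs[start:end + 1]
            users = {user for _, user, _ in current}
            successes = sum(1 for _, _, ok in current if ok)
            if len(users) >= min_users and successes / len(current) <= max_success_rate:
                # Keep the widest window seen for this source.
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), len(current), successes)
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that a flagged source logged into successfully: these are the
    reused passwords that worked, so they need a forced reset and MFA enrolment."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    for ip, (users, attempts, successes) in hits.items():
        print(f"{ip}: {users} accounts tried in {attempts} attempts, {successes} succeeded")
    print("force reset:", sorted(accounts_to_reset(evs, hits)))
```

Real stuffing campaigns spread attempts across proxy pools, so in practice the same scoring is applied per network range or ASN and complemented by a global signal (a spike in first-attempt failures across many accounts); the per-source version above is the simplest form of the idea.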

“We should expect to see increased reporting across three trends: newly discovered vulnerabilities in multi-factor approaches based on increased focus by security researchers, exploitation of unremediated vulnerabilities by malicious actors and resort[ing] to social engineering to subvert the identity-proofing process that underlies multifactor authentication,” he said.

Isles also pointed to a flaw in the hardware underlying some token-based authentication systems. These tokens rely on public-key cryptography, in which the private key must remain secret while its public counterpart is freely distributed. The flaw, found in the key-generation routine of the chip used in the tokens in question, means that a malicious actor can recover the private key from the public key in far less time than previously thought. The consequence is that attacks are more feasible against systems protected by those tokens. In this case, the security researchers who identified the vulnerability worked with the affected token providers, who in turn helped their customers remediate it.

“Likewise, there is an increase in threat reporting around the compromise of text messages that provide one-time passcodes as a second factor,” he said. “In turn, there is also an increase in reporting around social engineering schemes that trick customer support centers into updating the mobile phones associated with an account from the legitimate account holder's to that of a malicious actor.”

As seen in NotPetya and other 2017 incidents, adversaries are using third-party software as an entry vector to deploy malware on targeted systems. Security controls were bypassed through the subversion of trusted third-party software: malicious actors compromised the supply chain at its source, tampered with the third-party software in question, and leveraged that compromise to inject malware into victims' systems, from which it spread laterally. Maersk reported an impact of over $300 million, as did pharmaceutical company Merck.

“In 2018, we expect to see a greater emphasis on review and securing all phases of the software development lifecycle, not only testing before release but also during the planning, development and update phases as well,” Isles explained.

Allowing partner organizations access to sensitive data and systems can help a company focus on what it does best rather than on extraneous support functions. But the risks of this trend have multiplied as organizations increasingly offload specialized services to others, in particular cloud service providers. Uber CEO Dara Khosrowshahi said that “external attackers inappropriately accessed user data stored on a third-party cloud-based service that we use to gain unauthorized access to this information. While this compromise did not breach our corporate systems or infrastructure, it did result in the compromise of personal information for 57 million Uber customers around the world.”

Isles added, “Even cloud services that have strong security built-in can entail vulnerabilities if customers do not properly configure and maintain them. Thus, we expect more focus in 2018 on services that can help customers spot misconfigurations and risky levels of access on cloud services.”
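The misconfigurations Isles refers to are usually visible in the access policy itself: a grant to an anonymous principal, or a wildcard action on a wildcard resource. The following is an added example, not code from the article or from The Chertoff Group, that audits policy documents in the AWS IAM policy JSON format for three such patterns. The sample policies are constructed, and the three rules and their wording are assumptions for illustration, not a complete checker.

```python
"""Spot risky access grants in cloud resource and identity policies.

Added example, not code from the article or from The Chertoff Group. The
policy documents below are constructed samples in the AWS IAM policy JSON
format; the three rules and their wording are assumptions for illustration,
not a complete checker.
"""
import json

# Constructed: a bucket policy that makes every object world-readable.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed: the same grant restricted to one application role.
RESTRICTED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed: an identity policy that hands out full administrative rights.
ADMIN_IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

ANONYMOUS = "anonymous access: Principal is '*' with no Condition"
WILDCARD = "wildcard Action on wildcard Resource"
ADMIN = "administrative action granted ('*' or 'iam:*')"


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}: any AWS account, or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(policy_doc):
    """Return [(statement label, reason)] for Allow statements that grant
    access more widely than a least-privilege policy should."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # A "*" principal with a Condition (e.g. a source VPC endpoint) is a
        # deliberate scoped grant; without one it is open to the Internet.
        if _principal_is_everyone(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((label, ANONYMOUS))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append((label, WILDCARD))
        if any(a in ("*", "iam:*") for a in actions):
            findings.append((label, ADMIN))
    return findings


if __name__ == "__main__":
    for name, doc in [("public bucket", PUBLIC_BUCKET_POLICY),
                      ("restricted bucket", RESTRICTED_BUCKET_POLICY),
                      ("admin identity", ADMIN_IDENTITY_POLICY)]:
        print(name, "->", audit_policy(doc) or "no findings")
```

Run against every policy attached to buckets, queues and roles in an account, a check like this surfaces the public-bucket and over-privileged-role misconfigurations that turn a provider's strong default security into a customer-side breach; it does not replace a review of the grants that are intentionally broad.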

Amanda G. Ciccatelli is a Freelance Journalist for Corporate Counsel and InsideCounsel, where she covers intellectual property, legal technology, patent litigation, cybersecurity, innovation, and more.