2015 Outlook

It’s that time of year again when we look ahead toward the cyber security trends and topics we’ll be seeing in 2015.
Below are a few highlights from CIS staff on what we’ll be talking about in the coming months.
Increase in Click Fraud 
Curt Maughs, CISA, CISSP, GCIA, Security Operations Manager, Center for Internet Security
What is click fraud? Click fraud occurs when links on web pages, usually ads, are clicked on in an automated fashion. This activity usually occurs when a user unknowingly downloads an unauthorized program (such as a Trojan horse) that gets installed on their system, or through other methods including infection via drive-by malware or botnet. The objective of the cyber criminal in using these malicious programs is to collect revenue on a per-click basis. The impact to the victim includes the consumption of computing resources (e.g., network bandwidth, CPU cycles, or RAM usage) that results in lost productivity, and in some extreme cases distributed denial-of-service (DDoS)-like conditions affecting multiple users on a network.
While most click-fraud activity does not directly involve data exfiltration, it is not uncommon for malware that performs data exfiltration to also install click-fraud applications as part of its routine, to maximize the profit per infected host under the criminals’ control.
We are expecting click-fraud to increase in 2015 as this functionality becomes incorporated into more malware.
The best defenses against this threat include the following:
  • Keep hosts up to date on patches and remove all unnecessary applications from systems.
  • Keep anti-virus/anti-malware applications and their associated signatures up to date.
  • Implement IDS/IPS-capable devices and SIEMs to assist in detecting infections and anomalous behavior.
  • Ensure users have minimal permissions/rights necessary to perform their job functions or execute applications.
  • Restrict the execution of unauthorized programs.
  • Remediate infections as soon as possible after identification.
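As an illustration of the "anomalous behavior" a SIEM rule can look for, the added example below (not part of the original article) flags internal hosts whose ad clicks are both frequent and machine-regular in timing. The log lines are constructed, and the `/click?` URL marker and both thresholds are assumptions to tune for your own proxy logs.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: ISO timestamp, internal host, requested URL.
SAMPLE_LOG = """\
2015-01-12T09:00:00 10.0.0.23 http://ads.example.net/click?id=101
2015-01-12T09:00:05 10.0.0.57 http://ads.example.net/click?id=310
2015-01-12T09:00:17 10.0.0.57 http://ads.example.net/click?id=311
2015-01-12T09:00:30 10.0.0.23 http://ads.example.net/click?id=102
2015-01-12T09:00:40 10.0.0.41 http://news.example.com/index.html
2015-01-12T09:01:00 10.0.0.23 http://ads.example.net/click?id=103
2015-01-12T09:01:31 10.0.0.23 http://ads.example.net/click?id=104
2015-01-12T09:02:00 10.0.0.23 http://ads.example.net/click?id=105
2015-01-12T09:02:30 10.0.0.23 http://ads.example.net/click?id=106
2015-01-12T09:03:10 10.0.0.41 http://ads.example.net/click?id=220
2015-01-12T09:05:57 10.0.0.57 http://ads.example.net/click?id=312
2015-01-12T09:06:42 10.0.0.57 http://ads.example.net/click?id=313
2015-01-12T09:21:42 10.0.0.57 http://ads.example.net/click?id=314
"""

AD_CLICK_MARKERS = ("/click?",)  # assumed pattern for ad click-through URLs

def flag_hosts(log_text, min_clicks=5, max_jitter=0.2):
    """Return hosts with many ad clicks at near-constant intervals."""
    clicks = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, url = line.split(None, 2)
        if any(marker in url for marker in AD_CLICK_MARKERS):
            clicks[host].append(datetime.fromisoformat(ts))
    flagged = {}
    for host, times in clicks.items():
        if len(times) < min_clicks:
            continue  # too few clicks to judge timing
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: near 0 means clockwork-like spacing,
        # which a person browsing and clicking ads rarely produces.
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            flagged[host] = {"clicks": len(times),
                             "mean_gap_s": round(avg, 1),
                             "jitter": round(jitter, 2)}
    return flagged

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_LOG))
```

Host 10.0.0.57 also clicks five ads but at irregular intervals, so it is not flagged; a real rule would pair the timing check with volume and destination reputation.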
Transition to Chip-Based Technology 
Thomas Duffy, Senior Vice President, Operations and Services, Center for Internet Security
In 2015, we will see more widespread use of chip-based technology for debit and credit cards in the United States. Per executive order by President Obama, federal agencies and executive departments must transition to chip-based technology for government payment cards, and federal facilities that accept payment cards must be equipped to handle chip and PIN-enabled cards.
Major card companies, along with some major retailers, have indicated their plans to finalize migration to the new technology in 2015. The implementation involves one of two standards: Chip and PIN, which requires a PIN to be entered by the card holder; and Chip and Signature, which only requires a signature of the card holder. The initial implementation includes the traditional magnetic stripe on the card so that entities that do not have the new chip-based terminals can continue to process transactions. These will likely be phased out over time.
The push toward this technology, which has been implemented in many other countries for several years, comes in the wake of major high-profile breaches and the need for new methods to enhance transaction security.
Card users will still need to remain vigilant in managing their accounts and monitoring for any anomalous activity.
Internet of Things – Wi-Fi Risks at Home
Spencer McClain, GCIA, Security Operations Analyst, Center for Internet Security
In 2015 we will be seeing more wirelessly connected devices than ever before, from laptops and smartphones, to refrigerators and slow cookers. Having an open home Wi-Fi network might make it easier to connect all of your devices, but it allows unauthorized users access to your private network.
You must enable security on your home router, including a password for anyone connecting to your wireless network. Below are the security modes typically offered for wireless routers:
Open:
An open Wi-Fi network does not require a password and allows anyone within range to connect. It is very simple for someone to connect to your network and intercept sensitive information, such as usernames and passwords for social media or bank accounts. These networks are common in public spaces like airports or coffee shops. This method should not be used for home wireless networks, and caution should be used whenever connecting to any open network.
WEP:
This stands for “Wired Equivalent Privacy.” This older security method was the standard in 1999 and has since become obsolete with the rapid advancements in computer processing power. All of the wireless traffic is encrypted with a single hexadecimal string known as a key. This key is generated by the router and is usually 10 or more characters. With just a basic laptop, an attacker can monitor the encrypted traffic and crack the key with freely available software. This option should only be used if no other option is available.
WPA/WPA2: (Recommended)
This stands for “Wi-Fi Protected Access” and has been available for home wireless networks for more than a decade. A significant feature of this method is user-generated passwords; however, it’s important that strong passwords are used. If not, an attacker who is within range of the network can try to log on with a list of the most common passwords. Another benefit of WPA/WPA2 is that each data packet is encrypted with a new key (vs. just one when using WEP), and therefore the attacker is no longer able to crack the encryption key by collecting many packets. WPA/WPA2 will be your best option for securing your home wireless network and all of your Internet-connected devices against the evolving threat landscape in 2015.
Increased Targeting of Individual Users
Stacey Wright, Security Operations Manager, Center for Internet Security
It’s been said that a photo is worth a thousand words and lasts a lifetime, but today a digital photo can be worth a lot more: a photo can tell criminals where you are, what kind of security you have, and how best to target you.
Cyber criminals can use malware to turn on your computer, tablet, and smartphone cameras and take pictures of you without your consent. They can also steal pictures stored on social networking websites, in email accounts, on private computers, smartphones or tablets, and use them against you. Criminals can use a picture of you on vacation to know that it’s a safe time to break into your house or as proof that they know you when they use your name in their scams. Criminals looking to target a building can use the background information in a picture to figure out security details. If a criminal wants to hack into your bank account, the picture of your brand new car tells them the answer to the security question that asks ‘what color is your car?’  There’s even a way to take a picture of a key and turn it into a real key that will open a door.
In 2015, expect to see more cyber criminals targeting single users. Since targeting motivations vary from financial gain to revenge or pure chance, anyone can become a victim. A few simple steps can help protect you, your family, and your company from cyber criminals who use pictures for malicious intent. Make sure your camera lens isn’t recording something you don’t want the world to see, cover the lens when it’s not in use, and think about what that picture tells people who see it. Does it give away the fact that your home is empty or does it show a sensitive document? Does that picture, along with other pictures give away too much information? Photos are often fun in the moment and a few simple security precautions can help keep them fun forever.
Risks When Traveling Abroad
Ben Spear, Intel Cyber Analyst, Center for Internet Security
Are you traveling abroad this year? You may want to leave your laptop and cell phone at home. Many foreign networks are less secure than those in the U.S. and there is a greater risk of malware infection. As we enter 2015, cyber criminals no longer seem interested in just the low-hanging fruit; they are engaged in targeting specific groups that meet a particular profile. Foreign travelers are at an increased risk solely by visiting an unfamiliar place, and the fact that they usually visit for a limited time decreases the likelihood that a criminal might be caught in the act. Throughout 2014 there were several security reports on criminal groups and state-sponsored actors targeting tourists or business travelers in hotels and other public locations. In 2015, expect the attempts by malicious actors to compromise travelers’ devices to grow. In order to protect yourself, try to get ahead of the bad guys when you travel. Do you really need to travel with an electronic device, and if so, what information is vital? Keep any devices you’re traveling with close; never leave them in a hotel room or out of sight. For more information and tips on how to protect yourself, see our CIS Security Primer: Securing SLTT Devices While Traveling Abroad.