Petya/ExPetr was Data Killer, Not Ransomware

By Michael Hall, Chief Information Security Officer

Data Killer Malware

The malware attack that started in Eastern Europe in late June and quickly spread around the globe looks like it was not a ransom attack at all, but an all-out effort to destroy data, according to a security company that examined the program’s code.

At first, it looked like the attack detected on June 27 was similar to the Petya ransomware that emerged in 2016. With that software, infected victims had to pay a ransom to the hackers to unlock their encrypted files.

Now it looks like the new software, dubbed Petya/ExPetr, cannot be decrypted at all: the “installation key” it displays to victims is random data that carries no information the attackers could use to recover a victim’s disk encryption key. That led the researchers at Kaspersky Lab to conclude that the main purpose of the attack was to wipe or destroy computer content, not to collect a ransom.

“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disks, even if a payment was made,” Kaspersky Lab said in a blog post.

“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”

The security firm called this a “worst-case” situation for victims because even if they pay the ransom they will not get their data back. The Kaspersky blog added, “this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.”

Matt Suiche, a researcher with another security firm, Comae Technologies, reached the same general conclusion. “This version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon,” Suiche wrote. “We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.”

Like the recent WannaCry malware, Petya/ExPetr used the EternalBlue exploit, created by the United States National Security Agency (NSA) and later stolen from it, to enter Windows computers that had not been updated with the patch that closes the hole (Microsoft bulletin MS17-010, released in March 2017). Unlike WannaCry, however, Petya/ExPetr did not stop at encrypting individual files: it overwrote the boot record and encrypted the file system’s master file table, leaving the whole disk unusable. It also had stronger worm capabilities. Besides the SMB exploit, it harvested credentials from memory on each infected machine and reused them with legitimate Windows administration tools (PsExec and WMIC) to run itself on other computers in the network. That is why it quickly reached networked machines once one unpatched computer was infected, including machines that had already been patched.

Three quarters of the victims of Petya/ExPetr were located in Ukraine, where the attack began. Targets included Ukraine’s central bank, its main international airport and the Chernobyl nuclear facility. From there, it spread to sixty-five countries around the globe, reaching businesses in the United States such as the multinational law firm DLA Piper, the Pennsylvania health care provider Heritage Valley Health Systems and the pharmaceutical company Merck.

Petya Prevention

There is no substitute for the basic defense against an attack like Petya/ExPetr: apply security patches promptly. The hole EternalBlue exploits had been patched three months before the outbreak; every machine the malware broke into over SMB was one that had not been updated.

All organizations should keep a clear and current list of all company devices and of devices that connect to company systems, such as employees’ personal devices that come in through services like VPNs. When security patches become available, the IT department must check off every device on that list, so that no possible entry point is left unprotected. A device that is on the list but has not reported in should be treated as unpatched, not as done.

Patching alone would not have stopped Petya/ExPetr once it was inside a network, because it also moved between machines using stolen administrator credentials. So, in addition to keeping up with operating system and application updates, disable the obsolete SMBv1 protocol wherever nothing depends on it, avoid using the same local administrator password on many machines, and limit which accounts are allowed to log on to other workstations. It remains important to use and maintain antivirus and anti-malware software, and to install updates to those programs whenever they become available.
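As an added illustration of the inventory check described above (example code written for this article, not DriveSavers’ tooling): the host names, inventory rows and patch report below are constructed, the only real identifier is the MS17-010 bulletin, and the seven-day staleness threshold is an assumption to tune. The point is that a device can fail the check in four ways besides plainly missing the patch, and a device that has stopped reporting is not “done”.

```python
"""Reconcile an asset inventory against a patch-management report.

Added example, not DriveSavers' tooling. The inventory rows, host names and
the patch report are constructed sample data; the only real identifier is
MS17-010, the Microsoft bulletin that closed the SMBv1 flaw EternalBlue abuses.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_BULLETIN = "MS17-010"    # must be present on every Windows host
STALE_AFTER = timedelta(days=7)   # assumption: a host silent this long is unknown, not safe

# Constructed inventory: every device the organisation believes it owns or admits.
INVENTORY = [
    {"host": "fin-ws-01", "os": "Windows 7", "owner": "finance"},
    {"host": "fin-ws-02", "os": "Windows 10", "owner": "finance"},
    {"host": "vpn-laptop-17", "os": "Windows 8.1", "owner": "sales (personal device via VPN)"},
    {"host": "legal-ws-03", "os": "Windows 7", "owner": "legal"},
]

# Constructed patch-management report: what the patch system last saw per host.
# (MS17-013 is a real March 2017 bulletin used here only as filler.)
PATCH_REPORT = [
    {"host": "fin-ws-01", "bulletins": ["MS17-010", "MS17-013"], "last_seen": "2017-06-27T08:00:00Z"},
    {"host": "fin-ws-02", "bulletins": ["MS17-013"], "last_seen": "2017-06-27T08:05:00Z"},
    {"host": "vpn-laptop-17", "bulletins": ["MS17-010"], "last_seen": "2017-05-01T12:00:00Z"},
    {"host": "lab-test-99", "bulletins": [], "last_seen": "2017-06-26T23:00:00Z"},
]


def parse_ts(ts):
    """Parse the report's UTC timestamps into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(inventory, report, now, required=REQUIRED_BULLETIN, stale_after=STALE_AFTER):
    """Return {host: status}, status being one of
    'patched', 'missing', 'not-reporting', 'stale' or 'unmanaged'.
    Anything other than 'patched' is a possible entry point."""
    seen = {row["host"]: row for row in report}
    status = {}
    for asset in inventory:
        row = seen.get(asset["host"])
        if row is None:
            status[asset["host"]] = "not-reporting"   # on the list, never checked in
        elif now - parse_ts(row["last_seen"]) > stale_after:
            status[asset["host"]] = "stale"           # e.g. a VPN laptop that dropped off
        elif required in row["bulletins"]:
            status[asset["host"]] = "patched"
        else:
            status[asset["host"]] = "missing"
    for host in seen:
        if host not in status:
            status[host] = "unmanaged"   # patch system knows it, the inventory does not
    return status


def open_entry_points(status):
    """Hosts that still need attention, sorted so the report is stable."""
    return sorted(h for h, s in status.items() if s != "patched")


if __name__ == "__main__":
    result = reconcile(INVENTORY, PATCH_REPORT, parse_ts("2017-06-28T09:00:00Z"))
    for host in sorted(result):
        print(f"{host:16} {result[host]}")
    print("to do:", open_entry_points(result))
```

Feed it the real inventory export and the patch system’s report and the “to do” list is the check-off list the paragraph above asks for; the unmanaged and not-reporting entries are the ones an inventory-only review would never surface.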

Ransomware Takes a New Turn—How WannaCry was Different

By Michael Hall, Chief Information Security Officer

Bullet hole, loophole data

Last month, the ransomware known as WannaCry spread through the world at an astonishing rate, attacking hundreds of thousands of computers literally overnight and holding their data for ransom.

In 2016, ransomware cost its victims approximately $1 billion. That’s $1 billion for all victims of all ransomware programs over the entirety of 2016.

WannaCry cost victims that same amount in only twenty-four hours.

So how did it spread so quickly and do so much damage in only one night?

Weakness—Computer or User?

Previously, malware had to be downloaded to a target computer and executed, or set loose, by someone actively using that computer. Once running, this malware encrypted important files so that they could only be unlocked with a decryption key held by the hackers who control the malware. That key could generally be obtained by paying a ransom, hence the term ransomware.

Why would anyone download ransomware to their own computer? They wouldn’t, knowingly. Malware has historically been delivered through innocent-looking emails or links. It might even look like a message sent by someone the user knows. This is known as phishing, and it continues to be a growing problem.

Once the victim clicked on the bait link, the attack happened automatically and access to their data became blocked—just like somebody had slapped combination locks on their files and then demanded payment for the combination!

The WannaCry ransomware that disrupted businesses around the world last month, however, did not depend on phishing. Instead, its authors used a more direct route into machines that bypassed users altogether.

The criminals responsible for WannaCry used a stolen exploit known as EternalBlue, developed by the United States National Security Agency (NSA) for its own intelligence operations and leaked online by a group calling itself the Shadow Brokers. An exploit is a program designed to take advantage of a flaw (a vulnerability) in commonly used software or operating systems. When the exploit relies on a flaw that the software’s vendor does not yet know about, it is called a zero-day exploit: the vendor has had zero days to fix it, so no patch exists to protect against it.

Zero days are valuable for espionage because they can be used to enter systems that are otherwise fully patched, without detection. As WannaCry made abundantly clear, such exploits are just as valuable for theft, ransomware and other criminal activity. EternalBlue targets a flaw in the SMBv1 file-sharing service built into Windows. By the time it was published online in April 2017 it was no longer a zero day: Microsoft had already released a fix (bulletin MS17-010) in March 2017. Less than a month after the leak, WannaCry used EternalBlue to enter every reachable Windows computer that had not yet installed that fix and launch its attack.

Only Windows computers are vulnerable to WannaCry. The MS17-010 patch is available for every supported version of Windows, and Windows 10 machines that install updates automatically already have it; users of older versions must make sure the March 2017 update is installed. Windows XP and other unsupported versions are especially exposed. Microsoft took the unusual step of releasing an emergency fix for them in May 2017, but the only durable protection is to upgrade to a supported version of the operating system.

Don’t Let Your Guard Down

The Microsoft patch doesn’t mean the end to this type of malware access. Criminals continue to use similar technology and security vulnerabilities to take control of users’ systems for a variety of malicious purposes. In fact, the sale of exploits is a thriving trade in the criminal world.

As always, it is critical that all computer users—not just Microsoft users—check for new patches for their systems and update to the latest software and operating system versions on a regular basis. You can be certain that more zero day exploits like EternalBlue will be used for criminal endeavors like WannaCry ransomware in the near future.

Professional Ransomware Data Recovery

If you have been infected by WannaCry or any other type of ransomware, there is hope! Call DriveSavers at 800.440.1904 to find out more.

Digital Forensic Process—Preservation / Collection

By John Ahearne, Forensic Analyst

This article is part of a series that delves into each step of the digital forensic process. If you missed the previous articles, the introduction and the Identification step, read them first.

Handling Digital Evidence

Handling of evidence is the most important aspect in digital forensics. It is imperative that nothing be done that may alter digital evidence. This is known as preservation: the isolation and protection of digital evidence exactly as found without alteration so that it can later be analyzed.

Collection is the gathering of devices and the duplication of electronically stored information (ESI) so that an exact copy of the original is preserved and the original remains untouched while the forensic work is done. Here at DriveSavers, we never work on the original. Historically, collection literally meant pulling the plug on a computer and sending it to a forensic team. Depending on the situation, that is no longer acceptable; in some cases it is a sure way to lose valuable evidence. In other cases you do need to turn the device off, or isolate it from the network in a way that does not alter the evidence, as with some smartphones: a remote wipe command can erase everything on the device. Careful consideration of the situation is necessary.

Dead box collection (imaging a device after it is powered off) remains an essential part of the digital forensic process. With today’s technology it is increasingly important to perform a live collection (collecting data from a running device before it is shut down) as well. If the device is encrypted and you do not have the passcode or encryption key, its data is readable only while the device is unlocked; once it powers off or locks due to inactivity, you may never have another chance to acquire that evidence.

Relevant data can also be permanently lost through continued use of a device, such as when an employee leaves a company and their computer is reassigned and kept in use. When a summons arrives six months later, it is too late to realize that the old computer should have been preserved. Preserving a former employee’s electronic devices, especially those of C-level staff, is not itself a forensic requirement, but it is sound business practice. I know it is tempting to log onto a former employee’s device and see what they did, but Stop! The data must be preserved for collection if it is to be considered for litigation. Time and date stamps will change, system log files will rotate and valuable information can be lost.

A copy of digital evidence must be properly preserved and collected in accordance with forensic best practices. Otherwise, the digital evidence may be inadmissible in court or spoliation sanctions may be imposed. This might be a good time to go back and review the Identification process.

A proper forensic image is a sector-by-sector copy of the entire medium. It captures the operating system (OS) and user-generated data, and also the unallocated space where deleted data may still reside. There will be times when collecting the OS or deleted data is not possible because of time constraints, business operations or court-order restrictions, and a focused or targeted collection of ESI is required instead. If deleted data is suspected, a sector-by-sector copy of the entire computer is necessary and can be time consuming. If you have minutes rather than hours, 90% of relevant evidence can be acquired by collecting user-generated data only; don’t forget the recycle bin.
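One way to carry out and document the “exact copy” requirement described above, as an added Python example rather than DriveSavers’ own procedure: the sample disk contents, file names and 512-byte sector size are constructed, and hashlib’s SHA-256 stands in for the hash an imaging tool would compute. The same hashing serves the targeted collection of user files mentioned at the end of the paragraph, where each file is hashed as it is copied.

```python
"""Verify that a forensic image is an exact copy of its source.

Added example, not DriveSavers' own procedure or tooling. The "device" below is
a constructed byte string standing in for a disk; in practice the source is read
through a write blocker, and the hashes go into the collection record so that
anyone can re-verify the image later.
"""
import hashlib

SECTOR = 512


def sha256_sectors(data, sector=SECTOR):
    """Hash the medium sector by sector, the way an imaging tool reads it."""
    h = hashlib.sha256()
    for off in range(0, len(data), sector):
        h.update(data[off:off + sector])
    return h.hexdigest()


def make_image(source_device):
    """Sector-by-sector copy. A full image carries the OS, user data and the
    unallocated space where deleted files may still reside."""
    return bytes(source_device)


def verify_image(source_device, image):
    """Return (ok, source_hash, image_hash). On a mismatch the copy is not
    evidence; re-image the original rather than 'fixing' the copy."""
    src, img = sha256_sectors(source_device), sha256_sectors(image)
    return src == img, src, img


def targeted_manifest(files):
    """For a targeted (user-data only) collection: hash each file as it is
    copied so the manifest can later prove what was collected and that it is
    unchanged."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in files.items()}


# Constructed sample medium: a boot sector, a live file, and a 'deleted' file
# whose bytes still sit in unallocated space. Three sectors in all.
SAMPLE_DEVICE = (
    b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * (SECTOR - 13) + b"\x55\xaa"
    + b"quarterly report draft\n".ljust(SECTOR, b"\x00")
    + b"[deleted] resignation letter\n".ljust(SECTOR, b"\x00")
)

if __name__ == "__main__":
    image = make_image(SAMPLE_DEVICE)
    ok, src, img = verify_image(SAMPLE_DEVICE, image)
    print("image verifies:", ok, src)
    # A copy that was 'just looked at' while mounted read-write: one byte changed.
    touched = bytearray(image)
    touched[SECTOR + 5] ^= 0x01
    print("touched copy verifies:", verify_image(SAMPLE_DEVICE, bytes(touched))[0])
    print(targeted_manifest({"report.txt": b"quarterly report draft\n"}))
```

The hash of the original is taken before imaging and the image is hashed after; both values, with the time and the examiner’s name, belong in the collection record so that the comparison can be repeated by anyone, including the opposing party.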

Critical Business Operations

Business servers used in a production environment will be providing critical employee functions or providing a service to its customers. Unplugging one of these could cost a corporation millions in lost revenue and productivity. In this situation, the device cannot be powered down, and collection of relevant data must occur while the system is active. After-hours, weekends or scheduled down times are options for collection of a business server. It is important to consult with experts such as DriveSavers that will work with the company’s IT department to ensure that business operations are not adversely affected by the collection of server drives or data.

More and more companies are moving critical functions to the cloud or to a hybrid of on-premises servers and the cloud. DriveSavers can control collection costs by acquiring evidence remotely and securely from our protected environment.

A court order may direct its defendants/plaintiffs to provide data from a particular employee or employees and no others, not to mention privileged communication or personal information that will have to be redacted. Again, it is important to consult with an expert such as DriveSavers that can act as a neutral third party and understands the importance of relevant, privileged and regulated data. Please stay tuned for future articles in Analysis and Presentation for more information.

Encrypted Data

Data at rest will not be accessible on an encrypted device or inside encrypted partitions after it powers off or locks if the following is unknown:

  • User names
  • Passwords and passcodes
  • Encryption keys

This becomes an issue both for personal devices like laptops and smartphones and for small companies without a dedicated IT team that manages a master encryption key for company-owned devices. It is important to note that most current smartphones and many laptops are encrypted by default. Nearly all smartphones have a lock screen, and increasingly complex passcodes and encryption schemes make them very difficult to bypass.

If the device is unlocked and you are unsure of the passcode, and you have the authority to do so, please disable the passcode or change/simplify it to something that can be remembered. If you have a company device, please check with your IT department for admin accounts and/or master keys. It is a good idea to place a device in airplane mode and/or remove the SIM card, if it is to be considered for collection. Please document every step taken to secure a device for collection: the time, date, location and changes that were made.

If the device is not encrypted, user account passwords are not required: the storage can be imaged and read directly.

Inaccessible Devices

If a device is locked or physically damaged to the point that it is not possible to access the ESI, give DriveSavers a call. DriveSavers engineers in our Certified ISO Class 5 Cleanroom have had tremendous success in recovering wet/corroded, fire damaged, physically damaged (crushed, cracked screen, etc.), mechanically and electronically failed devices. Please have the passcodes/passwords readily available because sometimes the window of opportunity to access a severely damaged device is a short one-time opportunity.

If a device is locked and its passcode is unknown, please give DriveSavers a call. We may be able to help.

Locations of Electronic Evidence

Examples of devices that may need to be collected for digital evidence:

  • Smartphones
  • Tablets
  • Laptops
  • Desktops
  • External hard drives
  • Flash/Thumb drives
  • Camera cards
  • Backup Tapes
  • Servers & RAIDs
  • DVRs & Surveillance systems
  • MP3 players
  • GPS devices
  • Game stations (Xbox, PlayStation, etc.)

Never underestimate the importance of an electronic device. We have even analyzed voice recorders and automatic electronic defibrillators (AED)! Internet of things (IoT) devices and automobiles are also a source of ESI (how many times has your smartphone synced with your car?).

Preparing Devices for Data Collection

There are many different scenarios. Every possible situation has to be thought out carefully. DriveSavers specialists are available by phone 24/7 by calling 800.440.1904.

If the device is already powered down, do not turn it on. Follow these steps for forensically sound data collection:

  1. Determine if the device is on or off:
    • Look for lights
    • Listen for sounds
    • Feel for vibrations, haptic feedback and heat
    • A smartphone, tablet or laptop may be in sleep mode and appear to be off
    • If the device is a laptop or desktop, wiggle the mouse, but do not click any buttons
    • Is the smartphone or tablet’s screen greasy or dirty? Look for swipe patterns
    • Press the Home button or swipe the screen
  2. If the device is on, ask these questions and document the answers:
    • Is the device locked?
    • Is the user interface accessible?
    • Is the device encrypted? Do you know the passcode?
    • Is the battery charged?
  3. If a smartphone, tablet or laptop is on, activate airplane mode
  4. Record device model numbers, serial numbers and passcodes
  5. Take pictures
  6. Start a chain of custody document; DriveSavers will send you one
  7. If a device must be shut down in order to preserve ESI (such as a computer), first capture anything that will be lost at power-off (an unlocked encrypted volume, for example), then shut the device down properly using the “shut down” command
  8. If you suspect destructive software (formatting, deleting, removing or altering data) is running, turn off the device immediately; pull the plug!
  9. Check for any removable media
    • CD/DVD trays
    • SD card slots
    • Flash drives
    • Sticky notes

Once a device is turned off, it can be delivered to a lab like DriveSavers for acquisition and/or analysis. Package all components, clearly labeling all devices, preferably in anti-static bags:

  1. Label the bags or boxes containing devices
  2. Package the device (anti-static bag whenever possible) tightly and securely in a box or evidence bag with at least two inches of bubble wrap
    • A local FedEx office can help you package the device
    • DriveSavers has several drop off locations in major cities; assistance with packaging is available here
  3. Keep all media away from magnets, moisture, extreme temperature and other potentially damaging elements
  4. Do not place evidence in the trunk of a vehicle, especially overnight

Sometimes due to business requirements, company policy or geographic location, it may not be feasible to send devices to a forensic lab or it may be financially prohibitive to shut down a corporate system. In the case of malware or network intrusions, valuable information may be lost if an electronic device is shut down. In this situation, an Incident Response Team must be onsite in a timely manner.

In any situation, DriveSavers can work with company IT staff, legal departments and opposing parties to preserve data for collection in a manner that is both defensible and repeatable according to forensics best practices.

Stay tuned for your lesson in analysis!

May 23, 2017: A Primer on Current Android Device Forensics (Enfuse)

Enfuse Conference 2017

Rene Novoa, DriveSavers Sr. Manager of eDiscovery and Digital Forensics, will be joining Ronen Engler, Cellebrite Sr. Manager of Technology and Innovation, to speak at the Enfuse Conference in Las Vegas.

Title: A Primer on Current Android Device Forensics
Date/Time: Tuesday, May 23, 2017 11:00AM – 12:00PM
Location: Caesars Palace, Las Vegas, NV

With Android devices comprising a majority of the smartphone market, it is critical to stay advised of the current state of Android device forensics. This session will cover current extraction technology, potential additional sources of data to supplement extraction limitations, encryption issues and challenges facing mobile device examiners specific to Android devices. Topics covered will be an Android workflow starting with pre-seizure all the way through to an advanced analysis overview. Participants will be provided with a current breakdown of options for devices running the most recent version of Android, including obtaining a physical extraction, bypassing locked devices, and identifying and handling device encryption to obtain the most data possible.

Click here to learn more or to register to attend.

Digital Forensics Process—Identification

By Rene Novoa, Senior Manager of eDiscovery and Digital Forensics

Forensic Process: Identification

This article is part of a series that delves into each step of the digital forensic process. If you missed the introduction to the series, which provides a synopsis of the process as a whole, read it first.

Identification is an extremely important first step in the forensic examination process. It directly impacts efforts to develop a plan of action and ultimately the success of the project. It also allows the customer to control cost.


Before any digital forensic examination begins, the scope of actions must be identified. Who are the key players and custodians? What are the best sources of potential electronic evidence that will need to be accessed for collection? This information is needed for many reasons, including:

  1. So that no essential evidence that might affect the case is missed
  2. So that costs can be estimated in advance and the scope of the case adjusted to fit actual needs
  3. So that sources of evidence identified later have a smaller impact on cost


Conducting interviews is a very important early step in a successful digital forensic examination. When determining relevant devices from which to collect data for a case, these individuals must be interviewed at a minimum:

  1. Custodians
  2. Site administrators
  3. Users—when available


Look at the range of variables and determine what factors are at play in the case, including:

  1. To what extent does legal authority exist to make a search?
  2. Is there an administrator who can identify devices and custodians?
  3. How many and what type of devices may be involved?
  4. Are any peripheral devices involved, such as flash drives, printers, scanners or memory cards?
  5. What types of electronically stored information (ESI) are potentially involved? It could be photographs, documents, spreadsheets, emails, text messages, databases and many other types of ESI.
  6. How was ESI communicated and who was communicating? We may be looking for email addresses, text numbers, IP addresses and other similar information.
  7. Has information been stored in an offsite location? On backup media? In the cloud? In remote locations?
  8. Are there devices involved that have potential remote login capabilities?
  9. What different operating systems may be involved?
  10. Do any devices require continuous electric power to operate?
  11. Other variables?

Record what the identification step establishes, including:

  • Interviews, including:
    • Names and titles of interviewees
    • The number and types of primary and peripheral devices to be included in the collection and search
  • Any locations from which peripheral devices may have been removed or where they were found
  • Whether or not any kind of network is present
  • File types involved
  • Any off-site storage that is used
  • What different types of software are present, including any proprietary software

Revise if Necessary

If it is determined that additional electronic evidence (not included in the original plan) needs to be gathered, it’s important to determine if there is a need for a legal warrant, amended consent form or any other changes to the original scope of work.

Measure Twice, Cut Once

Digital evidence needs to be thoroughly assessed with respect to the scope of the case. The scope of a forensic examination cannot include “everything.” At least, not unless there is unlimited time and budget involved.

It is important to spend time at the very beginning to more accurately determine the true scope of the examination, narrow down what digital evidence is needed for a case and where to find it. Otherwise, costs will grow and grow as the investigation moves forward, as will the amount of time required for the investigation.

Taking the extra time and attention to accurately determine necessary devices and custodians prior to proceeding with the next steps in the forensic process will dramatically impact the investigation as a whole and, therefore the outcome of the case.

Click for your lesson in preservation and collection!

Digital Forensic Process—Introduction

By Rene Novoa, Senior Manager of eDiscovery and Digital Forensics

DriveSavers Digital Forensic Process

More and more aspects of our daily lives are being monitored, tracked and recorded by electronic devices.

Today, computers, smartphones and tablets can be found in almost every home and have already become obvious sources of electronically stored information (ESI) useful in both criminal and civil cases. Email, texts, documents, pictures and more wait on each of these devices to tell their stories.

Every day, more electronic devices are being added to this list. Fitness trackers, smartwatches, thermostats, video doorbells, children’s toys, air quality monitors and just about anything else you can imagine are now being used to automate, secure and entertain.

We have already seen fitness trackers used in workplace injury cases, Wi-Fi-enabled children’s toys in child custody cases and Amazon’s Echo used in a murder case. ESI from these various data recording systems has unlimited potential as electronic evidence.

The danger is that ESI is extremely fragile and can easily be tampered with, modified or lost entirely. Any of these scenarios can occur and has occurred both with and without intention. Following an established protocol that finds and protects digital evidence is essential for successful admissibility of that evidence.

This is the introduction of a five-part series focusing on proper process for digital forensics. These articles will:

  • Define each step along the digital forensic path
  • Explain responsibilities for a digital forensic expert
  • Explain what actions your agency, firm or company can take with each step in mind to ensure the best outcome for your case, while also minimizing cost and time

Here are the steps of the digital forensic process that we will be explaining in detail in coming articles:

  1. Identification
  2. Preservation / Collection
  3. Analysis
  4. Presentation
  5. Returning evidence

Click for your lesson in Identification!

March 15–18: ABA TECHSHOW Conference and Expo Booth #917

Chicago, IL • March 15–18 • Booth #917

The ABA TECHSHOW Conference and Expo is where lawyers, legal professionals and technology all come together. For three days, attendees learn about the most useful and practical technologies available. The variety of CLE programming offered provides a great deal of education in just a short amount of time.

DriveSavers will be exhibiting at booth #917. Stop by to talk with Rene, senior manager of eDiscovery and digital forensics.

Learn more about the ABA TECHSHOW or register to attend this conference.

Warning: Internet of Things Holds Hidden Dangers

By Rene Novoa, Senior Manager of eDiscovery and Digital Forensics

Internet of Things (IoT)

Law enforcement and civil litigators now have another source of evidence—searching for clues and ESI in the Internet of Things (IoT) universe where “always-on” smart devices may collect and store evidence of criminal behavior or civil liability.

Police are investigating an Arkansas murder where clues to the crime may have been stored on the victim’s Amazon Echo, a free-standing personal assistant device that responds to verbal commands for information.

The victim was found in a hot tub and police say that another smart device, a water meter, could also hold clues to what happened at the crime scene.

Staying One Step Ahead

DriveSavers is one step ahead of the IoT curve. Our engineering team has done extensive research on how smart devices collect and store data. More importantly, we are developing the best techniques for data recovery and forensic investigation of a wide range of IoT devices.

Based on cases such as the U.S. Supreme Court’s opinion in Riley v. California, information held on smart devices is likely protected by the owner’s right to privacy. In the Arkansas case, Amazon rejected police requests for data the Echo may have collected, stating:

Amazon will not release customer information without a properly served and valid warrant or subpoena. Amazon objects to over-broad or otherwise inappropriate demands as a matter of course.

The Echo, which you address as Alexa, doesn’t store each voice request permanently on the device itself, but it sends a copy of each inquiry to the user’s mobile phone or tablet, according to our research.

Just the Start

In addition to being a legitimate target for legal discovery, the IoT is an expanding frontier where your personal data may be inadequately protected and susceptible to theft.

A compromised smart device on your home network, whether a garage door opener, a refrigerator or a virtual helper like the Amazon Echo or Google Assistant, can give an attacker a foothold from which to reach the computers and phones that hold your bank and other accounts.

Hackers can take control of large networks of IoT devices and use them to make debilitating Distributed Denial of Service (DDoS) attacks on commercial websites.

Last fall, Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix were among the websites disrupted by DDoS attacks that used commandeered smart devices (DVRs, remote-controlled cameras and even garage door openers) to overload the sites’ DNS provider with massive numbers of requests.

Personal Assistants, Personal Problems

Many smartphone users are already familiar with Apple’s Siri and Google’s Assistant, which, like Alexa on the Amazon Echo, are programs that answer spoken questions. Data collected by these devices and others is not always encrypted, in transit or at rest, making it a potential target for high-tech thieves.

Devices that are connected to the Internet can also lead hackers, law enforcement and civil litigators to other devices with even more sensitive, valuable and private information like bank accounts, credit cards and virtually anything else of value that’s in a digital format.

What You Can Do

Technology is an everyday part of life today and is necessary in school, career and at home. It’s important for you, your family and your employees to be familiar with how to use current devices as modes of communication.

Here are three ways to be safer when using electronic gadgets.

  1. Understand Your Devices

You should know the answers to these questions:

  • Does the device have a camera?
  • Can it transmit or receive pictures?
  • Does it have a phone book or contact list?
  • Can it download apps? What do the apps have access to (photos, contacts, etc.)?
  • Can you communicate with other people through the device?
  • Does the device post to the web?
  • Does the device have a dashboard? If so, is the dashboard part of the installed software or is it online?
  • What kind of information can be shared with other people online?
  2. Keep Up with Device Updates

Updates often include new security protocols and patches for security loopholes. Stay on top of these.

  3. Add Wi-Fi Security

Make sure your home Wi-Fi uses WPA2 with a strong passphrase, change the router’s default administrator password, and keep the router’s firmware updated, so that outsiders cannot easily get onto the network your devices share.

For more cybersecurity safety tips, check out 6 Ways to Protect Yourself from Hackers.

Cybercrime Forecast: Upswing in 2017

By Michael Hall, Chief Information Security Officer

Computer security threats aren’t going away this year. They’re going to get worse.

And, they’re likely to create bigger and nastier problems for big and small companies alike as hackers create new pathways into even highly secure environments.

Google the term “security threat” for 2017 and you’ll get millions of hits with lists of threats expected to occur during this year.

Ransomware is Growing

Extortion is getting worse. You can expect more and better targeting of businesses through ransomware schemes that will demand higher extortion fees to unlock important data.

If that wasn’t bad enough, the hackers’ weapons keep improving.

There are many “off the shelf” programs that high-tech thieves can use to target your data. Once a solution is found to defeat one ransomware program, the bad guys can just buy a slightly different tool (created by a specialist) and continue to attack unprotected targets.

Trickle-down Effect

As big companies increase security protections, expect some hackers to shift their focus to midsize and smaller companies, which are easier targets because they do not have the cybersecurity expertise or budgets of their larger counterparts.

More Sophisticated Thievery

Steve Durbin, managing director of the Information Security Forum (ISF), told CIO magazine that we can expect bigger and more sophisticated attacks as the criminal enterprises mature.

“I originally described them as entrepreneurial businesses, startups,” Durbin said. “What we’re seeing is a whole maturing of that space. They’ve moved from the garage to office blocks with corporate infrastructure. They’ve become incredibly good at doing things that we’re bad at: collaborating, sharing, working with partners to plug gaps in their service.”

DDoS Attacks on the Upswing

Distributed Denial of Service (DDoS) attacks will also ramp up this year.

These criminal acts are designed to overwhelm a company’s website and shut it down by sending massive requests for information from armies of compromised Internet-connected devices. By co-opting growing numbers of these machines—like garage door openers, security cameras and other tools that are part of the Internet of Things (IoT)—hackers can knock a company’s website offline through the sheer volume of requests.

A huge DDoS attack last fall took down a company that provides Domain Name System (DNS) service for several major U.S. businesses, thereby taking down the websites of those businesses. Expect more events like this.
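To make the mechanism concrete, here is an added example (not DriveSavers’ tooling) of the detection side: it reads web-server access-log lines in the common combined format and flags both a single loud client and the pattern described above and in the earlier Internet of Things piece, many sources each sending only a little. The log lines are constructed, and the ten-second window and the thresholds are assumptions to be tuned per site.

```python
"""Spot a request flood in web-server access logs.

Added example, not DriveSavers' tooling. The log lines are constructed in the
common Apache/nginx 'combined' layout; window size and thresholds are
assumptions a site would tune against its own normal traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """One combined-format line -> dict, or None for lines that do not parse."""
    m = LINE.match(line)
    if not m:
        return None   # skip garbage rather than let one bad line stop detection
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def detect_floods(lines, window=timedelta(seconds=10), per_ip_limit=20,
                  total_limit=100, min_sources=25):
    """Bucket requests into fixed windows and report two kinds of finding:
    - 'single-source': one client above per_ip_limit in a window;
    - 'distributed': total above total_limit from at least min_sources clients,
      none of which individually exceeds per_ip_limit (the botnet shape)."""
    w = int(window.total_seconds())
    buckets = defaultdict(Counter)
    for e in filter(None, map(parse, lines)):
        buckets[int(e["ts"].timestamp()) // w * w][e["ip"]] += 1
    findings = []
    for start in sorted(buckets):
        hits = buckets[start]
        when = datetime.fromtimestamp(start, timezone.utc).isoformat()
        for ip, n in hits.items():
            if n > per_ip_limit:
                findings.append({"kind": "single-source", "window": when, "ip": ip, "requests": n})
        total = sum(hits.values())
        if total > total_limit and len(hits) >= min_sources and max(hits.values()) <= per_ip_limit:
            findings.append({"kind": "distributed", "window": when,
                             "sources": len(hits), "requests": total})
    return findings


def make_sample_lines():
    """Constructed log: light normal traffic, a 40-source burst, one loud client."""
    def line(ip, t, path="/"):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    base = datetime(2016, 10, 21, 11, 0, 0, tzinfo=timezone.utc)
    lines = [line(f"198.51.100.{i + 1}", base + timedelta(seconds=i)) for i in range(5)]
    for s in range(40):                       # 40 sources x 4 requests in 11:00:20-29
        for k in range(4):
            lines.append(line(f"203.0.113.{s + 1}", base + timedelta(seconds=20 + (s + k) % 10), "/login"))
    for k in range(30):                       # one client, 30 requests in 11:00:40-49
        lines.append(line("192.0.2.7", base + timedelta(seconds=40 + k % 10), "/search?q=" + "a" * 40))
    lines.append("this is not a log line")
    return lines


if __name__ == "__main__":
    for f in detect_floods(make_sample_lines()):
        print(f)
```

Per-source rate limits alone would miss the second pattern, which is exactly why IoT botnets are effective: each camera or DVR looks like an ordinary client, and only the aggregate across a window reveals the attack.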

Third-party Entry

Expect more attacks using third-party vendors. Even companies with excellent protection sometimes don’t account for the threat of a hacker who compromises the security of an outside maintenance provider with access to the company’s system. It’s much easier to get inside a company’s computer system if you can hitch a ride with someone who’s already got access, like a vendor or partner.

Security Skills Shortage

The IT worker shortage is real and could be getting worse in the cybersecurity area. According to a report from Cisco, there may be 1 million unfilled cybersecurity jobs around the world, including 200,000 in the United States.

The challenge now is to figure out how to get students interested in this area and train them.