BayPay Forum


Yahoo Breach Alert: 1 Billion Accounts at Risk

Details
Category: Security News

Breach Notification , Breach Preparedness , Breach Response

2013 Breach Appears Separate from Another Breach Involving 500 Million Users

Mathew J. Schwartz (euroinfosec) • December 15, 2016

[Image: Yahoo's corporate headquarters in Sunnyvale, Calif.]

Yahoo has the dubious distinction of having not just one but two record-shattering historical data breaches come to light in the same year.

Yahoo on Dec. 14 warned that it's found a breach that appears to date from 2013, which put the data of 1 billion users at risk.

"We believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts," Yahoo CISO Bob Lord says in a security alert to customers. "We have not been able to identify the intrusion associated with this theft."

Information that was potentially stolen includes names, email addresses, telephone numbers, dates of birth, passwords hashed using the outdated MD5 algorithm as well as encrypted or unencrypted security questions and answers. Yahoo says no payment card data or banking information was stored in the affected system, and thus it does not believe any such data was compromised.
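The security-relevant detail in that list is the hashing algorithm. An unsalted MD5 table lets an attacker test one candidate password against every leaked account with a single hash computation, so a billion-row dump is cracked almost as fast as a hundred-row one. The following is an added example, not code from the article or from Yahoo: it runs a small dictionary attack over a constructed MD5 table, then repeats it against the same passwords stored with a per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256). The accounts, passwords, wordlist and iteration count are all constructed for the demo.

```python
"""Added example, not code from the article or from Yahoo: a dictionary attack
against the kind of unsalted MD5 password table described above, beside the
same attack against a salted, iterated KDF (PBKDF2-HMAC-SHA256).

Every account, password and wordlist entry here is constructed for the demo.
"""
import hashlib
import hmac
import os

# Constructed "leaked" table: unsalted MD5 of each password, as a 2013-era
# site might have stored it.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"xK9#vQ2!mL7p").hexdigest(),  # not in the wordlist
}

# Constructed wordlist. Real cracking lists run to hundreds of millions of entries.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "yahoo2013"]

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations; the
# demo uses a much smaller count so it finishes in well under a second.
DEMO_ITERATIONS = 20_000


def crack_unsalted_md5(leaked, wordlist):
    """Dictionary attack on unsalted MD5.

    With no salt, one hash per candidate word is checked against every leaked
    account at once: len(wordlist) MD5 operations regardless of how many users
    were dumped. This is exactly what makes precomputed tables work.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def pbkdf2_store(password, iterations=DEMO_ITERATIONS):
    """Hash a password for storage: random 16-byte salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk, iterations


def pbkdf2_verify(password, record):
    """Constant-time check of a candidate password against a stored record."""
    salt, dk, iterations = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)


def crack_pbkdf2(store, wordlist):
    """Same dictionary attack against the salted store.

    The salt forces one derivation per (account, word) pair, and each
    derivation costs `iterations` HMAC calls instead of one MD5 block.
    Weak passwords still fall; what changes is that the attacker's work now
    scales with the number of accounts and with the iteration count.
    """
    found = {}
    for user, rec in store.items():
        for w in wordlist:
            if pbkdf2_verify(w, rec):
                found[user] = w
                break
    return found


def attack_cost(n_accounts, n_words, iterations):
    """Primitive-operation counts for the two attacks (MD5 blocks vs HMAC calls)."""
    return {"unsalted_md5": n_words, "salted_pbkdf2": n_accounts * n_words * iterations}


if __name__ == "__main__":
    print("MD5 cracked:   ", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    store = {"alice@example.com": pbkdf2_store("password1"),
             "carol@example.com": pbkdf2_store("xK9#vQ2!mL7p")}
    print("PBKDF2 cracked:", crack_pbkdf2(store, WORDLIST))
    print("cost, 1e9 accounts x 1e8 words:", attack_cost(10**9, 10**8, DEMO_ITERATIONS))
```

The honest caveat is visible in the second run: "password1" is recovered either way. Salting and iteration do not rescue a weak password, they remove the attacker's ability to amortise one guess across a billion accounts, which is the difference between a dump that is fully cracked in hours and one where only the weakest passwords fall.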

Yahoo is notifying all potentially affected customers and says that it's invalidated all security questions.

The search giant believes the breach is separate from the incident that it confirmed on Sept. 22, which involved the theft of more than 500 million accounts in late 2014 (see Massive Yahoo Data Breach Shatters Records). In a recent Securities and Exchange Commission filing, Yahoo said that it detected that an attacker was inside its network in 2014, but failed to spot the data exfiltration.

The White House says the FBI is now investigating both Yahoo breaches.

In September, Lord said Yahoo believed that 2014 attack was perpetrated by "a state-sponsored actor." But security firm InfoArmor has suggested that a cybercrime gang without nation-state ties might have been behind the attack (see: Yahoo Breach Conspiracy Theories: Don't Believe the Hype).

In the latest breach alert, Yahoo says that it first learned of the 2013 intrusion from U.S. law enforcement, which shared information that an unnamed third party claimed involved Yahoo data.

"We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data," Lord says.

Yahoo declined to specify which law enforcement agency shared the set of stolen data. "We're not sharing detail with regards to methods and sources associated with our investigation," a spokesman tells ISMG. "We continue to work closely with law enforcement."

Cookie-Forging Attacks

Yahoo says that it's continued to investigate attacks involving forged cookies. Cookies are small pieces of data that websites store on a user's device to track users and, often, to free them from having to log into a site every time they return.

But attackers appear to have reverse-engineered Yahoo's cookies, enabling them "to access users' accounts without a password," Lord says. "The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on Sept. 22, 2016."
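What "forging a cookie" means in practice, and why Yahoo's remedy was to invalidate cookies rather than reset passwords, is easier to see in code. The following is an added example, not Yahoo's code and not a description of Yahoo's actual cookie format: a minimal HMAC-signed session cookie, the cookie an attacker can mint once the signing secret is in hand, and the two server-side controls (key rotation and per-user revocation) that reject it afterwards. The key ids, secrets, user ids and clock values are constructed for the demo.

```python
"""Added example, not Yahoo's code: a minimal HMAC-signed session cookie, what
an attacker who has obtained the signing secret can mint with it, and how key
rotation and per-user revocation invalidate such cookies.

The cookie layout, key ids, secrets and user ids are all constructed for the
demo; nothing here describes Yahoo's real format.
"""
import base64
import hashlib
import hmac
import json


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(uid, kid, keys, now, ttl=86400):
    """Build `<base64 payload>.<base64 HMAC-SHA256>`.

    Anyone holding keys[kid] can call this for any uid: that is all forging
    takes once the signing material has leaked, and no password is involved.
    """
    payload = {"uid": uid, "kid": kid, "iat": now, "exp": now + ttl}
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(keys[kid], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_cookie(cookie, keys, revoked_before, now):
    """Return the uid for a valid cookie, else None.

    keys:           kid -> secret the server still accepts. Rotating a
                    compromised kid out of this dict rejects every cookie it
                    signed, genuine or forged.
    revoked_before: uid -> timestamp; cookies issued before it are rejected,
                    which is how "invalidate this user's sessions" works
                    without touching the signing key.
    """
    try:
        body, sig_text = cookie.split(".")
        sig = _b64d(sig_text)
        payload = json.loads(_b64d(body))
        key = keys[payload["kid"]]
        uid, iat, exp = payload["uid"], int(payload["iat"]), int(payload["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if exp <= now or iat < revoked_before.get(uid, 0):
        return None
    return uid


def tamper_uid(cookie, new_uid):
    """Attacker WITHOUT the key: rewrite the payload but keep the old signature."""
    body, sig_text = cookie.split(".")
    payload = json.loads(_b64d(body))
    payload["uid"] = new_uid
    new_body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{new_body}.{sig_text}"


def demo():
    now = 1_481_673_600  # constructed clock value (2016-12-14 00:00 UTC)
    keys = {"k1": b"constructed-secret-do-not-reuse"}
    results = {}
    forged = issue_cookie("victim", "k1", keys, now)  # attacker holds k1
    results["forged_with_stolen_key"] = verify_cookie(forged, keys, {}, now)
    results["tampered_without_key"] = verify_cookie(tamper_uid(forged, "victim2"), keys, {}, now)
    rotated = {"k2": b"fresh-secret-after-rotation"}  # k1 retired
    results["after_key_rotation"] = verify_cookie(forged, rotated, {}, now + 60)
    revoked = {"victim": now + 1}  # everything issued before this is dead
    results["after_user_revocation"] = verify_cookie(forged, keys, revoked, now + 60)
    fresh = issue_cookie("victim", "k2", rotated, now + 120)
    results["legit_new_session"] = verify_cookie(fresh, rotated, revoked, now + 130)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} -> {value}")
```

Two things follow from the demo. A tampered cookie fails on the signature, so integrity protection alone is not the weakness; the weakness is that the secret (or the code that derives it) is enough to mint valid cookies for arbitrary accounts. And because a forged cookie never touches the password store, a password reset does nothing against it: only rotating the signing key or recording a per-user revocation time, both of which Yahoo's "invalidated the forged cookies" implies, closes the door.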

Yahoo declined to comment on the number of accounts that may have been compromised by attackers wielding forged cookies.

In September, shortly after Yahoo announced the 2014 breach, InfoArmor claimed in a blog post that it likely knew of a specific group that was behind the hack.

InfoArmor said at the time that it had obtained a sample of the stolen Yahoo data from its sources, according to a blog post. In a Dec. 14 email to ISMG, InfoArmor's chief intelligence officer Andrew Komarov says that Yahoo's description of the type of data leaked in 2013 matches its sample.

The limited set of InfoArmor data that was provided to Yahoo - via Bloomberg - could overlap with the information shared with Yahoo by the law enforcement agency, a source familiar with Yahoo's investigation tells ISMG.

[Image: A sample of the stolen Yahoo data obtained by InfoArmor.]

In its blog post, InfoArmor said it believed that the attackers who stole the information that it later obtained were "a group of professional blackhats from Eastern Europe," which InfoArmor calls Group E.

Group E had a relationship with someone who offered batches of stolen data from companies including LinkedIn on underground markets, InfoArmor claims. The person went by the nickname "Tessa88." Tessa88 was also connected with another persona who sold underground data, "peace_of_mind" or Peace.

Both Tessa88 and Peace had advertised batches of stolen data, including the LinkedIn and MySpace breaches. But other leaks the two advertised turned out to be mislabeled aggregations of data from other breaches.

Wrinkle for Yahoo

The latest breach admission comes at a tricky time for Yahoo, which has been seeing a decline in revenue. Plus, CEO Marissa Mayer has faced criticism that the company failed to devote sufficient resources to bolstering its information security program.

"What's most troubling is that this occurred so long ago, in August 2013, and no one saw any indication of a breach occurring until law enforcement came forward," Jay Kaplan, CEO of security firm Synack, tells The Wall Street Journal. "Yahoo has a long way to go to catch up to these threats."

The breach also highlights the ongoing challenges that breached organizations face when it comes to discovering that they've been breached. "This billion-person data theft illustrates two critical points: first, there is currently no single technology or blend of technology controls that currently exists to either keep a persistent and well-trained adversary from breaking into any company, and second, that technology that moves at machine speed to let a company know data is flowing out the back door is not mature enough to provide real-time alerting," Christopher Pierson, CSO of B2B payment provider Viewpost, tells ISMG.

Will Breach Impact Verizon Deal?

In late July, Verizon agreed to buy Yahoo's operating businesses for $4.8 billion. Many market watchers say the deal comes at a critical time for Yahoo, which has been seeing declining revenues. By acquiring Yahoo, furthermore, Verizon could combine it with AOL, which it acquired in 2015 for $4.4 billion, thus battling Google and Facebook for a bigger share of the world's online advertising revenue.

Following the first breach revelation, in response to questions about whether Verizon might seek to alter the terms of the deal or walk away, it said in October that it was waiting to see the full results of Yahoo's investigation (see Verizon's Yahoo Breach Question: What's 'Material'?).

On Dec. 14, Verizon said it's awaiting the full results of both breach investigations. "As we've said all along, we will evaluate the situation as Yahoo continues its investigation," says Verizon spokesman Bob Varettoni. "We will review the impact of this new development before reaching any final conclusions."

Historical Mega-Breach Discoveries Continue

Yahoo isn't the only company to have revealed this year that it discovered a massive, historical breach that put users and their data at risk for years before it was discovered or fully understood. Other organizations that have found themselves in a similar situation this year include Dropbox, LinkedIn, MySpace and Tumblr, among others. In some cases, organizations discovered that breaches they had spotted were much worse than they believed. LinkedIn, in particular, found that a 2012 breach hadn't resulted in the theft of 6.5 million users' account details, but rather involved 165 million accounts.

"We truly are under major siege and we're unprepared for it. It really is a national emergency," Avivah Litan, vice president at Gartner Research, tells USA Today. "We need a national response plan for this."

Managing Editor Jeremy Kirk also contributed to this story.

New Year, New Threats: 2017 Security Predictions from Malwarebytes

Details
Category: Security News

Ransomware is going to get personal. Password managers will be huge targets. And we will see the rise of a whole new exploit kit. These are among the 2017 security predictions from Malwarebytes Laboratories.

And because these attacks are going to continue to result in big headlines, cybersecurity is going to grow as a boardroom issue - which is good news for security leaders, says Marcin Kleczynski, CEO of Malwarebytes.

"I think 2016 was a period where a reset button was pressed, and more companies started thinking about cybersecurity," Kleczynski says. In 2017, he says, "more cybersecurity leaders will become board members; CISOs will be hired; and potentially CIOs will be displaced by CISOs."

In an interview about 2017 security predictions, Kleczynski discusses:

  • How ransomware defense must change;
  • Why password managers and digital wallets will be bigger targets;
  • What we can expect to see from large-scale, IoT-enabled attacks.

Marcin is the founder of Malwarebytes. He oversees the strategic expansion of the business, as well as the long-term vision for the research and development teams. Marcin has been recognized for his work in cybersecurity, receiving the Ernst and Young Entrepreneur of the Year award, and being named to the Forbes 30 Under 30.

Breach Attribution and 'Hack Back': Don't Waste Time

Details
Category: Security News

Hack attack victims often ask two questions: "Who did it? And can we hack them back?"

But after an attack, with time of the essence for blocking further damage, those are the wrong questions for breached organizations to be asking, says data breach prevention and response expert Alan Brill of the corporate investigations and risk consulting firm Kroll.

"If you spend a bunch of money trying to figure out who did it, how's that going to help you?" he asks. "You're not cops. You're not going to go arrest somebody. You're probably not going to go file civil suits against foreign governments, [so] is that a wise use of funds?"

Focusing on attribution so that an organization can "hack back" - rather than focusing on how to quickly recover from a breach - doesn't make a lot of sense, Brill contends in an interview with Information Security Media Group.

Misguided Calls for Vigilantism

Following this year's belated discovery that Yahoo suffered the biggest known data breach ever, some commentators called for pre-emptive strikes against attackers. Meanwhile, a French ransomware researcher earlier this year described how he'd attempted to infect India-based tech support scammers with Locky ransomware after they allegedly targeted his parents with their online scams.

While this type of "hacking back" vigilantism may earn public plaudits and satiate a desire for revenge, it's often illegal - and it could easily cause collateral damage. In addition, it too often detracts from the rapid triage that must occur following any breach, Brill notes. "The resource in the shortest supply when a breach occurs is time," he points out.

In this interview, Brill also discusses:

  • Crisis management steps every organization should take both before and after a suspected breach;
  • The legal risks faced by any firm that attempts to hack back;
  • Lessons learned from hundreds of data breaches.

Brill is a senior managing director with Kroll's cybersecurity and investigations practice. As the founder of Kroll's global high-tech investigations practice, he has led engagements that range from large-scale reviews of information security and cyber incidents for multibillion-dollar corporations to criminal investigations of computer intrusions. He's also the co-author of a report issued by the nonprofit organization Center for Democracy and Technology titled: "Private Sector Hack-Backs and the Law of Unintended Consequences."

GAO Report on Privacy and Security: A Wake-up Call for HHS?

Details
Category: Security News

Fraud , Privacy , Risk Management

It's Time to Recognize Healthcare as One of the 16 Critical Infrastructure Sectors

Michael Magrath • December 15, 2016

For years, I have been a vocal proponent of securing protected health information. It is no secret that the U.S. Department of Health and Human Services (HHS) swept security and authentication under the rug during the rollout of electronic health records (EHRs), so as not to impede providers' adoption of electronic records by making them harder to use. The current minimum requirements for identity assurance are set low, requiring only a strong password. The reality is that HHS played Russian roulette, hoping that security breaches would not occur despite weak username and static password authentication. Putting convenience ahead of security has led to breaches impacting millions of lives.

As Chair of the HIMSS Identity Management Task Force, I am constantly seeking news as it relates to security, identity management and breaches, to name a few topics, and their effect on the nation's healthcare system.

I just read the Government Accountability Office's report to the U.S. Senate's Committee on Health, Education, Labor and Pensions. The title tells the story, "HHS Needs to Strengthen Security and Privacy Guidance and Oversight".

Having been immersed in identity management and the security side of health IT, nothing in the report surprised me. The GAO report touches on the key findings and cites the historic breaches in 2015 affecting over 113 million individual health care records due to hacking or other incidents as well as HHS' shortcomings as it relates to securing our healthcare system.

We are at a point where HHS needs to wake up and realize that our healthcare system is one of the 16 critical infrastructure sectors defined in 2013's Presidential Policy Directive 21. The Directive includes many provisions, one of which tasked NIST to develop a Cybersecurity Framework. Although conforming to NIST's Cybersecurity Framework is voluntary, its core set of security controls represents a consensus of topics to consider when developing information security programs. The Framework includes 98 subcategories.

HHS' Office for Civil Rights (OCR) proactively developed a "crosswalk toolkit" that mapped 2003's HIPAA Security Rule to the 2014 Cybersecurity Framework to show how organizations' existing HIPAA compliance efforts fit into the Framework. GAO points out that, "of the 98 framework subcategories, the toolkit fully addresses only 19. Many of the specific controls detailed within the framework's 98 subcategories are not addressed in either the HHS security assessment guidance or in its other risk management guidance." If you are a baseball fan, 19 for 98 is below the Mendoza Line, batting .194.

Over the years, HHS has released several guidance documents, but all are weak and without mandates as it relates to identity management and authentication of entities accessing protected health information. Guidance documents typically include words like "may" and "should," but rarely include words like "shall" or "must," especially when it comes to identity management and the authentication of users accessing PHI.

The GAO reinforces my statements in the report stating, "However, the guidance published by HHS does not address all of the elements in the NIST guidance. HHS officials said they intended their guidance to be minimally prescriptive to allow flexible implementation by a wide variety of covered entities. However, until these entities address all the elements of the NIST Cybersecurity Framework, their EHR systems and data are likely to remain unnecessarily exposed to security threats."

The GAO provides five recommendations for executive action. The first two are most notable:

  • Update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the NIST Cybersecurity Framework;
  • Update technical assistance that is provided to covered entities and business associates to address technical security concerns.

HHS can no longer stick its head in the sand and hope this cyberwar will just go away. I am pleased with the GAO's report and I hope it will serve as a wake-up call for HHS. Honestly, what else needs to happen to urge HHS to update the 13-year-old HIPAA Security Rule so that it maps to the identity proofing and multi-factor authentication milestones included in ONC's 2015 Shared Nationwide Interoperability Roadmap and NIST's Cybersecurity Framework? It is my hope that HHS will collaborate with organizations like the HIMSS Identity Management Task Force, the HIMSS Privacy & Security Committee and the Identity Ecosystem Steering Group.

For more information on VASCO security solutions for healthcare visit https://www.vasco.com/solutions/healthcare-information-security/.

Rethinking How to Recruit InfoSec Pros

Details
Category: Security News

Rodney Petersen sees too many government agencies and businesses using old-school methods to identify and recruit IT security professionals. And, as a result, they often fail to build their cybersecurity staffs.

Petersen is director of the National Institute of Standards and Technology's National Initiative for Cybersecurity Education, known by the acronym NICE.

In an interview with Information Security Media Group, Petersen says employers too often ignore qualified job prospects because they might hold an associate's degree but not the obligatory bachelor's degree, despite having the right know-how to get the job done.

"HR and job descriptions quite often try to do what everybody else is doing, and therefore if everybody else is requiring a bachelor's degree, three-to-five years' experience and XYZ certification, then that must be good for us, too," Petersen says. "There is really no direct evidence [those requirements are] measuring the knowledge skills and abilities needed."

Petersen, in the interview:

  • Explains the importance of accurately describing job characteristics to attract the right people for the positions;
  • Encourages employers to hire quick learners, because the rapidly evolving IT security field requires professionals who can absorb new knowledge and pick up new skills swiftly;
  • Describes the significance to job seekers, employers and educators of a new visualization mapping tool NICE is funding that will identify IT security workforce needs by geography.

NICE, a government-private sector initiative housed at NIST, aims to develop IT security programs to accelerate learning and skills development, nurture a diverse learning community and guide career development and workforce planning.

Petersen, before joining NIST, served as managing director of EDUCAUSE, a not-for-profit association of IT leaders aimed at advancing higher education, where he founded and directed its Cybersecurity Initiative and was the lead staff liaison for the Higher Education Information Security Council. He co-edited the book Computer and Network Security in Higher Education.
