The holiday decorations had barely been returned to the attic when 2016 already saw its first high-profile cyber attack. Time Warner Cable said on Jan. 6 that up to 320,000 customers may have had their email passwords stolen. The information likely was gathered through malware downloaded during phishing attacks or indirectly through attacks against other companies that store TWC subscriber information, the company said.
Here we go again. The world is coming off another banner year for hackers. Notable attacks in 2015 included the U.S. Office of Personnel Management server breach that compromised sensitive personal information of about 21.5 million people; the theft of information from tens of millions of Anthem Inc. customers (considered among the largest data breaches in corporate history); the stealing of personal data including Social Security numbers and completed tax returns of 330,000 people from the IRS; and the infamous Ashley Madison hacking that provided grist for the tabloids and late-night TV comedians for weeks.
Everyone still cringes over 2014's big attacks: The theft of data including names, mailing addresses, phone numbers and email addresses from more than 70 million Target shoppers and the credit card information of 40 million shoppers. Home Depot's admission that 56 million accounts had been put at risk after hackers infiltrated the retailer's systems. J.P. Morgan, Staples, Healthcare.gov, Neiman Marcus... the list of victims goes on and on.
The Worst May Be Yet To Come
Cyber attacks are nothing new. In fact, the first Internet breach occurred before there was even an Internet - the 1988 Morris worm that traveled across ARPAnet, the precursor to the Internet, and infected more than 6,000 university, research center and military computers.
But the incidents have increased in recent years as people hand over more and more personal information to retailers, financial services companies, healthcare providers and other businesses and government agencies via the Internet and hackers find new ways to exploit security holes.
And the worst may be yet to come. While more high-profile attacks like the ones that attracted headlines in recent years are a virtual certainty in 2016, the biggest Internet security threat this year could be something else: A rise in identity theft and account takeovers.
It's a cause-and-effect of the massive breaches of the last few years. In 2016, cybercriminals increasingly will put all that sensitive data to nefarious use.
The Dark Web
Hackers often sell stolen customer data on the black market. According to the security news site Krebs on Security, 1 to 3 million of the credits cards stolen from Target were resold on the black market, generating an estimated $53.7 million for the hackers.
A wealth of stolen data - credit card numbers, passwords, you name it -- lives on the so-called Dark Web, the seamy underbelly of the Internet where websites are publicly visible but the IP addresses of the servers that run them are undetectable, making them invisible to search engines and the authorities. This is often where the bad guys sell and re-sell hacked information.
We're also certain to see an increase in phishing attacks this year. Unlike hacking, phishing tries to trick people into clicking on links or downloading files in emails that seem legitimate but are actually gateways to malware - such as computer viruses, worms, trojan horses, spyware, adware and other malicious programs.
The main reason phishing persists is simple: People continue to fall for the scams. "If you're not sure what it is, don't click on it" is a bit of common sense that still eludes surprising numbers of Internet users.
To be fair, though, phishers are becoming more sophisticated. The supposed Nigerian prince who wants to give you $50 million is being replaced by emails that can look a lot like the genuine article, say from your bank. Cybercriminals are figuring out new ways to get their e-mails past the spam detection systems in many common email programs.
The Bot Threat
Yet another threat comes from bots, the pieces of software that run automated tasks over the Internet. Bots, much like the microorganisms all around us in the physical world, come in good and bad forms. Google, for example, uses bots to crawl and catalog the web and deliver accurate search engine results. But hackers also use bots to carry out a variety of attacks, unauthorized data gathering, spam and click fraud. Bots (good and bad) account for 60 percent of Internet traffic; humans just 40.
In 2016, bad bots will become better at disguising themselves to blend in with legitimate network traffic and fool IT administrators responsible for keeping them out.
While hackers can use bots for nefarious purposes such as lifting your credit card number from online store or turning your laptop into a spam-spewing zombie, businesses are exposed too.
Take the retail industry, for example. An entire underground industry has grown around the use of automated bots dedicated to scraping as much pricing and other data from online retailers' websites to share with competitors.
While the government is trying to step in and put controls on bots -- such as legislation proposed by Sen. Charles Schuler (D-NY) to crack down on bots in the online concert ticket market -- it lack the teeth to make a meaningful impact.
There are several reasons why. The nature of the bot industry makes identifying and prosecuting those who launch bots difficult, time-consuming and expensive. Bots can originate from almost any location in the world and they usually come from well-known hosting providers and networks that organizations trust. Even when a bot originator is identified, it's often tracked to an international location where US laws provide little or no recourse. On top of all that, most bot technologies are not even considered criminal.
The bad bot threat landscape will continue to grow in 2016 for a simple reason --bots are an effective means to an end for Internet evil-doers.
Be Concerned
If the Internet security landscape in 2016 sounds scary, it ought to. For too long, even the largest companies haven't done enough to close security holes. And they're still playing catch-up.
Businesses have no choice but to make online security their absolute No. 1 priority this year or risk losing the customers they've worked so hard to gain.
There once was a time when hacking was largely about mischief: "Let's see if I can take this site down!" Now, the bad guys have become more organized and sophisticated and they're after one thing - money.
A true enterprise of exploitation is growing in the dark corners of the Internet. We need to be aware of it, and fight it.