Top 10 Targets on Hackers' Hit List

Cyber criminals are clever and always on the hunt for more financial and personal data that they can sell for a profit.

Hackers are often one step ahead and seek out weaknesses in systems, especially in industries that have lagged behind in protecting themselves. Energy companies, the healthcare industry and others have not kept pace with other industries in defending against malicious hackers, and their cybersecurity protection remains weak.

These are the top ten targets for "black hat," or unethical, hackers.

1. Open Source Codes

As companies compete heavily to bring their products to the market, the use of open source codes can be detrimental. Patching vulnerabilities in open source code faces obstacles, said Xu Zou, CEO of ZingBox, a Mountain View, Calif.-based provider of IoT solutions.

"Relying on timely patches of IoT devices as the primary method of security will simply fail as we've seen from other recent attacks," he said. "Organizations must implement IoT security solutions that allow them to 'roll with the open source punches' since we will undoubtedly see more punches ahead. The lack of readily available human interface, difficulty in identifying versions of underlying software and FDA requirements (for the healthcare industry) all add up to significant challenges."

2. Internet of Things (IoT)

The increased use of personal and home automation, both at home and in the workplace, poses even greater risks because consumers and employees alike remain lax about security. Although devices such as Alexa have risen in popularity, their users are lackadaisical about how they use the technology and fail to heed warnings about the data being hacked or resold.

"Organizations will seek to maximize efficiency and effectiveness through improved connectivity, whether this be in the home with devices such as Alexa or through the increased proliferation of devices throughout our transport infrastructure," said Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management. "Associated threats in an expanded and more complex threat landscape come with these benefits."

The Internet of Things (IoT) is estimated to increase by over 50% by 2018, surpassing 50 billion devices by 2020. These billions of devices will collect a wide variety of data from users, "who will be unaware that it is happening, where the data is being stored or who has access to it," he said. "These devices are often inadequately protected, exposing critical infrastructure - such as industrial control and financial systems - to malicious actors."

Many organizations will respond by automating tasks previously performed by people. Human cognitive abilities will be viewed as a "bottleneck" to completing tasks efficiently and the result is that algorithms will be increasingly used to ensure tasks are performed with accuracy and timeliness, Durbin said.

"However, the interactions between these algorithms will become complex to understand introducing the potential for significant vulnerabilities," he said.

The new challenges which will emerge include identifying, assessing and managing the information security risks.

"Organizations will continue to adopt IoT devices with enthusiasm, not realizing that these devices are often insecure by design and therefore offer many opportunities for attackers," Durbin said. "There will be an increasing lack of transparency in the rapidly-evolving IoT ecosystem, with vague terms and conditions that allow organizations to use personal data in ways customers did not intend."

Breaches in IoT mean companies will be held liable by regulators and customers for a lack of data protection.

"In a worst case scenario, when IoT devices are embedded in industrial control systems, such as temperature controls, fire alarms and health equipment, security compromises could result in harm to individuals or even loss of life," he said.

Too few IoT products have been created with adequate security, and this environment will let attackers easily use IoT devices as a backdoor, so they will no longer need to hack directly into organizations.

"For example, hackers will access insecure IoT devices on the periphery of bank networks and use them as a pathway into core systems," Durbin said. "Organizations will also expose themselves to liability when they collect data from IoT devices and share it with supply chain partners without customer consent."

The designers and manufacturers of smart lightbulbs and appliances, connected thermostats and computerized cars are not placing enough priority on security, said Larry Johnson, CEO of CyberSponse, an Arlington, Va.-based company which provides an automated orchestration engine for rapid cyber incident response.

"The software, operating systems and firmware which drive these products are not going through a rigorous security testing and development process before they are released," he said. "What also compounds this problem is that once these products are brought into the home, they will not be easy to fix. Even if the manufacturer releases a software update to patch known vulnerabilities, the chances are the end-user won't know about the update, won't know how to install it or just won't care."

Cybercriminals take advantage by attempting to "infect" more expensive products like washing machines, dishwashers and refrigerators with ransomware, said Johnson. They can extort a ransom or cause mayhem for homeowners. Other criminals will infect these devices with "botnet malware which allows them to create large-scale DDoS attacks against specific companies and industries," he said.

"We'll see a lot of pranks and harassment targeting devices in the home: since hacking tools are becoming more readily available online, it won't be long before they exist for IoT gadgets, too," added Johnson. "We will see all kinds of mischief result from this."

3. Cryptocurrencies (aka Bitcoin)

Cryptocurrency hacking and stealing is definitely on the top of a hacker's list, said Joseph Carson, chief security scientist at Thycotic, a Washington D.C.-based provider of privileged account management (PAM) solutions.

"Why rob a bank or an ATM when you can steal digital money across the world and take it out without being detected?" he said. "When using crypto currencies, you need to make sure you take extra security to protect your wallet, keep it secret, add multi factor authentication and use encryption."

4. Voting Machines

Hacking into voting machines has proven to be easy. Governments need to take steps to "ensure integrity of the data and could use blockchain to maintain tamper resistance of voting machines," said Carson.

"Let's face it, why vote only once when you could potentially change the entire political governance outcome from across the border?" Carson added.

5. Car Hacking

Cyber criminals have been targeting vehicles for a while and the incidents have risen steadily, said Carson.

"With almost every vehicle being connected, hackers want to see how far they can take it with fully controlling a car," he said. "In order to protect yourself, you must limit the details on what you share."

The electronic control units of cars, which control key functions such as the brakes, steering and the entertainment console, are highly vulnerable to a variety of attacks which could be dangerous to drivers, said Ang Cui, CEO of Red Balloon Security, a New York City-based embedded device security research and development firm.

"Today's cars are basically computers on wheels and as such they're becoming a bigger target for hackers," he said.

The hackers can change the car's direction, disable the brakes or blast the radio.

"The automotive industry hasn't done enough to protect the components from sophisticated cyber attacks and malware," Cui said.

Since cybercriminals are motivated mostly by money, there are faster and easier ways for them to generate a quick profit. An enterprising nefarious organization gets involved in targeted assassination of serendipitous car hacking because when they can install spyware, these criminals can sell the data.

"The spyware data means they can sell feeds of real-time locations of every vehicle in the DEA fleet or every word uttered inside every federal motorcade," he said. "Then there is extortion. If you can disable a fleet of commercial trucks by infecting them with specialized vehicle ransomware or in some other way hijacking or crippling the key electronic control units in the vehicle, then the attacker could demand a hefty ransom."

Technology to secure vehicles against these attacks is readily available, but automakers must implement it.

"Our company actually developed one of the first technologies to defend electronic control units from malware and other malicious code and commands," Cui said. "It's an intrusion defense technology which is injected into the firmware of the car's control units; it blocks any unapproved commands from being executed. We've done a few pilot studies with the Department of Homeland Security, DARPA and the Navy on how this same technology can be used to protect other types of embedded devices."

6. Industrial Control Systems

The Internet of Things includes the use of industrial control systems by a wide variety of industries, said Carson. "With the IoT, everything is being connected to the internet," he said.

"These industrial control systems make these devices function including power stations, factories, cargo ships and renewable energy such as wind farms," he added. "Certainly, hackers are interested and challenged to know what can they do with them."

7. Humans and Identities

While hackers have been stealing identities for several decades, committing the fraud is now easier than ever with the prolific use of social media.

"It is a bit like Jason Bourne and hackers want to steal identities so they can carry out many activities using trusted stolen identities so they can remain hidden and pretend to be someone else," said Carson.

"People should use additional privacy settings, use multi-factor authentication, check activity logs and use a password vault to create complex strong passwords," he added.

8. Cloud Infrastructure

As more data and tech innovations are deployed in the cloud, criminals are targeting where information is being stored.

"From misconfiguration of cloud deployments that leave data exposed to brute force attacks on data center facilities, cloud infrastructure is the next logical target," said Jack Kudale, CEO at Lacework, a Mountain View, Calif.-based provider of cloud security solutions. "This includes streamed videos and movies that will be hijacked by hackers to spread propaganda materials."

9. Health Care

The health care industry has already been the victim of many highly publicized ransomware attacks, and hackers will only focus more on it because of its vulnerabilities.

The complicated nuances of the industry where employees need to share data with multiple entities and providers and allow access from several locations have made it more challenging, said Dave Chronister, managing partner of Parameter Security, a St. Peters, Mo.-based ethical hacking firm.

Consumers face even more risks because cybercriminals can sell personally identifiable information on the black market for a "pretty hefty sum," he said. "Although black market prices fluctuate, this information generally sells for a higher price tag than stolen credit card numbers."

Once healthcare information is sold, the fraud and abuse can damage a person for many years.

"I expect we'll see cases of medical record extortion occur down the road, particularly for high profile individuals, as criminals could use the same methods to obtain these records through insecure healthcare providers and then threaten to dox the individual by releasing sensitive or embarrassing information -- such as STDs, abortions, prescriptions, psychiatric records -- to the public, unless the victim pays up," said Chronister.

Another large threat is ransomware attacks on hospitals and healthcare facilities. These organizations struggle with basic cybersecurity and must digitize medical records because of a federal mandate, which creates a perfect storm for ransomware criminals.

"It isn't too hard to hit a hospital with ransomware by using standard phishing techniques and once a hacker is inside, a ransomware worm can spread rapidly across the network, encrypting critical files and systems that are used to manage patients' health," he said. "We are very likely to see a number of incidents down the road where these records are permanently lost even after the hospital pays the ransom, as hackers begin to use ransomware for sabotage purposes."

As more patients use medical devices that have WiFi or Bluetooth connectivity, their data becomes more exposed to hacking, especially by malware and ransomware.

"What often limits the real world implications of these proof-of-concept attacks is that the criminal would have to know the device's serial number or be within a certain physical distance of the person and the device in order to pull off the attack," said Chronister. "It isn't too far fetched to imagine healthcare workers selling medical device serial numbers to black market websites, as there have been a number of instances over the years where employees have been involved with identity theft rings."

10. Power Grid

The power grid is vulnerable because the industrial control systems it uses, such as SCADA, pre-date the Internet. Water systems are also a potential target.

"It is difficult, expensive and time-consuming to update these systems to make them more cyber secure because often they will have to be taken offline to do so," said Chris Weber, co-founder of Casaba Security, a Redmond, Wash.-based white hat hacking firm. "That is a risk which could lead to malfunctioning, damage and service disruption."

The "good news" is that the power grid and the energy sector are mostly targeted by nation state actors, he said.

"They are infiltrating these networks in order to establish footholds and backdoors they can use in case of a military conflict down the road," said Weber. "Nation states tend to be more restrained. Russia, China, Iran and even North Korea know that if they were to trigger an outage in a U.S. city, it would very likely lead to a proportional response by the U.S. - either a similar cyber attack on their infrastructure, or some type of military action."

Terrorist groups, hacktivists and lone wolves are not as likely to demonstrate the same self-restraint as national governments since the barrier to entry is becoming lower all the time.

"Between industrial search engines like Shodan which make it easy to find exposed endpoints on these networks and the many malware and exploit kits which are sold on the Dark Web, it's not hard to imagine a time when we'll see less sophisticated hackers be able to target utilities, especially if the utilities don't push ahead with a major security overhaul and modernization," he said.

A hacker group could easily launch a ransomware campaign against a local electric utility and be able to shut down its front office operations, Weber said.

"There are also well known and readily available malware kits like Black Energy, which are specifically designed for industrial targets and can be customized with new malicious payloads," he said. "In my view, it's only a matter of time before we see a motivated hacker group attempt such an attack."