[BreachExchange] Ten cyber security predictions for 2019
Destry Winant
destry at riskbasedsecurity.com
Fri Nov 16 00:56:03 EST 2018
https://www.continuitycentral.com/index.php/news/technology/3481-ten-cyber-security-predictions-for-2019

It’s the time of year when we start looking ahead to the New Year and
the possible changes that may occur in the threat landscape. In this
article, Ian Kilpatrick makes ten predictions for changes that may
occur in the cyber security environment.

Increase in crime, espionage and sabotage by rogue nation-states

With the ongoing failure of significant national, international or UN
level response and repercussion, nation-state sponsored espionage,
cyber crime and sabotage will continue to expand. Clearly, most
organizations are simply not structured to defend against such
attacks, which will succeed in penetrating defences. Cyber security
teams will need to rely on breach detection techniques.

GDPR - the pain still to come

The 25th of May 2018 has come and gone, with many organizations
breathing a sigh of relief that it was fairly painless. They’ve put
security processes in progress and can say that they are en route to a
secure situation – so everything is OK? We are still awaiting the
first big GDPR penalty. When it arrives, organizations are suddenly
going to start looking seriously at what they really need to do.
Facebook, BA, Cathay Pacific, etc. have suffered breaches recently,
and will have different levels of corporate cost as a result,
depending on which side of the May 25th deadline they sit. So GDPR
will still have a big impact in 2019.

Cloud insecurity – it’s your head on the block

Cloud insecurity grew in 2018 and, unfortunately, it will carry on
growing even more in 2019. Increasing amounts of data are being
deployed from disparate parts of organizations, with more and more of
that data ending up unsecured. Despite the continual publicity around
repeated breaches, the majority of organizations do not have good
housekeeping deployed and enforced across their whole data estate in
the cloud. To give an idea of the scale, Skyhigh Networks research
indicated that 7 percent of S3 buckets are publicly accessible and 35
percent are unencrypted.

Single factor passwords – the dark ages

As if we need the repetition, single-factor passwords are one of the
simplest possible keys to the kingdom (helped by failure to manage
network privileges once breached). Simple passwords are the key tool
for attack vectors, from novice hackers right the way up to
nation-state players. And yet they still remain the go-to security
protection for the majority of organizations, despite the low cost and
ease of deployment of multi-factor authentication solutions. Sadly,
password theft and password-based breaches will persist as a daily
occurrence in 2019.

Malware - protect or fail

Ransomware, crypto mining, banking Trojans and VPN filters are some
of the key malware challenges that continue to threaten businesses and
consumers. Live monitoring by Malwarebytes, Kaspersky and others has
shown that the mix of threats varies during the year, but the end
result of malware threats will be a bad 2019.
Increasing sophistication will be seen in some areas such as
ransomware, alongside new malware approaches and increased volumes of
malware in other areas. Traditional AV will not provide sufficient
protection. Solutions that have a direct malware focus are essential
for organizations, alongside tracking of network activity (in and out
of the network). With Cybersecurity Ventures predicting that
ransomware damage costs will exceed $11.5 billion by 2019, it
certainly won’t be going away. Oh yes, and make sure that your backup
plan is working and tested!

Shift in attack vectors will drive cyber hygiene growth

The ongoing shift of attack vectors, from the network to the user, is
causing a reappraisal of how to manage security. Driven partly by the
shift in boardroom awareness, and partly by GDPR, many organizations
are recognising, perhaps belatedly, that their users are their weakest
link.
Not only is there a greater awareness of the insider threat from
malicious current and ex-staff, but there is also a growing
recognition that staff cyber awareness and training is a crucial step
in securing this vulnerable area. The response from organizations will
take the form of cyber education, coupled with testing, measuring, and
monitoring staff cyber behaviour. Increasingly, Entity and User
Behaviour Analytics (EUBA) systems will be adopted, alongside training
programs and automated testing, such as simulated phishing and social
engineering attacks.

IoT - the challenge will only increase

We’ve already seen some of the security challenges raised by IoT, but
2019 will significantly demonstrate the upward trend in this area.
Driven by the convenience and benefits that IoT can deliver, the
technology is being increasingly deployed by many organizations, with
minimal thought by many as to the security risks and potential
consequences.
Because some IoT deployments are well away from the main network
areas, they have slipped in under the radar. In the absence of a
standard, or indeed a perceived need for security, IoT will continue
to be deployed, creating insecurity in areas that were previously
secure. For the greatest percentage of IoT deployments, it is
incredibly difficult or impossible to backfit security. This means
that the failure to segment on the network will further exacerbate the
challenges IoT will create in 2019 and beyond.

Increasing risks with shadow IT systems and bad housekeeping

Shadow IT systems continue to proliferate, as does the number of
applications and access points into systems, including legacy
applications. In the case of shadow IT systems, these are indefensible
as they are; and in the case of increasing applications and access
points, if they relate to old or abandoned applications, they are
difficult to identify and defend.
In both cases, these are an easy attack surface with significant
oversight, internal politics and budget challenges, and were
previously seen as a lower priority for resolution. However, there has
been both an increased awareness of the opportunity for attack via
this route, and an increase in the number of attacks, which will
accelerate in 2019.

DDoS - usually unseen, but still a nightmare

DDoS is the dirty secret for many organizations and attacks will
continue to grow in 2019, alongside the cost of defending against
them. Nevertheless, DDoS attacks aren’t generally newsworthy, unless a
big name organization is involved, or the site is down for a long
time. And, of course, the victim does not want to draw attention to
their lack of protection. That’s not good for custom or for share
prices.
The cost of launching an attack is comparatively low, often shockingly
low, and the rewards are quick – the victim pays for it to go away.
Additionally, cryptocurrencies have aided the money transfer in this
scenario. Yet the cost for the victim is much higher than the ransom,
as it involves system analysis, reconstruction and, naturally,
defending against the next attack.

Cyber security in the boardroom

A decade, perhaps two decades, late for some organizations, cyber
security is now considered a key business risk by the board. 2019 will
see this trend accelerate as boards demand clarity and understanding
in an area that was often devolved as a sub-component of the CISO’s
role, and was not really a major topic for the boardroom. The
financial, reputational and indeed C-Suite employment risks of cyber
breach will continue to drive board focus on cybersecurity up the
agenda.