[BreachExchange] 20/20 security vision: seeing the future clearly
Destry Winant
destry at riskbasedsecurity.com
Wed Jan 15 10:09:27 EST 2020
https://www.itproportal.com/features/2020-security-vision-seeing-the-future-clearly/
As digital transformation continues to change the face of business,
enterprises globally are under mainstream pressure to tighten their
cyber-defence as they migrate business-critical applications to the
cloud and become more application centric. We are finally seeing an
increase in resources for underappreciated security teams as they
struggle to address the rising frequency of data breaches, and the
seemingly constant barrage of new data regulation.
This article will outline some key trends and threats that should be
high on any CISO’s agenda for 2020. By predicting future trends,
security teams will be able to deliver better cyber-hygiene through a
proactive multi-layered defence.
Regulation sets the bar:
The Californian Consumer Privacy Act (CCPA) went live on January 1st,
setting the tone of regulatory compliance for the coming decade. This
act has been dubbed the American counterpart to GDPR, applying to
practically any enterprise conducting business in California. Failing
to comply with regulation doesn’t just put your customers’ data at
risk, it will also result in hefty fines. The introduction of CCPA
will no doubt catch enterprises of all sizes off guard, and 2020 will
most likely see many cases of regulatory non-compliance, confirming
that you shouldn’t wait until regulation is set in stone before
securing critical data. Indeed, this decade will most likely see many
other states follow California’s example as data and privacy rise to
the forefront of policy discussions.
Developer education and DevOps automation:
Business-critical applications will continue to be a target for
cybercriminals. One can only hope that this is the year that security
education is taken seriously. The last thing we need is more needless
data breaches. Perhaps education will increase as developers begin to
code with security in mind. Indeed, the need for organisations to have
a well-developed and embedded education programme covering the key
aspects of secure coding practices and a layered defence will become
more apparent with the increased adoption of DevSecOps. In 2020,
automated testing tools for application security will be key to
supporting a DevSecOps approach that allows internal teams to
collaborate and work more efficiently while updates are continuously
tested against security guidelines.
Phishing – we’re not off the hook yet:
Ideally, we would have left phishing in 2019 but unfortunately, it’s a
threat that keeps on biting. In fact, phishing attempts accounted for
90 per cent of data breaches in 2019, and this trend will most likely
continue and grow in both volume and sophistication throughout and
beyond 2020. In the past year we have seen an increase in advanced
phishing methods targeting applications secured with two-factor
authentication (2FA), and almost all reported phishing websites appear
to use a secure HTTPS connection. Likewise, would-be criminals are
targeting increasing Internet connectivity by deploying ‘smishing’
(SMS phishing) on smartphones. Hopefully 2020 will also be the year of
increased support and adoption of hardware authentication devices.
This will hopefully combat smishing schemes, which don’t seem to
depend on the content of the text message so long as that content puts
pressure on the victim and the company name used as the sender
matches the victim’s profile. The included hyperlinks often don’t
even mask the fact that they lead to an illicit webpage. Perhaps 2020
will be the year that we finally nip phishing in the bud, or maybe
that’s just wishful thinking.
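The smishing traits described above (pressure wording, a sender name borrowed from a brand the victim uses, and links that don’t bother to hide an unrelated host) can be turned into a simple defensive triage check. This is an added example, not code from the article; the sample messages, the sender-to-domain allowlist and all domains in it are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not from the article). "sender" is the
# alphanumeric sender ID displayed on the phone, which smishers spoof.
SAMPLES = [
    {"sender": "ExampleBank",
     "text": "URGENT: your account is suspended. Verify now: https://examplebank-verify.example.net/login"},
    {"sender": "ExampleBank",
     "text": "Your monthly statement is ready at https://online.examplebank.example/statements"},
    {"sender": "ParcelCo",
     "text": "Action required within 24 hours: pay the redelivery fee at http://203.0.113.10/pay"},
]

# Hypothetical allowlist: the domains each legitimate sender brand actually uses.
BRAND_DOMAINS = {"examplebank": {"examplebank.example"}, "parcelco": {"parcelco.example"}}

PRESSURE = re.compile(r"\b(urgent|immediately|suspended|within \d+ hours|action required|verify now|final notice)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def triage(msg):
    """Return the list of smishing signals found in a message (empty means none)."""
    reasons = []
    if PRESSURE.search(msg["text"]):
        reasons.append("pressure language")
    # Normalise the displayed sender to a brand key and look up its real domains.
    brand = re.sub(r"[^a-z0-9]", "", msg["sender"].lower())
    allowed = BRAND_DOMAINS.get(brand, set())
    for url in URL.findall(msg["text"]):
        host = (urlparse(url).hostname or "").lower()
        if IPV4.match(host):
            reasons.append(f"link to bare IP address {host}")
        elif not any(host == d or host.endswith("." + d) for d in allowed):
            reasons.append(f"link host {host} not owned by sender '{msg['sender']}'")
    return reasons


def is_suspicious(msg):
    """Flag when pressure wording is combined with an off-brand or bare-IP link."""
    return len(triage(msg)) >= 2


if __name__ == "__main__":
    for m in SAMPLES:
        print("SUSPICIOUS" if is_suspicious(m) else "ok", m["sender"], triage(m))
```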
High hopes for hybrid-cloud:
In 2019 we have seen strong growth in multi-cloud adoption, with
more than 73 per cent of organisations using two or more cloud
providers. A saturated market means that organisations can pick the
provider that best suits their needs. Cloud provider competition has
given rise to application development, as companies migrate
more critical processes to the cloud in an effort to lower computing
costs and increase flexibility. The rise in cloud reliance will see
it become a target for threat actors in 2020, as hackers begin to
exploit gaps left by multi-cloud misconfiguration. This means that
cloud providers will continue to push into security by offering
integrated solutions. These solutions will most likely increase the
market share of customers with little legacy architecture but will
not support multi-cloud scenarios and complex hybrid architectures.
In order to protect your cloud infrastructure and provide security
assurance, organisations need tools to automate discovery of cloud
assets and homogenise security controls across providers to achieve a
single view of the risk profile.
Back to basics and live above the hype
It is most likely that most breaches this year will be down to old
forgotten systems, outdated software and poor access management,
resulting in individual users with privileged access being targeted.
As with phishing, we are going back to the basics of cybersecurity,
and based on past trends, the next ten years do not promise to be the
decade in which we eliminate the root cause of breaches. Instead,
what we have seen, and unfortunately will continue to see, is a
misguided focus on what’s new and cool (the hype) rather than what is
safe. With 60 per cent of breaches in 2019 involving unpatched
vulnerabilities, this is particularly frustrating because major risks
can often be resolved with proper security hygiene, regular risk
reviews and security assessments. As Windows 7 reaches end of life on
14 January 2020, organisations that stick to the soon-to-be-obsolete
operating system will be at increased risk of being targeted by
hackers.
No escape from a widening threatscape
The next decade will complicate the security landscape as IoT devices
are becoming cheaper and more ubiquitous. This will certainly pose a
problem for security teams looking to secure corporate networks from
external threat. We will most likely begin to see new risks being
uncovered in the next year as consumers and businesses increase their
reliance on wireless and smart technologies, such as Bluetooth and
IoT. Each innovation brings new threats. Indeed, one need look no
further than smart supply chains. Just-in-time delivery and an
increasing array of technological solutions mean that the slightest
interference in procedures can result in catastrophic delays. This is
even more worrisome when considering global third parties that aren’t
subject to the same data regulations and fail to offer the same levels
of visibility. 2020 might just be the year that gives us more
large-scale exploitation of smart technologies and processes,
particularly as corporations so frequently overlook basic
security protocols such as network security.
Final thoughts
2020 will surely bring a multitude of new challenges for security
professionals; however, it’s better to be prepared, take a proactive
approach and regain control of your attack surface before it becomes a
real problem or a regulatory fine. With more compliance
regulations coming into force, it is essential to eliminate security
blind spots by providing continuous full-stack assessment across
network, device, application and cloud. This gives you time to focus
on strategy, deliver ROI and help implement a security-led culture
where all employees are accountable for delivering a secure future
into the next decade.