[BreachExchange] Top Four Cybersecurity Trends For The Year Ahead

Destry Winant destry at riskbasedsecurity.com
Fri Nov 9 09:27:22 EST 2018


https://www.forbes.com/sites/forbestechcouncil/2018/11/05/top-four-cybersecurity-trends-for-the-year-ahead/#45a4ec394921

Cybersecurity is important for any organization, and the landscape is
constantly evolving. Maintaining vigilance is often a game of cat and
mouse or whack-a-mole. As both Sun Tzu and Rage Against the Machine
said in slightly different ways, you must know your enemy. In a
fast-paced world, this is not an easy task. Luckily, as with most
industries, the cybersecurity industry holds annual conferences to
help us all synthesize the latest and greatest trends.

I noticed a few common themes on this year’s conference circuit. Here
are the top four trends that I believe you should be ready for in the
year ahead.

1. Security Meets Data Science

A big theme this year was artificial intelligence, specifically deep
neural networks. Energized by news reports on the controversial use of
“deep fakes,” people started realizing that big data processing could
be used to enhance both attack and defense. At one conference, Joshua
Saxe of Sophos presented an example of a security neural network in
action by training a model with previously unseen URLs to score them
on a continuum of benign to malicious. His system showed a massive
lift in detection rates of malicious URLs versus the current
signature-based, blacklist-focused methods. This presentation
demonstrated that deep neural networks can augment existing
practices with better rates of detection. This is welcome news in the
ongoing efforts to thwart phishing attacks.

From the attack side, there were multiple presentations at both
conferences describing the ability to train computers to simulate not
only video but also voice with a surprising degree of accuracy. While
these types of attacks are in their infancy, we might soon see video
and audio that is completely fabricated and nearly indistinguishable
from the actual source.

We're living in a time when a healthy dose of skepticism is a
requirement. In the near future, be prepared to question the validity
of audio and video that seem out of place in terms of tone or motive.
Make sure to get information from trusted sources, and remember that
trusted sources will be fooled sometimes as well.

2. Internet-Enabled Devices Are Everywhere

Internet of things (IoT) devices are becoming more and more
widespread, and that trend isn’t slowing any time soon. IoT devices
are difficult to update, and many have lax security measures in place.
To be clear: IoT devices within an organization can put companies,
infrastructure and individuals at risk. The problem is compounded when
compromised devices become gateways into industrial control or
supervisory control and data acquisition (SCADA) systems. Those
systems are often less protected and more difficult to update.

Adam Shostack gave a talk on threat modeling at a conference and
discussed approaches to these new threats. Agile methodologies have
been adapted for software development, and threat modeling cannot
continue to be ruled by an outmoded waterfall approach when things are
moving so quickly. We must be iterative in our approaches and respond
quickly as the threats pile up due to development speed and the pure
volume of wireless sensors. By doing so, we'll be better prepared to
handle the sheer volume of internet-enabled devices that come online
every day.

3. The Need For Proper 2FA Will Grow

Authentication is a perennial topic in the security arena. In recent
years, most companies have begun to use proper authentication
practices, but two-factor authentication (2FA) remains difficult for
many people to comprehend. There are three common types, or “factors,”
of authentication:

1. What you know (e.g., a password)

2. What you have (e.g., an authentication app)

3. What you are (e.g., a fingerprint)

Given that, 2FA is exactly what you might think it is — any
combination of two different types of authentication. The most common
application of 2FA is a password and a code generated by a physical
device.

Unfortunately, it doesn't seem to be common knowledge that companies
and users should not depend on text messages, emails and phone calls
for the second factor of 2FA. It's not that difficult for an attacker
to execute what is known as a SIM swap to gain access to a user's
phone. Rather than depending on texting, emails or calls, the codes
should be generated by either a dedicated device or an application
such as Google’s Authenticator app. Spend some time in the coming year
protecting your accounts by auditing and changing your passwords and
utilizing 2FA whenever possible.

4. Everything Old Is 'New' Again

Computers are more powerful than they were a decade ago, but the
threat vectors are generally the same. While computers have become
more powerful, they still complete the same task: They process data.
Protecting that data is an enduring problem. The STRIDE Threat Model
that Microsoft built to describe threats is still as relevant as it
was in 2009. The conference talks I heard all fell into similar threat
categories as they did last year and the year before that.

How do you prepare for these enduring threats? Maintain a basic level
of security. Protect your passwords. Ensure that your company performs
regular training and risk assessments. Have a business continuity
plan. Test all your safeguards.

There will always be new ways for hackers to break into computer
systems, and there will always be new hackers. Fortunately, there are
people who are just as enthusiastic about defense as the hackers are
about offense. You don't necessarily need to know the details of a
hacking attack to understand the risk it poses to your organization.
Stay on top of the trends and the overall threat landscape, and be
sure to make security a priority.

