2021 is right around the corner. A bit of online shopping season left, a set of major Winter holidays (in the Northern Hemisphere at least), then the new year. After the, shall we say, challenges, of 2020, we can all hope it will be a better year overall. This time of year is also when folks tend to make predictions about what we can expect going into the new year. Folks in the security industry are no exception. Here are our cybersecurity predictions for 2021.
We have a byline up now over at Threatpost with some cybersecurity predictions: Cybersecurity Predictions For 2021: Robot Overlords No, Connected Car Hacks Yes. It’s worth a read on its own. But, while you’re here, let me sum it up.
Bad Guys Will Stay Bad
We really don’t expect cyberattacks to go away. The fact is they will just grow more sophisticated over time and target a broader range of industries. Their business models will probably expand to include even more of the compound attacks we’ve been seeing. Attackers won’t just encrypt files to get a ransom. They’ll add blackmail to the attack by threatening to expose the stolen data if they’re not paid, so even if we have backups the bad guys still make their money. Or we suffer the loss. Either way, it’s a win in their books.
We won’t see cyberattacks let up against healthcare or infrastructure, which will lead to someone dying as the direct result of a cyberattack. Hopefully, crossing that line will lead to a more concerted effort by the international law enforcement community to address the issue. But the challenge of State and State Sponsored actors will remain.
Cryptocurrency is gaining more traction in the financial world, but whether it takes hold or collapses is an open question. Question or not, cybercriminals will continue to utilize it and we’ll continue to see cryptominer payloads as attackers leverage stolen compute in their effort to get something for nothing. It seems likely someone will try and develop an ultralight miner that can run on IoT iron, trading raw compute power for myriad clients toiling away mining for virtual gold.
Ghosts in The Machines
IoT will continue to be a challenge is another of our cybersecurity predictions. While big names add capability to everything from smart appliances to connected home hubs, security and privacy will lag behind the curve. The more powerful devices, such as the home hubs and appliances that are basically fridge mounted tablets, may get the security they need. Unfortunately, the small smart-bulb class devices will remain vulnerable. Unpatched, and probably unpatchable.
Connected vehicles have not, yet, seen a major attack. But that just means it hasn’t happened yet. With layers of security in place, the attack is likely to come from an insider – either bribed or blackmailed into abusing their access to attack somewhere in the chain between supply chain and road. We’re also likely to see real world attacks targeting self-driving vehicles. These will range from simple pranks that get them driving in circles in a parking lot, to more serious attacks, like making them stop for an obstacle that isn’t actually there. The vehicle’s sensors see it. We don’t. Because there is no spoon.
On the Bright Side
Our defenses will continue to get better. We’ll see more Insider Threat issues because our perimeter and application security will continue improving. It’ll never be 100%, but it will get better. Bug bounties will have a positive impact, as researchers take advantage of major developer’s offers to pay people for reporting flaws in their code. That will make everything from mainstream operating systems to popular video games more secure. Though the bad guys will offer their own version, by paying large sums on underground markets for zero-day exploits.
Passwords will continue to be a problem which seems to always be the case when it comes to cybersecurity predictions. The latest report detailing the top 200 passwords revealed in recent breaches shows that people haven’t learned their lesson on good password hygiene. I’m not sure what is worse. The fact that people will still choose “12345678” as a password, or that authentication systems will actually allow that as a password. Fortunately, password managers have been growing more common as has multi-factor authentication. Both of which improve the situation. Though, to be fair, MFA is the way to go, as long as it’s not phone call or SMS based – as those are too easy to spoof.
Better Tools in The Stack
Also on that front, behavior analytics enables Risk-Based Access Controls. That’s where users may be asked to re-authenticate when there is some risk that their access is suspect. Whether it’s because it’s a sensitive asset, or the user’s asking for access under unusual circumstances, it reinforces authentication while trying to be inobtrusive.
Moving forward, we’ll see more integrations across the security stack. Behavior analytics will be more widespread, and newly emerging tools like XDR will move from a vendor-specific to a vendor-agnostic model. We may also see more deception technology in the early warning role, augmenting the detections we receive from the endpoints and perimeter defenses.
This all said, check out our byline article in Threatpost for more details on our cybersecurity predictions, “Cybersecurity Predictions For 2021: Robot Overlords No, Connected Car Hacks Yes.”