By Howard Solomon | IT World Canada
This year was a banner year globally in cybersecurity — for criminals.
Despite years of best practices available for organizations to follow, lessons still haven’t been learned by many firms in 2019.
Headlines about ransomware, business email compromise, e-commerce websites scraped for credit card data and data theft popped up daily.
Arguably the biggest news was the number of unsecured Amazon AWS, Elasticsearch and other databases — some belonging to companies, some apparently stolen data — that security researchers regularly reported finding. For example, a Mexican media company named Cultura Colectiva was caught with an unprotected S3 database with millions of records on Facebook users, including comments, likes, account names and Facebook IDs. Just a few days ago researchers discovered an unsecured database of more than 267 million Facebook user IDs, phone numbers, and names that apparently had been unknowingly lifted by criminals.
Then there were internal configuration boo-boos. Facebook admitted early in the year — after it was publicly revealed by a reporter — that hundreds of millions of FB and Instagram user passwords had been stored in plaintext on internal servers that employees could have accessed.
The good news: These and similar discoveries were potential data breaches. The bad news: No one knows how many of these databases were found by criminals. But if good guys could find them …
One of the most alarming reports of how criminals work came from Check Point Software, which described a ‘man in the middle’ attack that intercepted and changed email messages between a venture capital company and a startup. The vencap saw a $1 million payment to the startup disappear when it was unwittingly sent to a bank account controlled by the criminal.
The year started with Marriott Hotels admitting that as many as 5.25 million unencrypted passport numbers were included in a huge hack of the company’s Starwood chain customer database, discovered in the fall of 2018.
It ended (at press time) with U.S. convenience store chain Wawa admitting its point of sale systems had been hacked with payment card numbers (but not PIN numbers) of customers siphoned off for months. Wawa has some 860 stores in six states and Washington, D.C.
In between, an attacker claimed to be selling 617 million online account details stolen from 16 hacked websites. In March, Norwegian aluminum manufacturing giant Norsk Hydro was crippled by ransomware that forced it to shut down several automated product lines and switch smelters to manual production processes. According to news reports, it cost the company $71 million to scour its systems.
The parent company of American Medical Collection Agency had to declare bankruptcy after a data breach exposed the medical records of some 20 million people. And then there was the theft of some 100 million credit card applications from U.S. provider Capital One.
Small wonder the CNET news service titled its year-end roundup article, “Same mistakes, different year.”
Same mistakes: In its annual, and comprehensive, look at thousands of security incidents around the world, released in the spring, Verizon found that 32 per cent of breaches involved phishing, 29 per cent involved the use of stolen credentials, and errors were involved in 21 per cent.
And despite all the money spent on defense, 56 per cent of breaches took months or longer to discover.
A number of security vendors issued long reports that infosec pros might consider dipping into. Sophos, for example, said that as automated content generation continues to advance we can expect machine learning attacks against the “human elements of systems” to become increasingly prominent. Be prepared for automated 419 scams, phishing, and perhaps even deepfake-enabled video attacks. But it suggests automated systems will be of limited effectiveness in stopping them. “Constructing robust policies and systems to cope with human failures will be required.”
FireEye said China’s Belt and Road Initiative (BRI) will drive espionage throughout Europe, the Middle East, and Asia. “Recent cyber-espionage activities believed to be related to the BRI have targeted governments at the national and regional level, transportation, extractive, energy, defense, space, media and telecommunications sectors.”
Kaspersky suggests the new open banking regulations that recently came into full effect across the European Union, and are being discussed in Canada and the U.S., may open new attack vectors. This approach is aimed at allowing customers of financial services firms to exchange data with emerging fintech companies. “Security of online, including mobile, payments is a key aspect of the legislation. Nevertheless, as banks will be required to open their infrastructure and data to third parties who wish to provide services to bank customers, it is likely that attackers will seek to abuse these new mechanisms with new fraudulent schemes.”
One of the most common predictions: Despite graduating more students with majors in the field, colleges and universities still won’t be able to meet the demand for people with cybersecurity skills. That means — again — smart infosec leaders will look for solutions with machine learning/artificial intelligence to help take the load off staff.
A brief roundup of shorter predictions from IT vendors
Anthony Di Bello, vice-president of strategic development at OpenText:
“In 2020, the majority of businesses will accept an uncomfortable reality – a security breach is inevitable. This is not security fatalism, but security realism. The perimeter is gone. CEOs, CIOs and CISOs must embrace that bad actors are already inside the firewall and adopt proven technology that detects suspicious activity quickly enough to respond before a breach becomes a crisis. Businesses must also embrace solutions that provide security without compromising privacy.
The most secure enterprises will focus on information governance to protect their most valuable information, will use smart automation to deal with cyber threats at scale, and will adopt a zero-trust mindset toward endpoints and identity.”
Fredrik Forslund, vice-president of cloud and data centre erasure solutions at Blancco Technology Group:
“We’re currently facing a growing knowledge gap when it comes to security, not only within the industry at large but more worryingly among senior leaders. Data privacy is now a board room issue, yet a recent study showed that 76 per cent of Canadian enterprises confessed to stockpiling out-of-use equipment and 57 per cent agreed that the plethora of different devices is not only a cause of this but leaves them vulnerable to breaches. 2020 will need to see the industry band together to better educate at all levels. This should happen by implementing data lifecycle management processes that integrate into existing systems and workflows. Making data erasure an active part of these processes instead of an afterthought should be the key to unlocking this.”
Corey Nachreiner, CTO of WatchGuard Technologies:
“Despite its far-reaching damages and soaring revenues, ransomware has largely left the cloud untouched. As businesses of every size move both their servers and data to the cloud, it has become a one-stop-shop for all of our most important information. In 2020, we expect to see this safe haven crumble as ransomware begins targeting cloud-based assets including file stores, S3 buckets, and virtual environments.”
Brian Vecci, Field CTO at Varonis:
“Forget fake news: 2020 will be the year of the deepfake and at least one major figure will pay the price. Thanks to leaky apps and loose data protection practices, our data and photos are everywhere. It will be game-on for anyone with a grudge or a sick sense of humor. It raises the ultimate question: What is real and what is fake?”
Jon Wallace, security technologist at INSTART:
“Given that attacks on the webserver are generally more challenging, attackers will instead look to leverage holes and weaknesses in the browser. Web applications generally come together in the browser much in the same way that traditional applications come together in the compiler, with external libraries and first-party code, which are all linked together. The problem, however, is that the same robust development practices that are often in place for traditional apps aren’t applied within the web-app world.”
Kowsik Guruswamy, CTO, Menlo Security:
“The coming year will usher in an even greater adoption of cloud security, with a material change in attitude and organizations fully embracing the cloud. As organizations increasingly access enterprise applications like Box, Salesforce, etc., it’s no longer practical for them to VPN back to the stack to remain secure while accessing these services in the cloud. With this move to the cloud comes countless security risks. Not only will we see more companies jump on the bandwagon and shift their applications and operations to the cloud, but we will also see the security stack move to the cloud and more resources dedicated to securing the cloud, such as cloud councils.”
Ravi Khatod, chief executive officer, CloudVector:
“The Capital One breach may have been the most high-profile API breach, but it wasn’t the first and it won’t be the last. According to a 2018 Deloitte global CIO survey, 93 percent of respondents have adopted the cloud or are considering it. CloudVector’s own research indicates a majority of organizations have deployed Docker or Kubernetes, resulting in widespread use of APIs. Yet even as organizations seek to implement an API security strategy, they have been limited by the capabilities of the market to provide more than access controls. Even worse, these gateways provide no observability to discover API specifications nor to monitor for changes. As attackers turn their attention to this unsecured vector, 2020 will become known as the year of the API breach.”
David Richardson, senior director of product management, Lookout:
“Authentication will move from two-factor to multi-factor, including biometrics in 2020. Most companies have implemented one-time authorization codes (OTAC) to provide two-factor authentication (2FA), but Lookout, and others in the industry, have already seen OTAC targeted by advanced phishing attacks. To protect against credential theft and to address regulatory compliance, enterprises are increasingly adopting MFA and biometrics using mobile devices. This new approach strengthens authentication and improves user experience, but it is critical that the mobile device is free from compromise.”
Matt Tyrer, technology evangelist, Commvault:
“With AI creeping into more areas of our lives than ever, companies in this space will have to double-down on eradicating, or at least minimizing, any bias embedded in their AI. This will mean pre-processing and profiling of data prior to its use in AI systems – so once again, data quality will take centre stage, but for different reasons than previous years.”
Sean Peasley, Internet of Things (IoT) security leader in Deloitte Cyber Risk Services:
“Without built-in security, IoT devices and their users will suffer. In today’s age of connectivity, security for IoT devices must be brought to the next level. In 2020, widespread transformation will become a necessity as organizations will need to build security into devices and applications rather than bolting it on to existing technology. Repercussions of not prioritizing this will become dire as connected devices evolve from seemingly trivial tools such as thermostats and refrigerators towards higher stake technology such as autonomous vehicles and more. Without building security into these environments, organizations will put end-users’ physical safety, privacy and more at risk.”
Michael O’Malley, vice-president of strategy, Radware:
“In 2020 we will likely see 5G IoT devices successfully take down a high profile network and/or an application. 5G offers large improvements in network performance as well as lower latency, which could prove valuable for companies. On the flip side, those advances will enable threat actors to wield more powerful botnet armies comprised of 5G IoT devices, which generally have low security measures embedded at endpoints.”
Srinivas Mukkamala, co-founder and CEO of RiskSense:
“Concern for container security will continue to increase significantly and with good reason. With 90 per cent of enterprises currently implementing containers, securing these assets is now a top priority. While the prevention technologies like TwistLock, Aqua, and StackRox are important, the ability to map vulnerabilities to individual container assets (static and run-time), which has proven so valuable for securing other parts of the IT attack surface, is sorely lacking. One of the leading security vulnerabilities that will need to be addressed in 2020 is that far too many containers are running with far too many privileges. In these scenarios, if one container is compromised, an attack can quickly lateral across the enterprise IT infrastructure.
As an industry, we invested heavily on identity and access management at the user level, but have not done the same for container and cloud implementations.”
Joel Windels, chief marketing officer, Netmotion:
“Ransomware attacks have been incredibly successful, resulting in multimillion-dollar payouts. For that reason, it’s only natural that hackers will turn their focus to new, exposed targets in 2020. As a result, we may see the first concerted ransomware attacks on mobile applications running on Android or (less likely) iOS devices. As OS fragmentation becomes a bigger issue for Android devices, in particular, many of these devices have been left unsupported with older software and less frequent security patches. This has proven to be a headache for IT teams simply from an application compatibility perspective, but time will tell whether it becomes a genuine security threat, too.”
Adi Dar, CEO of Cyberbit:
“The talent crunch will continue to get worse but companies that can’t or won’t outsource their security operations to an MSSP will improve their ability to fill and retain critical SOC roles. This will happen for two reasons. First, due to the law of supply and demand, SOC analysts will become the highest-paid cybersecurity workers. Second, HR staff will start looking internally for SOC talent and focus their efforts on up-skilling or reskilling existing employees. Viable candidates that may not have initially been interested in applying for a job that requires significant retraining will be enticed by the ever-increasing prestige and high pay.”
Tim Steinkopf, CEO of Centrify:
“A 2019 Centrify study revealed that 60 per cent of organizations don’t understand the shared responsibility model when it comes to who secures workloads in the cloud. This will create a false sense of security in cloud security providers by their customers, as the latter are responsible for securing privileged access to their cloud administration accounts and workloads. Therefore, cloud environments will become a top target of cyberattacks in 2020 as this false sense of confidence placed by organizations is exploited by bad actors.”
Christopher Kennedy, CISO of AttackIQ:
“We are just beginning to recognize the social dangers of rapidly-advancing and broadly-used technology in a highly connected society. Take new biometric technologies, as just one example. Advanced facial recognition capabilities are being used by governments around the world, and in response, consumers have begun to revolt by creating and donning an “opt-out” cap that obstructs the wearer from being identified by facial recognition scanners to avoid physical tracking. In 2020 we’ll see a continued rejectionist movement, particularly among young people; further exploitation of various technologies; and a growing trend of avoiding social media. We will witness a strong movement of distrusting the government’s use of technology in the processes that put them in power, and in-services intended to protect and support the public.”
Gaurav Banga, CEO and founder, Balbix:
“In recent years, CISOs have gotten much-desired access to the board of directors, yet have struggled to speak in a language that resonates. This has limited the value of their exposure to the board, with many struggling to achieve the appropriate backing for their initiatives. In 2020, CISOs will recognize that business leaders will never understand technical security details such as threats and vulnerabilities, and will begin to leverage education and new tools to communicate business risk and economic exposure to the board.”
Anurag Kahol, CTO and co-founder, Bitglass:
“Misconfigurations of cloud databases will continue to plague enterprises around the world and will be a leading cause of data breaches in 2020. Gartner forecasts that global public cloud revenue will reach $249.8 billion in 2020, a 16.6 per cent increase from 2019. This rapid rise in revenue is spurred by continued growth in cloud adoption. However, cloud adoption is clearly outpacing the adoption of the tools and expertise needed to properly protect data in cloud environments; this is supported by the fact that 99 per cent of cloud security failures will be the customer’s fault through 2025, according to Gartner. Consequently, misconfigurations will continue to be a leading cause of data leakage across all verticals.”
Chris DeRamus, CTO and co-founder, DivvyCloud:
“Everything in the cloud has an identity, and the relationships are complex, so scoping to least privilege or adopting zero trust sounds great, but is really difficult to do. In 2020, security professionals are going to realize that identity and access management (IAM) is an area where they can lose control rapidly, and it is very hard to take back. Approaches and strategies from the datacenter world don’t transfer, and companies need to rapidly invest in the process and in supporting tools (including automation) to stay ahead in this complex landscape. The repercussions of poor IAM governance are substantial and sometimes unpredictable.”
James Carder, CSO and vice-president of LogRhythm Labs:
“Ransomware continues to be easy cash for hackers, recently reaching an average payout of US$41,000. Given ransomware’s proven track record, it’s time for hackers to take it to new markets. Critical infrastructure is a prime target: while most ransomware isn’t built to target this type of infrastructure, it can still be used in those environments, and shutting down a power grid is certainly going to yield a significantly higher than average payout – not to mention it could lay the foundation of distrust in the government’s ability to protect its citizens. Critical infrastructure is due for another significant breach anyway, making 2020 the perfect opportunity to introduce ransomware into this space.”
Peter Goldstein, CTO and co-founder of Valimail:
“Brand Indicators for Message Identification (BIMI) is an email standard that will change the way people interact with their favorite brands via email. BIMI provides a framework through which an organization can provide an authorized logo for display in the recipients’ inboxes alongside authenticated email from that organization. We predict BIMI will grow in popularity, especially among large enterprises and prominent brands that rely heavily on the trust and engagement of their customers. In fact, Google will be launching a BIMI pilot in 2020, which will help spur adoption. Research by Verizon Media has shown that BIMI can increase open rates and boost customer engagement, giving marketers a big incentive to support the email authentication that is a prerequisite for BIMI.”
Darren Guccione, CEO and co-founder of Keeper Security:
“Risk of cyberattacks and social media misinformation/disinformation attacks against government agencies (systems, databases and people) will increase, with a focus on the 2020 U.S. presidential election. Most likely, these attacks will be orchestrated by well organized and technically sophisticated cybercriminals.”