A CISO's Security Predictions for 2020As Threats Continue to Evolve, So too Must Defenses
Having worked with some of the smartest and most competent CISOs and delivered literally hundreds of cybersecurity solutions to a broad variety of clients over the past decade, I have witnessed the amazing evolution of cyber defense technologies and an equally startling speed of recovery and response curve embraced by cyberattackers.
I have participated in post-attack forensics and incident response for clients across industries ranging from hospitality to retail, gaming to healthcare, manufacturing to finance. And I've watched script-kiddies take down banks and interrupt well-known Internet services, inter-bank messaging services and national payment systems - for fun.
Lacking improved context beyond our conventional threat perimeters, it will continue to be difficult to defend against modern cyberattacks and threat actors.
So when I'm asked to come up with a list of cybersecurity predictions for the new year, my thoughts are often informed by what went wrong and what needs to be done to get things right. Invariably, the evidence points to failed fundamentals.
More of the Same
When I look to the future, I see only more of the same. More pressure to adopt new technologies and to leverage productivity-enhancing operational environments through expanded cloud-based computing, AI and ML, "smart" devices, 5G and IIoT networks - with far more work at faster speeds with fewer skilled resources.
The cybersecurity outlook for 2020 and the new decade will be characterized by more advanced, targeted and coordinated attack vectors designed to exploit the cybersecurity skills shortage, along with congenitally poor security fundamentals and hygiene, the result of an expanding demand for new and untested technology by business owners seeking to reap the benefits of digitization.
While the risks associated with malware and phishing attacks can be mitigated through proper cyber-defense strategies, tools and processes, most organizations aren't there yet.
Lacking improved context beyond our conventional threat perimeters, it will continue to be difficult to defend against modern cyberattacks and threat actors. Some of the more easily predictable dangers lurking on the 2020 battlefield are:
The combination of AI and GAN technologies and the flaws inherent in all of the current technologies that leverage facial recognition to unlock smart phones, verify passport IDs and identify criminals on the street presents a rapidly growing threat, which cybercriminals will look to exploit.
Extortionary deepfakes will be used to portray highly realistic videos of executives in compromising positions alongside ransomware demands tied to the threat of public domain release.
Propagandized deepfakes will abound throughout the 2020 election cycle and be leveraged to discredit candidates and propel misrepresentations of truth (lies) to micro-targeted segments of voters via social media.
Audio and video deepfakes will enhance the credibility of business email compromise attacks and lend an even more convincing air of authenticity to money transfer requests.
And it won't take a hacking genius to pull these off. In fact, anyone can leverage AI to build convincing deepfakes without expertise in technology. Machine-learning websites available today can accept uploaded audio and videos and return deepfakes based on specific scripts.
These deepfakes will also be used outside the political and ransomware arenas to mimic authentic CEOs making earnings calls or announcing a product recall, while threat actors leverage the obvious subsequent repercussions in the equity markets.
The Ransomware Two-Step
Multistage extortion attacks will become the norm, with initial lock-ups used to bargain with victims or insurers within a pre-set range for return of files and then secondary boosters re-targeting the same victims aimed at the public disclosure of sensitive data, IP, emails and internal documents.
API and IPA
Enterprise dependence on APIs will increase alongside the expansion of reusable cloud application components for back-office automation and ubiquitous cloud services, such as Office 365 and Salesforce.
The more APIs that reside outside of the application security infrastructure, the greater the access to vulnerable paths to sensitive data, which are largely ignored by most security processes and prevention teams.
Consumption-based APIs that are not secured well with strict rate limits will continue to remain the most vulnerable and lead the way toward an increase in cloud-native threats in 2020, resulting in a sales spike for 7 percent alcoholic IPA brews.
Hygiene and Fundamentals
U.S. businesses will continue to ignore third-party, supply-chain and basic cybersecurity hygiene threats, resulting in a historic level of preventable cyberattacks and corporate data breaches. Internet-facing RDPs (Microsoft's Remote Desktop Protocol) remain exposed and create high-value opportunities for cybercriminals to attack networks, gain control and execute their vector of choice. Even if an attacker chooses not to access sensitive information or deploy ransomware, cybercriminals routinely buy and sell Remote Desktop credentials in criminal markets for substantial returns because some targets contain high-value IP, PHI and PII.
Our apparent inability to remove hundreds of thousands of internet-facing RDPs or restrict access behind a secure virtual private network or invoke firewall rules for authorized users or implement a multifactor authentication mechanism will perpetuate this lingering hygiene threat well into 2020 and beyond.
In addition, patch-related issues are increasing as we continue to implement open-source and network components that expand the threat landscape by an order of magnitude. The confluence of the current skills shortage and an ever-increasing workload is creating a broadening exposure that attackers will leverage for additional points of entry. It's not just the timeliness of critical patch applications that are in the cross-hairs. The failure to patch completely or the ability to provide defect assurance opens up disruption opportunities against critical systems. Attackers will continue to push the current trend of exploiting patch gaps and bypass the incomplete patches on their way to opportunity targets on the network.
Remote working arrangements and improperly configured home computing devices will change the definition of third-party risk as work-from-home employees will inadvertently create an entry point for supply chain attacks through impersonation - either directly to the host network or through connected adjacent systems. As we become more dependent on a broad array of enterprise and third-party software for remote workers, we will require heightened attention to identity access controls, router settings and more sophisticated authentication schemes.
Pushing the Limits in Cloud Adoption
DevOps will need to increase the attention paid to vulnerabilities in container components becuse today's software release cycles are faster and more integrated and the container counts are skyrocketing. A given application will require development teams to make sure that hundreds of containers across multiple virtual machines and stored in a combination of hybrid and commercial cloud platforms are secure. Conventional security best practices will not be able to keep up, creating dramatically increased risk and new opportunities for cybercriminals to hijack sensitive data.
The disconnect between commercial cloud customers and providers over the shared responsibility model and failures to properly configure access privileges on internet-facing servers will replicate the vulnerability that was exploited in the Capital One breach and expand the threat surface for extensive cloud adoption.
The Expanding Threat Surface
The implementation of software-defined 5G alongside the increase in the quantity of smart devices and the cascading networked IoT universe will introduce brand new vulnerabilities at scale simply due to the never-before-seen-nor-tested technologies underpinning each rail and the now common inability of the vendors' to anticipate and mitigate resulting threats by design.
As we continue to satisfy our thirst for greater productivity, connectedness and profitability from digitized business operations dependent upon advanced technologies, we substantially ratchet up the threat meter while failing to provide reasonable offsets through proper resource provisions within our InfoSec infrastructure. It's a recipe for an expanded universe of risk, a reduction in the ratio of skilled practitioners to mitigated threat vectors, impressive advances in the unaddressed sophistication of cyberattack techniques and many more breaches.
What is required to combat the onslaught is the implementation of a multilayered approach to cyber defense that includes complete visibility, behavior monitoring, detection and blocking of intrusions across the network and every endpoint, a correlation of that data for integration with threat intelligence and optimized remediation in near-real time, leveraging advanced technologies that can orchestrate and automate response and recovery.
That's a multilayered defense capability that most organizations don't enjoy today.