From state-sponsored attacks and vulnerable industrial systems to an ongoing shortage of security practitioners, 2018 brought us larger breaches, bigger DDoS attacks and the increasing challenge organizations face defending their infrastructure from criminals. It was a year of firsts—week-long DDoS attacks in the terabytes, monetization of compromised systems for crypto-mining and increased political and military motives for launching attacks. The mandated GDPR data protection and privacy regulations also went into effect, changing individual rights to personal data protection with impacts worldwide.
Applications were notably the primary target, outside of users themselves, of cybercriminals in 2018 and as we look towards the new year, one thing is certain: this phenomenon will remain unchanged. Applications and their users will remain at risk and as 2019 rounds the corner we need to be prepared for the continuous evolution of cybercrime.
These are some of the major areas where we see new trends and sustained risk:
There is a shared responsibility to secure systems in the cloud. While the cloud provider is responsible for their infrastructure and the services a customer purchases, securing the application itself is the customer’s responsibility. As more organizations rely on cloud services, cloud providers are drawing a line to help organizations understand where their responsibility ends. Many of the early cloud security solutions were built out of necessity but as more critical applications move to the cloud, it will be up to the customer to ensure the proper policies, identity & access management, and other security protections are in place for their unique application requirements. There could be a rise in managed security service providers (MSSPs) in the coming year offering needed services that a traditional cloud vendor lacks… with the continuing trend that security personnel remain in limited supply.
As more business units (HR, Finance, etc.) deploy their services in the cloud, they too will need to adopt security measures. Often this is in conjunction with their IT department, or at least following some ‘best practices’ but there will be many who, while rushing to the cloud, will forget or forgo security in their quest for agility. For the business overall, more cloud adoption means increasing budgets for cloud infrastructure security, managed services, IAM, user behavioral analytics, and orchestration/automation-type solutions.
Organizations may also look to build more security into the code, but they also need security considerations within DevOps functions. Whatever the security measure—WAF, IPS, IAM, proxy—those services should be considered and tested during development.
2019 will ultimately see more budget allocated for application security. This is good since all our lives depend on those applications.
There are billions of connected devices today and billions more are set to connect in the coming years. Many have limited, or no, security built in making them ripe for takeover. In the past, IoT botnets were only considered theoretical until Mirai hit in 2016. Today, ThingBots delivering DDoS attacks are a daily occurrence.
Given this, proactive bot defense will be crucial in the coming year. While you may already have a Web Application Firewall (WAF), many traditional WAFs do not provide this important function nor do they have the capability to mitigate evolving threats targeted at the app layer. More advanced protections are necessary to address threats moving up the app stack.
To address limited security features in IoT devices, California recently passed a law (SB 327) that places more responsibility on manufacturers. While light on specific details it does mandate that, “Beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
This is an important first step in legislative regulation regarding these not-so-smart devices. It could also set a precedent that other states will soon follow. The law mandates that manufacturers reveal the information/data the device collects, contains and transmits. It also requires that each device have a unique password that users can change before use. This is important since many compromised IoT devices either have no password or the default is well-known and therefore exploited.
We’re not talking about any new iPhone, Android, Samsung, or other models here but more about areas like policy-based access, behavioral biometrics, 5G and Enterprise Mobility/BYOD.
Policy-based access enables employees using any device to access data while that data is protected by encryption or virtual, isolated work containers that can be erased if the device is lost or stolen, or if an employee leaves the company.
Devices will also become better at identifying and authenticating the owner. Newer facial recognition software can determine contours of the face, or evolve to recognize the person’s voice, movements, or typing style to unlock the phone. This is certainly important as more workers access corporate resources from their personal devices.
Phishing is the number 1 attack vector according to F5 Labs threat research. Social engineering tactics have made phishing scams far more sophisticated and difficult to spot. Attackers profit by monetizing their hacking, and that drives the type and frequency of incidents. Often, phishing attacks are a way to steal an identity to then use for an application attack. According to Symantec, the average user was receiving 16 malicious emails per month last year. If you are phished, keep a close eye out for additional intrusions.
While maintaining total privacy in today’s digital age is near impossible—and becomes more complex with the plethora of personal smart devices—remember that most of us willingly share details about ourselves on a daily basis. Even though our data and information may have sprawled all over the internet, we still need to take every security and privacy precaution we can. Europe’s GDPR seeks to protect every piece of personal data, and any breach could dismantle an organization due to GDPR fines. With GDPR, the reputational hit to a breached organization can have lasting consequences.
We need to be smart, stay vigilant, and watch how much we’re giving away. You never know when that old friend from high school suddenly appears in an email asking if you’re going to homecoming. Pro tip: Don’t click the link!!