As 2020 gets underway, you've probably seen about 30 or 40 IT and cybersecurity prediction lists. And to be honest, most of them are quite scary in terms of how sophisticated cyber attacks have become.
Let's take a look at my top predictions with a twist: how organizations can remedy or think about new strategies or approaches.
Advice for the decade's top cybersecurity predictions
As powerful as artificial intelligence is, AI is also powering the creation of highly convincing fake audio and video content. Known as deepfakes, this content can make a real person, like a sports figure or politician, appear to say or do whatever the creator of the content wants to have the person say or do.
Forrester wrote that costs related to deepfake scams will exceed $250 million in 2020. Various media reports have stated that some organizations are already being tricked into wiring large amounts of money to scammers. This is taking social engineering to new levels, so as always, start with the basics to protect all your social media accounts against account takeover, preventing things like malicious posting — whether it be a malicious phishing link or a deepfake video — on your behalf. Also, don’t forget to monitor social channels for mention of your brand and top executives and be sure to make all of your employees aware of this increasing threat.
The increasing growth and complexity in the number of partners and suppliers an organization has is mind-boggling. In turn, vulnerabilities across such partners expose organizations to a variety of risks that can come from the exploitation of the weakest link in a global network, which could be several layers down your supply chain.
Any supply chain system open to suppliers or third-party contractors may be less secure than a company’s own network. Think about it: in many cases your suppliers are often treated as your most trusted business partners and may have access to your network. Attackers attempt to use the supplier as a launching point to other larger organizations by exploiting the level of trust given to them.
To get ahead of this, start a review of your current vendor risk management (VRM) process and your current vendor risk segmentation model, then identify which vendors are not currently risk-assessed and analyze the current scope of your VRM. As you continue to mature your program, conduct a review of who has responsibilities and accountabilities of VRM and develop a living roadmap for improving efficiency and effectiveness of VRM.
The introduction of 5G has greatly raised the speed and scale at which all personal data is processed, stored, transmitted and received, which in turn will, yes, increase the risk that privacy will be sidestepped. Security and risk management leaders need to enhance customer and stakeholder trust by implementing countermeasures that minimize privacy risks.
5G also increases the risk of data breaches with the acceleration of IoT, which expands the attack surface that can be exploited. Attackers will have many more devices that they can seek to exploit. Attackers can also target one type of device, then use the exploited weakness to link other connected devices and coordinate an attack. The ultimate goal is to gain access to personal or other sensitive data such as NPI, PII or PHI.
Building a secure 5G architecture requires organizations to take an enterprise view, not just focus on individual technical components in isolation. Organizations need to look at things like interactions between user authentication, traffic encryption, mobility, overload situations and network resilience aspects — all considered together. It is also important to understand relevant risks and how to address them appropriately.
Attacks on critical infrastructures
As we know, unfortunately, all networked devices and systems can be vulnerable, and in this connected world we live in, the cybersecurity of a network is only as strong as the weakest device connected to it. When those devices are used in high-risk environments like critical infrastructure such as financial or power, the consequences of a breach could be more far-reaching, with the potential to take down much more than just an ATM network or substation or other facility.
Therefore, it is essential that networked devices in these applications provide the level of security necessary to protect the overall system from the potentially catastrophic effects of a breach.
Back in November 2018, the President signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA). This legislation elevated the mission of the former National Protection and Programs Directorate (NPPD) within DHS and established the Cybersecurity and Infrastructure Security Agency (CISA).
The CISA coordinates security and resilience efforts using trusted partnerships across the private and public sectors and delivers technical assistance and assessments to federal stakeholders, as well as to infrastructure owners and operators nationwide. In case you missed the news, a new spending bill allotted the Department of Homeland Security’s (DHS) cybersecurity agency more than $2 billion for fiscal 2020, a $334 million increase in the last year for the year-old agency tasked with protecting federal networks and critical infrastructure from cyberattacks.
The 16 critical infrastructure areas are:
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Defense Industrial Base Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Food and Agriculture Sector
- Government Facilities Sector
- Healthcare and Public Health Sector
- Information Technology Sector
- Nuclear Reactors, Materials, and Waste Sector
- Transportation Systems Sector
- Water and Wastewater Systems Sector
Nation-state actors and high-profile criminal organizations operate with a level of sophistication that surpasses the basic preventative and detection capabilities of most security and risk management teams. Most people would agree that in terms of the threats the U.S. faces, nation-state hackers are the most serious. According to various reports, cyber breaches were projected to cost the global economy $2.1 trillion in 2019, more than quadrupling the cost since 2015.
Everyone understands the importance of security, but the hidden challenge of security and technology as evolving concerns requires continuous learning. Organizations are not always making a concerted effort to stay current. Every organization should evaluate the overall (people, process and technology) risk exposure of the company and its clients, business partners and third-party relationships mapped to standards, frameworks and regulations. Also seek to identify and analyze possible vulnerabilities that may be exploited by malicious persons or activities from a technological standpoint by conducting a vulnerability assessment or penetration test.
In 2019, the US was hit by an unprecedented number of ransomware attacks that impacted almost 1,000 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion. In 2020 I suspect we will see a sharp increase in these numbers.
Traditional entry points such as malware, vulnerability exploit, spear phishing and other human-facing social engineering tactics remain among the most successful forms of attack, despite advances in security architectures and technology. New attack surfaces are constantly being developed such as third-party providers, new targets within the organizations, attacks on APIs and a shift in techniques, such as completely fileless attacks with AI and ML.
To combat this problem, organizations really need to apply some rigor around conducting regular tests on how existing defenses adapt to trends for the most prevalent threat vectors: malware, phishing and attack on credentials. Conduct incident response tabletop exercises and engage in a cross-team effort to improve discovery of new assets and emerging business technology use. Leverage the use of a risk register to standardize the approach to aim at a more continuous exposure assessment.
In case you have lived under a rock, the California Consumer Privacy Act (CCPA) went into effect on Wednesday, January 1st, 2020. According to estimates in the Standardized Regulatory Impact Assessment for the law, CCPA will protect more than $12 billion worth of personal information that’s used for advertising in California each year.
AB 375 is very light on requirements around security and breach response when compared to the General Data Protection Regulation (GDPR), but requirements around tracking, accessing and storing data are called out, which means collaboration with teams in your organization is critical.
Compliance isn’t a simple process and it's not a product you buy, and it affects multiple areas of a company, not just SecOps or IT. You’ll need executive buy-in to obtain the staff hours and other resources to make this happen.
By 2021, 90 percent of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the UI (up from 40 percent in 2019). Poor API design can limit usage and functionality and result in deployment delays and cost overruns.
As I have said in previous articles, APIs are being added and consumed by organizations on a regular basis, making solutions to these data breaches more complex. With today’s modern application architecture trends — including mobile devices, microservice design patterns and hybrid on-premises/cloud usage — API security is complicated, and there is rarely a single "gateway" at which protection can be enforced.
It is impossible to secure what you cannot find or categorize. Initial interviews with key API stakeholders when developing new security policies will allow for input across the organization on:
- key steps the organization can take;
- maintaining an inventory of your APIs, starting with externally exposed APIs;
- developing API security policies, including authentication and authorization of API users, traffic management and content threat detection;
- API management gateway (there are many providers of API gateways and micro-gateway solutions) as the go-to technology;
- how existing platform vendors can contribute;
- removing or tokenizing sensitive data in the API URL path; and
- a capabilities view of API security before implementing it in infrastructure, such as API gateways.
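As an added illustration of the "removing or tokenizing sensitive data in the API URL path" item above (this is example code written for this page, not the author's or any vendor's), the following Python sketch detects e-mail addresses, SSN-style identifiers and Luhn-valid card numbers in a request URL and swaps them for keyed tokens before the URL is logged or forwarded. The key, the `tok_<kind>_<mac>` format, the detector patterns and the sample endpoints are all assumptions made for the example.

```python
import hashlib, hmac, re
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit

TOKEN_KEY = b"constructed-demo-key"  # assumption: a real key comes from a secrets store

def luhn_ok(digits):  # Luhn checksum: keeps long numeric IDs from matching as cards
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# (kind, pattern, optional validator) for values that should not travel in a URL.
DETECTORS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), None),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("card", re.compile(r"\b\d{13,19}\b"), luhn_ok),
]

def scrub(text):
    # Replace each sensitive value with a keyed, stable token; report the kinds found.
    found = []
    for kind, pattern, valid in DETECTORS:
        def repl(m, kind=kind, valid=valid):
            if valid and not valid(m.group()):
                return m.group()
            found.append(kind)
            mac = hmac.new(TOKEN_KEY, m.group().encode(), hashlib.sha256).hexdigest()
            return f"tok_{kind}_{mac[:12]}"
        text = pattern.sub(repl, text)
    return text, found

def tokenize_url(url):
    # Scrub the decoded path and every query value, then rebuild a log-safe URL.
    parts = urlsplit(url)
    path, found = scrub(unquote(parts.path))
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        value, kinds = scrub(value)
        found += kinds
        pairs.append((key, value))
    return parts._replace(path=quote(path), query=urlencode(pairs)).geturl(), found

# Constructed sample request URLs, as a gateway access log might record them.
SAMPLE_URLS = [
    "/v1/users/alice%40example.com/profile",
    "/v1/customers/123-45-6789/orders?card=4111111111111111&order=1234567890123456",
    "/v1/health",
]
```

Because the token is an HMAC of the original value, the same customer maps to the same token across requests, so logs stay correlatable without exposing the identifier itself.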
Shared responsibility model
This term is going to become common in 2020, if it hasn’t already, and it's overdue. The Information Sharing and Analysis Centers (ISACs) have been talking about cybersecurity being a shared responsibility for years now. The ISACs bring together analysts from companies of all sizes to share information on how to identify and defend against active attacks.
Information sharing is essential to the protection of critical infrastructure as we discussed earlier in this article. No matter where you look, this term is becoming very common (AWS specifically identifies security and compliance as a shared responsibility between them and the customer).
Shared responsibility just means that everyone needs to take part in securing your information. If the vendor is going to help you respond to cyber security incidents, that’s great, but you (the consumer) need to make sure your data breach disclosure and notification requirements when relevant are up to date.
Brace for Zero Trust
The main purpose of a Zero Trust architecture is to trust nobody — inside or outside your network — by default and require strict verification of every individual or device before granting access. Zero Trust network access provides flexible design and precise access, and it is identity focused. Removing network location as a position of advantage eliminates excessive implicit trust.
With the explosion of IoT, the lack of skilled resources and exploitability of insider threat (as we discussed earlier), it's now more than ever critically important to embrace a security approach that includes Zero Trust. A well-thought-out Zero Trust environment should be agile and dynamically adjustable to your unique business requirements such as customer-facing services, geographic business expansion, public cloud services, third-party suppliers and opening up critical processing facilities.
A secure 2020
As always, the world of cybersecurity continues to evolve. It's apparent that my advice from the previous decade continues to ring true as we move forward: it is more important than ever to continually evaluate your security posture and stay up to date on what today's attacks look like and how to respond.