The growing crescendo of cybersecurity threats continued to grab headlines this past year and the prospects for even more disturbing news seem likely as we move into 2020, so says a panel of cyber experts that provided SIW insights into what they see as their top predictions for risk in the new year.
The ever-evolving cyber threat landscape continues to grow as more cloud applications are added, the IoT universe expands with myriad more devices and data stockpiles explode. How organizations and their security staffs manage this increased risk often depends on their strategic approach to creating a proactive plan of attack instead of counting on a reactive response once an incident has occurred. Avoiding the security blind spots while maintaining cyber vigilance is a challenge most CSOs can appreciate.
So, what do our cyber experts predict for the future of 2020 in the cybersecurity ecosystem? While the potential threats headed into the new year seem endless, our experts narrowed their list down to what they consider the Top Six Cyber Threats of 2020.
The IoT Universe is Under Attack
“We will see an increase in attacks on IoT devices, including smart home devices, home automation systems and more. We might see new forms of IoT financial cybercrime, building on first-generation IoT attacks on ATMs and their networks. Cybercriminals will exploit payment services and open banking initiatives such as Google's plan to offer checking accounts, Apple Pay, Google Pay and possibly Facebook's Libra. These technologies will provide opportunities for a new type of cybercriminal who utilizes next-generation payment providers to hack into accounts and not only access customer data but steal funds as well. On the plus side, we'll also see more systems based on artificial intelligence that will help companies protect themselves. We will even see solutions that were previously considered too good to be true,” says ThetaRay CEO Mark Gazit.
Srini Samudrala, Vice President and Chief Architect at Infinite says that while the IoT revolution is here to stay and that in 2020 this revolution will finally deliver on the full promise of digital transformation, the risks will also grow. He says that IoT-driven insurance will begin to create a paradigm shift in the insurance sector.
“Starting with autonomous cars, as more vehicles become driverless and rendered safer in 2020, the auto insurance market will start seeing huge paradigm shifts in 2020 and beyond. Looking ahead, we expect to see insurance companies insuring the technology or algorithms that make autonomous vehicles possible, instead of insuring the vehicles or people themselves. In fact, we foresee many companies developing in-house insurance products to insure their own technology. Additionally, IoT devices installed in every place from smart buildings, to large venues, college campuses and commercial establishments will provide the necessary data, driven by analytics and AI, which will enable insurers to move from an insure model to an ‘ensure’ model, driving down costs. This will also ensure continued operations and reduced risk, driven by predictive and preventive maintenance procedures,” Samudrala concludes.
Jonathan DiVincenzo, head of product at Signal Sciences shares that estimates of the number of IoT devices are expected to exist in 2020 varies enormously from 9.9 billion to even 50 billion. He says that not including smartphones and routers likely puts us on the low side of those estimates. But securing the billions of devices that interact with corporate networks and IoT providers daily is still a tall order.
“The days of massive home-router botnets taking down key parts of the internet infrastructure may—and that's ‘may’ with a question mark—be behind us. However, the proliferation of connected devices whose manufacturers have not fully considered security implications will make the Internet of Things a target of both security researchers and attackers for years to come,” says DiVincenzo. “For companies, the growth of connected devices increases the attack surface area that must be monitored. While much of the focus is on cyber-physical attacks—particularly cars—wearable devices, for example, pose a real threat as they can interact with corporate networks for reconnaissance or as a jumping-off point for an attack. For the most part, security products do not know how to handle these devices from a network monitoring standpoint, so they can be a source of significant false positives, or conversely, when such alerts are ignored, a potential place to hide attacks.”
Sean Peasley, Internet of Things (IoT) Security leader in Cyber Risk Services at Deloitte Cyber adds: “In today’s age of connectivity, security for IoT devices must be brought to the next level. In 2020, widespread transformation will become a necessity as organizations will need to build security into devices and applications rather than bolting it on to existing technology. Repercussions of not prioritizing this will become dire as connected devices evolve from seemingly trivial tools such as thermostats and refrigerators towards higher stake technology such as autonomous vehicles and more. Without building security into these environments, organizations will put end-users’ physical safety, privacy and more at risk.”
Ransomware Attacks Will Explode
Seth Berman, leader of Nutter’s Privacy and Data Security practice group and a former Assistant U.S. Attorney, where he was one of the most prominent computer crimes prosecutors in Massachusetts, says that 2020 will see an increased use of ransomware.
“Ransomware was originally created to be deployed against financial institutions. As financial institutions have gotten savvier in their defense against these types of attacks, hackers have started to go after a variety of targets in different and unique ways (i.e., the ransomware attacks in cities such as Baltimore). In 2020, we will continue to see an increase of ransomware attacks against different entities and in different forms.” Berman predicts.
According to Centrify CEO Tim Steinkopf, his expectations are that ransomware attacks will double in 2020. “The annual FBI Internet Crime Complaint Center Internet Crime Report for 2018 reported that the number of ransomware complaints decreased but the total amount of losses caused by the malware increased. This trend will continue in 2020, and, as the FBI softens its stance on business paying the ransom, the number of ‘successful’ ransomware attacks will more than double with total losses of all reported attacks increasing tenfold.”
It is a lot easier to change a malware’s appearance than to change its purpose or behavior, which is why modern ransomware relies on obfuscation to be successful, explains Mark Loman, Director of Engineering for next-generation tech at Sophos. But he feels that in 2020, ransomware will raise the stakes by changing or adding traits to confuse some anti-ransomware protection.
“From abusing a user’s account control bypass controls to elevate user account privileges to prioritizing the document size and drives they target first, ransomware attackers are tweaking their methods to give themselves an edge. Among the most notable advancements is an increase in ransomware attackers raising the stakes with automated, active attacks that blend human ingenuity with automation tools to cause maximum impact. And by encrypting only a relatively small part of each file or booting the operating system to a diagnostic mode where anti-ransomware protection is often unavailable, attackers will continue to evade most defenses,” says Loman. “Ransomware will continue to be a major player in the threat landscape as long as victims remain easily identifiable. The low-hanging fruit of exposed services, unpatched systems and compromised credentials will provide an ample bounty to both skilled and unskilled attackers. It is vital to have robust security controls, monitoring and response in place covering all endpoints, networks and systems, and to install software updates whenever they are issued.”
Increased Risk for The Cloud
When it comes to cloud computing, flexibility is the name of the game according to Andy Miller, Senior Director of Global Public Cloud for Sophos, stressing that an organization’s ability to toggle on or off resources as needed makes it easier for business to scale up to computing power that suites the needs of the clients. However, when it comes to securing the cloud, all that flexibility and ease can come back to bite you later.
“In 2020, small missteps in the cloud will end up exposing large businesses. The greatest vulnerability for cloud computing is simple misconfigurations. As cloud systems become more complex and more flexible, operator error continues to increase risk. Combined with a general lack of visibility, this makes cloud computing environments a ready-made target for cyber-attackers,” warns Miller. “Cloud platforms themselves are so complex, and change so frequently, it's often difficult to understand the ramifications or consequences of misconfiguring a specific setting. Further, the inability to closely monitor exactly what an organization’s machines are doing is hugely problematic. Criminals know this and have been attacking cloud computing platforms for precisely these reasons.
Miller adds, “protecting data stored in the cloud requires a very different toolset because the threat model is quite different from those of workstations or servers. It’s critical that organizations re-evaluate their cloud strategies with security top of mind.”
Mike Wyatt, a Principal with Deloitte Cyber, states that Cloud Service Provider (CSP) identity services will start to overtake the use of traditional identity management COTS products.
“We are seeing significant investment by the CSPs to grow the identity management capabilities beyond managing CSP infrastructure services and towards providing core application identity capabilities. As the center of gravity moves from the data center to cloud, the importance and adoption of these services will skyrocket,” Wyatt says.
Election Security at Risk
Deborah Golden, U.S. Cyber Risk Services leader for Deloitte Cyber thinks policy and governance on election issues will reach a crisis level in the coming year.
“2020 will bring a need for guidance on how to transcend governance across local, state and federal. Even if we collectively lack resources, together, state and local governments can do basic back-up hygiene and extend cyber awareness training, working off of a stronger probability at federal funding. After 9/11, federal governments were funding local governments directly for Homeland Security protections, so maybe this time around, cyber-resilient funding could be triggered,” chides Golden.
As the 2020 elections approach, Jamil Jaffer, Vice President for Strategy, Partnerships & Corporate Development at IronNet Cybersecurity figures U.S. election security is already top of mind with many voters, but he doesn’t expect to see a significant degree of election manipulation directly affecting votes since it is difficult to do this at scale and gain close access to systems. However, he does predict there will be election shenanigans in 2020.
“At the same time, there is certainly a very high likelihood that we’ll see a lot more of what we saw in 2016, including efforts to undermine candidates, parties, and confidence in the system as well as to create discord and dissent between groups and individuals in the electorate. Likewise, we may see attacks against vote databases, including through ransomware, that is designed to either extract revenue or to undermine confidence in our voting system,” says Jaffer. “These types of attacks—which can be partly mitigated using provisional ballots as created by the Help America Vote Act—can still achieve the goals of attacks. Ultimately, these nation-state actors—Russia principally, but possibly including China, North Korea, and Iran—seek to create uncertainty and undermine people’s confidence in the system.”
Centrify’s Steinkopf offers up a grim forecast adding that more than half the U.S. state election boards will be hacked in the upcoming 2020 elections.
“Federal aid to help states bolster their election security will come up short in 2020. As a result, every state election board will again be targeted by hackers in 2020 (as we saw in 2016), with more than half of all U.S. states successfully breached. Election boards frequently hold names, addresses, partial Social Security numbers, dates of birth, driver’s license numbers, and a variety of other personal information about voters that can be leveraged by hackers for financial gain. This sensitive information can also be used to impersonate voters and influence the election,” he warns.
Phil Dunkelberger, CEO of Nok Nok Labs, a leading authentication provider and founding member of the FIDO Alliance, predicts that cyber policy and data privacy will receive double the airtime this election season.
“As we approach the 2020 election, candidates will more aggressively and thoroughly build data privacy and cybersecurity into their platforms alongside more traditional hot-button topics like healthcare, tax reform and more. In order to legitimize their candidacy, they will need to demonstrate a deep understanding of cyber and privacy that impact everyday citizens. Voters will scrutinize candidates on how equipped they are to tackle these pressing challenges and then cast their vote accordingly,” Dunkelberger relates.
GDPR and CCPA Gain Steam
Jon Wallace, a Security Technologist at Instart predicts that GDPR and CCPA will show their teeth more in 2020 as oversight bodies will move to make organizations feel more pain.
“The reality is that in order to force an organization to act, they must feel substantial pain hence British Airway’s fine relating to around 1.5 percent of its turnover. GDPR penalties currently can be as high as four percent of turnover which would be significant for an organization,” Wallace says. “In light of lack-luster anger from consumers over data-loss, compliance organizations will look to ‘act in the consumer’s interest’ and punish organizations for not protecting their customers correctly —- and these penalties will only increase until a change is forced.”
Sharon Chand, Cyber Talent Leader for Deloitte Cyber agrees, adding that in the wake of the California Consumer Privacy Act (CCPA), privacy regulation will continue to proliferate across the United States.
“Other states will follow the lead from California’s footsteps and develop their own legislation. Furthermore, organizations will feel additional pressure from consumers who desire transparency and will increasingly make purchasing decisions accordingly. Acting in accordance with pressure from the government and public to prioritize privacy will come essential to organizations’ bottom lines,” she says.
Berman, of Nutter’s Privacy and Data Security practice group, also sees the impact of California’s 2018 cyber privacy law finally kicking in for 2020. “Will see California’s 2018 cyber privacy law finally go into effect, which gives California residents more control over their online data than any other consumers in the country. With many other states considering a similar law (including Massachusetts), legislators will be closely following the California Consumer Privacy Act to see how the law is implemented and how it impacts consumers and companies (especially companies who rely on advertising for revenue).”
5G Technology Moves Ahead
While Dan Schiappa, the Chief Product Officer at Sophos, is confident 5G will be the most fundamental game-changing technology to impact the cybersecurity landscape – maybe ever, 5G may also introduce never seen security threats.
“5G promises to connect almost all aspects of life through the network with game-changing speed and lower latency, but it will also introduce significant security risks with new potential entry points that will expose organizations to new types of attack,” Schiappa confides. “While 5G holds tremendous promise, overhauling our essential networks will open pandora’s box due to the introduction of radio frequencies that to date have not been accessible, not to mention the minimized visibility that will result from them. This will require us to put an even greater focus on the security of our connections, devices and applications.”
Schiappa continues that 5G devices come with built-in radios that don’t require communication with the corporate network, which potentially makes it incredibly difficult to identify threats and compromised devices.
“It’s never been more critical for cybersecurity products to work together as a system. Organizations will need a layered approach to security where products connect and share actionable intelligence. A synchronized security approach builds bridges allowing products to work together stronger than they would on their own,” he says.
Other Top Predictions
· CSO Job Requirements Will Change in 2020: “A gap exists in the current Chief Security Office (CSO)/Chief Information Security Officer (CISO) job description, which is the ability to add strategic value to the company. There’s a lot of highly technical people in this role, but when you advance to the C-suite title, there’s a need for business vision alongside technical prowess. Understanding how the company’s threat management strategy ties to the overall business goals and developing an action-orientated plan will be essential for CSOs in 2020. As the CSO, it is your job to develop the company's operational risk and demonstrate how that fits into larger business goals. After outlining the risk, the CSO must be able to establish a program that protects their people and assets from cyber and physical threats.” -- Munya Kanaventi, Sr. Director Information Security at Everbridge,
- U.S. Government Cyber Operations Will (Partially) Emerge from the Shadows: “As U.S. cyber operations become more assertive, they will become better at sharing their successes. Public disclosure will help policymakers support these activities and will also help increase public understanding and support. However, the most important benefit may be the deterrent effect these public relations efforts will have on our adversaries.” -- Greg Conti, Senior Security Strategist at IronNet Cybersecurity.
- API Security will be a priority for businesses: “Attacks on application programming interfaces (APIs) will increase in 2020, and business spend to secure them will spike as a result. Unsecured APIs can lead to exposure of massive information loads, from airline ticketing to online ordering. For example, two years ago, a large food retailer leaked nearly 37 million customer records due to unsecure access to its backend server and sequentially numbering customer records. This allowed for easy enumeration of the retailer’s entire customer base. Further, just last year, more than 140 airlines had customer information compromised because the booking system allowed anyone to access passenger records just by changing an identifier in the URL. Expect to see an increase in business spend to secure APIs in the coming year to prevent these damaging attacks. - Zane Lackey, co-founder and CSO at Signal Sciences.
- Supply Chain Attacks Will Increase in 2020: “Protecting and managing the supply chain is essential to operational survival in 2020. More organizations are moving their supply chain to the cloud, broadening the potential vulnerabilities and management challenges. Additionally, most manufacturers are dealing with third-party vendors in their supply chain, as it is impossible to make everything within one organization. Many manufacturers are partnering with smaller, niche organizations in the cloud to support specialized skills. With the addition of niche, organizations come downstream risks that need to be considered and managed. Organizations must have solutions in place that give them full visibility into their supply chain network, and tools that allow them to identify and respond to threats.” -- Munya Kanaventi, Sr. Director Information Security at Everbridge,
About the Author:
Steve Lasky is a 33-year veteran of the security publishing industry and multiple-award-winning journalist. He is currently the Editorial and Conference Director for the Endeavor Business Security Media Group, the world’s largest security media entity, serving more than 190,000 security professionals in print, interactive and events. It includes Security Technology Executive, Security Business and Locksmith Ledger International magazines, and SecurityInfoWatch.com, the most visited security web portal in the world. He can be reached at firstname.lastname@example.org.