As cybersecurity threats are rapidly evolving to stay ahead of defensive application security measures, it is difficult to make infosecurity predictions that are guaranteed to stand up when we review them in January 2020.
However, by combining our team’s web application testing and computer forensics experience with research into the changing face of attacks over the past 12 months, we can highlight five cybersecurity and cybercrime threats:
1. Continuing lack of visibility across corporate IT assets intensifying data breaches
Thanks to advances in technology, many businesses have made digital transformation part of their business strategy, which includes moving company assets and operations to the cloud or leveraging hybrid cloud infrastructure for flexibility. Cloud computing carries the risk of organisations losing visibility and control over their assets and operations after the move. The vast majority of the worst data breaches that we saw in 2018 had the very same cause and origin: a lack of visibility across corporate IT assets.
Today’s businesses have complex IT infrastructure that is composed of unconnectable pieces located across different places globally. Many companies and organisations are not even aware of all of their external applications and unprotected cloud storage, let alone internal systems. Thus, for them, it is impossible to mitigate any vulnerabilities or misconfigurations, including critical ones.
The very first step to mitigating any potential vulnerabilities caused by a lack of visibility is to build a comprehensive and up-to-date inventory of your digital assets: hardware, software, clouds, data and users. It may be challenging in the epoch of hybrid clouds and Bring-Your-Own-Access (BYOA); however, it remains crucial for a sustainable cybersecurity strategy. Once you have visibility of your assets, you will be able to properly assess the risks, assign priorities and allocate resources to keep them up to date, secured and monitored.
For example, shadow systems co-exist with legacy mainframes, abandoned cloud applications and third-party code that’s been unmaintained for years. Shadow and legacy IT is a huge problem too as the IT infrastructure in many large organisations resembles Frankenstein's monster, assembled from thousands of insecure, different and often incompatible pieces. Obviously, such unknown or semi-known systems cannot be protected or secured in any manner so they are an ideal target for hackers to run ransomware, phishing and lots of other highly-sophisticated and targeted attacks.
Attackers often don’t even need any expensive 0-days, as there are machines and applications that can easily be breached via a public exploit in a matter of minutes. Improper internal access control often enables attackers who control one machine to spread their presence to all other hosts in the local network. All this makes the perfect environment for new data breaches and security incidents, and with the complexity of corporate networks only set to keep growing, the problem of visibility is one that will definitely remain this year.
2. Easy pickings in the cryptocurrency sector
Cybercriminals follow easy money, and many cryptocurrency owners are the perfect victims. They are virtually unable to protect either themselves or their digital assets, being susceptible even to relatively simple phishing attacks.
Law enforcement is frequently uninterested in investigating and prosecuting petty offences involving the theft of digital coins, as it is already overwhelmed by highly sophisticated nationwide hacks. Meanwhile, crypto start-ups are virtually ignorant of even the fundamentals of cybersecurity, spending all their effort and resources on surviving within an extremely volatile and highly competitive market.
Attackers have now established impressive infrastructure purposely tailored for large-scale theft and scams with digital coins, so we can almost certainly expect further proliferation of security incidents related to cryptocurrencies. Although people had believed in the inherent immunity, resistance and security of cryptocurrency as a financial asset, their illusions have been vaporised over the past 12 months, as millions lost their money in cryptocurrencies during 2018.
The problem for 2019 is that many victims have irrecoverably lost their confidence in blockchain technology in general. It will be time-consuming to restore their trust and convince them to leverage blockchain in other areas of practical applicability. On the other hand, it’s not too bad, as potential future victims are now paranoid and won’t be low-hanging fruit for fraudsters.
Owners of crypto assets should remain extremely vigilant, keep all their devices and installed software up to date, install at least a free antivirus from a reputable vendor, use two-factor authentication and unique passwords, and never entrust their wallets to any third parties unless they have a very good reason to utterly trust them.
3. Cybercriminals using Artificial Intelligence (AI) and Machine Learning (ML) to accelerate intrusions
These technologies are mainly used for intelligent automation and acceleration of various complicated tasks and processes, but they are not a panacea and, if applied desultorily, are worth virtually nothing. Cybercriminals have nonetheless attained a decent level of proficiency in practical AI/ML usage and, most of the time, they use the emerging technology to better profile their future victims and to speed up intrusions, and thus increase their effectiveness and profitability.
As opposed to many cybersecurity start-ups, which often use AI/ML hype mostly for marketing and investor-relations purposes, the bad guys are focused on its practical and pragmatic use to cut costs and boost income. The use of AI/ML will continue to expand as cybercriminals harness the technologies to increase the efficiency of their attacks. However, modern cyberattacks are so tremendously successful mainly because of fundamental cybersecurity problems and omissions in organisations; ML is just an accelerator.
One should also bear in mind that AI/ML technologies are being used by the good guys to fight cybercrime more efficiently too. Moreover, development of AI technologies usually requires expensive long-term investments that Black Hats typically cannot afford. Therefore, significant AI-based threats are unlikely to occur over the next five years at least, but we will probably have the first cases of simple AI technologies competing against each other in 2019.
4. Crowd security testing morphing into pen-testing
Crowd security testing and bug bounties can bring a lot of exciting opportunities both to researchers and to companies, but one should keep in mind that crowd security testing can never substitute for a mature application security program.
Although most crowd security testing companies now offer highly restricted bug bounties, available only to a small circle of pre-screened testers, or process-based fees instead of the usual result-oriented approach, they will never substitute for a mature application security program, with a systems development life cycle (SDLC), DevSecOps and continuous security monitoring.
Bug bounties are trying to reinvent themselves now in light of emerging start-ups within the field and not-for-profit initiatives such as the Open Bug Bounty project, so we’ll likely see crowd security testing converting into another form of classic penetration testing before long.
5. GDPR impacting on the cyber resilience of global business
During 2018, companies were over-concerned with compliance on paper, ignoring practical security requirements due to limited budgets and resources. Many organisations are now frustrated with severe GDPR sanctions and spend virtually all of their time and resources on attaining formal compliance, which means that they often take a formalistic approach that omits critical aspects of practical cybersecurity and privacy.
In some companies, the burden of GDPR was not even alleviated by a proportional cybersecurity budget increase, so security professionals were forced to juggle with scant resources and understaffed teams.
This means we are likely to see more data breaches, as cybersecurity resources that largely remain the same as they were prior to GDPR implementation won’t effectively cover both practical security and compliance requirements. Even if compliance and security are tangential, contiguous and even highly intertwined areas, they are still substantially different and cannot replace each other.
Ekaterina Khrustaleva, Chief Operating Officer, High-Tech Bridge