9 Cyber Security Predictions for 2020
Leadership Team, Secrutiny Ltd
27 January 2019
Whether you call them cyber security forecasts, risk trends or predictions, here’s a roundup of what our experts are saying about the year ahead, including a huge growth in encrypted hacking, 24×7 Pentesting, and the future of ‘Extortionware’.
1. IoT Will Be Targeted as a New Route to Breach Internal Environments
Organisations and individuals want IoT connected devices. They offer considerable benefits that are instant in many areas, and pretty much anyone can set them up. That camera or smart TV or heating controller makes a difference.
The speed to market for vendors is paramount as competition is high; it’s a land grab for customers. Being last to market with great security is a loser. Being first to market with basic security is a winner, but not really for the user.
Research from CSO Online by IDG found that over 60% of organisations experienced an IoT security incident in 2019. The solution is not to try and fight the deployment, but to get a network-wide visibility tool of IoT behaviour to monitor and manage the risk.
2. Cyber Recovery Will Appear on the Enterprise Agenda as Organisations Recognise They Need a Plan and a Budget
Research by Forbes Insights reveals that 60% of executives are NOT confident that they could recover from a major cyber event. Look at Travelex and Gedia: there has to be a big question about how, when and whether they will recover.
Recovery is about having a process and a plan. What data do you need that cannot be tampered with to build again quickly? Where are you going to keep it? What is required to action the plan?
3. Pentesting/Red Teaming Will Become a 24×7 Automated Process Using Technology
Pentesting has typically been compliance-driven: can regulators be shown a certificate and the things that were fixed? This needs to grow up fast, as the process of pen testing needs to become 95% automated and run 24×7, 365 days a year. Organisations need to find the ‘holes’ daily, not once a year. The technology is available.
4. Huge Growth in Encrypted Hacking as Adversaries Hide in 443 Traffic
Encryption technology has enabled much greater privacy and security. However, threat actors have leveraged these same benefits to evade detection and to secure their malicious activities, launching over 2.8 million encrypted attacks in 2019 alone.
Statistics suggest that this year, more than 70% of malware campaigns will use some form of encryption to conceal malware delivery, command-and-control activity, or data exfiltration, and 60% of organisations will fail to decrypt HTTPS efficiently, missing critical encrypted threats.
On the flip side, technologies that can locate and stop cyber attacks hidden in encrypted traffic, without decryption, are appearing in the market to combat the growth in encrypted hacking and the TLS 1.3 Challenge.
5. Personal Data Will Become Part of the MFA Process – Location/Heart Rate/No. of Steps etc.
As bad actors develop methods of deceiving token and phone-based systems (security experts recently demonstrated an automated phishing attack that can cut through 2FA), biometric authentication, where employees can log into their applications, workstation or VPN with just their fingerprint or face, will become more popular.
In fact, in September 2019, the FBI released a Private Industry Notice urging American companies to urgently integrate extra layers of biometric factors and behaviour recognition checks to prevent hackers from easily bypassing multi-factor authentication security systems.
One example of the practical application of biometric authentication is Nymi, a wearable device that reads your heartbeat and uses it as a unique biometric to identify you. It was first trialled by Halifax Bank in 2015, who dubbed the technology “superior to fingerprints or iris scans”.
6. Extortionware Will Start to Replace Ransomware
Attacks involving ransomware remain prevalent, “accounting for 24% of incidents where malware was used” according to a 2019 data breach report. Our experiences echo this, having seen growth in the number of incidents, as well as their impact on organisations, relating to evolving ransomware tactics over the past year.
Primarily the historic focus has been on ‘incidental extortion’, using targeted ransomware for financial gain through business interruption. However, we increasingly see ransomware used instead as a way to initiate negotiations due to data theft and the prospect of brand damage or potential litigation from the leak or other misuses of that stolen data. The latter is being termed ‘Extortionware’.
In other words, hackers no longer encrypt content and demand a ransom as they are finding too many companies can recover. Instead, they steal sensitive data, and failure to pay the ransom demand means the data will be made very public.
What won’t change is the need for organisations to implement and test strategies to remediate the threat and maintain critical business operations. Those able to do so quickly will exhibit the resiliency required to deter repeat efforts, whether they be extortive or punitive in nature.
7. Evidenced-Risk Will Be Used to Drive Investment; Fear Will No Longer Generate Budget
Cyber security should not be an IT problem but a risk to be managed – however, organisations cannot manage the problem if they don’t understand its context. This lack of context puts a strain on teams to make prioritised, strategic decisions on how to secure their IT environment and safeguard their crown jewels.
I’m sure the majority of those reading this receive countless phone calls every month from people trying to sell you a ‘thing’ that is going to solve all of the ‘things’ that could potentially cause you a problem. But how do you prioritise that? And how do you put it into a framework that’s meaningful for the business so they can engage with it?
Organisations will increasingly turn to Technical Cyber Risk Assessments for evidential determination of their level of risk and what changes can be made to processes, policies and controls to reduce it, looking beyond the propaganda, threat-mania and hype of the industry and focusing on the specific risks and threats of priority to them.
8. Secure ‘Data Sharing’ Will Start to Be Discussed Because If the Data Is Protected the Real Risk Goes Away
The way data is shared inside and outside organisations is largely primitive if you consider security. Documents are emailed (normally unprotected) or uploaded to the cloud and control is lost. The data is often confidential, and it presents risk. There has to be a better way – and it isn’t DLP.
9. Avoiding Cyber Embarrassment Will Be the Number One Priority at the Board Table
Embarrassment matrixes and breakthrough cyber threat prioritisation modelling will help organisations:
- Determine cyber risk appetite
- Reduce confusion caused by alert fatigue and conflicting priorities
- Define remediation priority based on evidence