When it comes to cybersecurity risks and threats in 2019, attackers will do what they always do and follow the path of least resistance (least time, cost, and difficulty) to the biggest reward (money, payout yield, reach, best success rate). For the last two decades, there have been some obvious vectors that always pay dividends, especially around the end user and compromising identity. Phishing is still big because it works, and with so many mechanisms focused on compromise of identity, we should expect to see more targeted, focused spear-phishing.
We’ve also seen rushes to firmware, printers, and routers, which will continue with more exploits of less-used devices and the lack of hardware-derived security and good security hygiene. This will be accompanied by revisiting the phone as an infection vector early in the year and then more IoT targeted attacks as those devices ramp up with little-to-no protection, providing opportunities to DDoS the world. It’s important to note that IoT security needs to be beefed up out-of-the-box to avoid cyber and digital pollution for at least the next two decades.
Security risks and threats
IoT will keep increasing exponentially. It will drive our current digital footprint 2X, 10X, and 100X; and we will look back and wonder why we had a special name for what amounts to most computing nodes. These devices will steadily follow Moore’s Law, with full stacks and more computing power and commensurate bandwidth demand.
With an increase in complexity and topography, we will see an exponential increase in the options for attackers, almost a Metcalfe’s Law for the darker side. As a network grows, the risk topography grows faster and faster in a dark imitation of the increasing value — and IoT will exemplify this. The steps we make now will pay handsomely in the future, and what we don’t do now will plague us for decades.
Return of mobile
Mobile isn’t new, but it’s the favourite of CISOs and security departments to kick down the road. It’s always next year or when time permits, and security solutions are particularly weak. Most security solutions amount to insecure device management or, at best, an antivirus equivalent to signature checking.
The standard enterprise response has been to limit exposure and access of mobile devices, and this has created a blind spot in our risk assessments that will lend itself to incremental increases in access and exposure. Attackers have long targeted mobile and known how to exploit it, but it hasn’t been as attractive as more traditional targets like laptops and application-layer attacks, or even going after identities and “layer 8.”
That will change as mobile is now perhaps the most exposed, ubiquitous, and under-protected vector for enterprise malicious operations. Attackers will use these devices to infiltrate and exfiltrate, as stepping stones on the way in and out, carefully cleaning their traces. It’s happening now, but 2019 will see this come into the light and may lead to a small panic, too.
Weaponising outer space
The détente around weaponisation of space has been broken as the U.S. builds a Space Force. This is a battleground that only a few of the largest and most powerful countries can yet reach: China, Russia, and France. That’s not good enough, though, for countries threatened by existing and emerging superpowers and first-world nations.
In response, expect them to double down on investment not in conventional arms but rather in cyber arms. Cyber is the domain that enables the cheapest, largest reach for the least risk. Even relatively small countries from an economic and population perspective can become cyber powers and use this to counter new and scary emerging nuclear powers and space powers. Cyber is, in many ways, the great equalizer; and the fear now is of too many cyber-enabled states and a weaponisation of cyberspace.
Risks from diplomatic, trade and economic events
Cyber is the new, great equalizer, and nations have been stockpiling and continue to research transmission vectors and payloads while planning contingencies. Clausewitz called war “an extension of politics by other means”; there is now a fundamentally cheaper, less risky, greater-reach tool for extension of politics by other means: cyber.
As a result, we should expect a cyber dimension to any particularly important or nasty diplomacy, trade negotiations, economic recessions, or even military conflict. Cyber is both a battleground in addition to land, sea, air, and space and a dimension of the existing battlegrounds: drones can be hacked, logistics and communications can be disrupted, and sabotage can be executed without having to send a single soldier behind enemy lines. As the geopolitical and economic realities of 2019 unfold, expect to see a new cyber shadow and cyber dimension in direct relation to the importance and significance of other human conflict.
Critical infrastructure will continue to have a bullseye on its back
Critical infrastructure is vital to continued government services, private sector health, and public safety. As a result, it is both a natural target and a potential tool for distractions and diversions. Attacking critical infrastructure hurts: defenses and first responders can be disrupted, and everything from nation-state hacks to simple cybercrime can benefit from the general noise and confusion, including the noise-to-signal ratio, reduction in resources, confusion in triage, and more.
As a result, critical infrastructure has a bullseye on its back and it makes sense to drill in peacetime, establish critical relationships, define escalation paths, and get ready for when disaster may strike. Now is the time for resilience and contingency planning and preparedness.
Consumers will need to change their security habits or need new security options
It’s become hackneyed to say that end users need to change their habits, but this is a flaw in security thinking. Security that doesn’t consider how real people work and behave is bad security. While some folks may change their behaviours, and this should be encouraged, security needs to change itself to consider the natural pathways and use cases of real people.
New hackers and nation-states will emerge in a new cybercrime spree
Cyber is the great equalizer on the geopolitical and international relations front, but it’s also far more effective for traditional criminals: less chance of being arrested or serving time, and anonymity inherent to the medium. This means that we will see many new “startups” and new tentative motions by nations that formerly have been much quieter on the cyber front in geographies like Africa and Latin America.
There is good computer science and cyber talent in more places than the first world and normal players, such as the U.S., Israel, the U.K., Russia, China, Iran, and North Korea, to name a few. Now we will see third-world nations playing in the same theaters and battlegrounds as the big boys and girls.
Sam Curry, Chief Security Officer at Cybereason