Cybersecurity: Predictions and a Wish List for 2020

Imagine Two Sports Teams

? 2019 Bob Carver, CISM, CISSP, M.S.

Cybersecurity in 2020 will continue to get worse before it gets better.

What is the state of cybersecurity now?

Imagine two sports teams playing in the heat of battle. In the past you easily identified what team a player was on by the color of their uniforms. Now imagine that magically both teams had their uniforms transformed to the exact same color even with jersey numbers duplicated. Players lose their teammates in critical plays, referees are confused in making their calls and the onlookers are having difficulty following, not knowing who to cheer for.

This is part of what is happening now in cybersecurity and is often referred to as "living off of the land." The differentiation between valid processes and changes to every computing system or network devices have become blurred on whether what is happening is a legitimate transaction or process; or whether it is something manufactured by your adversary since they are utilizing some of the same common processes and protocols to perform a task. Your user and admins are utilizing these to create value, while cybercriminals are wreaking havoc.

Next imagine going to the next level in the game. 90% of your players become invisible, but are still able to continue playing the game. Perhaps only one out of every eleven players is still visible. You don't know where most players are or what they are up to the vast majority of the time. This can be related to data flows that are encrypted or tunneled. It also can be processes that are hidden in other "hollowed out" processes providing a perfect cover to remain undiscovered a large part of the time.

These are very real issues that current cybercriminals are utilizing and what defenders need to detect and defend against.

Predictions

Visibility will be key. Those individuals and corporations that don't have visibility into networks, data flows (whether encrypted, tunneled or obfuscated), devices and endpoints (processes and code) along with sufficient analytics and a game plan to mitigate discovered threats will be at a severe disadvantage in fending off cyber adversaries.

Time from discovering vulnerabilities to utilizing attacks against the vulnerability will continue to shorten. The time to patch will need to continue to happen faster than ever. Patches need to be coded, tested and installed on large groups of computers they or they will risk being compromised. Automation and prioritization will be key in being successful or in being a failure. Systems that have been available in the past that test for incomplete patches, direct users to an update link and force those updates before being allowed on the network may need to become a regular requirement.

We will continue to discover vulnerabilities in Open Source software and legacy standard utilized utilities and protocols. This will lead corporations to funding independent vulnerability audits, producing patches or coding new commercial paid secure software as an option to current offerings.

Deepfakes-as-a-Service will increase and be available in underground markets. This increases the chance of ransomware effectiveness, assists in bypassing authentication and fraud detection controls, financial controls, risk processes and even promoting psyops and election interference. Cybercriminals and those manipulating the masses will choose their options among video, audio, biometrics and other factors.

Ransomware and extortion variants will continue against cities, governments, municipalities, hospitals. This will continue to be the "bread and butter" income for cybercriminals. Gone are the days of simply stealing data (although this will continue to happen where the data is valuable). Now the cybercriminal will embed themselves into your network, use blackmail or extortion against their targets. Cybercriminals will threaten to release valuable data, incriminating evidence or escalate their threat by simply destroying or creating confusion and mayhem by populating databases with false data. In the worst cases they will simply destroy entire systems if a stream of income is not paid in a timely manner.

There may be less difference in security between operating systems than was thought in the past. Cybercriminals and nation states will continue to develop their attacks so it will not matter what operating system they encounter first. Whether it is Windows, Linux, UNIX, Macs, printers or other devices on the network. The point is to establish an initial foothold into your network to launch future attacks regardless of what device or operating system is available.

IoT Security Issues will continue to create problems and interrupt business operations. Many IoT devices are made to minimize cost and optimize time to market. Vulnerabilities abound and can be used to upload code for nefarious purposes like DDoS or to simply hide the tracks of the cyber attacker. Some can be patched. Other IoT devices may have to be completely replaced in order to rectify security shortcomings. Smart businesses that utilize Industrial Internet of Things devices will require security patching to be made available for the length of their support contract. After the end of the contract, if additional vulnerabilities are found, it would be prudent to declare the devices at "End Of Life" and have it replaced with new more secure equipment.

Supply Chain/3rd Party Risk. As we approach realization of Industry 4.0 where all suppliers, sellers, distributers, sensors, databases, cloud implementations and ordering systems are interconnected through one or more web of networks. Each business is cyber resilient only to the level of their weakest link in the supply chain. We will need to evolve in our risk management processes to cope with this complexity and highly diverse attack surface. This will eventually create a demand for risk management cyber professionals that specialize not only in third party risk, but cyber risk for organizations entrenched in Industry 4.0.

Automation in malware and attackers. I saw early forms of crude automation in malware a decade or more ago. This malware detected the type of operating system of the computer it encountered, then delivered the appropriate malicious payload accordingly, being able to compromise all popular flavors of operating systems of the computer it encountered. Now we will evolve to see automated attacks that will need less North/South (endpoint traffic to and from the Internet) command and control traffic. Not only malware that will enumerate systems, but will autonomously map entire networks, develop a game plan to locate the "crown jewels" and determine how to embezzle them. Those early attacks were merely playing a game of checkers. Imagine bringing this game to the next level squared. Then you might have something closer to a 3D chess game.

AI, machine learning and data analytics. This will continue playing a larger part in an overall cybersecurity/cyberresilience strategy. Currently AI/machine learning can often determine if an attack has happened. Where improvement is needed: 1) eliminating gray, uncertain or borderline alerts that aren't clear whether the alerts are due to poor coding practices or an actual attack has happened and 2) completing the analysis, determining if the cyberattack was successful in actually compromising a computer system.

And yes, we will see more cybercriminals vs. cyber protector play a game of "my AI is better than your AI."

Mergers and Acquisitions. Any major merger and acquisition that is done in a prudent manner now requires a cyber risk management analysis to be performed as a part of the normal process of due diligence. Anyone that doesn't do this now may be considered negligent. This could even result in lawsuits for those that omit this or have been negligent in their cyber risk analysis and due diligence.

Insurance Companies. There will continue to be issues with insurance companies making 100% payouts on their claims. Large companies will need to have their attorneys, insurance and cybersecurity specialists with them in negotiating policies. Insurance companies will continue to refine the small print of their contacts on how and when they will or will not pay. As I have stated in the past "Force Majuere" and "Acts of War" may be utilized by insurance companies as their "get out of paying the cyberattack claim" card.

Wish Lists

IoT Cybersecurity Legislation in the U.S. We have had several false starts. In this last attempt, congress consulted cybersecurity experts for their input to the proposed legislation. We currently have no one that takes responsibility seriously for IoT security. Let's complete this or we will again see modern day cyber attacks reminiscent of the old Wild West.

Cybersecurity and Privacy Issues be Taught in our School Curriculums. Some countries outside of the U.S. have taught cybersecurity and privacy related subjects as early as grade school. The countries that have this education are shown to have a much lower percentage of compromised computers, phones and other electronics as well being less susceptible to cybercriminal scams such as phishing. Being taught good common sense risk management, cyber hygiene and how to recognize scams over time has paid off for businesses and the population as a whole. Those countries that have implemented this program have some of the lowest percentages of compromised systems on the planet.