Cybersecurity experts ponder looming 2019 threats

Dec. 26, 2018
CISOs may not agree on what the challenges are but all agree they must be proactive

From cyber attacks on major corporations to breaches of vulnerable industrial control systems, and from the potential weaponization of AI to an exploding IoT universe rife with threats, cybercriminals are constantly evolving their tactics as the landscape of digital technology expands. Protecting information that is stored in the corporate cloud or carried on employees’ smartphones leaves security professionals in a constant struggle to find mitigation strategies that work.

While CSOs and CISOs might not all agree on what their most dangerous threats are, they are certainly in unison when it comes to taking a more proactive than reactive approach to facing their challenges. As is our custom at this time of year, SecurityInfoWatch consults our collective crystal ball – with the help of industry experts, of course – to predict what threats and challenges loom for 2019.

The responses we received from the cybersecurity community were varied and covered a wide array of topics. Our editorial staff selected what we felt best represented the collective mindset of CISOs, CSOs, consultants and solution providers alike.

Public Awareness of Cybersecurity, Mitigation and Resilience


Silver Bullets Don’t Exist: Realize Cyber Operational Risks -- Dean Weber, CTO at Mocana

In 2018, we saw a lot of leadership adopt technologies due to their hype and false pretenses that they would be the quick and easy fix for their organizations’ risks. Blockchain is a great example of one of these technologies. This is one of the biggest areas that we have seen leadership make mistakes.

A way to avoid this common mistake in the new year is to fully recognize all risks. This is made possible by also measuring cyber operational risks, not just operational risks. Oftentimes they solely focus on the risks to uptime/downtime and the impact they will have on operational costs. Essentially - what things can go wrong and how to measure it? Unfortunately, risks cannot be mitigated with existing technologies and most cybersecurity insurance only accounts for property or assets and casualties. What they’re missing is addressing what happens if the distribution office is hacked or if they continue to use older systems that cannot be patched. Because of this, we will begin to see more organizations look to create a holistic view of their risks.

Public Awareness of Cybersecurity Will Continue to Evolve -- Jason Rebholz, Senior Director at Gigamon

The public’s broader awareness of cybersecurity has changed. This has been led by an increased number of public notifications of security breaches, some of them with massive amounts of data loss, well into the tens of millions, if not hundreds of millions of potentially impacted individuals. While these types of attacks have been going on for years, they are garnering more mass media attention, resulting in more widespread coverage of the security challenges organizations have been facing for years.

To the untrained eye, it would appear as though every organization is failing at security, and in some cases they are correct. The untold story highlights organizations struggling to investigate and get details out to the public, which often causes more pandemonium and undue stress as misinformation begins to circulate. The benefits of the increased public awareness bring increased public scrutiny over how organizations are protecting personal data and additional regulations mandating public notification of security breaches. This, in turn, drives more investment into security budgets which should, in theory, provide a safer online experience for the public.

Small Organizations Will Finally Take an Enterprise Approach to Cybersecurity -- Brian NeSmith, CEO and co-founder of Arctic Wolf Networks

Small organizations are finally realizing that they need to be as prepared as large organizations when it comes to cybersecurity, making it no longer an IT problem but a larger business challenge within every organization. Additionally, we will see small businesses’ approach to cybersecurity impacting larger organizations through the supply chain vector. Hackers will take advantage of smaller organizations, which often fuel larger businesses’ supply chains, because they typically have security vulnerabilities that can be more readily exploited than larger “targeted” companies. With this in mind, in 2019 we will see the C-Suite become more involved in cybersecurity, not only when it comes to making decisions about tools to leverage, but also taking the brunt of repercussions.

Cyber Insurance Emerging as a Big Risk Management Influencer -- Mark Carney, Executive Vice President, Cybersecurity Services at Coalfire  

Cyber insurance is hot—and for good reason. CISOs need to protect against the nearly inevitable breach and its consequences. Still, many organizations are uninsured, or very confused about what is covered under their existing cyber policy. Look for cyber insurance companies to leverage their influence and risk calculations to set the industry standard on how to evaluate cyber risk, and continue to broaden their scope by partnering or offering expanded cyber risk services of their own, such as breach management, legal assistance, and policy consultation to offer a more seamless solution.

Cyber Risk Management Gets in the Groove with Enterprise Risk Management -- Mark Carney

With all areas of business risk competing for company dollars and attention, cyber risk needs to start speaking the same language and integrating with the rest of the business (especially other risk disciplines). In 2019, look for CISOs to begin tailoring their cyber risk frameworks more specifically to the unique needs of the business, translating it into terms the organization can understand, and working in closer harmony with enterprise risk management functions.

The CISO Mindset will Make a 180 -- Jason Haward-Grau, CISO at PAS Global

In the cybersecurity industry, it’s common knowledge that the average tenure of a CISO is about two years. In 2019, mindsets will begin to shift in order to address this short-term expectation. CISOs will be forced to become stronger leaders as they are forced to think and operate more strategically than ever. The stakes on their role have never been higher, which means they must prepare for the worst by enabling their companies to succeed rather than the fear of a ‘breach’ failure.

As the threat landscape rapidly evolves, the specter of a breach becomes “when” not “if,” and CISOs must help their organizations embrace these odds by providing them with the information necessary to combat threats, minimize the impact of the inevitable breach and achieve success through effective recovery capabilities. By doing so, CISOs will enable their organizations to eliminate the “blame game” culture and focus on the bigger picture of enabling the business, succeeding by recovering and striving to stay secure.

Organizations Will Go Above and Beyond Baseline Standards -- Jason Haward-Grau

2018 showed a wealth of promise when it comes to cybersecurity policy. From GDPR, through NIS-D, NIST 1.1 to the California Consumer Privacy Act and more, industries began working closely (both carrot and stick) with legislators to adopt strong baseline standards for security and privacy. However, in 2019, organizations will begin to realize that these foundational policies are not enough. They will acknowledge that policy is a foundation that must be built upon rather than a ceiling to be achieved and relied upon, and respond by adopting their own internal (or industry) set of standards that are better tailored to their own unique risk environment. By doing so, they will create stronger defenses, meaning adversaries will need to step up their game in order to conduct targeted attacks. We will see the recognition that it is no longer acceptable to avoid the bear by outrunning just your competitors, rather that together we need to tackle the bear.  

Automation Will Help, But the Cybersecurity Talent Gap Will Remain A Problem As 2019 Brings More Impactful Attacks, Including Attacks on Smart Cities -- Cesar Cerrudo, CTO at IOActive

The demand for cybersecurity talent will continue growing, but so will the advancement of automation. Thanks to automation, one person can now do the work of many. However, when it comes to jobs requiring highly-skilled and specialized people, automation cannot help.

Common cyber-attacks and ransomware are already having a detrimental impact on companies. In 2019, we will see increases in these attacks and their negative impact on companies. Ransomware is an easy way for cybercriminals to profit, so it will continue propagation unless the bad guys find a better method to profit. Coin mining attacks may replace some ransomware attacks, depending on how cryptocurrencies do next year, in terms of valuation and mining difficulty. This means cybercriminals could choose to use hacked computers more to mine cryptocurrencies, rather than asking for ransom.

In 2019, technology adoption in cities will continue to grow and speed up. Most cities are deploying new technologies at a rapid pace, regardless of whether they are big or small cities because technology helps to provide better services and to reduce costs. While adopting new technologies is a great move which brings many benefits, it also brings many problems related to cybersecurity -- the more technology that is being used, the more possibilities there are for cyber-attacks.

Companies Who Take a Risk-Centric View & Focus on Operational Resiliency Will Persist Through Future Attacks -- John Sheehy, Vice President of Strategic Security Services at IOActive

It’s important not to look in the rear-view mirror and focus only on what has been successful in the past. Companies and agencies alike must identify emerging risk and manage it by having a very risk-centric view with a mature security program that covers IT, OT and, if applicable, product technology as well. We need to focus on operational resiliency. Many predictions this year involve attacks that will be deep in the supply chain; there is no way for the ordinary organization to see these today. As organizations continue to face an increase in social engineering, phishing and spear-phishing attacks, how they manage risk post-breach will differentiate organizations soon. In 2019, it won’t be surprising to see DDoS attacks coming back with a vengeance due to higher speed infrastructure with insecure IoT devices. Soon I predict we will see the return of large-scale DDoS attacks that will take down whole sections of the Internet.

Setting the Roadmap for a Security Strategy -- Marc French, Chief Trust Officer and Data Protection Officer at Mimecast

In 2019, we’ll finally see some headway made toward defining what a 'basic security' program looks like across businesses of all sizes. If this truly happens and people adopt it, the rising controls tide will lift all ships on the protection front.

In the year ahead, on the threat intelligence front, organizations will make it a point to ensure that they’re not exhausting their IT administrators with “useless” information. CISOs will prioritize sharing actionable threat intelligence data in order to help executives make informed business decisions that are backed by knowledge of relevant cybersecurity trends. Also, expect organizations to increasingly automate cybersecurity systems next year, especially those that generate threat intel alerts.

Mitigating risks will, of course, continue to be a priority for CISOs in 2019 as well. Organizations will make a concentrated effort to advance their threat intelligence capabilities, regardless of available budget to allocate toward cybersecurity, while making clear decisions about whether or not to outsource their efforts.

Growing Role of AI & Challenges of IoT Security


Watch Out for IoT Devices and Vapor Worm -- Ken Underhill, Master Instructor and Joe Perry, Director of Research at Cybrary

2019 will be the make-or-break year for IoT security. Thus far, the overall lack of sophisticated IoT security hasn’t led to serious losses, but that’s going to change fast. One of the primary fears for enterprise security is the abundance of bring-your-own-device (BYOD) workspaces, and IoT exacerbates that problem to a currently unmanageable level. Attackers can compromise sensitive information by gaining access to an employee’s home network, dropping malware on their smart-home management device, their refrigerator, or even their IoT light bulbs, then propagating onto phones, tablets, and computers. It’s a fundamental fact that the larger the attack surface, the higher the likelihood an attacker will gain access. BYOD may be a cost-saver, but it means that the entire smart-home platform of every employee is now a potential attack vector. In 2019, the industry will either do something serious about securing these platforms, or we’ll find out why they should have done so.

Malware Will Become Faster, Stronger and (Artificially) Intelligent -- Laurence Pitt, global security strategy director at Juniper Networks

2019 will see wider adoption in AI and Machine Learning in forensic incident analysis and with that, a surge in abuse of the technologies. While false positives and negatives associated with the technologies cause industry experts to question their reliability, cybercriminals don’t share those concerns. AI and ML will open new doors for hackers to carry out more sophisticated and personal attacks in the new year and beyond, making it critical for enterprises to stay one step ahead and stop attacks in their tracks.

5G Will Make It Faster and Easier for the Bad Guys -- Laurence Pitt

2019 will bring widespread 5G connectivity for the very first time, and with it, exponential growth in connected devices. Regardless of the purpose of the device, any device connected to 5G has the potential to become a target for hackers – even if it runs on a secured 5G network, it is still a wireless device and therefore available as a target for a breach. The growth of 5G means that the industry needs to be considering how to have an effective security posture and a solid foundation of security before these new networks are deployed.

IoT Attacks Will Evolve in Sophistication -- Joe Lea, VP of Product at Armis

Since the Mirai botnet in 2016, we’ve witnessed a rapid evolution of IoT attacks. Within the past year alone, IoT devices have been harnessed maliciously for crypto-mining, ransomware and mobile malware attacks. In 2019, IoT threats will become increasingly sophisticated, shifting from botnets and stray ransomware infections to APTs for surveillance, data exfiltration and direct manipulation of the physical world to disrupt operations.

Unmanaged and IoT Device Security Will Become a Board-Level Priority -- Joe Lea

Today, about 30 percent of companies I work with discuss IoT security at the board level. IoT is not simply a driver of revenue growth. More and more Boards recognize the risk, compliance issues, and exposure these new unmanaged devices bring - which is why securing them is now a board-level initiative. I expect at least 60 percent of boardrooms will be prioritizing IoT security going forward.

Point Solutions Reach Critical Failure Point for IoT Security -- Joe Lea

Companies today are cobbling together multiple cybersecurity solutions and pointing them to the dark space of IoT hoping for visibility and protection. Betting on security with this point solution model is dull for several reasons. First, it’s impossible to install agents on all connected devices in an enterprise environment, especially when IT is unaware of nearly half of those devices; there are massive technical hurdles to integrating multiple tools, each with siloed data and their own deployment and operational complexities; pile on the industry shortage of the security skills necessary to get value out of each of these tools; and the Sisyphean task of wrangling point solution vendors into cooperation. The industry went down this path when securing and managing conventional IT. In 2019, I’m optimistic that companies will realize that this piecemeal security approach won’t work for IoT. Instead of jerry-rigging legacy point solutions to mitigate IoT risk, security decision makers will invest in dedicated IoT security platforms that help bring connected devices into the fold of enterprise security and operations.

Increased Use of AI by Security Vendors and Corporations in Predicting Attacks -- Candace Worley, Chief Technical Strategist at McAfee

In addition to the current use of AI to detect anomalous behavior indicating a cyber attack, organizations will increasingly use AI advancements to predict cybersecurity issues based on their organizations’ past cybersecurity events plus contextual and environmental information. In 2019, AI solutions will truly ‘learn’ networks, including endpoints, cloud logs, and behavioral characteristics of users in the network to know what belongs to the network and what does not. To identify an anomaly, the AI software looks for attributes such as suspicious behavior, known or unknown patterns and the behavior of machines that act like humans.

Threats to Social Media, Email


Management of “Fake News” on Social Media Will Continue On Its Downward Spiral -- Brian NeSmith, CEO and co-founder of Arctic Wolf Networks

Over half of the population claims to regularly see fake news on sites such as Facebook or Twitter. Yet, despite fake news being more commonplace than one would think, social media companies have been highly ineffective in doing anything -- except around the most egregious events. Next year, this trend will increase substantially, especially as our nation gears up for the 2020 elections.

The most notable example of hackers leveraging fake news was when Russian agents used misinformation campaigns, including 3,500 divisive Facebook ads, to allegedly influence the 2016 U.S. elections (CNBC). Such instances have made it clear to malicious actors that it is just as impactful to influence an election by stirring the pot as it is to directly attack voting machines. As we continue to see more instances in which false campaigns on social media impact our nation, we will begin to see more regulation of social media, especially around key, controversial topics.

Making Secure Email Environments a Priority -- Joseph Carson, chief security scientist at Thycotic

Email and stolen privileges will continue to be the primary method of bypassing organizations’ security in 2019 to inhibit services, disrupt productivity, steal sensitive data or conduct financial fraud. Heightening security to limit the impact and risk of emails and privileges should be the top priority for organizations to reduce their vulnerability to cyber attacks. By controlling inbound email content and implementing a least-privilege strategy, you can significantly reduce cyber risk. Cyber weapons have been in development by several governments for years and many have begun secretly engaging in attacks against other countries, spawning near-war scenarios. As the world has become somewhat callous to the threat of nuclear arms, cyber weapons have enabled countries to disrupt citizen societies and political stability. In 2019, we will likely see governments reveal their offensive cyber capabilities and demonstrate their power to cause social and political harm without ever even crossing borders.

Cloud, Supply Chain, Servers, Oh My!


Getting Every Security Player on the Same Cloud -- Rishi Bhargava, Co-founder at Demisto

In 2019, cloud security will align strongly with traditional security measures. While cloud adoption has improved organizational agility, reduced products’ time-to-market, and leveled the playing field with respect to computational power, it has also resulted in disparate environments that security teams struggle to monitor on a regular basis. This is especially true if the security teams are isolated from other teams that deal with DevOps, cloud infrastructure setup, and product development. During incident response, it’s also tough to reconcile cloud asset data with data from traditional security tools. Security vendors and organizations have both realized this, which is why product interconnectivity will grow and security teams will be able to coordinate actions across both cloud and on-premise environments from a small number of consoles.

Business Concerns Over Cloud Security Will Grow -- Jason Rebholz, Senior Director at Gigamon

Organizations are increasingly pushing their technology stack into the cloud in an effort to alleviate scalability issues and, in some cases, help reduce costs. As organizations expand their borders to the cloud, they begin to lose visibility into the perimeter they once had fine-tuned controls around. These borders are no longer just contained within the equipment and employees associated with that organization. They expand into third-parties like Amazon, Microsoft, and Google. Furthermore, the traditional tools that these organizations once relied on may not provide the proper visibility into the cloud environment. Ultimately, this pushes these organizations into a position where they are much more concerned about how they can adequately secure their cloud environments in the same way they would their traditional networks. The widespread adoption of cloud technologies will cause cloud security to be a top business concern in the coming years. This will shift the focus onto porting traditional security tools over to the cloud and cause an increased focus on application level logging available within the cloud environment.

Supply Chain Attacks in Healthcare -- Stacia Tympanick, Security Strategist at Carbon Black

We will see a lot more supply chain attacks occur within the Healthcare industry. Healthcare is such a tough attack surface to protect because many healthcare organizations grow by acquiring smaller healthcare organizations. There is so much focus on just making sure that devices are discovered and protected on networks, that managing medical devices on top of this opens up a large attack surface. Healthcare is also starting to move to the cloud, so cloud providers should be evaluated under a stern eye to ensure that proper and secure procedures/processes are in place.

Servers are in the Cross-Hairs -- Chester Wisniewski, Principal Research Scientist at Sophos

Cybercriminals prefer to inflict the kind of damage that offers the best chances for success, with the smallest effort and chance of detection. It’s a balancing act of risk and reward. In 2019, this means we’ll see an increase in cybercrime relegated to servers. In recent years, companies have invested in next-generation technology to protect endpoints, but server security has fallen to the wayside despite the high-value data often stored there. Preying on server exploits that may be harder to patch or monitor, cybercriminals can get deep within a company’s network to inflict serious damage, while crypto-miners can hang out unnoticed for months stealing a company’s resources, just to name a few dangers.

Zero Trust


Zero Trust Goes from Buzzword to Reality -- Tim Steinkopf, President at Centrify

As catastrophic data breaches become more common, the need for organizations to consider new approaches is escalating. For today’s enterprises, the concept of Zero Trust is rapidly moving from interest to adoption, and savvy organizations will adopt Zero Trust approaches to stay ahead of the security curve. In fact, Zero Trust Security is generating more interest from technology and security leaders than any other security technology, according to the 2018 IDG Security Priorities Study. Bad actors are no longer hacking their way in, they’re logging in using stolen, weak or compromised credentials. As attackers breach what’s left of enterprise perimeters and begin to look — and act — like trusted users, the concept of blindly trusting insiders now seems like a quaint notion. All of which explains why Zero Trust Security will generate even greater interest from security leaders in 2019.

Authentication

Stepping the Authentication Protocols -- Stacy Stubblefield, Co-Founder and Chief Innovation Officer at TeleSign

In 2019 we will see an evolution in the two-factor authentication (2FA) process that directly addresses some of the most discussed fraud attacks. It’s a documented fact that the use of 2FA to stop unauthorized account access has exponentially decreased account takeover fraud around the globe, but as fraudsters have evolved, so too must the techniques used to combat them. The increasing prevalence of SIM swap fraud and porting fraud (where attackers take over an end-user phone number, so they can intercept one-time passcodes) has led to more collaboration between online businesses and mobile network operators, who can tell those businesses (in real-time) when a SIM swap or porting change has occurred. What we will see as 2019 unfolds is the use of that data to augment 2FA, which will ultimately ensure the continued growing adoption of this important security step by both businesses and their users.

To Keep Up With Mobile Malware, Two-Factor Authentication Will Look Different -- Chester Wisniewski, Principal Research Scientist at Sophos

Mobile malware has remained steady over the last few years and will continue to be a problem in 2019 as cybercriminals find new ways to target the high-powered computers we carry around with us every day.

For example, delivering six-digit secrets via SMS text message is a common method for two-factor authentication, yet we see this being compromised by criminals using malware and even SIM swapping attacks. In 2019, we hope to see the industry make a more concerted effort toward push notifications for two-factor authentication, which are much harder for cybercriminals to intercept or redirect.

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazines Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series.