Sunday, December 30, 2018

Cybersecurity Predictions and a Wish List for 2019

© 2018 Bob Carver, CISM, CISSP, M.S.
As in recent times, the cyber threats will continue to get worse before they get better. Those who think “good enough” security or risk management is sufficient will be sorely disappointed by the large gaps they leave open for cybercriminals and nation-state actors to easily breach and compromise their enterprise.
  • Cybercrime as a Service (CaaS) will continue to increase. There is no need to be a malware/exploit writer yourself if you can simply buy or rent. It is much easier to set up a cybercrime business than it is to open a corner store in your neighborhood. Just open an appropriate cryptocurrency account and make your payment to your cybercrime vendor of choice. Their customer support and malware/exploit guarantees will rival, if not beat, the best premium, legitimate software vendors.
  • We will continue to see increased manipulation of standard processes and utilities to compromise, manipulate and exfiltrate data. This includes escalating privileges to utilize those processes that are often whitelisted in most endpoint security systems. It will all look legitimate to the average user/endpoint security but it will be malicious.
  • We will start seeing more machine learning malware that plays games with machine learning endpoint and intrusion detection algorithms to avoid detection. This will result in “My machine learning is better than your machine learning.” You can guess who will often win.
  • Intrusion detection systems will continue to lose visibility into data flows and malicious activity due to encryption. Gartner has already predicted that in 2019, 80% of all traffic will be encrypted and 70% of malicious traffic will be encrypted. Will we be ready to detect what is happening in those malicious obfuscated traffic flows?
  • IoT (Internet of Things) wreaking security havoc is not going away. Consumer routers, webcams, security cameras and other Internet connected consumer goods continue to have poor or marginal security. I predicted in 2016 these problems would arise even before Mirai, Hide ‘n Seek, Gafgyt and the like. Unless people, organizations and manufacturers are held to some level of responsibility, we will have more of the same.
  • Insurance Policies may be less likely to pay cyber insurance claims. Of course they want and need to be profitable. There are multiple areas in your cybersecurity policy you might want to review with a fine-tooth comb. Recently one insurance company denied claims related to NotPetya infections, claiming they were an Act of War or Force Majeure. Additional clarifications and negotiations probably need to take place in that area. Next, verify you have the people, processes and technology in place that are required by your policy and then check the fine print for exclusions.
  • One or more businesses may have to claim bankruptcy or cease to exist (at least in their current form) due to overwhelming expenses that are required as a result of a major breach.
  • The autonomous machine learning bots are coming. One or more proofs of concept have been tested and refined. This means that little or no traditional command and control (North-South Internet) traffic is needed to execute reconnaissance, exploitation and complete exfiltration; or worse yet, destroy or manipulate data. No more telltale beaconing of C2 traffic. Monitoring of files and processes, whether on disk or in memory, and visibility into East-West traffic will be necessary now more than ever.
  • Security Scores for companies are a work in progress. Just like FICO or credit scores have been in place for decades in an attempt to measure credit risk, security scores will eventually be utilized for third party risk, supply chain risk, mergers and acquisitions, overall corporate risk and pricing models for cyber insurance.
  • “Good enough security” will eventually be seen for what it really is: “Not Good Enough.” Underestimating your adversary will eventually be seen as naive and “penny pinching will be exposed as pound foolish.” Third-party partner risk, mergers and acquisitions and insurance underwriting will eventually be affected by the business entity’s perceived or actual risk. Due to this additional clarity of risk, those that are deemed a higher risk may be forced to pay for that risk.
  • Firmware/hardware and side channel attacks will happen at the nation-state and high-end cybercriminal level. This will put more pressure on designing a better Zero Trust TPM (Trusted Platform Model). Unfortunately, with current hardware and operating systems, these attacks may be relatively invisible.
  • New record fines will be assessed for breaches related to GDPR.
  • Some major supply chains and/or third party corporate partners will be breached and will wreak havoc for all the entities that are interconnected or interdependent. This may create a new demand for cyber specialists to specifically focus on supply chain and third-party cyber-risk management.
  • Threat Hunting in large corporations should be a top priority since many threats are simply not seen on endpoint and intrusion detection systems. This means not just searching for known documented threats, but searching for the unknown. Complete logs, processes, changes and data flows (North-South and East-West) are needed. Ideally, those data flows should be correlated to a process on the endpoint, whether on disk or in memory.
Wish List
  • Secure our voting systems and back all votes with paper ballots. Anyone, regardless of party, living in a real democracy should want a voting system that cannot easily be rigged to change votes for the candidate that has access to the vulnerable voting machines. BlackHat Las Vegas this year displayed a 12-year-old breaking in and changing votes on a current voting machine. Known possible manipulation is often not investigated and is swept under the rug. In the meantime, while we are re-inventing a more secure system, we need to stop handing over the source code of these voting machines to foreign entities that may want to manipulate the end results of our elections.
  • Make into law who is going to be responsible for the security of IoT and will be required to take appropriate action when things go wrong. At present no one is taking responsibility. There needs to be a delineation of responsibility between the following:
- The owner of IoT
- The manufacturer
- The ISP
- The government
  • The Boardroom needs to increase their knowledge and involvement in overseeing risk management in cybersecurity and cyber resilience. A static check box mentality doesn’t work in this extremely dynamic attack environment.  Dynamic analysis through frameworks such as NIST CSF needs to be utilized. The attributes of quality in NIST CSF are not easily translated into a consistent quantifiable model that can be utilized for benchmarking. It will not be easy to come to an agreement on a consistent way to measure across institutions, industries or market verticals as well as the size of the business. Essentially “one size” does not fit all. Risk optimization is closer to the process of getting fit for a custom-tailored suit than reporting a series of standardized checkboxes with weighted ratings.
2019 and beyond will no doubt be interesting for all of us, stretching those that will be attempting to adapt to this increasingly dynamic threat environment and may be harsh for those that are settling for “good enough” security.