2018 Security Predictions (Part 6)
The dichotomy continues: accelerate development, but do so securely since there will be more attacks. Can devs and security teams rise to the task?
Given how fast technology is changing, we thought it would be interesting to ask IT executives to share their thoughts on the biggest surprises in 2017 and their predictions for 2018.
Here's the fifth article sharing what they told us about their predictions for security moving forward. We'll cover the last predictions for 2018 in a future article.
I predict that, in 2018, both the frequency and severity of “Software Supply Chain” attacks will increase. Software supply-chain attacks remind us how important it is to create a well-defended network with visibility at every point in the attack lifecycle, and the ability to identify and stop activity that has strayed from the norm. I suggest organizations prepare for this new era of attacks by investigating how their people, processes, and technology would defend them if their trusted software suddenly turned into malware through an automated update.
We should expect the Shadow Brokers to continue to attempt to profit off their pilfered exploits, and perhaps leak more exploits throughout 2018. It is my hope that the NSA has been able to determine everything that has been stolen by the Shadow Brokers and is working behind the scenes with technology vendors to rapidly fix the vulnerabilities that are certain to come to light.
1. Security budgets will increase
My first prediction is security budgets will grow. There is no evidence to suggest the share of IT budgets allocated to security will decrease in 2018. The massive security incident at Equifax and the catastrophic impact of WannaCry and Petya/Not Petya on large organizations around the globe spurred many companies, both large and small, to evaluate their spending and the allocation of their security dollars.
2. Companies will increase focus on detection and response
Enterprises will focus a significant share of their security dollars on endpoint detection and response (EDR) technologies. Malicious and non-malicious insider incidents continue to wreak havoc on networks, and shoring up defenses at the endpoint can go a long way towards mitigating those threats. The tide has started to shift from focusing on prevention and more on immediate detection and response to incidents. As such, expect to see EDR and similar technologies continue to grab more and more security dollars. These solutions will need to partner with technologies that increase the visibility of both software and hardware assets in the enterprise. Uncovering dark corners and hard-to-manage endpoints will be essential in delivering the rapid response capabilities that are needed to remediate devices in the critical moments after a breach or incident happens.
3. Use of ransomware will expand
The ransomware scourge won’t go away anytime soon. While it looks like fewer and fewer individuals are actually paying out, the ROI for cybercriminals is still massive, and the ease with which ransomware backend infrastructure can be spun up to launch massive attacks continues to increase. Crimeware-as-a-Service continues to enable less-skilled attackers to launch attacks in the hopes of finding riches.
4. API-based attacks will become a bigger deal
There’s a lot of backend traffic flying around the Internet - things the average computer user can’t see. Many of these solutions are not regularly monitored, and some of them use outdated security methods - making them ripe for pilfering. I would be shocked if there wasn’t at least one massive breach in 2018 that involved the exfiltration of large datasets of sensitive information through this method.
5. DDoS will continue to sucker punch assets online
As more and more devices come online, especially ‘smart’ IoT devices, attackers will find ways to zombie them and use them in their massive DDoS armies.
6. ‘Hacking back’ policy will be an increasing concern
I am concerned about recent efforts to make it legal for organizations to ‘hack back’ against attacks on their infrastructure. Two members of the US House of Representatives introduced a bill earlier this year that would allow victims to hack their hackers. The trouble is we already know that real, definitive attribution is incredibly difficult - how can we ever really be sure that we’re attacking the real source of an attack? What happens when the source of the attack is another company that suffered a breach of its own and is being used as an intermediary? Will that company then “hack back the hacking hackers”? Think about how quickly these things could devolve into chaos if organizations are allowed to build red teams with the sole purpose of going on the offensive.
7. State-sponsored attacks will continue unabated
Government agencies on all sides will continue to silently (and not-so-silently) attempt to enter enterprise networks to steal secrets, plant access backdoors, steal private encryption keys, and abscond with internal information to leak.
8. GDPR will levy its first fine, and it will be painful
Looking at GDPR from a different angle, this is a very real threat to the many organizations who haven’t taken it seriously or have not done any preparation for it. We can expect to see at least one major fine levied against an organization that has made the conscious decision to play fast and loose with GDPR and abuse or lose EU citizen data. If I were a CISO in an organization that isn’t ready for GDPR, I’d start dusting off the CV and looking to get far, far away.
Threat actors that affect governments at the national or international level will be most talked about in 2018. The pace of breaches in retail has increased significantly over the last year, and governments are likely to be similarly affected next year. Further, cyber hacking terrorist activities will likely drive governments around the world to seek more surveillance capabilities, which could further clash with privacy advocates. The debate over government surveillance and privacy will reach a new height — but the positive side is that it will also prompt the birth of more secure services to prevent future attacks.
Second, organizations are catching up with the fact that software - which requires frequent updates and releases to drive business value - is being developed by multiple business units spread throughout the organization. Gone is the era where any development outside the centralized waterfall was considered “rogue development.” The “rogue developers” won, and they deploy software with very low latency to a private or public cloud. They are reusing open source, they are doing A/B testing in production, and they don’t have time to stop and wait for the centralized team for manual approval. The right approach is to make sure there are secure automated ways of deploying software in a continuous manner. The security team must offer secure infrastructure to its various DevOps teams, which will work at the same pace as software production, and allow for security feedback at a higher velocity. Automation will provide tremendous security value where it integrates with the process.
The biggest threats are less about technical defects and vulnerabilities and more about the challenges organizations face in managing increasingly sophisticated and automated systems. As organizations across all industries and sizes become more software oriented, their security tools and practices are struggling to keep up with the new platforms and their rapid pace of change. If you’re a CISO, you’re getting pulled in two opposing directions: don’t slow down the innovation in the business, but provide security across a constantly shifting baseline. That’s pretty hard to do and requires a real rethinking of the way we build and operate security organizations.
We will continue to see organizations embrace a managed services model overall in 2018. However, within the cloud space, Platform-as-a-Service (PaaS) is truly positioned for clients to start taking advantage of the benefits that it offers. That’s a huge lift for companies, as managed services in conjunction with PaaS can free up internal resources to focus on initiatives that support and grow the business versus managing the operational side.
In addition to the industry realizing that iOS is a computing platform that needs protecting, 2018 will also usher in the next era in mobile security: compliance. In 2018, compliance mandates will recognize that mobile endpoints are like all others. PCI, HIPAA, NERC, and other regulations will expand their definitions to include information on tablets and smartphones. The logic is simple: if information needs protecting on traditional endpoint computers, it needs protecting on mobile devices.
There will be more major security breaches. The number of security breaches reported in the press has been escalating for many years and the scale of such breaches has been growing too. There is no end in sight. Many of these breaches have resulted in huge costs for the companies involved and the resignation of the board members responsible.
You need to do everything you can to protect your information from attackers, but no matter what controls you put in place, you can never guarantee that you won’t be breached. So, make sure you have well-rehearsed plans for how you’re going to respond. AND make sure you monitor your networks and systems to help you identify when you have been breached. Some of the most expensive breaches are the ones that have gone undetected for weeks, sometimes months, turning an embarrassment into a catastrophe.
If the cryptocurrency bubble continues to grow, it will likely attract criminals on two fronts besides ransomware and cyber extortion — more of them will try to hack into and gain control of high-value crypto accounts, and secondly, the highly appreciated cryptocurrencies will make it easier to fund and operate digital underground markets and cybercrimes on a much larger scale. Also, as Blockchain starts getting adoption in some of the major sectors including financial services, government, and defense, hackers are going to look for vulnerabilities to exploit there as well. We can expect to see some creative attack methodologies on the cryptocurrency and Blockchain front.
In addition to how businesses and regulators respond to the many breaches of the past year, trends we’re thinking about for 2018 include:
Three degrees of separation isn't necessarily a good thing when it comes to your data: In the coming years, there is a possibility that companies will see cyber attacks from vendors of their vendors who have access to their sensitive data. Following major security incidents resulting from third party vendor breaches (as we saw with Target), most companies have established vendor security assessments. What that function doesn’t usually tackle (or have the visibility, time, insight to tackle), however, is the downstream risk of all vendors, leaving many organizations vulnerable to threats.
Face ID and biometrics aren’t ready for business prime time – yet, but there’s a promising future on the horizon. Thanks to Apple and the launch of the iPhone X, we’re now seeing more interest in facial recognition, just as we did with fingerprints when the iPhone 5s was introduced. We might see some large players provision features to support well-known factors, but most likely this form of biometrics won’t yet be a stand-alone high-level security option – at least in the business world. That’s partly due to inherent skepticism as the technology proves itself, but also around privacy concerns and challenges with adoption.
The money is in security orchestration. As we move into 2018, automation is going to be more and more important for the security industry – as both attackers and solutions become more intelligent, the entire security stack must evolve to meet the needs of the modern threat landscape. With more data comes more to review, and security teams need non-manual ways to scale their practices. Companies that deliver security automation will help make both detection and prevention more efficient, and solve challenges around alert fatigue, which continues to be a major challenge for IT.
API security is a new, big gap to close. In recent years, we’ve seen the rise of the API economy. The value of inter-connected applications sharing data with each other has proven to be immense, but so has the risk. Today, there’s very little protection from hackers who are attacking API services with stolen or invalid credentials. Credential stuffing, hijacked cookies, DDoS attacks, data exfiltration, and malicious data deletion will continue to be amongst the top risks which enable the successful exploitation of API vulnerabilities and weaknesses.
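Two of the predictions above (the API-based attacks in prediction 4 and the credential stuffing against API services just mentioned) share one observable: a single source trying leaked username/password pairs against many different accounts, usually with a high failure rate and the occasional success. The detector below is an added example written for this page, not code from any of the quoted contributors or from DZone. It runs over constructed access-log lines in an assumed format (`<timestamp> <client_ip> <method> <path> <status> user=<username>`), and the thresholds (five distinct accounts, 80% failures, five-minute sliding window) are illustrative assumptions you would tune to your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the demo (not real traffic). The line format is
# an assumption: "<ISO-8601 timestamp> <client_ip> <method> <path> <status> user=<username>".
# 203.0.113.7 tries one password each against many accounts (stuffing) and gets into "frank";
# 198.51.100.23 is one user fumbling their own password; 192.0.2.50 is normal traffic.
SAMPLE_LOG = """\
2018-01-04T10:00:01Z 203.0.113.7 POST /api/v1/login 401 user=alice
2018-01-04T10:00:02Z 203.0.113.7 POST /api/v1/login 401 user=bob
2018-01-04T10:00:02Z 203.0.113.7 POST /api/v1/login 401 user=carol
2018-01-04T10:00:03Z 203.0.113.7 POST /api/v1/login 401 user=dave
2018-01-04T10:00:04Z 203.0.113.7 POST /api/v1/login 401 user=erin
2018-01-04T10:00:05Z 203.0.113.7 POST /api/v1/login 200 user=frank
2018-01-04T10:00:05Z 203.0.113.7 POST /api/v1/login 401 user=grace
2018-01-04T10:01:10Z 198.51.100.23 POST /api/v1/login 401 user=heidi
2018-01-04T10:01:25Z 198.51.100.23 POST /api/v1/login 401 user=heidi
2018-01-04T10:01:40Z 198.51.100.23 POST /api/v1/login 401 user=heidi
2018-01-04T10:01:55Z 198.51.100.23 POST /api/v1/login 200 user=heidi
2018-01-04T10:02:00Z 192.0.2.50 POST /api/v1/login 200 user=ivan
"""


def parse_line(line):
    """Parse one access-log line in the assumed format into a dict."""
    ts, ip, _method, _path, status, user = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "status": int(status),
        "user": user.split("=", 1)[1],
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_distinct_users=5, min_failure_ratio=0.8):
    """Return {ip: stats} for source IPs whose login attempts, within some sliding
    window of length `window`, failed against at least `min_distinct_users`
    different accounts with an overall failure ratio of at least `min_failure_ratio`.
    Many distinct accounts from one source is what separates stuffing from a
    brute force against a single account or a user mistyping a password.
    Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] fits within `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            in_window = events[start:end + 1]
            failed = [e for e in in_window if e["status"] == 401]
            distinct_failed_users = {e["user"] for e in failed}
            ratio = len(failed) / len(in_window)
            if len(distinct_failed_users) >= min_distinct_users and ratio >= min_failure_ratio:
                stats = {
                    "distinct_users": len(distinct_failed_users),
                    "attempts": len(in_window),
                    "failures": len(failed),
                    # Accounts the attacker actually got into during the same window:
                    # these are the ones to lock and force a credential reset on.
                    "succeeded": sorted({e["user"] for e in in_window if e["status"] == 200}),
                }
                # Keep the window that exposes the most victim accounts.
                if best is None or stats["distinct_users"] > best["distinct_users"]:
                    best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

The point of returning `succeeded` alongside the failure counts is that a credential-stuffing run is only partly a blocking problem: the source IP can be rate-limited or dropped, but any account that returned 200 during the run has a working stolen password and needs a forced reset regardless of what happens to the IP. On a real API gateway you would feed the same per-source, distinct-account metric into rate limiting rather than into an offline log scan.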