Security 2018 Surprises and 2019 Predictions (Part 1)
More breaches as companies move to the cloud and struggle to implement DevSecOps.
Given the speed with which technology is changing, we thought it would be interesting to ask IT executives to share their thoughts on the biggest surprises in 2018 and their predictions for 2019. Here's the first of several posts on what they told us about security.
Last year, we predicted developers would become more ingrained in the security element, specifically the CI processes. This prediction played out pretty much as expected — in the early days, we had to do a lot of evangelism about why it was valuable to have security embedded in the development process. Today, though, we don’t have to explain that; not only do customers already get it, they’re usually asking for help doing it. The big shift is that most savvy developers realize embedding security early actually makes their jobs easier, so there’s a personal motivation to do it, beyond the obvious security advantages.
Equifax was a good example of what I often talk to customers about: most attacks do not involve awe-inspiring skill and 0-day exploits; those aren’t needed because so many well-known CVEs are out there and organizations are typically so far behind the curve in fixing them that they’re the path of least resistance. Similarly, there’s little value in trying to find the best firewalls and runtime technologies if you’re going to ignore the basics and just keep software up to date. The trend of having security embedded earlier in the development process helps with this, but as an industry, we need to move from a visibility to an enforcement model. Specifically, to ensure that vulnerable components can’t be deployed in the first place and to integrate security tooling into the CI/CD flows to do that automatically, as part of every deployment.
DevOps to DevSecOps...it’s become clear that the most successful enterprises that effectively leverage technology for competitive advantage are those that have created an organizational environment that balances speed of delivery with a cross-team responsibility for security. This trend will accelerate and become best practice in the enterprise as well as work its way into the mid-market. The tools available to effectively build, ship, run, and secure application code are pervasive and becoming better understood certainly by the development teams, but more so in the security side of the house as well.
We expected DevOps and SecOps (aka DevSecOps) would take off. What has happened is that there is still pushback as to how to automate and potential job loss.
Security, especially across multiple clouds and in combination with on-prem, will continue to be top of mind. Additional awareness of both insider and external threats must be combined with effective tools that balance protection and usability. More CISOs will peer with CIOs as opposed to reporting to them.
Don Boxley, CEO and Co-Founder,
It was extremely surprising given the number of well-publicized data breaches where perimeter security was almost always to blame, that more was not done to ensure perimeter security, that alternative approaches were not demanded by the C-suite, and that more IT professionals did not find themselves with their heads on the chopping block.
The amount of money flowing into blockchain startups without real uses for the technology has been surprising. While some actual innovation is taking place, it has a long way to go to live up to the hype and the dollars associated with it.
Ransomware attacks on city services. The WannaCry ransomware attacks of 2017 were a wake-up call to the healthcare industry about the threat and disruption of cyber-attacks. It brought attention to cybersecurity to a much broader public audience. Unfortunately, attackers upped their game to successfully attack Atlanta (and Baltimore, Dallas, San Francisco, and Charlotte). The March 2018 attack in Atlanta cost over $2M for incident response and another $9.5M to repair the damage. Months after the ransomware attack, Atlanta still deemed over 30 percent of programs once considered mission critical, practically inoperable.
The SamSam ransomware used in Atlanta used brute force techniques to guess weak passwords. The attack crippled city services including utilities, law enforcement, and bill payment, forcing a return to handwritten transactions. City services typically involve numerous software applications and staff accounts where the SamSam techniques can be successful. Let’s hope that other cities, regions, and states take note and prepare themselves.
The magnitude of the damage was my security surprise for 2018.
I believe we will see a lot more “Atlantas” (e.g., city/state government under broad attack). They are a soft target; we have many targets and ransomware pays sometimes. Much like the election system, there are so many out-of-date systems used for HR, IT, etc. that I think we will see a lot more of those.
Other 2019 cybersecurity predictions include:
Increase in social media infiltration
Exploiting company’s fear of damaged reputation from attacks
Better alignment between CISO and C-Suite
Integration of security efforts for IT/OT infrastructure
Ransomware attacks have declined after several years of steady growth, but we haven’t solved the problem. Companies haven't gotten better at encryption or backup, so why did attackers back off ransomware attacks? Likely because attackers have found that quality over quantity in attacks is more profitable, or that data in hand is far more valuable than potential ransom for inaccessible data.
We’re on track to see almost 5 billion records compromised in data breaches for 2018. The prediction is that the number of records compromised in publicly disclosed data breaches for 2019 will surpass the population of planet Earth (7.6 billion people).