As 2020 approaches, it’s time to discuss cybersecurity predictions that will impact the industry in the upcoming year. As a CISSP and Chief Information Security Officer for XYPRO, I thought long and hard about what I could say that would be impactful and hasn’t been said before – that’s a tall order! The reality is, what we predicted would be important in 2019, 2018 and even 2017 – is still applicable. A lot of what we predicted back then was never properly addressed and remains a risk today – credential theft and attacks targeting privileged user logins are more prevalent than ever. Currently, the best way to combat these types of attacks is to use 2 factor authentication. Use it for everything. There is no simpler way to state it – but this is still not being done. Risk will continue to increase in 2020. I cover this and other cybersecurity predictions for 2020 in the list below.
Machine Learning (ML) and Artificial Intelligence (AI) Will be Key to Combating Threats – We’ve all heard security vendors discuss ML and AI as features within their products for years. Up until recently, this wasn’t much more than a marketing gimmick. We have not begun to scratch the surface of the capabilities of ML and AI to combat threats. There is a lot of skepticism that has existed for years, but in 2020 we will have no choice. The amount of data being generated is increasing exponentially and the only way to keep up and identify threats is to allow machines to churn through data and trust they will detect the right concerns – then take appropriate action to combat the threat. We are going to see a lot of research, funding and effort invested in these methods. We need to get comfortable with the technology so it can be adopted on a wider scale and evolve. We have no choice. It’s the only way to monitor security going forward.
Attacks on the Edge will Increase – the proliferation of IoT devices, sensors, endpoints and a remote workforce is fulfilling our need for faster information in a mobile method. Edge computing enables us to generate and analyze data for decision making faster than ever before. Research firm IDC estimates at least 40% of IoT-created data is now stored, processed and analyzed close to or at the edge of the network. As we become more reliant on this data and the value it provides, we can’t lose sight of the security concerns that come along with it. Protecting the integrity of data at the source becomes vital. As attacks on edge devices and sensors become commonplace, we’ll see more focus on the security protections necessary to ensure the integrity of the data.
The Cloud Continues to be a Blessing and a Curse – as companies migrate their critical workloads and storage to the cloud, protections offered from the data center dissolve as the perimeter disappears. Aside from all the benefits, scalability and flexibility the cloud provides, it also introduces a new set of security challenges for CIOs and CISOs who are responsible for creating secure environments and keeping company and customer data safe. New technology requires new skill sets and there is a shortage of resources who truly understand how to build secure cloud environments. This risk is compounded by adversaries with unlimited resources at their disposal and the strategy that a hacker needs to only be right once, but a company protecting their data in the cloud needs to be right 100% of the time. Were going to see a lot more breaches similar to the CapitalOne breach as the technology, knowledge and resource gaps widen between hackers and companies who are trying to keep their data safe.
Data Privacy Legislation will Continue to Strengthen – Government agencies have started to take notice how consumer data is collected, used and protected. We saw this with the adoption of GDPR in 2018. California has adopted its own version of GDPR called CCPA. Other states and municipalities are also adopting their own versions of consumer data privacy laws. As this becomes normal, this also creates a fragmented set of local privacy legislation that will make it onerous to conduct business. At some point we will likely see the federal government provide overarching legislation. But in the meantime, as governments get more involved, these types of laws will continue to evolve and strengthen to punish those who are misusing and misrepresenting the usage of consumer data. Is the threat of punishment an effective deterrent?
Election Fraud and Foreign Government Interference is Real – The aftermath of the 2016 elections shined a spotlight on our need for better cybersecurity regulations and controls for the entire U.S. Election System. Specifically, when the Federal Bureau of Investigation (FBI) announced that some state and local election jurisdictions had been the targets of Russian cyberattacks, this jeopardized one of the key tenets of our democracy – free and fair elections.
In January 2017, the United States Department of Homeland Security (DHS) federally designated the election infrastructure used in federal elections as a component of the U.S critical infrastructure. Critical Infrastructure (CI) refers to systems and assets for which “incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination”. Other CI sections include the U.S. energy infrastructure, the Emergency and Financial Services sectors, Food and Agriculture, Transportation Systems, Water and Wastewater, and others.
This federal designation allows DHS to provide security assistance and brings the election infrastructure under a 2015 United Nations agreement stating that “nations should not conduct or support cyber-activity that intentionally damages or impairs the operation of CI in providing services to the public” as well as other benefits and controls from the designations.
Naturally, this designation provoked some concern by state and local officials with regards to federal overreach and autonomy of states to secure their own elections. Some of those concerns have since been mitigated by the federal government’s ability to provide cyber-security funding, assistance, and relief. This will be at the forefront of discussions and controversy heading into the 2020 elections
Password Attacks Will Continue
One of the largest security risks to any organization is the misuse, compromise or sharing of privileged accounts. Privileged accounts provide elevated access for the purpose of performing administrative type functions. They can be administrator accounts, service accounts, firecall or emergency accounts, database connection accounts and applications. Most of these accounts were set up years ago when an application or system was deployed. They typically have multiple integration points. Because of the risk of “breaking something”, the passwords for these accounts are rarely rotated, likely shared and undoubtedly they are improperly stored/protected.
According to the Varonis 2018 Global Data Risk Report – 65 percent of companies have over 500 accounts with passwords that are never rotated. These accounts have a higher risk of showing up in online password dumps with valid passwords. Privileged and service accounts with non-expiring passwords are a cyber criminal’s best friend. Ensuring these passwords are stored properly, changed regularly, meet complexity and compliance requirements and are audited can be overwhelming to implement and manage.
We have seen too many breaches lately targeting privileged accounts and we’ll see these types of attacks increase in 2020. Passwords are archaic. One true way to combat this risk is introducing a second factor for authentication. A second factor does add a layer of complexity to the authentication process, but provides immense value in terms of addressing the risk. We’ve heard for years that 2 factor authentication should be turned on for everything, yet it’s rarely implemented. Until we shift our mindset and sacrifice a little bit of convenience for a massive amount of security – attacks on privileged credentials will continue and increase in 2020.
Steve Tcherchian, CISSP
Chief Product Officer
Steve Tcherchian, CISSP, PCI-ISA, PCIP is the Chief Product Officer and Chief Information Security Officer for XYPRO Technology. Steve is on the ISSA CISO Advisory Board, the NonStop Under 40 executive board and part of the ANSI X9 Security Standards Committee. With over 20 years in the cybersecurity field, Steve is responsible for strategy and innovation of XYPRO’s security product line as well as overseeing XYPRO’s risk, compliance and security to ensure the best experience to customers in the Mission-Critical computing marketplace. Steve is an engaging and dynamic speaker who regularly presents on cybersecurity topics at conferences around the world.