What do cybersecurity experts from different fields think will go down in 2019? Here are some of their predictions.
Apathy Will Set In
“We are about to enter an era of mass complacency. While in the past, headlines on data breaches caught attention and left readers shocked and concerned, today they are increasingly becoming the norm. No longer are data breaches isolated events; we are now seeing cases of individuals having their personal data compromised for the second or third time and companies being attacked again and again. All of this will contribute to an apathetic mindset in 2019 – a the-worst-has-already-happened mentality that is extremely dangerous.
Research by ISACA in 2017 found that only 50% of CIOs and IT leaders took any meaningful action towards improving security following the WannaCry ransomware attack. Many are using their security budgets to meet compliance requirements and avoid fines, when they should be striving to turn the situation around.
At the same time, 2019 will herald in a raft of laws aimed at alleviating the situation. 2018 has been a significant year from a regulatory perspective. GDPR came into effect and certain countries have begun bolstering security requirements around critical infrastructure. California has introduced a Privacy Act similar in nature to the GDPR, and has upped the ante by being the first state in the US with an Internet of Things cybersecurity law.
The proliferation of such laws is needed not only because new technologies necessitate guidance around their lawful use but also to compel organisations to meet certain minimum requirements.
Perhaps the largest surprise from a regulatory perspective throughout 2018 relates to mandatory disclosure laws. These laws, which require organisations to disclose details of data breaches, have been blatantly ignored by those who'd prefer to keep such attacks out of the public eye. Knowingly violating the law is a practice that we can only hope will decline as social pressure to announce such breaches ramps up.”
Tony Jarvis, Chief Technology Officer, AMA, Check Point Software Technologies
A Lot More Phishing, A Lot Fewer Ransomware Attacks
“Phishing attacks will increase exponentially. The days of poorly worded messages filled with grammatical errors and cut-and-pasted logos are over. Messages are now more succinct and do a much better job of masquerading as legitimate correspondence. This will increase the success rate of phishing attacks. In fact, spear-phishing (phishing designed to target specific individuals or roles in a company) will become the norm. Since the cost and risk of mounting phishing attacks to plant malware or to steal credentials are so disappointingly low, phishing will continue to be one of the most prevalent attack vectors used by malicious individuals.
Meanwhile ransomware attacks will decrease. However basic malware will become commonplace. Once the holy grail of hackers (and feared by corporate security professionals), ransomware has decreased over the last year or so and that downward trend will continue into 2019. This is because fewer companies paid ransoms to recover data than expected, while malware/ransomware defences have improved. Ransomware will, however, remain in the hacker’s toolkit, but will be used mostly as a distraction, to divert attention to files locked by ransomware, while a data harvesting attack is silently occurring elsewhere in the network. Whether delivered via email or visits to malicious websites, basic malware (keylogging, data mining and so on) will also increase as an attack vector of choice because of its simplicity and effectiveness.”
Gene Scriven, Chief Information Security Officer (Senior VP of Global Information Security) at ACI Worldwide
IoT-Based Events Will Move Beyond Massive DDoS Assaults To New, More Dangerous Forms of Attack
“In recent years, massive botnet-powered distributed denial of service (DDoS) attacks have exploited tens of thousands of infected IoT devices to send crippling volumes of traffic to victims’ websites. Such attacks have not received much media attention of late, but they continue to occur and will remain threats in coming years. At the same time, we can expect to see poorly secured IoT devices targeted for other harmful purposes. Among the most troubling will be attacks against IoT devices that bridge the digital and physical worlds. Some of these IoT enabled objects are kinetic, such as cars and other vehicles, while others control critical systems. We expect to see growing numbers of attacks against IoT devices that control critical infrastructure such as power distribution and communications networks. And as home-based IoT devices become more ubiquitous, there will likely be future attempts to weaponise them.”
Hugh Thompson, Chief Technology Officer, and Steve Trilling, Senior Vice President and General Manager, Security Analytics and Research, at Symantec
IoT Cyber Attacks Will Surge
“IoT attacks will remain an issue in the year to come. In Asia Pacific, many countries are moving forward with Smart City and Smart Nation initiatives. This opens the opportunities for a new wave of IoT cyber attacks.
In the healthcare and retail industries, we'll be seeing many more attacks. The reason is that the value of the data these industries are collecting is increasing. Investments must be made to protect the data within these industries and beyond.
In 2019, industrial control systems (ICS) and operational technology (OT) organisations will begin waking up to the changes taking place in the cyber landscape. I predict that we'll see more security investments occurring in this space. At the same time, security testing of OT (embedded) systems will grow considerably.
Security training is imperative. Attacks could be approached from a data poisoning perspective in which faulty information is intended to influence organisational decision making through the sensors deployed within the target city or nationwide. We'll also see the same old issues persist: hardcoded credentials and unpatched components, not very well designed OTA updates and continuous update policies.”
Olli Jarva, Managing Consultant, Synopsys
Security By Design And Standards
“Currently software is still largely written without formal standards and processes behind it. Unlikely building bridges, software development is not a standardised repeatable job. That said, open source has been on the rise for a long time and is now commonplace.
I believe trust will grow in common building blocks based on open source software. Moreover, vertical software development standards will emerge more strongly. More effort will be placed on standards, audibility and accountability as seen in safety critical systems such as cars and aircrafts, where lives depend on correct software execution. These standards might evolve from the bottom up or they may be government regulated. Potential new verticals on the rise for this are financial services, solutions built around blockchain and security based on mobility solutions.
In 2019, we might see a rise of consortia within verticals to establish more security standards that are domain specific and that improve trust and interchangeability. Much of this might be built on open source components.”
Dr. Ralf Huuck, Senior Technologist, Synopsys
Security Of Process Plants Will Be In The Spotlight
"Due to developments in recent years, the security of process plants will be in the focus in the coming year. Stress will be laid on three main points: First, basic protection of existing facilities which means properly applying state-of-the-art technology. Second, the identification and elimination of vulnerabilities. Third, the understanding and implementation of organisational and normative requirements. Other important trends of the future are open architectures, modular engineering and integrated diagnostic concepts."
Dr. Alexander Horch, VP R&D and Product Management, HIMA
Attackers Will Increasingly Capture Data in Transit
“We are likely to see attackers exploit home-based Wi-Fi routers and other poorly secured
consumer IoT devices in new ways. One exploit already occurring is marshalling IoT devices to launch massive cryptojacking efforts to mine cryptocurrencies. In 2019 and beyond, we can expect increasing attempts to gain access to home routers and other IoT hubs to capture some of the data passing through them. Malware inserted into such a router could, for example, steal banking credentials, capture credit card numbers or display spoofed, malicious web pages to the user to compromise confidential information. Such sensitive data tends to be better secured when it is at rest today. For example, eCommerce merchants do not store credit card CVV numbers, making it more difficult for attackers to steal credit cards from eCommerce databases. Attackers will undoubtedly continue to evolve their techniques to steal consumer data when it is in transit.”
Hugh Thompson, Chief Technology Officer, and Steve Trilling, Senior Vice President and General Manager, Security Analytics and Research, at Symantec
Many Jobs Will Be Taken Over By AI
“Many more business jobs will be staffed by bots in the year to come. Many people will learn that artificial intelligence (AI) and machine learning (ML) are already all around them, often making decisions that affect their lives, their families, their health and their jobs. If you think the average person is average, wait until you find yourself yelling at a bot over the phone.”
Sammy Migues, Principal Scientist, Synopsys
More Corporate Adoption Of Behavioural Biometrics, More Industrial IoT Disruptions
“In Asia, we are far more accepting of using physical attributes like facial recognition or fingerprints to authenticate credentials. While passwords may change, physical biometrics are genetic and specific to each person, making it even more lucrative for hackers to exploit the serious vulnerabilities present in biometrics authentication. In 2019, we will see companies add behavioural biometrics with strong authentication, either based on advanced technology like FaceID or 2FA to provide a continuous authentication by incorporating a person’s physical actions which will be very hard to mimic.
Also, IoT devices are gaining in popularity in Southeast Asia, from consumer homes to industrial IoT to initiatives like lampposts in Singapore’s Smart Nation project. While attacks on consumer IoT are prevalent, the possibility of disruptions in manufacturing and similar industries raises the severity of the threat. In industrial IoT, attackers will target the underlying cloud infrastructure as millions of devices are connecting to the cloud for updates and maintenance. The access to these multi-tenanted and multi-customer environments will help attackers launch widespread attacks that will reap them much bigger rewards.”
William Tam, Director of Sales Engineering, Asia Pacific, Forcepoint
Security Teams Will Need More Development And Engineering Skills
“Security teams used to focus on firewalls and endpoints and many security professionals cut their teeth as system and network administrators. Nowadays infrastructure is defined by code, breaches are increasingly caused by weak applications and automation is essential for under-staffed teams. This is changing the skillset required by security pros. We now also need to have a deep understanding of applications and an ability to build automation into our tools and processes.”
Ross McKerchar, Chief Information Security Officer at Sophos