Reflections on 2020 and 2021 Cybersecurity Predictions
We are breaking our usual silence with our annual cyber security predictions….
Reflecting back on our 2020 predictions –
1. Year of the IoT CISO – 2020 did not quote on quote became the “Year of the IoT CISO”, but we certainly observed more demand for security professionals that understand full-stack IoT development. As things evolve this trend should continue.
2. Adoption of 5G will introduce a number of problems – 2020 was supposed to be the big transition for 5G, Covid-19 put a damper on that... 5G service is still spotty... The only observed problem so far were the attacks on 5G towers – there was an attack surface, but it was physical not software 🙂
3. More attacks on infrastructure – there were no major direct infrastructure attacks in 2020, but with COVID-19 pandemic showed the weaknesses and dependencies in the supply chain more clearly. Even though there were no major events in 2020, we suspect a major infrastructure attack is still not off the table in the future; it is just a matter of time. Also the fallout from SolarWinds incident may have some downstream effects on the infrastructure in 20201.
4. Cloud transition continues – COVID-19 definitely emphasized this prediction – transition to the cloud was stronger than ever.
5. Ransomware alive and well – unfortunately this year from county governments to technology companies to hospitals many entities were targeted by cyber criminals; for a reason, they were getting paid… We heard about some of these due to required disclosures, but a good chunk was handled under the table. Healthcare was especially targeted given the pressure they under due to the pandemic, which made them easier paying targets. Given the success in this style of attack we expect this to continue in 2021 as well.
6. Information warfare continues to evolve – In 2020 we saw that information warfare is used by domestic and foreign adversaries very effectively- but there were numerous examples of disinformation incidents fueled by social media adding to the already tense social climate… On the deep fake front - there were not so many high-profile deep fake incidents as we predicted, there was definitely developments on detection and public awareness.
7. ML is a double edged sword – Based on the events observed in 2020 ML definitely failed on the defensive side; but malware is definitely getting smarter and harder to detect. We ended the year with SolarBurst - It provided a deep insight into how evolved cyber adversaries are; fallout from the incident still continues and we may never know the true impact on the U.S.
8. Privacy issues continue – a lot more states in the U.S. jumped on the California CCPA’s bandwagon; GDPR is in full-gear, privacy is definitely scrutinized more than ever before... Regardless of all these positive changes on the privacy front the constant stream of breaches in 2020 continued; helped increase user awareness as well as creating breach-fatigue… Recent data from Risk Based Security revealed that the number of records exposed has increased to a staggering 36 billion in 2020.
9. Cybersecurity skills gap is still there and will get bigger – there are a lot of posers out there – gap is still alive and well and increasing…
10. Business and IT alignment will remain a work in progress – in 2020 we still observed that cybersecurity is getting lost in the layers of corporate bureaucracy; lack of understanding of security operations compounded by lack of automation among so called ISRM teams slows the momentum of progress. This is works in the advantage of the attackers.
Security execution must be risk driven and with momentum it is doomed to fail if it is reactive – meaning after the fact….
Overall, except predictions number 2 &3 we were pretty spot on. 80% accuracy – we’ll take it…
Now on to 2021...
1. Larger attack surface - The pandemic definitely sped up the digital transformation – number of people utilizing cloud services and sharing data online increased astronomically. Coupling that with 2020’s 36 billion leaked user credentials it is inevitable.
Humans will still be the weakest link in cyber security in 2021… Invest in Information Security Awareness Training – contextualized security awareness training is key for your employees to relate to the problem – their situational awareness = improved data security…
Depending on your industry your ROI may be well worth the training price.
If you do not have the budget, some things to consider:
1. Start the New Year with a password refresh.
2. Use social media sparingly 🙂
3. Trust, but verify
4. Check multiple sources – before forwarding on content…
2. Surveillance and Privacy at constant odds – Covid-19 pandemic certainly is pushing the society in a more Orwellian direction… Although many states in the U.S. and countries instituted privacy and data residency regulations – thanks to mobile phones (the best surveillance devices ever invented) contact tracing conducted by private companies and countries takes privacy concerns to a new level…
Who you come close to, your whereabouts are all under a microscope… I can hear people saying I have nothing to hide and this is for the good of humanity… That may be true, but it is only a matter of time the pattern analysis obtained here will be used for governance.
In addition, given the number of breaches in 2020 it would not be farfetched to expect this information to leak at some point time.
3. Expect a Domestic Surveillance Program – If you followed SolarWinds attack (aka SolarBurst) at the end of the year you will remember that the attacks came within the U.S.; the intelligence community has already voiced concerns on not being able to conduct domestic surveillance… This a bit ironic, because with Edward Snowden’s revelations we all know there was already illegal domestic surveillance…
This year maybe the year to legitimize the domestic surveillance…
4. Information warfare continues to evolve – State sponsored information warfare will continue to evolve – main objective will still be industrial espionage with a side of regime change…
5. More attacks on infrastructure – We decided to keep this one from 2020… We predict that the space is the new battle ground, with the attack surface increasing in earth’s orbit; satellites will be a prime target for service disruption…
6. From globalism to nationalism – data is king, it is what drives the ML/AI movement. Countries are becoming more protective of their data; they are beginning to see how their citizen’s information can be used by foreign countries, sometimes in ways that can impact the societal fabric.
In addition, countries are more cognizant about global giants making money on their citizens and they are demanding their share more forcefully.
On the other hand businesses want to keep their operating costs down, and their data in a single location where they can easily analyze and monetize.
Expect these trends to continue in 2021. More compliance requirements mean entering foreign markets will be harder than ever for the small tech companies. This will cause a market shift for the smaller shops and alter the tech market.
7. Moving to the cloud will continue – as people are staying home longer entrepreneurs are seeing different opportunities for cloud services. This will attract more users to cloud services driving revenue for cloud infrastructure and SaaS providers; and more of consumer and enterprise data onto these cloud applications.
If you are a business entity make sure you have a decent data classification / labeling approach and that these applications do meet your company's data regulation requirements. If you are a consumer familiarize yourself with the security and privacy settings of these applications... Always remember "the cloud is somebody else's server" and the breaches that you read in the news are real...
8. Supply chain attacks will continue – industrial espionage is alive and well and will continue in 2021. A supplier is the best way of infiltrating multiple targets of interest in one blow; the SolarWinds incident was a great illustration of how effective it is; expect this to continue in 2021...
Analyze your supply chain and understand your risk – enforce cybersecurity standards through your contracts; request periodic reviews from your vendors.
9. Shift towards Zero-trust and Automation – Attacks in 2020 showed that static defense and implicit trust does not work. Expect a shift towards zero-trust systems and more so towards automation. Momentum is key in defense-in-depth (kinetic defense); without automation there is no momentum; breaches will continue, invest in automation… By invest I do not mean go buy a million dollar solution. That almost never solves the problem… Analyze your business operations and implement the right solution for the right problem… You might think we are a small company – how can we do this? It is not that hard:
a. Identify your operational areas that can be automated
b. Risk classify them
c. Pick the most impactful one
d. Score a quick win!
This is in essence a type of OODA Loop – if still do not know what to do seek help from a professional…
Consider designing for zero-trust in your new system/software designs…
10. Business and IT alignment will remain a work in progress (from 2018)
I think this will be valid for ages – at least until we reach a common process maturity and automation across all industries… Will just repeat the same prediction from 2018 word by word…
When business requirements clash with security mandates this can set the stage for conflict. Balance is required and risk elimination isn’t a practical option. The root cause is often a lack of understanding along the stakeholder chain – from CEO down to security analyst. This fundamental communication gap means that
- Establish a common language – demonstrate that the information security team understands the pain points of the business by connecting, correlating and communicating information security activities according to their business impact
- Leverage the language of money – partner with the business by showing the value created by information security investment in terms of mitigated business impact
- Focus on mutual priorities – leverage business impact and return on investment to agree on the most urgent activities for the information security team; this will allow the team to focus their scare resources on value-add activities
In closing – security is not for convenience, but automation can aid significantly in easing the discomfort… And before you implement a security solution always think of these 3 things:
1. What are you trying to protect?
2. For how long?
3. How much are you willing to spend?
And you will come to the right conclusion…. Stay safe!!!