2018 predictions

Rik Ferguson, Trend Micro: executives should prioritise vulnerability management.

Tod Beardsley, Rapid7: cyber criminals will continue to spend their efforts on much softer targets.

More integrated collaboration is required

The likes of NSC and GCHQ are being effective in their limited remits and are busy disrupting many adversary groups. But they need to move faster and cannot be limited to cybercrime. There must also be a focus on state-sponsored hacktivism and other sophisticated attacks, and levels of awareness and associated education should be increased concurrently.

TOD BEARDSLEY, RESEARCH DIRECTOR, RAPID7: In an online world dominated by FAMGA (Facebook, Amazon, Microsoft, Google and Apple), I expect to see very few actively exploited vulnerabilities in newly created and distributed software from these mature technology vendors. The hegemony of these companies will ensure a highly secure operating environment within each of their areas of dominance. Occasional issues will surface, of course, but, on the whole, the computing environment for the average person will have a marked lack of 'classic' software vulnerabilities.

However, this lack of 'new' bugs will not put cyber criminals out of business. They will continue to spend their efforts on much softer targets. These would include older software stacks that rarely see regular software updates - multifunction printers, home and enterprise switches and routers, and Internet of Things devices that ship old and unpatchable software. I also expect to see continued sophistication on the part of attackers in their ability to trick, scam and phish credentials out of users, where either no bugs, or old bugs, are required for successful exploitation.

ANDY HARRIS, CHIEF TECHNOLOGY OFFICER, OSIRIUM: There were some near misses, in terms of cloud side data breaches in 2017. Given the speed of the development of clouds, we predict a major cloud side breach in 2018.
By this, we mean a breach that happened within cloud security at the virtual machine hypervisor level, rather than the level of the operating systems and containers that the customer organisation provisioned. With almost certainty, this breach will have a pivotal insider element. The net result will be that cloud employees will be subject to greater screening and better salaries. It's pretty obvious who will pay, but the greater question is when; our guess is that investment-driven land rush will prevail and cloud prices will remain low until 2019.

As always, data security will revolve around the people that have access to privileged accounts. The Privileged Access Management (PAM) market will continue to grow, but in different areas; more insourcing and more dedicated and outsourced security operation centres. The cloud market will wake to the need for PAM and outsourcers in chains of outsourcing will be reviewing their contracts, in terms of security.

In our part of the market, tasks will grow yet again. Privileged Robotic Tasks already form a large part of security and network operations for larger customers and we predict we will see a roll down effect to the mid-market, where those with security responsibilities will want to reduce the number of people that can use unfettered privileged accounts.

CHARL VAN DER WALT, CHIEF SECURITY STRATEGY OFFICER, SECUREDATA: The 2007 financial crisis brought to light just how interconnected today's economy really is. All areas of business were affected, with exposure to debt being shared. The cybersecurity industry is no different. Security 'debt' is a liability or obligation to pay or render something.

14 computing security March/April 2018 @CSMagAndAwards

Technical Debt is already a well understood concept in software development - the cost of additional rework caused by choosing an easy solution now, instead of using a better approach that would take longer or cost more. This translates well into security; not as the potential downside resulting from a decision to compromise, but as the direct, concrete, real-time and quantifiable cost of a trade-off between the best possible approach to securing something and the more attractive, practical, convenient or affordable approach.

Security debt can be compared to monetary debt. If debt is not repaid, it can accumulate 'interest' and grows over time until it is repaid. It sits on a business' balance sheet in big red letters for all the world to see, speaking to the very heart of the business - its value. If a business has more liabilities in the form of security and other debt than it has assets, then you're bankrupt and eventually you must fail.

In 2018, we may see the damaging effects of Security Debt that has been stacking up in the form of legacy code, third party libraries and dependencies, and even architectures used by companies. This has been building up for the past 30 years and may be catastrophic, if the right set of circumstances come to pass. Companies have been living on borrowed security for too long and 2018 may be the year when those debts get collected.

RIK FERGUSON, VP OF SECURITY RESEARCH, TREND MICRO: We at Trend Micro are constantly scouting out future threats that will have the greatest impact for businesses and we predict which vulnerabilities will make the biggest waves in the coming year. Many devastating cyberattacks in 2017 leveraged known vulnerabilities that could have been prevented, had they been patched beforehand. This trend will continue next year, as corporate attack surfaces expand and expose more security holes.
While this remains a challenge for enterprises, executives should prioritise vulnerability management as they make 2018 cybersecurity plans, particularly in the looming shadow of GDPR implementation.

Ransomware will continue to be a mainstay, due to its proven success. There will be an increase in targeted ransomware attacks, in which the criminals go after a single organisation to disrupt operations and force a larger ransom payout. Business Email Compromise (BEC) attacks will also continue to gain popularity with attackers, as the return on investment for successful attacks is quite high.

PAUL MCEVATT, SENIOR CYBER THREAT INTELLIGENCE MANAGER, FUJITSU UK & IRELAND; BRYAN CAMPBELL, SENIOR SECURITY RESEARCHER, FUJITSU UK & IRELAND: Cyber Threat Intelligence (CTI) can be defined in many different ways and it can simply be a threat feed. In the coming year, it will be important to use threat intelligence to provide an early warning system to customers and context to threats. In short, by doing the hard work, so customers don't have to be dependent on the service and level of access, suppliers can actually block threats before they have a chance to do any damage.

That threat intelligence, in most cases, is simply providing guidance on 'protecting' using basic defences such as patch management. It's challenging in any corporate environment expressing the severity of a vulnerability not only as a technical risk, but also a financial, human and business risk. In a perfect world we would patch all the things, but reality dictates an alternative practical world. More often than not, patching a financial system for a critical vulnerability in Java the day before end of the financial year will not whet many appetites through fear of breaking the system, despite successful pre-production patching. Combining vulnerability management with threat intelligence is a great use case for protecting corporate environments.
Customers are right to be worried about the next strain of global cyber-security incidents, but with last year's Petya and WannaCry outbreaks, the malware used an SMB vulnerability for propagation known months earlier that simply needed patching. For example, here at Fujitsu, we actually provided a threat advisory on that patch to CTI customers three months before Petya spread. What's more, we also provided our CTI customers with a threat advisory of the Apache Struts vulnerability Equifax was exploited with several months earlier. We also observed exploits in the wild for this attack, so there was clearly a high impact.

The line between cyber security and politics is distorted with continued reports of election tampering or breaches of government agencies and departments. Investigations surrounding the US Election will rumble on into 2018 with core concerns around the manipulation of security controls and 'sleight of hand'. There were reports of similar inferred disruptive activity during the 2017 French election. In recent years, senior members of political parties around the world became all too familiar with concepts such as 'Phishing' and 'Incident Response'. In the case of the Democratic National Committee (DNC), the infamous compromise, which CrowdStrike traced back to Russia, the monthly cost of the incident response to remove the attackers from the DNC network was reportedly $50k a month.