Making cybersecurity predictions is fun, but not necessarily helpful to security professionals who must decide which threats they should be most prepared for. “You can't really make a good prediction about what the future's going to hold because it's always the stuff that comes out of left field that really becomes the problem,” says Chad Seaman, senior engineer on Akamai's security intelligence response team.
If your biggest threat for 2020 is something new and unpredictable, how can you best focus your efforts in the coming year? Start by looking at how this year’s biggest threats are likely to change in 2020 in terms of scale and tactics.
CSO has reviewed the leading research on the most common, significant threats of 2019 and asked those researchers for their advice on where those threats will trend and how organizations might adjust their defenses against them in 2020. Here’s what we learned.
Malware infections of devices
Protecting endpoints has continued to be a battle for organizations. About half of all organizations suffered a malware infection on company-owned devices in 2019, according to Kaspersky’s IT Security Economics in 2019 report. Half also saw malware infections on employee-owned devices.
For the enterprise, malware infections on company devices were the most expensive incident cited in the Kaspersky report, with an average cost per incident of $2.73 million. That number was significantly lower for SMBs at $117,000.
What to expect in 2020: Dmitry Galov, security researcher at Kaspersky, sees the risk from employee-owned devices increasing in 2020. He sees a greater willingness for companies to allow employees to use their own devices to cut costs, enable remote work, and increase employee satisfaction. As a result, attackers will target personal devices as a way to bypass corporate defenses. “By default, users’ personal devices tend to be less protected than corporate devices as the average users seldom apply additional measures to protect their phones and computers from potential threats,” he says. “As long as this trend continues, company and employee-owned device infections will arise. This vector of attack remains attractive because the attacker no longer needs to target corporate accounts (for instance, with phishing emails sent to corporate mail).”
Best advice for 2020: Companies must review and update their policies around personal devices, and then enforce those policies, Galov believes. “Strict company policies regarding security, correct rights management and provision of users with security solutions are on the list of must haves to protect the company and its data,” he says. “As well as managing technical issues, security awareness trainings are important because they can cultivate standards of cyber hygiene among employees.”
Phishing
Nearly a third of all breaches in the past year involved phishing, according to the 2019 Verizon Data Breach Investigations Report. For cyber-espionage attacks, that number jumps to 78%. The worst phishing news for 2019 is that its perpetrators are getting much, much better at it thanks to well-produced, off-the-shelf tools and templates.
Akamai’s SOTI Report: Baiting the Hook broke down the phishing-as-a-service offered by one phishing kit developer. This developer has a storefront and advertises on social media. Prices start at $99 and go up depending on the mailing services selected. All the kits come with security and evasion features. “The low prices and top-tier brand targets are attractive, creating a low bar for entry into the phishing market for criminals looking to set up shop,” said the report’s authors. Among those top-tier brands targeted are Target, Google, Microsoft, Apple, Lyft and Walmart.
What to expect in 2020: Phishing kit developers will offer more refined products, further lowering the skill required to launch a phishing campaign. According to the IDG Security Priorities Study, 44% of companies say that increasing security awareness and staff training is a top priority for 2020. Attackers will respond by improving the quality of their phishing campaigns, minimizing or hiding the common signs of a phish. Expect greater use of business email compromise (BEC), too, where an attacker sends legitimate-looking phishing attempts through fraudulent or compromised internal or third-party accounts.
Best advice for 2020: Keep your anti-phishing training up to date and make it ongoing. To combat BEC, have policies in place that require any employee receiving a request regarding money or payment instructions to confirm by phone.
Ransomware attacks
Ransomware attacks are not the most common cybersecurity incident, but they can be among the most costly. Roughly 40% of SMBs and enterprises experienced a ransomware incident in 2019, according to Kaspersky’s IT Security Economics in 2019 report. At the enterprise level, the average cost per incident was $1.46 million.
Endpoint protection tools are getting better at detecting ransomware, but that has made ransomware developers better students of the techniques those tools use, according to the Sophos Labs 2020 Threat Report. “It is a lot easier to change a malware’s appearance than to change its purpose or behavior, which is why modern ransomware relies on obfuscation to be successful,” says Mark Loman, director of engineering for next-generation tech at Sophos. “However, in 2020, ransomware will raise the stakes by changing or adding traits to confuse some anti-ransomware protection.”
Some of that obfuscation is intended to make the ransomware appear to come from a trusted source. The Sophos report cites several examples:
- Crafting a script listing targeted machines and incorporating them together with the PsExec utility from Microsoft Sysinternals, a privileged domain account, and the ransomware.
- Leveraging a logon/logoff script via a Windows Group Policy Object.
- Abusing the Windows Management Interface to mass distribute inside a network.
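Each of the three deployment methods listed above leaves a distinctive trace in Windows telemetry, which is what a defender would hunt for. The following is an added example, not code from the Sophos report or from CSO: it classifies a handful of constructed log records (modelled on Windows System log event 7045, "a service was installed", and Sysmon Event ID 1, process creation) against three indicators, then escalates any indicator that appears on several hosts within a short window, since mass deployment across a fleet is the point of all three techniques. The field names, the host names, the ten-minute window, the three-host threshold and the use of gpscript.exe as the parent of Group Policy scripts are assumptions for the example; PSEXESVC is the service name the Sysinternals PsExec tool installs, and WmiPrvSE.exe is the WMI provider host that runs remotely requested process creations.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), reduced to the fields the rules need.
SAMPLE_EVENTS = [
    # Three PsExec service installs within seconds of each other on three hosts
    {"ts": "2019-12-02T03:14:05", "host": "FS01", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2019-12-02T03:14:09", "host": "FS02", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2019-12-02T03:14:12", "host": "WS17", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # A shell spawned by the WMI provider host: remote process creation via WMI
    {"ts": "2019-12-02T03:15:40", "host": "WS22", "channel": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "command_line": "cmd.exe /c \\\\FS01\\share\\upd.exe"},
    # A process launched by the Group Policy script host (logon/logoff script)
    {"ts": "2019-12-02T08:00:01", "host": "WS05", "channel": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\gpscript.exe",
     "command_line": "powershell.exe -File \\\\DC01\\NETLOGON\\logon.ps1"},
    # A benign service install that must not match
    {"ts": "2019-12-02T09:30:00", "host": "WS05", "channel": "System", "event_id": 7045,
     "service_name": "Printer Extensions and Notifications",
     "image_path": "C:\\Windows\\System32\\svchost.exe"},
]


def classify(ev):
    """Return an indicator name for one event, or None if no rule matches."""
    if ev["channel"] == "System" and ev["event_id"] == 7045:
        blob = (ev.get("service_name", "") + " " + ev.get("image_path", "")).upper()
        return "psexec_service_install" if "PSEXESVC" in blob else None
    if ev["channel"] == "Sysmon" and ev["event_id"] == 1:
        parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
        if parent == "wmiprvse.exe":
            return "wmi_spawned_process"
        if parent == "gpscript.exe":  # assumed GPO script host (see lead-in)
            return "gpo_script_spawned_process"
    return None


def scan(events, window=timedelta(minutes=10), host_threshold=3):
    """Classify every event; then flag any indicator seen on at least
    `host_threshold` distinct hosts inside `window` as a possible mass deployment.
    Returns (hits, alerts): hits are (timestamp, host, indicator) tuples."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        tag = classify(ev)
        if tag:
            hits.append((datetime.fromisoformat(ev["ts"]), ev["host"], tag))

    by_tag = defaultdict(list)
    for ts, host, tag in hits:
        by_tag[tag].append((ts, host))

    alerts = []
    for tag, seq in by_tag.items():
        # Slide a window starting at each hit; one alert per indicator is enough.
        for ts, _ in seq:
            hosts = {h for t, h in seq if ts <= t < ts + window}
            if len(hosts) >= host_threshold:
                alerts.append({"indicator": tag, "first_seen": ts.isoformat(),
                               "hosts": sorted(hosts)})
                break
    return hits, alerts


if __name__ == "__main__":
    hits, alerts = scan(SAMPLE_EVENTS)
    for ts, host, tag in hits:
        print(f"{ts.isoformat()} {host:5} {tag}")
    for a in alerts:
        print("ALERT:", a)
```

The WMI and Group Policy rules will fire on legitimate management traffic (software deployment tools also spawn processes through WmiPrvSE.exe), so in production they need an allowlist of known child images or parent command lines; the PsExec service install is the higher-fidelity signal and is the one the multi-host escalation turns into an alert in the sample.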
What to expect in 2020: Loman sees ransomware attackers continuing to tweak their methods to give themselves an edge. “Among the most notable advancements is an increase in ransomware attackers raising the stakes with automated, active attacks that blend human ingenuity with automation tools to cause maximum impact,” he says. “Additionally, by encrypting only a relatively small part of each file or booting the operating system to a diagnostic mode where anti-ransomware protection is often unavailable, attackers will continue to evade most defenses.”
“Ransomware attacks have been loud this year and there is no reason for this type of threat to decline,” says Kaspersky’s Galov. “Ransomware increasingly targets infrastructure, organizations and even smart cities.”
Ransomware developers will make their code more evasive so that they can establish a foothold in a system, encrypt more data without being noticed, and possibly scale operations to other networks. “This year we saw the appearance of attacks even on Network Attached Storage (NAS), which is largely considered secure and safe from such threats,” says Galov.
Best advice for 2020: As always, the best defense against ransomware is to have current, tested backups of all critical data. Keep those backups isolated from your network so they, too, aren’t encrypted by the ransomware. Employee training is critical, too. “In order to protect themselves from ransomware, organizations need to implement strict security policies and introduce cybersecurity trainings to the employees,” says Galov. “Additional protective measures, such as securing access to data, ensuring its backups are stored securely and implementing application whitelisting techniques on servers, are required.”
“It is vital to have robust security controls, monitoring and response in place covering all endpoints, networks and systems, and to install software updates whenever they are issued,” says Loman.
Third-party supplier risk
Both enterprises and SMBs saw incidents involving third-party suppliers (both services and products) at a similar rate, 43% and 38%, respectively, according to Kaspersky’s IT Security Economics in 2019 report. Most organizations (94%) grant third-party access to their network, according to a survey by One Identity, and 72% grant privileged access. Yet only 22% felt confident those third parties weren’t accessing unauthorized information, while 18% reported a breach due to third-party access.
The Kaspersky study shows that both SMBs and enterprises are forcing third-party suppliers to sign security policy agreements—75% of SMBs and 79% of enterprises use them. That’s making a big difference when it comes to getting compensation from third parties when they are responsible for a breach. Of enterprises with a policy in place, 71% reported they received compensation, while only 22% of companies without a policy received compensation.
What to expect in 2020: Businesses will become more digitally connected with their suppliers and partners. That raises risk as well as awareness of that risk. Unfortunately, attackers are becoming more sophisticated.
“Recently, we've observed some new groups such as BARIUM or APT41 engage in sophisticated supply chain attacks against software and hardware manufacturers in order to penetrate secure infrastructures around the world,” says Galov. “These include two sophisticated supply chain attacks uncovered in 2017 and 2019: the CCleaner attack and ShadowPad, and other attacks against gaming companies. Dealing with a compromise from one of these threat actors is a complex process, as they usually leave backdoors allowing them to return later and cause even more havoc.”
Best advice for 2020: Know who has access to your networks and ensure they have only the privileges they need. Have policies in place for communicating and enforcing rules for third-party access. Make sure you have a security policy in place for all your third-party suppliers that spells out responsibilities, security expectations, and what happens when an incident occurs.
“The best organizations can do to protect themselves from such attacks is to make sure that not only they, but also their partners, follow high cybersecurity standards,” says Galov. “If third-party suppliers get any kind of access to internal infrastructure or data, cybersecurity policies should be established before the integration process.”
DDoS attacks
Forty-two percent of enterprises and 38% of SMBs experienced a distributed denial of service (DDoS) attack in 2019, according to Kaspersky’s IT Security Economics in 2019 report. That’s on par with ransomware incidents, which get much more media attention. From a financial perspective, DDoS attacks cost SMBs an average of $138,000.
Attackers continue to innovate to improve the effectiveness of their DDoS attacks. In September, for example, Akamai reported a new DDoS vector: Web Services Dynamic Discovery (WSD), a multicast discovery protocol to locate services on a local network. Using WSD, attackers can locate and compromise misconfigured, internet-connected devices at scale to amplify the scope of their DDoS attacks.
What to expect in 2020: Kaspersky’s Galov sees DDoS attacks staying “quite prominent” in 2020 thanks to the rise of 5G and the growing number of IoT devices. “The conventional boundaries of critical infrastructure such as water supply, energy grid, military facilities and financial institutions will expand much further to other unprecedented areas in a 5G-connected world,” he says. “All these will require new standards of safety, and the increased speed of connection will pose new challenges in stopping DDoS attacks from happening.”
Best advice for 2020: Do everyone a favor and check your internet-connected devices for misconfigurations and unpatched vulnerabilities. “It's security hygiene, basic security hygiene,” says Akamai’s Seaman.
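A WSD reflector is a device that answers discovery probes arriving from the internet on UDP port 3702 with responses far larger than the probe, so the "basic security hygiene" check above can be done from your own network's flow records without touching the devices. The following is an added example, not code from Akamai or CSO: given NetFlow-style records and the address ranges you own, it reports every device that has sent UDP traffic from port 3702 to an external peer, the bytes it sent, the bytes of the inbound probes that triggered it, and the resulting amplification ratio. The flow records and the 192.0.2.0/24 prefix are constructed for the example, and the amplification figure they produce is an artefact of those numbers, not a measurement.

```python
import ipaddress
from collections import defaultdict

WSD_PORT = 3702  # WS-Discovery (WSD) listens on UDP 3702

# RFC 1918 space; anything outside it and outside our own prefixes counts as the internet.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NetFlow-style records (5-tuple plus byte count), not captured data.
SAMPLE_FLOWS = [
    # An external host sends a small probe to a camera's WSD port...
    {"src": "203.0.113.9", "sport": 443, "dst": "192.0.2.45", "dport": 3702, "proto": "udp", "bytes": 18},
    # ...and the camera answers the internet with a much larger response.
    {"src": "192.0.2.45", "sport": 3702, "dst": "203.0.113.9", "dport": 443, "proto": "udp", "bytes": 2900},
    # A second device answering a peer whose probe the collector never saw.
    {"src": "192.0.2.77", "sport": 3702, "dst": "198.51.100.3", "dport": 80, "proto": "udp", "bytes": 2400},
    # A device that is probed but stays silent: correctly filtered at the edge.
    {"src": "203.0.113.9", "sport": 443, "dst": "192.0.2.90", "dport": 3702, "proto": "udp", "bytes": 18},
    # Normal LAN-internal discovery (multicast), not a reflector.
    {"src": "10.0.0.7", "sport": 3702, "dst": "239.255.255.250", "dport": 3702, "proto": "udp", "bytes": 600},
    # Unrelated web traffic.
    {"src": "192.0.2.45", "sport": 51234, "dst": "198.51.100.3", "dport": 443, "proto": "tcp", "bytes": 1500},
]


def _in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def find_wsd_reflectors(flows, our_prefixes):
    """For each device inside `our_prefixes`, gather evidence that it answers
    WS-Discovery probes from the internet: bytes sent from UDP/3702 to external
    peers, bytes of inbound probes to UDP/3702, and the amplification ratio when
    both directions were observed. Devices that never respond are omitted."""
    ours = [ipaddress.ip_network(p) for p in our_prefixes]

    def is_ours(ip):
        return _in(ip, ours)

    def is_external(ip):
        addr = ipaddress.ip_address(ip)
        return (not is_ours(ip) and not _in(ip, _RFC1918)
                and not addr.is_multicast and not addr.is_loopback)

    evidence = defaultdict(lambda: {"peers": set(), "resp_bytes": 0, "probe_bytes": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if is_ours(f["src"]) and f["sport"] == WSD_PORT and is_external(f["dst"]):
            e = evidence[f["src"]]          # outbound WSD response to the internet
            e["peers"].add(f["dst"])
            e["resp_bytes"] += f["bytes"]
        elif is_ours(f["dst"]) and f["dport"] == WSD_PORT and is_external(f["src"]):
            evidence[f["dst"]]["probe_bytes"] += f["bytes"]  # inbound probe

    findings = {}
    for device, e in evidence.items():
        if e["resp_bytes"] == 0:
            continue  # probed but silent
        amp = e["resp_bytes"] / e["probe_bytes"] if e["probe_bytes"] else None
        findings[device] = {"peers": sorted(e["peers"]), "resp_bytes": e["resp_bytes"],
                            "probe_bytes": e["probe_bytes"], "amplification": amp}
    return findings


if __name__ == "__main__":
    for device, info in find_wsd_reflectors(SAMPLE_FLOWS, ["192.0.2.0/24"]).items():
        print(device, info)
```

Any device that shows up here is answering WSD on its public interface; the fix is to block inbound UDP/3702 at the edge (and disable WS-Discovery on the device itself where the vendor allows it), after which the device should disappear from the next run. Pairing inbound probe bytes with outbound response bytes is what turns "this port is open" into the amplification ratio that makes the device attractive to a DDoS operator.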
Unfortunately, that won’t reduce the risk of DDoS attacks aided by connected consumer devices. “Grandma going to Best Buy to pick up a new webcam to put on the driveway so she can see who pulls in isn't going to know about the hygiene of this device,” says Seaman. “That's where we continue to see the bigger problems, and it's not grandma. It's really some guy in Vietnam who has a VDR security system for his small shop. The last of his concerns is whether his webcam is being used to DDoS a bank.”
Application vulnerabilities
According to Veracode’s State of Software Security Vol. 10 report, 83% of the 85,000 applications it tested had at least one security flaw. Many had many more: the research found a total of 10 million flaws, and 20% of all apps had at least one high-severity flaw. That leaves attackers a lot of opportunity in terms of potential zero-day vulnerabilities and exploitable bugs.
The report authors see cause for optimism in some of the data. Fix rates, especially for high-severity flaws, are improving. The overall fix rate is 56%, up from 52% in 2018, and the highest-severity flaws are fixed at a rate of 75.7%. The biggest positive, however, is that a DevSecOps approach with frequent scanning and testing of software drives down the time to fix flaws. Median time to repair for applications scanned 12 times or fewer per year was 68 days, while an average scan rate of daily or more lowered that to 19 days.