What to expect in 2020: Despite the best efforts of security and development teams, vulnerabilities will continue to creep into software. “Most software today is very insecure. That will continue in 2020, especially with 90% of applications using code from open-source libraries,” says Chris Wysopal, co-founder and CTO at Veracode. “We’ve seen some positive AppSec signs in 2019. Organizations are increasingly focused on not just finding security vulnerabilities, but fixing them, and prioritizing the flaws that put them most at risk…. Our data suggests that finding and fixing vulnerabilities is becoming just as much a part of the process as improving functionality.”
Best advice for 2020: As the Veracode research shows, scanning and testing your apps for vulnerabilities more frequently while prioritizing the most severe flaws to be fixed is an effective defense. Wysopal also urges companies to keep an eye on security debt. “One of the growing threats within application security is the notion of security debt – whether applications are accruing or eliminating flaws over time,” he says. A growing security debt leaves organizations exposed to attacks.
“Just as with credit card debt, if you start out with a big balance and only pay for each month’s new spending, you’ll never eliminate the balance,” Wysopal says. “In AppSec, you have to address the new security findings while chipping away at the old.”
Cloud services/hosted infrastructure incidents
Forty-three percent of enterprise businesses had security incidents that affected third-party cloud services in 2019, according to Kaspersky’s IT Security Economics in 2019 report. Although cloud-related incidents didn’t make the SMB most-frequent list, they were expensive for smaller companies, which often are more dependent on hosted services: the average incident affecting hosted infrastructure cost an SMB $162,000.
One area that saw an uptick in activity in 2019 was online payment fraud. The Magecart criminal groups (an umbrella name for several card-skimming crews) were particularly busy this past year. They take advantage of cloud misconfigurations (a storage bucket that anyone can write to, for example) to modify the JavaScript that runs on a checkout page, inserting a skimmer that copies payment card details as customers type them. The businesses using the online ecommerce services are unaware of the change until customers complain of fraudulent charges.
Organizations still need to worry about misconfiguring cloud services in a way that leaves data exposed on the internet. Attackers regularly scan the internet to grab this exposed data. Fortunately, cloud platform vendors such as Amazon and Google have rolled out new tools and services in 2019 to help organizations properly configure their cloud systems and find errors that leave data unprotected.
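The configuration error most often behind exposed data is a storage bucket policy that grants anonymous access. The check below is an added example, not code from the article or from any cloud vendor's tooling: it parses policy documents in the AWS IAM format and reports Allow statements that give an anonymous principal (`"*"` or `{"AWS": "*"}`) the requested action. The three policies are constructed samples, and the exposure rule (anonymous plus matching action plus no Condition equals public) is an assumption made for illustration.

```python
"""Static check for bucket policies that expose objects to the internet.

Added example, not code from the article or any cloud vendor's tooling.
Policies are constructed samples in the AWS IAM policy-document format; the
exposure rule is an assumption for illustration: an Allow statement whose
Principal is anonymous ("*" or {"AWS": "*"}) and whose Action covers the
target action exposes the bucket unless a Condition narrows it.
"""
import fnmatch
import json

# Constructed sample policies (not taken from any real account).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:Get*"],            # wildcard covers s3:GetObject
        "Resource": "arn:aws:s3:::example-orders/*",
    }],
})

SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/checkout-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-orders/*",
    }],
})

VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-orders/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for both spellings of 'anyone on the internet'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants(actions, target):
    """Action names are case-insensitive and may use wildcards (s3:Get*, s3:*, *)."""
    target = target.lower()
    return any(fnmatch.fnmatchcase(target, a.lower()) for a in _as_list(actions))


def scan_policy(policy_json, action="s3:GetObject"):
    """Return (public, review): Sids of unconditional anonymous grants of `action`,
    and Sids of anonymous grants narrowed by a Condition that need a human look.
    NotPrincipal / NotAction statements are not modelled here."""
    policy = json.loads(policy_json)
    public, review = [], []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants(stmt.get("Action"), action):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        (review if stmt.get("Condition") else public).append(sid)
    return public, review


if __name__ == "__main__":
    for name, doc in [("PUBLIC_POLICY", PUBLIC_POLICY),
                      ("SAFE_POLICY", SAFE_POLICY),
                      ("VPC_ONLY_POLICY", VPC_ONLY_POLICY)]:
        print(name, "read:", scan_policy(doc), "write:", scan_policy(doc, "s3:PutObject"))
```

Run the same scan with `action="s3:PutObject"` to catch the world-writable bucket, which is the variant that lets an attacker replace a hosted script rather than merely read data. The policy document is only one of the controls that decide exposure: bucket ACLs and the account-level public-access block settings also matter, so a clean policy is necessary but not sufficient.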
What to expect in 2020: The persistence of skimmer code (it hides inside otherwise legitimate scripts and can run unnoticed for months) and the financial reward (Magecart’s haul alone is estimated in the millions of dollars) mean online payment fraud will increase in 2020. Magecart’s success is bound to inspire imitators. Organizations will counter this and other cloud threats by spending more on cloud security. According to the IDG Security Priorities Study, only 27% of organizations have cloud data protection technology in production, but 49% are researching or piloting it.
Best advice for 2020: Review the source of your ecommerce scripts, and implement subresource integrity (SRI) on the script tags that load them, so that a browser refuses to run a script whose contents no longer match the hash you published. Make sure your cloud providers assess their own code to prevent fraud. Scan regularly for configuration errors that expose your data on the internet.
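What SRI buys you against a Magecart-style modification, as an added example that is not code from the article: the integrity token is a base64-encoded sha256/sha384/sha512 digest of the script's exact bytes, so any change to those bytes breaks the check. The script bodies below are constructed samples standing in for a checkout script before and after tampering; `sri_matches` mirrors the browser's rule that only tokens using the strongest listed algorithm count.

```python
"""Generate and check Subresource Integrity (SRI) values for checkout scripts.

Added example, not code from the article. The integrity format (the exact
script bytes hashed with sha256/sha384/sha512, base64-encoded, prefixed with
the algorithm name) follows the W3C SRI specification; the two script bodies
are constructed samples.
"""
import base64
import hashlib

# Algorithms the SRI spec recognises, weakest to strongest.
ALGORITHMS = ["sha256", "sha384", "sha512"]

# Constructed sample: the script you reviewed and shipped ...
GOOD_SCRIPT = (
    b"window.checkout = {\n"
    b"  submit: function (form) {\n"
    b"    return fetch('/api/pay', {method: 'POST', body: new FormData(form)});\n"
    b"  }\n"
    b"};\n"
)
# ... and the same file after an attacker has appended to it.
TAMPERED_SCRIPT = GOOD_SCRIPT + b"/* skimmer code appended here */\n"


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token for exactly these bytes, e.g. 'sha384-...'."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Emit the <script> tag for the page; crossorigin is needed for cross-origin sources."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def sri_matches(content: bytes, integrity: str) -> bool:
    """Mirror the browser's decision: keep the tokens it understands, restrict
    to the strongest algorithm among them, accept if any of those matches."""
    parsed = []
    for token in integrity.split():
        alg, sep, value = token.partition("-")
        if sep and alg in ALGORITHMS:
            parsed.append((alg, value.split("?", 1)[0]))  # drop any "?option" suffix
    if not parsed:
        return True  # no usable token: the browser applies no integrity check at all
    strongest = max(parsed, key=lambda p: ALGORITHMS.index(p[0]))[0]
    expected = sri_hash(content, strongest)
    return any(f"{alg}-{value}" == expected for alg, value in parsed if alg == strongest)


if __name__ == "__main__":
    print(script_tag("/static/checkout.js", GOOD_SCRIPT))
    print("unmodified script loads:", sri_matches(GOOD_SCRIPT, sri_hash(GOOD_SCRIPT)))
    print("tampered script loads:  ", sri_matches(TAMPERED_SCRIPT, sri_hash(GOOD_SCRIPT)))
```

Two caveats a practitioner should keep in mind: the attribute must be regenerated every time the script legitimately changes, or your own release will be refused just like the attacker's edit; and SRI protects only scripts loaded through a tag that carries the attribute, so inline scripts and any tag you forgot to annotate remain unprotected.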
IoT vulnerabilities
The internet of things (IoT) and the data it generates was the second most impactful trend on security practitioners in 2019, according to the Security Industry Association (SIA) 2019 Security Megatrends report. The growth of IoT is nothing short of manic and difficult to predict. Research firm Statista estimates there will be between 6.6 billion and 30 billion internet-connected devices in 2020, a range too large to be helpful.
The threat IoT poses has been front of mind in 2019 for most organizations. The Marsh Microsoft 2019 Global Risk Perception Survey found that 66% of respondents saw IoT as a cyber risk; 23% rated that risk “extremely high.” “These IoT devices are soft targets for adversaries because they are often unpatched and misconfigured, and they're ‘unmanaged’ because they don't support endpoint security agents,” says Phil Neray, vice president of industrial cybersecurity at CyberX. “As a result, they can easily be compromised by adversaries to gain a foothold in corporate networks, conduct destructive ransomware attacks, steal sensitive intellectual property, and siphon computing resources for DDoS campaigns and cryptojacking.”
CyberX’s 2020 Global IoT/ICS Risk Report breaks down the most common security gaps found in IoT devices over the past 12 months and shows significant improvement in a few areas. The share of surveyed sites with remotely accessible devices dropped 30 percentage points, to 54%, and the share with devices directly connected to the internet fell from 40% to 27%.
On the downside, outdated operating systems were found at 71% of sites versus 53% the previous year, and 66% of sites were not receiving automatic antivirus updates, up from 43% the previous year.
What to expect in 2020: Neray sees the risk from exposed IoT devices increasing in 2020 as the number of connected devices increases and “the motivation and sophistication of nation-state adversaries and cybercriminals increases.” Industrial environments such as energy utilities, manufacturing, chemicals, pharmaceuticals and oil and gas will especially be at risk, he says. “These compromises can lead to even more serious consequences including costly plant downtime, threats to human safety and environmental incidents.”
Neray identifies building management systems (BMS) as a prime target for attackers. “They're typically deployed by facilities management teams with minimal expertise in security, often unknowingly exposed to the internet, and typically not monitored by corporate security operations centers (SOCs).”
Best advice for 2020: Neray advises companies to follow a multi-layered defense-in-depth strategy incorporating:
- Stronger network segmentation
- Restricted remote access to industrial control networks by third-party contractors, with strong access controls such as 2FA and a password vault
- Agentless network security monitoring to rapidly detect and mitigate IoT attacks before adversaries can blow up or shut down their facilities
Ultimately, the best defense depends more on organizational than on technical measures. “In the TRITON attack on the safety systems of a petrochemical facility in Saudi Arabia, for example, one of the key deficiencies was that no one considered themselves ultimately responsible for the security of the industrial control network,” says Neray. “As a result, there were serious lapses in security monitoring and no one checked that the firewalls in the DMZ had been properly configured by the outsourced firms that installed them. Our advice for CISOs is to step up to the plate and take ownership of IoT and OT security and treat IoT and OT security in a holistic manner alongside IT security, integrated into your SOC workflows and security stack.”
Cryptojacking
Let’s end this list with some good news: Cryptomining attacks are expected to decline in 2020. Although cryptomining attacks did not make the most-frequent list for either enterprises or SMBs on Kaspersky’s IT Security Economics in 2019 report, they proved costly for enterprises in 2019. The average financial impact for them was $1.62 million.
What to expect for 2020: Cryptomining incidents rise or fall with cryptocurrency values, but the ease with which attackers can execute a cryptojacking scheme means this threat will persist through 2020. “Mining has been steadily declining throughout 2019 and we do not see any reason for this tendency to change,” says Galov. “Cryptomining has become less profitable, not without the influence of cryptocurrencies that have taken the fight against this threat.”
Best advice for 2020: Use a security solution that detects cryptomining threats, and keep an eye out for spikes in cryptocurrency values, which encourage more cryptojacking attacks.
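One concrete signal such a solution looks for, shown here as an added example rather than code from the article or any vendor's product: miners talk to their pools over the Stratum protocol, so JSON-RPC method names like `mining.subscribe` in outbound payloads, the XMRig-style `login` request, and `stratum+tcp://` pool URLs on command lines all betray a miner. The event records are constructed samples in an assumed, simplified telemetry format.

```python
"""Flag cryptomining indicators in outbound traffic and process telemetry.

Added example, not code from the article or any vendor's product. It looks for
the Stratum mining protocol that miners use to talk to pools: known JSON-RPC
method names in outbound payloads, XMRig-style "login" requests, and pool
URLs on process command lines. EVENTS is constructed telemetry in an assumed
format: 'net' carries the first bytes of an outbound TCP payload, 'proc' a
process start with its command line.
"""
import json
import re

STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty"}
STRATUM_URL = re.compile(r"stratum\+(tcp|ssl|tls)://", re.IGNORECASE)

EVENTS = [
    {"type": "net", "host": "web-03", "dst": "203.0.113.10:3333",
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}'},
    {"type": "net", "host": "build-07", "dst": "198.51.100.7:443",
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":'
                '{"login":"4xExampleWallet","pass":"x","agent":"XMRig/6.12.1"}}'},
    {"type": "net", "host": "api-01", "dst": "10.0.5.20:8080",
     "payload": '{"id":7,"method":"getOrder","params":{"orderId":5531}}'},
    {"type": "net", "host": "api-01", "dst": "10.0.5.21:80",
     "payload": "GET /health HTTP/1.1"},
    {"type": "proc", "host": "db-02",
     "cmdline": "/tmp/.x/kworkerds -o stratum+tcp://pool.example.net:3333 "
                "-u 4xExampleWallet -p x --donate-level=0"},
    {"type": "proc", "host": "api-01", "cmdline": "python3 /srv/app/app.py"},
]


def stratum_reason(payload):
    """Return why a payload looks like Stratum, or None for anything else."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in STRATUM_METHODS:
        return f"stratum method {method}"
    params = msg.get("params")
    # Monero-style pools (XMRig and friends) log in with wallet, password and agent.
    if (method == "login" and isinstance(params, dict)
            and all(k in params for k in ("login", "pass", "agent"))):
        return f"stratum login from agent {params['agent']}"
    return None


def find_miner_indicators(events):
    """Return sorted (host, reason) pairs for events carrying a mining indicator."""
    hits = []
    for ev in events:
        if ev["type"] == "net":
            reason = stratum_reason(ev["payload"])
            if reason:
                hits.append((ev["host"], f"{reason} to {ev['dst']}"))
        elif ev["type"] == "proc":
            m = STRATUM_URL.search(ev["cmdline"])
            if m:
                hits.append((ev["host"], f"process with pool URL {m.group(0)}"))
    return sorted(hits)


if __name__ == "__main__":
    for host, reason in find_miner_indicators(EVENTS):
        print(f"{host}: {reason}")
```

Payload inspection only works where the miner's traffic is in the clear; a pool reached over TLS on port 443 (as `build-07` above would be in practice) is invisible to it, which is why the process-command-line check and pool-domain lookups in DNS logs are kept alongside it.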