The beginning of the end for the password, more regulation and more IoT risks -- cybersecurity predictions for 2019
When we looked at security predictions at this time last year some experts were predicting that we'd see attacks on cryptocurrencies and that we'd continue to see a rise in the scale and profile of attacks.
They've been proved right on both counts over the course of 2018, so what is next year going to have in store? We've canvassed the views of a number of industry figures to find out what they see as the key security issues for 2019.
The end of the password
The end of the password as a prime security measure is something people have talked about for a long time. But are we now reaching a tipping point? After a number of high-profile breaches, people are finally going to be fed up, thinks Adam Kujawa of Malwarebytes Labs: "I'm really hoping that we’ll start to see a bigger adoption by large organizations of multi-factor authentication, to make it so that whatever information is stolen it won’t really matter as it will be impossible to log in. Will we see the end of passwords in 2019? No. It's going to take years to roll out across the board, but I am excited to see what companies start doing to address the problem."
The fact that relying on passwords alone is inadvisable is echoed by Jarrod Overson, director of engineering at Shape Security, "Breach disclosures due to credential stuffing attacks have seen a sharp ramp up in 2018 with Macy's, Uber, Dunkin Donuts and HSBC all falling victim. I imagine this is going to be a trend that continues to increase in 2019 because of regulatory requirements, heightened sensitivity, and increasing attacker sophistication."
Irina Shamkova, SVP of product management at Intermedia, expects biometric security to gain in importance, "With more and more personal and business information being stored in the cloud, internet speeds increasing and the ease of access to information always improving, devices are becoming of secondary importance. In the coming years, expect to see employees have the ability to sign onto any computer or communications device with a retinal or other biometrics scan to easily access their virtual desktop, load any tools (including collaboration tools), and quickly pull all of their documents. The device will simply be a window to access information, not its home."
But biometrics may not be infallible. Forcepoint's global CTO, Nico Fischbach, believes that, "Hackers will steal the public's faces in 2019 [because] facial recognition has serious vulnerabilities."
2018 saw the introduction of GDPR in Europe and the trend towards more regulation is expected to continue. "The enforcement ramifications as a result of General Data Protection Regulation (GDPR) compliance are yet to be seen," says Rod Oancea, director, governance and compliance services at InterVision. "Many businesses are still attempting to cope with how to meet the regulation’s extensive reach and requirements. Expect some fairly large penalties and fines in 2019 to show up in national and international news headlines from GDPR; and while US regulation around privacy has lagged behind historically, high-profile incidents and the resulting public interest have brought the stigma of data breaches to the (very costly) forefront. In turn, anticipate increased focus on what could have been done to prevent breaches, scrutiny on the effectiveness of data protection and security, and a higher bar for compliance with an ever-evolving number of requirements. As the outright and pervasive costs of non-compliance and breaches continue to grow, many organizations will need to invest in their security and data privacy practices, especially proactively in solution design."
But the push to privacy and data protection may come at a price for innovation, according to Chris Byers, CEO of Formstack, "Countries that continue to push data protection and privacy will lag behind countries with less structure and requirement. As countries continue to press forward with making privacy a high value they may not realize that they are giving up ground in innovation. Innovation thrives in countries that support it through legislation and laws that support a free economy with low barriers to entry. The deeper the investment in privacy and protection, the less we will see innovation thrive."
The rise in numbers of IoT devices presents risk too. Raj Samani, chief scientist and fellow at McAfee says, "When you bring connected devices into the home, you need to make sure you enjoy using it in a safe and risk-free way. While these threats can seem scary, people can do a number of things to easily protect their smartphones, and therefore their smart homes, from malware. There's mobile security that warns you about risky apps before you download or use them and it often comes down to simple things such as being savvy with your passwords. If you have the right security in place, there’s no reason to be scared of smartphones or smart homes."
"Hackers are exploiting the woefully inadequate security on smart home devices to build powerful botnets, capable of delivering devastating DDoS attacks. Again, this is something we’re only likely to see more of. As use of the Internet continues to balloon at an exponential rate, we will see both the number of attacks and the fallout caused by them grow in severity," says Sean McGrath, privacy expert and cybersecurity advocate at BestVPN.com.
Panda Labs echoes this view in its annual report, "In 2019 we are likely to see an increase in attacks not just on routers, but on IoT devices in general. There are two main reasons for this: on the one hand, these devices’ default security leaves much to be desired, with default passwords or simply no passwords at all. On the other hand, these devices are more difficult to update, and many users don’t even know how to do so."
The Wi-Fi that connects these devices is expected to come under threat too. "While WPA3 has undergone significant improvements over WPA2, it still does not provide protection from threat categories that operate primarily at Layer 2 and include: rogue APs, rogue clients, evil twin APs, neighbour APs, ad-hoc networks and misconfigured APs," says Corey Nachreiner, CTO at WatchGuard Technologies. "We think it is highly likely that we’ll see at least one of these threat categories used to compromise a WPA3 network and our money is on the Evil Twin AP."
ESET's Senior Security Researcher Stephen Cobb says, "I predict that criminals will continue to expand their abuse of remote access functionality, often via Remote Desktop Protocol (RDP). When RDP is poorly installed on systems that can be reached directly via the internet it can be attacked to gain unauthorized access. At that point, criminals can employ native operating system tools to stealthily abuse these compromised machines -- a technique known as 'living off the land' -- for a variety of malicious purposes, based on their configuration and connectivity."
Addressing the skills shortage
Jason Haddix, VP of researcher growth at Bugcrowd, sees crowdsourcing as a way of addressing the security skills shortage, "Moving to new technology environments is going to require more skill and education to combat the new vulnerabilities that may appear, as well as increased crowdsourcing to keep pace with the growing attack vectors. We’re also going to see new inroads into different crowdsourced security applications like forensics, threat hunting, and more. The skill shortage is growing at alarming rates so the industry will need to double down on recruitment and education to continue to build out the security community. Diversity was a big and important topic in 2018 and we'll no doubt see a strong emphasis on encouraging and building diversity into the security community in 2019. Next year it's going to be about the individual contributors and tracking skill sets. We will eventually get to a point where a security professional can work from anywhere. It's already beginning with many supplementing income or working part time in the crowdsourced security space. We’re already seeing the shift occur -- the train has left the station."
"It's no secret that one of the key reasons organizations tend to adopt a more reactive approach to security is because of a shortage of skilled security workers," says Jim Barkdoll, CEO at TITUS. "2019 will see that shortage continue, however, a new class of organization is rising to address this gap – orchestrators. These independent specialists assist organizations in tying together their existing security investments and solutions to realize a truly end-to-end security solution. These orchestrators will see challenges from big vendors looking to capitalize on this trend, however, as those vendors often offer only proprietary solutions, there will continue to be room for these independent firms."
Are there any other security issues on the horizon that we haven't covered? Let us know.