Happy New Year! The beginning of a new year is a great time for both reflection and forecasting. Looking back on the past 12 months, the cybersecurity landscape is no less rocky than it was in previous years. However, by examining the terrain, organizations can get a handle not only on current threats, but those on the horizon as well.
GDPR Compliance
A key security development in 2018 was the implementation of the (GDPR) in the European Union (EU). The law became enforceable in May and applies to any organization established in the EU or that is processing data belonging to data subjects in the EU. It requires organizations put appropriate security measures in place to implement the regulation. It also regulates data sharing between organizations and third parties. However, questions remain as to what compliance entails in certain circumstances when data is being shared.
A survey by Versasec, a provider of identity and access management solutions, found that 6 months after the roll-out of GDPR, the cost of compliance for many businesses (41%) was higher than expected. The biggest challenges, the survey found, are educating employees (27%); a lack of necessary resources to implement the regulation (23%); communicating with customers (20%); and addressing technical issues in a timely manner (20%). Getting a handle on GDPR compliance will continue to be the focus of businesses that operate in the EU as they balance the regulation’s business, compliance, and security impact.
Hardware Security & the Supply Chain
The year started with the emergence of 2 critical hardware security issues—Meltdown and Spectre. The discovery of these vulnerabilities, which can be exploited to allow attackers to steal data, sent mini-shockwaves throughout the industry, as they affected everything from desktop computers to laptops to cloud servers. While patches and updates provided some protection, malware attempting to target the vulnerabilities emerged and multiple variants of Meltdown and Spectre were discovered. The presence of the vulnerabilities served as a reminder that the technology underpinning the software and services that organizations adopt can be just as vulnerable as anything else.
Later in the year, hardware security took yet another hit, when news reports claimed Chinese intelligence had placed malicious computer chips inside equipment used by 30 companies, including Apple and Amazon, which both denied the report. Regardless of its veracity, the story put a spotlight on the issue of supply chain security. In fact, the U.S. Department of Homeland Security established the creation of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, which is focused on identifying and managing challenges to the protection of the global ICT supply chain.
Thus, we can expect a growing emphasis on supply chain and hardware security continuing into 2019. As Meltdown and Spectre have shown, hardware vulnerabilities are hard to mitigate once they are discovered and require high levels of coordination and cooperation throughout the industry to resolve. This makes them ripe for continued research by attackers looking for ways to compromise systems and go undetected.
However, the supply chain includes more than simple hardware. When it comes to application development, the use of third-party software libraries also provides an attractive vector for attackers. In June, Ticketmaster announced that its U.K. operation was compromised by an attacker that exploited vulnerable JavaScript code in a customer support product from Inbenta Technologies. An investigation determined that the JavaScript was customized by Ibenta to meet Ticketmaster’s particular requirements and was added to the Ticketmaster payment page without Ibenta’s knowledge.
As soon as the vulnerability was discovered, the Ibenta product was disabled across all Ticketmaster sites. Nevertheless, the attack exposed the data of up to 40,000 customers. The situation underscores the importance of tight, automated code review processes that include both the code your organization develops internally and the code provided by others.
Data Exposures
Finally, 2018 continued to see data exposure through both breaches as well as misconfigurations and errors in public cloud. Amazon S3 bucket misconfiguration was a major culprit for data exposure related to user error. Accenture, Go Daddy, and Medcall Healthcare Advisors all suffered from incorrect configuration their S3 buckets leaving both business servers and users data exposed to the public.
Major breaches still took place as well. In some case it highlighted that not all organizations are able to handle breaches appropriately or transparently. In some sense, we may be getting desensitized to breaches in the news but certainly we’re sensitive when an organization seems to try to hide what happened. As additional breaches continued, we saw more scrutiny placed on companies. This was particularly the case with Facebook as more questions arose about additional apps exposing data as well as concerns related to the Russia electioneering effort.
Looking to 2019: Security and Beyond
Looking back at trends from the past year not only helps us see how the cybersecurity industry has transformed, but also allows us to look at where it may be headed. Based on some of the aforementioned trends, as well as other notable incidents in 2018, we’ve developed a few predictions for the world of cybersecurity in 2019, including:
- Regulatory compliance and hardware and supply chain security will likely continue to be issues.
- The evolution of cloud security solutions as it relates to containerization and serverless computing will be a critical driver in cybersecurity.
- The challenges of tool sprawl will continue to be an issue for organizations, particularly as they adopt more cloud services. This will encourage organizations to look for vendors that can provide unified visibility and security management across their IT environment, whether it is multi-cloud, hybrid, or on-premises.
- This same desire for consolidation will extend to the market, with mergers and acquisitions occurring as big players gobble up smaller tool vendors.
- MSPs will be targeted with much more focus in 2019 as they have admin access into their customers’ systems, as well as a wide footprint for victims, and their security controls are lacking.
- Ransomware will continue to be prevalent even as the market has stabilized.
- Public cloud PaaS solutions will be targeted (Lambda, for example) due to the lack of ability to provide security controls on the platforms.
- Actors will begin to leverage more of the security automation enterprises have deployed as part of their attacks, including counter intel activities.
- Continued trade war will see increases from nation-state actors looking for intellectual property.
- Because of the rash of breaches involving the theft of large caches of credit card data in the second half of 2018, we could see a slight decrease in the prices for stolen credit card information due to the potential increase in inventory available to cybercriminals.
The new year always brings the unexpected. Here’s hoping security providers, technologies, and practices will be enough to answer the call.