by Ian Heritage
Consumer and enterprise security are usually treated as two discrete areas. But increasingly in 2019 we’ll see a convergence of threats. Ultimately, every employee is also a consumer — one who may work from a home filled with unsecured smart devices, exposing corporate systems and data to new threats.
The coming year therefore requires enterprise IT security teams to think more broadly about the risks facing their organisation, and ensure they have the policies and technologies in place to mitigate them.
Trouble on the home front
Over 13% of the UK workforce now works from home: that’s more than four million employees. Yet as we argue in our 2019 predictions report, Mapping the Future, this will represent a key challenge to corporate IT security over the coming year. Home networks are already connected to printers, storage devices, smartphones, tablets and laptops which could be used in both consumer and corporate scenarios. But increasingly they will be joined by smart devices like connected speakers, TVs, lights, cameras and much more.
Trend Micro has already highlighted systemic vulnerabilities in smart speakers. The concern is that these types of attack will move beyond the theoretical in 2019 and into the real world as devices are used as a stepping stone into corporate networks.
The smart home threat doesn’t end there. The continued manufacture of insecure devices and poor user awareness will create a fertile breeding ground for Mirai-like attacks in 2019. Known vulnerabilities and factory default log-ins could provide a perfect means to compromise devices en masse, conscript them into botnets and launch DDoS, credential stuffing and other attacks on corporates. The FBI has already been forced to issue a warning to consumers about the risks — IT departments also need to be aware.
Three more to watch
These challenges must be balanced with a number of other burgeoning cyber threats in 2019. These include:
- Business Process Compromise (BPC) attacks are set to take another twist as hackers look to compromise the automation software increasingly at the heart of modern organisations. This is a threat that will extend out to the supply chain.
- So-called “living off the land” techniques will continue to evade traditional AV controls. They include use of: rare file extensions like .URL and .PUB; fileless components like PowerShell; digitally signed malware; new activation methods like Mshta; email accounts and online storage as C&C access points; and modified legitimate system files.
- Nation states will look to expand their offensive cyber capabilities in ever greater numbers. The bad news is that innocent organisations are likely to be caught in the middle of escalating geopolitics. Those in the legal sector and any critical infrastructure firms are particularly at risk, although as the latest attribution on the Marriott hackers has highlighted, state-sponsored attacks could hit any sector.
Layer up for protection
Faced with escalating threat levels, organisations need to take a defence-in-depth approach. After all, no single, silver bullet solution can effectively tackle such a wide range of black hat tactics. A cross-generational blend of techniques should be applied, ideally including the following:
- Malware prevention (behavioural analysis, machine learning, web reputation etc)
- Network security (intrusion prevention, firewall, vulnerability analysis)
- Email and collaboration security
- System security (application control, integrity monitoring, log inspection)
- Specialised detection engines for unknown threats such as custom sandboxing, and global threat intelligence
- Endpoint security
- Integrated data loss prevention
We also want to see more IoT manufacturers build security into their products from the start, and hopefully a BSI kitemark will finally start to have an impact on the industry in 2019. Consumer-employees must play their part too, by being more vigilant at their desk and ensuring smart home equipment is securely configured. The coming year will demand a greater level of tech-savvy from home workers: companies unable to get those assurances and/or mitigate remote working risks may find themselves exposed.