by Bharat Mistry
It’s that time of the year again when we look to the future to arm cybersecurity professionals with a few predictions of what might head their way in 2019. But the truth is that there’s little in store that they’ve not seen already. In fact, the defining threat trends of the coming year may well be those that have plagued organisations for the past decade: vulnerabilities, stolen credentials and social engineering.
The best way to equip your organisation against these going forward is to follow best practices, layer up defences across the IT infrastructure and improve user awareness programmes.
Tens of thousands of vulnerabilities are discovered and responsibly disclosed every year. It is these that will be the main threat to firms in 2019, rather than so-called zero-day exploits. The growing administrative burden on firms to prioritise and patch all of their systems will continue to create gaps for the bad guys to exploit. A key example here was WannaCry, which exploited a patched Microsoft SMB vulnerability.
Next year, 99.99% of successful exploit-based attacks will involve vulnerabilities for which patches have been available for weeks or even months but haven’t yet been applied. SCADA human-machine interfaces (HMIs) will account for a growing number, exposing OT systems to sabotage, extortion or attacks targeting corporate networks and data. The number of new SCADA vulnerabilities reported to the Zero Day Initiative jumped 30% from 1H 2017 to the first half of this year. Expect it to jump again in 2019.
We’re also predicting a rise in cloud vulnerabilities, such as the recent critical flaw found in popular container orchestration platform Kubernetes. As cloud adoption grows in 2019, it’s only natural that it will come under increasing scrutiny from attackers. Misconfigurations and stolen credentials will also make it easier for hackers to hijack cloud accounts. The result: more major data breaches and illegal crypto-mining operations.
The keys to the kingdom
In fact, corporate account credentials have always been one of the weakest links in the security chain — partly because they rely on that other weak link, the user. Too often employees use simple, easy-to-guess or crack log-ins and/or reuse them across multiple accounts because of the overwhelming number of accounts they have to manage in the modern age.
That’s why we can expect more cloud accounts to be targeted in 2019, alongside a major rise in credential stuffing-based fraud as attackers leverage breached log-ins. In the smart home space, poor device security which allows factory default log-ins to persist will be targeted by a rise in Mirai-like IoT “worms”. The impact on firms could be severe: a new breed of botnets driving DoS, crypto-mining and more.
Another tried-and-tested tactic set to continue in 2019 is phishing. Unlike exploit kits, which have seen a decline from the 14.4m we detected in 2015 to just 281,000 in 2018, phishing URL detections have risen from 5.4m to 210.5m over the same period. We’ll increasingly see social engineering tactics used across channels, including SMS and messaging apps, as well as SIM-swap fraud.
This isn’t to say that 2019 will be all about the old, of course. We predict that the black hats will also start using AI tools to analyse data on executives to improve the success of targeted attacks.
A new focus
Most of the risks highlighted above may have been with us for a while. But in 2019 there will be an even greater need to find ways to mitigate them as GDPR and NIS Directive regulators look for cases of non-compliance. Expect the first major 4% fine to be levied in the coming year, most likely prompting a new wave of compliance-related spending.
So where should spend be focused? As the above should clearly demonstrate, modern cyber threats can take many forms. There’s simply no single silver bullet to tackle them all. Instead, IT security teams must look to layer up cross-generational blend of defences at the endpoint, networks, hybrid cloud server and web/email gateway levels. It’s also crucial to combine this with a renewed focus on user education. There are now free tools available which are designed to run real-world simulations and provide detailed feedback for IT teams.
With this information to hand we can finally start to change user behaviour, and turn that weak link into a solid first line of defence. For the full report, please click here.