The first week back to work after the Christmas break is usually a rude awakening from the previous few days feasting and fun. And when it comes to cybersecurity, the chances are you’ll be plunged straight back into it as the black hats look to exploit any weaknesses they can find. As we head into 2019 it will become increasingly clear that organisations must do better — with the people, as well as the process and technology — to manage cyber risk. If they fail, there are some regulators out there about to bare their teeth.'As we head into 2019 it will become increasingly clear that organisations must do better — with the people, as well as the process and technology — to manage cyber risk. ' ~@PhilMuncasterClick To Tweet
As 5G lands, beware IoT risk
The Internet of Things (IoT) is already making a huge impact on society and business, embedded in everything from home devices to drug infusion pumps, manufacturing machinery and cars. As 5G drives an even greater proliferation of smart devices, there will be a two-fold threat to firms. First is the risk of Mirai-like IoT malware infecting unsecured consumer and SOHO-grade devices. The resulting botnets could drive an uptick in damaging DoS, crypto-mining, click fraud and much more. Nokia claimed in December that botnet activity represented 78% of malware detection events in communication service provider (CSP) networks in 2018, up from just 33% in 2016.
Unfortunately, that is an issue that can only be solved with improved education of consumers and better standards. Let’s hope the BSI kitemark starts to have an impact on the market. Second, firms will be increasingly exposed by the convergence of OT with IT: that means old, unpatched kit which is now connected to the public internet. SCADA vulnerabilities, insecure M2M messaging protocols and other parts of the ecosystem will all need risk assessments and mitigations.
Cyber-criminals stay hidden
The job of the IT security professional gets even harder in 2019 as cyber-criminals continue to develop their “living off the land” strategy. This means use of fileless techniques like using PowerShell, macros, WMI and more to stay under the radar of traditional AV tools. This could also include use of unusual file extensions like .WIZ and malware signed with digital certificates, making activity appear legitimate.'The job of the IT security professional gets even harder in 2019 as cyber-criminals continue to develop their “living off the land” strategy.' ~ @philmuncaster Click To Tweet
Security professionals will have to switch off all services like WMI if they’re not being used, and be prepared to gain deeper visibility into unusual network activity.
Beware the supply chain
The past 12 months saw numerous warnings about the risk of attacks via the supply chain. The UK’s National Cyber Security Centre (NCSC), for example, released detailed guidance for firms, warning: “It is clear that even if an organization has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.”
NotPetya is a notable example of the damage a software supply chain attack can do. Magecart digital skimming code was also used against digital suppliers to wreak havoc on hundreds of e-commerce firms last year. Ticketmaster partner Inbenta Technologies was just one of those affected. Firms need to get better at vetting suppliers and carrying out regular audits. As the US-China stand-off heats up, there could even be risks associated with the hardware supply chain.
Here come the regulators
Two new regulations that came into force in May 2018 will help to improve baseline security standards in 2019. With potential fines of up to €20m or 4% of global annual turnover in the offing, both the GDPR and NIS Directive mandate major improvements. If you haven’t already got compliance plans in order, remember that the goodwill of regulators will run only so far. Just one small €20,000 GDPR fine had been issued at the time of writing, and it's true that regulators prefer the carrot to the stick. But this will change. Expect a major fine for a large multi-national in 2019, potentially Marriott International.
This should focus the minds of boards on the task in hand, and could even free-up more cash for security projects.'With better training tools at their disposal — using real-world simulations to educate users in short, sharp bursts — there’s a real chance of changing user behaviour.' ~@philmuncaster Click To Tweet
Building a better first line of defence
Faced with the above, along with the constant challenge of repelling a growing volume of commodity and spray-and-pay malware attacks, security professionals will once again feel the heat in 2019. A persistent skills shortage measured at nearly three million professionals globally will do little to alleviate these growing pressures. A defence-in-depth strategy including endpoint tools, next-gen firewalls and WAFs, email gateway security and much more is essential. But increasingly, security teams will need to reach out to the wider company in 2019.
Effective staff training and awareness raising will be essential this year. For too long the end user has been the weakest link in the security chain, leading to a major increase in phishing threats. Verizon claimed 93% of breaches last year involved phishing, for example. With better training tools at their disposal — using real-world simulations to educate users in short, sharp bursts — there’s a real chance of changing user behaviour.
That’s a trend for 2019 I think everyone would like to be reporting by the end of the year.
Phil Muncaster compte plus de 12 ans d'expérience en tant que rédacteur et éditeur dans le domaine de la technologie. Pendant sa carrière, il a contribué à quelques grands titres du secteur, notamment Computing, The Register, V3 et MIT Technology Review. Après une immersion d'un peu plus de deux ans au cœur de la scène technologique asiatique à Hong Kong, il est de retour à Londres, où il s'intéresse désormais de près à la sécurité de l'information.