IT security news in 2018 was dominated by data breaches – and data protection and privacy regulations like Europe’s General Data Protection Regulation (GDPR) designed to limit the damage of such breaches.
Massive breaches at the likes of Marriott and India’s Aadhaar national citizens database underscored the need for regulations like GDPR and the California Consumer Privacy Act, which will continue to drive cybersecurity spending in 2019, including for GDPR-related consulting and services.
And a growing number of companies are waking up to the fact that data breach prevention is not always possible, and are therefore enhancing their detection and response capabilities.
As a result, 2019 is likely to be another record year for IT security spending and a bumper year for IT security vendors. Gartner predicts that, worldwide, the IT security solutions market will increase by almost 9% from 2018’s estimated $114 billion to over $124 billion.
eSecurity Planet‘s 2019 State of IT Security survey found that security spending by large corporations is strong enough to possibly exceed those expectations.
Compliance and data breaches will continue to be big news in 2019. Here are the rest of eSecurity Planet‘s predictions for the top IT security trends in 2019, 10 in all if you’re counting, including a few new attack vectors that could make headlines in the year ahead.
- Software supply chain
- Mobile security
- Nation-state attacks
- Be prepared
For years we have all been told to encrypt our data, but in 2019 organizations will start to realize that encryption is not the answer to all their security problems, according to Ramon Krikken, an analyst at Gartner. It didn’t help Equifax, as the company learned to its detriment.
“Many people overestimate the power of data at rest encryption,” he said. “To provide real protection, you need to encrypt higher up the stack, and the problem is that disk encryption is hard, but application-level encryption is even harder.”
He said all it takes is someone “walking in the front door” of an application using compromised database administrator credentials or internal user credentials, or someone leaving an open S3 file share by accident, and data can still be compromised even if it is encrypted at rest.
“2019 will be the year that people wake up to the fact that encryption is not as effective as they think,” he concluded. “That’s unfortunate, because people don’t like hearing that the main ingredient of their security strategy actually isn’t effective.”
2018 saw the rise of cryptojacking, which uses malware or other means to infect end-user computers with software that hijacks system resources and sets them to work mining cryptocurrencies such as Bitcoin.
The problem for the perpetrators of cryptojacking is that individual systems lack resources, while far greater computing resources are to be found in public clouds such as Amazon AWS.
So in 2019, the bad guys will likely step up their efforts to compromise cloud administrator accounts using new or known vulnerabilities, by phishing for administrator credentials, or perhaps by buying them from disgruntled employees. With a compromised account they can spin up virtual machines running mining software, and in many cases these can go undetected for a considerable amount of time.
The first hint that an organization may get that their account has been compromised will be when they receive their monthly bill and discover that it is far higher than they expect. Even then it may not be easy to identify why the bill has gone through the roof, and which unauthorized virtual machines are to blame.
Many organizations have allowed their developers to dip their toes in the water when it comes to container technology, and in 2019 these organizations will begin implementing them in production environments in earnest. One key driver for that is that many legacy applications run on Windows Server 2008, and as that operating system is deprecated, an enticing solution to this problem is to containerize those applications and run them on a modern server operating system like Windows Server 2016.
The risks that are introduced with container technology are not necessarily new – the technology is ultimately just another abstraction layer – but the problem is that the technology itself is relatively new. “The security and management tools for containers aren’t all ready while the risks aren’t fundamentally different, so there is a period where these support tools are still catching up,” said Krikken. “That is a dangerous place to be.”
Ransomware exploded onto the public consciousness in 2017 following the WannaCry outbreak, and a series of follow-up ransomware attacks that saw high-profile victims such as San Francisco Muni. But the latter part of 2018 saw very few high-profile ransomware victims hitting the news. It’s all gone quiet on the ransomware front.
But the problem of ransomware has not gone away, and in 2019 it is likely to be back with a vengeance. “Ransomware attacks come in waves, and I am sure it will make a return in 2019,” said Krikken. “Many companies have implemented ransomware defenses, but in 2019 it will again hit some companies badly.”
Software supply chains are a huge potential security risk, and a software vendor’s software update package could potentially be compromised so that any customers that download and install the update would unwittingly introduce malware into their systems. The compromise itself can happen on the vendor’s servers, on a third-party distribution system, or even while in transit to the customer using a “man-in-the-middle” attack.
Software update supply chain attacks are becoming increasingly prevalent: In 2016 they were almost unheard of, but in 2017 there was an average of one attack every month, according to Symantec. This trend has continued in 2018, and will likely become a real problem in 2019.
This type of attack is particularly dangerous because it is a type of amplification attack: Compromising one software update can result in the infection of a much larger number of customers who apply the update without taking adequate security precautions such as checking checksums or update hashes, and scanning and testing updates in a sandboxed environment.
The scale of DDoS attacks has been ramping up dramatically over the last few years, from a few Gbps, to hundreds of Gbps, to an astonishing 1.7 Tbps in 2018. One reason for this is the trend of so-called “botnet herders” moving away from compromising PCs to use in distributed attacks to compromising the exploding number of often very insecure IoT devices. Another is the ability of these herders to exploit vulnerabilities in services such as DNS to amplify their attacks.
In 2019 there will more exploitable IoT devices connected to the internet than ever before, and hackers will always find more ways to exploit them more effectively using new amplification attacks. That means that DDoS attacks measuring in excess of 2 Tbps are likely to become increasingly commonplace.
But a more disturbing trend that is likely to emerge is an increasing number of lower bandwidth DDoS attacks aimed at smaller organisations, according to Krikken. “Attackers are going to go downstream, as their attacks can be automated and it costs them very little. It also makes them harder to tackle as you will have to start monitoring network behavior, not just traffic volume.”
Endpoints will always present a security risk, but BYOD programs mean there are a huge variety of mobile devices, including smartphones and tablets as well as much more homogenous PCs and laptops, and also IoT devices to support.
Over the last five years or so, the security of most mobile devices has improved immeasurably, and mobile device management and enterprise mobility management tools have also become increasingly effective. But this can lull security teams into a false sense of security, Krikken believes. “The biggest challenge is the fact that there is such a huge variety of devices, and they are used by users.”
Careless users are often the weakest link in any organization’s security, and in 2019 it’s likely that malicious actors will see increasingly powerful and well-connected smartphones or tablets as easy ways into organizations’ crown jewels.
Defending an organization’s data against determined attackers is hard and perhaps even impossible, but in 2019 we may see attacks against critical infrastructure such as power networks carried out by agents of nation states. A successful attack on this critical infrastructure could have devastating effect on many organizations, no matter how good their own IT security posture might be.
The problem is that there is not much that an individual organization can do to prevent such attacks, because they are likely to come from compromised IoT devices, according to Sean McGrath, a privacy expert and cybersecurity advocate at BestVPN.com. “While this might sound like a problem for governments and businesses to focus on, the reality is that any major threat to critical infrastructure will be powered by the devices in our homes,” he said.
Krikken agrees that IOT devices will continue to cause headaches for security professionals. In addition to being used in distributed attacks, he believes that industrial IoT devices will increasingly be seen as a new attack surface ripe for exploitation. “We see the IoT area and control systems, and we think we will start to see incidents that compromise industrial control systems to cause environmental hazards.”
Predicting what will be prove to be the biggest security threat in 2019 is difficult, and it is always possible that something completely new will appear and catch everyone by surprise.
It’s possible, but it’s unlikely. Probably it will be something that, in hindsight at least, was entirely predictable. “Major threats don’t just fall out of the sky, they emerge over the horizon,” Krikken said.
The best advice is to take a good look at your security posture and shore up your vulnerabilities in order of risk.