Should AULD attack types be forgot
and never brought to mind?

As I sit writing this article on New Year’s Eve, that’s the song that’s running through my mind. It’s inevitable that my thoughts are centered on what this past year brought us in terms of device, network, and cloud security. That includes both the bad and the good.

We saw new and more sophisticated ransomware attacks, nearly 8 billion records exposed through over 5000 of data breaches (as of November, according to Risk Based Security as reported by CNET), threats targeting mobile devices, containers, popular security tools such as Kubernetes, and other modern technologies.

But we also saw advances in IT security that will help keep our data and applications safer.  Organizations and individuals are finally recognizing the futility of the old username/password authentication method and are moving to implement multifactor authentication, hardware authentication, biometrics, etc. Sophisticated techniques such as user behavioral analytics can help detect compromised accounts more quickly and artificial intelligence (AI) with machine learning can pinpoint anomalous activity and help detect malware before it has a chance to do harm.

Before we embark on a new year that will undoubtedly bring unexpected challenges, let’s take a brief look back at the good, the bad, and the ugly parts of the 2019 security landscape and the lessons we can take away from some of the major security incidents.

The Internet of Insecure Things

The Internet of Things (IoT) has grown by leaps and bounds over this past year. According to Statista’s figures, the installed base of IoT connected devices world-wide is approximately 26.66 billion at the end of 2019, up from 23.14 billion in 2018. That number is projected to climb to more than 30 billion in 2020 and over 75 billion by 2025.

Businesses and individuals are embracing the convenience and other benefits of “Internetizing” everything from light bulbs, thermostats, and household appliances to factory equipment and company vehicles. Enterprises glean valuable insights into their customers’ use of their products and services through analyzing data collected by sensor-driven IoT devices. In the medical field, retail, aviation, financial services, manufacturing, and so many other arenas, IoT is used to engage customers, enhance productivity, manage inventory, and much more.

However, up until recently the big elephant in the IoT room was security.  With so many different vendors making so many different devices – and many of those companies focused on functionality, not security – IoT has been widely recognized as a security nightmare. According to a Forrester study this year, 80% of enterprises know that they need to address unmanaged and IoT security polices but don’t know where to start.

According to Forbes, the incidence of attacks on IoT devices surged by 300% in 2019. The ongoing threat of the Mirai IoT botnet and Kaspersky’s report that they had detected more than 100 million attacks on “smart” devices in the first half of 2019 helped to bring the problem into the public eye. The good news is that in 2019, it seemed that companies making IoT devices finally began to get serious about building more protections into their products –  but they still have a long way to go.

All the “-ishing” variants

Phishing, spear phishing (more targeted phishing), vishing (voice phishing), smishing (SMS phishing) – according to Verizon’s 2019 Data Breach Investigation Report, 32% of data breaches this past year involved some form of phishing, which involves convincing users to open a malicious email attachment, visit a malicious web site, or download malicious software with the ultimate goal of getting them to provide personal or confidential information.

According to Statista, global Internet portals, banks, social networks, payment systems, and online stores are the top 5 organizations most targeted by phishers. Microsoft researchers found that spear phishing attempts doubled over the year.

Because phishing often relies on conning users into revealing their user names and passwords, though, they can often be thwarted by multifactor authentication. Now that companies are moving to MFA, the phishers are finding that those credentials are useless to them without access to the second authenticating factor, which is often the user’s phone or a smart card or token that remains physically in the user’s possession.

Cyber hostage takers

Targeted ransomware attacks posed a big problem throughout the year, with an increased focus on health care institutions, local governments, and for some reason, Canadian businesses. ZDNet reported that ransomware attacks had also hit more than 500 U.S. schools as of September.

And that’s not all. Ransomware is getting more sophisticated, with large scale multi-stage attacks on big  organizations with wide attack surfaces becoming more common. This year these attackers whose malware holds data hostage upped their game and began publishing data from their victims who refuse to pay, according to Krebs on Security.

The good news here is that even these advanced ransomware attacks usually begin with a phishing scam. User education is key to defending against them, and more organizations are learning to be proactive and train users on how to recognize and reject these tactics, and to have frequently updated backups of important data that’s kept offline where it’s safe from ransomware.

Even if your company doesn’t fall into one of the commonly targeted categories mentioned above, it’s important to be vigilant. Some security experts are predicting that in the coming year, ransomware attackers will expand their scope, and that new favorite targets are expected to be research institutions, TV/media outlets, the shipping and transportation industry, and the energy grid and other public utilities.

Summary

IoT attacks, phishing, and ransomware are only a few of the attack types that we faced in 2019, and we can expect to see these and more in the new year.  Attackers work overtime to stay two steps ahead, but at the same time they’re becoming more sophisticated, so are the security measures and mechanisms that are available to protect against them. Changes are coming to the cybersecurity field in 2020, and those who keep their security skills and expertise up to date will be in demand in the job market. New job titles, such as that of chief cybercrime officer (CCO) are likely to emerge.

Finally, as AI improves and becomes more integrated in our IT strategies, our business functions, and our personal lives, it will inevitably be used by attackers to increase the effectiveness of their attacks. The flip side of that is that AI-enabled analysis can make virus and malware detection more accurate and be used to increase the effectiveness of our defenses.

This next decade is certain to bring challenges we can’t even anticipate yet. It is also sure to bring opportunities we never dreamed of. It’s an exciting time to be in the IT security field.