A Look into 2019: Cyber Threat Trends

A Look into 2019: Cyber Threat Trends

A lot happened in 2018 - especially on the cyber security side of things.

A lot happened in 2018 - especially on the cyber security side of things. We had some of the biggest data breaches in history in terms of just how many people were affected by the damage put forth by cyber criminals around the world on companies like Facebook and Marriott. 

In an effort to educate ourselves for the future, I decided to ask the experts from The Chertoff Group, a global security advisory firm that enables clients to navigate changes in security risk, technology and policy, to write out a comprehensive list of predicted cyber trends in 2019. They broke it down between cyber threats, cyber policy and cyber market. 

Cyber Threat Trends

Cryptojacking

If the recent and explosive growth of ransomware is an indication of anything, it is that criminal organizations will continue to employ malware for profit. Cryptojacking, otherwise known as “Cryptomining malware”, uses both invasive methods of initial access, and drive-by scripts on websites, to steal resources from unsuspecting victims. Cryptojacking is a quieter, more insidious means of profit affecting endpoints, mobile devices, and servers: it runs in the background, quietly stealing spare machine resources to make greater profits for less risk. Due to its ease of deployment, low-risk profile, and profitability TCG posits that this trend will continue to increase in 2019.

Software subversion

While exploitation of software flaws is a longstanding tactic used in cyber attacks, efforts to actively subvert software development processes are also increasing. For example, developers are in some cases specifically targeted for attack. Malware has also been detected in certain open source software libraries. As software code becomes more complex and dynamic, the opportunities for corruption increase as well. In 2019, we will see a continued increase in the use of third-party applications or services as the “back channel” into networks through the corruption of third-party firmware/software (and updates thereof); such back channels can bypass traditional protective and detection capabilities in place to prevent externally-based incidents and infecting the corporate network.

Rise in attacks to the cryptocurrency ecosystem

“Why do people rob banks? That’s where the money is.” Use of cryptocurrencies for everyday transactions is becoming commonplace, and we will continue to see a related rise in attacks against individuals and organizations who use cryptocurrency as an increasingly standard element of their business operations and transaction options.

Cyber Policy Trends

(Slow) Domestic Movement on Data Privacy and Security Legislation

High profile breaches and implementation of GDPR and California’s Consumer Privacy Act will help to drive domestic efforts on comprehensive data security and privacy legislation, though a divided Congress and limited interest from the White House is likely to slow progress. Expect additional states to follow California’s lead if Congress fails to take action, regardless of lawsuits filed by technology companies or the Department of Justice.

Cyber threats and influence operations

Fear, uncertainty and doubt continue to build around the cybersecurity of state and local election technologies and will only continue to grow as the U.S. looks to the Presidential and general elections in 2020.

Heightened incident disclosure expectations (SEC, etc.)

  • The European Union General Data Protection Regulation (GDPR) became enforceable on May 25, 2018. GDPR includes a requirement that organizations must report a personal data breach within 72 hours after becoming aware of it. Likewise, the New York State Department of Financial Services (DFS) has imposed a requirement that firms subject to its jurisdiction notify DFS 72 hours after determining that either of the following two events has occurred: (1) a breach of personal data breach or (2) events that have a “reasonable likelihood of materially harming any material part of the normal operation(s)” of the regulated entity. These timeframes significantly accelerate reporting timeframes, putting pressure on organizations to mature incident response and resiliency capabilities to be able to meet these new mandates. 
  • Separately, on February 21, the SEC released updated guidance on public company cybersecurity disclosure requirements under Federal securities laws. The guidance focuses on two topics: (1) the importance of maintaining comprehensive cyber policies and procedures, particularly on timely disclosure of material cyber risks and incidents, and (2) the application of insider trading prohibitions to material cybersecurity risks and incidents. Recent incidents at Yahoo, Uber and Equifax have served as forcing function for government and public companies to take a harder look at breach disclosure norms. A threshold disclosure question is one of materiality – i.e., if there is a “substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.” While the Commission provides that “[w]e do not expect companies to publicly disclose specific, technical information about their cybersecurity systems,” there is an expectation that public companies should “disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure.” A key question is thus how senior management and Boards are advancing their understanding of cyber risk such that they can make informed judgments about materiality. Vulnerability equities process

The Vulnerabilities Equities Process (VEP) “balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence.” The exposure and subsequent exploitation of NSA’s Eternal Blue has amplified calls to address the vulnerability equities issue by tilting the scale increasing towards disclosure.

CISA and lingering private sector resistance

The Cybersecurity Information Sharing Act was passed to improve cybersecurity through enhanced information sharing on cybersecurity threats between the public and private sectors. Although it offers liability protections for the private sector, many large companies continue to be reticent to share sensitive, potentially risk-reducing information with peers and the government.

Ambiguity remains for the Lines of Defense

Organizations continue to struggle to define and implement effective First and Second Lines of Defense. While there is a general consensus that First Line consists of information security operations and Second Line is responsible for cyber risk oversight, security practitioners, risk managers and regulatory bodies are not consistently aligned on the practical implementation of these concepts. Ambiguity in this area can have significant organizational and risk mitigation implications.

Cyber Market Trends

Threat emulation to measure effectiveness (ATT@CK)

Organizations are embracing the MITRE ATT&CK model with a slew of new products and services to provide better, granular modeling related to threat tactics, techniques and procedures (TTPs). 2019 will see an increase in products and services that can model threat actor campaigns and suggest mitigation strategies and/or validate people, process, and technologies in place that address these TTPs. [INTERNAL TCG: Example of tool optimization/testing for effectiveness (Verodin, AttackIQ, Darklight, etc.)]

Identity solutions moving to the cloud

Historically organizations have preferred to manage their identity tools and services, especially Active Directory and privileged account management, onsite due to the sensitive nature of the information (“crown jewels”) as well the general importance in protecting the information to maintain business operations. Organizations are increasingly moving to cloud-based IAM solutions to compliment cloud-based application security capabilities. IAM movement to the cloud continues the security product migration first seen by endpoint detection and response products and being adopted across whole segments of the security industry.

Authentication through mobile devices will explode

Acceptance and use of biometrics, facial recognition, QR codes, etc. via mobile devices will increase as organizations and users gain trust that these approaches provide additional security to currently “insecure” elements at places like voting booths, for DMV registration, etc. Greater acceptance trending is also linked to the proliferation of converged physical-cyber security in identity proofing – i.e., need to use facial recognition at facility turnstiles, access WiFi via devices, etc.

Customers will increasingly focus on effective risk management as a differentiator

The operational impacts of notPetya to FedEx and a data breach to Equifax were not just expense items – in both cases, customers voted with their feet and the companies lost revenue. Moreover, Equifax had been certified as against several information security standards (e.g., PCI). Customers will thus not only increasingly look for assurance that service providers have cybersecurity programs in place but will also be looking beyond compliance-based measures to proof of actual effectiveness.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3