Experts from The Chertoff Group, a global security advisory firm that enables clients to navigate changes in security risk, technology and policy, developed a list of the biggest cyber threats to watch out for in 2019.
If the recent and explosive growth of ransomware is an indication of anything, it is that criminal organizations will continue to employ malware for profit. Cryptojacking, otherwise known as “Cryptomining malware”, uses both invasive methods of initial access, and drive-by scripts on websites, to steal resources from unsuspecting victims. Cryptojacking is a quieter, more insidious means of profit affecting endpoints, mobile devices, and servers: it runs in the background, quietly stealing spare machine resources to make greater profits for less risk. Due to its ease of deployment, low-risk profile, and profitability TCG posits that this trend will continue to increase in 2019.
While exploitation of software flaws is a longstanding tactic used in cyber attacks, efforts to actively subvert software development processes are also increasing. For example, developers are in some cases specifically targeted for attack. Malware has also been detected in certain open source software libraries. As software code becomes more complex and dynamic, the opportunities for corruption increase as well. In 2019, we will see a continued increase in the use of third-party applications or services as the “back channel” into networks through the corruption of third-party firmware/software (and updates thereof); such back channels can bypass traditional protective and detection capabilities in place to prevent externally-based incidents and infecting the corporate network.
Rise in attacks to the cryptocurrency ecosystem
“Why do people rob banks? That’s where the money is.” Use of cryptocurrencies for everyday transactions is becoming commonplace, and we will continue to see a related rise in attacks against individuals and organizations who use cryptocurrency as an increasingly standard element of their business operations and transaction options.
Cyber Policy Trends
(Slow) Domestic Movement on Data Privacy and Security Legislation
High profile breaches and implementation of GDPR and California’s Consumer Privacy Act will help to drive domestic efforts on comprehensive data security and privacy legislation, though a divided Congress and limited interest from the White House is likely to slow progress. Expect additional states to follow California’s lead if Congress fails to take action, regardless of lawsuits filed by technology companies or the Department of Justice.
Cyber threats and influence operations
Fear, uncertainty and doubt continue to build around the cybersecurity of state and local election technologies and will only continue to grow as the U.S. looks to the Presidential and general elections in 2020.
Heightened incident disclosure expectations (SEC, etc.)
- The European Union General Data Protection Regulation (GDPR) became enforceable on May 25, 2018. GDPR includes a requirement that organizations must report a personal data breach within 72 hours after becoming aware of it. Likewise, the New York State Department of Financial Services (DFS) has imposed a requirement that firms subject to its jurisdiction notify DFS 72 hours after determining that either of the following two events has occurred: (1) a breach of personal data breach or (2) events that have a “reasonable likelihood of materially harming any material part of the normal operation(s)” of the regulated entity. These timeframes significantly accelerate reporting timeframes, putting pressure on organizations to mature incident response and resiliency capabilities to be able to meet these new mandates.
- Separately, on February 21, the SEC released updated guidance on public company cybersecurity disclosure requirements under Federal securities laws. The guidance focuses on two topics: (1) the importance of maintaining comprehensive cyber policies and procedures, particularly on timely disclosure of material cyber risks and incidents, and (2) the application of insider trading prohibitions to material cybersecurity risks and incidents. Recent incidents at Yahoo, Uber and Equifax have served as forcing function for government and public companies to take a harder look at breach disclosure norms. A threshold disclosure question is one of materiality – i.e., if there is a “substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.” While the Commission provides that “[w]e do not expect companies to publicly disclose specific, technical information about their cybersecurity systems,” there is an expectation that public companies should “disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure.” A key question is thus how senior management and Boards are advancing their understanding of cyber risk such that they can make informed judgments about materiality.
Vulnerability equities process
The Vulnerabilities Equities Process (VEP) “balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence.” The exposure and subsequent exploitation of NSA’s Eternal Blue has amplified calls to address the vulnerability equities issue by tilting the scale increasing towards disclosure.
CISA and lingering private sector resistance
The Cybersecurity Information Sharing Act was passed to improve cybersecurity through enhanced information sharing on cybersecurity threats between the public and private sectors. Although it offers liability protections for the private sector, many large companies continue to be reticent to share sensitive, potentially risk-reducing information with peers and the government.
Ambiguity remains for the Lines of Defense
Organizations continue to struggle to define and implement effective First and Second Lines of Defense. While there is a general consensus that First Line consists of information security operations and Second Line is responsible for cyber risk oversight, security practitioners, risk managers and regulatory bodies are not consistently aligned on the practical implementation of these concepts. Ambiguity in this area can have significant organizational and risk mitigation implications.
Cyber Market Trends
Threat emulation to measure effectiveness (ATT@CK)
Organizations are embracing the MITRE ATT&CK model with a slew of new products and services to provide better, granular modeling related to threat tactics, techniques and procedures (TTPs). 2019 will see an increase in products and services that can model threat actor campaigns and suggest mitigation strategies and/or validate people, process, and technologies in place that address these TTPs. [INTERNAL TCG: Example of tool optimization/testing for effectiveness (Verodin, AttackIQ, Darklight, etc.)]
Identity solutions moving to the cloud
Historically organizations have preferred to manage their identity tools and services, especially Active Directory and privileged account management, onsite due to the sensitive nature of the information (“crown jewels”) as well the general importance in protecting the information to maintain business operations. Organizations are increasingly moving to cloud-based IAM solutions to compliment cloud-based application security capabilities. IAM movement to the cloud continues the security product migration first seen by endpoint detection and response products and being adopted across whole segments of the security industry.
Authentication through mobile devices will explode
Acceptance and use of biometrics, facial recognition, QR codes, etc. via mobile devices will increase as organizations and users gain trust that these approaches provide additional security to currently “insecure” elements at places like voting booths, for DMV registration, etc. Greater acceptance trending is also linked to the proliferation of converged physical-cyber security in identity proofing – i.e., need to use facial recognition at facility turnstiles, access WiFi via devices, etc.
Customers will increasingly focus on effective risk management as a differentiator
The operational impacts of notPetya to FedEx and a data breach to Equifax were not just expense items – in both cases, customers voted with their feet and the companies lost revenue. Moreover, Equifax had been certified as against several information security standards (e.g., PCI). Customers will thus not only increasingly look for assurance that service providers have cybersecurity programs in place but will also be looking beyond compliance-based measures to proof of actual effectiveness.