Predictions are tough, but even moreso in the chaotic world of cyber security. The threat landscape is huge, offensive and defensive technologies are evolving rapidly, and nation-state attacks are increasing in terms of scope and sophistication.
This cyber “fog of war” makes it hard to see or assess every trend. Last year, for example, CSO’s predictions for 2018 did not anticipate the rapid rise of cryptomining. In hindsight, this relatively easy to execute, lower risk way for cyber criminals to monetize their efforts should have been an obvious choice.
This year, we asked CSO staff and contributors to tell us the biggest events or trends they anticipate for the next 12 months. Here are their top 9.
1. Ransomware tapers off, but still wreaks havoc
Ransomware will taper off as criminals shift to other ways to generate revenue. “While ransomware will still be a problem, it will be more of a focused, targeted attack,” says Steve Ragan, CSO’s senior staff writer. He cites the declining number of ransomware attacks. According to Kaspersky, the number of users who encountered ransomware in 2017 and 2018 fell by nearly 30 percent over the 2016 to 2017 time period.
‘The randoms went down, and the targeted ones were big news,” says Ragan. For example, the ransomware group responsible for SamSam is now focusing primarily on a relatively few U.S. companies, mainly municipal and healthcare organizations, according to Symantec.
The reason for the decline is that criminals are finding cryptojacking and other schemes are more effective money-makers. The number and quality of ready-made cryptomining tools means that criminals don’t need to be technically skilled. That’s reflected in the 44.5 percent rise in number of users that have experienced a cryptomining attack in the past year, according to Kaspersky. “Hidden coinminers continue to proliferate in 2019, and malware authors are taking advantage of them to disrupt your business,” says CSO contributor David Strom. “Cryptomining will continue to be a threat as long as attackers can make quick cash from the infections.”
2. Regulation and public sentiment on privacy will drive data protection policies
Last year, CSO predicted that the European Union (EU) would quickly punish a few companies in violation of its General Data Protection Regulation (GDPR) to make an example of them. That didn’t happen. The threat of penalties over compromised personal information will still have a huge effect on security operations in 2019 nonetheless.
Those penalties are likely coming. “The EU will break some fingers with the GDPR,” says CSO Senior Writer J.M. Porup. “Enforcement is going to be harsh beginning in the first half of 2019. Companies engaged in surveillance capitalism, like Google and Facebook, are in for a rough few years.” Hundreds of complaints have been filed, including some against Google and Facebook.
In 2019, we’ll see how the EU will react to those complaints. That will provide some much-needed clarity regarding the risk that GDPR and other privacy regulations present. If the GDPR doesn’t react, then that’s telling, too. It sends the message not to take the regulation seriously.
Rising concern over how companies use and protect personal information will encourage many Americans to hold those companies more accountable. “The reaction by consumers to constant security breaches and other unethical information disclosures (e.g., Facebook) leads U.S. consumers to demand more default privacy and control over their own information,” says CSO contributor Roger Grimes.
Grimes expects to see an effort to enact privacy laws similar to GDPR nationally in 2019. The California Consumer Privacy Act has already passed into law and goes into effect in 2020. On November 1, Sen. Ron Wyden introduced a bill titled the Consumer Data Protection Act (CDPA), which has stiff penalties, including jail time, for privacy violations.
Given the federal government’s current state of effectiveness, that bill is unlikely to gain much traction. In the meantime, most organizations that handle consumer data in the U.S. will look to other regulations such as the GDPR and CCPA for guidance. “California and New York will continue to drive the conversation around consumer data privacy, while Washington drags its heels,” says Porup.
“Companies will … start seriously thinking about a privacy-first approach to data, especially as these laws expand to more jurisdictions, and to narrowly targeted verticals, such as banking, medical and payments,” says CSO contributor Maria Korolov. “That will require some major changes in how companies collect, use, and share data.”
3. Expect more nation-state attacks on and surveillance of individuals
State-conducted or sponsored targeted cyberattacks on journalists, dissidents and politicians will continue to grow. Like-minded governments will turn a blind eye to such attacks on their own soil.
The worst possible outcome of a nation surveilling its own citizens played out in the case of Saudi journalist Jamal Khashoggi. Israeli newspaper The Haaretz reported that the Saudi government used Israeli cyberweapons to track Khashoggi while he was in Canada.
The Israeli government appears to be a major exporter of technology that other governments can use to spy on its citizens. Another Haaretz story reports that multiple countries are using Israeli software to target dissidents and homosexuals.
4. Microsoft will move Advanced Threat Protection (ATP) to all its mainstream products
Windows 10 Advanced Threat Protection (ATP) is a service that allows anyone with an E5 license to see under the hood and review what an attacker did to a system. It relies on telemetry that is enabled when the computer is linked to the ATP service.
The software giant will move to fortify its continuing efforts to build a security-focused brand image by making ATP standard with all Windows versions. “This will be a key selling point in choosing Windows products over IBM's Red Hat in the coming year,” says CSO contributor and Windows expert Susan Bradley.
5. We will determine that voter fraud occurred in the mid-term elections
The confirmation of voter fraud will spur calls to better protect and enroll people in online voter processes. The conflict between those who want to make voting as accessible as possible and those who want to protect the integrity of the process will remain, however.
“We have a need to ensure that everyone can register and vote online, but we will need to take major steps to ensure we can do so safely and properly,” says Bradley.
6. Multi-factor authentication will become the standard for all online transactions
Though far from a perfect solution, most websites and online services will abandon password-only access and offer additional required or optional authentication methods. For a while, the different forms of multi-factor authentication will likely confuse and frustrate users.
“Only using a password to authenticate is increasingly leaving us open to phishing and other attacks,” says Bradley. “But the fact that all the vendors are implementing different systems to authenticate means I'm being driven slightly crazy with all of the two-factor authentications I'm having to manage. It won't be better until a more standardized process is settled on.”
Those standards, at least on the vendor side, are on the way. “With FIDO2 browser enhancements and the Duo/Cisco acquisition, it could tip the scales. Expect to see more innovation here in the coming year that makes it easier and more compelling to use MFA than not to,” says Strom.
7. Spear phishing becomes even more targeted
Attackers know that the more information they have about you, the better they can craft a successful phishing campaign against you. Some are using tactics that are a bit creepy. “One of the trending changes in spear phishing are phishing campaigns where the hacker breaks into an email system, lurks and learns,” says Grimes. “Then they use the information they have learned, as well as taking advantage of the relationships and trust built between people who regularly communicate with each other.
One area where Grimes sees this happening more is mortgage wire fraud, where home buyers are tricked into wiring closing fees to a rogue party by an email arriving from a trusted mortgage agent. “The hacker breaks into the mortgage lender’s (or title agent’s) computer and takes note of all the upcoming pending deals and their closing dates,” he says. “Then the day before the mortgage agent would normally send out an email telling the client where to send the closing money, the phisher uses the mortgage agent’s computer to beat them to the punch. The unsuspecting client wires the money, which is rarely recovered, and ends up losing the house (unless they can come up with another substantial closing payment, which most can’t do).”
8. Nations will make an effort to establish cyberwarfare rules
Even in physical warfare, most nations have agreed upon a basic set of rules, such as no torture, no poison gasses, or no slaughtering of civilians. The rules set boundaries that could align much of the world against nations that cross them.
No such rules exist for cyberwarfare, and some nations seem to believe they can do almost anything with near impunity. “North Korea hacks Sony Pictures. Russia hacks industrial critical control systems and tries to influence the elections of other nations. China steals intellectual property. And the U.S. and Israel use malware to destroy nuclear equipment,” says Grimes. “Digital boundaries are being tested, and some nation states are starting to push back. Expect there to be a Geneva Convention for digital warfare coming soon.”
Rules or no rules, some nations will continue to push boundaries when it comes to cyber warfare. “Cyber attackers will continue to have a safe haven in Russia and China and North Korea,” says Korolov. “They will have more resources at their disposal than ever, either from their government backers or from the financial windfalls of this year's ransomware and cryptojacking attacks. They will use these resources to find new attack vectors and to improve the resilience and adaptability of their malware. The situation will continue to get worse until something very major changes in global geopolitics, which won't be until the next U.S. presidential election, at the earliest.”
9. More organizations will require masters degrees in cybersecurity for CSOs/CISOs
Cybersecurity training will continue to mature, and certificates alone will no longer be enough to take the next step in a security professional's career, Porup predicts. “The hodge-podge system of security certifications has failed to provide the right kind of education and training,” says Porup.
"Cybersecurity training will continue to mature, and certificates alone will no longer be enough to take the next step in a security professional's career," Porup continues. "Masters degrees in cybersecurity are popping up all over the place, including at prestigious universities like UC Berkeley and NYU, and more and more companies will be looking to hire CSOs/CISOs with the cross-disciplinary skills acquired from a masters degree."