As enterprises get comfortable with remote work, their priorities are going to shift. Cybersecurity will be forefront in the year ahead between concerns about cyber espionage and ongoing nation-state attacks, and federal cybersecurity organizational efforts. Remote work has accelerated enterprises are turning zero trust architectures to improve their security.
As work returns to the “new normal,” whatever that may end up looking like, security attention will shift increasingly from securing remote workers. Here’s what I expect to be among the primary focus points.
As enterprises shift to increased remote work for the foreseeable future, they will take a closer look at the security of their staff’s home networks
While the bulk of peoples’ focus was on other things, IoT security has remained top of mind. And it wasn’t a quiet year when it came to IoT attacks. According to Nozomi Networks’ analysis, in the first half of last year, threats against and actual attacks upon operational technology and IoT networks. “The factors that contributed to the increase in attacks include the sharp rise in IoT devices and connections, and the COVID-19 pandemic that’s sweeping the planet and keeping workers at home, and the ever-larger number of cyber criminals who now have access to or have developed increasingly more sophisticated tools,” Silviu Stahie wrote in his post, IoT Botnet Attacks on the Rise in 2020.
In the fall, Avira Protection Lab found a new Mirai variant, named Katana, which has application-layer distributed denial of service attack features and unique encryption keys for each source, self-replication, and secure command and control capabilities.
The variant targeted existing IoT vulnerabilities. “It is important to safeguard IoT endpoints installed in consumer environments. The industry needs to start adopting best practices to improve device security to ensure that their IoT devices are reliable products and are regularly patched,” they concluded in their update.
It’s good advice, considering research from Forescout, which released a report in December that found IoT devices littered with vulnerabilities. “Millions of consumer and enterprise IoT devices have software flaws in their TCP/IP stacks that could result in remote code execution, denial of service, or a complete takeover of a device. Forescout nicknamed the batch of vulnerabilities Amnesia:33. Devices from as many as 150 vendors are likely vulnerable,” wrote Data Breach Today’s Jeremy Kirk regarding the 33 flaws Forescout found in open-source TCP/IP stacks.
Since the 2016 Mirai botnet attack, attacks on IoT devices have been top of mind. As you may recall, the attack that disrupted the Doman Name System service provider Dyn and led to widespread Internet outages throughout the U.S. and Europe consisted of a collection of 100,000 IoT Devices. The Mirai variants followed, such as this one that exploited a vulnerability in network-attached storage devices. Throughout 2021 expect more threats and attacks to occur and more uncovered vulnerabilities.
Another area to watch will be the security guidelines for vendor IoT device makers to follow expected from NIST.
In healthcare, the move to telehealth will force an increased focus on cybersecurity
Let’s hope that the healthcare industry doesn’t see another year like 2020 for a long time, if ever, with the industry’s strains associated with the novel coronavirus, the shift to telemedicine, along with the rise in the ransomware plague and other electronic attacks.
While the industry is investing in security, the pandemic has made the situation much more challenging for the industry, as we covered here. And as enterprises make the investments necessary to modernize and enhance their technology, it may also provide an opening to modernize and improve their security. The telehealth market is expected to grow from about $61 billion in 2019 to a whopping $560 billion by 2027.
A new administration renewed cybersecurity focus
Federal cybersecurity efforts in recent years have been tumultuous. In November 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018, which solidified the formation of CISA. Since then, the agency has proven itself to play a central role in national cybersecurity efforts, including election security and as a security services provider to the private sector.
In a controversial move, the president fired Chris Krebs, the director of CISA, after Krebs issued a statement that said there was “no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
Then came news of the SolarWinds Orion software supply chain attack. A widespread network monitoring and management tool was compromised, and potentially thousands of customers, including U.S. federal agencies, were impacted. “My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office. We will elevate cybersecurity as an imperative across the government, strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyber-attacks. But a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber-attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners. Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation,” the incoming administration said in a statement following the software supply chain attack.
Between concerns about election security, cyber espionage, and ongoing nation-state attacks, as well as federal cybersecurity organizational efforts, cybersecurity is going to be forefront in the year ahead. It appears there will be a White House cybersecurity czar position created, as dictated in the recently passed defense policy bill. The cybersecurity position will be exclusively focused on digital security, and the position would have direct access to the president.
Insider threats remain a significant risk
In the year ahead, enterprises are going to have big challenges with the insider threat. Not just with nefarious insiders stealing company data and secrets, although that’s always a risk. It’s also about accidental slips and mistakes by insiders that place information at risk.
Consider the most recent Data Exposure Report from Code42, conducted by Ponemon Institute. Ponemon Institute researched this report. The survey was completed by 623 IT security leaders and 586 business decision-makers from the U.S. All respondents were familiar with their organizations’ approach to securing sensitive information.
The report found 59% of IT security leaders say insider threat will increase or increase significantly in the next two years primarily due to users having access to files they shouldn’t, employees’ preference to work the way they want regardless of security protocols, and the continuation of remote work. More than half (53%) of security teams are blind to users moving files to untrusted domains. And 56% of security teams lack historical context into user behavior. In other words, security teams have no idea when an employee may become an insider risk. 66% of IT security leaders believe their budget for insider risk is insufficient, and 54% of them spend less than 20% of their budgets on insider risk. 40% say they do not regularly – or ever – assess their technologies’ effectiveness in mitigating the insider threat.
Software supply chain security gains spotlight
As previously mentioned, the SolarWinds attack was an attack on a very popular network monitoring and management tool that opened customers up to attack. As the name implies, software supply chain security is about the security of vendors’ software and things like open-source components. If these components are compromised, the attackers can compromise every place that software is installed.
That attack allegedly worked in part through access to SAML token-signing certificates, a poorly secured FTP server, and a backdoor inserted into a widespread network monitoring and management tool that may have affected upwards of 18,000 users.
Ponemon’s 2018 Data Risk in the Third-Party Ecosystem found that 59% of more than 1,000 respondent companies in the U.S. and U.K. said they had been victims of a data breach caused by a third party or vendor during the previous year. Another 22% said they didn’t know if they had been or not.
In the next year, supply chain security is going to take a front seat of attention. While firms that still haven’t got security essentials down should probably focus on that, those with mature programs in place will shift more resources to inventorying, evaluating the security, and managing the security of their third-party software. They are going to work to standardize and automate these processes.
The move toward remote worker is driving increased interest in zero-trust architectures
In some way, you’ll find user credentials used as part of the attack throughout the vast majority of incidents. At least in part, the attackers are successful due to the relative immaturity in how they manage user identities and the associated credentials. These challenges are only going to grow as enterprise environments grow more complex, with increasing reliance on close services and the embrace of microservices architectures. It makes it challenging to be sure that the right people can only access the resources they should.
Improving that security situation is one of the reasons why more enterprises are turning to zero trust architectures. With zero trust, there is the requirement that all users prove they are trustworthy before they are permitted access. By some estimates, zero trust will grow 20% annually through 2024.