Friday, 4 January 2019

Cybersecurity: new vulnerabilities for 2019

Source: Synopsys. Dr Ralf Huuck.
When it comes to cybersecurity, the messages of past years remain the same. We can't be too careful. It gets ever easier for cybercriminals. They continue to attack, and there is a lot more to attack.

With so many large-scale security breaches in the past year alone, it could even be said that we are no longer shocked. This is a problem in itself, says Dr Ralf Huuck, Senior Technologist at Synopsys. We have sustained so many security breaches that initial shock and concern about security breaches is slowly moving to acceptance and shoulder-shrugging, said Huuck.

“For 2019 we won’t see fewer breaches, but we might care less, until more physically evident disasters strike,” he warned.

Source: Check Point. Tony Jarvis.
Check Point Software Technologies has identified the same phenomenon, calling it 'mass complacency'. Tony Jarvis, CTO, APMEA, Check Point said, “No longer are data breaches isolated events. We are now seeing cases of individuals having their personal data compromised for the second or third time. Companies themselves are being hit successfully with subsequent attacks.

"All of this will contribute to an apathetic mindset that 'the worst has already happened', which is extremely dangerous. In fact, it has been brewing for a while, as research by ISACA in 2017 found that only 50% of CIOs and IT leaders took any meaningful action towards improving security following the WannaCry ransomware attack. Many are using their security budgets to meet compliance requirements and avoid fines, while we should be striving to turn the situation around.”

Source: SolarWinds. Destiny Bertucci.
“While we don’t see breaches slowing down, we are predicting that small and mid-sized businesses (SMBs) may be the easiest targets in 2019. With weaker security, a lack of user education, and fewer trained professionals, these factors dramatically simplify the opportunity for breaches. Hackers will easily be able to access their data and target SMBs for more money,” said Destiny Bertucci, Head Geek, SolarWinds.

Malware-as-a-service gets more efficient

Not that it would be easy to change things when McAfee is predicting a stronger, more effective criminal underground in 2019. “Cybercriminals are quickly fortifying the malware-as-a-service market by aligning to sell modular attack components. These one-stop shops make it easier for criminals of all experience and skill levels to execute successful attacks. This market consolidation will continue in 2019 and cybercriminal enterprises are expected to flourish as established cyber gangs partner with other top-level services such as money laundering, evasion techniques, and vulnerability exploits.

"As evidenced by conversations within the underground community, an increase is expected in mobile malware, botnets, banking fraud, ransomware, and attempts to bypass two-factor authentication,” said a group of McAfee thought leaders from McAfee Labs, McAfee Advanced Threat Research, and members of McAfee’s Office of the CTO, including Eoin Carroll, Taylor Dunton, John Fokker, German Lancioni, Lee Munson, Yukihiro Okutomi, Thomas Roccia, Raj Samani, Sekhar Sarukkai, Dan Sommer, and Carl Woodward.

Source: Lenovo. Gianfranco Lanci.
We are our own worst enemy

“The growth of mobility, bring your own device (BYOD), remote working and the gig economy have all contributed to the security challenges companies are facing today. Well-meaning employees who ignore – or don’t understand – security protocols can expose enterprises to considerable security threats, financial loss and reputational damage. Digital natives are accustomed to technologies that are more ‘intimate’ in terms of personal data access, but people of all ages can be guilty of prioritising convenience over compliance,” observed Gianfranco Lanci, COO, Lenovo.

"Companies will need to understand their multi-generational workforce, to better manage and protect devices as well as develop strong security protocols and practices.”

Source: RSA. Nigel Ng.
Nigel Ng, VP, International, RSA, highlighted shadow IT, where employees build and use systems and solutions inside companies without explicit organisational approval, as a growing digital risk in the region. “We will potentially see data breaches (in 2019) targeting organisations through this growing exposure surface,” he cautioned.

“Smaller teams within the same organisation are doing things their own way. Craving more agility and faster delivery, they end up creating their own IT environment that is usually cloud-based and unmanaged by the IT infrastructure team and outside the scope of the risk and compliance teams. Shadow IT creates a back door and it’s a growing danger.”

Source: Trend Micro. Nilesh Jain.
Nilesh Jain, VP of SEA & India of Trend Micro is of the same mind. “In 2019, the growing trend of employees taking advantage of remote-working or working-from-home arrangements is inadvertently contributing to an ever-enlarging shadow IT enterprises need to deal with. Remote working challenges the visibility of enterprise data movements whenever employees use their home Internet to access cloud-based apps and collaboration software for work purposes,” he said.

Poor cyber hygiene

Neglecting basic security practices simply amplifies the risk. Sanjay K. Deshmukh, VP and MD, Southeast Asia and Korea, VMware, said the VMware Banking Consumer 2020 Study revealed that under a quarter of Southeast Asia consumers (24%) practice good cyber hygiene by using different passwords and logins for online apps and services that store their credit card details or financial data, which exposes them to greater risk of financial fraud.

“An earlier survey i.e. the VMware Digital Workspace 2017 highlights more than a third of workers in Southeast Asia as using unapproved personal devices for work, increasing companies’ vulnerability to data breaches,” he said.

Source: VMware. Sanjay Deshmukh.
“To combat poor cyber hygiene practices and increased susceptibility to multiple attack vectors, organisations can no longer use today’s reactive approach to enterprise security. Security needs to be intrinsic across any app, any cloud, any device and organisations need to leverage 'homecourt advantage' – a new security model that focuses on identifying which behaviours are normal or odd within their digital ecosystem rather than trying to mitigate every single threat activity, many of which turn out to be false alarms.”

It may sound self-evident, but patching vulnerabilities once there is a patch available should be done as soon as possible. Such a practice is also part of good cyber hygiene. Yet Jain predicts that 99.99% of successful exploit-based attacks will come from 'n-day vulnerabilities'.

“These are the vulnerabilities for which patches have been made available for weeks or months but haven’t been applied yet,” he said. “Here are the numbers: on average, it takes IT 30 days to apply a patch to a vulnerability that has been disclosed, while it only takes hackers one day to try to exploit that vulnerability.”

Intellectual property is open to attack

Source: Sophos. Ross McKerchar.
Ross McKerchar, Chief Information Security Officer at Sophos, also highlighted the software supply chain as being vulnerable. “Everyone relies a huge amount nowadays on open-source libraries that are often maintained very informally by loose-knit communities that are easy to infiltrate. This used to be the domain of nation states but the criminals are getting in on the action,” he warned.

Another source of vulnerability will be application programming interfaces (APIs). Phil Odence, GM, Black Duck On-Demand at Synopsys said, “In 2019, companies will start to become sensitive to their developers’ use of calls out to third-party APIs. It’s a blind spot in the vast majority of IT organisations, similar to the way that open source was 10 years ago.

Source: Synopsys. Phil Odence.
“Most companies understand the importance of ensuring that the APIs they publish are secure from outside attack, but few are even tracking their own code’s use of web services via calls to third-party APIs from the inside out. Although there are other legal and business risks that come with reliance on third-party services, the visibility will likely arise from companies having to account for confidential data they are inadvertently passing to unknown and untrusted sources outside their firewalls.”

Black Duck conducts open source audits.

F5 Networks discusses security in the context of application capital, where the value of a company will increasingly reside within its applications and data, while agreeing with Lanci's point on convenience over compliance.

Source: F5 Networks. Mohan Veloo.
“F5’s Curve of Convenience research found that more than half of Asia Pacific consumers prioritise security over convenience in their app experience. Now, more than ever, businesses need to enhance and secure their application capital in order to thrive in the digital economy, just as they do with their financial capital,” said Mohan Veloo, Regional Tech Lead, Asia Pacific, China and Japan, F5 Networks.

“Most organisations have on average over 200 applications, which also means more consumer and corporate data than ever at their disposal.”

Pressure to deploy, scale and manage the growth of application portfolios quickly and securely, while creating a seamless experience for the end-user, can lead to complex infrastructures and increase the attack surface, Veloo said.

“As the threat landscape continues to evolve, businesses need to devote an appropriate level of energy and resources to manage and monitor their application portfolio in the digital economy. Only then will we be able to provide a secure foundation for growth in applications that benefits the masses,” he recommended.


1 comment:

  1. How easy or difficult is it for cyber-criminals to hack it and break or crack all cyber network security? And which type of network devices can they use for this?
    Julia,
    Cell Beat
