Our first 2019 predictions post from the RSA Conference Advisory Board was not all sunshine and roses — cautious optimism was tabled by the acknowledged distance we must still travel as an industry — and our second set of predictions does not belie that theme. This trepidation does not mean we’re failing however, rather it’s a symptom of humanity’s incredible progress and the inevitable security concerns that always accompany. As the quote goes, “with great power comes great responsibility,” and nowhere is that more true than in the powerful world of cybersecurity.
So fear not, readers! As we launch into the second part of our 2019 predictions from our expanded Advisory Board, remember that any security challenges that come with our torrid pace of technological innovation and global expansion can be addressed. Our approaches must evolve with our advancements.
In fact, many of the world’s top security experts will gather this March in San Francisco to discuss just that. We invite you to join us!
Automation and New Targets
For a decade, January’s free-for-all tech showcase CES has prominently featured new devices connected to the internet, and this year’s show was no exception. But with more connectivity and automation come more targets for bad actors.
Laura Koetzle (VP and Group Director at Forrester) sees home devices as particularly vulnerable access points for hackers in 2019. “Connected home devices come with poorly secured internet connections, plain text data in flight and at rest, and vulnerable applications,” she says. “Determined cybercriminals and nation-state attackers will use these devices as routes to pursue high-value targets” like CEOs and other executives.
John Scimone (CSO, Dell) also identifies potential security holes and big consequences that come with more connected devices. “In 2019 I see the potential for a large-scale attack on IoT with physical world ramifications,” he says. “It may be something as silly as a worldwide reboot of a certain brand’s thermostats when a vulnerability is found, or it could be far more nefarious and consequential for society. The concern lies with the broad proliferation of these devices and the limited secure development practices that are generally being employed by their manufacturers, to where the risks in this realm are really only constrained by the motivations and creativity of an attacker.”
The nature of these attacks, however, won’t be overly sophisticated, predicts Caroline Wong (Chief Security Strategist at Cobalt.io). “The large data breaches that will occur in 2019 will happen because of basic foundational gaps around process. Remember, however, that basic doesn’t necessarily mean simple or easy.”
“The convergence of IT and OT (Information Technology and Operational Technology) in industrial control system environments has changed, and will continue to change, how companies approach security,” says Dawn Cappelli (CISO, Rockwell Automation). “Historically, OT networks were not connected to the internet or to the enterprise network, but now companies are increasingly reliant on those connections for smart manufacturing, data, and analytics”, she says. “We saw recent cyber-attacks span OT and IT. In 2019, companies will stop addressing IT security and OT security separately, and will instead create holistic security strategies that cover the entire enterprise, including internal and external threats.”
As for the “will robots take our jobs?” question: “We are always going to need humans to do security work,” says Wong. “There won’t be a time when everything is automated because the people attacking our systems and infrastructure are intelligent, creative people who may be using technology to automate attacks but who are also using their brains.”
Cappelli, however, sees room for automation within the infosec world. “That’s where we need to go because there’s a shortage of security people for us to hire and the industry needs to respond as quickly as possible to threats,” she says. “We all need to automate as much of our security as we can.”
If 2018 was marked by an increase in foreign attacks from both private actors and nation-states, 2019 will see a continuation and evolution of this theme, some AdBoard members say.
“I predict we will see further increases in geopolitical conflict spilling over to cyberspace, particularly in the areas of information warfare and destructive attacks,” says Scimone.
Koetzle sees this particularly evident in the U.S.-China relationship, which became increasingly fraught in 2018. “With heightened geopolitical tensions in Europe and Asia, and the U.S. and China in a trade war, expect renewed hacking of global companies,” she notes. Koetzle elaborated that eight vertical industries are likely targets: new energy vehicles, next-gen IT, biotech, new materials, aerospace, robotics, power equipment and agricultural machinery. “If you’re in one of these industries, expect a breach.”
Dmitri Alperovitch (Co-Founder and CTO of CrowdStrike Inc.). predicts that “we’ll see Iran resuming attacks on the U.S. in retaliation for sanctions that have gone into place, similar to their response to earlier sanctions when they launched DDoS attacks. We’ll also see activity in the financial sector that might go beyond DDoS attacks.”
To address these foreign threats, Narelle Devine (CISO at the Australian Government Department of Human Services) suggests we “go back to basics, particularly with threats from nation-states. The community as a whole needs to make it harder for others to attack. Australia has the ‘Essential Eight’ strategies for mitigating cyber intrusions which provide guidance on application whitelisting, patching applications, application hardening, macro configuration, limiting administrative privileges, patching operating systems, multi-factor authentication and daily backups. Implementing those alone will significantly improve your position. If it costs the adversary too much time or effort they will most likely look for an easier target.” She notes that these strategies are also good practice for the design, build and run of networks. New laws around reporting, data, privacy and digital fraud are raising awareness that everyone needs to take cyber security and data protection seriously.
Cappelli offers one caution: “My fear is that companies will overlook insider threats because recently the major attacks have been from external attackers, but over the years they’ve been cyclical: insider and outsider. Companies should never let down their guard regarding insider threats”.
Evolution of Authentication
The password has been under attack for years now, with some calling for its swift death and others insisting it remains a legitimate and valuable authentication factor. No matter your side in this partisan debate, one thing is clear: how and where trust is secured is evolving quickly.
“We’re seeing a lot of interest in killing off the password, as evidenced by WebAuthn, and there is lots of discussion in and around zero-trust architecture and how passwords and password management is not getting any better,” says Wendy Nather (Head of Advisory CISOs at Duo Security, now part of Cisco). “I think we will see lots of companies saying they’ve solved the password problem by getting rid of it through things like FIDO2, which are taking the place of the initial log in and password.”
Todd Inskeep (Director, Booz Allen Hamilton) focused specifically on the impact smartphones are having on authentication strategies today. “We’re seeing a lot of efforts with passwords being tied back to cell phones and it feels like a real challenge,” he says. “They don’t have a USB port like laptops. It really feels to me like we’re using the phone as a proxy for the user and phone-based user proxy authentication is becoming the broadest possible solution,” he said.
“I agree,” notes Nather. “The mobile phone is becoming the defacto route of trust, whether for good or for ill, and I expect that to continue with the caveat that for much of the world smartphones are a luxury item.”
Inskeep continues, “that global perspective is important for us as security professionals. We’re seeing biometrics used in India and different methods of trust password being deployed in other countries that can’t be used via the personal ownership of a phone.”
Despite two full posts of predictions from our AdBoard, we’ve barely scratched the surface of what might lie in store for us in 2019. One theme however ran through loud and clear: there remains a strong need to talk more about security to a wider audience. No matter the topic, the threat or the strategy, security impacts every human on this earth.
Caroline Wong summed it up best: “perhaps the biggest problem we have in security is that we have so many people who don’t know how to talk about it. We often lack the skillset to effectively translate infosec concepts to different audiences.”
Will that change in 2019? In the end, only time will tell, but March 2019 in San Francisco will feature no shortage of infosec professionals tackling this exact topic and countless more. Join us!
(This post 2019 and Beyond: The (Expanded) RSAC Advisory Board Weighs in on What’s Next: Pt. 2 originally appeared on the RSA Conference website.)