2018 may have been filled with cybersecurity incidents, but the infosec community is gearing up for what the New Year will bring. From emerging cyber-threat attacks surfaces, new APT groups, and more regulations around data privacy, 2019 is set to be another big year in the cybersecurity space. Here are the top cybersecurity trends to look out for in 2019.
More Spectre-Like Flaws
2018 started with a bang after the disclosure of two hardware-based side-channel flaws, Spectre and Meltdown. The two impacted a wide range of microprocessors used in the past decade in computers and mobile devices, including those running Android, Chrome, iOS, Linux, macOS and Windows – and over the year, fresh variants continue to emerge. Security experts predict that Spectre variants will continue to be discovered in 2019. “The chip flaws announced in 2018 may have been the most pervasive examples of memory attack surface vulnerabilities we’ve seen to date, but it certainly won’t be the last,” Ellison Anne Williams, CEO of Enveil, said in an email.
Sophisticated IoT Attacks
The Internet of Things (IoT) market is set to explode – but many of these devices are built with little-to-no security in mind. Since the Mirai botnet emerged in 2016, researchers have seen IoT devices being harnessed maliciously to launch an array of threats – including cryptomining,ransomware and mobile malware attacks. That will only get worse: “In 2019, IoT threats will become increasingly sophisticated, shifting from botnets and stray ransomware infections to APTs for surveillance, data exfiltration and direct manipulation of physical world to disrupt operations,” said Joe Lea, VP of Product at Armis.
Ransomware is Back
When it comes to cyber-threats, the infosec community expects cryptomining to fall off the grid – and ransomware to return to the scene. Cryptomininghas not been as profitable for many cybercriminals as they originally hoped – it turns out, it only makes money when an attacker can infect tens or hundreds of thousands of devices. Ransomware however remains lucrative: “SamSam, for example, has made almost $6 million from ransomware attacks using open RDP servers as a method of entry],” said Recorded Future's senior technical architect, Allan Liska. We are already starting to see new ransomware variants copy this model, and we expect to see a new crop of ransomware families continue to expand on this method of attack.”
Operational Technology and IT Converge
With the growing adoption of remote monitoring in industrial environments, operational technology (OT) and IT are converging – and critical systems are increasingly vulnerableto cyberattacks. “OT security will come into sharper focus as IT infrastructures and OT environments converge,” said Armis’ Lea. “Smart, connected devices will become standard in manufacturing plants, utilities and other areas with critical infrastructure, where digital meets physical operations. This will increase the potential for remote attacksthat disrupt or sabotage robots, sensors and other equipment that drive much of machinery and infrastructure behind our everyday lives.”
With vulnerability patching a constant focus in 2018, the narrative around the process of vulnerability disclosure is evolvingfrom the 90-day guideline from time of disclosure to issuing a patch. “Due to the significance vendors place on vulnerability discovery -- whether through bug bounty programs, variant analysis or pen-testing -- I expect the average time from discovery to patch, and hence disclosure, to shorten from 90 days to 30 or less,” said Pavel Avgustinov, co-founder and vice president of platform engineering at Semmle.
Biometrics have moved to the forefrontin 2018 as a top way to authenticate people for banks and other institutions. However, 2019 could bring more security incidents tied with the data behind biometric systems. “Severalmajor leaksof biometric data have already occurred,” saidYury Namestnikov and Dmitry Bestuzhev, researchers with Kaspersky Lab.
Supply Chain Attacks
In 2019, “We will see cybercriminals continue to focus on attacking critical software supply-chain infrastructure to conduct larger attacks,” Deepen Desai, with Zscaler, said in a post. Attackers have started recognizing the advantages of supply-chain attacks – starting with the June 2017 NotPetya campaign, which rapidly spread to wipe data from thousands of computers around the world. 2018 saw a significant amount of supply chain-targeted attacks, involving companies like Delta Airlines to Best Buy.
With several giant data privacy scandalserupting in 2018 – most notably Facebook’s Cambridge Analytica incident–security researchers think that 2019 will see more legislation and regulatory efforts when it comes to data privacy. “Security and privacy create strange bedfellows on Capitol Hill, pairing far-left progressives with libertarian conservatives,” said Dave Weinstein, vice president of threat research at Claroty. “Lawmakers will likely take their cues from the EU by mimicking many aspects of GDPR. That said, expect Silicon Valley, not Washington, to write the rules on privacy as their lawyers and lobbyists have long anticipated this day coming.”
While 2018 was the year that the EU’s General Data Protection Regulation(GDPR) was implemented, security experts believe that 2019 will truly begin to show what kind of unanticipated impact the regulatory effort will have on data privacy and transparency. “In 2019, we will see companies bringing in additional staff, tools and trainings to untangle the data chaos, so they can leverage their valuable data while staying compliantwith GDPR,” Daniel Mintz, chief data evangelist for Looker, said.
Apache Struts Flaws
After researchers discoveredtwo critical Apache Struts vulnerabilitiesin 2018, they believe there will be another major breach announced soon that stems from flaws in this software, which notoriously was at the heart of the Equifax breach. “Apache Struts presents a unique challenge because it is baked into so many other programs that are designed to be internet-facing, which means that a traditional vulnerability scanner may not detect Apache Struts, but the botnets scanning for the vulnerabilities will pick it up,” Recorded Future’s Liska said.