Malware infections of devices
Protecting endpoints has continued to be a battle for organizations. About half of all organizations suffered a malware infection on company-owned devices in 2019, according to Kaspersky’s IT Security Economics in 2019 report. Half also saw malware infections on employee-owned devices.
For the enterprise, malware infections on company devices were the most expensive incident cited in the Kaspersky report, with an average cost per incident of $2.73 million. That number was significantly less for SMBs at $117,000.
What to expect in 2020: Dmitry Galov, security researcher at Kaspersky, sees the risk from employee-owned devices increasing in 2020. He sees a greater willingness for companies to allow employees to use their own devices to cut costs, enable remote work, and increase employee satisfaction. As a result, attackers will target personal devices as a way to bypass corporate defenses. “By default, users’ personal devices tend to be less protected than corporate devices as the average users seldom apply additional measures to protect their phones and computers from potential threats,” he says. “As long as this trend continues, company and employee-owned device infections will arise. This vector of attack remains attractive because the attacker no longer needs to target corporate accounts (for instance, with phishing emails sent to corporate mail).”
Best advice for 2020: Companies must review and update their policies around personal devices, and then enforce those policies, Galov believes. “Strict company policies regarding security, correct rights management and provision of users with security solutions are on the list of must haves to protect the company and its data,” he says. “As well as managing technical issues, security awareness trainings are important because they can cultivate standards of cyber hygiene among employees.”
Nearly a third of all breaches in the past year involved phishing, according to the 2019 Verizon Data Breach Investigations Report. For cyber-espionage attacks, that number jumps to 78%. The worst phishing news for 2019 is that its perpetrators are getting much, much better at it thanks to well-produced, off-the-shelf tools and templates.
Akamai’s SOTI Report: Baiting the Hook broke down the phishing-as-a-service offered by one phishing kit developer. This developer has a storefront and advertises on social media. Prices start at $99 and go up depending on the mailing services selected. All the kits come with security and evasion features. “The low prices and top-tier brand targets are attractive, creating a low bar for entry into the phishing market for criminals looking to set up shop,” said the report’s authors. Among those top-tier brands targeted are Target, Google, Microsoft, Apple, Lyft and Walmart.
What to expect in 2020: Phishing kit developers will offer more refined products, further lowering the skill required to launch a phishing campaign. According to the IDG Security Priorities Study, 44% of companies say that increasing security awareness and staff training is a top priority for 2020. Attackers will respond by improving the quality of their phishing campaigns, minimizing or hiding the common signs of a phish. Expect greater use of business email compromise (BEC), too, where an attacker sends legitimate-looking phishing attempts through fraudulent or compromised internal or third-party accounts.
Best advice for 2020: Keep your anti-phishing training up to date and make it ongoing. To combat BEC, have policies in place that require any employee receiving a request regarding money or payment instructions to confirm by phone.
Ransomware attacks are not the most common cybersecurity incident, but they can be among the most costly. Roughly 40% of SMBs and enterprises experienced a ransomware incident in 2019, according to Kaspersky’s IT Security Economics in 2019 report. At the enterprise level, the average cost per incident was $1.46 million.
Endpoint protection tools are getting better at detecting ransomware, but that has made ransomware developers better students of the techniques those tools use, according to the Sophos Labs 2020 Threat Report. “It is a lot easier to change a malware’s appearance than to change its purpose or behavior, which is why modern ransomware relies on obfuscation to be successful,” says Mark Loman, director of engineering for next-generation tech at Sophos. “However, in 2020, ransomware will raise the stakes by changing or adding traits to confuse some anti-ransomware protection.”
Some of that obfuscation is to make the ransomware appear to be from a trusted source. The Sophos report cites several examples:
Crafting a script listing targeted machines and incorporating them together with the PsExec utility from Microsoft Sysinternals, a privileged domain account, and the ransomware.
Leveraging a logon/logoff script via a Windows Group Policy Object
Abusing the Windows Management Interface to mass distribute inside a network
What to expect in 2020: Loman sees ransomware attackers continuing to tweak their methods to give themselves an edge. “Among the most notable advancements is an increase in ransomware attackers raising the stakes with automated, active attacks that blend human ingenuity with automation tools to cause maximum impact,” he says. “Additionally, by encrypting only a relatively small part of each file or booting the operating system to a diagnostic mode where anti-ransomware protection is often unavailable, attackers will continue to evade most defenses.”
“Ransomware attacks have been loud this year and there is no reason for this type of threat to decline,” says Kaspersky’s Galov. “Ransomware increasingly targets infrastructure, organizations and even smart cities.”
Ransomware developers will make their code more evasive so that they can establish a foothold in a system, encrypt more data without being noticed, and possibly scale operations to other networks. “This year we saw the appearance of attacks even on Network Attached Storage (NAS), which is largely considered secure and safe from such threats,” says Galov.
Best advice for 2020: As always, the best defense against ransomware is to have current, tested backups of all critical data. Keep those backups isolated from your network so they, too, aren’t encrypted by the ransomware. Employee training is critical, too. “In order to protect themselves from ransomware, organizations need to implement strict security policies and introduce cybersecurity trainings to the employees,” says Galov. “Additional protective measures, such as securing access to data, ensuring its backups are stored securely and implementing application whitelisting techniques on servers, are required.”
“It is vital to have robust security controls, monitoring and response in place covering all endpoints, networks and systems, and to install software updates whenever they are issued,” says Loman.
Third-party supplier risk
Both enterprises and SMBs saw incidents involving third-party suppliers (both services and products) at a similar rate, 43% and 38%, respectively, according to Kaspersky’s IT Security Economics in 2019 report. Most organizations (94%) grant third-party access to their network, according to a survey by One Identity, and 72% grant privileged access. Yet only 22% felt confident those third parties weren’t accessing unauthorized information, while 18% reported a breach due to third-party access.
The Kaspersky study shows that both SMBs and enterprises are forcing third-party suppliers to sign security policy agreements—75% of SMBs and 79% of enterprises use them. That’s making a big difference when it comes to getting compensation from third parties when they are responsible for a breach. Of enterprises with a policy in place, 71% reported they received compensation, while only 22% of companies without a policy received compensation.
What to expect in 2020: Businesses will become more digitally connected with their suppliers and partners. That raises risk as well as awareness of that risk. Unfortunately, attackers are becoming more sophisticated.
“Recently, we've observed some new groups such as BARIUM or APT41 engage in sophisticated supply chain attacks against software and hardware manufacturers in order to penetrate secure infrastructures around the world,” says Galov. “These include two sophisticated supply chain attacks uncovered in 2017 and 2019: the CCleaner attack and ShadowPad, and other attacks against gaming companies. Dealing with a compromise from one of these threat actors is a complex process, as they usually leave backdoors allowing them to return later and cause even more havoc.”
Best advice for 2020: Know who has access to your networks and ensure they have only the privileges they need. Have policies in place for communicating and enforcing rules for third-party access. Make sure you have a security policy in place for all your third-party suppliers that spells out responsibilities, security expectations, and what happens when an incident occurs.
“The best organizations can do to protect themselves from such attacks is to make sure that not only they, but also their partners, follow high cybersecurity standards,” says Galov. “If third-party suppliers get any kind of access to internal infrastructure or data, cybersecurity policies should be established before the integration process.”
Forty-two percent of enterprises and 38% of SMBs experienced a distributed denial of service (DDoS) attack in 2019, according to Kaspersky’s IT Security Economics in 2019 report. That’s on par with ransomware incidents, which get much more media attention. From a financial perspective, DDoS attacks cost SMBs an average of $138,000.
Attackers continue to innovate to improve the effectiveness of their DDoS attacks. In September, for example, Akamai reported a new DDoS vector: Web Services Dynamic Discovery (WSD), a multicast discovery protocol to locate services on a local network. Using WSD, attackers can locate and compromise misconfigured, internet-connected devices at scale to amplify the scope of their DDoS attacks.
What to expect in 2020: Kaspersky’s Galov sees DDoS attacks staying “quite prominent” in 2020 thanks to the rise of 5G and numbers of IoT devices. “The conventional boundaries of critical infrastructure such as water supply, energy grid, military facilities and financial institutions will expand much further to other unprecedented areas in a 5G-connected world,” he says. “All these will require new standards of safety, and the increased speed of connection will pose new challenges in stopping DDoS attacks from happening.”
Best advice for 2020: Do everyone a favor and check your internet-connected devices for misconfigurations and unpatched vulnerabilities. “It's security hygiene, basic security hygiene,” says Akamai’s Seaman.
Unfortunately, that won’t help the risk of DDoS attacks aided by connected consumer devices. “Grandma going to Best Buy to pick up a new webcam to put on the driveway so she can see who pulls in isn't going to know about the hygiene of this device,” says Seaman. “That's where we continue to see the bigger problems, and it's not grandma. It's really some guy in Vietnam who has a VDR security system for his small shop. The last of his concerns is whether his webcam is being used to DDoS a bank.”
According to Veracode’s State of Software Security Vol. 10 report, 83% of the 85,000 applications it tested had at least one security flaw. Many had much more, as their research found a total of 10 million flaws, and 20% of all apps had at least one high-severity flaw. That leaves a lot of opportunity in terms of potential zero-day vulnerabilities and exploitable bugs for attackers to take advantage of.
The report authors see optimism in some of the data. Fix rates, especially for high-severity flaws, are improving. The overall fix rate is 56%, up from 52% in 2018, and the highest severity flaws are fixed at a rate of 75.7%. The biggest positive, however, is that a DevSecOps approach with frequent scanning and testing of software will drive down the time to fix flaws. Median time to repair for applications scanned 12 times or fewer per year was 68 days, while an average scan rate of daily or more lowered that rate to 19 days.
What to expect in 2020: Despite the best efforts of security and development teams, vulnerabilities will continue to creep into software. “Most software today is very insecure. That will continue in 2020, especially with 90% of applications using code from open-source libraries,” says Chris Wysopal, co-founder and CTO at Veracode. “We’ve seen some positive AppSec signs in 2019. Organizations are increasingly focused on not just finding security vulnerabilities, but fixing them, and prioritizing the flaws that put them most at risk…. Our data suggests that finding and fixing vulnerabilities is becoming just as much a part of the process as improving functionality.”
Best advice for 2020: As the Veracode research shows, scanning and testing your apps for vulnerabilities more frequently while prioritizing the most severe flaws to be fixed is an effective defense. Wysopal also urges companies to keep an eye on security debt. “One of the growing threats within application security is the notion of security debt – whether applications are accruing or eliminating flaws over time,” he says. A growing security debt leaves organizations exposed to attacks.
“Just as with credit card debt, if you start out with a big balance and only pay for each month’s new spending, you’ll never eliminate the balance,” Wysopal says. “In AppSec, you have to address the new security findings while chipping away at the old.”
Cloud services/hosted infrastructure incidents
Forty-three percent of enterprise businesses had security incidents that affected third-party cloud services in 2019, according to Kaspersky’s IT Security Economics in 2019 report. Although cloud-related incidents didn’t make the SMB most frequent list, they were expensive for smaller companies, which often are more dependent on hosted services. The average incident that affected hosted infrastructure for SMBs was $162,000.
One area that saw an uptick in activity in 2019 was online payment fraud. The Magecart criminal group in particular was quite busy this past year. The group uses code that takes advantage of misconfigurations in the cloud to modify shopping cart code. The businesses using the online ecommerce services are unaware of the change until customers complain of fraudulent charges.
Organizations still need to worry about misconfiguring cloud services in a way that leaves data exposed on the internet. Attackers regularly scan the internet to grab this exposed data. Fortunately, cloud platform vendors such as Amazon and Google have rolled out new tools and services in 2019 to help organizations properly configure their cloud systems and find errors that leave data unprotected.
What to expect in 2020: The staying power of the malicious code and the financial reward (Magecart’s haul alone is estimated to be millions of dollars) means online payment fraud will increase in 2020. Magecart’s success is bound to inspire imitators. Organizations will counter this and other cloud threats by spending more on cloud security. According to the IDG Security Priorities Study, only 27% of organizations have cloud data protection technology in production, but 49% are researching or piloting it.
Best advice for 2020: Conduct source code reviews of your ecommerce scripts and implement subresource integrity so that modified scripts are not loaded without your permission. Make sure your cloud providers conduct assessments of their own code to prevent fraud. Do regular scans for configuration errors that expose your data on the internet.
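One way to act on the subresource integrity advice above, as an added example that is not part of the original article: a Python audit that reads a page's script tags, checks each integrity pin against the bytes currently being served, and flags scripts with no usable pin. The hosts shop.example and cdn.example, the script bodies and all function names are constructed for illustration.

```python
"""Audit <script src> tags for Subresource Integrity (SRI) pins."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ALGS = ("sha256", "sha384", "sha512")  # SRI hash algorithms, weakest first


def sri_value(content: bytes, alg: str = "sha384") -> str:
    """Build an integrity attribute value: <alg>-<base64 of the raw digest>."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def usable_tokens(attr):
    """Split an integrity attribute and keep tokens with a recognised algorithm."""
    tokens = [t.split("?", 1)[0] for t in (attr or "").split()]  # drop ?options
    return [t for t in tokens if t.split("-", 1)[0] in ALGS]


def integrity_matches(tokens, content: bytes) -> bool:
    """Browsers compare against the strongest algorithm listed, so do the same."""
    strongest = max((t.split("-", 1)[0] for t in tokens), key=ALGS.index)
    return sri_value(content, strongest) in tokens


class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # attribute dicts of <script> elements that have a src

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append(attrs)


def audit_page(html: str, page_url: str, served: dict) -> dict:
    """Map each script URL to a status; `served` holds the bytes now delivered."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).netloc
    report = {}
    for attrs in collector.scripts:
        url = urljoin(page_url, attrs["src"])
        tokens = usable_tokens(attrs.get("integrity"))
        cross_origin = urlparse(url).netloc != page_host
        if not tokens:
            report[url] = "missing-integrity"  # nothing stops a modified script
        elif cross_origin and "crossorigin" not in attrs:
            report[url] = "missing-crossorigin"  # SRI on cross-origin needs CORS
        elif integrity_matches(tokens, served[url]):
            report[url] = "ok"
        else:
            report[url] = "mismatch"  # the browser would refuse to run this
    return report


# --- Constructed sample: hypothetical shop page and CDN, not real hosts ---
CDN = "https://cdn.example/"
CART = b"function addToCart(id) { /* ... */ }\n"
CHECKOUT_PINNED = b"function pay(form) { form.submit(); }\n"
SERVED = {
    CDN + "cart.js": CART,
    CDN + "checkout.js": CHECKOUT_PINNED + b"// changed after the pin was made\n",
    CDN + "analytics.js": b"track();\n",
}
PAGE = f"""<html><head>
<script src="{CDN}cart.js" integrity="{sri_value(CART)}" crossorigin="anonymous"></script>
<script src="{CDN}checkout.js" integrity="{sri_value(CHECKOUT_PINNED)}" crossorigin="anonymous"></script>
<script src="{CDN}analytics.js"></script>
</head><body></body></html>"""


def audit_sample() -> dict:
    return audit_page(PAGE, "https://shop.example/checkout", SERVED)


if __name__ == "__main__":
    for url, status in audit_sample().items():
        print(f"{status:20} {url}")
```

A "mismatch" result means the served file no longer matches what was reviewed and pinned, which is the condition the integrity attribute makes the browser enforce.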
The internet of things (IoT) and the data it generates was the second most impactful trend on security practitioners in 2019, according to the Security Industry Association (SIA) 2019 Security Megatrends report. The growth of IoT is nothing short of manic and difficult to predict. Research firm Statista estimates there will be between 6.6 billion and 30 billion internet-connected devices in 2020, a range too large to be helpful.
The threat IoT poses has been front of mind in 2019 for most organizations. The Marsh Microsoft 2019 Global Risk Perception Survey found that 66% of respondents saw IoT as a cyber risk; 23% rated that risk “extremely high.” “These IoT devices are soft targets for adversaries because they are often unpatched and misconfigured, and they're ‘unmanaged’ because they don't support endpoint security agents,” says Phil Neray, vice president of industrial cybersecurity at CyberX. “As a result, they can easily be compromised by adversaries to gain a foothold in corporate networks, conduct destructive ransomware attacks, steal sensitive intellectual property, and siphon computing resources for DDoS campaigns and cryptojacking.”
CyberX’s 2020 Global IoT/ICS Risk Report breaks down the most common security gaps that make IoT devices vulnerable over the past 12 months. It shows significant improvement in a few areas. Remotely accessible devices dropped 30 percentage points with the vulnerability found on 54% of surveyed sites. Direct internet connections also fell from 40% to 27%.
On the downside, outdated operating systems were found at 71% of the sites versus 53% the previous year, and 66% of the sites failed to do automatic antivirus updates compared to 43% the previous year.
What to expect in 2020: Neray sees the risk from exposed IoT devices increasing in 2020 as the number of connected devices increases and “the motivation and sophistication of nation-state adversaries and cybercriminals increases.” Industrial environments such as energy utilities, manufacturing, chemicals, pharmaceuticals and oil and gas will especially be at risk, he says. “These compromises can lead to even more serious consequences including costly plant downtime, threats to human safety and environmental incidents.”
Neray identifies building management systems (BMS) as a prime target for attackers. “They're typically deployed by facilities management teams with minimal expertise in security, often unknowingly exposed to the internet, and typically not monitored by corporate security operations centers (SOCs).”
Best advice for 2020: Neray advises companies to follow a multi-layered defense-in-depth strategy incorporating:
Stronger network segmentation
Restricted remote access to industrial control networks by third-party contractors with strong access controls such as 2FA and password vault
Agentless network security monitoring to rapidly detect and mitigate IoT attacks before adversaries can blow up or shut down their facilities.
Ultimately, the best defense depends more on organizational than on technical approaches. “In the TRITON attack on the safety systems of a petrochemical facility in Saudi Arabia, for example, one of the key deficiencies was that no one considered themselves ultimately responsible for the security of the industrial control network,” says Neray. “As a result, there were serious lapses in security monitoring and no one checked that the firewalls in the DMZ had been properly configured by the outsourced firms that installed them. Our advice for CISOs is to step up to the plate and take ownership of IoT and OT security and treat IoT and OT security in a holistic manner alongside IT security, integrated into your SOC workflows and security stack.”
Let’s end this list with some good news: Cryptomining attacks are expected to decline in 2020. Although cryptomining attacks did not make the most-frequent list for either enterprises or SMBs on Kaspersky’s IT Security Economics in 2019 report, they proved costly for enterprises in 2019. The average financial impact for them was $1.62 million.
What to expect for 2020: Cryptomining incidences rise or fall with cryptocurrency values, but the ease with which attackers can execute a cryptojacking scheme means this threat will persist through 2020. “Mining has been steadily declining throughout 2019 and we do not see any reason for this tendency to change,” says Galov. “Cryptomining has become less profitable, not without the influence of cryptocurrencies that have taken the fight against this threat.”
Best advice for 2020: Use a security solution that detects cryptomining threats and keep an eye out for spikes in cryptocurrency values, which will encourage more cryptojacking attacks.
Artificial intelligence (AI) has become integral to practically every segment of the technology industry. It’s having an impact on applications, development tools, computing platforms, database management systems, middleware, management and monitoring tools—almost everything in IT. AI is even being used to improve AI.
What changes in core AI uses, tools, techniques, platforms, and standards are in store for the coming year? Here is what we’re likely to see in 2020.
AI hardware accelerators have become a principal competitive battlefront in high tech. Even as rival hardware AI chipset technologies—such as CPUs, FPGAs, and neural network processing units—grab share in edge devices, GPUs will stay in the game thanks to their pivotal role in cloud-to-edge application environments, such as autonomous vehicles and industrial supply chains.
Nvidia’s market-leading GPU-based offerings appear poised for further growth and adoption in 2020 and beyond. However, over the coming decade, various non-GPU technologies—including CPUs, ASICs, FPGAs, and neural network processing units—will increase their performance, cost, and power efficiency advantages for various edge applications. With each passing year, Nvidia will draw more competition.
Industry-standard AI benchmarks will become a competitive battlefront
As the AI market matures and computing platforms vie for the distinction of being fastest, most scalable, and lowest cost in handling these workloads, industry-standard benchmarks will rise in importance. In the past year, the MLPerf benchmarks took on greater competitive significance, as everybody from Nvidia to Google boasted of their superior performance on these. In 2020, AI benchmarks will become a critically important go-to-market strategy in a segment that will only grow more commoditized over time. As the decade wears on, MLPerf benchmark results will figure into solution providers’ positioning strategies wherever high-performance AI-driven capabilities are essential.
AI modeling frameworks will converge on a two-horse race
AI modeling frameworks are the core environments within which data scientists build and train statistically driven computational graphs. In 2020, most working data scientists will probably use some blend of TensorFlow and PyTorch in most projects, and these two frameworks will be available in most commercial data scientist workbenches.
As the decade proceeds, the differences between these frameworks will diminish as data scientists and other users value feature parity over strong functional differentiation. By the same token, more AI tool vendors will provide framework-agnostic modeling platforms, which may offer a new lease on life for older frameworks in danger of dying out. Accelerating the spread of open AI modeling platforms is industry adoption of several abstraction layers—such as Keras and ONNX—that will enable a model built in one framework’s front-end to be executed in any other supported framework’s back-end.
By the decade’s end, it will become next to irrelevant which front-end modeling tool you use to build and train your machine learning model. No matter where you build your AI, the end-to-end data science pipeline will automatically format, compile, containerize, and otherwise serve it out for optimal execution anywhere from cloud to edge.
SaaS-based AI will reduce enterprise demand for data scientists
This past year saw the maturation of machine learning as a service offerings from AWS, Microsoft, Google, IBM, and others. As this trend intensifies, more business users will rely on cloud providers such as these to supply more of their AI requirements without the need to maintain in-house data science teams. By the end of 2020, SaaS providers will become the predominant suppliers of natural language processing, predictive analytics, and other AI applications, as well as platform services and devops tooling. Those enterprises that maintain in-house AI initiatives will automate data scientist jobs to a greater degree, thereby reducing the need to hire new machine learning modelers, data engineers, and ancillary positions. Over the decade, most data scientists will find gainful employment primarily with SaaS and other cloud providers.
Enterprise AI will shift toward continual real-world experimentation
Every digital business transformation initiative hinges on leveraging the best-fit machine learning models. This requires real-world experimentation in which AI-based processes test alternative machine learning models and automatically promote those that achieve the desired result. By the end of 2020, most enterprises will implement real-world experiments in every customer-facing and back-end business process. As business users flock to cloud providers for AI tooling, capabilities such as those recently launched by AWS—model-iteration studios, multi-model experiment tracking tools, and model-monitoring leaderboards—will become standard in every 24x7 AI-based business application environment. Over the decade, AI-based automation and devops capabilities will spawn a universal best practice of lights-out AI-based business process optimization.
AI will automate AI developers’ core modeling function
Neural networks are the heart of modern AI. In 2020, an AI-driven methodology called neural architecture search will come into enterprise data scientists’ workbenches to automate the practice of building and optimizing neural networks for their intended purposes. As neural architecture search gains adoption and improves, it will boost data scientists’ productivity by guiding their decisions regarding whether to build their models on established machine learning algorithms, such as linear regression and random forest algorithms—or on any of the newer, more advanced neural-network algorithms. As the decade proceeds, this and related approaches will enable continuous AI devops through end-to-end pipeline automation.
AI-driven conversational user interfaces will eliminate the need for hands-on in most apps
AI-based natural language understanding has become astonishingly accurate. People are rapidly going hands-free on their mobiles and other devices. As conversational user interfaces gain adoption, users will generate more text through voice inputs. By the end of 2020, more user texts, tweets, and other verbal inputs will be rendered through AI-driven voice assistants embedded in devices of every sort. Throughout the decade, voice assistants and conversational UI will become a standard feature of products in every segment of the global economy, with keyboards, keypads, and even on-screen, touch-type interfaces diminishing in usage.
Chief legal officers will mandate end-to-end AI transparency
AI is becoming a more salient risk factor in enterprise applications. As enterprises confront an upswell in lawsuits over the socioeconomic biases, privacy violations, and other unfortunate impacts of AI-driven applications, chief legal officers will demand a complete audit trail that reveals how the machine learning models used in enterprise apps were built, trained, and governed.
By the end of 2020, chief legal officers in most enterprises will require that their data science teams automatically log every step in the machine learning pipeline while also generating a plain-language explanation of how each model drives automated inferencing. As the decade proceeds, a lack of built-in transparency will become a predominant factor in denying AI project funding.
Finally, we can safely assume that calls for regulation of AI-based capabilities in all products—especially those that use personally identifiable information—will grow in the coming years. Apart from the growing emphasis on AI devops transparency, it’s too early to say what impact these future mandates will have on the evolution of the underlying platforms, tools, and technologies.