2020 Prediction Contributors: Morey Haber, CTO/CISO at BeyondTrust and Christopher Hills, Sr. Solutions Architect, Office of the CTO at BeyondTrust
It’s possible that the earliest security predictions began on that old medium known as “print”, but that medium’s notoriously poor search capabilities mean the answer remains elusive. One thing’s for certain, the practice of security predictions has evolved over the years to now showcase a diversity of flavors that range from the practical and scientific to the fanciful. While some security soothsayers “predict” trends that are already well underway and established, others seem to rely on the cyber-equivalent of water-witching sticks to issue wild prophecies.
What does BeyondTrust presage for 2020?
A confluence of factors means 2020 is primed for the breakout of some spectacular new threat vectors as well as the re-emergence of some old threat vectors that present new wrinkles. We also provide 5-year cyber threat predictions that highlight emerging technologies and tectonic tech shifts that will have profound implications for securing the businesses of the future, upending some of today’s standard security practices.
The Death of Traditional Software Piracy, The Rise of Malware Auto-Updates
Just over 10 years ago, the Internet was riddled with Warez, keygen (key generators), and pirated software websites. It was easy to find versions of your favorite operating systems, applications, and tools with cracked versions and license keys that operated under the guise of being free—even though they were illegal and probably infected with malware.
With the paradigm shift to the cloud and application stores, many of these popular applications have disappeared from Warez sites, resulting in a welcome decrease in malware-infected applications downloaded by users. So, threat actors have concocted new attack methods. Since many of the cloud-based applications auto-update, cybercriminals are now targeting cloud-based update mechanisms. The attack techniques employed include man-in-the-middle attacks, spoofed DNS, stolen keys, and even compromising cloud accounts to infect applications and auto-update unsuspecting end users with malware.
Since the vast majority of users unreservedly trust the auto-update mechanisms of their applications, they are oblivious to the threats when their cloud connection is compromised. In 2020, this topic will command headlines as high-profile applications and operating systems are exploited by these cunning emerging threats.
Reruns of Old CVEs
January 2020 will usher in the end of life of Windows Server 2008 R2 and Windows 7. With millions of devices still running these operating systems, a myriad of vulnerabilities will continue to exist unless they are patched, or the operating systems are replaced. Microsoft is unlikely to patch any new Critical vulnerabilities, which will pose an unacceptable risk to many organizations. Vulnerability reports will document these assets as running an end-of-life operating system with aging vulnerabilities. These make for an easy asset attack vector for threat actors, and this will be especially true for new vulnerabilities that have no remediation path after January 2020.
To that end, vulnerabilities uncovered years ago will return to the cyber spotlight because of active exploitation and their age. This will make an old CVE a “new” threat. And, since it is costly and potentially technically difficult to replace some of these end-of-life operating systems, 2020 will experience threat actors actively assailing these systems since they present the lowest hanging fruit in many organizations for exploitation.
Identity-Theft Royal Flush – Owning Every Account an Individual Owns
For the last several years, we have witnessed a surge of privileged attack vectors. A typical modus operandi involves threat actors compromising accounts to gain a foothold, then engaging in lateral movement, and then compromising additional assets and accounts via stolen credentials. The end goal varies—from the exfiltration of sensitive data to gaining a persistent presence or causing business disruption. The year 2020 is expected to showcase more of this, but there will be an additional component of lateral movement that security professionals need visibility into: account-to-account lateral movement that compromises a user’s entire identity.
As threat actors refine their strategies, they will begin to target all the accounts associated with an identity (human or non-human) and impersonate users via DeepFake technology. This will be characterized not only by DeepFake email and SMS messages, but also by a distinct rise in sophistication that entails DeepFake phone calls with spoofed accents and vocal patterns, social media hijacking, and even biometric hacking based on data that has already been compromised. Put bluntly, identity theft will occur through malicious artificial intelligence software used to impersonate an identity in novel ways we have not yet even conceived.
An Election on the Edge of Cybersecurity
It matters not whether you are Republican, Democrat, Libertarian, Green Party, an Independent—or even unable to participate in the U.S. elections—the potential for election hacking has implications for everyone.
The votes in the next major U.S. elections will most likely be tabulated and recorded by a person, by voting precinct, by county, and by state. At each step in the voting process, paper and electronic systems will record our votes, which will be stored in secure systems to tally who our next president and regional government officials will be. This is a contentious election cycle. Considering all the previous allegations regarding voter fraud and foreign government hacking of our electoral system, as well as old school paper ballot issues (e.g., hanging chads), the 2020 United States election will doubtlessly prove to be one for the record books—and potentially one to dread.
While data loss security incidents tend to dominate news cycles, election security helps to really bring the critical issue of data integrity into focus. For the upcoming election, it’s not a matter of who actually wins, but rather whether or not the votes, storage, and tallying of the populace’s opinion have been tampered with, altered, hacked, or degraded in any fashion that will make headline news and cast doubt on the integrity of the entire process. This will be true regardless of whether or not threat actors or foreign governments truly succeed in altering the outcome of the United States electoral process.
Ethical hackers have already demonstrated at cybersecurity conferences the vulnerability of electronic voting systems. The risks of voter fraud, through electronic hacking, will be a top news story in 2020. The issue will particularly be stirred up by those individuals who find themselves at the losing end of the final ballot numbers. If the U.S. presidential race is close, hacking will become the center of attention and cybersecurity forensics will be required to prove, or disprove, whether or not a threat actor truly succeeded in altering the election. This will also play out in congressional races and other down-ticket offices, potentially undermining leadership for our next slate of elected representatives. We will all be waiting breathlessly long after the final vote has been tallied to learn if the vote integrity, and security, has been upheld.
The Next Five Years
The End of End-User Passwords
There is a push by major operating system and software application vendors to remove the dependency on passwords for end-users. Authentication techniques—from biometrics to keyboard pattern recognition—have proven reliable enough to make this a reality. In the next five years, expect to see these techniques go mainstream and gain corporate acceptance. The average non-IT end user will no longer require a password for routine computing. However, expect credentials and passwords for privileged accounts and legacy systems to stick with us for at least 10 more years.
The Rise of Next-Gen Processors
Microprocessors based on x86 and x64 technology are beginning to show their age. While we can expect them to persist for the next 20 years, ARM-based computers and tablets are on the rise. Next-generation versions of Windows and macOS are rumored to already be running on ARM. These processors herald a tidal shift in terms of security, power, and even performance. In the next 5 years, expect the shift from legacy CPU architectures to ARM. The benefits of security protection strategies, as in ChromeOS, will become more mainstream as they operate on these next-gen processors. We will require new security solutions to protect against the unique characteristics inherent in these new devices as threat actors learn to leverage them.
Facial Recognition-Based Transactions
Overseas, there was a recent demonstration of a vending machine authorizing a transaction strictly based on facial recognition technology. In addition, major airlines in the United States have been experimenting with facial recognition to authorize boarding passes versus paper, photo ID, and even passports. While this technology is still relatively immature, it shows substantial promise. It also has the potential to introduce extraordinary new security risks and data privacy concerns.
Within the next 5 years, expect facial recognition technology to mature and be available in our daily lives. This technology will also provide the basis for many password-less authentication techniques as discussed above. However, using facial recognition technologies as a means of authentication or authorization presents vexatious cyber risk and data privacy concerns that will need to be addressed before it is widely used around the world. This includes how to securely store and process facial biometrics, how images are linked to individuals, and most importantly, how to reconcile identity conflicts when identical twins or family members can be used to spoof this technology.
Cloud Security and Landscape
I know we bludgeon the cloud angle to death, but the ever-popular cloud-based architecture and modeling will continue to grow. The cloud market continues its massive expansion with more demands for availability, scalability, and security. Over the next five years, cloud offerings will double, even triple, what they are today.
Inevitably, we will witness an uptick in cloud-based threat vectors and the need for stronger security baked into cloud offerings. Cybercriminals will continue to invest focus and resources in leveraging cloud-based threat vectors since the environment is still fluid and evolving, which increases success in finding security gaps and targeting data at scale.
We foresee demand for technologies that secure cloud-based assets, cloud-based identities, cloud-based keys, and all other aspects of cloud continuing to ramp up over the next 5 years.
Cybersecurity predictions are more than just a fun exercise. The more CISOs and other IT staff understand the security implications of evolving technologies, the better prepared they are to make the right investments for their business. It’s the difference between being proactive versus reactive, and having a security approach that enables new technologies and business opportunities, versus one that clamps down on them.
About the Author
With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing privileged access management, remote access, and vulnerability management solutions, and BeyondTrust’s own internal information security strategies. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.