Three cybersecurity predictions for 2018, according to Twitter

On December 12th, I moderated the #securityinsiderchat on Twitter, where more than twenty cybersecurity experts gathered to discuss their predictions for 2018. It’s always a pleasure and a privilege to learn from a diverse gathering of people and to read their ideas over the course of nearly 300 tweets. Plus, it’s an excellent opportunity to post animated cat gifs in the context of work.

Three major themes emerged during the hour-long chat:

We’re going to see more end-user cybersecurity training.

A common theme across numerous Twitter chats I’ve participated in and moderated during 2017 was the need to train end users to reduce the number of unintentional cybersecurity mistakes in the workplace. How often that training happens, and what form it takes, will differ from vendor to vendor as training content providers work to differentiate their products in an increasingly crowded marketplace. However, buying training alone will continue to be insufficient. Users from the boardroom to the mailroom need to have a sense of shared ownership of, and responsibility for, securing their organization’s assets. Organizations that get this right will suffer fewer breaches rooted in unintentional mistakes, such as disclosures of privileged credentials, business email compromise fraud, and ransomware attacks.

Consider the 2014 breach of JP Morgan Chase. A privileged administrator fell for a phishing campaign and gave up their password for a server on the network. That server did not have Multi-Factor Authentication (MFA) enabled, so the password alone was enough to log in. With a single password and a single configuration gap, the attackers were able to steal information related to 76 million households and 7 million small businesses.

Administrators who don’t move to short-lived systems will spend most of their time patching.

Sumo Logic’s Vice President, George Gerchow, dropped a bomb when he said organizations should “[q]uit patching, move to immutable images as fast as possible while getting rid of legacy dependencies.” George’s point was that cloud-based organizations can deploy short-lived virtual machines or containers that have a lifetime of a day or less and are launched from a continuously updated master image. Patches are applied once, to the image, and reach the fleet when running instances are replaced rather than by patching each system in place, so the organization only has a small set of images to maintain. This is a future-looking architecture, and newer organizations should be able to adopt this mentality.

Unfortunately, organizations with even a small amount of history are inevitably going to have legacy systems. Given the current cadence of patches provided by vendors, a legacy system may soon be defined as any system that has existed for more than a month. Administrators of these systems will need to pick one of three unpalatable options: the long, tiresome, and repetitive work of deploying software updates on a nearly continuous basis; patching less frequently and thereby risking pulling an Equifax; or purchasing and implementing automated software to handle the constant stream of updates. On a positive note, the frequency of patches should help validate disaster recovery plans, as systems will need to be rebooted far more regularly.
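The immutable-image model described above is a policy rather than a product: every instance is either running the current master image or it is scheduled for replacement, and nothing is patched in place. The following is an added example, not code from the post or from Sumo Logic, of the reconciliation check an operator would run against a fleet inventory. It assumes a hypothetical inventory with an instance ID, the digest of the image it was launched from, and a UTC launch time; the 24-hour lifetime, the `max_batch` rolling-replacement cap, and the sample fleet are all constructed for illustration.

```python
"""Decide which fleet members must be recycled under an immutable-image policy.

Added example (not from the original post). Field names, the 24-hour lifetime,
and the sample fleet below are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Instance:
    instance_id: str
    image_digest: str      # digest of the master image the instance was launched from
    launched_at: datetime  # UTC launch time


MAX_LIFETIME = timedelta(hours=24)  # assumed fleet-wide ceiling on instance age


def recycle_plan(fleet, current_digest, now, max_lifetime=MAX_LIFETIME, max_batch=None):
    """Return {instance_id: reason} for every instance that must be replaced.

    An instance is replaced when it was launched from an image other than the
    current master image (a patch was folded into a new image) or when it has
    outlived the fleet's maximum lifetime. Remediation is always replacement,
    never an in-place patch. Stale-image instances are ordered first, then by
    age (oldest first); `max_batch` caps how many are replaced in one pass so a
    new image does not take the whole fleet down at once.
    """
    candidates = []
    for inst in fleet:
        age = now - inst.launched_at
        if inst.image_digest != current_digest:
            reason = f"stale image {inst.image_digest[:19]} (current {current_digest[:19]})"
            candidates.append((0, -age.total_seconds(), inst.instance_id, reason))
        elif age > max_lifetime:
            reason = f"age {age} exceeds {max_lifetime}"
            candidates.append((1, -age.total_seconds(), inst.instance_id, reason))
    candidates.sort()  # priority, then oldest first (ages are negated)
    if max_batch is not None:
        candidates = candidates[:max_batch]
    return {iid: reason for _, _, iid, reason in candidates}


# Constructed sample data: one current master image and one superseded image.
NOW = datetime(2018, 1, 15, 12, 0, tzinfo=timezone.utc)
GOLDEN = "sha256:" + "a" * 64
OLD = "sha256:" + "b" * 64

SAMPLE_FLEET = [
    Instance("web-01", GOLDEN, NOW - timedelta(hours=2)),    # current image, fresh: keep
    Instance("web-02", GOLDEN, NOW - timedelta(hours=30)),   # current image, but past lifetime
    Instance("web-03", OLD, NOW - timedelta(hours=1)),       # fresh, but launched from old image
    Instance("legacy-db", OLD, NOW - timedelta(days=400)),   # the legacy box nobody rebuilt
]


if __name__ == "__main__":
    for iid, reason in recycle_plan(SAMPLE_FLEET, GOLDEN, NOW).items():
        print(f"replace {iid}: {reason}")
    print("next batch of 2:", list(recycle_plan(SAMPLE_FLEET, GOLDEN, NOW, max_batch=2)))
```

Note what the check does not offer: `legacy-db` is flagged like any other instance, but the plan can only replace it if a current image exists that actually runs the workload. That is the gap the paragraph above is pointing at, and it is why "getting rid of legacy dependencies" is part of the same sentence as "move to immutable images."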

Organizations whose core competency is not security will need to turn to experts.

Companies are currently struggling with a lack of qualified personnel for cybersecurity roles. Part of this is because while certifications are good for getting jobs, they’re not so useful for doing the actual work. There’s also an unfortunate lack of diversity in cybersecurity, both in terms of gender and in terms of desirable college degrees, whether by unconscious bias or by deliberate hiring requirements. Companies that continue to try to hire from this small field will see market economics at work firsthand, as too many companies try to recruit too few ideal candidates.

Consequently, there will be an increase in the number of expert firms and managed services to address the underlying knowledge gap at organizations that can’t afford the going market rate. These providers may include consulting firms, managed service companies, outsourced security operations centers, training companies, and red teams. These third parties will help companies to identify risks earlier and develop mitigation strategies for organizations whose business differentiator is not cybersecurity. This will be no different from the use of specialized marketing firms or accounting firms to supplement an organization’s internal resources.


The underpinning for these three predictions is the fact that cybercriminals will continue to invest in developing new cyberweapons and attack infrastructure to make illicit profits in 2018. We’ll continue to see the threat worsen until organizations remove the profit incentive for criminals, or at least make it prohibitively expensive for them to operate.
