Three cybersecurity predictions for 2018, according to Twitter

On December 12th, I moderated the #securityinsiderchat on Twitter, where more than twenty cybersecurity experts gathered to discuss their predictions for 2018. It’s always a pleasure and a privilege to learn from a diverse gathering of people and to read their ideas over the course of nearly 300 tweets. Plus, it’s an excellent opportunity to post animated cat gifs in the context of work.

Three major themes emerged during the hour-long chat:

We’re going to see more end-user cybersecurity training.

A common theme across numerous Twitter chats I’ve participated in and moderated during 2017 was the need to train end users to reduce the number of unintentional cybersecurity mistakes in the workplace. The frequency and variety of this training will vary as the training content providers work to differentiate their products in an increasingly crowded marketplace. However, buying training alone will continue to be insufficient. Users from the boardroom to the mailroom need to have a sense of shared ownership and responsibilities in securing their organization’s assets. Organizations that get this right will suffer fewer unintentional breaches, such as disclosures of privileged credentials, business email compromise fraud, and ransomware attacks.

Consider the 2014 breach of JP Morgan Chase. A privileged administrator fell for a phishing campaign and gave out their password for a vulnerable machine on the network. That machine did not have Multi-Factor Authentication (MFA) enabled. With a single password and a single configuration error, the attackers were able to steal information related to 76 million households and 7 million small businesses.

Administrators who don’t move to short-lived systems will spend most of their time patching.

Sumo Logic’s Vice President, George Gerchow, dropped a bomb when he said organizations should “[q]uit patching, move to immutable images as fast as possible while getting rid of legacy dependencies.” George’s point was that cloud-based organizations can deploy short-lived virtual machines or containers that have a lifetime of a day or less and are deployed based on a continuously updated master image. This removes the requirement for organizations to patch multiple systems, as there’s only a small set of images that need to be maintained. This is a future-looking architecture, and newer organizations should be able to adopt this mentality.

Unfortunately, organizations with even a small amount of history are inevitably going to have legacy systems. Given the current cadence of patches provided by vendors, legacy systems may soon be defined as any system that’s existed for more than a month. Administrators of these systems will face three unpalatable options: the long, tiresome, and repetitive task of deploying software updates on a nearly continuous basis; implementing patches less frequently and thereby risking pulling an Equifax; or purchasing and implementing automated software to handle the constant stream of updates. On a positive note, the frequency of patches should help validate disaster recovery plans, as systems will need to be rebooted on a far more regular basis.

Organizations whose core competency is not security will need to turn to experts.

Companies are currently struggling with a lack of qualified personnel for cybersecurity roles. Part of this is because while certifications are good for getting jobs, they’re not so useful for doing the actual work. There’s also an unfortunate lack of diversity in cybersecurity, both in terms of gender and in terms of desirable college degrees, whether by unconscious bias or by deliberate hiring requirements. Companies that continue to try to hire from this small field will see market economics at work firsthand, as too many companies try to recruit too few ideal candidates.

Consequently, there will be an increase in the number of expert firms and managed services to address the underlying knowledge gap at organizations that can’t afford the going market rate. These providers may include consulting firms, managed service companies, outsourced security operations centers, training companies, and red teams. These third parties will help organizations whose business differentiator is not cybersecurity to identify risks earlier and develop mitigation strategies. This will be no different from the use of specialized marketing firms or accounting firms to supplement an organization’s internal resources.

The underpinning for these three predictions is the fact that cybercriminals will continue to invest in developing new cyberweapons and attack infrastructure to make illicit profits in 2018. We’ll continue to see the threat worsen until organizations remove the profit incentive for criminals, or at least make it prohibitively expensive for them to operate.