Next Year Security Predictions, Again?

So years ago I was a big fan of doing (and reading) security predictions and did them pretty religiously every year (for example 2007, 2008, 2011). Apart from most other “predictioneers”, I’d actually check how I did next year (2007, 2008, 2010 checked). BTW, in January 2020 I plan to write a blog post that checks my 2010 security prediction that aimed at 10 years in the future!

BTW, you may be curious why I stopped doing them? Well, because I saw a very clear pattern emerge: if you are boring (“Windows 2003 attacks will continue unabated”), you are often correct. If you are exciting (“Sex robots will kill people”), you end up wrong — and also become a laughing stock of the community. All in all, the Feynman principle killed all the fun of predicting for me back in 2011. Put differently, betting against the Amara Law (i.e. predicting that new technology will NOT have an impact in the short term) is a winning — but boring — prediction recipe.

Now, it so happened that I got suckered into doing predictions again. Working together with Brandon Levene here, here is what we cooked up (reposted from Chronicle blog, with some edits for clarity and voice)

Brandon Levene, Head of Applied Intelligence, Chronicle

Global law enforcement will dedicate increased resources to combat crimeware

Crimeware is a more likely business threat than APT attacks, yet law enforcement has been unable to defend against it. Efforts have been limited by time and geography, giving crimeware operations time to adapt tools for maximum impact. In 2019, law enforcement began to coalesce around crimeware. From IC3 to Interpol, there was an increased frequency in crimeware reporting and counteroperations. In 2020, crimeware initiatives will improve. There will be better public, private sector collaboration to develop strategies to defend against it. Crimeware will become a priority instead of a side effort, and law enforcement capabilities to combat its impact and scope will improve.

Beware the rise of credential stuffing

2019 has seen 1,272 data breaches to date, exposing more than 163M records. Attackers have latched onto transactional data — social security numbers, phone numbers, personal addresses, medical records, etc — and will redouble their use of it in the coming year. In 2020, expect to see credential stuffing — automated login requests of breached username/password pairs in order to fraudulently gain access to user accounts across a multitude of websites — grow in frequency and commonality as an aftershock of data breaches. As more data becomes available for exploitation, credential stuffing will become a more viable method of monetization for attackers.

The rise of crypto crimeware

In October, the cryptocurrency market hit $253 billion. As the market continues to grow, attackers will target it, bringing a rise in crypto-related cybercrime in 2020. Expect a swell of crypto-specific crimeware in the year to come, including more miners, more wallets being targeted and stolen, and a rise in ransom demands in crypto.

Security will get more transparent

As enterprises shed legacy colocation tools, and continue to pursue cloud deployments of tools, security will follow suit. Security services and platforms will continue to migrate to the cloud, and a new paradigm of security will emerge. In 2020, the focus of security in cloud environments will shift to access management, monitoring, and proactive scanning in order to facilitate better, more secure cloud transitions.

Dr. Anton Chuvakin, Head of Security Solutions Strategy, Chronicle

Healthcare and state agencies will be hit the hardest

Healthcare and local governments are two of the most vulnerable industries, and there’s a good chance that the current ransomware epidemic (and other attacks) will continue to hit them hard. Between 2009 and 2018,there were 2,546 healthcare-related data breaches, exposing 190M records, while more than 40 municipalities fell victim to cyberattacks this year. These industries often lack effective security controls as they wrestle with low budgets and understaffed (and often under-skilled) IT teams, and attackers recognize them as low-hanging fruit. The 2018 Atlanta attack is the best example of this, as 1,500 and 2,000 security vulnerabilities were found in the city’s systems, allowing bad actors to deploy SamSam ransomware. Hospitals and municipalities aren’t prepared for last year’s threats, and they’ll continue to get hit with tried and true attacks, rather than more sophisticated threats.

As rapid cloud migration continues, there will be more cloud customer breaches

The public cloud services market is expected to grow to $250B by 2020. As cloud migration continues to accelerate, new risks have emerged, and some even originate from the past. Security teams are bringing outdated thinking to the cloud, trying to protect systems and technology as if they were on-premise. Legacy thinking manifests in many technology purchases and security practices. For example, 451 Research found that half of DevOps teams failed to incorporate application security into their CI/CD workflows. This allows some of the 1990 security issues like SQL injection to persist in 2020 IT environments. Security is seen to slow down the CI/CD process, yet web apps are one of the most popular attack vectors for malicious attackers. Legacy thinking will continue to be transferred to the cloud in 2020, creating critical security problems for organizations. In fact, it appears that some of the risky practices that have been outgrown in mature on-premise data centers have reappeared in cloud environments. Security “regress”! 🙁

Futuristic hacking won’t materialize

While advancements in attack techniques like malicious AI or side-channel attacks in the cloud have theoretically added variety to attackers’ playbooks, it’s unlikely we’ll see futuristic attacks hit you in 2020. Attackers look for the path of least resistance when it comes to targets, and they have enough in existing attack surfaces and emerging attack techniques — like cryptojacking and attacks vs the container ecosystem. Now, it is very possible that a novel attack technique will be used to hit a well hardened target, but it’s something neither enterprises nor SMBs will need to worry about. There’s enough to gain from existing ecosystems, and FUDy futuristic threats won’t materialize for most.

Geopolitical conflict will spur fragmentation in cloud

As geopolitical tension grows, seams of fragmentation in the digital universe are emerging and expanding. For example, some Chinese-made smartphones were blocked from using Google apps due to China-US trade conflict. In addition, Russia is creating its own sovereign internet, and China has been rumored to build its own operating system to replace U.S.-made operating systems nationwide. Some countries refuse to buy Russian anti-virus, while others balk at security tools that back-end to US cloud providers — and another batch won’t buy a Chinese firewall. A less extreme example is the European trend of pushing for more data sovereignty and data residence requirements. In 2020, these seeds of fragmentation will take root and the ramifications of geopolitical conflict will present itself in more IT and security markets, from security to cloud computing.


Next Year Security Predictions, Again? was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.


*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/next-year-security-predictions-again-995e58e8a07?source=rss-11065c9e943e------2