- Technology and Cyber Risk
The growing risk of credential compromise as a result of phishing attacks and credential stuffing (use of stolen credentials) means improved controls will likely emerge. Consumer products are starting to provide services that check passwords against those leaked in past breaches. We can expect to see this extend to enterprise products too in 2020. For example, this is already available in Azure Active Directory.
Speaking of phishing, an explosion in the volume and sophistication of phishing attacks is likely to drive improved security awareness culture campaigns as well as better technical controls particularly for mobile devices.
We may also see a phasing out of SMS-based multi-factor authentication in favour of device-based and app-based methods to counter rising cases of SIM-jacking.
77% of reported cyber incident breaches in Australia were as a result of compromised credentials. Half were due to phishing.OAIC – May 2019
Case study: End of Life for Windows XP
Just over 3 years after Windows XP went end of life in April 2014, the unsupported operating system was vulnerable to devastating WannaCry ransomware attacks. While Microsoft took the unusual step of issuing a patch, there’s no guarantee they would do it again.
Managing end of support
This year marks the end of support for a number of major operating systems including Windows 7 and Server 2008 on January 14th and Red Hat Enterprise Linux on November 30th. Other products such as Office 2010 and SharePoint Server 2010 are also reaching end of support on October 13th. It is critical that in cases where these products cannot be upgraded or decommissioned that mitigating controls are put in place as there will no longer be support for security patches.
47% of organisations still use Windows 7.Kaspersky – August 2019
Streamlining supplier compliance
Supply chain security risk will continue to grow as more cloud services are adopted. Proof of compliance from suppliers will only grow as increasingly required by regulators (such as APRA CPS 234). We will likely see new services pop up to standardise and streamline this need for assurance.
Also, as technology products continue to adopt industry standards, such as NIST, in their products, organisations should be looking to adopt these standards internally rather than setting different expectations with suppliers.
Global Public Cloud market revenue is forecasted to grow 82% to US$331 billion by 2022.Gartner – November 2019
Ramping up privacy control demands
There has been a noticeable shift in privacy concerns following a couple of damaging years on the privacy front, from massive data breaches to scandals including most notably with Cambridge Analytica. As a result, consumer products such as from Facebook and Google are increasing implementing more restrictive privacy controls and features. One such example is DNS over HTTPS (DoH) which will likely have big implications on web filtering and surveillance services. These changes will likely see a rise in demand for privacy controls across all manner of products and services through 2020.
Adoption of automation and AI
As attackers adopt Artificial Intelligence for more sophisticated attacks, inevitably defensive technologies will also need to adopt AI for automated detection and response. Emerging examples of AI-based offence methods include adaptive phishing campaigns, automated scanning and use of leaked credentials and use of deep-fakes to fool biometric identification (e.g. facial recognition). Defensive tools, particularly cloud-based ones, will likely respond by enhancing their offerings with more AI-driven detective and responsive capabilities.
Harmonising cloud tools and teams
As the IT landscape continues the march to the cloud, key decisions around security tooling and the security workforce may need addressing. This includes whether to integrate cloud-based security tools with on-premise or to extend on-premise tools to the cloud. Related to this is whether separate security teams should be specialised in cloud or cross-skilled in both on-prem and cloud security disciplines.
Key cyber security dates and events
1. Safer Internet Day on February 11th, Privacy Awareness Week in May and Stay Smart Online Week in October are great ways to promote awareness in your organisation. 2. Lookout for the launch of the Australian Government’s 2020 Cyber Security Strategy later this year. 3. The Open Banking regime will begin in Feb 2020 for the large banks and Jul 2020 for others. Planning is underway to expand to the energy sector.