It’s become an annual tradition here at VDA that we take a pause around this time of the year and think about what we might see in the year to come as it relates to cyber security. We do have some ideas for what to expect in the coming year, but first let’s look back and see what happened in relation to our last year’s predictions.
Last year we were hopeful that basic security precautions would become more commonplace, especially with device manufacturers. On this front, during 2018, one of the most interesting pieces of news that we saw was a new law passed by California making it the first state to mandate “reasonable” security features designed to prevent unauthorized access. These measures will hopefully include secure default passwords, and promoting security conscious choices. That’s pretty refreshing, really!
With that done, let’s move on to predictions for 2019!
IOT Vulnerabilities Will Continue To Be A Problem
Two of our consultants (Michael and Greg) mentioned that they foresee IOT-related security issues continuing to be a problem in 2019. This is primarily due to two factors – the exponential increase in connected devices, and the adoption of 5G networking technology increasing the number of devices directly connected to the internet. Those factors combined bring about much more attack surface area than there has ever been in the past. Add to that the generally older-style (C, C++) coding that is prevalent on embedded devices, and you have a recipe for exploitation.
Many IOT device manufacturers favor speed of development and feature sets over baking in security. IOT devices can also have other wireless functionality such as Zigbee and Z-Wave – and are those protocols perfectly secure? There are no standards for security in IOT devices, aside from the “reasonable” standard just created by California (mentioned above), so showing due diligence when it comes to securing the devices and equipment produced or owned by your organization is increasingly important. You might want to hire an experienced IOT penetration testing group like VDA to assess your devices if you have any questions on that front.
Individual Account Security Is More Important Than Ever
As businesses move to the cloud, their attack surface extends beyond the traditional “network perimeter”. This expansion to distributed domains means that items like file storage, intranets, CRMs, and more become accessible anywhere in the world – in some cases using federated login tied to an SSO provider like Google OAuth. All of this can be great for productivity, but unfortunately it also means that critical information could be only one compromised account away from being breached. VDA team members Michael and Jared both noted that attacks against cloud-based services will continue to rise, ratcheting up the threats faced by organizations with cloud or hybrid infrastructure. Greg also highlighted weak passwords, which affect cloud services too, as a continued problem for 2019.
The only way to mitigate these threats is to combine Multi Factor Authentication with good user awareness training – even 2FA tokens can be phished.
Regulatory Pressure Continues To Build
Over the past few years governments have continued to scrutinize information security practices and are beginning to move towards enacting regulations to change them. The GDPR law in the European Union, for example, went into effect during 2018 and there are suits pending against tech giants Facebook and Google. While it remains to be seen what effect the GDPR itself will have on security, in 2019 there will be more scrutiny than ever on organizations like Facebook as we consider what data these tech giants have collected on us as individuals and how they are using (or misusing) it. Both Nick and John think this will be an area to watch over the next year.
Cyber Crime Continues To Evolve
During 2018 we saw lots of interesting trends relating to cyber crime in our day-to-day work. Whether it’s malware that has some new tricks, or techniques for phishing that we have not seen before, cyber criminals are constantly upping their tradecraft. During 2018 one interesting case was the Mealybug group, which essentially built a business on providing malware delivery services to other malicious actors. Mealybug is the group behind the famous Emotet custom malware that was previously used to target banking customers in Europe, and VDA recently helped a customer that ran into one of their wares in the wild.
Mealybug offers various malware services, but their bread and butter is being a delivery service for other threat groups. The business model looks something like this: I need my malware to be delivered en masse to a group of people or a company. That is Mealybug’s specialty, so I use their delivery service and give them a cut of the profits from the bitcoin ransom that the company pays out.
VDA Engineers James and Matt view this trend of malicious threat actors working together as one of the scary trends that will continue to play out in 2019.
More Great Customers
The team members at VDA are looking forward to continuing our work of providing expert level security services to our clients. We are very grateful that there are other people and organizations out there that care about moving the ball forward when it comes to increasing security, and we are excited about doing our part! Cheers to 2019! May you all have the very best.