The cybercrime underground is not known for playing by the rules. So we can’t expect it to follow the Gregorian calendar in terms of new black hat trends. Nevertheless, the end of another 12 months is as good a time as any to take stock.
It’s clear that organisations are investing ever greater sums in cloud-based systems to spur digital transformation. Gartner claims worldwide spending on public cloud will grow 17.5% this year, for example. Yet at the same time, investments in security technology, processes and training may not be keeping up. Just 10% of European and US firms are “cyber ready”, according to insurer Hiscox. This is a concern. As predicted, IoT threats, fileless malware, supply chain risk and skills shortages have all soared this year. And the regulators have shown they’re ready to fine big if firms are letting their customers down.
So what can we say about 2019? Here are my top five takeaways:
The shared responsibility dilemma
Organisations appear to be getting more confident about cloud security. A recent Barracuda Networks poll of 850 global security professionals found that 44% believe cloud deployments are as secure as on-premises environments, with 21% claiming they’re even more secure. What’s more, 60% said they are “fairly” or “very” confident that their organisation’s use of cloud technology is secure.
It’s great they feel this way. But according to the shared responsibility model, cloud risk must be managed by both provider and customer. It’s somewhat reassuring, therefore, that the same respondents highlighted concerns around compliance and visibility, and said they were reluctant to host highly sensitive data like customer information (53%) and internal financial data (55%) on cloud servers. There’s clearly a better understanding that although the underlying infrastructure may be secure, work is still required to improve data security on top of this.
Human error becomes a major problem
As organisations build out their cloud infrastructures, complexity increases. According to IBM, 85% of them now use multi-clouds. This multiplicity of heterogeneous vendors and systems, plus complex policies on access management, makes it increasingly difficult for cloud customers to fulfill their end of the shared responsibility model. Inevitably, human error has led to serious data leaks over the past year, from a huge variety of organisations.
The more concerning news is that these leaks are increasingly morphing into full-scale breaches as hackers realise just how easy it is to find and exploit exposed cloud servers. Hackers demanded ransoms from a Mexican bookstore, after it exposed over two million customer records online in a MongoDB database, and from a major hotel chain. Meanwhile, a misconfigured web application firewall (WAF) running on AWS led to the breach of 100 million customers and applicants of US bank Capital One.
Email is still critical
While threats targeting next-generation digital systems are on the rise, the old favourites remain popular. Email was still the number one threat vector in 2019 and is likely to remain that way for some time. Some 82% of global IT security pros polled by Barracuda Networks earlier this year said they’d faced email attacks over the previous 12 months, and three-quarters (74%) said these attacks are having a direct business impact in the form of lost productivity (48%), downtime (36%), damage to IT reputation (28%) and recovery costs (20%).
Social engineering continues to be at the heart of the problem for organisations, enabling BEC and phishing attacks — the latter leading to information theft or installation of ransomware, banking trojans and other threats. Despite rising spending levels, the report found that few firms were investing in advanced tooling such as automated incident response, dedicated spear-phishing protection and tools to prevent account takeover.
C-suite under fire
Increasingly in 2019, these social engineering attacks were targeted at senior executives. This makes sense: time-poor C-suite members are arguably more likely to click through on phishing emails and their accounts are highly prized by attackers.
According to Verizon’s most recent Data Breach Investigations Report, senior executives are 12 times more likely to be the target of social engineering incidents, and nine times more likely to be the target of social breaches than in previous years. This makes it more important than ever to include executives and their assistants in staff security awareness programmes.
Credential stuffing super-charges account takeover
Account takeovers (ATOs) are often facilitated by phishing attacks designed to harvest log-ins. But an increasingly popular tactic in 2019 was credential stuffing. Hackers simply buy large sets of log-in data on the dark web and feed it into automated scripts to try the same passwords on a range of other sites. Because we often tend to reuse passwords, some of them work, unlocking potentially lucrative accounts.
In the corporate sphere, an ATO could be the first stage in a data breach. Alternatively, it could facilitate a BEC attack, if the compromised account of a C-suite exec is used to trick a finance department employee into wiring funds to an external bank account. It’s believed that tens of billions of credential stuffing attempts are conducted each year, at an estimated cost to US firms alone of over $5bn annually. More secure authentication, including password managers and 2FA, is vital.
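On the defender's side, the credential stuffing pattern described above (one source trying many different accounts once or twice each, with most attempts failing) can be told apart from single-account brute forcing in authentication logs. The following is an added example, not part of the original article; the event format, the thresholds and the function name `classify_sources` are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded).
# The IPs come from documentation-only ranges; the usernames are invented.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}", False) for i in range(7)]
    + [("203.0.113.7", "carol", True)]          # a reused password that worked
    + [("198.51.100.20", "admin", False)] * 12  # one account hammered repeatedly
    + [("192.0.2.15", "alice", False), ("192.0.2.15", "alice", True)]  # a typo
)

def classify_sources(events, min_accounts=5, max_tries_per_account=2,
                     brute_tries=10, min_fail_ratio=0.8):
    """Label each source IP whose login attempts mostly fail.

    credential_stuffing: many distinct accounts, few tries per account.
    brute_force: a single account tried many times.
    All thresholds are illustrative assumptions; tune them to real traffic.
    """
    # ip -> username -> [failures, successes]
    per_ip = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ip, user, ok in events:
        per_ip[ip][user][int(ok)] += 1

    findings = {}
    for ip, users in per_ip.items():
        attempts = sum(f + s for f, s in users.values())
        failures = sum(f for f, _ in users.values())
        if failures / attempts < min_fail_ratio:
            continue  # mostly successful logins: ordinary user behaviour
        most_tries = max(f + s for f, s in users.values())
        if len(users) >= min_accounts and most_tries <= max_tries_per_account:
            pattern = "credential_stuffing"
        elif most_tries >= brute_tries:
            pattern = "brute_force"
        else:
            continue
        # Accounts that logged in from a flagged source are likely taken over
        # and are the first candidates for a forced reset and 2FA enrolment.
        compromised = sorted(u for u, (_, s) in users.items() if s)
        findings[ip] = {"pattern": pattern, "accounts": len(users),
                        "compromised": compromised}
    return findings

if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Real campaigns are usually spread across many source addresses, so the same counting is worth repeating per user agent, per network block or per time window rather than per IP alone.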
Next time, we’ll take a look at some 2020 predictions.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.