Monday, December 21st, 2020
Key Cybersecurity Insights For 2021
New cyber security challenges continue to rise every year, but 2020 will be remembered for the uncertainty and rapid change it brought for the infosec space. We saw a year of heightened cyber-crime as well as the reintroduction of cyber gangs that were thought to be exhausted. Cybercrime is still a highly lucrative business, and it is estimated that it will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. Ransomware attacks in particular are on the rise and are now estimated to cost global organisations $20 billion in 2021. Cybercrime communities are getting stronger, with criminals exchanging information and tools that allow them to launch better, bigger and more lucrative attacks.
Moreover, the complexity and increased cost of cybersecurity will force infosec professionals to seek integrated solutions with a focus on risk-based investment prioritisation that enables businesses to focus on their biggest threats.
One trend that remains is that the most common point of entry for cyber criminals is still email and the lack of user awareness continues to be a prevalent risk for organisations. Cloud misconfigurations and poor application security are risks that will continue to grow next year, forcing IT executives and CISOs to rethink their DevOps and Cloud strategies.
Looking back at the year 2020, it becomes more evident than ever just how much impact geopolitics and global events have on cybersecurity, and in 2021 this will continue, as geopolitics is likely to underpin cybersecurity threats throughout the year. In the first half of 2021 some key events will impact the geopolitical arena, global economics and therefore the threat landscape. With a new US President taking over in 2021, many expect US foreign policies and relations to relax. With the little backing that president-elect Biden has in the US Senate this may take longer than expected, which in turn may have an impact on the motivations of nation-state sponsored attacks.
So, with that in mind, what is the landscape for cybersecurity and the evolution of threats in 2021? We have put together a list of the top cybersecurity trends that security professionals should be aware of.
CSOs & CISOs Will Look To Merge Security Solutions As A Result Of Reduced Budgets
After years of developing and moving forward, many organisations may not be prepared for the reduced budget for cybersecurity in 2021. IT saw a decrease of almost 10% in 2020; this trend is expected to continue into 2021. According to Forrester, U.S. tech investments will fall by a further 1.5%, which equates to a $135 billion drop from 2019’s peak.
By 2023, 30% of a CISO’s effectiveness will be directly measured on the ability to create value for their business. With this in mind, leaders will need a plan to balance cost reduction with optimisation efforts in a push to close the digital transformation gap.
As a result, the convergence of security services will be key to achieving this. CSOs and CISOs will turn to technologies that integrate multiple services into one platform in order to maximise savings. The correct security platform for organisations will offer unified visibility and intelligence, along with a consistent experience to strengthen security posture, without having to replace existing solutions or add new technologies. This will prove a good option for many organisations as security leaders fight to overcome the obstacles of limited budgets and over-burdened security teams.
Ransomware Will Shape the Threat Landscape
Ransomware attacks can quickly disrupt operations and cripple business functions by cutting off access to critical information within minutes. In the year 2020 we have seen many examples of ransomware attacks disrupting hospitals, manufacturing sites and even critical infrastructure operations. In a recent survey published by IBM, ransomware hit manufacturing companies hardest, as they accounted for nearly a quarter of all the incidents responded to in 2020, followed by the professional services sector and then government.
Even as company leaders become more aware of ransomware, the threats will still come through and organisations will continue to buckle at their mercy, as ransomware gangs continue to innovate both their technology and their criminal strategy at an accelerating pace. Threat actor groups will continue to collaborate closely with their peers in the criminal underground, and together they will innovate their operations in order to become even more disruptive, engage in extortion and make higher ransom demands. RDP will be the number one attack vector for ransomware.
In 2020, ransom demands grew rapidly, with some reaching as high as $40 million. In Q3 2020, the average ransom payout grew to $234,000 from $111,600 in the previous quarter. We envisage that by the end of Q1 2021, the average ransom payout will grow to $300,000.
Phishing Is Here To Stay – And It’s Only Getting Bigger
Phishing will continue to dominate in 2021, particularly as we see many organisations continue to allow their employees to work remotely. As this trend continues, so too does the organisations’ lack of visibility over their employees, which provides more opportunities and points of entry for cybercriminals to access systems, data and information. Here are 2020 phishing statistics and information on their impact:
- A single spear-phishing attack costs an average of $1.6 million.
- 85% of organisations have suffered from phishing attacks.
- Only 3% of users report phishing emails to their management.
- 97% of users could not identify a sophisticated phishing email.
- Nearly 1.5 million new phishing sites are created each month.
In 2020 we saw a spike in COVID-19 related Business Email Compromise (BEC) attacks, and this trend will continue to grow in 2021. A BEC attack, also known as man-in-the-email, involves cyber criminals masquerading as, or directly compromising, a business email account in order to extort trusting individuals into taking a certain action. In the case of invoice and payment fraud, the BEC attack will usually target a business’s finance department, pose as a vendor or senior management, and ask for a payment to be made to a fraudulent bank account.
Even with the best Secure Email Gateways (SEGs) in place, BEC attacks are successful because they are highly targeted in nature and socially engineered, designed to leverage human nature. Generally, 1-3% of phishing emails make it past an organisation’s filters and gateways. With only approximately 1 in 10 user-reported emails being verified as actually malicious, the high-risk phishing attacks and threats often don’t get managed.
In order to combat this, organisations need to ensure employees undergo security awareness training and have the knowledge and skills they require to identify and mitigate phishing attempts and threats. Organisations need systems in place that allow their employees to report suspected phishing/spear phishing emails.
Data Breaches Caused By Insider Threats Will Increase
According to Forrester, insider incidents, whether accidental or malicious, will be a factor in a third of all data breaches in 2021, up from 25% today. This will be caused by a combination of the shift to remote working, the fear of job loss, and the ease with which data can be moved. Moreover, in the second half of 2020 we saw an increase in rogue activities perpetrated by foreign nations, businesses or competitors in which a spy or insider is recruited to gain access to critical or non-public information at a business or government institution. We envisage that in 2021, state-sponsored insider threat attacks will continue to rise.
An insider threat is a past or current employee, contractor or business partner who has or had authorised access to your organisation’s network systems, premises or data, and who uses this access to compromise the confidentiality, integrity or availability of such systems and data. As mentioned above, insider threat incidents can happen for a wide range of reasons, from cyberespionage to unintentional actions by well-meaning people. Insider threats can include:
- Theft of intellectual property (IP) or trade secrets
- Unauthorised trading
- State-sponsored cyberespionage
- IT infrastructure sabotage
Insider threats bring with them unique security challenges. These challenges stem from the fact that these threats are created by insiders in plain sight and, as a result, are extremely difficult to detect. Unlike external attackers, insiders do not need to “break in” because they already have access to the systems, networks and computers, and they know where the critical assets are located. Additionally, these insiders are already within the confines of the organisation, making their illicit activities harder to detect via traditional detection methods.
The rise in insider threats will mean that organisations need to have better controls in place for DLP (Data Loss Prevention), Information Classification and PAM (Privileged Access Management).
Better Alignment of DevOps and Security
Organisations worldwide are embracing cloud transformation to better engage their employees, customers and other stakeholders through increased development of apps and infrastructure-as-code. The acceleration of cloud adoption during the pandemic has shifted the software security landscape drastically, and so DevOps security is key to organisational success in a post-pandemic environment. As a result, cloud transformation as well as delivery velocity will have a big impact on software security in 2021.
Organisations will need to scale security beyond the AppSec team, especially when using open source. The volume of open source vulnerabilities will always be greater than the bandwidth available in AppSec to address them. Developers need to be enabled to have their open source code checked and fixed without disrupting the app dev pipeline. Application security will continue to evolve into a risk-based vulnerability management approach that seeks to implement more automation as part of the software development and delivery pipeline.
Cloud Security Threats Will Continue To Prevail
In 2021, organisations will need to employ a cloud security strategy that not only enables significant workplace transformations (i.e. remote working) but also ensures the organisation’s ability to secure critical systems and sensitive customer/internal information. A major security incident or data breach as a result of a cloud misconfiguration for example can have significant financial consequences and/or irreparable damage to a company’s brand and reputation. Based on our research, it generally takes companies approximately 260 days to trace cloud misconfigurations. So, why and how do cloud misconfigurations occur?
It is easy to assume that security technologies will keep us safe from hackers who trawl the internet looking for software vulnerabilities to exploit. But nothing could be further from the truth. Security is underpinned as much by user behaviour as it is by the technology solutions that enforce it, and so it is no surprise that human error is a major cause of organisations’ compliance problems and a major obstacle to their digital transformation to the cloud. Because misconfigurations are not flaws within a computer’s operating system, they are less visible to traditional security testing tools, which means they can often go undetected without constant monitoring from dedicated security teams. Businesses need to know what misconfigurations are present within their organisation and how serious they are in order to reduce the risk of a serious vulnerability. A cloud misconfiguration occurs when a cloud-related system, asset, or tool is not configured properly. This improper setup may in turn jeopardise the security of your cloud-based data, depending on the affected system, asset, or tool. Examples include:
- EBS data encryption is not turned on.
- Unrestricted outbound access.
- Access to resources is not provisioned using IAM roles.
- EC2 security group port is misconfigured.
- Publicly exposed cloud resources.
- EC2 security group inbound access is misconfigured.
- Unencrypted AMI is discovered.
- Unused security groups are discovered.
- VPC Flow logs are disabled.
As a result, scanning for vulnerabilities alone is often not enough to manage risk in a cloud infrastructure; complete visibility into your infrastructure is key, and with it a strategy to prevent and detect misconfigurations needs to be put in place.
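As an added example (not code from the original article), the checker below flags several of the misconfigurations listed above in a constructed inventory shaped like the output of the AWS `describe_*` APIs; the resource IDs, the sample inventory and the choice of "sensitive" ports are assumptions, and nothing is queried from a live account.

```python
"""Flag common AWS misconfigurations in a static resource inventory (added example)."""

# Assumption: ports a defender would not want open to 0.0.0.0/0 (SSH, RDP, MySQL, PostgreSQL).
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
ANY_IPV4 = "0.0.0.0/0"

# Constructed sample inventory, shaped like boto3 describe_* responses (not real resources).
INVENTORY = {
    "SecurityGroups": [
        {"GroupId": "sg-web",
         "IpPermissions": [{"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_IPV4}]}],
         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]}]},
        {"GroupId": "sg-db",
         "IpPermissions": [{"FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": ANY_IPV4}]}],
         "IpPermissionsEgress": []},
        {"GroupId": "sg-stale", "IpPermissions": [], "IpPermissionsEgress": []},
    ],
    "Instances": [{"InstanceId": "i-1", "SecurityGroups": ["sg-web", "sg-db"]}],
    "Volumes": [{"VolumeId": "vol-1", "Encrypted": True}, {"VolumeId": "vol-2", "Encrypted": False}],
    "Images": [{"ImageId": "ami-1", "BlockDeviceMappings": [{"Ebs": {"Encrypted": False}}]}],
    "FlowLogs": {"vpc-1": [], "vpc-2": ["fl-1"]},  # VPC id -> flow log ids attached to it
}


def open_to_world(rule):
    """True if a security group rule allows the whole IPv4 internet."""
    return any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))


def find_misconfigurations(inv):
    """Return (resource_id, description) pairs for each misconfiguration found."""
    findings = []
    used_groups = {sg for inst in inv["Instances"] for sg in inst["SecurityGroups"]}
    for sg in inv["SecurityGroups"]:
        gid = sg["GroupId"]
        for rule in sg["IpPermissions"]:
            low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            if open_to_world(rule) and any(low <= p <= high for p in SENSITIVE_PORTS):
                findings.append((gid, "inbound: sensitive port open to 0.0.0.0/0"))
        if any(open_to_world(r) for r in sg["IpPermissionsEgress"]):
            findings.append((gid, "outbound: unrestricted egress"))
        if gid not in used_groups:
            findings.append((gid, "unused security group"))
    findings += [(v["VolumeId"], "EBS volume not encrypted") for v in inv["Volumes"] if not v["Encrypted"]]
    findings += [(a["ImageId"], "AMI has unencrypted block device") for a in inv["Images"]
                 if any(not m["Ebs"].get("Encrypted", False) for m in a["BlockDeviceMappings"])]
    findings += [(vpc, "VPC flow logs disabled") for vpc, logs in inv["FlowLogs"].items() if not logs]
    return findings
```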
Potential Linux Threats On The Rise
In 2020 we saw a dramatic increase in ransomware attacks, mainly against Microsoft Windows systems such as Active Directory. Many organisations have started bracing themselves against ransomware attacks and improving their defences, response and restore capabilities. So far, Linux-based databases have not fallen victim to crypto-locker attacks. With increasing improvements of countermeasures for Microsoft-based systems, it is only natural that adversaries start looking at Linux, as this OS is often deemed too hard to hack and is often less protected than its counterparts. Threat reports over the last six months showed that Russia’s GRU crew is developing and successfully using malware for Linux in the wild. In August 2020, the FBI warned about a cyberespionage threat to Linux called Drovorub. This was developed by Russian military hackers and has been deployed in real-world attacks.
These incidents have been highly targeted for now, but they show that adversaries are developing tools and tactics to attack Linux-based systems.
Mitigation against Linux ransomware threats is no different from mitigation against Windows ones: organisations need to get the security basics right, addressing the human factor with a focus on security awareness and training, multiple intrusion prevention layers from simple spam filtering to DNS protection, patch management, the principle of least privilege and robust password management.
In terms of what companies are going to face over the next year, there are at least five key considerations they need to focus on in order to handle this transformation securely:
Invest in Proactive Measures. A proactive security approach allows an organisation to understand where risks and vulnerabilities lie so they can be mitigated. Organisations need to invest in penetration testing, threat intelligence, incident management plans, security awareness training and endpoint protection at a minimum. Furthermore, employing MDR (Managed Detection and Response) systems allows for a much more proactive form of protection than traditional security measures. They leverage advanced analytical tools to scrutinise events on a network and recognise potentially dangerous behaviour “before” it has a chance to materialise into a serious breach or attack.
Rethink your application security programme. IT executives, application owners, and CIOs know they need to implement comprehensive application security programmes to meet compliance requirements and prevent security breaches. Start by reviewing your internal SDLC process and secure development policies, and look at ways of best implementing the Security by Design process. We recommend reviewing Annex A.14.1 of ISO 27001:2013 (System acquisition, development and maintenance) for best practice around ensuring a robust DevOpsSec programme.
Don’t forget about the Human Element. The human element cannot be neglected. Digital transformation is something almost all people are experiencing in their daily lives, but often with behaviour that puts information at risk. As a result, it is important to work on preventing the company’s information from being vulnerable to social engineering attacks by having the right security awareness programme in place, with a combination of online modules, onsite classroom-type sessions and regular phishing simulations. Give your users the means and processes for reporting suspected phishing emails that evade your secure systems.
Invest in cloud security. Cloud security is evolving at lightning speed, becoming more about governance than visibility. A hurried cloud migration reveals more security threats than organisations originally considered. The best solution for ensuring that extra layer of security is CASB, even if you are in transition or have already migrated.