The whole tech industry is dynamic and constantly changing. And if you’re in IT security, you’re in a unique position that the changes can be forced upon you by techniques developed by malicious hackers. That means that there’s always something new going on in the industry, trends are constantly changing, and there are also some techniques and tools whose usefulness has fallen by the wayside.
It can be hard to cut through the hype when it comes to tech security trends: every company with a product to sell wants to convince you that they’re in line with the cutting edge of the market. To help you get a sense of what’s really hot or cold in today’s security world, we peek under the hood to look at the numbers that matter, from spending to effectiveness.
11 hot (and not) cybersecurity trends:
- Hot – Credential stuffing
- Hot – Collaboration app security
- Not – Ransomware
- Hot – Banking trojans
- Hot – The internet of things
- Not – Artificial intelligence
- Hot – Quantum cryptography
- Hot – Phishing
- Not – Antivirus
- Hot – Multifactor authentication
- Not – The blockchain
Hot: Credential stuffing
Every year it seems that there’s a constant drip-drip of major hacks at big companies that result in millions of username/password pairs being compromised. The real-world consequences of these attacks are what’s known as credential stuffing, when an attacker uses long lists of stolen login credentials in large-scale automated attempts to log in to various websites. The attackers are relying on the fact that many of us use the same username and password on multiple sites. Thanks to the attacks’ automated nature, even if only a small percentage of the stolen login credentials are a positive match, it can still be worth the attackers’ while.
“We need to make user credentials more secure,” says Kristen Ranta Haikal Wilson, Cofounder, Head of Product Management, and CMO at PasswordPing. “By screening for compromised credentials proactively during login, password reset and account activation, organizations can heavily mitigate online account takeover and fraud with very little impact to the end user.”
Key numbers: In 2018, 60 percent of customer login traffic at airlines — and 91 percent at retail outlets — consisted of credential stuffing, according to Sharpe Security.
Hot: Collaboration app security
More and more teams are coming to rely on apps that help them coordinate and collaborate at work. Perhaps the most prevalent is Slack, the increasingly omnipresent messaging and collaboration platform, but this category also includes virtual workspaces like SharePoint and filesharing and syncing apps like Dropbox. These tools are great for productivity, but they open another attack surface. “As more organizations adopt these essential applications, they are inadvertently expanding the number of channels that hackers can leverage to distribute malicious content,” says Yoram Salinger, CEO of cybersecurity-as-a-service provider Perception Point. And since many are web-based or cloud services that are installed by individual business units without consulting IT, they often fly under the radar when it comes to security.
Key numbers: In a survey conducted by Perception Point, over 80 percent of respondents say that employees in their organization share files and URLs via these collaboration services — files that security staff would scan if shared by email or other more conventional means, but that don’t get that treatment via collaboration apps.
Ransomware is a pernicious form of malware that seizes control of a compromised computer and hold data for ransom, threatening to encrypt it permanently unless the victim pays up. In particular, the WannaCry and NotPetya attacks of 2017 really brought this form of malware into the public consciousness.
Thus, it may come as a surprise to learn that overall ransomware attacks are on the decline, along with a corresponding decline in exploit kit activity. Most ransomware attacks in 2018 were delivered via phishing, which explains why the whole center of gravity of this genre of malware shifted from consumers to email-centric enterprises.
Key numbers: Overall ransomware activity dropped by 20 percent during 2018. When WannaCry and Petya variants are stripped out of those numbers, the drop is even steeper: 52 percent.
Hot: Banking trojans
The famous criminal Willie Sutton, when asked why he robbed banks, supposedly said “Because that’s where the money is.” Increasingly, malware authors are taking that maxim to heart. A slew of trojans have hit the scene that are specifically focused on gaining access to user accounts at financial institutions. These trojans spread in the usual way — phishing sites, hijacked emails, and the like — but once installed become laser-focused on user interaction with banking sites, attempting to harvest login information via keylogging and other spyware techniques, which is then reported back to the criminal controllers.
Key numbers: In the last year, these trojans became a particular threat in the mobile realm, especially on Android. McAfee estimated that 2018 saw a 77 percent spike in banking trojans in 2018.
Hot: The internet of things
The internet of things (IoT) is an umbrella term that covers a disparate host of gadgets smaller and simpler than a computer, connected to a wireless network, and deployed for specific purposes. These gadgets range from industrial sensors to smart home thermostats and deliver on the promise that the internet can go beyond something we only see on screen and truly interact with the “real world.”
Unfortunately, IoT devices are often nonstandardized, lack built-in security, are difficult to administer remotely, and have just enough inherent functionality to be hacked. One of the biggest IoT blowups of recent years was the Mirai botnet, which enrolled internet-connected CCTV cameras in an attack that aimed to settle scores among Minecraft players but accidentally took down a big chunk of the internet in the process.
Key numbers: Security experts know that that IoT gadgets need to be locked down — or at least kept quarantined from the internet at large — if the technology is to survive. In an analysis of academic security research over the past decade, Crossword Cybersecurity estimated that the number of projects focusing on IoT have spiked 123 percent over the past decade — with 14 percent of all such projects now focusing on IoT.
Not: Artificial intelligence
It at first might seem weird to classify AI under the “not” umbrella, as you can’t throw a brick without hitting a pile of press releases from security companies touting their artificial intelligence offerings — sometimes dubbed “machine learning” or “deep learning.” But there’s a bit of a backlash brewing. Rene Kolga, senior director of product and marketing for Nyotron, says, “Mention artificial intelligence to a CISO and watch their reaction. Overuse by every marketing organization on the planet has resulted in AI fatigue and a complete loss of meaning. Some sober voices, like Raffael Marty at Forcepoint, now even talk about the problems that arise from AI and ML in cybersecurity.”
Key numbers: The Ponemon Institute estimates that false positive rates for AI-driven endpoint security solutions are nearing 50 percent.
Hot: Quantum cryptography
Current methods for encrypting communications are not inherently secure. Instead, they rely on the exchanges of cryptographic keys that can in theory be broken by an attacker; the security relies on the fact that those keys can only be unraveled using computationally intensive mathematics, to the extent that the difficulty of the problems makes this an impractical attack method — for now.
Because if there’s one thing we know about computers, is that over time the new ones can crunch numbers more quickly. And the upcoming generation of what’s known as quantum computers — computers that work on the principles of quantum mechanics rather than binary computation — will be able to make short work of the previously near-impossible encryption problems.
The answer is to fight quantum physics with quantum physics. Quantum key distribution replaces our current cryptographic key infrastructure with one that can achieve theoretically perfect security. Due to the fact that you can’t observe a quantum state without altering it, computers that have shared keys via special hardware will be instantly alerted if a man-in-the-middle attack is attempting to snoop on their conversation.
Key numbers: This may all sound futuristic, and most estimates are that widespread quantum computing is somewhere between five and twenty years away. But that doesn’t mean resources are being put into security that can fight it. Over the decade of academic studies that it analyzed, Crossword Cybersecurity found that the number of projects focusing on quantum cryptography spiked 227 percent.
Phishing — the art of tricking users into giving up login information — certainly isn’t novel at this point, but that hasn’t stopped it from being a favorite of attackers. And while we mostly associate phishing with email, attackers are taking advantage of a wide variety of attack vectors to fool their victims today. “Increasingly, employees are being subjected to targeted phishing attacks directly in their browser with highly legitimate looking sites, ads, search results, pop-ups, social media posts, chat apps, instant messages, as well as rogue browser extensions and free web apps,” says Atif Mushtaq, CEO and founder of SlashNext. “Most IT leaders also do not realize how fast phishing threats move, typically lasting minutes to just a few hours before sites are taken down and cybercriminals move on to evade existing security controls.”
Key numbers: According to the 2019 Verizon Data Breach Investigations Report, 93 percent of confirmed data breaches ultimately involved a phishing attack.
Symantec declared antivirus dead almost five years ago now, but the product segment keeps shuffling through IT like a zombie, helped along a bit by regulations that require many industries to maintain antivirus protection. But despite ongoing attacks from worms and other forms of malware, it’s a defense mechanism that IT pros see as largely antiquated, unable to keep up with increasingly sophisticated attacks and completely oblivious to important vectors like phishing emails.
Key numbers: A SANS Institute survey revealed that less than half of cyberattacks are detected by antivirus software.
Hot: Multifactor authentication
Many of the security holes discussed in this article come down to this: if a password is somehow stolen, then the attacker gains unlimited access to private information or functionality. To overcome this difficulty, a security system should treat those passwords as just one of several factors needed to access restricted data. These factors could include something the user knows (like a password), something they have (like a security token), or something they are (which comes into play with biometric security). A classic example is an ATM machine, which requires both a PIN and a physical card to access; many websites now require both a password and a code sent via text message to the user’s phone to log in.
Key numbers: As mass hacking attacks have left passwords less reliable, more and more companies are turning to multifactor authentication for security. According to Okta’s 2019 Business@Work report, a reassuring 70 percent of companies are using two to four factors for security — that’s up from 65 percent the previous year.
The price of bitcoin dropped by almost 80 percent in 2018, and while bitcoin and the blockchain are not the same thing, interest in blockchain-based security technologies seemed to drop almost as fast —Nyotron’s Kolga, says investment in this technology “froze.” On the other hand, there’s always a silver lining to these things: the drop in bitcoin value also led to a corresponding drop in cryptomining attacks, which hijack victims’ computers and force them to mine bitcoins to enrich the attackers.
Key numbers: A recent survey of execs found only 1 percent intended to roll out blockchain tech at their firms; Forrester Research estimates that 90 percent of corporate blockchain experiments never reach production.
Timeless (and hot) advice: Don’t chase trends
While we hope these points have brought into focus some of the evolving challenges in IT security, we also want to point out that certain best practices will continue to underpin how smart security pros approach problems, no matter what the flavor of the month is. “Enterprises are going back to the basics: patching, inventory management, password policies compliant with recent NIST directives,” says Kayne McGladrey, IEEE Member and Director of Security and Information Technology at Pensar Development. “Enterprises are recognizing that it’s impossible to defend what can’t be seen and that the easiest wins are to keep systems up to date and to protect against credential stuffing attacks.”
- Content by: Josh Fruhlinger, posted March 11, 2011 at https://www.csoonline.com/article/3262972/7-hot-cyber-security-trends-and-4-going-cold.html?upd=1552676036634
- Image credit: CSO Online