Cybersecurity Predictions for 2021 from the (ISC)² Community of Security Professionals (Part 2)
By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP
John Martin, CISSP-ISSAP, CISM
Richard Nealon, CISSP-ISSMP, SSCP, SCF
In part one of this blog series, we discussed privacy, remote access (aka Work from Home), insider threats, data leakage, Zero Trust Architecture (ZTA) and security architecture. To continue this discussion, we believe that 2021 will still see folks working from home; thus, the risks due to insider threats and data leakage will continue to grow. However, we believe that there are other concerns for information security professionals, including edge computing, 5G, IoMT/IoT, AI and ransomware.
Edge Computing
Edge computing is a distributed computing framework that brings enterprise applications closer to data sources such as IoT devices or local edge servers. This proximity to data at its source can deliver strong business benefits, including faster insights, improved response times and better bandwidth availability. Gartner estimates that by 2025, 75% of data will be processed outside the traditional data center or cloud platform. Sending all of that device-generated data to a centralized data center or to the cloud causes bandwidth and latency problems; edge computing offers a more efficient alternative in which data is processed and analysed close to the point where it is created. Because the data does not traverse a network to a cloud or data center before being processed, latency is significantly reduced.
The issues to be faced are likely to lie in machine-to-machine communication as much as in person-to-machine communication. Can we trust one machine's authentication of another enough to exchange information with it securely? Every edge node becomes a point at which identity must be proven and authorization enforced, which is why Zero Trust security and architecture need to be put in place rather than assuming that anything on the local network can be trusted.
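As an added illustration (not code from the original post), here is a minimal mutual authentication exchange between an edge server and a device in Python. It assumes a per-device symmetric key provisioned at manufacture time and uses hypothetical device IDs; in production the same role is usually played by per-device certificates and mutual TLS, but the shape of the exchange is the same: each side proves possession of a secret bound to a fresh nonce from the other side, and the server rejects any response it has already accepted.

```python
import hashlib
import hmac
import secrets

# Constructed example keys (hypothetical IDs). Each device gets its own key at
# provisioning time; never share one key across a fleet.
DEVICE_KEYS = {
    "sensor-0001": bytes.fromhex("3f" * 32),
    "sensor-0002": bytes.fromhex("9c" * 32),
}


def mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are
    unambiguous ("ab"+"c" cannot collide with "a"+"bc")."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class EdgeServer:
    def __init__(self, device_keys):
        self.device_keys = device_keys
        self.pending = {}   # device_id -> challenge nonce not yet answered
        self.seen = set()   # (device_id, device_nonce) already accepted; bound this in practice

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id, device_nonce, device_proof):
        """Check the device's proof. Returns the server's own proof on success,
        None on unknown device, no outstanding challenge, replay or bad MAC."""
        key = self.device_keys.get(device_id)
        server_nonce = self.pending.pop(device_id, None)
        if key is None or server_nonce is None:
            return None
        if (device_id, device_nonce) in self.seen:
            return None  # replayed response
        expected = mac(key, b"device", device_id.encode(), server_nonce, device_nonce)
        if not hmac.compare_digest(expected, device_proof):
            return None
        self.seen.add((device_id, device_nonce))
        # Server proves knowledge of the same key, bound to both nonces (mutual auth).
        return mac(key, b"server", device_id.encode(), device_nonce, server_nonce)


class Device:
    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key
        self.nonce = None
        self.server_nonce = None

    def respond(self, server_nonce):
        """Answer the server's challenge and contribute a nonce of our own."""
        self.server_nonce = server_nonce
        self.nonce = secrets.token_bytes(16)
        proof = mac(self.key, b"device", self.device_id.encode(), server_nonce, self.nonce)
        return self.nonce, proof

    def verify_server(self, server_proof):
        expected = mac(self.key, b"server", self.device_id.encode(), self.nonce, self.server_nonce)
        return hmac.compare_digest(expected, server_proof)


def handshake(server, device):
    """Run the full exchange. Returns (ok, captured_response); the captured
    response is what an on-path attacker would try to replay later."""
    server_nonce = server.challenge(device.device_id)
    device_nonce, proof = device.respond(server_nonce)
    server_proof = server.verify(device.device_id, device_nonce, proof)
    if server_proof is None:
        return False, (device_nonce, proof)
    return device.verify_server(server_proof), (device_nonce, proof)


if __name__ == "__main__":
    srv = EdgeServer(DEVICE_KEYS)
    dev = Device("sensor-0001", DEVICE_KEYS["sensor-0001"])
    ok, captured = handshake(srv, dev)
    print("genuine device:", ok)
    srv.challenge("sensor-0001")
    print("replayed response accepted:", srv.verify("sensor-0001", *captured) is not None)
```

The device only trusts the server after checking a MAC bound to the nonce the device itself generated, so a rogue edge node that merely relays traffic cannot impersonate the real server; and because the server's challenge is consumed on first use and accepted device nonces are remembered, a captured response cannot be replayed.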
5G
As 2020 draws to a close and 2021 approaches, we believe that 5G will play an integral role in security, because it promises to be everywhere and always connected.
The business case for 5G:
A small number of industries will greatly benefit from the wider bandwidth and the capacity to support a large number of IoT devices with greater reliability.
However, in our opinion the primary motivation to move networks to 5G is coming from the network providers, in their effort to recoup the major investment needed to implement the technology. Fundamentally, this means that 5G is being sold to the general public as a must-have by marketing machines, when in reality (with a small number of commercial exceptions) most of us just DON’T NEED IT and are served perfectly well by 3G and 4G where these are generally available.
Coverage
When we look at a global coverage map for 5G a couple of things really stand out:
- Coverage is very patchy: Germany, Switzerland and the Netherlands; central England (major cities) and the Republic of Ireland; coastal and eastern USA; Thailand, Singapore and Japan; and the south-eastern coastline of Australia are the only areas with reasonable (i.e., better than sparse) coverage. Even in these locations there are major 5G gaps.
- 5G does not really exist in Central or South America, Africa, The Middle East (other than some parts of Saudi Arabia), the Indian subcontinent, mainland China, Northern or Southern Europe, Russia, the majority of South East Asia or the rest of Australia.
- Linked to the business case above, the reason for this limited coverage is the investment required (many more transmitters are required for 5G than for 4G, and the new network needs to be built from scratch). Network providers will not invest in this major infrastructure roll-out unless they can see a return on investment. What we see from the above coverage is the roll-out of a technology that only services the wealthy. This economic division will remain for a long period, with most of the world continuing to be unable to take advantage of or have access to 5G technology for 10 years or more.
Risks around 5G include:
- Distributed routing: current networks are based on centralised switching implemented in hardware. All traffic passes through a central hub, which limits how data can enter the network and creates choke points at which traffic must pass inspection or cleaning; it also lets administrators easily quarantine traffic that fails security checks. 5G networks, however, are software-based and use a distributed, digital routing approach. This creates more points of entry and requires security checkpoints to be just as widely distributed, which makes malicious traffic harder to identify and restrict.
- Bandwidth expansion: network security solutions are often designed to monitor traffic in real time, inspecting each packet as it arrives. This works because the data rate is bounded by the network connection, so the inspection engine is not overwhelmed; those limits are part of what keeps networks secure. 5G allows data transfers faster than many current inline inspection solutions can keep up with.
- Internet of Things (IoT) vulnerabilities: IoT devices’ capabilities will grow considerably with 5G. These devices already control a wide range of functions and processes, from traffic signals to factory machinery. Increased performance lets IoT devices run more advanced Artificial Intelligence (AI) and deliver higher volumes of sensor data. This creates opportunities for incidents with an impact that was previously impossible, and makes the devices an appealing target for attackers.
- Software virtualization: 5G replaces hardware appliances with virtualized software for higher-level network functions. This software is built on standard Internet protocols and commodity operating systems. Because functionality is no longer physically restricted by hardware, it is more accessible to remote attackers. This introduces concerns that were not previously present and that many existing security solutions do not adequately address.
Failures are likely to be due to under-investment. If manufacturers treated IoT devices like endpoints, then real-time endpoint detection and response (EDR) agents could be installed on them. This would allow security staff to investigate attacks as incidents occur and to respond by acting remotely on the devices, such as isolating them on the network, wiping them or re-imaging them.
Reference: Foundational Cybersecurity Activities for IoT Device Manufacturers, NISTIR 8259, May 2020: https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf
If you are interested in contributing to 5G cybersecurity, go to the National Cybersecurity Center of Excellence (NCCoE) and sign up. Also have a close look at the building blocks, which include another mention of Zero Trust Architecture along with other elements.
The security of 5G is inextricably linked to IoT. There are some minor (security/operational) concerns about the technology itself (e.g., the expanded number of points-of-contact required, the operational ability to monitor them and keep them updated), but the major security concerns of 5G are really the major security concerns about the IoT devices attached to the network as endpoints (see below).
Internet of Things (IoT)
We have been discussing IoT for several years and we are now seeing standards being developed. According to various reports, 75% of all IoT projects fail due to the technical and business challenges these projects face. We anticipate that this trend will continue into 2021; however, we feel that there will be a shift to more successful projects as we are finally seeing standards for manufacturers to follow and implement. The security professional will still be faced with the challenge of choosing the best devices for their environment.
Many folks are still not familiar with all the terminology and technology associated with IoT, so the subsections below serve as a quick reference.
We believe that 2021 will see the emergence of the Internet of Medical Things (IoMT). What is it? Simply put, it is a wireless communication network of medical devices and people that allows the exchange of medical information, and it lets medical staff provide a better quality of service in patient care. We anticipate that, as with IoT, we will see standardization of the protocols for these devices.
For purposes of this discussion, IoT is broken down into several subsections:
- Consumer IoT
The growth in consumer IoT has provided (as a side product) the largest attack vector ever imagined by cyber criminals. The estimated number of IoT devices at the time of writing is somewhere between ten and twenty billion, and this is expected to double in the next four to five years[1]. The vast majority of these are consumer based (voice-controlled streaming, lighting, and heating sensors and controllers, doorbells and security cameras, smart TVs, etc.) devices with a low (i.e., $10 – $80 per unit) and medium ($300 – $1,000) retail cost.
This group poses a risk because we see more of these devices being brought into the workplace, whether that is the home office or the corporate office, and critical data can be lost through them.
We are seeing organizations (such as DigiCert) engaging with manufacturers to install digital certificates on IoT devices while keeping the cost to the consumer low. We believe, however, that some manufacturers will continue to avoid the issue of security or, if they do address it, will pass all of the cost on to the consumer, and there will always be outliers who will not comply with regulations or security safeguards. It remains a buyer-beware marketplace.
- Infrastructure IoT
Gone are the days when these systems were standalone bastions that could not be reached from the Internet (some of us remember the old GPAC systems that worked like Trojans and never needed to be patched). We believe this is an attack vector that has recently come into its own; the recent SolarWinds supply chain attack highlights this.
For additional assistance, see the GIAC Global Industrial Cyber Security Professional (GICSP) certification, which is recognized under the DoD 8140 (formerly DoDD 8570) baseline for information assurance certifications: https://www.giac.org/certifications/dodd-8140
- Internet of Medical Things (IoMT)
We believe that attacks on IoMT will become the emerging vector. To be beneficial, these devices must be instrumented (measuring, sensing and visualizing the exact condition of a patient, even remotely), interconnected (communicating and interacting with each other) and intelligent (responding to change, predicting and optimizing future events).
Reference: https://www.ibm.com/downloads/cas/D4WA40ZX
They are all interconnected and form a complete ecosystem spanning electronics distributors, software and connectivity, home carers, health-related services, healthcare providers and those who pay for such services. This is an area whose exposure is underestimated. In light of COVID-19, and with the lack of security intelligence, monitoring and incident response, this will become a major battleground in 2021 and beyond. It is another area where ransomware can encroach on health providers and put patients’ lives directly at risk, which is why many health providers simply pay up. They are not prepared to be attacked and do not have the expected security hygiene.
Ransomware
Ransomware will continue to grow, not only in sheer numbers but also in the types of organizations targeted. We believe it will remain the fastest-growing cybercrime in 2021, with a focus on manufacturing and industrial control systems (ICS). Tied to the growing IoT marketplace, we foresee this attack vector increasing. In 2020 we saw these attacks grow by 145%, and we anticipate further growth of about 100-150% in 2021.
To understand the motivation for the growth in ransomware, it is best to remember the quote (usually attributed to Willie Sutton, though allegedly made up by a reporter):
“So, Willie, why do you rob banks?
Because that’s where the money is!”
To its perpetrators, ransomware is a faceless attack; they never see its impact on the victims. They perceive it to be almost 100% successful, cheap and easy to carry out, and to carry almost no chance of prosecution and conviction (i.e., the perfect way to get “free” money).
- The average ransom demand has doubled over the years.
- Ransomware families have started collaborating with each other for better efficiency and greater opportunities.
- Topical events, such as the COVID-19 pandemic, are being weaponized to craft malspam.
Ransomware operators are expected to refine strategies that are already successful rather than develop new ones. In 2021, therefore, organizations should expect more targeted attacks, especially on large firms that have a lot to lose, which means that cybersecurity insurance premiums will rise accordingly. The FBI and other government agencies have asked organizations not to pay ransoms, yet companies continue to negotiate and pay to get their data back. As long as payments are made, and companies agree to pay double or triple the initial demand, targeted ransomware attacks will continue well beyond 2021.
It will continue to run rampant. You can help clients by emphasizing two controls: encryption of private data, which limits the damage when attackers also steal data before encrypting it, and a solid, tested backup scheme with at least one copy kept offline or immutable, which is what allows recovery without paying. Together these improve the cybersecurity posture and blunt the impact of a ransomware attack.
Fully Homomorphic Encryption (FHE), which has been years in development, is now available as a cloud service or as a development kit and allows computation on data that stays encrypted. Note, though, that FHE protects the confidentiality of data in use; it does not stop an attacker who has taken over a host from encrypting, deleting or exfiltrating the files found there, so it complements backups rather than replacing them.
The notion of “free” money is, of course, far from reality: the real cost of ransomware is borne by society (even when it is targeted at large corporations, it is passed on to their customers). As one insurance fraud advertisement says, “It’s like them putting their hand into your pocket and taking your money.” More worrying is ransomware targeted at critical infrastructure. While the death of a German hospital patient[2] in September 2020 cannot be directly attributed to ransomware, the fact remains that she had to be diverted more than 30 km from her nearest hospital because it was in the middle of a ransomware attack. Similarly, a wave of ransomware attacks hit U.S. hospitals in October 2020 as COVID-19 cases spiked.
As ransomware becomes ever more profitable, the conclusion is that it will keep growing as one of the “easiest, no-risk” crimes for both small-time criminals and large organized gangs. In the Netherlands, for example, there has been only one successful prosecution related to ransomware: two brothers, the authors of the CoinVault and Bitcryptor ransomware, were arrested, convicted and sentenced in 2018 to 240 hours of community service.[3]
These compromises will continue to target medical systems, medical development, ICS and financial systems. We do not believe that any industry will be spared.
The cost to industry will continue to grow and we recommend that security professionals ensure:
- Adequate security awareness training
- Proper backups, tested by actually restoring from them and kept where malware on the production network cannot reach or alter them
- When possible, cyber insurance to cover these types of events
- Security hygiene
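What “proper backups” means in practice is a backup whose integrity you can verify before you need it, and whose contents you can distinguish from files that ransomware has overwritten. The following Python example is added here and is not part of the original post. It builds a SHA-256 manifest of a constructed file tree, then re-verifies it after a simulated attack that overwrites one file with ciphertext-like bytes, deletes another and drops a ransom note. High byte entropy in a modified file is used as the “looks encrypted” heuristic. File names, contents and the entropy threshold are assumptions made for the demonstration.

```python
import hashlib
import json
import math
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for encrypted or compressed data, 4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verify_backup(root, manifest, entropy_threshold=7.0):
    """Compare the tree under root with a previously stored manifest.
    'suspicious' lists modified files whose new content looks like ciphertext."""
    root = Path(root)
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    suspicious = [p for p in modified
                  if shannon_entropy((root / p).read_bytes()) > entropy_threshold]
    unexpected = sorted(set(current) - set(manifest))
    return {"missing": missing, "modified": modified,
            "suspicious": suspicious, "unexpected": unexpected}


def demo():
    """Constructed scenario: snapshot a small tree, then simulate ransomware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text("quarterly figures and customer notes\n" * 100)
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        # The manifest must live somewhere the attacker cannot rewrite it
        # (offline media, a WORM bucket); here it is just serialized to JSON.
        manifest_json = json.dumps(build_manifest(root), indent=2)
        before = verify_backup(root, json.loads(manifest_json))

        # Deterministic stand-in for ciphertext: chained SHA-256 output (~7.95 bits/byte).
        fake_ciphertext = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                                   for i in range(128))
        (root / "notes.txt").write_bytes(fake_ciphertext)
        (root / "config.ini").unlink()
        (root / "HOW_TO_RESTORE.txt").write_text("constructed ransom note\n")
        after = verify_backup(root, json.loads(manifest_json))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before attack:", before)
    print("after attack: ", after)
```

Run the same check against the backup copy, not only the live tree: a backup that was taken after the encryption started will show the same high-entropy “modified” files, which tells you to go back to an older restore point before anyone pays for a key.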
Artificial Intelligence/Augmented Intelligence (AI)
For this blog we discuss Augmented Intelligence, because we do not believe that true Artificial Intelligence is yet available.
Note: the term Augmented Intelligence is used rather than Artificial Intelligence because no system has yet convincingly passed Alan Turing’s original test.
https://en.wikipedia.org/wiki/Turing_test
Augmented Intelligence is changing the game for cybersecurity, analyzing massive quantities of risk data to speed response time and augment under-resourced security operations.
How Augmented Intelligence helps: AI technologies such as machine learning and natural language processing enable analysts to respond to threats with greater confidence and speed.
Learn
- AI is trained by consuming billions of data artifacts from both structured and unstructured sources, such as blogs and news stories. Through machine learning and deep learning techniques, the AI improves its knowledge to “understand” cybersecurity threats and cyber risk.
Reason
- AI gathers insights and uses reasoning to identify the relationships between threats, such as malicious files, suspicious IP addresses or insiders. This analysis takes seconds or minutes, which IBM claims allows security analysts to respond to threats up to 60 times faster.
Augment
- AI eliminates time-consuming research tasks and provides curated analysis of risks, reducing the amount of time security analysts take to make the critical decisions and launch orchestrated response to remediate the threat.
Source: https://www.ibm.com/security/artificial-intelligence
The key issue here is ethics and integrity. Augmented Intelligence is already in our living rooms and cars, and even in our pockets. The issues are:
- Without proper care in building AI systems, the bias of the programmer can play a part in determining outcomes. We have to develop frameworks for thinking about these issues; it is an extremely complicated area. Meanwhile, the bad guys are already using AI against legitimate companies and exploiting it to identify their next targets.
- Machines also become biased because the training data they are fed may not be representative of what you are trying to teach them. This may be unintentional bias, from a lack of care in assembling the training dataset, or intentional bias introduced by an attacker who gains write access to the training dataset somebody is building and manipulates it (data poisoning).
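The following Python example, added here and not from the original post, shows the intentional case: a small naive Bayes classifier that separates phishing from legitimate subject lines, an attacker who can append to its training set, and a cheap integrity check that catches the manipulation. The training lines and the attacker’s lure are constructed for the demonstration; a real poisoning attack on a production model would be subtler, but the mechanism, mislabelled samples teaching the model that the attacker’s vocabulary is benign, is the same.

```python
import math
from collections import Counter, defaultdict


def tokenize(text):
    return text.lower().split()


class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing: a deliberately small
    stand-in for the machine learning the text refers to."""

    def __init__(self):
        self.doc_counts = Counter()            # label -> number of documents
        self.word_counts = defaultdict(Counter)  # label -> word -> count
        self.vocab = set()

    def train(self, samples):
        for text, label in samples:
            self.doc_counts[label] += 1
            for w in tokenize(text):
                self.word_counts[label][w] += 1
                self.vocab.add(w)

    def predict(self, text):
        total_docs = sum(self.doc_counts.values())
        best_label, best_lp = None, -math.inf
        for label, docs in self.doc_counts.items():
            lp = math.log(docs / total_docs)
            n_words = sum(self.word_counts[label].values())
            for w in tokenize(text):
                lp += math.log((self.word_counts[label][w] + 1) / (n_words + len(self.vocab)))
            if lp > best_lp:
                best_label, best_lp = label, lp
        return best_label


# Constructed training set (not real mail).
CLEAN_TRAINING = [
    ("urgent verify your account password now", "phish"),
    ("your account has been suspended click here", "phish"),
    ("invoice attached please confirm payment immediately", "phish"),
    ("reset your password via this link", "phish"),
    ("team lunch on friday at noon", "legit"),
    ("quarterly report draft attached for review", "legit"),
    ("meeting moved to 3pm tomorrow", "legit"),
    ("minutes from yesterday's standup", "legit"),
]

# The lure the attacker wants to get past the filter.
LURE = "urgent verify your account password"


def poison(samples, lure, copies):
    """Simulate an attacker with write access to the training data: the lure
    is appended several times with the wrong label."""
    return list(samples) + [(lure, "legit")] * copies


def label_conflicts(samples, threshold=0.8):
    """Integrity check to run on a training set before trusting it: flag texts
    whose token sets overlap heavily (Jaccard >= threshold) yet carry
    different labels. Returns the flagged texts, sorted."""
    toks = [(set(tokenize(t)), label, t) for t, label in samples]
    flagged = set()
    for i in range(len(toks)):
        for j in range(i + 1, len(toks)):
            a, la, ta = toks[i]
            b, lb, tb = toks[j]
            if la != lb and len(a & b) / len(a | b) >= threshold:
                flagged.add(ta)
                flagged.add(tb)
    return sorted(flagged)


def classify_with(samples, text):
    model = NaiveBayes()
    model.train(samples)
    return model.predict(text)


if __name__ == "__main__":
    print("clean model:   ", classify_with(CLEAN_TRAINING, LURE))
    poisoned = poison(CLEAN_TRAINING, LURE, 3)
    print("poisoned model:", classify_with(poisoned, LURE))
    print("conflicts:     ", label_conflicts(poisoned))
```

Three mislabelled lines out of eleven are enough to flip the verdict on the lure while leaving the model’s answers for other phishing and legitimate messages unchanged, which is exactly why a targeted poisoning attack is hard to notice from accuracy metrics alone. The conflict check catches it because the lure is a near-duplicate of a correctly labelled phishing sample; a more patient attacker would paraphrase, so in practice the check is one control among several, alongside access control and provenance tracking on the training data itself.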
There is no universally accepted ethical system for AI. AI can be used for social good, but it can also be used for other kinds of social impact in which one man’s good is another man’s evil. We must always remain aware of this.
Cybercriminals are leveraging artificial intelligence for malicious use, both as an attack vector and as an attack surface, according to a joint report by Europol, the United Nations Interregional Crime and Justice Research Institute (UNICRI) and Trend Micro:
“We expect to see criminals exploiting AI in various ways in the future. It is highly likely that cybercriminals will turn to AI with the goal of enhancing the scope and scale of their attacks, evading detection, and abusing AI both as an attack vector and an attack surface.
We foresee that criminals will use AI to carry out malicious activities to victimize organisations via social engineering tactics. Using AI, cybercriminals can automate the first steps of an attack through content generation, improve business intelligence gathering, and speed up the detection rate at which both potential victims and business processes are compromised. This can lead to faster and more accurate defrauding of businesses through various attacks, including phishing and business email compromise (BEC) scams.
AI can also be abused to manipulate cryptocurrency trading practices. For example, we saw a discussion on a blackhatworld[.]com forum post that talks about AI-powered bots that can learn successful trading strategies from historic data to develop better predictions and trades.
Aside from these, AI could also be used to harm or inflict physical damage on individuals in the future. In fact, AI-powered facial recognition drones carrying a gram of explosive are currently being developed. These drones, which are designed to resemble small birds or insects to look inconspicuous, can be used for micro-targeted or single-person bombings and can be operated via cellular internet.”
According to a recent article by Trend Micro (https://www.trendmicro.com/en_us/research/20/k/the-dangers-of-ai-and-ml-in-the-hands-of-cybercriminals.html), “AI and Machine Learning (ML) technologies have many positive use cases, including visual perception, speech recognition, language translations, pattern-extraction, and decision-making functions in different fields and industries. However, these technologies are also being abused for criminal and malicious purposes. This is why it remains urgent to gain an understanding of the capabilities, scenarios, and attack vectors that demonstrate how these technologies are being exploited. By working toward such an understanding, we can be better prepared to protect systems, devices, and the general public from advanced attacks and abuses.”
References:
https://securitybrief.co.nz/story/cybercriminals-are-leveraging-ai-for-malicious-use
Well, it seems that this second blog was longer than expected, and we have not touched on digital transformation, supply chain or MSSPs. Watch for our third blog on those topics. It seems that 2021 and 2022 will be years to watch for information security.
[1] https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/
https://www.softwaretestinghelp.com/iot-devices/
[2] https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/
[3] https://brill.com/downloadpdf/journals/eccl/28/2/article-p121_121.xml