
Cybersecurity Predictions for 2021 from the (ISC)² Community of Security Professionals (Part 3)

Mar 12, 2021

By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP

John Martin, CISSP-ISSAP, CISM

Richard Nealon, CISSP-ISSMP, SSCP, SCF

In part one of this blog, we discussed privacy, remote access aka work from home (WFH), insider threats, data leakage, zero trust architecture (ZTA) and security architecture. In part two of the blog, we discussed Edge Computing, 5G, IoMT/IoT, AI, and ransomware.

Now, in the third month of 2021, we foresee issues related to the supply chain (both consumer goods and security vendors), digital transformation and digital health vaccine passports.

Supply Chain (Consumer Products)

As 2020 progressed along with the COVID-19 pandemic, we began to see a slowdown in the delivery of consumer products. As Diana Contesti says, “I ordered a new stove in July of 2020, and finally took delivery in early February 2021. I was told that the vendor could not source all the required parts due to manufacturing and shipping issues.” We also saw certain products become scarcer or more expensive as 2020 went on. As 2021 opens, we are still seeing this trend: goods in short supply, or goods simply costing more. We expect it to continue throughout 2021.

According to the WEF ( https://www.weforum.org/agenda/2020/09/how-to-build-supply-chains-fit-for-the-future/ ), protectionism is likely to make supply chain resiliency harder to attain, and costs are predicted to increase with it. Consider the current situation in the United Kingdom with the new variant of COVID-19: despite the ongoing Brexit discussions, all borders to the U.K. are being shut down, denying it essential food and medical supplies. Yet the U.K. is actively rolling out vaccines for its population. The article goes on to say: “One obvious lesson from the pandemic is that digital capabilities such as predictive modelling, big data and partner integration are driving business flexibility. When things are relatively stable, those digital capabilities provide a competitive advantage. In times of disruption, they give companies the ability to optimise schedules, ports, modes, vendor, and other variables, adjusting on the fly to events that could otherwise prove calamitous, even ruinous.”

Addressing Supply Chain Risks:

  1. Always select vendors with care
  2. Assess your readiness
  3. Boost cyber resilience
  4. Have a run book handy

Supply Chain (Security Vendors)

Throughout 2021 and 2022, we foresee a shrinking of the supply chain (fewer vendors to manage). This will be likened to the old Computer Associates model (one supplier for everything), and we will see big players gobble up smaller niche providers to meet customer demand.

How will this work given the current situation with the apparently state-based attack against FireEye? FireEye, a security company of 25 years' standing, had its open-source security tools obtained via an advanced API attack. Analysis quickly followed, with the realisation that a large number of global organisations had been compromised. Many global companies and government systems were compromised to such an extent that the only way forward was to “burn their systems down” and start again. These attacks will continue into 2021 and will increasingly be targeted against nations' critical infrastructure. Without power, essential services cannot run, which disrupts communications and potentially causes the deaths of people who need medical supplies. Add to this ransomware extortion attempts with very heavy demands; the world cannot go on allowing such cybercrimes, even if they are state funded or carried out by proxies as fall guys. The world needs to unify against such threats, and to ensure through global agreements that law enforcement, tracking and tracing can be carried out to protect nations' welfare.

No single security vendor can hope to win the cybersecurity battle that is unfolding around us, almost invisible to many, at different levels. To win this battle between legitimate business and cybercriminals, the good guys need to put aside old grievances and collaborate openly for the greater good of society. This means alliances will be formed to help everyone protect organisations and our place in society, with openness via open-source software and openly integrated and shared APIs.

Sharing security intelligence, via integrations and APIs between vendors' respective solutions, means a new world of collaboration and openness, in recognition that no single organisation can solve or break the hold of cybercriminal activity on its own. It has to be a joint affair. There are major collaborations going on in the background to share security intelligence, which is badly needed given the great number of new vulnerabilities arising or being developed by criminal elements.

A good example is the Global Cyber Alliance: https://www.globalcyberalliance.org/

The old-world routine of throwing resources at problems in the shape of human beings has led to an overall shortage of skilled people, to the point that we need artificial intelligence to augment and train new blood to assist organisations on this never-ending battlefield.

One attack that has already occurred, and is likely to recur in 2021, is the compromise of Managed Security Providers (MSPs). With limited funding and investment, many assume it will not happen to them, but they are in fact prime targets: getting in can be as easy as creating a false company, signing up for services and hiding one's activities, whilst compromising the very clients the MSP is attempting to protect. Security needs to be everywhere, including at MSPs, which must ensure their own security controls are not compromised so that their reputation is not tarnished through negligence.

Supply chain risk has definitely come home to roost via the FireEye and SolarWinds situations, which are still playing out at the present time. This is now a classic example and a wake-up call for organisations worldwide. Look at the recent New Zealand Reserve Bank incident, where a third-party supplier, Accellion, was providing a legacy secure file sharing service that was compromised, and the resultant actions taken: https://www.rbnz.govt.nz/our-response-to-data-breach

Digital Transformation

Digital transformation is in fact organisational transformation; a full explanation and its benefits can be found at https://ibm.co/3l0fF1D

The downside of digital transformation is the lack of visibility of exactly where the organisation's data assets reside; once a digital transformation commences, data very easily becomes detached and fragmented all over the place. These transformations leave organisations vulnerable to ransomware attacks and misconfiguration, which may lead to data disclosure and privacy breaches.

However, like many things in this world, everyone has a different interpretation. We are really interested in the after-effects, which result in data being distributed widely amongst cloud service providers, whether public, private or even data centres, while many organisations have no visibility of what controls are in place to protect their clients' data and their own. This has led to situations whereby organisations have no real-world view of exactly how their data is protected, and no clear idea of their own responsibilities from a legislative perspective, let alone the cloud provider's responsibilities. There have been many instances of AWS S3 buckets or Microsoft Azure storage blobs being leaked via misconfiguration. Data is becoming highly fragmented and widely distributed, and in many cases organisations are driving for the benefits of data analysis and of cost reductions through a pay-for-what-you-use model rather than owning the infrastructure. Security and privacy have to be built in by design from the outset; they cannot be left to the end of the transformation project.

This area is becoming increasingly associated with ransomware attacks. As more organisations move their data into cloud providers' environments, they must understand their responsibilities and the value of their data assets, and ensure they have complete visibility of what controls are in place wherever that data resides.

Privacy within modern vehicles – global police forces are finding that the amount of smart information available within a modern car, i.e., the equivalent of a smartphone, can actually assist them in resolving crimes through forensic investigations:

https://www.nbcnews.com/tech/tech-news/snitches-wheels-police-turn-car-data-destroy-suspects-alibis-n1251939

It’s clear that everything we have discussed in this three-part blog is inter-related and must all be considered when an infosecurity professional sits down to determine what the corporate architecture should look like, or even which tools they will attempt to budget for.

The National Security Agency (NSA) has recently released some interesting guidance on “Zero Trust,” and several of the use cases include digital transformation, and supply chain attacks.

Additional guidance here:

https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2515176/nsa-issues-guidance-on-zero-trust-security-model/

Another alarming issue is the protection of Critical Infrastructure and Operational Technology, as highlighted in the IBM X-Force Threat Intelligence Index for 2021:

https://www.ibm.com/security/data-breach/threat-intelligence

The number one threat is ransomware, and the second most attacked industry is manufacturing, so heed our predictions well – they are on par with what is going on globally.

Digital Health Vaccine Passports

New in 2021 is the concept of digital health vaccine passports, being developed by many nations. This will be controversial, with calls of discrimination from those who feel that everyone will be unfairly scrutinised, and the usual effect will be that people rebel unless this is handled very maturely and respectfully for all global cultures. However, many others just wish to return to the old ways of making capital gains, denying the many lessons learned, before the next variant of COVID-19 is identified and found to be resistant. This will not be an easy journey for many; even if you do want to go abroad soon, it could take a lot longer. We foresee the need for this type of document beginning in 2021 and most likely extending into 2021. Like regular passports, due care will need to be taken to ensure that they are not easily forged.

These passports, or the lack of them, will have an effect on the supply chain for consumer products.

We have covered several issues in our three blog posts, and we would like your input on our hits and misses. We will come back in the August/September timeframe to review these predictions and may make some new ones.