
RETHINKING SECURITY PREDICTIONS FOR 2020 FROM THE (ISC)² COMMUNITY OF SECURITY PROFESSIONALS

Jul 23, 2020

By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP and John Martin, CISSP-ISSAP

In February 2020, we put together our thoughts on Security Predictions for the upcoming year in a two-part series (Part 1, Part 2). Little did we know that COVID-19 would happen and change the way people work in our organizations, and the way we as security practitioners work.

In our original blog, we suggested that the following issues would be of concern to the industry:

  • Data Privacy changes
  • Lack of secure coding practices
  • 5G and WiFi-6
  • Phasing out passwords
  • Lack of perimeters
  • Backups and their role with ransomware

We believe that we got several predictions right. However, due to COVID-19, we have moved a few to 2021 or beyond, increased concern over a couple and added two new ones.

Predictions Moved to 2021

Lack of secure coding and development techniques

We still feel that many organizations want development to happen as quickly as possible, but focus on this key issue may be delayed until mid-2021. It is still critical that security be built into the Software Development Life Cycle (SDLC) beginning in the design phase and carried through each subsequent phase. This means actively introducing SecDevOps into the DevOps SDLC, especially where organizations have adopted Agile methodologies and the culture that comes with them.

Phasing out of passwords and what that would mean to the industry. Is the replacement secure enough?

This is still a valid concern for the balance of 2020, and the concern is rising due to COVID-19 and the surge in remote workers. However, we do not feel that this will be a priority for organizations until early 2021. The human-factors guidance in NIST SP 800-63B should be followed.

Ongoing Predictions for 2020

Internet of Things (IoT), Industrial Internet of Things (IIoT) and Operational Technology (OT) related to the state of digital certificates

This area is beginning to explode, and we only expect it to continue to grow in 2020. We have seen estimates that by 2025 there will be 25 billion connected devices with a financial value of $1.1 trillion.

This issue is becoming increasingly important as more people are working from home using these devices to connect not only to the corporate backbones but also to Industrial Control Systems.

Agencies are beginning to develop standards for the security of these devices. ETSI has just announced their standards and we expect to see standards coming from other agencies.

It is also fast becoming a privacy issue. The FBI released an advisory on Black Friday (the day after Thanksgiving in the United States) because of the vast number of smart devices being purchased with no knowledge of their default security settings, e.g. direct connections to the Internet via Wi-Fi, Bluetooth and traditional 3G/4G communications systems, which allow bad actors to access cameras and speakers and potentially introduce malware into the affected systems.

We see this as being an area of concern in 2021 and for several years thereafter.

Backups will play a key role in preventing ransomware

With the advent of COVID-19, we believe this area has risen in concern for organizations (or at a minimum should be rising), and we believe that resources are well spent on backups that can be used to prepare an organization for a potential attack.

Since March of 2020, there has been a huge increase in ransomware attacks against various organizations; unfortunately, many of them have been medical facilities. Backups (potentially including cloud sync) should be emphasized as a preventative measure against ransomware, but always ensure the storage systems are working correctly. Any anomalies must be investigated promptly.

We advise organizations to:

  • Educate their users
  • Have a regular schedule for backups
  • Do not pay the ransom. Paying the ransom just emboldens the cybercriminal to do further damage, because they know you are willing to pay up and are not resilient.
  • Be careful about cyber insurance as some cyber-criminals are double dipping and extortion attempts are flourishing.
  • Ensure you are prepared with Incident Response Plans, which are regularly tested, and Public Relations announcements updated accordingly.

Lack of Perimeters

Perimeters are quickly evaporating as organizations have sent employees home to work remotely and will most likely be doing so for the foreseeable future. We believe that organizations will be focusing on contracts with their suppliers and that more focus will be placed on controlling gaps. Privacy issues are also arising due to the amount of PII being handled by employees via their home systems. A lot of organizations are evaluating Zero Trust Security principles and methods of protecting data assets wherever they reside, i.e. at home, within organizations, in data centers or even in the Cloud.

Data Privacy Changes

Data Privacy has exploded in ways that we never expected. New laws are continuing to be developed and implemented.

The California Consumer Protection Act (CCPA 2018) became effective July 1, 2020, so we have not yet seen fines issued under it. States and countries are implementing new Data Privacy laws, so security professionals must continue to track what is happening.

At an extremely high level, the key points that we are seeing across all these new laws include:

  • Corporations must assign responsibility for data privacy to one individual (the laws all call the role by different names, but they are basically the same)
  • Data breaches must be reported to the appropriate department
  • A user’s rights regarding information about them are defined
  • The rights of children (typically those under 14) are defined
  • What the corporation holding the data can and cannot do with it is detailed

We foresee Data Privacy being a concern for Security professionals going forward and our best advice here is to continue to adhere to the CBK for the CISSP or SSCP when attempting to protect user/customer data.

5G networks and the high speed of WiFi-6

High-speed telecommunications networks with great bandwidth and speed capabilities are being introduced in many countries, and there has been a growing fear of radio communications technology, resulting in the burning down of cell towers, especially within heavily populated communities. The issue has been promulgated via social media outlets like Facebook, WhatsApp and Instagram, causing some mass hysteria. 5G systems have been deployed within lamp posts in Europe, using 23-centimetre frequencies (very short range and line of sight) with very low power.

New Predictions

Remote Access – Work from Home

In February 2020, we understood that some people did work from home and that corporations and security folk were looking at technologies that would meet not only the companies' needs but would also provide both security and privacy with respect to the data.

In mid-March, many organizations sent employees home to work and there was a sudden explosion in the need. The need covered not only email but also remote access to data (financial, medical, manufacturing systems, ICS, etc.) and remote meetings.

Some organizations were okay, as they had technologies in place to handle meetings, but others relied on technologies like Zoom, Slack, TikTok etc. We have seen the stories of data leakage on some of the available technologies, including the siting of servers within China and Russia; manufacturers have guaranteed fixes.

Amazingly, internet bandwidth (at least in the Americas) has been able to handle the load.

However, there are still issues that we believe will plague security and privacy folk alike:

  • Who is seeing the data on the home screen?
  • Who can access the data from the home computer?
  • What anti-malware is in place for those computers?

These and others were concerns prior to COVID-19 and have not been answered.

It is our feeling that remote access or work from home will continue for a number of months more, and organizations will be hit with breaches related to the data (be it ransomware, malware or other security breaches).

Edge Computing

Edge Computing was launched during 2020. It is a distributed computing paradigm that brings computation and data storage closer to the location where it is needed, to improve response times and save bandwidth. It also means that countries can decide to bring their data closer to their nations, ensuring data sovereignty. However, it needs to be well managed and depends on a strong telecommunications management structure. Edge Computing is likely to make a positive contribution to both privacy and security controls within nations, and has a high probability of being adopted as more and more data analysis, Artificial Intelligence (AI) and Robotic Processing Analytics (RPA) are adopted globally.

Cyber Insurance

We foresee a growing demand for Cyber Insurance in the coming months and into early 2021. With more users working from home and the increase in Ransomware attacks in the last several months, organizations are looking to purchase insurance to ensure that they survive and do not close their doors.

We feel that Cyber Insurance could provide an organization with the resources needed to respond to an attack. Organizations will also seek out Cyber Insurance as privacy laws continue to be introduced: they are forced to assure that client data is protected, and they want a fail-safe to keep their doors open.

While we see an increase in the demand for this type of policy, we caution organizations to understand all the terms and conditions in the policy. Some policies dictate who can and cannot be used to investigate issues; they also detail what is and what is not covered. In one recent case (Mondelez), the carrier would not pay the organization, as it classed the attack as an “Act of War.”

Going forward, we believe that insurance providers will seek to limit their liability and we will see a much clearer delineation of events being covered.

Ransomware

Since COVID-19, we have seen an explosion of ransomware attacks. Unfortunately, these attacks have focused on the medical community.

We foresee the number of attacks increasing throughout the balance of 2020, further complicated by the increase in remote working and by BECs (Business Email Compromise), phishing, ransomware and insider threats. In fact, it has been reported that during COVID-19, ransomware, phishing and insider threats have increased and will continue to increase into 2021 and beyond.

One of the latest ransomware families, Sodinokibi/REvil, is being used to attack large firms and capture personal data about organizations and people. The group responsible is threatening to release the personal data unless its ransom is paid. We forecast that this trend will continue and increase in frequency, and that more data will be made available for sale on the Dark Web.

The best advice to security professionals is:

  • Ensure that adequate backups are taken and validated, wherever they reside: on tape, flash or even in the cloud.
  • Continue to educate ALL users (this includes senior management) about attackers capturing large amounts of data from organizations and threatening to release the personal data of individuals. Give positive recognition to employees who support security awareness programs and reward good behavior.
  • We still advise not paying the ransom.
  • If you purchase insurance, be wary that some scammers are now trying to double dip through extortion attempts.
  • Ensure your organization's Incident Response Plans actually work and are regularly tested.
  • Organizations need to plan for resilience, to reduce the likelihood of disruption to their business operations.

We believe we came close on our predictions, although we did not foresee the changes to some of them.

We recommend that practitioners look to the (ISC)² CBKs (CISSP, SSCP, CAP, CSSLP) for guidance on these issues and also look at the training offered by (ISC)² to help understand some of the techniques that can be leveraged to solve some of these problems.

If you do not have the time straight away to study, then (ISC)² offers a range of shorter express learning courses, which are free to members and are available to others for a fee. You can find these courses here: https://www.isc2.org/Development/Express-Learning-Courses