
Security Predictions for 2020 from the (ISC)² Community of Security Professionals (Part 2)

Feb 05, 2020


By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP and John Martin, CISSP-ISSAP

Continued discussion from Security Predictions for 2020 from the (ISC)² Community of Security Professionals (Part 1)

Internet of Things (IoT), Industrial Internet of Things (IIoT) and Operational Technology (OT): the state of digital certificates

  • The issue is not just self-signed or expired digital certificates. Many of these devices carry certificates that need to be issued, tracked, rotated and revoked through a key management system and maintained for the life of the device. Without such controls these devices can and will be compromised. Today the onus is on the consumer to work out whether what they are buying is actually secure, which is almost an impossible job. The CCPA 2018 and the related California SB-327 “Connected Devices” law make clear that manufacturers are responsible for ensuring their products can be maintained, secured and updated throughout their life.
  • This area will become a major concern in 2020, especially after the study on the state of the RSA certificates found on IoT devices: https://www.computing.co.uk/ctg/news/3084715/iot-encryption-weak?utm_source=Adestra&utm_medium=email…
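As an added example (not part of the original post), the following standard-library Python audits a constructed inventory of device certificates for exactly the problems above: self-signed issuers, expired or soon-to-expire validity windows, and undersized RSA keys. The certificates are built in-line by a small DER encoder and carry dummy signature bytes, so the device names, the “Acme IoT CA” issuer and the dates are made-up test data, not real products; a real key-management process would feed the same check from its inventory.

```python
"""Audit IoT device certificates for self-signed issuers, expiry and weak RSA keys.
Added example, standard library only. The certificates are CONSTRUCTED here with a
tiny DER encoder and carry dummy signature bytes; nothing in them is a real device."""
import datetime as dt

def der(tag, body):
    """Encode one DER TLV; long-form lengths up to 65535 bytes are enough here."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def der_int(value):
    # The extra leading byte keeps the INTEGER positive when its top bit is set.
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def utctime(t):
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def parse_tlv(buf, pos=0):
    """Return (tag, body, end) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Split a constructed body into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        out.append((tag, inner))
    return out

OID_RSA = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
NULL = b"\x05\x00"

def name(cn):
    """X.501 Name holding a single commonName (OID 2.5.4.3) attribute."""
    atv = der(0x30, bytes.fromhex("0603550403") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))

def sample_cert(subject, issuer, not_before, not_after, modulus_bits):
    """Constructed v3 certificate with an RSA key of the requested size and a dummy signature."""
    modulus = (1 << (modulus_bits - 1)) | 1       # odd value of exactly modulus_bits
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, der(0x30, OID_RSA + NULL) + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, der_int(2))         # [0] EXPLICIT version v3
              + der_int(1)                         # serialNumber
              + der(0x30, OID_SHA256_RSA + NULL)
              + name(issuer)
              + der(0x30, utctime(not_before) + utctime(not_after))
              + name(subject)
              + spki)
    signature = der(0x03, b"\x00" + bytes(32))    # dummy: would never verify
    return der(0x30, tbs + der(0x30, OID_SHA256_RSA + NULL) + signature)

def check_cert(cert_der, now, min_rsa_bits=2048, warn_days=30):
    """Return the list of findings for one DER certificate (empty list == clean)."""
    _, cert, _ = parse_tlv(cert_der)
    fields = children(children(cert)[0][1])       # tbsCertificate
    if fields[0][0] == 0xA0:                       # drop the explicit version tag
        fields = fields[1:]
    issuer, validity, subject, spki = (f[1] for f in fields[2:6])
    not_before, not_after = [dt.datetime.strptime(b.decode(), "%y%m%d%H%M%SZ")
                             for _, b in children(validity)]
    findings = []
    if issuer == subject:
        findings.append("self-signed")
    if now < not_before:
        findings.append("not yet valid")
    elif now > not_after:
        findings.append("expired")
    elif (not_after - now).days < warn_days:
        findings.append(f"expires in {(not_after - now).days} days")
    alg, key = children(spki)
    if alg[1].startswith(OID_RSA):
        _, rsa_seq, _ = parse_tlv(key[1], 1)      # skip the BIT STRING unused-bits byte
        bits = int.from_bytes(children(rsa_seq)[0][1], "big").bit_length()
        if bits < min_rsa_bits:
            findings.append(f"RSA key only {bits} bits")
    return findings

def audit_fleet(fleet, now):
    """fleet: {device_id: cert_der} -> {device_id: findings} for devices with issues."""
    return {dev: f for dev, c in fleet.items() if (f := check_cert(c, now))}

AUDIT_TIME = dt.datetime(2020, 2, 5)
SAMPLE_FLEET = {   # constructed inventory; device names, CA name and dates are made up
    "cam-01": sample_cert("cam-01", "Acme IoT CA", dt.datetime(2019, 6, 1), dt.datetime(2021, 6, 1), 2048),
    "cam-02": sample_cert("cam-02", "cam-02", dt.datetime(2018, 1, 1), dt.datetime(2019, 1, 1), 1024),
    "plc-07": sample_cert("plc-07", "Acme IoT CA", dt.datetime(2019, 3, 1), dt.datetime(2020, 2, 20), 2048),
}

if __name__ == "__main__":
    for device, findings in audit_fleet(SAMPLE_FLEET, AUDIT_TIME).items():
        print(device, "->", "; ".join(findings))
```

Run against the constructed fleet, cam-01 is clean, cam-02 is reported as self-signed, expired and carrying a 1024-bit key, and plc-07 is flagged as expiring in 15 days. The parser deliberately handles only the fields the audit needs; a production check should use a full X.509 library and add revocation status.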

Phasing out passwords and what that would mean for the industry: is the replacement secure enough?

  • In an increasingly connected, high-speed world, passwords need to go. They are cumbersome and error-prone, and weak, reused or phished passwords are the route into many compromised systems.
  • According to the World Bank, digital identity is an economic driver for every nation, regardless of whether the nation uses a centralised trust network or a self-sovereign (user-centric) identity approach. Trust and identity go hand in hand.
  • It is suggested that 80% of the world’s passwords are compromised.
  • Online users have in excess of 90 accounts, each requiring a separate password.
  • It is estimated that 51% of all passwords are reused.
  • The average cost per help-desk interaction for a forgotten password is US$71.
  • We need passwordless authentication, and for higher-assurance requests at least two-factor authentication, across a wide range of applications and apps.
  • An improved focus on human factors in authentication design, as NIST SP 800-63B recommends.

Backups will play a key role in limiting the damage from ransomware

  • Limiting the damage from ransomware comes down to organisational preparedness, as witnessed in the past few months in the U.S. and elsewhere. Ransomware has a devastating effect on the ability of companies and agencies to operate, including airports, health organisations and critical services. Having backups is essential, but how an organisation actually copes with a ransomware extortion attempt matters just as much.
  • Emphasise backups (potentially including cloud sync) as a safeguard against ransomware, but verify continuously that the backup systems are working and that restores actually succeed. A sync folder will faithfully replicate files the ransomware has just encrypted, so keep versioned copies and at least one copy offline or immutable. Any anomaly must be investigated promptly.
  • The message to all organisations is to be prepared, and do not pay the ransom. Paying only encourages the cybercriminal to do further damage, because it shows you are willing to pay and are not resilient.
  • If you have cyber insurance and use it to pay the initial demand, it can make the organisation an even larger target: it shows the attacker you have insurance and are prepared to use it to buy yourself room to cope with the operational disruption. There is also no guarantee the criminals will honour the deal and actually hand over the key to decrypt your data.
  • Compromised IoT embedded systems and essential operational systems could just as easily be used to trigger further extortion demands from within the organisation’s infrastructure, without the organisation realising it.

Lack of Perimeters

  • Whether you are contemplating private, public or hybrid cloud to obtain high-grade services such as artificial intelligence, robotic process automation (RPA), big data or the latest mobile applications, you should be driven by who accesses your data, what they access, where and when, and whether that access is authorised.
  • The sooner people and organisations realise that there is “no perimeter” any more, the better: wherever their data exists, appropriate security controls need to be applied and maintained.
  • Segregation and separation of data needs to be enforced and controlled regardless of whether the data is held in cloud-based applications, in containers or in microservices.
  • External and internal security testing of applications, built into the software development life cycle, needs to be carried out and not swept under the carpet.
  • Software-Defined Wide Area Networks (SD-WANs) are becoming the norm. They should be deployed as part of a “Zero Trust” security philosophy, which is a journey that organisations must undertake and drive to completion.
  • Do not depend entirely on your cloud provider contract. Understand the provider’s responsibilities under the shared-responsibility model, be prepared to control the gaps yourself, and protect your organisation’s and your clients’ data.
  • There will be an increase in the use of digital certificates, so key management for every service will be essential.
  • It is suggested that nation-state actors will continue to spread disinformation through online platforms operated by Silicon Valley giants.

The group came up with quite a list of issues that practitioners will face in 2020, some very close to what vendors are predicting, but looked at from a practitioner’s point of view: what should I do, what shouldn’t I do, where do I find advice, and who can I talk to?

We recommend that practitioners look to the (ISC)² CBKs (CISSP, SSCP, CAP, CSSLP) for guidance on these issues and also look at the training offered by (ISC)² to help understand some of the techniques that can be leveraged to solve some of these problems.

If you don’t have the time to study, (ISC)² offers a range of shorter Express Learning courses, which are free to members and available to others for a fee. https://www.isc2.org/Development/Express-Learning-Courses

Collated by Diana-Lynn Contesti and John Martin on behalf of the (ISC)² Community.