Looking Ahead to 2019: Breaches, Regulations and MoreA Summary of the Best Predictions for Next Year
What's ahead for the cybersecurity landscape in 2019? We've received many lists of predictions from vendors and analysts for next year, and we've picked out five of the most interesting ones.
See Also: You've Got BEC!
Paul Barnes, senior director of product strategy, Webroot:
"There will be a state-sponsored service breach of critical infrastructure leading to loss of life and an extended time frame to return to normal operations."
This scenario has been creeping closer to reality. The attacks against Ukraine's power grid in 2015 and 2016 were among the first and most notable examples of how a targeted cyberattack could disrupt critical infrastructure. Those attacks, blamed on a suspected Russian-linked group nicknamed Sandworm, fortunately only resulted in a loss of power and not life. But industrial control systems remain a big concern for national governments. And there's a chance that even if attackers don't intend for their attack to have fatal consequences, fatalities result nonetheless. Fingers crossed (see: Power Grid Malware Platform Threatens Industrial Controls).
Morey Haber, chief technology officer, and Brian Chappell, senior director, enterprise and solutions architecture, BeyondTrust:
"Privileged attack vectors will continue to be the number one root cause of breaches for both consumer and business data. While Gartner has acknowledged that privileged access management is the top security priority for 2018, many organizations are still in denial of their privileged account risks, which frequently stem from poor password management hygiene. 2019 will see even more high-profile breaches. Organizations must discover and manage their privileged accounts because the attack vector is not going away anytime soon, and ugly newspaper headlines will continue to plague boardrooms."
We're written a lot of those ugly headlines this year. Our modest in-house prediction is that we're not going to have any problems finding plenty of those headlines to write in 2019. The risk of takeovers of privilege accounts is one of the greatest challenges facing organizations. Better password management should be a top priority, as well as regular reviews of access controls, deactivation of unused accounts and behavioral monitoring to detect if something strange is going on. But it's a mighty complicated task, and not everyone is going to get it right every time.
Bogdan Botezatu, senior e-threat analyst, BitDefender:
"Here's a positive prediction for a change: Thanks to the EU's renewed efforts to protect personally identifiable information - in the form of the General Data Protection Regulation that took effect in May this year - we should expect fewer 'credential leaks' to occur, or, at least the very least, make the headlines. Security incidents will be more thoroughly contained at an organizational level in an effort to avoid penalties that could forces a business into bankruptcy."
We hope GDPR is driving better account credential storage and security practices. But while larger companies were somewhat ready for GDPR when it went into effect in May, mid-size to smaller ones were still trying to understand and implement its requirements. Undoubtedly, GDPR is proving to be a big motivation to improve IT security, but we think this prediction may be too rosy - as much as we'd like to see fewer credential leaks. At minimum, organizations should use bcrypt for hashing passwords, because it makes it much more difficult for attackers to discover plain-text passwords (see: Fighting Credential Stuffing Attacks).
Tom Kellerman, chief cybersecurity officer, Carbon Black:
"For my semi-bold 2019 prediction, I'm saying that steganography (the practice of concealing a file, message, image or video within another file, message, image or video) makes a comeback."
Steganography is an ingenious practice that stretches back centuries. It involves the concealment of something - like a message or code - in a way that's only decipherable to those in the know. Steganography perfectly applies to software. A few years ago, a version of the notorious Zeus banking Trojan retrieved a crucial configuration file embedded in a jpeg photo. Placing malware components in what appear to be harmless files gives attackers another tool to conceal their activity. The key to keeping persistent access to organizations is staying under the radar, and steganography can help.
The analysts at Forrester:
"The California Consumer Privacy Act will spur other U.S. states to enact privacy laws. While not as comprehensive as the EU's General Data Protection Regulation, California's Consumer Privacy Act of 2018 does give residents some powerful privacy rights. ... Despite recent murmurs from the Senate Commerce Committee, federal government dysfunction means that there's virtually no chance of a comprehensive national privacy law in the next three years. We predict that, by the end of 2019, at least five additional states - including Massachusetts, New Jersey, New York, Vermont and Washington - will pass their own privacy laws, creating a patchwork of rules for firms to comply with. ..."
The freewheeling days of companies selling and sharing personal data with third parties may be coming to an end. In the wake of Facebook's data breaches, Google's problems with its social network and a raft of other personal data leaks this year, lawmakers and the public are increasingly calling for better security, transparency and accountability.
California's Consumer Privacy Act is the strongest among the 50 states. But a mix regulations across the states mean some consumers have more rights than others, which is a landscape that also makes compliance difficult. A federal privacy law that reflects the prevailing wisdom of privacy experts would give companies and consumers reassurance. As Forrester points out, however, that's not likely in the cards. President Donald Trump's administration has sought to reduce regulations, and a Republican-controlled Senate is unlikely to embrace what would be a complicated law that would invariably increase costs on companies (see: Analysis: California's Groundbreaking Privacy Law).