Cyber security in 2021: A White-hat hacker’s view
Mon 15 Feb 2021 | Marc Rogers
Okta’s Marc Rogers assesses looming dangers in supply chain security, IoT and smart devices, evolving attacks and the real aftermath of remote work
With chaos and uncertainty reigning, 2020 created near-perfect conditions for cybercriminals. The COVID-19 pandemic transformed the way we live and triggered a mass migration to digital channels as companies virtually replaced in-person interactions for employees and consumers alike. Over ten months in, the pandemic rages on, and cyber security threats are accelerating.
While vaccine distribution is underway, the pandemic’s economic and social fallout will take time to mend. Threat actors see opportunity during turbulent times, which is why the world, including institutions from hospitals to schools, faced unparalleled cyber threats last year.
By November, more than 28,000 common vulnerabilities and exposures (CVEs) were recorded, not to mention the countless ones that went unreported.
Unsurprisingly, as initial concern began mounting surrounding the pandemic, the first quarter of 2020 saw a 61% uptick in targeted attacks compared to the last quarter of 2019.
As malware, DDoS, and phishing threats grew steadily, security professionals were on high alert all year, scrambling to protect hospitals at the height of the pandemic, and shield businesses after a rapid shift to remote work and digital-first experiences for consumers.
2020 wrapped up with the largest cyberespionage campaign in history, highlighting deep flaws in how we manage supply chain security. So, after a year of high stakes and alarming new records, here’s what I predict 2021 will bring:
Supply chain security becomes more vital than ever
Every organisation, whether public, private or federal, uses suppliers. Be it for software production or logistics management, these suppliers are given unprecedented levels of access through the very nature of their roles, from the organisation that coordinates logistics of moving products around to providers that supply automation to build critical software products. The sum total of how good your organisational security is may boil down to how well a company 3,000 miles away manages its own security.
The fact that the Solarwinds cluster of incidents were so overwhelmingly effective means two things for 2021. The first is that we should expect more supply chain attacks. Once a technique proves to be successful, it is invariably repeated and copied.
The second is that smart organisations will begin to further scrutinise the pedigree of all suppliers and the software tools and components used to carry out their mission. While this may seem obvious, it is clear that very few companies have a good picture of exactly which third parties have access to their business.
The real aftermath of remote work arrives
After a sudden shift, remote work is now here to stay. But if companies continue allowing employees to work remotely, they must tackle the technical debt left behind from the urgent shift to remote infrastructures.
According to IBM, around two-thirds of C-suite executives said the pandemic accelerated their digital transformation plans. This acceleration often involved substantial architectural changes, leaving critical security vulnerabilities exposed.
Given these new and unprotected vulnerabilities, the number of breaches is likely to increase in the coming year. Since the switch to remote work, no major data breaches have yet originated from an individual employees’ house and personal technology. That’s likely to change in 2021 as threat actors target unprotected perimeters.
As they adjust, we’ll also see more companies adopt intelligent, dynamic security architectures such as zero trust. IBM also found that 76% of executives aim to make cyber security more of a priority over the next two years, and almost half expect to use advanced technology like AI to protect their businesses from threat actors.
While embracing new remote working norms creates a workforce more resilient to business continuity challenges, it also poses new problems. Traditional infrastructure like telecommunications focused on urban centres and traditional workplaces.
ow, networks in small towns face loads nobody imagined a year ago, and cellular stations further from large commercial centres receive more traffic than those in former business parks and co-working locations. Likewise, business-critical traffic is passing over networks not factored into pre-2020 plans, posing substantial challenges.
IoT and smart devices mature
With more remote workers, personal IoT and smart devices will pose more significant threats to corporate security. Given how much time we spent at home this year, we’ve grown more accustomed to these devices. They automate our lives, entertain us, and even monitor our health.
Smart devices’ medical-grade sensors now track users’ activities and medical data, like heart rates and oxygen levels. But do those who use or even create these devices know where this data goes? How it’s managed or secured? Even with these questions unanswered, the smart device market keeps growing.
This means IoT will begin to mature from a security standpoint as new frameworks and policies across countries emerge. The UK offers Secure by Design, a set of resources for securing consumer smart devices. Across the pond, the US Senate recently passed a bill that mandates security requirements, like identity management and configuration management, for IoT devices purchased by the government.
Other countries, including Australia and Malaysia, are also working to formalise security frameworks and expectations. These all address similar problems, like ensuring users don’t rely on weak default passwords and manufacturers adopt bug programs. This will push manufacturers to implement stronger security measures for new devices in the coming years, but what about the millions of devices left behind?
New guidelines and more robust policies signal that we’re making progress with IoT security, but they’re not a silver bullet. And this market will continue to grow as consumer demand and expectations increase.
Attacks will continue to evolve, but so will our ability to assess them
Next year, new areas of the security industry will come into their own, especially those focused on developing our ability to monitor and assess the new attack surface. With so many workers who have privileged access to sensitive data now scattered across the world, traditional security approaches hardly work or simply fail.
We faced many challenges this year in securing a distributed workforce, combatting surges in ransomware and phishing, and battling targeted attacks on essential industries. But these challenges will give rise to a new wave of innovation. Behavioural analytics, device identification, and intelligent risk management will be critical areas of focus for the industry moving forward.
To say 2020 was a trying year is an understatement. But even with all of its challenges, many that are far from resolved, together we’ll continue to reckon with the year’s aftermath, sooner rather than later. Throughout everything, the resilience and tenacity of the security industry shone through and proved that we’re more prepared for new challenges than we think.
This year, I believe we have many of the necessary tools to tackle these problems. In many cases, it’s just a matter of time and technology. While we adapt, however, we need to make a commitment to drop the baggage from past years. Ransomware attacks are still trivial, causing unprecedented harm. Vulnerabilities appearing in the wild are still as basic as things like directory transversal attacks. As an industry, we must come together with governments, combine tools with policy, and confront some of these simple yet incredibly harmful problems, once and for all.