Foresight is a powerful human capability – and one that is integral to the field of cybersecurity. Today I revisit the predictions I made a year ago about what we could expect to see in this industry in terms of breaches, malware, regulations, and technological developments. I examine whether these predictions came to pass, to what degree, and why they did (or did not). I then make new predictions for 2020. Read on so you can plan for what these possibilities mean for your organization, its security, and the data it handles.
First off, I’ll own it; of the six predictions I made around this time last year, two did not precisely come true. Of course, that means a solid four did, which isn’t bad when you're trying to predict the future. Let’s look at the factors that contributed to each of them:
We talked about it on social, but don’t take our word for it – here’s the coverage. Cylance’s AI-driven prevention system from BlackBerry was duped, allowing the top ten worst malware infections to be whitelisted and get past this AI-driven defense. I need to clarify – this is not condemning the possibilities AI affords us; we’ve embraced this technology here at ActZero too. The difference is our hybrid approach of augmenting and enhancing our Threat Hunters’ capabilities and efficiency with AI. See my colleague Perry Kuhnen’s post on why we still need that human element.
While we did see targeted infections of ransomware at prevalent targets (including hospitals, municipalities, and government buildings, to name a few), none of these were based on radically new ransomware processes. While the names were new (like Ryuk, as delivered by Trickbot), their speed of encryption and infectiousness remained largely the same. It wasn’t a particular advancement in the software that enabled this, but the continued neglect of good hygiene practices, and the continued inefficacy of (solely) preventative security solutions. It’s ironic – this prediction may not have come to pass, yet the outcome remained largely the same.
That said, it may be that I was just a couple of months off: it sounds like the next generation of ransomware may have been created in the lab just last month – so it may be in the wild soon. Nyotron has demonstrated their ability to maliciously alter files (including encryption) without operating on the disk itself – strictly within the memory (RAM) – in a technique called RIPlace. Maybe I was just a little ahead on the timelines for this prediction?
We also haven’t seen ransomware specific to your virtual environment. So, strike two for me… but the rest are all hits! I’d add that while it may not have happened this year, I still think this type of ransomware variant is forthcoming.
While you may not have noticed a service disruption from it, the Capital One data breach perpetrated by Paige Thompson did come to pass in 2019 (she was indicted earlier this year) – this, to me, constitutes a successful prediction. But Adam, you might say, Capital One isn’t a cloud service provider! Allow me to explain: Thompson was an Amazon employee who breached potentially dozens of AWS clients, attributed to her unrestricted access as a malicious insider. According to coverage on the story, AWS had misconfigured their firewalls, enabling this malicious access to over 30 companies’ data. So, no service disruption, but a configuration error by a cloud provider, and multiple data breaches and cryptojacking of a cloud provider’s clients, perpetrated by a (former) employee of a cloud provider – sounds close enough to me.
Another successful prediction. My evidence? Microsoft snatching up the JEDI contract. Let’s face it; this ultimately boils down to a separate (stricter) internet for DoD and Intelligence departments in the US government (ok, maybe not "for all"). As for geographic blocking at the public level, sure, this hasn’t made its way to individual/consumer-facing ISPs, but firewall managers everywhere are doing this more and more for specific geographies that are outside where businesses are operating. Get ready for the downstream impact of this decision as it develops – could we be in for a revival of the mainframe at the national, corporate, or consumer cluster level? Probably not – but we have to consider what a stricter internet means in the balance of safety and access to public information.
While the ‘global’ label may not be there, we did see a record number of fines, and a host of new regulations inspired by the EU’s GDPR, across the globe – with reach and enforceability that extends beyond national borders. Ahem, Facebook anyone? (I wrote a post back in February about what Facebook’s GDPR fine means for midsize enterprises.) Laggard legislators are catching up, and innovators are evolving and fine-tuning these regulations to enable rigorous enforcement. Which brings me to my first 2020 prediction…
Laggards will catch up – even the least developed nations will need to adopt privacy legislation in order to enable the mere presence of foreign companies in their economies. The UN even has a conference about this, and reports that only 21% of countries are without privacy/data protection legislation (with another 12% without data to protect). I predict that this gap will close this year.
On the other side of that coin, more developed (greater grossing) countries such as BRIC economies will ratchet up enforcement significantly. Expect this in two areas: data privacy and security at the business level for both domestic and international entities operating in these economies, and harsher sentencing for malicious actors in the cybersecurity space. My money is on both.
I predict that we’ll see a new type of hack, and one that will make social engineering even more convincing. Think about all those spam emails that come from “your CEO” – and how much more convincing it would be if there were a video of them instead! Yes, the AI-driven deepfake stands to move beyond celebrity-impersonating pornography, and into the world of social engineering. While it may not be deepfakes specifically, having seen demonstrations of Google’s AI ‘phone operator’, which engaged in conversation convincing enough to have people believe they were talking to a real human, I see it as only a matter of time before impersonation becomes augmented by AI, one way or another.
Sure, everybody hates spam, and we got enough of it in 2019. But I predict 2020 will be significantly worse, as small to mid-size enterprises will be faced with more phishing attacks than ever before. We’ve been seeing this ramp up for a while – but in 2019 we saw a lot more chatter about spam in both Microsoft’s and Google’s support communities. As organizations of all sizes move their internal communications from email to other solutions (Teams, Slack, Hangouts, etc.), email providers will need to do more to innovate their way out of this problem – and SMBs will need to ensure they’re implementing what they can to protect their employees, partners, and customers.
There you have it – my cybersecurity predictions reviewed for 2019, and revealed for 2020! Agree? Disagree? Have predictions of your own? Comment below or on social media and tell me how you really feel! If you want to get ahead of these cybersecurity predictions, ActZero has services to combat these (and other) cybersecurity and privacy concerns.