Menu

risks

top cybersecurity risks trends and predictions for 2023

Top Cybersecurity Trends and Predictions for 2023

, , , , , , , , , , , , , ,

Without a doubt, 2022 has been such an eventful year in the world of cybersecurity. There were over 2.8 billion reported cases of malware attacks worldwide and over 236 million reported cases of ransomware attacks just in the first half of the year.

In 2022, the government of Costa Rica declared a state of emergency and Toyota was forced to shut its 14 factories in Japan, following different and several cyberattacks.

As we enter the last few hours of 2022 and look forward to 2023, cybersecurity remains top of the agenda for the leaders of several businesses and organizations worldwide.

It is, therefore, natural to start thinking about what the next year might bring in terms of cybersecurity trends and predictions, and help inform decisions on information security strategies and budgets.

Here are my top 10 cybersecurity trends and predictions for 2023:

Ransomware Attacks

Ransomware attacks, in which hackers encrypt a victim’s data and demand payment to decrypt it, have been a major problem in recent years. These attacks are likely to continue in 2023, as hackers find new ways to target businesses, organizations and individuals across different spectrums in different societies and cultures.

Remote Work Security

The shift towards remote work, accelerated by the COVID-19 pandemic, has created an increased need for secure remote access solutions. The nature of remote work is changing and more organizations are adopting policies and environments that allow their employees to carry out their respective tasks remotely more effectively.

In 2023, we can expect to see a continued focus on this area, as organizations look for ways to protect their networks and data while employees are working remotely.

Further developments in this area include the adoption of virtual private networks (VPNs) and other secure remote access technologies, as well as the implementation of strong authentication protocols and the use of multi-factor authentication.

Another major trend in this space is something known as Decentralized Security; a comprehensive network of proactive and reactive defenses with built-in machine learning features that monitor endpoints, identities, and access regardless of who the users are, what they do, or wherever they may be connected from.

Supply Chain Attacks

Supply chain attacks involve compromising the security of a third-party vendor or supplier to gain access to an organization’s systems or data. These attacks can be difficult to detect and prevent because they usually do not involve any direct interaction with the target organization.

Organizations can establish steps to mitigate against such attacks including implementing secure supply chain practices, conducting thorough random checks on their suppliers, and implementing incident response plans.

A recent policy statement published by the Bank of England outlines regulations that affect financial institutions regarding outsourcing and third-party risk management.

New Technologies & More Attack Vectors

As new technologies emerge, they will also bring new attack vectors for hackers to exploit. In 2023, we may see an increase in attacks targeting the internet of things (IoT), as well as attacks targeting emerging technologies such as 5G networks and quantum computers.

Artificial Intelligence and Machine Learning

Artificial intelligence (AI) and Machine Learning (ML) have already started to play a significant role in cybersecurity, and this is likely to continue in 2023. These technologies can be used to analyze large amounts of data and identify patterns and anomalies that might indicate a security threat.

One example of this is the use of AI and machine learning to analyze log data and identify unusual activity that might indicate a cyberattack. This can help organizations respond more quickly to threats and minimize the damage caused by an attack.

Regulation and Compliance Requirements

As cybersecurity threats continue to evolve and become more sophisticated, we are likely to see increased regulation and compliance requirements in the coming year. This may include new laws and regulations that require organizations to implement certain security measures, as well as increased penalties for organizations that fail to meet these requirements.

Last year, I wrote an article about the Digital Operational Resilience Act (DORA) regulation proposed by
the European Union (EU).

With DORA, the EU aims to harmonize and improve risk management and operational resilience within the financial sector across the region by addressing many of the issues that concern leadership, governance, and continued operations through a severe operations disruption as well as establishing an oversight framework for managing ICT critical third-party providers (CTPPs).

The Council of the European Union (i.e., EU Council) recently adopted DORA as policy across the region.

Evolution of Cyber Threats

Cyber threats are constantly evolving, and we can expect to see new types of attacks and tactics in 2023. As hackers become more sophisticated, they will continue to find new ways to target organizations and individuals.

To protect against these evolving threats, it will be important for organizations to stay informed about the latest developments in cybersecurity and to implement effective security measures. This may involve investing in new technologies and training employees to recognize and respond to potential threats.

Cloud Security Solutions

The use of cloud-based security solutions is likely to increase in 2023, as organizations look for ways to protect their data and systems in the cloud. This may include the use of Cloud Access Security Broker (CASB) services and other cloud security technologies.

Zero-Trust Security Models

Zero-trust security models, which assume that all users and devices are untrusted until proven otherwise, are likely to become more popular in 2023. These models can help organizations protect against insider threats and ensure that their networks and systems are secure.

We can expect more security products and services to be compliant with zero-trust models, satisfying all seven tents of the NIST 800-207 model on zero-trust, as an example.

Data Privacy and Protection

As more data is collected and stored online, the protection of personal and sensitive information will continue to be a major concern in 2023. Organizations will need to implement strong data privacy measures to ensure that they comply with applicable laws and regulations as well as protect against data breaches.

“How do we effectively protect our consumers’ information from unauthorized access, use, and abuse?” This is just one of many pertinent questions that information security and risk leaders must anticipate for the future and plan accordingly.

Cybersecurity Insurance

According to a recent report, the global cybersecurity insurance market size is expected to reach US$32.6 billion by 2028.

As the risks of cyberattacks continue to grow, we can expect to see an increase in the use of cybersecurity insurance in 2023. This type of insurance can helps organizations protect against the financial impacts of a cyberattack and ensure that they have the resources to recover from an incident.

We’re falling into this old habit of trying to treat everything the same as we did in the past… This simply cannot continue. We need to make sure that we are evolving our thinking, our philosophy, our program, and our architecture.

— Sam Olyaei, Gartner Analyst

In conclusion, 2023 is likely to see an increase in supply chain attacks, state-sponsored cyberattacks, a continued focus on the security of remote work, the emergence of new technologies and attack vectors, and the growth of ransomware attacks. However, it will also be a year for some organizations to derive benefits from their investments, preparedness, and innovations in information security and regulatory compliance best practices.

Why Cyber Kill Chain not Sufficient to Protect Your Organization

Why The Cyber Kill Chain Is Not Sufficient to Effectively Protect Your Organization

, , , , , , , , , , , , , , , ,

An epochal shift during the 21st century has led us to enter a new era of technological advancements, where cyber security has become vital in keeping an organization and business secure.

The rise of computers, telecommunications and the internet had opened the doors for cyberterrorism. Cyberattacks had become so rampant that they started to become a threat to the economy. Cybercriminals and hackers have also evolved their digital skills in stealing and destroying other businesses by breaching information security.

Having an effective security system to protect your organization is your best defense against cybersecurity threats. It does not only protect your business but your consumers and employees as well.

Investing in an efficient cybersecurity plan promotes risk management for monetary and reputational damage and ensures data integrity and confidentiality within your organization.

Ignoring cybersecurity is a grieve and an expensive mistake to make. Though it may not eliminate the risk of cyberattacks, a layered security approach can withstand cyber intrusion and assaults.

Lockheed Martin Cyber Kill Chain Framework

The Cyber Kill Chain is a stage-based framework (or methodology, if you like) originally developed by Lockheed Martin which traces the stages of cyberattacks. An adaptation of an established military defense operation, it is a part of their Intelligence Driven Defense Model that identifies vulnerabilities and prevent cyber intrusion activities.

This framework is named “Kill Chain” as it was adapted from a military term related to an attack’s structure. By stopping the attacker at any stage during the assault can break the chain of attack! The adversary must completely advance through all the stages to succeed. Each stage of intrusion will give us the chance to know more about the attacker and use their tenacity as our leverage.

The Kill Chain Framework works in 7 stages:

  1. Reconnaissance – The step where the targets are identified. Adversaries plans and research their target organizations. These intruders will use automated scanners to find weak points in the system. They could scan firewalls to create a point of entry in the system. Detecting the intruders during reconnaissance could be challenging, but it could help reveal the attackers’ criminal intents.

  2. Weaponization – The adversaries start staging their operation. After finding security vulnerabilities in the system, these attackers will develop malware. If their target is document-based, they produce a “decoy” file to present to the victim. They weaponize malware based on the attack’s intention. This is also the stage where adversaries could find ways to reduce their chances of being detected. The defender will not detect weaponization as it happens, but they can figure out the intent by investigating malware artifacts.

  3. Delivery – The adversaries start to launch their operations. The attackers will start sending the malware to the defenders. They will deliver the weapon through email phishing or a removable/portable device. This is a vital stage for the defenders. Blocking the operation should be prioritized at this point. This can be done if the delivery medium is analyzed or targeted servers are detected.

  4. Exploitation – Advancing to this stage is when the attackers start to gain access to their victims. The malicious malware was delivered and breached the secured parameter. Opening a phishing email attachment or clicking on a malicious link has triggered the “zero-day”, a phrase that refers to the exploit code. At this rate, custom capabilities are crucial to stop zero-day exploits. But traditional hardening measures could also help in adding resiliency to the security.

  5. Installation – The hacker, had already established a beachhead at the victim. The malware has installed a backdoor that will serve as a point of entry for the intruder. Some adversaries would ensure that the malware looks like a regular part of the installed operating system. In this stage, it is important to stop the attack by using systems such as the Host-Based Intrusion Prevention System (HIPS). It can alert or block common installation paths.

  6. Command and Control (C2) – The adversaries gain control of the system’s network. The malware has opened a channel of command to remotely manipulate the victim. They can gain access to secure and confidential accounts and could attempt damaging attacks. This stage is the defender’s last chance to block the attack. And this can be done by blocking the C2 channel. This will stop the adversaries from issuing a command to prevent further damage.

  7. Action on Objectives – The adversaries have reached their goals-the stage where the hackers have successfully extracted their needed data from the system. They gained the power to damage further, such as collecting user credentials, destroying the system, or overwriting and corrupting the data. The longer the hacker has access to CKC7, the greater the impact of the damage. This stage could be detected as soon as possible using forensic evidence and network packet capture.

cyber kill chain model

Key Elements of the Cyber Kill Chain:

The Cyber Kills chain was designed to assist companies in developing in-depth strategies for defense. By mapping out the steps that the hackers take to complete a cyberattack, organizations would be able to combat persistent cyber threats.

Since the Cyber Kill was derived from a military model, the main elements of this framework are established to identify adversaries, prepare for an attack, engage, and destroy a target. It can quickly identify and recognize social engineering, insider threats and innovative attacks.

Drawbacks of Kill Chain Framework

The Cyber kill chain is modelled to respond to pre-determined attack sequences. It has been universally adopted for cybersecurity. But like any other model, it is not perfect and has its fundamental flaws.

  1. The model assumes a perimeter focus defense where the main resistance is a firewall. It fails to cover other internal attacks and cyberattack vector paths.

  2. Cyber Kill Chain framework’s phase sequence cannot precisely block all attacks. Most of its phases can be easily bypassed.

  3. The framework only focuses on blocking an attack but fails to define what to do after the adversaries successfully breaches the system.

  4. Once the adversary was able to penetrate the victim’s system, the framework’s timing of the attack in every phase was inconsistent. Adversaries could easily stay dormant for a longer period while they wait for the opportunity to launch their final phase of attack without being detected.

Teams that say their cybersecurity is really good are the ones to worry about. After our breach, the most difficult issue was deciding when it was safe enough to come back online. I learned that really smart engineers can talk English, under extreme pressure.

— Dame Dido Harding, former CEO of TalkTalk

Other Frameworks with Similar Objectives Compared to the Cyber Kill Chain

MITRE ATT&CK vs Cyber Kill Chain

ATT&CK is an acronym that stands for Tactics, Techniques, and Common Knowledge.

The MITRE ATT&CK framework was designed based on observations in the real world. It reflects the different phases of an intruder’s attack lifecycle and the target platforms.

One could argue that there are Cyber Kill Chain and MITRE ATT&CK both share common views and understanding of cyberattacks i.e., most cyberattacks involve adversaries breaking into networks, avoiding getting detected, stealing as much data as they possibly can, interrupting as much network operations as they possibly can, getting out as quietly and stealthily as they got in, making hidden backdoor access available if they ever need to return, etc.

However, compared to Cyber Kill Chain, the Mitre ATT&CK framework maintains a matrix model that has more in-depth details on how the adversary will attack in each stage. Also, Cyber Kill Chain fail to factor in the different techniques and tactics of a cloud-native attack.

The Cyber Kill assumes that the attackers will deliver malware to a target environment but ATT&CK assumes that the adversaries may very well change their goals/objectives mid-way through an attack especially when the success of the attack appears either easier or more difficult than they had initially planned.

Yes, one could argue that the MITRE ATT&CK framework uses Situational Crime Prevention (SCP) techniques, a set of techniques which assumes that the goals/objectives of most adversaries are not linear but influenced/informed by opportunities, constraints, limitations, resistance, and situations presented to them by their targets during the execution of attacks.

Google BeyondCorp vs Cyber Kill Chain

BeyondCorp is an implementation of a zero-trust security concept that creates a zero-trust network. Designed to provide end-to-end real-time protection and platform security. It has embedded data built into the Chrome browser to prevent malware infection from networks and provide phishing-resistant authentication.

Unlike the Cyber Kill Chain framework, Google BeyondCorp “shifts access control from the traditional network perimeter to individual devices”. Its zero-trust access approach users to securely work with untrusted networks even if they are not using a client-side VPN.

NIST Cyber Security Framework (NIST CSF)

The National Institute for Standards & Technology (NIST) Cyber Security Framework (CSF) provides a set of structured standards and measurements for cybersecurity. The framework sets out “standards, guidelines, and best practices to manage cybersecurity-related risks.”

But the downside of the framework is that its 5 categories/elements i.e., Protect, Identify, Detect, Respond and Recover; fail to directly outline how it can dissect a cyberattack incident. It also fails to supply analytic markers to test the detection.

Nevertheless, the descriptive (and not prescriptive) nature of the NIST CSF has made it seem “business-friendly” and therefore, made it possible for the framework to be adopted by businesses and organizations of all sizes and across several industries, particularly organizations in industries that are guided by regulary controls and compliance requirements where industry-uniqueness and specificities are considered important.

data breach

In conclusion, there is no one defense framework or set of techniques that could be considered all-in-one sufficient for all cybersecurity defense requirements.

In a previous article, I had looked at how the proposed Digital Operational Resilience Act (DORA) could impact businesses and organizations once ratified and signed into law.

Given the significant penalties that would be imposed for non-compliance with DORA directives, it is perhaps reasonable to envisage that DORA could eventually have similar, if not greater, impacts in both the UK and the EU region as did GDPR, albeit with very different objectives.

Whilst some of these defense techniques may excel in certain aspects of information security, many of them are complimentary to each other and bring different or much enriched strengths to the conversation.

 

gdpr data regulations in the uk post brexit

GDPR Post-Brexit – The Data Regulation Frontier in the United Kingdom After Brexit

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Yes, Brexit is happening! The United Kingdom is scheduled to exit the European Union by the end of this month i.e. on 31 January 2020. And there are already loud callouts on social media for hundreds of thousands of people to gather in Westminster at 23:00 on 31/Jan/2020 to celebrate Brexit and usher in perhaps what you could call the “new and rediscovered” United Kingdom.

The General Data Protection Regulation (GDPR) came into force in May 2018 across all the European Union (EU) member states and the European Economic Area (EEA). The regulation requires businesses and organisations to protect the personal data and privacy of EU citizens. The regulation aims to give individuals greater control over their privacy, how their personal data is collected, stored, shared, and generally used.

Whenever there are data breaches or information breaches, the regulation requires that “culprit” businesses and organisations must report the events to authorities and inform individuals affected or impacted by such breaches, all within the stipulated time frame; usually within 72 hours of them finding out about the breach. The regulation imposes hefty penalties on non-compliance.

Perhaps it’s fitting to emphasise that the word “organisations” is used here loosely to include for-profit organisations, not-for-profit organisations, and government institutions and offices. Literally speaking, every type of organisation that handles or comes into contact with personal information of people in the EU is factored into the word.

GDPR Basics: Make sure you know what information you hold, where you hold it, why you hold it, and how people consented to give it to you.

— Zoë Findon

The Information Commissioner’s Office (ICO) is the independent data protection and information rights watchdog in the UK. The GDPR regulation was adopted into UK law through the Data Protection Act 2018 (DPA 2018).

According to stats and reports published by the European Commission on the occasion of the first-year anniversary of the GDPR regulation, over two-thirds (67%) of Europeans have heard about GDPR and nearly 90,000 Personal Data Breach (PDB) reports were received across Europe within the first year of GDPR.

In October 2019, Österreichische Post AG (ÖPAG); the national postal service providers in Austria; was fined €18 million (approximately US$20 million) for illegally selling personal data of approximately 3 million Austrians to various third parties.

In January 2019, Google was fined €50 million (approximately US$56 million) by CNIL; the data protection and information rights watchdog in France; for breaching GDPR requirements for transparency and specific, unambiguous consent.

The online advertising industry is behind comprehensive illegal collection and indiscriminate use of personal data

In the UK, more specifically, similar stats and reports from the ICO show that PDB reports went up by over 324% to 14,000 by May 2019 from the previous reporting year when the reports were put together under the previous DPA 1998 legislation.

Some high-profile data breach and non-compliance cases reported in the UK include the maximum fine of £500,000 (approximately US$660,000) issued to Facebook for data breaches that allegedly occurred in 2017. The ICO later admitted that the fine could have been a lot higher under the GDPR legislation.

Under the GDPR regulation, a business or organisation that is found to have infringed on the provisions of the GDPR regulation, could be fined up €20 million (approximately US$22 million), or in some situations, up to 4% of its total worldwide annual turnover in the preceding financial year, whichever is higher.

Just thinking of the huge figure, you can understand the thoughts of the ICO re Facebook, and you might just say that Facebook was lucky, eh?

In July 2019, the ICO issued a notice of its intention to fine Marriott International £99 million (approximately US$131 million) for GDPR breaches relating cyber incidents suffered by the hoteliers which compromised the personal data of approximately 339 million guests globally.

In April 2019, a local government council in the Greater London area was fined £145,000 (approximately US$191,400) for unlawfully disclosing the personal information of more than 200 people.

In November 2018, Uber was fined £385,000 (approximately US$508,200) because the company failed to protect customers’ personal data during a cyberattack.

In May 2018, the UK Crown Prosecution Service (CPS); i.e. the UK equivalent to the U.S. Attorney’s Office (USAO); was fined £325,000 (approximately US$429,000) for the loss of several encrypted DVD discs containing records of police interviews.

A recent information breach (and a major security concern) occurred in the UK when the UK government inadvertently publicly published the full home and work addresses of over 1,000 New Year (2020) Honour recipients on the internet. As we understand it, the ICO is yet to rule on this matter or yet to publicly announced its ruling.

But, perhaps the biggest GDPR fine in the UK so far; in July 2019, the ICO issued a notice of its intention to fine the British Airways £183.39 million (approximately US$242 million) for GDPR breaches relating to cyberattacks suffered by the airline which compromised the personal data of approximately 500,000 customers.

general data protection regulation gdpr

You’d recall that in my article at the start of the year, I reviewed some major breaches that were reported in 2019

I’ve always posited that cybersecurity risks, threats, and attacks pose a significantly high risk to businesses and organisations. This is simply because breaches of information or data could potentially result in financial damages, operational damages, reputational damages, diminished investors’ confidence and exposure to potential regulatory, statutory, and other compliance issues, plus penalties.

The GDPR regulation permits free data flow between EU member states and EEA. But it places stringent rules, safeguards, and controls on the transfer of data from the EU to recipients in a third country, a territory, or an international organisation.

Implicitly, therefore, after 31/Jan/2020, the UK will be considered a “third country” by the EU, and all relevant rules applicable to third countries and international organisations under the GDPR will become applicable to the UK. Conversely of course, after the Brexit date, the EU GDPR will no longer apply to the UK.

So, it’s quite understandable that one of many questions which has repeatedly popped up in conversations with businesses and organisations up and down the country is; what does a post-Brexit UK mean to businesses and organisations in terms of GDPR requirements?

My reassuring response is always; there is no immediate or critical need to fret or be excessively be worried.

According to the ICO, “the UK government intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK (the ‘UK GDPR’).

This implies that the UK government will immediately incorporate the EU GDPR into UK law with only necessary UK-specific changes to bring about the UK GDPR.

If you are a UK business or organisation that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow after Brexit.

If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations after Brexit. You may need to designate a representative in the EEA.

Yes, there would be some changes but these would be absolutely necessary changes, and both sets of regulations are expected to be substantially very similar.

My understanding, therefore, is that any immediate changes that’s required to be made to the UK GDPR will not require complete rework of your existing internal controls, processes, frameworks, policies, procedures, and reporting in your management information systems.

For UK-based SME businesses and organisations that want to keep data flowing between the UK and the EU, the ICO has released an interactive tool that could help you determine whether Standard Contractual Clauses (SCCs) could help you maintain the flow of data, in the event of a no-deal Brexit.

Remember, whatever effective controls and processes you currently have in place to address the EU GDPR regulation, these may require a few changes to ensure they remain relevant to the UK GDPR. But, rest assured, they would still be reasonably effective and applicable post-Brexit. And I expect the ICO would give businesses and organisations some reasonable time to implement whatever necessary changes emerge.

I envisage that the probabilities of cybersecurity risks, threats, and attacks will probably most likely increase/heighten in the few weeks, months, and possibly couple of years right after Brexit. My informed understanding, however, is that whatever effective controls, monitoring, and response strategies & policies you already have in place would suffice, for now. Of course, the key operative word here is “effective“!

3-2-1 backup rule and effective cybersecurity strategy

The 3-2-1 Backup Rule and Effective Cybersecurity Strategy

, , , , , , , , , , , , , , , , , , , , , , , ,

Last week, I wrote an article on top cyber security risk trends and predictions for 2020.

In the article, I reviewed some very significant breaches and attacks that occurred in 2019, touched on common cyber risks, threats, and attacks, and made predictions on what we should expect for 2020.

An interesting conversation kicked off amongst some security professionals on an online professional networking platform a few days. The conversation centred on the 3-2-1 backup rule, and how strategy measures or compares to assessing and preparing for cybersecurity threats & attacks for 2020.

The one question that seemed to pop-out of the conversation is this: Is the 3-2-1 backup rule sufficient enough to constitute or be considered as an effective cybersecurity strategy?

I’ll give my response to this question in the course of this article. But for now, let’s have a bit more contexts, definitions, and discussions on several bits of the subject, shall we?

3-2-1 backup rule diagram
3-2-1 backup rule diagram

What’s the 3-2-1 Backup Rule?

The 3-2-1 backup rule is a best practice data backup strategy that aims to ensure that data is adequately protected and resilient to potential damage and corruption.

The rule states that there should be at least three (3) copies of the data, store two (2) copies on different storage media, and keep one (1) of these copies in an offsite/remote location.

You’d notice, from the image above, that the title on the image states the 3-2-1 Backup Rule but the image appears to suggest that the rule should be called the 3-2-1-0 Backup Rule instead.

A few alternative postulations in the community state that the proper and correct best backup practice strategy should include a step that covers valid and verified data recoverability.

I do agree with the views I’d just cited above, and, thus, I felt the need to capture the 3-2-1-0 steps as also representing the 3-2-1 backup rule.

Anyway, moving on…

Yes of course! Data backup and restore are essential elements of any security strategy that’s worth its weight in salt. Absolutely. Without any doubt.

Every effective Business Continuity and Disaster Recovery (BC/DR) plan needs a very good backup strategy to be successful. The 3-2-1 backup rule is effectively all about redundancy, ensuring data resilience and availability.

As stated by Alex Mayer, “the 3-2-1 backup rule is a good recommended start in building any data protection system – a way to protect your data from loss/corruption…

Consequently, I think we should be very clear about one thing: the 3-2-1 data backup rule is not a panacea for cyber security risks, threats, and attacks.

If your organisation (or one of your clients) had experienced any previous yet successful security attacks, you would learn that data backup is indeed a vital risk mitigating action but:

  1. It does not address or mitigate against potential severe interruptions to business operations (i.e. BC/DR, BAU, MTTR, etc.)
  2. It does not address or mitigate against attacks that target networks and infrastructure
  3. It does not address or mitigate against attacks that make illegal and unauthorised copies of data
  4. It does not address confidentiality or integrity of data nor information; 2 of 3 principles of the cybersecurity triad
  5. It does not address, resolve, or eliminate actors of the attack (both internal & external), and invariably,
  6. It does not eliminate, thwart, or deter/discourage the repeat of the (previously successful) attack or similar attacks.

I can affirm that combating and winning any cyberwarfare against cybersecurity risks, threats, & attacks requires more than implementing the 3-2-1 backup rule.

So, here’s my response to the question raised earlier on: the 3-2-1 backup rule should form a vital part of any good Security Incident and Event Management (SIEM) plan. But it is probably most certainly not a replacement or a substitute for an effective cybersecurity strategy.

top 10 cybersecurity risks trends for 2020

Top Cyber Security Risk Trends & Predictions for 2020

, , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Many security experts would probably agree that 2019 was a very interesting and challenging year. According to a Forbes report, 2019 saw more than 3,800 publicly disclosed data security breaches in the United States within the first 6 months.

The year 2019 witnessed some very large, disturbing, and public-profile information security breaches.

According to the Ninth Annual Cost of Cybercrime Study Report published by Accenture in 2019, the average number of security breaches grew by 11 percent since 2018.

Some of the security breaches recorded in 2019 include (presented in descending breach reported date order):

Gekko Group, a subsidiary of Accor Hotels, in November 2019 with over 660,000 customer records exposed

Quest Diagnostics in June 2019 with about 11.9 million patient records affected

First American Financial Corporation in May 2019 with about 885 million records of mortgage transactions affected

Facebook in April 2019, via third-party hosted servers with over 540 million records exposed

Capital One in March 2019 with over 106 million breached customer information

Fornite, owned by Epic Games, in January 2019 with about 200 million users affected worldwide

We are now only the third day into the new decade and already a retail foreign-exchange specialist company; Travelex; was reportedly forced to shut down its online services following a virus attack on its systems.

Cybersecurity and cyberattack issues are becoming ever-increasing struggles for businesses and organisations. And these can so easily affect all organisations, regardless of size.

With new risks & threats emerging every other day, the risks of compromising customer or employee data are becoming ever increasingly challenging to organisations as more severe consequences are being put in place and followed through by regulatory agencies.

Reputational damages caused by security incidents and data breaches could be incalculable.

data breach

So, with 83% of enterprise workload expected to move to the cloud by the end of this year, here are some security risks and threats that I expect (predict) to cause major headlines this year:

Ransomware

It is reported that a business will fall victim to a ransomware attack every 14 seconds in 2019 and every 11 seconds by 2021. This suggests that a similar prediction for 2020 will put the figure less than every 11 seconds. That is appears to be a worrying prediction.

Ransomware attacks were very prevalent in 2019. With the increase in sophistication and complexities; particularly enterprise ransomware; I envisage this trend will continue in 2020, particularly against healthcare organisations, small businesses, schools, and local government institutions.

Phishing & Social Engineering

According to the 2019 Data Breach Investigation Report published by Verizon, 32% of data breaches involve phishing.

And according to the 2019 Internet Security Threat Report (ISTR) published by Symantec, phishing security incidents have declined year on year for the last four years; I expect this trend to continue.

Formjacking

The report by Symantec reveals that formjacking remains the greatest threat to online retailers and other organisations within goods supply chain. I expect to see this trend continue to rise.

internet of things iot

Internet of Things (IoT)

Gartner projects that there will be around 20.4 billion IoT devices by the end of this year (i.e. 2020).

Symantec reports that, in 2018, network routers accounted for 75% of infected devices, and connected digital cameras accounted for 15% of infected devices. Understandably, routers were the most targeted devices simply because they are gateways (i.e. entry/exit points) from internal networks to the internet.

China, North America, and Europe collectively represent two-third of installed and in-use IoT devices, with consumer items (smart televisions, virtual assistant smart speakers, smart refrigerators, digital set-up boxes, etc.) representing more than 60% of IoT connected devices.

Adoption of 5G technologies, infrastructure, and systems is expected to have a global reach in 2020, and this should give rise to a plethora of new IoT devices.

I envisage that there would be an increase in the number of devices at risk as more consumers and businesses introduce more IoT connected devices to more everyday activities.

Malware

According to a study by Accenture, the average cost of a malware attack on a company is $2.6 million.

Another similar study by IBM, indicates that the average cost of a data breach is $3.9 million.

Given the magnitude of potential damages this could cause to organisations, this appears to be one area of risks and attacks that shows no sign of letting off in 2020.

Mobile Devices

Mobile devices used within corporate environments remain high risk concerns to businesses.

Symantec reports states that, in 2018, 1 in 36 mobile devices had high risk apps installed, and infections on mobile devices were up by a third when compared to 2017.

Mobile devices will become prime phishing attack vectors as attackers continue to employ machine learning and artificial intelligence in attacks.

I envisage that this upward trend is expected to continue in 2020, especially with the anticipated advent of 5G networks and even more mobile devices.

Internal Actors

Insider attacks are forecast to rise in 2020. This is a high impact, high severity, and high probability risk because of the potential for disgruntled or careless employees to inflict great harm on any organisation.

One-third of data breaches involved internal actors.

The human factor remains the weakest link in cybersecurity implementation. Blackmails, hefty bribes, threat to life & family members remain enough duress to make hereto loyal employees to reluctantly reconsider their decisions and choices.

It’s important to emphasise that, as far as regulatory laws and legislation are concerned, the final responsibility and accountability for protecting data in the cloud lies with the organisations that choose to use cloud services, and not the cloud service providers.

This, therefore, mandates that businesses & organisations must ensure that the appropriate and fitting risk mitigating plans, incident response plans, monitoring, controls, and reporting are put in place.

The report by Verizon indicated that 56% of breaches took months to discover. I envisage that effective cyber and information security strategies and implementations could help organisations promptly identify risks, respond and manage security incidents & events.

how much time does it take to perform a security assessment

How long does it take to perform a typical security risk assessment?

, , , , , , , , , , , , , , , , , , , 0

Well, I suppose you; or someone you know perhaps; may have had this question come up during meetings or conversations with clients that are probably looking to “weigh” their cybersecurity investment/capability options.

Well, I’ve been asked this question (or different variances of the same question) a few times in the past few weeks. So, I thought I’d share my thoughts/views on the subject.

I think it’s fair to infer that the question assumes that a breach is yet to take place, and that there is no live security breach as at the time the question was raised. Of course, where the assumption is invalid, the subject would cease to be a risk but would be treated as an actual security incident/event that requires a completely different set of activities including response, containment, and recovery.

So, back to the primary subject; I think that a very simple, straight-to-the-point, and honest response is: “There’s no specific duration or time range that could objectively answer the question correct; it all depends…”

It’s like asking the question: how long is a piece of string?

And come to think of it, could any effective security risk assessment be objectively described as “typical”?

A security risk is never wholly in isolation all by itself. In other words, a security risk is associated with at least one vulnerability that is associated with at least one threat that is associated with at least one asset.

risk-threat-asset-vulnerability

Several industry-acclaimed frameworks, guidelines, standards, and tools share this approach in identifying security risks, and subsequently assessing and managing such risks.

Yes, how long it takes to conduct an effective security risk assessment depends on lots of factors; and until several of these factors are fleshed out, any response provided could simply be total rubbish, I mean seriously.

Risk assessment, risk management; and indeed, corresponding control management; are very contextual, and could be influenced by several disparate factors including:

  1. Security competency of your organisation
  2. Up-to-date risk register and pre-breach playbook (i.e. risk assessment process)
  3. Relevant Knowledge, Skills, & Abilities (KSA) within your organisation
  4. Effective risk management framework or guidelines implemented in your organisation
  5. Incidence response effectiveness including effective BC/DR plans

In conclusion, I must stress that it mustn’t take longer to perform a security assessment than it would take to secure the asset at risk nor should it take longer than is required to achieve relevant underlining business objectives.

Yes, just thought I put that out there too; hopefully, that would address any related thoughts.

risks controls availability planning security incidents

Security Risk Mitigation and Controls – Going Above and Beyond Availability Plans

, , , , , , , , , , , , , 0

According to Werner Vogels, CTO at Amazon.com, “Everything FAILS all the time.” This popular quote lends itself to logical grounds for robust availability plans.

Availability planning aims to put in place plans, processes, and actions that ensure the ability of a system or service to withstand or recover from exceptional events like an infrastructure or component failure.

When you are operating and supporting large, critical, and/or complex business functions, failure must not be treated as an exceptional event. Rather it must to be treated as an operational event; something you expect and anticipate to happen without causing major or severe disruptions to services and support available to business.

And here’s the rub that quite a few senior executives and management teams are rather somewhat oblivious of; risks of disruptions to services are not limited to infrastructure and/or application failures, they also include data security risks, information security risks, and cyber-security risks, e.t.c.

A comprehensive security architecture strategy proactively covers operational failure, disruptions, abuse, damage, threats, attacks, and denials; it goes (and should go) above and beyond a good availability plan.

Security Incident Response Policies and Security Incident Response Plan; both which must be consistent with applicable laws in relevant jurisdictions; must form integral part of your proactive comprehensive architecture, governance, and strategy.

Back To Top
Management Wire

ManagementWire © 2015-2024. All rights reserved.

Terms of Use

Privacy Policy

Cookie Policy

Contact