Predictions in Cyber Security for 2019 – Part 2
In case you missed it, Part 1 of this series can be found here.
This post is part 2 in a two-part series on cybersecurity predictions for 2019.
As you prepared yourself ahead of time for a new year of cyber threats, below we list 3 MORE activities and trends most likely to affect your business:
IoT-Based Events Are Going to Move Beyond Huge DDoS Assaults to More Dangerous, New Forms of Attack
Within recent years, huge botnet-powered DDoS (distributed denial of service) attacks exploited a multitude of infected IoT devices to send out crippling traffic volumes to victims’ sites. These types of attacks have not received that much media attention of late; however, they continuously happen and will remain to be threats in the future. We may expect to see poorly secured IoT devices that are targeted for additional harmful purposes at the same time. Among the most troubling is going to be attacks against IoT devices which bridge the physical and digital worlds. Some of those IoT enabled items are kinetic, like cars and additional vehicles, whereas other ones control critical systems. We should expect to witness increasing quantities of attacks against IoT devices which control crucial infrastructure like power distribution, as well as communications networks. Plus, as home-based IoT devices become increasingly ubiquitous, there’ll probably be attempts in the future to weaponize them–say, for example, by one nation shutting down thermostats in a home in an enemy state within a harsh winter season.
Attacks which Exploit Supply Chain Will Increase in Impact and Frequency
One growing typical target of attackers includes the software supply chain, with attackers putting malware into otherwise legit software packages at its usual distribution location. These types of attacks might happen within production at the software vendor or at a 3rd-party supplier. The usual attack scenario includes the attacker replacing a legit software update with a malicious one to distribute it surreptitiously and quickly to intended targets. All users who receive the software update automatically will have their computer infected and give the attacker a foothold within their environment.
Such attacks are growing in sophistication and volume and it’s possible to see attempts that infect the hardware supply chain down the road. For instance, an attacker might alter or compromise a chip or add source code to firmware of an UEFI/BIOS before these types of components are shipped out to a multitude of computers. These types of threats could be extremely challenging to remove, probably persisting even after the impacted computer is rebooted or its hard disk is reformatted.
Here’s the bottom line: attackers will continuously look for more sophisticated and new chances to infiltrate the supply chain of businesses they’re targeting.
Growing Privacy and Security Concerns Are Going to Drive Increased Regulatory and Legislative Activity
The EU’s mid-2018 implementation of the GDPR (General Data Protection Regulation) likely will prove to be simply a precursor to numerous privacy and security initiatives within countries outside the EU. Canada already has enforced GDPR-like legislation, and recently, Brazil passed new privacy legislation that was similar to GDPR, that is due to enter into force in the year 2020. India and Singapore are getting together to adopt breach notification regimes, whereas Australia already has adopted various notification timelines compared with GDPR. Several additional countries worldwide have adequacy or are negotiating GDPR adequacy. Within the United States, right after GDPR arrived, the state of California passed a privacy law that was considered to be the roughest in the U.S. to date. We should expect the complete impact of GDPR to become clearer around the world in 2019.
Congress, at the United States federal level, already is wading deeper into privacy and security waters. This type of legislation will probably receive more traction and might materialize in 2019. Inevitably, there’ll be an increased and continued concentration on election system security as the United States 2020 campaign for president gets underway.
While we are pretty sure to witness upticks in regulatory and legislative actions to address privacy and security needs, there’s a possibility for some requirements to prove to be more counterproductive than useful. For instance, regulations that are too broad may prohibit security businesses from sharing even generic details in their efforts to counter and identify attacks. If poorly conceived, privacy and security regulations might create fresh vulnerabilities even while they close others.
TSI Cyber is a full-service information security consulting firm and managed security service provider specializing in helping clients identify and remediate threats and protect against risks to their IT infrastructure. For more information on how we can protect your business contact TSI today!