State of Cybersecurity 2020-21, III

This post is the third and last part of the State of Cybersecurity 2020-21. Of course, to close the subject, we have to emphasize the year that is soon to come, and for which many people in the field of cybersecurity are making some predictions.

Apparently, based on ENISA's report, we'll continue to see an increase in malware activity in the coming years. These cyber threats are regularly improving their characteristics, including, for example, new propagation mechanisms. File types like disc image files (i.e., IMG, ISO) are becoming famous for spreading malware, apart from the typical XLS, PDF, DOC and ZIP files. Once the malware is installed, it allows recognition and movement on the victim's systems and affects their operation or steals data.

On the other hand, there are omens about the expansion of attacks on the mobile sector. Users are now more and more dependent on it, even in their businesses. "Fraudulent apps, SIMJacking and operating systems exploits make these devices the weakest link." Similarly, there are current warnings about the possible growing impact of attacks on companies via IoT devices. These machines are increasing in number and have the reputation of not being up to date in terms of security. They can mean easy entry points into companies' networks for cybercriminals.

Highly planned and targeted ransomware attacks on the public sector, especially government and healthcare organizations, may keep their expansion during the COVID-19 pandemic. We'll undoubtedly continue to observe what is currently presented in ENISA as an emerging trend: "Attackers […​] spending more time gathering intelligence about their victims, knowing exactly what to encrypt, achieving maximum disruption and higher ransoms."

For more information on what's currently representing a trend among cybercriminals and may continue to do so in the near future, we invite you to check the first post of this series. At this point, we want to highlight some preventive approaches that we believe will continue being trends in the coming year.

A crucial suggestion for your organization's security, which we at Fluid Attacks never get tired of sharing, is to shift the 'security element' to the left. In short, this means that any company creating or using software (almost all of them today) should think about its security and apply it from the beginning. This methodology belongs to the DevSecOps approach. There, security testing must be continuous —covering the whole software development lifecycle (SDLC)—, and ensures significant savings in time and money. Then, for the next year, many businesses should move away from the approach of searching for and identifying vulnerabilities in their systems and software only after deployment to production. In such cases, attackers may already have access to the gaps. And these issues may not be immediately remediated and may require considerable time, effort and money due to their quantity and complexity.

Cloud services adoption will continue to increase over the next year as multiple firms adapt to the much-requested remote working. (Learn here about our experience.) These firms should be aware of the flaws (mainly related to unintended misconfigurations) that are often reported regarding this type of service. Defects that have many times resulted in significant data breaches. On their side, cloud service providers have the challenges of keeping solutions up to date and, at the same time, implementing methods for identifying configuration errors asap.

Concerns will remain in many companies because some remote workers are not familiar with proper security controls and practices. We have already mentioned that attackers are at this time paying too much attention to the human factor to penetrate organizations' systems. And they'll surely keep on doing so. That's why training staff and creating a cybersecurity culture will continue to be a priority to protect data assets.

Companies will need to continually reevaluate their cybersecurity, protect every endpoint and maintain necessary security controls after this digital transformation forced by the pandemic. Many organizations concerned with their security, following many decision-makers' advice, will begin to employ a zero-trust approach, implementing a strict restriction of access and verification of everything. They should always recognize that although in most cases the threats are external, criminals can also be part of their staff. A firm adequately prepared for cyber threats in 2021 will appreciate the benefit of handling multi-factor authentication processes. It will also ensure that its employees create sufficiently complicated passwords and change them with a specific frequency. Some companies will even start using biometric authentication methods, such as face verification for their staff, and why not, for their customers or users.

By 2021 the idea of valuing and recommending manual more than automatic work will be kept active, just for a matter of results. As discussed in part II, the excess of false negatives and positives in automatic tools' operations continues to make ethical hackers an essential factor in evaluating IT security. Following the x or y technique, an automated procedure delivering results will always be insufficient compared to a comprehensive process covering a mixture of automatic and manual hacking. The technological advances are quite useful to us as they are to you. However, we recommend that you do not let yourself be seduced by the skills that many firms intend to confer on their testing tools.

Finally, hoping that we'll see a more clear and promising future amid so much uncertainty, many businesses must continue their adaptation in cybersecurity. With the help of experts, each company persistently has to stay informed about the risks and the best prevention strategies to be implemented right away. Besides, every staff must be trained as a group and maintain a collaborative effort that in 2021 and the next years will allow their systems and assets to be as protected as possible.

Do you have any questions? Do not hesitate to contact us!