Security in Trends

Cybersecurity risks in technology trends

Blog Security in Trends

| 4 min read

Contact us

In today’s world technology evolves rapidly. New tools, approaches, and trends seem to come out on almost a daily basis. It’s our duty to keep pace with these changes, adapt to new technologies and apply all our knowledge, skills, and abilities to find and report all vulnerabilities as soon as possible.

In this article, we will discuss some of the main technology trends for 2019, the cybersecurity risks these trends may cause, and security prospects in upcoming years.

Internet of Things

With the spread of IoT (Internet of Things) technologies, more devices are exposed every day to the Internet, but they are not necessarily secure. IoT devices provide additional entry points for attackers, giving them a whole repertoire of mechanisms to compromise confidential information.

Main IoT Targets

IoT Targets, source: Bank Info Security.

According to Bank Info Security [1], attackers continue targeting the same IoT flaws reported and disclosed 3 years ago. IoT malware, such as Mirai, keeps growing, escalating and mutating. Your mobile, webcam, router or even your printer can be a target. And these attacks are not particularly difficult to perform; you can even find Youtube tutorials about them.

If you’re part of the industry, you aren’t safe either, since PLCs, SCADA systems, smart sensors, and drives are also IoT devices that can be compromised as a result of a Mirai Botnet attack. This may be discouraging, even more so if we consider that in upcoming years, the amount of IoT devices will increase considerably. We can, however, mitigate some risks now through system hardening, and something as simple as changing the default credentials as well as using secure passwords. All of these can prevent an IoT attack.

Companies in the Cloud

Most companies are now migrating to the cloud. The advantages of Infrastructure as Code (IaC) are clear: maintainability, scalability, and pricing, among others. With cloud computing service providers like Amazon Web Services, Digital Ocean or Microsoft Azure with large dedicated teams maintaining their servers, our small infrastructure team seems obsolete in comparison. It’s better to outsource this aspect to bigger companies and stop worrying about physical infrastructure. Well, this is not completely true. We cannot disregard the security aspect; the providers fulfilled their duty, now we must fulfill ours.

According to Ben Morris, of Bishop Fox [2], speaking at Defcon Security Conference #27, hundreds of thousands of Amazon Elastic Block Storage (EBS), have misconfigurations that led to sensitive data leakages: passwords, authentication keys, and encryption keys, among others.

AWS misconfigurations

AWS Alerts on bucket misconfigurations. Source: AWS users leaving sensitive Data.

And what’s worse is in 2018, more than 70 million records were leaked due to poorly configured AWS S3 buckets [3]. The main cause of this kind of vulnerability was again the human factor. A lack of knowledge or negligence regarding infrastructure settings can directly impact your company. A weak AWS configuration can be detected using automated tools. Asserts, a product we used to offer, detected these flaws, using the AWS Cloudtrail module. However, some of the cloud leakages were also caused by hardware vulnerabilities [3], such as Spectre [4], Meltdown [5] or Foreshadow [6], that exploit vendor chips' vulnerabilities to gain access to shared memory pools on physical systems. So, it is important to keep up to date with both software and hardware to avoid these kinds of attacks.

Get started with Fluid Attacks' Vulnerability Management solution right now

At Fluid Attacks, we have all our infrastructure as code. We use AWS as our cloud computing service provider, terraform and docker to configure our infrastructure, and Gitlab as service to regenerate our datacenter on every new version of our products. We implement infrastructure hardening using ephemeral secrets in a serverless approach. At Fluid Attacks, we take security very seriously, since it’s our value promise.

Machine Learning

Machine Learning, Neural Networks, and Artificial Intelligence have demonstrated that they have several applications, and cybersecurity is not an exception. This topic has been widely addressed in several blog entries, so instead, let’s discuss Fluid Attacks' opinion about the prospects for Machine Learning in the cybersecurity field

At Fluid Attacks, we do not discourage the use of automated tools in security tests; However, a real security issue comes up when only automated tools are used, since these tools can report false positives. For example, in the case of neural networks, some inputs can fool the entire algorithm. Automated tools also do not have the human malice to correlate vulnerabilities and then create more complex attack vectors. We see machine learning emerging technologies more as tools rather than the holy grail of cybersecurity that will replace human hackers. These tools can help our analysts to decide where to look first, what portions of code may have vulnerabilities and require further attention, or which inputs may not have been properly sanitized.

E-Commerce

In today’s world, businesses usually have an online alternative for purchasing or selling products or services. These online alternatives have to be handled with extreme care since most cyberattacks aim to profit from these functionalities. E-commerce attacks come in all shapes and sizes [7]: phishing, identity theft, DDOS, credit card frauds, and more.

Most attacks are based on social engineering. These are attacks that try to trick the victim into performing actions (click a link or provide confidential information) that help the attacker gain control over the victim’s transactions.

"Verizon findings"

Verizon Data Breach Investigations Report 2019. Source: Summary of findings.

According to Verizon, in its annual Data Breach Investigations Report [8], social engineering is the second most used tactic to extract confidential information. This is worrying because it doesn’t matter how secure an application is if users are fooled into providing access credentials. This, of course, applies to E-commerce as well.

One effective way to help reduce social engineering attacks is to train people via presentations and workshops on how to identify a phishing attack, along with basic security measures they can execute before providing personal information when purchasing online. A few of these are checking the URL and certificates, and being suspicious when the application asks for too much information, etc.


Conclusions

As technology evolves, cybersecurity should evolve as well. But often what should happen differs from what does happen. Cyberattacks become more complex and solutions, patches, and fixes take too much time to develop and deploy. On the bright side, with increasing cyberattacks, cybersecurity is becoming more relevant. Companies are investing more in security, developing tools such as machine learning, neural networks, and AIs, and considering security risk consequences before exposing applications to the Internet. As a result, more companies now believe what Fluid Attacks has always known, security should be applied to the entire software development lifecycle (SDLC).

References

Subscribe to our blog

Sign up for Fluid Attacks' weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Logan Weaver on Unsplash

Introduction to cybersecurity in the aviation sector

Photo by Maxim Hopman on Unsplash

Why measure cybersecurity risk with our CVSSF metric?

Photo by Jukan Tateisi on Unsplash

Our new testing architecture for software development

Photo by Clay Banks on Unsplash

Protecting your PoS systems from cyber threats

Photo by Charles Etoroma on Unsplash

Top seven successful cyberattacks against this industry

Photo by Anima Visual on Unsplash

Challenges, threats, and best practices for retailers

Photo by photo nic on Unsplash

Be more secure by increasing trust in your software

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial
Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.