Security in TrendsCybersecurity risks in technology trends
In today’s world technology evolves rapidly. New tools, approaches, and trends seem to come out on almost a daily basis. It’s our duty to keep pace with these changes, adapt to new technologies and apply all our knowledge, skills, and abilities to find and report all vulnerabilities as soon as possible.
In this article, we will discuss some of the main technology trends for 2019, the cybersecurity risks these trends may cause, and security prospects in upcoming years.
Internet of Things
With the spread of
IoT (Internet of Things) technologies, more devices
are exposed every day to the Internet, but they are not necessarily
IoT devices provide additional entry points for attackers,
giving them a whole repertoire of mechanisms to compromise confidential
Figure 1. IoT Targets, source: Bank Info Security.
According to Bank Info Security , attackers continue
targeting the same
IoT flaws reported and disclosed 3 years ago.
malware, such as
keeps growing, escalating and mutating. Your mobile, webcam, router or
even your printer can be a target. And these attacks are not
particularly difficult to perform; you can even find Youtube
tutorials about them.
If you’re part of the industry, you aren’t safe either, since
SCADA systems, smart sensors, and drives are also
IoT devices that
can be compromised as a result of a
Mirai Botnet attack. This may be
discouraging, even more so if we consider that in upcoming years, the
IoT devices will increase considerably. We can, however,
mitigate some risks now through system hardening, and something as
simple as changing the default credentials as well as using secure
passwords. All of these can prevent an
Companies in the Cloud
Most companies are now migrating to the cloud. The advantages of
Infrastructure as Code (
IaC) are clear: maintainability, scalability,
and pricing, among others. With cloud computing service providers like
Amazon Web Services, Digital
Ocean or Microsoft
Azure with large dedicated teams
maintaining their servers, our small infrastructure team seems obsolete
in comparison. It’s better to outsource this aspect to bigger companies
and stop worrying about physical infrastructure. Well, this is not
completely true. We cannot disregard the security aspect; the providers
fulfilled their duty, now we must fulfill ours.
According to Ben Morris, of
, speaking at Defcon Security Conference
of thousands of
Amazon Elastic Block Storage (
misconfigurations that led to sensitive data leakages: passwords,
authentication keys, and encryption keys, among others.
Figure 2. AWS Alerts on bucket misconfigurations. Source: AWS users leaving sensitive Data.
And what’s worse is in 2018, more than
70 million records were leaked
due to poorly configured
AWS S3 buckets . The
main cause of this kind of vulnerability was again the human factor. A
lack of knowledge or negligence regarding infrastructure settings can
directly impact your company. A weak
AWS configuration can be detected
using automated tools. Asserts, a product we used to offer, detected
these flaws, using the
AWS Cloudtrail module.
However, some of the cloud leakages were also caused by hardware
vulnerabilities , such as
Meltdown  or
Foreshadow , that exploit vendor chips'
vulnerabilities to gain access to shared memory pools on physical
systems. So, it is important to keep up to date with both software and
hardware to avoid these kinds of attacks.
Fluid Attacks, we have all our infrastructure as code. We use
AWS as our cloud computing service
docker to configure our infrastructure, and
Gitlab as service to regenerate our
datacenter on every new
version of our products. We implement infrastructure hardening using
a serverless approach. At
Fluid Attacks, we take security very
seriously, since it’s our value promise.
Machine Learning, Neural Networks, and Artificial Intelligence have
demonstrated that they have several applications, and cybersecurity is
not an exception. This topic has been widely addressed in several blog
entries, so instead, let’s discuss
Fluid Attacks' opinion about the prospects for Machine Learning in the
Fluid Attacks, we do not discourage the use of automated tools in
security tests; However, a real security issue comes up when only
automated tools are used, since these tools can report false positives.
For example, in the case of neural networks, some inputs can
fool the entire algorithm. Automated tools also do
not have the human malice to correlate vulnerabilities and then create
more complex attack vectors. We see machine
learning emerging technologies more as tools rather than the holy grail
of cybersecurity that will replace human
hackers. These tools can help our analysts to
decide where to look first, what portions of code may have
vulnerabilities and require further attention, or which inputs may not
have been properly sanitized.
In today’s world, businesses usually have an online alternative for
purchasing or selling products or services. These online alternatives
have to be handled with extreme care since most cyberattacks aim to
profit from these functionalities. E-commerce attacks come in all shapes
and sizes : phishing, identity theft,
credit card frauds, and more.
Most attacks are based on social engineering. These are attacks that try to trick the victim into performing actions (click a link or provide confidential information) that help the attacker gain control over the victim’s transactions.
Figure 3. Verizon Data Breach Investigations Report 2019. Source: Summary of findings.
According to Verizon, in its annual Data Breach Investigations Report , social engineering is the second most used tactic to extract confidential information. This is worrying because it doesn’t matter how secure an application is if users are fooled into providing access credentials. This, of course, applies to E-commerce as well.
One effective way to help reduce social engineering attacks is to train people via presentations and workshops on how to identify a phishing attack, along with basic security measures they can execute before providing personal information when purchasing online. A few of these are checking the URL and certificates, and being suspicious when the application asks for too much information, etc.
As technology evolves, cybersecurity should evolve as well. But often
what should happen differs from what does happen. Cyberattacks become
more complex and solutions, patches, and fixes take too much time to
develop and deploy. On the bright side, with increasing cyberattacks,
cybersecurity is becoming more relevant. Companies are investing more in
security, developing tools such as machine learning, neural networks,
AIs, and considering security risk consequences before exposing
applications to the Internet. As a result, more companies now believe
Fluid Attacks has always known, security should be applied to the
entire Software Development Life Cycle (