While it is fairly safe to predict that some security areas will see improvement in the coming year, others will become more problematic. It is these areas of continuing vulnerability that we should all be concerned about, and seek effective solutions.
Phishing
Phishing attacks are increasing and likely to worsen, with one out of a hundred emails containing malware. In 2017 alone, $840 million was lost because of phishing exploits, according to the Anti-Phishing Working Group (APWG).
In 2016, fewer than 5 percent of phishing websites were found on HTTPS. One year later, nearly one-third of phishing attacks were hosted on websites with HTTPS, and almost 20 percent were found on HTTPS-protected domains. There are a couple of reasons for the change in the way phishers host their malicious content. First, there are many more HTTPS websites, which means there are more websites that can be compromised. Second, browser security messaging is ambiguous, and now there are a significant number of HTTPS websites hosted on domains registered by phishers. Hackers are also taking advantage of the HTTPS designation, because the perception is that the website is legitimate.
According to Verizon’s Data Breach Investigations Report, 30 percent of phishing messages are opened by users, and 12 percent of those users click on the malicious attachment or link. Why are phishing attacks increasing? Simply put, because they’re effective. However, there are extenuating factors that have allowed the problem to worsen.
While standards groups, like the Anti-Phishing Working Group, have acknowledged the problem, they’re not coming up with new solutions to combat the issue. It’s a case of dodgeball, while the problem continues to grow.
Hackers are a sophisticated group, and they’re using machine learning to work around the same technology enterprises are using to protect themselves. According to researchers at Webroot, during the first half of 2017, an average of 1.4 million unique phishing websites were created every month. Phishing is a runaway train with no comprehensive solution in sight.
Privacy
Privacy has a mixed forecast, improving or getting worse depending on your location. Some geographic regions will see an improvement, while others will continue to struggle. Some of the factors that have led to improvement are the EU’s GDPR, which imposes fines of up to 20 million euros, and the fact that there is a strong recognition of the problem among other countries. The United States is considering similar laws.
Some of the factors that contribute to the worsening conditions for privacy have to do with the value of search data. Companies are willing to expose themselves to fines, because the profit from this data is worth much more than the fines. For example, Google has a 90 percent share in the search market, and over 50 million user accounts. Google discovered a flaw in its Google+ API with the potential to expose the private information of hundreds of thousands of users. Yet the company chose not to disclose the vulnerability to its users, or the public. It’s hard to solve a problem when the problem itself is so profitable.
There are other areas where our privacy is tested daily, from blockchain, where telephone numbers, home addresses, and emails are permanently stored and recorded, to artificial intelligence (AI) with facial recognition, used by cameras that can link user Facebook accounts with their locations, and track their location data, among other things. These are all great innovations, but without privacy considerations built in from the start, these advancements continue to erode our private lives.
Many states are considering enacting their own privacy laws. Unfortunately, these efforts are being led by entities with their own privacy concerns, and they certainly aren’t impartial entities with the best track record.
Encryption
Encryption is an area that will see an improvement next year. There are a number of reasons behind this prediction. Google is now requiring HTTPS everywhere, and the industry is committed to developing better post-quantum cryptographic algorithms. NIST, Microsoft, and the IETF are coming out with better encryption technology, and there are new regulatory compliance requirements on the horizon.
The rapid increase in the adoption of encryption is having a positive impact, with approximately 80 percent of all traffic and half of all websites now encrypted. The primary driver for encryption is economics. In fact, there is an economic deterrent for not having encryption. Most users will not conduct business with companies that have a history of security breaches. According to Deloitte, one-third of consumers will stop working with a business following a cyber security breach, even if they don’t experience a material loss. And if your company is breached, 30 percent of customers will leave, while 60 percent will consider leaving.
Encryption technology is becoming more effective. For example, the new TLS 1.3 will make the Internet more secure and trusted. Financial PKI now requires encryption, and the PCI Security Standards Council has released version 2 of the PCI point-to-point encryption solution requirements and testing procedures. This will help improve credit card security, as merchants and technology providers determine how encryption can complement compliance with the PCI Data Security Standard.
Identity
The security forecast for identity issues is expected to be a mixed bag in the coming year. A factor that supports an improvement is the strong interest from certain browser vendors that support Blockchain, Financial PKI, and Legal Entity Identifier (LEI).
The ability to identify and acknowledge devices with certificates allows companies to lock out devices that don’t have certificates. While this doesn’t impact user identity, it does have significant consequences for companies with large numbers of IoT devices, ensuring the legitimacy of those devices.
Identity protection is an interesting challenge, and a difficult problem to solve. Part of the problem lies in trying to convince consumers to care enough to protect themselves before they become victims. The same is true for IoT device identity: the companies using these devices, and the vendors producing them, must be convinced to build in protective measures before they are hacked.
The issue of identity protection is now being used for brand recognition, with the open standard Brand Indicators for Message Identification (BIMI), which uses a protocol built on the DMARC anti-spoofing email standard. This gives participating companies, like Yahoo, Groupon, Aetna, Agari and others, free brand impressions, while boosting their email trust.
We keep coming up with new ideas and reinventing the wheel, without fixing the underlying issues. However, anytime there is a financial benefit, there is far more motivation to push for improvements.
Device Management
Device management continues to be complex and problematic, and may worsen in the coming year. Some of the factors include IoT botnets and compromised devices, such as cameras, routers, DVRs, wearables and other embedded technologies that are infected with malware. Additionally, there is a new variant, Mirai, that targets Linux servers.
The challenges for secure device management are numerous, due in large part to a need for industry standards, and a lack of concern by manufacturers. Fortunately, there is significant regulatory concern and support building, including the California law on IoT, the Securing IoT Act, the Cyber Shield Act, and the SMART IoT Act. Similarly, we are seeing more connected device manufacturers showing interest in certificate-based authentication, encryption and device integrity. Security is definitely top of mind, as a recent 2018 State of IoT Security survey shows that 8 in 10 organizations have security as their top concern for IoT. And the companies doing the best with security are experiencing benefits to their bottom line, and avoiding major incidents and the resulting losses.
Automation
Automation security will continue to expand next year. Some of the reasons for this include large-scale deployments of IoT devices, an industry effort to secure automation, CAA record checking, auto-configuration, and containerization for deploying and running distributed applications.
Today’s solutions for protecting enterprises against security threats must have automation. A significant number of security incidents involve human error. Gartner forecasts information security spending to exceed $124 billion in 2019, yet these programs can be inadequate in preventing the misconfiguration of firewalls, or forgetting to patch security vulnerabilities on servers. Manual tasks bring risks, and they are a security breach waiting to happen. Automating security tasks is the best way to minimize risk.
Authentication
Authentication processes will become more secure next year. Some of the factors for this include 15 percent growth in multi-factor authentication, and biometric authentication becoming standardized. Another reason authentication may improve is due to Secure Quick Reliable Login (SQRL). This is a new system that mitigates many of the problems associated with passwords. SQRL is a free and open-source program that replaces the traditional username and password web authentication process. Using public-key cryptography, users generate a single master token that interfaces pseudonymously with websites, enabling login without having to disclose personal information or passwords.
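The per-site pseudonymity described above comes from deriving a separate key pair for each domain from the one master key. The following is an added, simplified sketch of that idea (HMAC-SHA256 of the domain as an Ed25519 seed); it is not the SQRL client's code, and the function names, domains, master key and challenge are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// siteKey derives a per-site Ed25519 key pair from the master key and the
// site's domain. The same (master, domain) pair always yields the same key.
func siteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte HMAC output is the seed
	return priv.Public().(ed25519.PublicKey), priv
}

// login signs the server's one-time challenge with the site-specific key.
func login(master []byte, domain string, challenge []byte) (ed25519.PublicKey, []byte) {
	pub, priv := siteKey(master, domain)
	return pub, ed25519.Sign(priv, challenge)
}

// serverVerify is all the site needs: the public key it stored at enrolment,
// the challenge it issued, and the signature. No password or shared secret.
func serverVerify(stored ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(stored, challenge, sig)
}

// unlinkable reports whether two sites see different public keys for one user.
func unlinkable(master []byte, siteA, siteB string) bool {
	a, _ := siteKey(master, siteA)
	b, _ := siteKey(master, siteB)
	return !bytes.Equal(a, b)
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; real keys are random
	enrolled, _ := siteKey(master, "shop.example")
	challenge := []byte("nonce-issued-by-shop.example-0001") // constructed
	_, sig := login(master, "shop.example", challenge)
	fmt.Println("signature accepted:", serverVerify(enrolled, challenge, sig))
	// A look-alike domain derives a different key, so its signature fails here.
	_, phishSig := login(master, "sh0p.example", challenge)
	fmt.Println("look-alike domain accepted:", serverVerify(enrolled, challenge, phishSig))
	fmt.Println("sites cannot link the user:", unlinkable(master, "shop.example", "forum.example"))
}
```

Because the key is bound to the domain, a credential produced for one site is useless at another, and a breach of the site's database exposes only public keys.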
However, some challenges remain, like password inadequacies. Roughly half of them are weak, including Mimikatz, which represents 27.2 percent of malware, and 75 percent of malware delivered via web.
Biggest Impediments to Improvement
There are obviously many security risks that need to be addressed to ensure trusted connectivity, communications and commerce, and the challenges to overcome those risks are many. User apathy is rampant, as individuals simply don’t make their privacy a priority until their privacy is violated. Enterprises struggle with a lack of skilled staff and still rely on manual tasks, while devices, users and data are growing exponentially. Standards groups are not working together as closely as they should. There are potential conflicts between standards. Patent protections are beginning to get in the way of securing our users and devices. For example, the wireless communication industry is ready for digital certificate security. However, some industry developments are blocked by companies asserting their patents, claiming patent infringements, effectively preventing adoption of critical security technology.
Growth is creating greater risk, and generating new challenges. The ever-increasing number of IoT devices that are not secured, millions of new websites coming online every month, and vast amounts of data crossing our networks and filling storage facilities will just keep compounding the security conundrum.