Key thinkers on the biggest security stories and trends in 2020
It’s safe to say that 2020 has been a year like no other, with the Covid-19 pandemic dominating headlines worldwide.
Within the cybersecurity sphere, the ripple of changes to the way we work and live has resonated loudly.
From navigating the security risks of working from home to cybercriminals taking advantage of the pandemic, the cyber-threats have been widespread and varied – not to mention the effects social distancing has had on the hacking community as conferences and meet-ups were forced to go virtual.
But while 2020 might be a year that many would rather forget, it’s important to also recognize the effort and contributions of the security community, as its members stepped up the fight against cybercrime amid this new wave of challenges.
The Daily Swig spoke to some of the industry’s key thinkers to take a retrospective on an eventful year and look forward to what 2021 will bring.
Hackers’ rights and VDPs – ‘It’s time for policy leaders to lead’
Chloé Messdaghi, chief strategist at Point3 Security and co-founder of Women of Security (WoSEC)
“If this surreal year has taught everyone anything security-wise, it’s this: attackers are immensely clever, and most organizations need an awful lot more help than they currently have on hand. That’s where hackers come in.
Every organization can benefit by tapping some of the best infosec minds to help identify their vulnerabilities before an attacker exploits them, but for too long, companies have embraced denial or perhaps just ignorance about their blue teams’ ability to find threats. Meanwhile, policy leaders have remained mum or worse, and the hacker community has faced prosecution.
It’s time. Our policy leaders need to promote vulnerability disclosure policies (VDPs) that actively encourage independent researchers to help harden the security of both public and private sector entities.
It’s unacceptable that today, only 7% of Forbes’ Global 2000 currently have a published policy that sets clear guidelines for the scope of vulnerability discovery, removes the fear of prosecution or retribution, provides compensation, and ensures clear channels and processes for reporting and timely mitigation of vulns.
All too often, an independent researcher (hacker) finds a significant cybersecurity gap in a known corporation, only to have the organization ignore their warning and perhaps even condemn them for rooting around in the network.
One social media company’s executive said that they don’t need a vulnerability program because they have a security team, which is a lot like saying, “I’ve got a general practitioner, so why do I need a specialist?”
As with so many societal wrongs, informing the public and correcting misperceptions begins with changing the language. The first step is widespread education so that from the C-suite to the full organization, it’s understood that the terms “hacker” and “attacker” are not interchangeable, and in fact are polar opposites… and hackers are your friends who keep you safe.
But without having a vulnerability disclosure policy, only one out of four hackers will report the vuln. This leaves you vulnerable to the attacker who finds the vuln, doesn’t report it, and actually exploits it.
When looking at how to be better in 2021, have vulnerability disclosure policies. By creating a safe channel for hackers to report a vuln, it will protect you, your product, and your company from being taken advantage of by attackers.”
Big Game Hunting: Malware creators profit in 2020
Bharat Mistry, UK technical director at security vendor Trend Micro
“Throughout 2020 we saw cybercriminals thrive at an exponential rate by coming up with novel threats and strengthening existing ones.
Malicious actors took advantage of the global pandemic by launching a slew of Covid-19-themed attacks using a diverse array of lures across a wide range of platforms such as emails, social media, malicious websites, and fake mobile apps.
Despite the 68% drop in detections, ransomware remains the biggest threat as operators arm malware with new capabilities to aim for bigger targets coined as ‘Big Game Hunting’, netting an average payout of $1.3 million in the first quarter of 2020.
Some ransomware operators went further and threatened to expose the stolen data publicly.
With businesses shifting to remote working, cybercriminals went after tools used in these environments, such as video conferencing apps.
We also found malware families such as a Coinminer and WebMonitor bundled with video conferencing app installers.”
‘2020 has been a year to remind us of the basics’
Ken Munro, founder of Pen Test Partners and IoT security expert
“2020 strikes me as a year of fast change and high pressure in the cyber space, two terms that rarely end well for security.
BAU security assurance went sideways as everyone enabled remote working. Mistakes were made, though many businesses successfully continued to function. However, the new normal of remote working made rich pickings for scams and phishing. Overworked security teams attempted to review the emergency changes made retrospectively, though hackers often found those mistakes first.
Breaches and ransomware spiraled as a result, with cyber insurers starting to suffer from increased claims rates. Premiums have leapt already.
For predictions of the future and 2021, we should simply look backwards.
Vendors will make unrealistic claims about products, a new three letter acronym will become the buzzword, and security buyers will be distracted from the basics by the next big breach.
On the day that the SolarWinds story broke, some of our team took Domain Admin at an FTSE 100 firm with ‘Password123’.
We need to look backwards and resolve the same, boring issues of the past rather than buying the next sexy product: we need to work on people, passwords and patches. 2020 has been a year to remind us of the basics.”
‘Every industry became a target’
Clar Rosso, CEO at security certification organization (ISC)2
“If 2020 is remembered for anything other than Covid-19, it should be as the year the world underwent a collective digital transformation – whether it wanted to or not.
With such rapid, unplanned, and extensive digital change, every industry became a target – from retail to government services, from healthcare to media, from education to financial services.
Recent headlines about large-scale breaches may have the masses talking, but the (ISC)2 2020 Cybersecurity Workforce Study found that 18% of cybersecurity respondents reported an increase in security incidents as early as the second quarter of 2020, immediately following the majority of organizations transitioning to remote work environments globally.
The same study also found that, more than any other security area of focus, cybersecurity professionals plan to develop their skills in cloud computing security within the next two years.
We now consume much more in our everyday working and personal lives digitally as a by-product of Covid-19 precautions. This has had a profound impact on cybersecurity professionals. It has altered the way we train and educate our professionals, with all-digital remote learning now overtaking traditional classroom-based training.
It also has altered the way organizations work and deliver their products and services, placing pressure on business and consumer broadband services, video conferencing and cloud platforms.
This is going to continue into 2021, as even with the promise of vaccines, an immediate snap back to pre-Covid working arrangements and environments is unlikely to happen soon – if ever.
Covid-19 response measures hit cybersecurity professionals hard. According to the (ISC)2 study, 30% of cybersecurity staff were asked to orchestrate a wholesale shift to secure remote working within 24 hours, and nearly half (47%) were required to deliver it within a week. It was a time when business continuity plans were tested more than ever. Encouragingly, these plans proved effective, with 92% of respondents reporting that they felt their organizations were at least somewhat prepared for the transition to remote work.
We also saw unprecedented change in the composition of the cybersecurity workforce and the shortage of skilled professionals. Through our annual Cybersecurity Workforce Study, we found that the global workforce grew from 2.8 million to 3.5 million. Covid-19, Brexit and planned elements of digital transformation all contributed to the growth.
At the same time, we have seen the global skills gap in cybersecurity drop for the first time since we started monitoring annually. Year-on-year, the gap has fallen from 4.07 million to 3.1 million. The sharp rise in hiring accounts for some of this, as does the stark contraction of key economies in the face of the initial Covid-19 outbreak, which saw countries such as the UK experience an 11% contraction of the national economy.
While GDPR continued to loom over Europe, with over €220 million ($270 million) in fines handed out across Europe this year for a variety of data breaches, the impact has largely been overshadowed by other events. Nonetheless, two and a half years into the GDPR era, it continues to be a genuine issue for organizations of all sizes going into 2021, with regulators across the region not afraid to exercise the full extent of its punitive fine structure as airlines, telecoms companies, search engines and hotels have learned this past year.
In the UK, we’ve seen considerable work on the part of industry and government to elevate and professionalize cybersecurity training and skills development. Development of the UK Cyber Security Council has taken place throughout the year and is set to launch in the second quarter of 2021, creating an umbrella body to champion cybersecurity education and skills, and support organizations and individuals with professional development objectives.”
Improving the state of open source security
Clint Gibler, head of security research at r2c and creator of the tl;dr sec newsletter
“While there were a number of continued challenges in open source software security in 2020, there were also some promising developments.
First, the challenges.
We continue to see supply chain attacks on open source libraries, such as malicious JavaScript packages on NPM or Docker container images with embedded cryptocurrency miners.
To be honest, I’m surprised this hasn’t been a bigger focus of attackers, given the benefits and relatively low effort required: upload a malicious package or backdoor an existing one and gain access to developers’ machines at a number of organizations, rather than having to find a way into each company.
This challenge is exacerbated by the fact that most package repositories (e.g. NPM, RubyGems, PyPI, etc.) seem to lack significant resources to continuously monitor and detect malicious uploads.
In comparison, Google Play and the Apple App Store have entire teams dedicated to building automated tooling to defend their ecosystem at scale and reverse engineer potentially malicious apps.
On the positive side, we see continued and new efforts in spreading security knowledge and improving the state of open source software security.
Flagship OWASP projects continued strong, with a new version of the Web Security Testing Guide being released, new content for the Cheat Sheets project (like GraphQL), and more.
And a relative newcomer: the Open Source Security Foundation (OpenSSF), a collaboration of companies including Facebook, GitHub, GitLab, Google, HackerOne, NCC Group, Trail of Bits, and many more.
So far, the OpenSSF has released the security scorecard project, a tool aimed at gauging the trustworthiness of open source projects, and the CVE Benchmark, an open source collection of over 200 historical JavaScript/TypeScript vulnerabilities (CVEs) with associated metadata, for the purpose of benchmarking security testing tools.
While there is still much to be done, it’s great to see traction behind these cross-company efforts to improve the security of the open source ecosystem.”
Bug bounty growth amid a year of ‘sudden and forced change’
Casey Ellis, founder, chairman, and CTO at Bugcrowd
“Both individually and collectively, 2020 was a year of sudden and forced change. With it came forced acceleration of the usage, development, and deployment of technology. Meanwhile, adversaries know that chaos is a ladder, and just about every category of threat actor has ramped up their efforts across almost every sector.
This new threat landscape led to a boom in crowdsourced cybersecurity and the crowd itself as businesses looked for ways to strengthen their security posture.
Bugcrowd’s 2021 Priority One Report found crowdsourced cybersecurity growing in popularity due to the rapid digital transformation many organizations underwent this year.
Bugcrowd saw a 50% increase in platform submissions, including a 65% increase in Priority One (P1) submissions in the past 12 months.
Of course, enterprises weren’t the only target. Governments realize the scale and distributed nature of cyber threats and acknowledge the league of good-faith hackers available to help them balance forces. When faced with an army of adversaries, an army of allies makes a lot of sense.
It was a good year for cybersecurity policy, too. Governments are leaning into the transparency inherent to a well-run Vulnerability Disclosure Program to create confidence.
The CFAA was debated in the Supreme Court, and early signs from that debate favor good-faith hackers previously chilled by anti-hacking laws. The confidence, ease of explanation, and inevitability of security research are making the decision to treat hackers as the internet’s ‘immune system’ an easier choice for governments to make in 2021 and beyond.”
Read Part II of the Swig Security review 2020.
Additional reporting by Adam Bannister, James Walker, and John Leyden.