Key thinkers on the biggest stories and security trends of 2018

Additional reporting by James Walker, Catherine Chapman, and John Leyden

When it comes to the security sphere, it’s safe to say that 2018 has been a whirlwind.

Last week, we asked key figures from the infosec community about what they have learned from 2018, and what they will take with them into the coming year.

You can read about what they had to say in Part I of the Swig Security Review.

Below, hear from seven more security experts on what they identified as the top threats from the past 12 months, and what their key predictions are for 2019.


Katie Moussouris, CEO at Luta Security and creator of Microsoft’s bug bounty program

“Bug bounties are more popular than ever, yet we’re seeing virtual train wrecks completely missed in the headlines because it’s not yet popular to point out the naked emperors.

Bounties that are started and then abruptly stopped in a single day should tell us that it’s not the cure-all it has been cooked up to be by aggressive marketing.

Beware the ghosts of mismanaged assets past and patch management nightmare present, because the future predicts a technical debt collector coming for poorly thought out bounties this year. Naughty or nice, there is no shortcut to security.”



Troy Hunt, web security expert and founder of HaveIBeenPwned.com

“This year felt like a really mixed bag of breaches; we had a huge number of smaller ones but also several mega incidents towards the end of the year such as Starwood and Quora.

Increased regulations around the world (GDPR in Europe, NDB in Australia etc) may well be responsible for driving a greater number of disclosures so the number of incidents we’re seeing may well be as a result of increased transparency.”



Mårten Mickos, CEO at HackerOne

“The bug bounty community is a force of nature. Now over 300,000 strong, it gets stronger in two ways. When new or young hackers join, it takes them two-to-three years to build up skill and methods to be highly productive. The other way the community gets stronger is when people who already are experts start engaging. We are seeing pentesters, security professionals, and academic researchers becoming bug hunters in their spare time.

Bug bounties and vulnerability coordination is becoming a best practice among companies and government agencies. From a hacker’s perspective, we will see rapid growth of “scope” in 2019. New customers will open new programs, and old customers will expand scope of their existing programs. More customers than ever before will organize their own live hacking events to get a concentration of results in a short timespan.

Stay curious, tenacious, and patient. Bug bounty hunters are curious by definition. Companies need to become comfortable in being curious about the weaknesses they have. Both sides need to be tenacious because the best bugs are not easy to find and they may not be easy to fix. Finally, the great results of bug bounties emerge not overnight, but over time. There is of course exhilaration when a single critical bug is found and then fixed. But the big bounty earnings and the solid reductions of cyber risk happen over a longer time, step by step.”



Raj Samani, chief scientist at McAfee and Europol cybersecurity advisor

“In 2018 we have seen a number of indictments, most recently against two Iranian nationals for their role in the SamSam ransomware attacks. If we also consider the indictments against Park Jin-hyok and the November indictments by the Eastern District of New York following the losses in digital advertising fraud, it suggests a strategy to identify and bring to justice those behind such crimes.

Without a doubt 2018 has focused on malicious campaigns that seem to point to nation-state actions – OceanSalt, Sharpshooter, [and] the re-emergence of Shamoon, for example, just in the past few weeks. Whilst nation-state activities [are] not new, we have to accept that we are seeing (or indeed identifying) more campaigns targeting organizations across the globe. We could also easily incorporate the rise of cryptojacking in 2018 and the perceived decrease in ransomware families as other key trends for the year.

Our new McAfee Labs threat predictions details seven issues we anticipate for the coming year but for me, the one that particularly catches my attention is the role of social media/networking. We had a brief glimpse of this in the recent Sharpshooter campaign.

The elections were influenced, fake news prevails, and our social media followers are all foreign government–controlled bots. At least that’s how the world feels sometimes. To say recent years have been troubled for social media companies would be an understatement. During this period a game of cat and mouse has ensued, as automated accounts are taken down, adversaries’ tactics evolve, and botnet accounts emerge looking more legitimate than ever before. In 2019, we predict an increase of misinformation and extortion campaigns via social media that will focus on brands and originate not from nation-state actors but from criminal groups.”



John Graham-Cumming, CTO at Cloudflare

“2019 is likely to be the year when serverless moves from a confusing buzzword to widespread adoption. Developers want to be able to write, run, and scale code as easily as is possible, and serverless promises total freedom from the details of containers, VMs or cloud servers creating a developer nirvana.

Serverless has gotten a bad rap for its confusing name, of course there are servers, but we expect 2019 to be the year when application architectures start fully taking advantage of serverless’ ease of use, price and scaling.”



Mary-Jo de Leeuw, director of cybersecurity advocacy for EMEA at (ISC)2

“One of the most prolific issues in 2018 was the surge in activities using spear-phishing, ransomware, and nation-state attacks. The past year saw all three regularly in the news and regularly disrupting business and consumer activities.

In the coming year, I expect spear-phishing to become even more prevalent, with even more targeted and sophisticated attacks being launched against individuals and brands. There will be an upsurge in victims of this kind of attack and the fraud that it perpetrates.

More nation-state attacks are also to be expected in 2019, as warfare and efforts to disrupt society become increasingly digital.

This will also sit alongside more unauthorized surveillance of individuals through the use of both IoT technologies and conventional computer hacking. Ultimately, many of these threats continue to pose a risk because individuals still do not update computer and device operating systems, or install updates for key applications, in a timely manner.

Add to this the increased problem of IoT devices from non-computing manufacturers that are not investing in meaningful ongoing software support for these devices.

Together, this creates an environment where cybersecurity threats like ransomware can and will pose a very real danger in the year ahead without awareness, vigilance, training, and best practice.

The cybersecurity workforce gap is going to cause real problems in 2019. Aside from the obvious lack of skilled professionals to fill vacancies, organizations are likely to find themselves paying far greater salaries and benefits in order to attract talent away from competitors and from other industries as they try to address their skills shortages.

It’s also likely to prompt new approaches to how we try and cover the sector. That means more innovative uses of outsourcing, more shared cybersecurity resources, and more opportunities for practitioners to provide their services to a group of companies rather than just one.

If organizations are going to have to use external skills to help address their shortages, it will only make the need for recognized certifications and qualifications in the space more important.

Ultimately, the cybersecurity industry will change drastically under the influence of new technologies in the year ahead. With or without a cybersecurity workforce gap, the sector is going to be under pressure to add to its ranks of skilled professionals.”


Brencil Kaimba, information security consultant at Serianu

“2018 has been an eventful year. We have seen a lot of cyber vigilance, particularly within financial institutions, and regulators have released a number of guidelines such as the Central Bank Nigeria, SASRA (Sacco Regulator) guidance on Cybersecurity, Ghana’s comprehensive and punitive regulatory requirements, and the ICT ministry’s data protection bill, which is still under review in Kenya. On the flip side, we have also seen an increase in attacks targeting Saccos and other SMEs within Africa. Malware, particularly cryptomining malware, and ransomware have been on the rise. In 2017, we highlighted that cybersecurity spending was at an all-time low. We have seen a slight improvement in this area, mainly due to the increasing regulatory demands for organizations to spend on activities such as vulnerability assessment, penetration testing, training, and other critical cybersecurity controls.

If what we’ve seen in 2018 is something to go by, it’s clear that African threats are unique to African organizations. Our malware samples, attack vectors such as mobile money compromise, SIM swap, etc, are very unique to the continent. Another important thing to note is that most of the attacks are replicated from one organization to another. Information sharing is therefore key.

‘If you know the enemy and know yourself, you need not fear the result of a hundred battles’ – these words by Sun Tzu summarize our priority for 2019. At the core of it all, cyber visibility and exposure analysis is the single most important thing that organisations need to focus on in 2019. This understanding will allow organizations to answer the elusive questions such as: How exposed are we? Are we spending enough on cybersecurity? What is our risk-reduction cost?

We are continuously looking for partnerships and ways to contribute to the cybersecurity eco-system. Providing insights regarding data protection bills and other laws is one of the key areas that we are actively involved in both Kenya and other African countries.”

