Key thinkers on the biggest security stories and trends in 2019

2019, what to say?

From keynote speaker controversies, to hacktivism of a Google Chromecast variety, the year in infosec has certainly been a test of what divides us can only make us stronger – plus bugs, and lots of them.

As the take up of IoT expanded the threat landscape, companies around the world warmed to the idea of crowdsourced security, with many implementing their own bug bounty programs and vulnerability disclosure policies, aided by the almighty GDPR data protection legislation, now a year old.

There were cybercrime gangs, acts of war debated, and the fight over encryption continued, as consumers remained conflated over whether or not it was safe to use a Huawei phone.

Gone in a blink of an eye, The Swig decided to speak to some of the industry’s top gurus and unsung heroes to discuss their key takeaways from 2019, as well as their top priorities for 2020.

Feliz Navidad!

Laura Kankaala, security researcher at Detectify

“2019 has been eventful security-wise. It’s been a record year for sensitive data breached. It seems that in a considerable number of those cases the reason for the breaches was loose perimeter security in cloud services or by third parties having too much access to data.

Exposed databases or other data storages that are hosted in different cloud platforms are treasures for hackers. It is very trivial for an attacker to go on Shodan and look for them. No authentication, or weak passwords can lead to massive data breaches. The reason why these data storages are left exposed is because default configurations are not changed or due to human error. These are interesting because these little misconfigurations can expose a lot of sensitive data on users or employees of a company.

Another long-running web security threat is the Magecart hacking collective. This is basically a form of credit card skimming – but it happens online on e-commerce platforms. Obtaining credit card information is directly beneficial for malicious actors, because they can be sold online for easy money.

LISTEN NOW SwigCast, Episode 4: MAGECART

A lot of the biggest cloud providers are by default very mature when it comes to security. Naturally there will always be blindspots and new vulnerabilities are found, especially when new services are added to the service catalogues of cloud service providers. However, many vulnerabilities or misconfigurations actually originate from the web applications or software that is hosted in the cloud and are not necessarily vulnerabilities in the Platform-as-a-Service or Software-as-a-Service solutions.

When it comes to security researchers, I feel that the rhetoric surrounding vulnerability disclosure is getting better and we are seeing less conference talks where a security researcher is laughing at vulnerabilities. It’s good that a lot of people in the security community have begun to see mutual respect as something to strive for.

It’s important to cultivate an environment of collaboration between security community and security teams in companies. I believe bug bounties and responsible disclosure policies have aided in this, because it has made collaboration easier and security researchers less hesitant when reporting vulnerabilities.

But do we still have a long way to go? I think so, because there’s still plenty to do to fix the internet and remove the grey area of security research, such as what constitutes as a proof-of-concept exploit (or what goes overboard), ‘out of scope’ issues and impact assessment.”

Mohammed Aldoub, independent security engineer 

On AppSec and cloud security...

“This year I’ve noticed more effort being done into security of software dependency, and I think that’s one of the most important AppSec issues. We’ve also noticed lots of serverless security acquisitions happening so we know for sure that serverless security is now being put on the map of the big business side in cybersecurity. It also happens that dependency security is one of the most important aspects of serverless security, and you can see that it's going to have more focus.

I think more focus now needs to be put into more precise dependency security – for example, pinpointing actual invocation of vulnerable code paths in dependencies instead of just checking the hash of library files against a database. Remediation actions also will need to be vastly improved beyond just alerting or issuing automatic pull requests.”

On industry challenges...

“How do we keep up with the same issues but on cloud and serverless technology? A few examples to deliver the point:

  • How many defenders know what cloud logs (e.g. Cloudtrail) mean in terms of security? 
  • How many AWS clients know how to use AWS Athena to hunt in their cloud logs for suspicious activities?
  • Granted, we have difficulty understanding security aspects of regular OS and server logs, let alone the ever-changing logging formats in the cloud; but we have no options. Either we as an industry keep up with what development and cloud industries produce, or the gap becomes wider, we become bigger roadblocks, and these modern environments become prohibitively difficult to secure.

    There is absolutely no other option for the security industry other than adapt or die. We have to dive deeper into the pipeline. We have to become part of the pipeline.

    On the Middle Eastern software community…

    “The region’s security open source community is booming now and is producing more and creating more. I’ve seen many great tools being showcased in conferences and online in 2019 by people from Middle Eastern communities.

    However, the industry is asleep. The security industry in the Middle East is just vendors doing what vendors do. They have absolutely nothing in common with the vibrant infosec community in the Middle East. So much young raw talent is available, but no real industry to utilize it correctly.”

    READ MORE Barq: Post-exploitation framework plays havoc with AWS infrastructure

    Deshini Newman, managing director EMEA at (ISC)2

    “Data breaches have dominated the sector in 2019 and continue to be one of the key challenges keeping cybersecurity pros awake at night.

    We’ve seen the GDPR tested several times, with several high-profile organisations including Google and British Airways on the receiving end of painful fines. It is illustrative of the fact that the era of lax and throwaway attitudes towards data security and data protection are over.

    This won’t be tolerated anymore and regulators across the EU are very willing to take action where previously organizations got away with a metaphorical slap on the wrists. Control of end user data is firmly back in the hands of the individual and the impact this has had on data security best practice is fundamental for a safe and secure society.

    Malware and phishing also remain at the forefront of the cybercrime battle, with more focus from cybercriminals on targeting Android and mobile devices. This is a direct reflection of how user habits have changed, and so the battleground is increasingly moving away from the desktop and firmly into the mobile space.

    A year ago it was predicted that spear-phishing would be more of a problem, and this was definitely the case in 2019 with a plethora of targeted and extremely convincing campaigns that have moved beyond financial services to also target online streaming services, charities, government services and even sports teams.

    Spear-phishing will continue to be a preferred tool for cybercriminals in 2020 until tools appear that can better deal with both known scams as well as detect the characteristics of one. The growth of AI in cybersecurity countermeasures will play a big part in achieving this.

    However, the cybersecurity skills gap remains one of the major challenges – if not the biggest – facing the sector. The global gap has widened from 2.9 million to four million in the space of 12 months based on our independent research. A shortage in the global cybersecurity workforce continues to impact on organisations across the board and this will continue into 2020.

    To overcome the skills shortage, we need to do more to increase the available talent pool and make cybersecurity more appealing to both first-time jobseekers as well as career changers. We also need to tackle the significant diversity and inclusion issue in the sector by encouraging more women and more people from underrepresented groups to pursue cybersecurity careers.

    The industry is making great strides in improving skills development and training. The work on the formation of the UK Cyber Security Council is also a step forward in making the industry more accessible, increasing recognition for the profession, as well as creating an overarching body to support initiatives to grow the sector and make it more inclusive.”

    Grant McCracken, director of solutions architecture at Bugcrowd

    “It’s been a busy year for crowdsourced security. Not only has the general awareness continued to rise, but the number of researchers participating, as well as organizations adopting crowdsourcing as part of their security model, have risen.

    Organizations are realizing their attack surface is often a lot more complex and expansive than they originally thought, resulting in larger scoped programs, more target types and findings, more awareness, and increasingly interested researchers.

    In terms of bug classes, things have remained roughly similar, but as we run more niche programs, we also see more vulnerabilities against new and exciting vectors. For instance, since many IoT bugs fall into the same classes as web, API, and mobile programs (SQLi, IDORs, BAC, etc.), on paper it’s just more of those types of vulnerabilities. But what that data doesn’t show is that we’re seeing new targets that are across the board in nature (IoT, automotive, etc.), and tapping into more varied skills throughout the Crowd.

    READ MORE Bug Bounty Radar // November 2019

    We’ve also done a number of really cool and fun engagements with the government and public sector this year, such as the US Air Force, and expect to do a whole lot more in 2020. While these programs in themselves are rewarding because we’re helping secure assets with national security implications, they also offer interesting targets and technologies that you wouldn’t normally be exposed to in the wild.

    Overall, if one thing’s for certain in 2020 and the decade to come: there will be bugs, lots of them, and the ‘unknown’ will be the biggest continued cyber threat businesses will face.

    But there will also be a lot of organizations that don’t get breached, that find the vulnerabilities and patch them before they’re ever found or exploited in the wild. Sadly, those won’t make the headlines. And while it may never get printed, that’s a storyline worth hoping for in 2020.”

    Sarah Jamie Lewis, executive director at Open Privacy

    “The next decade will surely feature a greater number of democracies entrusting their future to internet voting. E-voting, after all, has the potential to revolutionize society for the better. The promise of faster, cheaper, more accurate and accountable elections is a hard one to turn away from.

    Unfortunately, 2019 has been a year of cryptographic trapdoors that would allow authorities to lie about the result of an election, a year where an electoral authority patched a voting system mid-election, and a year where those same authorities have remained steadfast in their commitments to build on provably broken systems instead of empowering open, collaborative solutions.

    2020 may very well be a pivotal year, it may be the year where governments finally start taking the safety and security of e-voting systems seriously. There is also the very real danger that the current generation of proprietary, broken voting systems propagate beyond their current reach. And in time, there is the very real danger that we will lose our democracies to these systems.

    If there is one thing that I have learned this year it is that speaking math to power is an effective tactic against those who would try to blind the public to the broken complexities of these systems. The fight for safe and secure democracies will need more people joining in the chorus if we are to get the democracies we deserve.”

    David Oberly, associate at US law firm Blank Rome

    “By far, the most significant development of 2019 in the area of US privacy law pertains to the flurry of activity that transpired surrounding the California Consumer Privacy Act (CCPA), which goes into law at the beginning of next year.

    In particular, two key developments took place with respect to the CCPA in 2019, both of which will substantially impact businesses’ CCPA compliance obligations for years to come.

    First, the CCPA’s long-awaited amendments were finalized and signed into law. The amendments are a critical piece to the CCPA compliance puzzle, as they provide important clarification on ambiguous aspects of the law, while at the same time lessening the compliance burden on covered entities to some extent through the addition of several new exemptions.

    Second, the California attorney general also issued its much-anticipated draft CCPA Regulations, which not only clear up some additional significant ambiguities, but also extend covered businesses’ compliance obligations well beyond the text of the CCPA itself.

    Combined, companies have finally been afforded a clear, complete picture as to the full scope of requirements that must be adhered to in connection with this first-of-its-kind privacy law beginning at the start of next year.

    The CCPA is the first of a coming tsunami of state-level privacy laws which, together, will radically shift how businesses collect, use, and protect personal data.”

    Read Part II of The Swig Security Review here.

    Additional reporting by James Walker and Adam Bannister.