Key thinkers on the biggest security stories and trends in 2020
It’s safe to say that 2020 has been a year like no other, with the Covid-19 pandemic dominating headlines worldwide.
Within the cybersecurity sphere, the ripple of changes to the way we work and live have resonated loudly.
From navigating the security risks of working from home to cybercriminals taking advantage of the pandemic, the cyber-threats have been widespread and varied – not to mention the effects social distancing has had on the hacking community as conferences and meet-ups were forced to go virtual.
But while 2020 might be a year that many would rather forget, it’s important to also recognize the effort and contributions of the security community, as its members stepped up the fight against cybercrime amid this new wave of challenges.
The Daily Swig spoke to some of the industry’s key thinkers to take a retrospective on an eventful year and look forward to what 2021 will bring.
‘Information security has a very big role to play’
Vandana Verma, security solutions architect at IBM, OWASP global board of directors, and president of InfosecGirls
“2020 has been a year like never before. Covid-19 came with a host of uncertainties, which in turn meant people losing their lives, jobs, and their loved ones. It also had a torrential impact on the cybersecurity ecosystem.
One of the things that changed the whole paradigm was the shift to cloud, and companies that were already planning to move to cloud were forced to do so quicker, leaving a lot of gaps in security. At the same time, the threat landscape increased for organizations.
Remote working enabled people to log in from home, which shattered the traditional perimeter to include using open security systems using VPNs or workspace management systems. Enabling security in a short span of time for a whole organization became a challenge. It became a snake and ladder game wherein anything missed could have left an entire organization vulnerable.
One major area Covid-19 had a big impact was on cybersecurity conferences and physical communities. The cybersecurity community did a great job in keeping the learning and sharing going via online conferences and keeping the spirit high. At OWASP, we had a responsibility to keep the community going as well, so we encouraged all chapters to host online events and provided them with all the support they needed. We hosted the OWASP Chapters All Day conference which was organized together by various chapter leaders from around the world. OWASP also held dedicated virtual training events and its flagship AppSec conference online.
Most of the businesses started their operations online which gave loophole visibility to the invaders in the business. On the other hand, people became more cyber aware around the technology.
What these past few months have taught us to keep in mind a few things. First and foremost, an organization needs to be ready for such a situation in future, which means having resources ready for remote working conditions.
Companies need to scale their IT infrastructure for remote working scenarios, strengthen their VPN resources, enable multi-factor on all the applications in use and for third-party services in cloud, and have a detailed plan identifying which employees really need to come to work, even after the lockdown is lifted.
This is going to be the new normal way of working. Everyone has a role to play, and similarly information security has a very big role to play. This is not a choice anymore. It is the need of the hour.”
Follow Vandana on Twitter.
‘We have seen security teams excel in what they often do best – find creative solutions in adverse circumstances’
Wim Remes CEO and principal consultant, Wire Security
“2020 was rife with significant cybersecurity incidents and our industry has, once again, been put on notice. There is no doubt that organizations the world around, and society, are expecting us to do better. One of the biggest takeaways from this year is that there is a need for more professionals. At the same time, we must highlight the immeasurable resilience that people have shown in extremely adverse circumstances.
I am cognizant of the fact that not only our profession has been under extreme pressure – many of our peers in other industries also work day in and day out to ensure that essential services can be provided. The sudden move to lockdowns and other very necessary measures to keep society safe immediately made executing on those responsibilities more complex than ever before. Despite those challenges, we have seen security teams excel in what they often do best – find creative solutions in adverse circumstances.
I could talk about ICS security, healthcare security, supply chain, or data protection. 2020 has shown many indicators that we still have a lot of work to do in those areas. However, we also need to realize that the work ahead of us will not be solely fixed with technology. On a personal level, I regularly page through what is commonly called “The Ware Report”, a document from 1970 written by Willis Ware and a team of computer experts that looked at the requirements for security controls for computer systems. In this document, virtually any threat that we know today is already listed in minute detail. While it could be depressing to see that nothing much has changed in 50 years, I think it is also an extremely positive realization. At the very least, we have not made things significantly worse. And, above all, problems are identified, described, and resolved by people.
Both defense and offense rely on talented and motivated people in an environment that allows them to be their very best selves. It is not uncommon for people to focus on themselves when times are hard but given the right environment people will always step up and contribute to the common good. And I’ve seen so many infosec professionals do just that in 2020.
It is up to us that are already here to attract, to train, to mentor, and to welcome our new peers. Let 2021 be about ‘us’.”
Follow Wim on Twitter.
Evolving ransomware, more APT threats, and an increase in credential stuffing attacks
Per Thorsheim, security evangelist and founder of PasswordsCon
“2020 has been another crazy year in security and privacy. Without listing any breaches, we have seen too many times reports of AWS S3 buckets being accidentally open to the public.
Ransomware has evolved to increase the probability of payouts from victims. APT actors have continued their work with some spectacular cases, others use old tricks such as phishing.
Although adoption of two-factor authentication (2FA) is increasing, 2020 has shown that successful password spraying and credential stuffing attacks are increasing. Hidden in some cases, we also find a disturbing trend: 2FA is getting hacked or bypassed. There are different levels of 2FA, but public debate is mostly about having 2FA or not. And very few [organizations] talk about implementing risk-based authentication in their services online.
My tips for 2021: Patch your systems, improve 2FA support, and implement risk-based authentication.”
Follow Per on Twitter.
GDPR will continue to ‘go global’
Natasha Singh, Principal Consultant Privacy & Data Protection, Gemserv
“Since it was introduced in 2018, the EU General Data Protection Regulation (GDPR) has become the gold standard for privacy. During 2020, Brazil introduced its own version, Lei Geral de Proteção de Dados (LGPD), and other countries are poised to follow suit in 2021.
India, the world’s biggest information technology services provider, is likely to introduce its Personal Data Protection Bill (PDPB), which will have a major impact on the global digital market, with controversial data localization requirements. Singapore, another important hub in Asia, is also updating its Personal Data Protection Act to align closer with GDPR, with changes entering into force in 2021.
China unveiled its draft Personal Information Protection Law (PIPL) in October 2020, marking the country’s first attempt to introduce a comprehensive data protection law.
Canada’s privacy landscape is also about to undergo reform with its Consumer Privacy Protection Act (CPPA) proposal, which intends to modernize the current Personal Information Protection & Electronic Documents Act (PIPEDA). The key objective is to align with the GDPR and maintain its ‘adequacy status’ for data flows from the EU.
Perhaps the biggest changes could come in the United States, where a federal privacy law is being mooted, with backing from ‘big tech’ for a harmonized national approach. California has already pressed ahead on its own, with voters approving the California Privacy Rights Act (CPRA) in November 2020, building on the California Consumer Privacy Act (CCPA) and bringing America’s most-populous state closer to GDPR standards.
Back where it all began in Europe, we will still feel the aftershock of the EU’s “Schrems II” (PDF) decision, which invalidated the EU-US Privacy Shield in July 2020 because of the US government’s access to personal data. With the consultation on the UK’s National Data Strategy closing in December 2020, all eyes will be on how close Britain remains aligned with GDPR – with the rest of the world moving closer to the EU’s position, it’s hard to imagine the UK wanting to miss out on a potential data protection adequacy status.”
Follow Gemserv on Twitter.
Cybercrime forums have expanded to include smaller targets
Stefano De Blasi, threat researcher at Digital Shadows
“The trading of access to compromised victim systems on cybercrime forums has developed during 2020.
Firstly, such listings have increased in frequency and have expanded from fairly elite offerings affecting major organizations to include lower-level sales targeting smaller companies.
Secondly, threat actors are increasingly selling identified vulnerabilities to target victim systems rather than the credentials for the initial access itself.
This increases the turnaround speed for vendors – rather than taking the time to exploit the vulnerability to discover administrator credentials, they can simply sell the vulnerability and move on to the next victim.
Stefano De Blasi
Ransomware has become inextricably linked with this sale in access offerings. The growing prominence of ransomware attacks has been widely reported, but partnerships between access vendors who provide an initial ‘way in’ to networks and the ransomware teams who infect these systems have developed in frequency and sophistication. Ransomware groups have also become increasingly involved in forums on Russian-language cybercriminal platforms through schemes such as sponsoring forum competitions.”
Follow Stefano on Twitter.
‘I am proud of our community for learning fast how to become virtual event specialists’
Andrew van der Stock, executive director at the OWASP Foundation
“2020, by far, has been this generation’s worst-ever year. You read about pandemics from the past and wonder how it would be, and now we know. OWASP took a massive hit in our usual revenue sources, which are in-person events. We’ve had to really cut an already lean organization into a ripped 0% body fat organization. It’s been tough, and some of the things we’ve had to cut back on are our mission.
Some of the things I am proud of our community and my team getting done this year are learning fast how to become virtual event specialists. I really appreciate the trainers and speakers, our sponsors, and your support in registering and coming to these events and our staff’s hard work in putting it on at short notice.
Andrew van der Stock
2021 is OWASP’s 20th anniversary. We will be doing many virtual events around the past, present, and future of OWASP. If you want to be on a panel, we have plenty of opportunities for that throughout the year.
We are going to run an in person Global AppSec in Australia, as they are the closest country to eradicating Covid-19 as any and have shown that they will lockdown hard to get rid of it again. The event, with some luck, will be happening in October 2021.
Looking forward to 2022 and beyond. We need to restart full operations, including chapter, regional, and global AppSec [groups] again.
The OWASP Foundation is here to enable the mission, not do it. We need the community to come back to our mission. I hope that during the board strategy face to face, we can think of the next mission statement, as we need a new one that will serve us well for the next five to 20 years.”
This excerpt was taken from the OWASP Foundation's blog.
Follow Andrew on Twitter.
Read Part I of the Swig Security Review 2020.
Additional reporting by Adam Bannister, James Walker and John Leyden.