Is cybercrime-as-a-service poised to become an actual business trend? Don't be surprised to see it happen in 2020.
Security-breach news became so common in 2019 that readers' eyes often glazed over at the headlines. Ransomware and phishing, as in 2018, were out of control; state-run hackers were working around the clock and making money; passwords were leaked; sophisticated malware attacks kept spreading; data was breached and governments around the world once again worked around privacy rules—despite the first full year of the General Data Protection Regulation, a set of international rules set by the European Union in May 2018.
Oh, and don't forget the concerted nation-state misinformation campaigns from countries such as Russia, China, North Korea and Iran designed to influence U.S. voters through social networks in the 2020 major U.S. elections. Networks such as Facebook, Instagram, YouTube and others again found themselves spinning their wheels on how to mitigate hate speech, fake news pages, false memes and myriad other cultural poisons being published on their web pages.
Now we're seeing predictions of AI and machine-learning "poisoning" potentially causing new cybersecurity problems. It remains to be seen how these new twists will affect cultures.
Go here to see eWEEK's listing of Global Data-Loss Prevention Software vendors.
According to professionals who fight these battles every day, there is no reason to believe that 2020 is going to be any less problematic than 2019 was.
Here is a list of 2020 security predictions from some of those professionals. eWEEK will probably have more of these to publish before the end of the year because the sector is so hyper-active.
Eric Taylor, CTO, Big Data & Security, Atos North America: Will we see our first examples of AI poisoning in 2020? Can machine learning poisoning actually happen?
The high-level process used by machine learning is called inference. Inference refers to the machine-learning engine making a decision based on the training that it has already received. The easiest way to perform a machine-learning poisoning attack would probably be to overwrite the existing training data with poisoned data, thereby causing a breakdown of the inference process. Cybercriminals will figure out ways to poison AI inference capabilities of endpoint security technologies as a way to bypass security controls. As we move AI processing closer to the edge for other applications, attackers will find ways to poison AI inference models to wreak havoc on models - potentially causing a "return to zero" for AI models over time.
Ian Cruxton, CSO of Callsign: Identity gets personal.
In today’s modern bank, fraud departments are tasked with identifying when fraud occurs and mitigating the incident. Their job is to simply detect the presence of fraudulent activity, rather than correctly identify account holders. But increasingly, privacy laws and other regulations like PSD2 in Europe are calling for organizations like banks to confirm identification, so security professionals have to look beyond the fraud solutions. In 2020, identification as we know it will become personal.
Casey Ellis, Chairman, founder and CTO of Bugcrowd: Elections: Cybersecurity is a Citizen Problem.
New media and western democratic processes will collide on the cybersecurity battleground. The combination of a higher percentage of digitally-native, first-time voters; an increased reliance on connected systems for registration, tallying, and voting itself; and the wide knowledge and sharing of Russia’s disinformation playbook from 2016 indicates to me that we’re in for a wild ride through the 2020 elections — not just in the U.S., and not just with Russia as a potential aggressor.
Much of the voter narrative on election security focuses on the cybersecurity elements. In 2020, this will drive a rapid increase in the consumer demand for vendors and governments of all types to demonstrate accountability for the measures they’re taking to keep the data and processes of their customers confidential, integrated, and available.
The good news is, we’re already seeing a move in the right direction with the call for vulnerability disclosure programs across agencies, which would allow whitehat hackers to help surface flaws in election websites and applications in lead up to and through the elections.
Matt Kunkel, CEO of LogicGate: The board and cybersecurity
Ultimately the board thinks about dollars and cents—both top line and bottom line financial considerations. With the increased number of data breaches, ransom attacks, and cyber incidents, combined with the increased amount of technology companies use to run their business on a day-to-day basis (equating to lots of spending), cybersecurity is getting much more attention and importance at the board level than ever before. CEOs have a hand in this too. According to The State of ERM: A View from the Top, cybersecurity ranks as the top concern for 1 in 3 CEOs who are most concerned about operational risk. This will continue being a focus in 2020.
Mark Gazit, CEO of ThetaRay:
--The cybersecurity world will see ever-increasing sophistication in attacks. There will be a significant uplift in malicious acts which utilize source code and exploits that have been developed by commercial companies and governments and leaked.
--Criminals will have an increased ability to infect devices that were previously considered safer than “traditional” networks and servers – most notably mobile devices. As a consequence, this will escalate financial cybercrime because the technology will allow for easier penetration and takeover of mobile operating systems such as Android and iOS.
--We will see an increase in attacks on IoT devices, including smart home devices, home automation systems and more. We might see new forms of IoT financial cybercrime, building on first generation IoT attacks on ATMs and their networks. Cybercriminals will exploit payment services and open banking initiatives such as Google's plan to offer checking accounts, Apple Pay, Google Pay and possibly Facebook's Libra. These technologies will provide opportunities for a new type of cybercriminal who utilizes next generation payment providers to hack into accounts and not only access customer data but steal funds as well.
--On the plus side, we'll also see more systems based on artificial intelligence that will help companies protect themselves. We will even see solutions that were previously considered too good to be true, such as Artificial Intuition, which mimics human decision making and is already used by Tier-1 financial institutions as part of the AML, CTF and fraud-detection efforts. The market will realize that the only way to protect itself is to use the most advanced solutions possible.
Jamie Zajac, Senior Director of Product Management, Carbonite:
Businesses are realizing that no matter what they put into protection, attackers are always trying to stay at least one step ahead and businesses need to have an incident response plan. Being able to respond and remediate the machine quickly is key. During the past few years, we’ve seen cybercriminals shift from causing disruption to focusing on threats where they can take a financial stake in the outcome. We’ve seen the prevalence of things such as ransomware and personal info exfiltration become more popular since there is a direction correlation to their ability to make money. Educating users against phishing, preventing malware from being accessed over DNS, blocking malware from running, and recovering the system, if necessary, will need to be a focus in 2020 to support the availability and security of corporate and personal data.
Eric Taylor, CTO, Big Data & Security, Atos North America:
In 2020, the industry will see detection based on AI and machine learning, and in return, attacks based on AI and machine learning. Cybersecurity firms are increasingly using AI and machine learning to train systems to recognize anomalies that indicate compromises. Cybercriminals are also employing machine learning tools in an ever-escalating cat and mouse game, in which attacks and protections against attacks are evolving faster than ever. Cybersecurity firms and incident responders will find cybercrime-as-a-service leveraging more advanced AI for offensive attacks then defenders have available to use. There is a solid chance we will find the use of more advanced AI and machine learning for attacks in 2020.
Joe Jaroch, Senior Director of Cybersecurity Strategy, Webroot, a Carbonite company:
Adversarial attacks against AI-based security products will grow in scope and complexity. There will be a bifurcation in AI providers with these attacks highlighting which systems are vulnerable to sophisticated attackers. It will become clear that there are fundamentally two types of AI in cybersecurity: AI which acts like a smarter conventional signature and AI which is built into every facet of an intelligent, cloud-based platform capable of cross-referencing and defending itself against adversarial attacks.
Casey Ellis, Chairman, founder and CTO of Bugcrowd: Containers make bad security decisions faster, and with more energy.
In 2020, my prediction is that container misconfiguration, network hygiene and breakouts on containers themselves will be heavily targeted. Know your entire attack surface, prioritize assets, and get ahead of potential back doors to your organization. Unknown assets have long been the cause of headline-drawing security incidents.
Grayson Milbourne, Security Intelligence Director, Webroot:
Phishing will become more targeted as data collected from breaches is incorporated into phishing emails. Things like passwords and recent transactions can go a long way in convincing people the email is legit.
Grant McCracken, Director of Solutions Architecture at Bugcrowd: The “unknown” is the biggest cyber threat businesses will face in 2020.
When protecting against elements such as WannaCry or other known threats, organizations have a clear picture of what the enemy looks like and can thereby adopt successful defensive techniques against such known threats. However, the biggest threats today are the ones we won’t know about until tomorrow, or even later.
The next big breach is happening now, and we’ll only learn about it months down the road. Exposed but unknown attack surface is what’s much more likely to sink an organization than an old (but known) flaw (such as Apache Struts) that’s been patched. And while you fundamentally can’t expect the unexpected, organizations can take steps to ensure there are fewer unknowns. In doing so, reduce their available footprint for being surprised, as well as get ahead of potential back doors to the organization.
eWEEK is running a series of prediction articles throughout the month of December.