Cyber security is a fast-moving sector, as both hackers and security providers vie to outsmart each other. New threats – and innovative ways to combat them – emerge all the time. In this overview, we explore the latest trends in cyber security.
With supply chain security suddenly something for CISOs to worry about, it is not surprising that more and more organizations are taking matters into their own hands and assessing the security of their partners and customers. This usually involves hiring a third party to conduct a non-intrusive security check on a potential partner, looking for evidence of data breaches, stolen credentials, and compromised devices that might indicate a cybersecurity slip somewhere. Once unheard of beyond sectors such as government and defence, this might eventually become a standard part of best practice under principles such as zero trust.
Ransomware data breaches
Ransomware started life as a form of denial of service. The attackers compromised the target’s network and encrypted any data or applications they could find, demanding a ransom in return for a key. These days, this has changed somewhat. Ransomware attackers still often encrypt data, but more often they steal it too, using the threat of public release to exert extra pressure, so-called double extortion. Increasingly, they also threaten to contact the victim’s customers and partners directly, a tactic dubbed triple extortion. Whichever is deployed, ransomware should always be treated as a likely data breach: if an attacker can encrypt your data, they can just as easily steal it, at which point it is gone forever.
Multi-cloud data protection
Today, medium and larger companies use multiple cloud platforms to avoid vendor lock-in, often mixed with hybrid clouds that combine public and private data centers. Despite its advantages, this comes with downsides. One of the biggest is that it can dramatically complicate data protection and compliance. Each platform has its own family of tools, leading to compliance gaps and oversights that raise the risk of accidental breaches.
Any organization that depends on public-facing web applications is vulnerable to API attacks, which traditional defenses such as web application firewalls (WAFs) and API gateways have struggled to contain. Organizations often don’t know which APIs they are exposing, including out-of-date and vulnerable ones, and this blind spot leads to API attacks, including DDoS, SQL injection, cross-site scripting (XSS), and large data breaches as data is left exposed.
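The first step against the blind spot described above is knowing which endpoints actually serve traffic. The script below is an added example, not code from the original article: it parses a few constructed access-log lines in combined log format, collapses numeric path segments to `{id}`, and reports every method/path pair that is absent from a declared inventory (the `DECLARED_ENDPOINTS` set stands in for an OpenAPI spec or gateway configuration and is an assumption).

```python
import re
from collections import Counter

# Constructed sample: endpoints declared in the organisation's API inventory.
# In practice this would be derived from an OpenAPI spec or gateway config.
DECLARED_ENDPOINTS = {
    ("GET", "/api/v2/users/{id}"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/orders/{id}"),
}

# Constructed sample access-log lines (combined log format).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:10:01:02 +0000] "GET /api/v2/users/1042 HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2022:10:01:03 +0000] "POST /api/v2/orders HTTP/1.1" 201 88
198.51.100.7 - - [10/Mar/2022:10:02:10 +0000] "GET /api/v1/users/1042/export HTTP/1.1" 200 90210
198.51.100.7 - - [10/Mar/2022:10:02:11 +0000] "GET /api/v1/users/1043/export HTTP/1.1" 200 88712
192.0.2.9 - - [10/Mar/2022:10:03:00 +0000] "GET /api/v2/orders/77 HTTP/1.1" 200 640
192.0.2.9 - - [10/Mar/2022:10:03:05 +0000] "DELETE /internal/debug/cache HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ID_SEGMENT = re.compile(r"^\d+$")


def normalise(path):
    """Drop the query string and collapse numeric segments to {id},
    so /users/1042 and /users/1043 both map to /users/{id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in path.split("/"))


def observed_endpoints(log_text):
    """Count (method, normalised path) pairs that appear in the log."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[(m["method"], normalise(m["path"]))] += 1
    return seen


def shadow_endpoints(log_text, declared=DECLARED_ENDPOINTS):
    """Endpoints that receive traffic but are missing from the inventory,
    mapped to their request counts. Includes rejected requests (e.g. 403),
    since probing of undocumented paths is itself worth knowing about."""
    seen = observed_endpoints(log_text)
    return {ep: n for ep, n in seen.items() if ep not in declared}


if __name__ == "__main__":
    for (method, path), hits in sorted(shadow_endpoints(SAMPLE_LOG).items()):
        print(f"undocumented: {method} {path} ({hits} requests)")
```

Run against the constructed log, the script surfaces the old `/api/v1` export endpoint (exactly the kind of forgotten, out-of-date API the paragraph warns about) and a probe of an internal debug path. Feeding it real gateway or load-balancer logs and diffing the result against the inventory on a schedule turns this into a standing control.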
Rapid vulnerability exploitation
Attackers exploit vulnerabilities more swiftly than in the past, in some cases within hours of their becoming public knowledge. According to vulnerability management company Rapid7, in 2021 the average time to exploitation, excluding browser flaws, dropped from 42 days to only 12 across a wide range of enterprise systems. More than half of the most significant vulnerabilities were zero-day flaws, with ransomware the top attack vector using them.
Edge computing threats
Edge computing distributes network infrastructure such as routers, switches and VPNs across multiple locations, which improves latency compared to traditional centralised networks. However, this creates two problems. The first is that it dramatically increases the ‘attack surface’ of most networks by multiplying the number of access points. The second is a side effect of the improved latency itself, especially when edge computing is deployed in conjunction with high-bandwidth 5G wireless: the same speed and throughput are available for threats to propagate.
Where are the skills?
There is nothing new about the skills crisis in IT, but addressing it always seems to be just out of reach. The simple explanation for this is that the skills needed to operate in industries such as IT and cybersecurity are constantly evolving. Solve one skills shortfall, and another will soon replace it. In reality, the shortfall can only be addressed in two ways. The first is to invest in greater automation, which reduces the need for hands-on skills without eliminating it. The second is for organisations to move to a managed services model where hard-to-find skills such as cybersecurity become services.
The digital attack surface is invisible
When asked to describe an organization’s attack surface, most CISOs will describe their network and the devices, applications, and data it serves. However, it is more accurate to say that this is only the visible network within their direct control. The second aspect of cybersecurity is an organization’s digital footprint, which comprises a range of hidden or underestimated assets. These include lost data and credentials circulating on the dark web, necessary online infrastructure such as registered web domains, and third-party social media accounts used by employees for company business. Any one of these can be impersonated, abused, hijacked or misused. Most organizations either don’t monitor for such abuse at all or do so only partially (for example, for typo-squatting) on an ad-hoc basis.
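Monitoring for typo-squatting of your own domain is the one piece of digital-footprint monitoring the paragraph mentions, and it can be automated. The code below is an added example rather than anything from the original article: it generates single-edit lookalikes of the organisation’s own domain label (omissions, transpositions, adjacent-key substitutions and hyphen removal) plus the same label on other common TLDs, then checks a constructed feed of newly observed domains against that set. The feed, the domain `example-corp.com` and the small keyboard-adjacency map are all assumptions; in practice the feed would come from certificate transparency logs, a newly-registered-domain service or passive DNS.

```python
# Constructed feed of newly observed domain names (in practice sourced from
# certificate transparency logs, NRD feeds or passive DNS).
NEW_DOMAINS = [
    "exampel-corp.com",
    "example-corp.co",
    "exanple-corp.com",
    "example-corp-login.net",
    "unrelated-site.org",
    "examplecorp.com",
]

# Partial QWERTY adjacency map; enough for this example, extend for real use.
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "c": "xdfv", "e": "wrsd", "l": "kop", "m": "njk",
    "n": "bhjm", "o": "ilp", "p": "ol", "r": "etdf", "x": "zsdc",
}

COMMON_TLDS = ("com", "net", "org", "co", "io")


def typo_variants(label):
    """Single-edit lookalikes of a domain label: character omission,
    adjacent transposition, adjacent-key substitution, hyphen removal."""
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                       # omission
        if i + 1 < len(label):                                        # transposition
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for key in KEYBOARD_NEIGHBOURS.get(ch, ""):                   # fat-finger
            variants.add(label[:i] + key + label[i + 1:])
    variants.add(label.replace("-", ""))
    variants.discard(label)
    return variants


def lookalike_domains(own_label, own_tld, candidates):
    """Return candidate domains that are one typo away from the organisation's
    domain, or reuse its exact label under a different common TLD."""
    own = f"{own_label}.{own_tld}"
    suspicious = {f"{own_label}.{tld}" for tld in COMMON_TLDS} - {own}
    suspicious |= {f"{v}.{tld}" for v in typo_variants(own_label) for tld in COMMON_TLDS}
    return sorted(d for d in candidates if d in suspicious)


if __name__ == "__main__":
    for domain in lookalike_domains("example-corp", "com", NEW_DOMAINS):
        print(f"review: {domain}")
```

Note what the single-edit model misses: `example-corp-login.net` appends a whole token and is not flagged, so a production monitor should also add common prefix/suffix words and homoglyph substitutions. The point of running this on a schedule is to spot impersonation domains for takedown or blocking before they are used against customers or staff.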
The energy sector has become a strategic target
While ransomware spares no sector, a noticeable recent trend has been a sudden move towards targeting critical infrastructure in the hope of extorting large ransom sums. As the infamous attack on Colonial Pipeline demonstrated in 2021, this isn’t just about energy generation; it applies to the many smaller companies that sit in what is a complex supply chain. That attack reportedly exploited a single credential found on the dark web to target a legacy VPN which lacked adequate authentication. Despite this, few organizations have invested in the infrastructure needed to detect simple failings like this.
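The failing described above, a remote-access login that succeeds on a single factor using a credential that has already leaked, is detectable from logs an organisation already has. The following is an added example, not code from the article or from any vendor: it parses a constructed VPN authentication log (the key=value format is assumed; real appliances differ) and flags successful logins that had no second factor or that used an account present in a constructed breach-exposure list (`EXPOSED_ACCOUNTS`, standing in for a monitoring provider’s feed).

```python
import re
from dataclasses import dataclass

# Constructed VPN authentication log; the field layout is an assumption.
VPN_LOG = """\
2021-04-29T02:11:03Z vpn01 auth user=jdoe src=198.51.100.23 factor=password mfa=none result=success
2021-04-29T02:11:40Z vpn01 auth user=asmith src=203.0.113.8 factor=password mfa=totp result=success
2021-04-29T02:12:15Z vpn01 auth user=svc-legacy src=192.0.2.77 factor=password mfa=none result=success
2021-04-29T02:13:02Z vpn01 auth user=jdoe src=198.51.100.23 factor=password mfa=none result=failure
"""

# Constructed list of accounts whose credentials appeared in an external
# breach-exposure feed.
EXPOSED_ACCOUNTS = {"jdoe", "mlee"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<kv>.*)$")


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reasons: tuple


def parse(line):
    """Turn one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    fields["ts"] = m["ts"]
    return fields


def audit_vpn_logins(log_text, exposed=EXPOSED_ACCOUNTS):
    """Flag successful VPN logins that relied on a single factor and/or used
    an account with externally exposed credentials. Failed attempts are
    ignored here; they belong in a separate brute-force detection."""
    findings = []
    for line in log_text.splitlines():
        f = parse(line)
        if not f or f.get("result") != "success":
            continue
        reasons = []
        if f.get("mfa", "none") == "none":
            reasons.append("no second factor")
        if f.get("user") in exposed:
            reasons.append("credentials in breach feed")
        if reasons:
            findings.append(Finding(f["ts"], f["user"], f.get("src", "?"), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_logins(VPN_LOG):
        print(f"{finding.ts} {finding.user} from {finding.src}: {', '.join(finding.reasons)}")
```

On the constructed data the check surfaces two logins: one that combines both weaknesses and one service account that never enrolled in MFA. The lasting fix is enforcing a second factor on the VPN and retiring accounts that cannot use it, but the audit is what tells you those accounts exist.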
Zero trust is harder than it looks
In less than a decade, zero trust has risen from the status of a fringe idea to network security orthodoxy on the back of a simple observation – many cyberattacks exploit trust in ways that should now be seen as obsolete. The answer, then, is to abolish implicit trust, rebuilding it through a web of careful device and account control and sophisticated authentication. Nothing should be given trust simply because of who it is, where it is or what it is doing. The complication is that while zero trust tells network builders what to do, it does not tell them how. In principle, it must be extended to all parts of the supply chain and not only networking, a large undertaking that few organizations have the expertise to carry out on their own.