We’re in the best of times, yet we’re also in the worst of times. On one hand, we all benefit from the emergence of new technologies, including 5G, AI, IoT and so on. On the other, COVID-19 has posed a serious threat to mankind, and it compels us to alter the way we live and work, probably forever.
The factors aforementioned has affected (both positively and negatively) almost every business sector, including cybersecurity. By gathering information from experts and past evidence, we summarize 8 new trends that every cybersecurity practitioner should know. Hopefully, this article can proffer you some insights about the future threats your organization may be facing, and what you can do to fight back. Ready? Let’s begin.
Trend 1: Targeted ransomware attacks are on the rise.
In 2020, FBI Internet Crime Complaint Center (IC3) has received 2,474 incidents of ransomware attacks as suggested by its 2020 Internet Crime Report; such number exceeds the 2,047 complaints FBI got in 2019. The report also suggests that such attacks are most commonly launched through phishing e-mails, software vulnerabilities and RDP, three of the key subjects for the later discussion in this article.
One noticeable tendency regarding ransomware is “double extortion”, where the hacker group first demands a ransom for decrypting the encrypted files, and then request a second payment for preventing the stolen data from being published online. It seems that this has become a new normal for such type of cybercrime.
In addition, the difficulty for performing such attack has decreased significantly due to the rise of Ransomware as a Service (RaaS), which allows inexperienced attackers to use ready and effective tools in their own strikes. The actual tool developers will then earn a percentage of the ransom paid by each victim. Due to this, it’s generally believed that ransomware will continue to rage in the upcoming year.
Trend 2: Remote working introduces new challenges to business.
COVID-19 has greatly changed how people work. According to a survey done by Gartner, the percentage of employees working remotely has increased from 30% to 48% after the pandemic, and another Gartner report indicates that 74% of the companies consider to let (at least part of) their workforce remain remote permanently.
Such change, however, introduces new challenges to enterprise security. Take VPN (virtual private network) as an example. The U.S. Department of Homeland Security has revealed two critical vulnerabilities related to it: CVE-2018-13379 (affecting Fortinet SSL VPN) and CVE-2019-11510 (affecting Pulse Connect Secure). The former has a CVSS score up to 9.8, and the latter 10 (the highest score on the scale); indicating that both are very serious flaws (P.S., CVSS score ranges from 0 to 10; the higher the worse).
Remote Desktop Protocol (RDP) developed by Microsoft is another common target for computer intrusion. In accordance with a report released by Kaspersky, brute-force attacks targeting RDP has gone up significantly since March, 2020.
In addition, RDP has two major vulnerabilities: BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181; see also CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226). Both have a CVSS score of 9.8.
Other remote-desktop software has flaws as well, where TeamViewer has 8 of them, Netop 4, LogMeIn 4, and VNC 121. It’s worth noticing that no vulnerability has been found in Splashtop so far, which perhaps makes it the best options for remote accessing today.
E-mail is another tool necessary for remote working, and thus the attacks related to it rise correspondingly after the pandemic. As claimed by FBI’s Internet Crime Report, “business e-mail compromise (BEC)” and “phishing scams” are two of the most common complaints in 2020. Together, they are responsible for more than $1.8 billion dollars loss.
It’s worth noticing that not only do cybercriminals utilize fake e-mail domain that mimics the real one, but 98% of malicious e-mails are text-only, so that firewall or other defensive mechanism cannot filter them out. Many has also pointed out that a great number of phishing e-mails are COVID-19-related.
Trend 3: Supply chain attacks are getting frequent.
In a supply chain attack, an attacker infiltrates your system through a third-party supplier instead of attacking you directly. As you can imagine, since a product or service provided by an affected supplier may be used by multiple organizations and individuals, the influence of such kind of attack can be extremely wide.
One of the most serious supply chain attacks disclosed at the end of 2020 was the SolarWinds hack, in which SolarWinds Orion, a platform used by many for managing IT resources, was injected with multiple malware (such as Sunburst and Supernova) that is capable of creating backdoors on the compromised machine.
It has been suggested by CrowdStrike that the attacker successfully intruded in SolidWinds’ private network as early as September 4th, 2019. The malware, Sunburst, was deployed on the company’s system in February 20th, 2020, yet it was found by FireEye until December 13th, 2020.
It’s worth noticing that there was a fairly long time gap between the intrusion of the company’s network and the deployment of the malware. During such time gap, the attacker was familiarizing itself with the developing environment of SolarWinds, which could help them better hide their misconduct.
The strategy said turns out to be highly effective. Eventually, the malware implanted in Orion successfully infiltrated multiple organizations, including US government agencies (e.g., Department of Homeland Security, parts of the Pentagon, Department of Energy, Department of the Treasury etc.), major tech companies (e.g., Microsoft, Cisco, Intel, etc.), cybersecurity firms (e.g., FireEye), and so on.
In general, a well-executed supply chain attack has the following features. First, it’s hard to detect since the attacker will do their best to blend in (e.g., the injected code will be similar to its host in style). And second, the number of victims can be extremely massive. The malicious code may hide quietly inside the update files, source code, libraries or third-party components, and only start running after being deployed on your computer or server.
To prevent this from happening, it may be wise to reduce your dependency on outside partners and open-source tools. In the cases that independence is impossible, be sure to lower your trust in your suppliers, and actively collect intelligence relevant to such attack.
Trend 4: Once isolated OT systems now become targets of cyberattacks.
Eva Chen, the CEO of Trend Micro, claimed at CYBERSEC 2021 conference that more and more ransomware attacks target healthcare and manufacturing industries. According to her, such trend may result from the fact that both industries rely heavily on operational technology (OT).
The OT systems used in healthcare and manufacturing industries are vulnerable due to several reasons. First, they often adopt old operating systems since their software has low update rates and won’t run on the latest OS. Second, even if there is an update, the manager may avoid it because it may cause the system to fail, act differently, or require reboot, which can result in serious damages in healthcare and manufacturing scenarios.
Note that the two points mentioned were trivial in the old days since these systems were often stand-alone, meaning that they weren’t connected with any (public) network and thus immune to any offense from outside. With the use of IoT and cloud technology, however, this is no longer the case.
To deal with such difficulty, one important solution is to embrace the Zero Trust architecture, which will be discussed in the next section.
For manufacturing industry, another hot topic regarding this is an international security standard of Industrial Automation and Control System (IACS) called “IEC 62443”. It is composed of 4 parts, which concern "general concepts (IEC 62443-1)", "policies and procedures (IEC 62443-2; security methods and processes for asset owners)", "system (IEC 62443-3; security requirements for system integrators)" and "components (IEC 62443-4; detailed requirements for IACS products)", respectively. By combining IEC 62443 and ISO 27001 (aka ISO/IEC 27001, another international standard for information technology security), factories can effectively secure their IT (ISO 27001) as well as OT (IEC 62443) systems.
Trend 5: Zero Trust comes to be a basic requirement for networking.
The traditional network security is based on a concept known as the castle-and-moat model, in which accesses from outside is untrusted while accesses from inside are trusted in default.
This model, however, is very vulnerable to insider threats (i.e., damages caused by the people from within an organization). In addition, with the adoption of IoT, cloud technology and remote working style, the “private” network of an enterprise today is forced to open to a wider users and devices, and many of them can be cybercriminals or malicious software.
To deal with such issue, companies are suggested to always give least privilege access to any user, application and device, internal and external alike. Such strategy is referred to as Zero Trust, and its core spirit is summarized in the following sentence: “never trust, always verify”.
According to NIST Special Publication 800-207 (or NIST SP 800-207), an enterprise can implement Zero Trust Architecture (ZTA) through at least 3 approaches:
Enhanced Identity Governance: Focusing on let the right person or device get the right resources through verifying their identities and assigned attributes.
Micro-Segmentation: Individual or small groups of related resources are placed on different network segments respectively, each protected by its own gateway security component.
Network Infrastructure and Software Defined Perimeters (SDP): The point of SDP is to hide the Internet infrastructure (such as severs and routers) by replacing a hardware-defined network perimeter with a software-defined one, so that the infrastructure is invisible to external individuals (including the attackers) and can only be accessed by authorized subjects.
Note that since Zero Trust Model was proposed by John Kindervag (Forrester) in 2010 (see the original whitepaper here), many companies have developed their own zero-trust framework. For example, Google first proposed a zero-trust enterprise security model known as BeyondCorp in 2014 (see the original research paper), and they went on building a service named Identity-Aware Proxy (IAP, announced in Google Cloud Next 2017) based on it.
In addition, Netflix also developed their own zero-trust framework called Location Independent Security Approach(LISA), which was introduced by its senior security engineer, Bryan Zimmer, at Usenix Enigma 2018 conference.
With these developments, it’s expectable that an increase number of organizations should adopt ZTA to safeguard their network security.
Trend 6: Passwordless authentication is preferred over password-based approaches.
According to a survey done by Google in 2019, 75% of the respondents are frustrated with password. 24% of Americans use weak passwords (e.g., “abc123”, “Password”, “123456”, “Admin”, etc.), and 59% of the individuals have incorporated a name or a birthday in their passwords, which makes them susceptible to brute-force attacks. In addition, as mentioned by a PreciseSecurity.com research, weak passwords were responsible for 30% of the ransomware infections in 2019.
All these messages clearly point to one conclusion, that is, password isn’t a very effective way for protecting one’s data! The key problem here is that human memory is not as good as expected. Thus, people tend to use the same easy password in every occasion.
In view of this, more and more organizations are moving towards to non-password authentication, and many of them do so through adopting standards provided by FIDO Alliance, including Universal Authentication Framework (UAF), Universal 2nd Factor (U2F) and FIDO2 mechanism (whose core component is Web Authentication, or WebAuthn, published by World Wide Web Consortium), which allow one to log in with biometric data, physical security keys (often called a token), and so forth.
The advantages of FIDO standards are as follows:
FIDO mechanism can be integrated into your web page or application easily.
It’s very convenient but secure for the clients, which help boost user experience significantly.
FIDO Alliance provides certification for verifying third-party products and services.
The authentication takes place on user’s device, which means that one’s personal data will always be kept local.
With FIDO standards and the advance of biometric technology on mobile devices, many have predicted that the password-free era is just around the corner. Google has embarked on the journey of eliminating password since 2013, and the effort is still in full swing today. Microsoft has also released a whitepaper in 2018 explaining their own strategies towards a passwordless future.
Of course, we should not expect password-based security systems to go away completely in the short run, but it’s certainly a thing that we can look forward to.
Trend 7: Governments are committed to building clean 5G networks.
The digital transformation today relies heavily on the connection of devices (often known as IoT) for data sharing and automatic control. In order for this to happen effectively, one must build a highly efficient network, and 5G (or even 6G) technology is just the thing for the job.
As a matter of fact, considering how much a smart city, in which everything is linked together, should rely on telecommunication, 5G networks have been deemed part of the national infrastructure by multiple countries, and its security an issue of national defense.
We have discussed about 5G security in our previous article. Please click here to read it. In short, the key to a safe 5G network is “security by design”, which means that the security matters should be addressed at the very beginning of construction.
Incidentally, after the outbreak of COVID-19, many countries seem to join the US government in marking Chinese suppliers, such as Huawei, as untrusted vendors. While such phenomenon may result from political factors, one can say for sure that it’s not going away very soon.
Trend 8: Standards of post-quantum cryptography (PQC) are about to be established.
Since Google’s announcement of achieving quantum supremacy in 2019, post-quantum cryptography (PQC) has begun to attract public attention. But as a matter of fact, National Institute of Standards and Technology (NIST) has investigated the topic for years. In 2009, NIST released its first report on PQC (then called quantum resistant cryptography). And in 2016, they launched an international competition, which continues to this day, for choosing the PQC standards.
NIST’s PQC competition has 2 topics (i.e., public-key encryption & digital signature algorithms) and 3 runs. The first run ended in January, 2019, in which 26 out of 69 candidates were picked. The results of the second run were released in July, 2020, and it contained 7 finalists and 8 alternates (as listed below):
The winner algorithms should be announced in 2022, and NIST plans to use them to build PQC standards during 2023 to 2025.
One funny fact is that none of these cryptographic algorithms is completely new. In fact, many of them are fairly old – McEliece has been proposed for more than 40 years, NTRU 25 years, and Rainbow 15 years. In other words, the point of the competition is not about creating novel encryption techniques; it’s about verifying which of the existed, time-proven methods can withstand the power of quantum computing.
To be clear, there are two types of cryptography: symmetric and public-key (or asymmetric) cryptography, and quantum computing affects them differently. For the former, by executing Grover’s algorithm, a quantum computer can halve the security level of an encryption key (e.g., an AES-256 key will become as secure as an AES-128 today). This issue, however, is not that serious since it can be resolved simply by doubling the length of the key.
As for public-key algorithms based on difficult math problems (such as RSA and ECC), Shor’s algorithm allows a quantum computer to crack such codes in polynomial time (i.e., it’s fast). Traditional computers, on the other hand, can’t break the encryption within reasonable time. That is to say, quantum computing has a significantly severer impact on asymmetric cryptography, and that’s why NIST’s PQC competition only focuses on this type of encryption.
Note that although the PQC algorithms aforementioned (e.g., McEliece, NTRU, etc.) show quantum resistance, none of their mechanism is related to quantum mechanics. In other words, they can all be executed on a traditional machine. In contrast, there are other encrypting methods such as quantum key distribution (QKD) that are on the basis of quantum theory, and they are collectively called quantum cryptography (QC).
While QC / QKD can resolve the complications caused by quantum computing as well, they may be less preferred than PQC. According to an article published by the US National Security Agency (NSA) in 2020, QKD have the following five downsides:
QKD is only a partial solution since it does not provide a means to authenticate the QKD transmission source.
QKD requires special purpose equipment.
QKD increases infrastructure costs and insider threat risks.
Securing and validating QKD is a significant challenge.
QKD increases the risk of denial-of-service (DoS) attack.
Due to the reasons listed above, NSA specified in the same article that they view PQC “as a more cost effective and easily maintained solution than quantum key distribution”, and it “does not support the usage of QKD or QC to protect communications in National Security Systems (NSS), and does not anticipate certifying or approving any QKD or QC security products for usage by NSS customers unless these limitations are overcome.”
But how much time left before a public-key security system can actually be compromised by a quantum computer? Dr. Michele Mosca (University of Waterloo) has commented on the issue in April, 2015: “There is a 1 in 7 chance that some fundamental public-key crypto will be broken by quantum by 2026, and a 1 in 2 chance of the same by 2031”. If such prediction is correct, it seems that we are only a few years away from a PQC future.
Conclusions: Cybersecurity is everyone’s business.
While it’s necessary for an organization to build its own security team, it should be emphasized that cybersecurity is actually everyone’s business! Taking phishing scam as an example. According to a survey, a trained worker is 5 times less likely to open a phishing e-mail, and it’s obviously beneficial to an organization.
So, to better protect your valuable resources, it’s important to ensure that not only the employers and employees but also your customers are well-educated on cybersecurity. And to do so, it’s important to:
actively follow the latest intelligence of cyberattacks and the newest defense approaches, and
share your mistakes and knowledge (especially the former) instead of hiding them.
In a world where dangers are coming from everywhere, only through collective efforts can one best protect themselves from potential menaces.
Footnote: Neurozo Innovation provides viewpoints, knowledge and strategies to help you succeed in your quest. If you have any question for us, please feel free to leave a comment below or e-mail us. For more articles like this, please follow our Twitter, Facebook page, or LinkedIn. Thank you very much for your time, and we wish you a wonderful day!