Two items for home users and consumers:
We will see more discovered vulnerabilities in, and attacks against, so-called “smart home” products, such as smart speakers, security systems, and cameras. Any time we see widespread deployment of technology that is, relatively speaking, in the early stages of maturity, we expect that attackers will pay attention and work to discover ways to circumvent security functions of these devices. In the last few months we’ve seen lasers used to surreptitiously command smart speakers, attackers remotely compromise smart home devices, and the inadvertent disclosure of PII from smart camera owners by the camera’s vendor. Expect attackers to look for, find, and exploit ways to control, obtain sensitive data from, and disrupt these devices.
What you can do today:
Make sure you’ve hardened your smart home devices. Change factory passwords after you install them, restrict the activities they can perform without identity validation, and regularly review the “connected apps” they use.
Because of the 2020 presidential election, we expect that social influence operations will substantially escalate from foreign states that have an interest in our country’s politics. This will include social media “news” posts, activity programmatically generated by computer-controlled (or “bot”) accounts, and an uptick in spam e-mail and robocalls to your phone. There’s also the possibility that attackers will target our voting machines. Stanford University’s Cyber Policy Center published an excellent paper on the risks and some countermeasures and controls to ensure our elections are conducted with integrity and security.
What you can do today:
Be cautious with blindly trusting any material you read from your browser or smartphone. Make sure you’re getting your news from vetted sources that are known to publish content of substance based on careful investigation and thorough research. Contact your state and local boards of elections and tell them you expect the voting process to be secure, transparent, and free from any interference, and ask what is being done to ensure this happens.
Three items for enterprises:
Ransomware incidents will continue to shift from opportunistic to targeted attacks. Opportunistic attacks—those that aren’t focused on a specific individual or organization, but instead sent broadly to the public Internet—are certainly still going to happen, but we are seeing more and more ransomware incidents that are deliberate in nature, with a focused effort on a specific organization (say, the City of Baltimore or New Orleans). Attackers will build phishing and social engineering campaigns designed to exploit human weaknesses, as well as find exposed infrastructure with technical weaknesses and misconfiguration that will allow them a presence on the network. They will use this presence to install ransomware on key systems, attempting to impact the organization’s operations sufficiently to encourage payment.
We also expect to see “business e-mail compromise” attacks continue, as attackers conduct similar focused campaigns to obtain access to trusted e-mail accounts, and use that access to trick employees into providing cash, gift cards, funds transfers, or financial information. It is by far the most common successful “cyber” attack we see in our customer environments, one that’s trivial for an attacker to perform with commoditized tools and methodologies, and susceptible users at nearly every business.
What you can do today:
Begin a comprehensive security awareness training effort, intended to teach users to spot and report these attacks. Inform every employee that their managers and leadership aren’t going to ask them to take pictures of gift cards and text them back, so those requests can be safely ignored! Review your security controls posture to ensure you have sufficient defense against these threats.
Attackers will focus research efforts on credential theft, bypass of so-called “next generation” endpoint protection solutions, and defeating multi-factor authentication. We can expect to see new standalone tools, shared code, and malware kits that leverage these advances.
What you can do today:
Ensure your risk management efforts include staying current with modern threats, including those that compromise the effectiveness of the controls you’ve deployed. Continue to monitor the threat landscape, the output from vendors that provide these solutions, and at least annually review your control set to ensure it aligns with the risks you’ve identified.
The California Consumer Privacy Act went into effect on January 1. That means if you serve customers in California and (a) make $25M in revenue, (b) possess personal data for more than 50,000 individuals, or (c) sell personal data and make more than 50% of your revenue from that effort, you are subject to the law. You’re required to tell customers what data you’re collecting about them, provide this data to them when requested, and delete it when requested. The EU’s General Data Protection Regulation (GDPR) made this practice more common in 2018, but we anticipate a greater number of businesses will be looking to add it in 2020.
What you can do today:
Read the CCPA to see if you’re subject to the law, and if so, get ready to field requests from customers or face penalties.
Related Articles:
IT Security: ways to win the cyberwar
How to build a cyber risk program
Ransomware Attacks: Protecting your Business from Becoming a Statistic