With 2020 finally in the books, it’s time to look forward and discuss our cybersecurity predictions that will most affect the industry in 2021. I thought long and hard about what I could say that would be impactful and hasn’t been said before. Obviously, COVID-19 and it’s security ramifications will continue to stay with us for 2021 and well beyond. What we previously predicted and planned for in 2020 was flipped on its head, turned around and flipped over again several times. Even the best laid plans had to be adapted this past year. Looking back, a lot of what we predicted back at the beginning of 2020 was never properly addressed and remains a risk today. For example, credential theft and attacks targeting privileged user logins continue to dominate in the headlines, though the targets of the attacks broadened to include coronavirus vaccine research.
Back in November of 2019, I said the best way to combat these attacks is to use multi-factor authentication (MFA). Use it for everything. There is no simpler way to say it – but this is still not being done. Until we demand and implement multi-factor authentication for access, making it the standard, risk will continue to increase in 2021. I cover this past advice and other cybersecurity predictions for 2021 in the list below.
Multi-Factor Authentication Goes Mainstream
Experts have been preaching for years about the benefits of multi factor authentication. Yet I’m still shocked by the lack of adoption throughout the industry. It’s one of the biggest bangs for your buck in terms of cyber protection, yet the excuses for why it’s not implemented, never end.
According to Microsoft, 81% of data breaches occur because of weak, default or stolen credentials and 99% of these attacks can be blocked by implementing MFA.
MFA is an authentication method where a user is granted access only after successfully presenting two or more of the following pieces of information:
- Something you know (password)
- Something you have (security token)
- Something you are (biometrics)
All it takes is one compromised account to one legacy application to cause a catastrophic breach and catapult a company negatively into the headlines. With the unfortunate increase in COVID-19 phishing scams targeting remote workers isolated from their day-to-day environments, there is no better time to implement multi-factor authentication across your critical applications, servers and services. If we continue to delay, that time will pass and there will be no excuses left, only breaches that could have been prevented.
CyberSecurity will be More Automated
We’ve all heard about machine learning (ML) and artificial intelligence as a way to bridge the skills gap in cybersecurity. Until recently, ML and AI weren’t much more than a technology solution you purchase but do not really use. We have not begun to scratch the surface of the capabilities of ML and AI to combat security threats. There is a lot of skepticism about its efficacy that has existed for years, but in 2021 we will have no choice. The amount of data being generated is increasing exponentially and the only way to keep up and identify threats is to allow machines to churn through data and trust they will detect the right concerns – then take appropriate action to combat the threat. We are going to see a lot of research, funding and effort invested in these methods.
We need to get comfortable with the technology so it can be adopted on a larger scale and evolve. We have no choice. It’s the only way to monitor security going forward. It’s going to augment overworked and understaffed security teams and give us a fighting chance against a dynamic and very evasive adversary.
IoT Devices will be a Threat to The Remote Workforce (and Everyone Else)
The proliferation of Internet of Things (IoT) devices, an expanding remote workforce due to the pandemic and the need for automation has put “smart devices” into the spotlight. We’ve all heard the stories of attacks on IoT devices. Remote attackers viewing baby monitors and home security cameras. Estranged couples trying to annoy each other by remotely adjusting the thermostat. Even instances where a smart switch was hacked and all the attacker did was turn the switch on and off rapidly where it generated a spark and started a house fire. These are extreme examples but IoT security is a real problem.
The functionality and simplicity of IoT devices is great. I can wake up and tell my smart speaker to open my window shades, brew my coffee and start my shower without getting out of bed. These conveniences come at a steep price. The tradeoff is often security and personal data. For an IoT device to be quick to market, affordable, easy to setup and useful– usually important, non valuable functions like security are cast aside. Off the shelf IoT devices usually have hardcoded default passwords. These passwords can be located by a simple Google search. Manufacturers often post their device passwords online to aid in the setup of their device. Some of these devices have passwords like admin/admin. Multiple devices from the same provider or chip maker may all share the same password. Some devices have hard coded passwords that cannot be changed. I’ve even seen devices with no passwords. Securing these devices needs to start at the source.
This vulnerability, connected to the internet via the same WiFi we’re all using to do remote school, play video games and work from home during a pandemic creates a big threat to the remote workforce. These insecure devices provided an easy entry point into home networks and given time will allow attackers to move laterally into corporate networks. I don’t see this risk going away. In fact, as the remote workforce gets more comfortable working from home and the market continues to be flooded with smart devices and automation, this problem will get much worse.
Unfortunately, unless required by compliance or by government legislation, I predict that we will see very little from the business community in this regard. That is not to say there aren’t software vendors and IoT manufacturers who want to do the right thing, but unfortunately without external pressure, most won’t.
On September 28, 2018, California Governor Jerry Brown signed SB-327 making California the first state to expressly regulate the security of connective devices, commonly known as IoT devices. The new law took effect on January 1, 2020. The law aims to protect the security of both IoT devices and any information contained on them. This puts the onus on device manufacturers and software vendors to ensure that they comply with the legislation or face steep consequences. This law and others like it are much needed because of the integration of IoT devices into our daily lives and the proliferation of insecure devices. We will see more and more legislation similar to SB-327 in the future.
What can you do? Install updates. Check your device app and install any available updates. Change default passwords. Most smart devices ship with an embedded default username and password to allow for quick configuration. Change these right away. Use multi-factor authentication. A second factor adds complexity to the authentication process and provides immense value in terms of addressing the risk. We’ve heard for years that multi-factor authentication should be turned on for everything, yet it’s rarely implemented. Turn it on for everything now, including your NEST thermostat, your iCloud account, your email. Turn it on everywhere possible.
Attacks on the Healthcare Industry will Increase
The 4 trillion dollar a year Healthcare Industry has always been a target. Now Healthcare data is worth more than credit card numbers. Because of the COVID-19 pandemic, this industry has not only seen a sharp uptick in the amount of large, widely publicized data breaches, but also in the value of the data stolen.
The average price of a single stolen credit card has dropped from $35 to under $1 because of flooded supply, causing thieves to look for other more profitable products. The Healthcare Industry, with its aging infrastructure, slow adoption of security and need to complete its move to electronic medical records, has turned out to be a treasure trove of valuable data for cyber criminals. The impact of medical data breaches now rival that of the largest retail breaches. Today’s cyber-attacks make payment data leaks look like petty theft. Our transition to this new era has been sudden; our medical records, social security information and personal data are all at risk. Because medical records are worth ten times more than credit cards, they have become a high value target. With so many players in the Healthcare Industry as well as government agencies being compromised, it is difficult to trust anybody with your information.
With the vaccine rollout finally starting, but not very smoothly, I predict that ransomware attacks will also increase. Criminals love panic and chaos and they’ll use every opportunity to exploit the situation. What better opportunity than a pandemic? Criminals love that. The bad guys are preying on security ignorance as much as they are exploiting the lack of controls and people’s desire to get a notification that they can get the vaccine. We’re going to see more ransomware attacks on the healthcare system that will delay and disrupt the pandemic response. Why would they do this? Because they can. Following best practices and good security hygiene will provide much needed relief, but it’s not so easy for an industry already playing security catchup pre-pandemic and now visibly stretched beyond its breaking point.
Passwords will Change Your Business Strategy
One of the most critical security risks to any organization are passwords, especially default passwords and passwords to privileged accounts, which have elevated access to perform administrative functions. These can be administrator accounts, service accounts, database connection accounts, application accounts and others. Most of these accounts were set up ages ago when an application or system was initially deployed. They have multiple integration points and because of the risk of “breaking something,” the passwords for these accounts are rarely rotated, likely shared and often improperly stored.
Privileged account abuse is the most common way for hackers to compromise a system. Proper credential storage and accountability is paramount to risk mitigation. Relying on manual methods is resource-intensive, error-prone and leaves gaps.
According to a Varonis report, nearly 40% of all users sampled have passwords that have never been rotated! These passwords have a higher likelihood of showing up in online password dumps and being used to infiltrate networks. Simply put – they’re a cyber criminal’s best friend. This is how hackers walk in right through the front door. Not because they’re clever, rather because we make it too easy for them.
The recent SolarWinds incident showed us what types of multifaceted attacks are being used. It’s not a matter of if they’re going to get into your network. They’re going to get in. In the SolarWinds attack, once the attackers gained access to the network with compromised credentials, they moved laterally by capturing and using multiple, different, insecure credentials. Our efforts should focus on shoring up internal systems to limit their ability to move laterally using insecure credentials and passwords once they’re in. Proper password management and multi-factor authentication would have prevented this from happening.
This is counterintuitive to traditional methods of security where locking the front door was once considered to be good enough. But time after time we’ve seen that is no longer sustainable. Defense in depth is required. We need to treat locking up all of the valuable systems and information inside of our network just as important as being just as important as hardening our perimeter.
In Summary
Even though we’ve already seen too many breaches lately targeting privileged accounts, we will see these types of attacks continue in 2021. Passwords are archaic. One true way to combat this risk is introducing a second factor for authentication. A second factor adds a layer of complexity to the authentication process but provides immense value in terms of addressing the risk. We’ve heard for years that multi-factor authentication should be turned on for everything, yet it’s rarely implemented. Until we shift our mindset and sacrifice a little bit of convenience for a massive amount of security – these types of massive, high profile attacks will only continue to increase in 2021.
Steve Tcherchian, CISSP, PCI-ISA, PCIP is the Chief Product Officer and Chief Information Security Officer for XYPRO Technology. Steve is on Forbes Technology Council, the NonStop Under 40 executive board, and part of the ANSI X9 Security Standards Committee.
With over 20 years in the cybersecurity field, Steve is responsible for the strategy and innovation of XYPRO’s security product line as well as overseeing XYPRO’s risk, compliance, and security to ensure the best experience for customers in the Mission-Critical computing marketplace.
Steve is an engaging and dynamic speaker who regularly presents on cybersecurity topics at conferences around the world.