Winston Churchill once said, “I always avoid prophesying beforehand because it is much better to prophesy after the event has already taken place.” Because Mr. Churchill was a brilliant man and I am far less so, I
foolishly cheerfully offer my predictions of what I believe will happen in 2021 in the security and tech spaces:
- There will be at least two significant cyberattacks against critical infrastructure targets in the United States and/or Europe, most likely against electrical power systems. These will be noisy attacks in that they will disrupt large numbers of customers and may last several days. My guess is these attacks will be in the Northeastern United States and in France.
- In the same vein, there will be a greater emphasis on attacks against various types of Operational Technology (OT) infrastructure. The growing number of sensors and other Internet-enabled devices can be used effectively for a variety of purposes, including penetrating networks and disabling infrastructure as part of ransomware and other attacks. The work-from-home model that will continue at nearly its current pace well into 2021 will be a key enabler of these attacks. A cheap baby monitor that lives on the same home Wi-Fi network that is used to access corporate databases and email does not make for good security.
- There will be continued high levels of phishing, but we will see an increased emphasis on business email compromise (BEC) as a proportion of total phishing attacks. In fact, we will see record levels of BEC aimed both at senior executives (e.g., CFOs) and lower level employees in HR and finance departments. a) Good security awareness training, b) skeptical employees, and c) communication backchannels to verify these kinds of requests dramatically reduce the chance of bad actors successfully stealing funds, but not enough companies have sufficient numbers of a, b or c.
- There will be a significant increase in ransomware, but there will be higher ransom demands than we have seen in the past. Recently, there was a $34 million ransomware demand directed at Foxconn Electronics (the highest ransom demand to date that we can tell) and another against Dutch firm Randstad. I expect to see more and much higher ransom demands in 2021 (one ransom demand of $50+ million). At least one of these high-value demands will be directed at a critical infrastructure system.
- China will begin military operations against Taiwan no later than July 2021 (and will receive very little pushback from most world leaders for doing so). Of course, this will create significant political repercussions, but also major disruptions in the world economy and in the technology space (for example, Taiwan is Apple’s number one supplier, and Google is currently building its third data center in the country.) Chinese President Xi said in early 2019 that Taiwan “must and will be” reunited with China. In May 2020, Chinese Premier Li Keqiang dropped China’s long-standing use of the word “peaceful” in discussing China’s reunification with Taiwan. In late 2020, the senior director at a think tank that specializes in China-Taiwan affairs noted, “This is the most dangerous, the most unstable, and the most consequential flashpoint on the planet.” And, in recent months, there have been a number of incursions by Chinese military aircraft into Taiwanese airspace.
I’d like to hear your thoughts on these predictions.
State and local governments, municipalities, city councils, local law enforcement agencies, federal government agencies, and other government entities – collectively the government sector – are under attack from cyber criminals and nation-states. Threats from ransomware, business email compromise, phishing and other security threats are relentless, and 2019 was a banner year for various types of attacks against government.
A few examples:
Successful attacks hit four municipalities in Florida in April and June 2019, more than 20 local government organizations in Texas (August 2019), and two power utilities in India (August 2019). Two-thirds of more than 70 ransomware attacks in the United States during the first half of 2019 had local and state government organizations in the crosshairs. The ransomware attack on the City of Atlanta in March 2018 compromised approximately 150 applications, including mission critical services such as the court system and police. The Atlanta’s Attorney Office lost 71 of its 77 computers and a decade worth of documents in the attack.
The City of Naples, Florida was the victim of a spear-phishing attack in July 2019 that netted $700,000 for the cybercriminal(s); this occurred after Collier County suffered a similar attack in December 2018 that netted $184,000.
- Business Email Compromise
A public school in Portland, Oregon almost lost $3 million to a successful BEC attack, and a county in North Carolina was tricked into paying $2.5 million into the wrong bank account for a contractor working on a local project (some of which it was able to recover through quick action by the bank).
- Data Breaches
Mega-breaches include the US Office of Personnel Management in mid-2015 with 21.5 million sensitive data records breached, and the US Justice Department in 2016 with a data breach exposing contact details for more than 20,000 FBI and Homeland Security employees. A White House audit in 2015 discovered a cumulative 77,000 cyber incidents across government, with theft of data a common occurrence. In late October 2019, hackers breached the City of Johannesburg and claimed they had exfiltrated sensitive financial and personal data. The hackers said they would publish the data if a ransom payment was not made.
We have recently published a white paper focused on cyber security in government that discusses the problems in depth. It discusses a number of important best practices that government decision makers should seriously consider. You can download it here.
Cyber security is an ongoing battle between sophisticated and well-funded bad actors and those who must defend corporate networks against their attacks. The bad news is that the latter are typically not winning. A recent Osterman Research survey found that while most organizations self-report that they are doing “well” or “very well” against ransomware, other types of malware infections, and thwarting account takeovers because of the significant emphasis placed on these threats, they are not doing well against just about every other type of threat. These include protecting data sought by attackers, preventing users from reaching malicious sites after they respond to a phishing message, eliminating business email compromise (BEC) attacks, eliminating phishing attempts before they reach end users, and preventing infections on mobile devices.
This missing component for most organizations is the addition of robust and actionable threat intelligence to their existing security defenses, which can be segmented into four subcategories:
- Strategic (non-technical information about an organization’s threat landscape)
- Tactical (details of threat actors’ tactics, techniques and procedures)
- Operational (actionable information about specific, incoming attacks)
- Technical (technical threat indicators, e.g., malware hashes)
The use of good threat intelligence can enable security analysts, threat researchers and others to gain the upper hand in dealing with cyber criminals by giving them the information they need to better understand current and past attacks, and it can give them the tools they need to predict and thwart future attacks. Moreover, good threat intelligence can bolster existing security defenses like SIEMs and firewalls and make them more effective against attacks. Threat intelligence plays a key role in proactive defense to ensure that all security programs are relevant to the fast-evolving threat landscape. This is particularly valuable in security awareness training to ensure users are familiar with known threats.
Existing security defenses provide some measure of protection against increasingly sophisticated threats, but the enormous number of data breaches and related problems experienced by many organizations reveals that current security practices are not adequate. Good threat intelligence capabilities can provide a great deal of information about the domains and IP addresses that are attempting to gain access to a network. It can enable threat researchers to better understand the source of current and past attacks and better deal with future attacks.
We have just published a white paper on threat intelligence that you can download here.
Phishing, which can be considered the delivery mechanism for various types of malware and cybercrime attempts; and ransomware, which is a specialized form of malware that is designed for the sole purpose of extorting money from victims, are critical problems that every organization must address and through a variety of means: user education, security solutions, vulnerability analysis, threat intelligence, good backup processes, and even common sense. The good news is that there is much that organizations can do to protect themselves, their data, their employees and their customers.
Phishing, particularly highly targeted forms of phishing like spearphishing and CEO Fraud/Business Email Compromise (BEC), as well as ransomware, are the logical evolution of cybercrime. Because there have been so many data breaches over the past few years that have resulted in the theft of hundreds of millions of records, there is a glut of this information on the market. The result, as there would be in any other business driven by the economics of supply and demand, is that prices for stolen records are dropping precipitously: a leading security firm estimates that the price of a stolen payment-card record has decreased from $25 in 2011 to just $6 in 2016.
Consequently, cybercriminals are turning increasingly to more direct means of theft. For example, ransomware will extort money directly from victims without requiring stolen data to be sold on the open market where it is subject to economic forces that can reduce its value. CEO Fraud/BEC can net hundreds of thousands or millions of dollars in a short period of time by getting victims to wire funds directly.
We are in the process of writing a white paper on phishing and ransomware, and will be publishing the results of an in-depth survey on these problems. Let us know if you have any questions or would like copy of the white paper when it is published next week.