Tim Steinkopf, president, Centrify
The coming year will be rife with new laws related to cybersecurity and data privacy. For example, large-scale IoT hacks affect countless devices. IoT devices range from home security cameras to massive machine-to-machine industrial networks and represent a massive broadening of the potential threatscape. Statista predicts there will be more than 30 billion connected devices by 2020. However, cybercriminals are becoming increasingly bold and creative in their methods when it comes to infiltrating these devices. In 2018, California became the first state to pass an IoT security bill, which requires any manufacturer of a device that connects “directly or indirectly” to the Internet to outfit it with “reasonable” security features. Going forward, we predict this bill, which goes into effect in 2020, will spur similar IoT regulations in other states and even in other countries. We also predict that GDPR is just the beginning in the fight to protect data, and more data privacy laws will follow suit.
Malwarebytes Labs Team
IoT Botnets—will come to a device near you. In the second half of 2018, we saw several thousand MikroTik routers hacked to serve up coin miners. This is only the beginning of what we will likely see in the new year, with more and more hardware devices being compromised to serve up everything from coin miners to malware. Large-scale compromises of routers and IoT devices are going to take place and they are a lot harder to patch than computers. Even just patching does not fix the problem if the device is infected.
Olli Jarva, managing consultant, Synopsys
IoT attacks will remain an issue in the year to come. In APAC, many countries are moving forward with Smart City and Smart Nation initiatives. This opens up opportunities for a new wave of IoT cyber-attacks. Attacks could be approached from a data poisoning perspective in which faulty information is intended to influence organizational decision making through the sensors deployed within the target city or nationwide. We’ll also see the same old issues persist: hardcoded credentials and unpatched components, not very well designed OTA updates, and continuous update policies.
Sharon Reynolds, CISO, Omnitracs
IoT security will become center stage in 2019: As smart cities, vehicle to vehicle, autonomous driving, and electrification of vehicles technologies continue to develop, so will the risks. Consumers, municipalities and government officials currently have a new awareness of the risks to privacy, data and security. Our growing connectivity of IoT devices is increasingly intersecting with safety systems and has moved the risks from digital to physical. Although researchers and security professionals have been talking about these physical risks for many years, in 2019, these conversations will increase in intensity. Consumers will demand security and privacy as physical risks increase.
Deral Heiland, IoT research lead, Rapid7
With the ever-growing influx of new IoT products, many of them including IoT-enabling products such as stoves, cookers and microwaves, I expect we will see an increase in physical injuries directly related to the IoT enablement of devices. These devices, on their own, carry a risk of physical injury, but with remote and voice-enabled functions they become potentially more dangerous.
BeyondTrust’s Morey Haber, CTO, and Brian Chappell, sr. director, Enterprise & Solutions Architecture
IoT devices become major targets – The major devices targeted will be IoT and will range anywhere from consumer-based routers to home-based nanny cams. Expect the supply chain for many vendors, including those that produce personal digital assistants, to be a new target for threat actors who infiltrate environments and insecure DevOps processes.
Paul Trulove, Chief Product Officer, SailPoint
In 2019, we’ll see the first big software bot-related data breach. Organizations are already looking to bots to carry out workplace tasks like booking employee travel and chatting with customers. With the efficiency and automation these technologies offer, we’ll see organizations using bots to access even more critical data in the coming year. One of the areas where bots will be used more and more is data extraction and reporting, where bots will take over a human’s task of logging into Salesforce or SAP to generate a report, often containing sensitive data, and email it off to the requester. These bots, which are often left unprotected, can be easily compromised by hackers when they’re not governed or managed in the same way as their human counterparts. Once a hacker is able to infiltrate an organization through spoofing a bot identity, they’ll have unchecked access to critical systems and data, giving them the ability to do untold damage. And because these bots are largely unmonitored, who knows how long an attack like this will last without detection and remediation?
Chris Morales, head of security analytics, Vectra