Simpson, CISO, Armis
Voice Deepfakes will become the new phishing bait: C-level executives, politicians and other high-profile individuals are already high-risk targets for standard email phishing attacks given their level of access and financial decision making within their organization. With advancements in the deepfake voice technology, I expect a rise of voice phishing schemes in 2020 in which employees are tricked into sending money to scammers or revealing sensitive information after getting voice messages and calls that sound like they are from the CFO or other executives. We’ve already seen one fraudulent bank transfer convert to $243,000 for criminals. Given how hard it is to identify these deepfakes compared to standard phishing attacks, I expect these operations will become the norm in the new year.
Kirner, CTO & founder, Illumio
We’ll start to hear more about the convergence of physical infiltration with cyberattacks, challenging security across the board. Cyberattacks on an enterprise or a government can be carried out remotely but, in 2019, we started hearing more about the physical element added to the mix. It doesn’t take sophisticated software or intelligence operations to execute these attacks – a well-planned, staged scenario is all it takes. For instance, someone could pose as an electrician to gain physical access to a hospital being built, walking around unimpeded until they find an unprotected device to access the network. I believe we’ll see more of these high-profile, hybrid cyber-physical attacks in 2020.
Matt Ulery, chief product officer, SecureAuth
Get ready for SMS attacks to go mainstream. We adopted two-factor authentication with little hesitation: get a text on your phone with the one-time authentication code, enter it in after entering your password and gain access to your account. Most consumers haven’t had an issue with an extra step for a little peace of mind. The problem is that second-factor methods can now be easily defeated by your average hacker.
SMS overrides have become a common and intensifying threat over the past year, and they’ll only become more prominent in 2020. This type of attack will come in three main forms: SIM swap, IMSI factors and SS7 hacks.
From intercepting SMS messages and voice calls to eavesdropping and location tracking, these types of attacks highlight the weakness of relying on two-factor authentication to protect our identities. Businesses and organizations — especially those handling and storing customer data — have an obligation to look towards more advanced, adaptive approaches to securely verify their users by utilizing verification factors like location, time of day, behavior and IP addresses. It’s no longer safe to assume a six-digit code sent to your phone will protect your identity.
Morrison, CEO, CoreView
Office 365-specific security issues will finally get the attention they deserve: Office 365 is a major target for IP theft, data leakage, credential cracking, and O365-specific attacks because that’s where a big bulk of sensitive, enterprise data is. Yet, O365 security issues often don’t get the attention they deserve. In 2020 and beyond, IT should expect new O365 phishing and malware attacks, as well as modified versions of KnockKnock and ShurtL0ckr, two attacks that focus on Office 365 that have been active since May 2017—and are still running.
Mark Sangster, vice president and industry security strategist, eSentire
Company microtargeting with industry-specific tools will rise. Throughout 2019, eSentire has observed numerous instances of mid-sized organizations being targeted using tools specific to their industry, and this approach will continue into 2020. Phishing emails related to common industry tools or masquerading as trusted sources will be a common attack vector for stealing credentials and sensitive information. For example, phishing lures unique to the legal industry will use avenues, including cloud services, from vendors such as Adobe, to access stores of sensitive information and credit vendors, like American Express, to gain short-term access to personal and/or company credit accounts. Access to personal or organization emails can lead to the theft of sensitive information. It can also aid attackers in crafting more familiar and friendly-looking lures for spear (targeted) phishing. As this trend towards microtargeting continues, organizations need to ensure they have technical controls in place to detect these threats and also ensure they have a robust security education program in place for their employees.
DRaaS is Now Mainstream
Disaster Recovery-as-a-Service (DRaaS) is now mainstream, with large organizations adopting DRaaS at the highest rates. However, expect in 2020 to see the adoption of DRaaS by small and mid-sized organizations drastically increase as organizations discover that not all DRaaS services require their IT departments to become experts in hyper-scale clouds. As a result, SMBs will outsource DRaaS to experts at a fixed price and with little requirement for their time or technical overview.
Lemos, VP of research and intelligence, BlackBerry Cylance
State and state-sponsored cyber groups are the new proxy for international relations. Cyber espionage has been going on since the introduction of the internet, with Russia, China, Iran and North Korea seen as major players. In 2020, we will see a new set of countries using the same tactics, techniques, and procedures (TTPs) as these superpowers against rivals both inside and outside national borders. Mobile cyber espionage will also become a more common threat vector as mobile users are a significant attack vector for organizations that allow employees to use personal devices on company networks. We will see threat actors perform cross-platform campaigns that leverage both mobile and traditional desktop malware. Recent research discovered nation-state based mobile cyber espionage activity across the Big 4, as well as in Vietnam, and there’s likely going to be more attacks coming in the future. This will create more complexity for governments and enterprises as they try to attribute these attacks, with more actors and more endpoints in play at larger scale.
Banga, CEO and founder, Balbix
The accepted definition of a vulnerability will broaden. Typically associated with flaws in software that must be patched, infosec leaders will redefine the term to anything that is open to attack or damage. The impact will be systematic processes, similar to those commonly applied to patching, extended to weak or shared passwords, phishing and social engineering, risk of physical theft, third party vendor risk, and more.
Howard, VP of federal, Nutanix
In 2020, we expect to see federal agencies increasingly differentiate their IT consumption models. For example, I expect to see a movement of IT infrastructure to managed service offerings in hosted data centers in order to take advantage of the solutions that MSPs provide. In doing so, they will also be taking some of the work off of their plate. This will not only allow agencies to access better connectivity, but it will also address some of the same benefits that agencies look for when moving to the public cloud, like agility and the ability to move away from managing physical infrastructure, but with added security controls.
Summers, VP and CTO, Akamai
The digital advertising ecosystem will be the next top target as a new class of attacks emerges: As consumer experience becomes more important -- and elaborate -- advertisers harvesting troves of customer data will find themselves susceptible to a new wave of attacks from cybercriminals. Hoping to capitalize on the data possessed by agencies, adversaries will increasingly go after the ad delivery process, compromising the countless amount of customer data stored. In the coming year, we can expect digital advertisers to amp up security efforts to combat this, yet we can also expect to see more consumers opting out of experiences that require data collection.
Beuchelt, CISO, LogMeIn
The use of and evolution of biometrics. Decentralized, device-managed biometrics will continue to rise as a convenient way to authenticate users. Biometric data stored locally on the user device is best for security and eliminates the privacy risk. These biometrics are good because they make life easier for people to authenticate with devices in their possession and don’t pose a further security risk because that info isn’t online and never leaves the system.
Centralized biometric databases will continue to be promoted (and in some cases forced) by governments, but we’ll continue to see pushback from civil society.
Centralized systems, i.e. having one giant database, are not good biometrics because a lot of sensitive personal information is in one location and invites abuse. People are understanding this and some citizens in Europe and the U.S. are pushing back against centralized databases.
In terms of voluntary centralized databases, there is going to be some form of material abuse of the type of info people are sharing so freely (i.e. if 23andMe is hacked), creating a privacy nightmare. That nightmare is just waiting to happen, whether through a hack, breach or government subpoena.