Tim Steinkopf, president, Centrify
The coming year will be rife with new laws related to cybersecurity and data privacy. For example, large-scale IoT hacks affect countless devices. IoT devices range from home security cameras to massive machine-to-machine industrial networks and represent a massive broadening of the potential threatscape. Statista predicts there will be more than 30 billion connected devices by 2020. However, cybercriminals are becoming increasingly bolder and creative in their methods when it comes to infiltrating these devices. In 2018, California became the first state to pass an IoT security bill, which requires any manufacturer of a device that connects “directly or indirectly” to the Internet to outfit it with “reasonable” security features. Going forward, we predict this bill, which goes into effect in 2020, will spur similar IoT regulations in other states and even in other countries. We also predict that GDPR is just the beginning in the fight to protect data, and more data privacy laws will follow suit.
Malwarebytes Labs Team
IoT Botnets—will come to a device near you. In the second half of 2018, we saw several thousand MikroTik routers hacked to serve up coin miners. This is only the beginning of what we will likely see in the new year, with more and more hardware devices being compromised to serve up everything from coin miners to malware. Large-scale compromises of routers and IoT devices are going to take place and they are a lot harder to patch than computers. Even just patching does not fix the problem if the device is infected.
Olli Jarva, managing consultant, Synopsys
IoT attacks will remain an issue in the year to come. In APAC, many countries are moving forward with Smart City and Smart Nation initiatives. This opens the opportunities for a new wave of IoT cyber-attacks. Attacks could be approached from a data poisoning perspective in which faulty information is intended to influence organizational decision making through the sensors deployed within the target city or nationwide. We’ll also see the same old issues persist: hardcoded credentials and unpatched components, not very well designed OTA updates, and continuous update policies.
Sharon Reynolds, CISO, Omnitracs
IoT security will become center stage in 2019: As smart cities, vehicle to vehicle, autonomous driving, and electrification of vehicles technologies continue to develop, so will the risks. Consumers, municipalities and government officials currently have a new awareness of the risks to privacy, data and security. Our growing connectivity of IoT devices are increasingly intersecting with safety systems and has moved the risks from digital to physical. Although researchers and security professionals have been talking about these physical risks for many years, in 2019, these conversations will increase in intensity. Consumers will demand security and privacy as risks physical risks increase.
Deral Heiland, IoT research lead, Rapid7:
With the ever-growing influx of new IoT products with many of them including IoT enabling products such as stoves, cookers, microwaves, I expect we will see an increase in physical injuries directly related to the IoT enablement of devices. These devices, on their own, have a risk to physical injuries, but with remote, and voice-enabled function they become potentially more dangerous.
BeyondTrust’s Morey Haber, CTO, and Brian Chappell, sr. director, Enterprise & Solutions Architecture
IoT devices become major targets – The major devices targeted will be IoT and will range anywhere from consumer-based routers to home-based nanny cams. Expect the supply chain for many vendors, including those that produce personal digital assistances, to be a new target from threat actors who infiltrate environments and insecure DevOps processes.
Paul Trulove, Chief Product Officer, SailPoint
In 2019, we’ll see the first big software bot-related data breach. Organizations are already looking to bots to carry out workplace tasks like booking employee travel and chatting with customers. With the efficiency and automation these technologies offer, we’ll see organizations using bots to access even more critical data in the coming year. One of the areas that bots will be used more and more is in data extraction and reporting, where bots will take over a human’s task of logging into Salesforce or SAP to generate a report, often containing sensitive data, and email it off to the requester. These bots, which are often left unprotected, can be easily compromised by hackers when they’re not governed or managed in the same way as their human counterparts. Once a hacker is able to infiltrate an organization through spoofing a bot identity, they’ll have unchecked access to critical systems and data, giving them the ability to do untold damage. And because these bots are largely unmonitored, who knows how long an attack like this will last without detection and remediation?
Chris Morales, head of security analytics, Vectra
The belief that endpoint security is good enough to stop attacks will fade with increased attacks through the Industrial IoT, cloud and BYOD attack surfaces. Organizations will increase their use of network and cloud metadata for AI-based threat detection and threat hunting. Additionally, nation-state actors will hone their cybercraft and increase investment in advanced AI-based defenses as geopolitical tensions rise. With the increased risk of cyber warfare, new policy adoption and cyberwarfare rules will likely be debated and passed by law makers.
Bret Settle, co-founder and CEO, ThreatX
The threat attack surface will continue to expand as the portals to configure and control the plethora of connected devices are exposed. Hackers will increasingly be less interested in the device itself and more in what can be obtained and/or accomplished by infiltrating the control portal. One industry that showcases this vulnerability is the automotive sector—as more cities allow self-driving cars, ThreatX predicts there will be a major accident as a result of a hacker taking over the controls.
Joe Lea, VP of Product at Armis
IoT Attacks Will Evolve in Sophistication. Since the Mirai botnet in 2016, we’ve witnessed a rapid evolution of IoT attacks. Within the past year alone, IoT devices have been harnessed maliciously for cryptomining, ransomware and mobile malware attacks. In 2019, IoT threats will become increasingly sophisticated, shifting from botnets and stray ransomware infections to APTs for surveillance, data exfiltration and direct manipulation of physical world to disrupt operations. Also, smart cities will suffer IoT-based attacks and that CIOs will bring their spending firepower to IoT security in 2019.