It’s not exactly a secret that 2020 hasn’t been a year to remember fondly – to put it mildly. But as we begin to look ahead, not only to a new year but to what we all hope is an approaching return to normalcy, there are a few key takeaways from that really stand out to me.
#1. One of the biggest impacts of this year, in large part thanks to the changes that the COVID event have forced on all of us, will be that every day, non-cybersecurity folks truly understand how the digital landscape is a part of their everyday lives. My parents now know how to use Zoom, order food on demand, and do anything online. Average businesses, across almost all verticals, are now immediately dependent on remote or virtual options. Sure, we would all love to be at a restaurant right now, but because of the circumstances, many folks have now been exposed to how to live life digitally – and for many it’s going to become a much more permanent shift. Organizations of all kinds will need to learn to adjust to that.
#2. In security testing, what surprised me the most was that the circumstances impelled cybercriminals to create a lot of really novel and inventive attacks. But those attacks have mimicked the form of the technology as we’ve had to move from inside the office to outside. So, we’ve seen attacker innovation around bypassing multi-factor authentication, around exploiting API’s (which is how organizations and applications speak to each other in a rapid manner), and some very cutting-edge attacks around authentication mechanisms for cloud services.
When everything is behind a firewall, inside the offices, the security testing that should take place needs to mimic the attackers. Now, with attackers completely changing their modus operandi, a lot of the changes to cybersecurity will be here to stay. Our lives – as businesspeople and as consumers – are going to become a lot more digitally focused, and that’s going to create permanent changes in security testing as we respond to new threat profiles.
For example, this year the Trustwave SpiderLabs team has worked on a record number of red team exercises, which are really adversary simulations, all around the world. What’s really interesting is that so many organizations have been coming to us asking… what just happened to us as we suddenly moved to a full remote posture? Can an attacker go to our CEO’s administrator’s house and gain access to sensitive data? How much infrastructure was left up in an office building that literally no one is now going to? Red teaming has really been helpful to many organizations in terms of finding and closing those vulnerabilities which can lead to full remote access. We’ve also helped a number of organizations answer some very tough, and very unexpected questions, like how susceptible to ransomware are we? Finally, we’ve tested how the psychological impact, in addition to the change to a remote work force, has expanded organizations' risk for successful phishing attacks.
Another challenge this year for organizations has involved the rapid deployment of application security, from protecting new digital payment systems, communicating virtually for business, and beyond. We’ve conducted a record number of application security tests, which I suspect was due to this rapid shift. As complex as application testing can be, we have still assisted organizations in answering the question: “How can we do the basics better to make sure we’re not struggling on the low-hanging fruit side of things?”
On the Digital Forensics and Incident Response (DFIR) side of the house, we’ve seen that attackers have completely changed their methods because of COVID, where they’ve moved from physical attacks to completely virtual attacks, for example with the Best Buy gift card attacks. On the GoldenSpy finding, our threat hunting teams were showing how they could start to find those needles in the haystacks that can really help keep organizations safe – and I think the intelligent use of automation with great vendor technology to free up your cybersecurity resources has really helped make that possible. These were two great examples of detecting and responding for never-before-seen threats! And to cap it all off, some our criminal underground research has really been groundbreaking.
#3. Many organizations are going to permanently embrace some of the unexpected benefits of this sudden shift to work from home postures. Workers have realized quality of life enhancements, corporate leaders are realizing cost savings from being able to reduce physical footprints, and many of those cost-savings are already being put to use in other areas. That trend will continue and even accelerate. CISO’s should not miss out on this opportunity to divert those cost savings to their security program.
Looking forward to 2021, here’s how I’m advising my clients to prepare:
In 2020, many organizations had to figure out how to enact what amounted to a 3-year digital transformation – in a matter of months. It was very reactive by necessity, and it was open-ended due to no one knowing when the COVID pandemic would end. Organizations have figured out how to survive the initial shock, but the time now is to start preparing for the future. How should your budgets change? How should your networks change?
But most importantly, what so many organizations need to figure out is: where is your data? Is it in the cloud? Is it at someone’s home? Was some of it left relatively undefended in a remote office somewhere that no one has been to in 6 months? Finding all of that data, and protecting it, is probably the most important priority for most organizations as we begin this new year.
Once and Future Threats: What Security Testing Is and Will Be
To protect organizations from cybersecurity compromises, security testing needs to constantly evolve. This e-book defines some of the most common and lesser known security testing techniques and how they can be used to benefit your organization. It presents some of what Trustwave security experts learned about significant threats that organizations will face in the near future and discusses how best to mitigate those risks.