FEATURE
Morey Haber, CTO and CISO at BeyondTrust
BeyondTrust, have delivered the following
predictions for 2020 and beyond.
• Malware auto-updates increase
– Since many applications auto-
update, cybercriminals now target
cloud-based update mechanisms
using a variety of techniques. Most
users trust their applications to
auto-update and may be unaware
of the threats made possible by a
compromised cloud connection.
Although old-school software
piracy is on the decline due to the
cloud, cybercriminals’ creativity will
continue to zero in on auto-updates
to infect users. Expect high-profile
applications and operating systems
to be targeted by these advanced
threats in 2020.
• Reruns of old CVEs – January 2020
brings the end of life for Windows Server
2008 and Windows 7. With an estimated
millions of devices still running
these operating systems, a myriad of
vulnerabilities will continue to exist
until they are patched, or the operating
systems are replaced. Since replacing
end-of-life operating systems can be
costly and potentially difficult, 2020 will
see them targeted by cybercriminals at
an accelerated rate. New vulnerabilities
disclosed for end-of-life devices will
also arise, posing unmanageable risk
to many organisations.
• Identities become the latest
attack vector – Privileged attack
vectors have been on the rise in
recent years, where threat actors
compromise accounts, then engage
in lateral movement to compromise
additional assets and accounts
with stolen credentials. 2020 will
bring more of this, but as threat
actors refine their strategies and
impersonate users using DeepFake
technology, it will be hard to
determine if an identity is real or not.
Thus, beyond the usual hijacking of
email and SMS messages, we will
see fake phone calls with spoofed
accents, social media hijacking,
and even biometric hacking using
compromised data and malicious
Artificial Intelligence to impersonate
an identity.
www.intelligentciso.com | Issue 20
Looking forward through to 2025
• End user passwords phase
out – Operating systems and
applications will continue to push
to end dependency on passwords.
Authentication patterns such as
biometrics and keyboard pattern
recognition have proven reliable
enough to make passwords obsolete.
These techniques will become
mainstream over the next five years,
gain corporate acceptance and
remove the need for password
usage from day-to-day computing.
However, credentials and passwords
for privileged accounts and legacy
systems will remain in use for the
next 10 years at least.
• Next-gen processors gain footing
– Microprocessors based on x86
and x64 technology, though ageing,
will remain for the next 20 years. But
ARM-based computers and tablets
are on the rise, including rumours of a
next-generation MacOS and Windows
running on ARM. These processors
will bring changes in security, power
and performance. The shift from
legacy CPU architectures to ARM will
become mainstream in the next five
years and require new security tools
to protect them.
• Facial recognition transactions
increase – Facial recognition
technology, though relatively
immature, shows great promise.
From a vending machine
authorising transactions based
on facial recognition, to airlines
experimenting with facial recognition
to authorise boarding passes,
the technology will mature over
the next five years and become
widely available. Facial recognition
will step in for the password-less
authentication practices mentioned
above and will present its own risks
and data privacy concerns that will
need to be addressed.
• Cloud offerings triple – The next five
years will continue to bring massive
growth in cloud-based architecture
as the market demands more in
availability, scalability and security.
As this happens, cloud-based threat
vectors will increase and the need
for security within cloud offerings will
become more critical. If the Capital
One or Equifax breaches don’t
propel the security posture of other
organisations, similar breaches will
continue. Demand will rise for the
securing of the cloud, cloud-based
assets, identities and keys from now
until 2025.
“The more CISOs and other IT staff
understand the security implications of
evolving technologies, the better prepared
they are to make the right investments for
their business,” said Morey Haber, CTO
and CISO at BeyondTrust.
“It’s the difference between being
proactive versus reactive and having
a security approach that enables
new technologies and business
opportunities, versus one that clamps
down on them.”