The End (of 2018) Is Near: Looking Back for Optimism
Prognostication is risky business. Just days after I originally put together my list of 2019 predictions for the cybersecurity world of 2019, Marriott, Dell, Dunkin’ and Quora trashed my carefully crafted analysis.
This is further evidence that predicting events and issues based on unpredictable human behaviors is like picking your spouse on a blind date. Sure, you might be right, but you are just as likely to make a disastrous choice.
This time last year, I gazed deeply into my company’s Crystal Ball, read the tea leaves in my cup, and boldly predicted five circumstances. Three of them came true in full force:
- Government regulations would drive behaviors. The reaction to GDPR, NY DFS, CaCPA, CaSCD and serious talk of a US federal privacy law is proof that institutional behaviors are changing and will continue to do so.
- Patching will be the Achilles heel of applications. Known CVEs continued to the root cause of cyberattacks.
- More of the same problems as in previous years – a no brainer, unfortunately, since organizations still get caught doing stupid things (cough) Cathay Pacific (cough).
I’m claiming partial credit for the two other 2018 predictions: “Out-of-support software is the next frontier for attacks” and “IoT and Ransomware attacks will (still) be a threat” – and I’m updating them for 2019.
A list of 2019 predictions could easily include all of the same predictions as 2018, but that implies we are not making headway in solving the primary issues that security teams face every day. The reality is, though, we are making progress against cyberattacks.
Despite the recent meme-inspiring breaches that added more than 600 million records to the wild, the number of breaches reported in 2018 will be down significantly for the first time since 2011. That didn’t happen by accident.
Businesses are accelerating efforts to take care of the root cause of most cyberattacks – known, but unpatched CVEs – in a more rapid and efficient manner. Research released late in 2018 proves it: 321 hours (or ~$20K) per week is spent (average) on patching CVEs; 30% of the most severe CVEs are patched within 30 days, a double digit improvement.
The number of reported CVEs is also likely to finish the year flat to slightly down for the first time in four years based on stats from the National Vulnerability Database. This too is evidence that the testing tools and focus on improving the development process is working. Here again, automation has great potential to turn a one-year change in direction into a trend.
Progress, though, is not always linear or steady. While we wait to see if 2018 is a one-off or a movement, let’s look at what to expect in 2019.
- Fewer data breaches…
If the current trends hold true to the end of 2018, we will see the first year-over-year drop in reported data losses since 2011.
- …but bigger data losses.
The number of security breaches may be down but, the size of data losses per attack is growing. Even adjusting for the 2017 Equifax and the 2018 Marriott breaches, the number of records lost per attack/breach will double in 2018. Expect that trend to continue into 2019.
- Unpatched vulnerabilities will get you media attention you don’t want.
The latest numbers from The Ponemon Institute tells the story; security leaders around the world say that manual patching processes create risk – yet they continue to invest in headcount instead of automated tools like runtime virtual patchesthat can fix, not just patch, known code flaws with no downtime. Ponemon calls this the Patching Paraox.
- The security and compliance risks from Legacy Java applications only get bigger.
Depending on whose measuring stick you use, Java 8 accounts for between 79 percent and 84 percent of Java-based applications, with a little more than 40 percent still being written in Java 6 or Java 7! With no backwards compatibility in Java 11, enterprises with legacy apps (which is most organizations) face a dilemma – what to do with out-of-support, but mission critical applications?
- More of the same with a touch of “Huh?”
In a world where SQL injection and Cross Site Scripting vulnerabilities continue to plague between 30 and 50 percent of all applications, we’re going to see more of the same in 2019. But there will be surprises, too, says Captain Obvious. It could be that ransomware attacks will shift from primarily end-point vulnerabilities to server threats. Will we see a surge in DDoS attacks linked to the IoT after a year of relative calm in 2018? And what about critical infrastructure attacks from for-profit hackers and Nation/States?
The Institute of Operations Management advises that “there are two types of forecasts: lucky or wrong.” Let’s reconvene in a year to see which we are.
About the author: James E. Lee is the Executive Vice President and Global CMO at Waratek. He was theformer CMO at data pioneer ChoicePoint and an expert in data privacy and security, having served nine years on the Board of the San Diego-based Identity Theft Resource Center including three years as Chair. Lee has served as a leader of two ANSI efforts to address issues of data privacy and identity management.Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "http://bit.ly/2TmUCHo"