Looking back finds reasons for optimism…and why you should plan ahead
Prognostication is risky business. Trying to predict events and issues that are largely based on unpredictable human behaviors is like picking your spouse on a blind date. Sure, you might be right, but you are just as likely to make a disastrous choice.
Yet, every year at this time lots of smart people with loads of data at their fingertips predict what they think will be the major cybersecurity issues of the coming year. In 2018, Waratek’s Crystal Ball had a pretty good track record – three out of five security predictions have come to pass with two partials – and there is still time to pick up the others before the year ends.
| 2018 prediction | What happened | Score |
|---|---|---|
| Government regulations will drive behaviors. | GDPR, NY DFS, CaCPA, CaSCD and serious talk of a US federal privacy law. | 1 |
| Patching will be the Achilles heel of applications. | 321 hours (or ~$20K) per week spent (average) on patching CVEs; 25% of the most severe CVEs are not patched within 290 days. | 1 |
| Out-of-support software is the next frontier for attacks. | Too soon to see much movement here, but it's coming. | .5 |
| IoT and Ransomware attacks will (still) be a threat. | It's not that these aren't issues, but only one 2018 attack made headlines. So far. | .5 |
| More of the same. | Organizations still get caught doing stupid things (cough) Cathay Pacific (cough)… | 1 |
A list of 2019 security predictions could easily include all of the above, but that’s just a tacit acknowledgement that the security community is not making headway in solving the primary issues that teams face every day. The reality is, though, we are making progress against cyberattacks. Progress is not linear or steady, but there are signs the collective actions of teams may be impacting the effectiveness of current attack vectors.
So, without further ado, here is a list of cybersecurity issues you can expect to see in 2019 – in no particular order.
Fewer data breaches…
2018 is on track to see fewer reported breaches and fewer reported CVEs after a record-smashing 2017. If the current trends hold true to the end of 2018, we will see the first year-over-year drop in reported data losses since 2011. Check back this time next year to see if this is a trend or a momentary pause in the action.
…but bigger data losses.
The number of security breaches may be down, but the size of data losses per attack is growing. Adjusting for the 2017 Equifax breach, the number of records lost will double in 2018. Expect that trend to continue into 2019.
Unpatched vulnerabilities will get you media attention you don’t want.
The latest numbers from The Ponemon Institute and CA Veracode tell the story. According to Ponemon, security leaders around the world say that manual patching processes create risk, yet they continue to invest in headcount instead of automated tools like runtime virtual patches that can fix known code flaws with no downtime. A US government report confirms that hackers breached Equifax within two days of CVE-2017-5638 being announced, yet CA Veracode says fewer than 30% of known code flaws are patched within 30 days of discovery.
The security and compliance risks from Legacy Java applications only get bigger.
The release of Java 8 SE in March 2014 marked the end of backwards compatibility for the world’s most popular application. Java 8 has since been replaced by Java 9, 10 and 11 and will go “end of public support” in January 2019, yet it remains the go-to framework for enterprise applications. Depending on whose measuring stick you use, Java 8 accounts for between 79 percent and 84 percent of Java-based applications. A little more than 40 percent are still being written in Java 6 (2006) or Java 7 (2011)! With no backwards compatibility in Java 11, enterprises with legacy apps (which is most organizations) must rewrite their applications or virtually upgrade their applications using compiler-based technology and a virtual container.
More of the same with a touch of “Huh?”
In a world where SQL injection and Cross-Site Scripting vulnerabilities continue to plague between 30 and 50 percent of applications, we're going to see more of the same in 2019. But there will be surprises, too, says Captain Obvious. It could be that crypto-mining attacks will accelerate, or maybe ransomware attacks will threaten more than just healthcare companies. Will we see a surge in DDoS attacks linked to the IoT after a year of relative calm in 2018? And what about critical infrastructure attacks from for-profit hackers and nation-states?
The Institute of Operations Management advises that “there are two types of forecasts…lucky or wrong.” Let’s reconvene in a year to see which we are.