As the year picks up steam, it's important for organisations to set themselves up for success. Technologies, processes, and companies are evolving, and so are attackers. We reached out to Adrian Sanabria, VP of strategy and product at NopSec to get his thoughts on what should be on your radar in 2019.
Thanks to his insight, we put together a list of the looming threats your company should keep an eye on and how organisations can defend themselves accordingly.
Border Gateway Protocol (BGP) Hijacking
This is a major potential issue because it's a relatively underexplored vulnerability but has been around for nearly 20 years.
In plainest terms, the BGP is one of the underlying structures of the internet, routing traffic as users navigate from website to website. BGP hijacking involves falsely claiming IP prefixes so they can reroute users to websites they didn’t intend to navigate to. Cloudflare compares this to changing the signs on the highway so that cars end up at a different destination.
Sanabria warns that this vulnerability can affect companies and websites worldwide, because of how deep in the internet infrastructure the hijack takes place. This can lead to denial-of-service (DOS) attacks, man-in-the-middle attacks, and traditional malware attacks by leading users to a risky website. However, due to its complicated nature, mostly nation-states and state-sponsored attackers have been exploiting this vulnerability.
However, with time and increases knowledge, not only are countries (and their respective organisations) at risk, but so are companies who have a large internet footprint or have a global presence.
Unfortunately, unlike the rest of the threats covered here, there aren’t clear ways to defend against this. You can configure your network to accept IP prefixes from only trusted sources. Otherwise, as Cloudflare suggests, you may have to be on the lookout for telltale signs of BGP hijacking, such as increased latency, poor network performance, or misdirected traffic.
Because of the specific nature of BGP hijacking, we covered defense here. For the rest of the article, we’ll cover defense and risk mitigation after listing our 2019 infosec threats.
Consumer and Enterprise-level Internet of Things (IoT)
The Internet of Things (IoT) is one of the major technologies that have emerged over the last few years, changing how homes and organisations function. Think voice-activated devices, smart fridges, internet-connected TVs, wireless conferencing, wireless security devices and more.
These devices take advantage of the enormous network speed consumers and organisations have access to and offer flexibility and convenience to consumers and organisations alike. By connecting to the internet, companies can centralise their processes, keep track of devices, and manage multiple aspects of the organisation, adapting to the ease of having wireless access across devices.
However, the fundamental reason why IoT devices are adopted are also what exposes companies to risk. The centralisation of IoT is what allows devices to speak to each other. If that single access point is compromised, it can lead to widespread issues across an entire organisation’s network.
“Systems that are designed to be controlled by one central point can end up backfiring dramatically.” - Adrian Sanabria
Sanabria offers an anecdote where, in doing his due diligence, he discovered that an IoT device’s Wireless Accessory Configuration (WAC) was publicly visible and displayed sensitive information such as usernames and passwords to anyone who linked to the WAC. Because these products were created sequentially, the device’s MAC address could easily be figured out, allowing any attackers to link to the WAC and have unfettered access into a company’s network.
IoT devices are created with convenience in mind, not security.
“Very few companies understand cloud security well enough, especially in 2018.” - Sanabria
The use of enterprise cloud infrastructure has exploded over the last several years, evidenced by the tremendous growth Amason, Microsoft, and Google, and many others have seen in those departments.
Because companies are reliant on their cloud provider for all their storage and data needs, this places a heavy load on a single point of access that, if compromised, would impact the company’s entire network.
Sanabria notes that the evolution and growth of the cloud industry and has also led to some of the security issues and risks organisations face. For example, Amason Web Services (AWS) has gone from offering dosens to hundreds of cloud services. Before, companies could see all the offerings in a single display grid that was easily configurable. But as AWS has grown, the grid has lost its effectiveness, and, especially for Amason S3, led to companies accidentally exposing their data.
Sanabria notes that this same problem could be replicated by other cloud providers such as Google or Microsoft as they continue to grow and offer more as part of their cloud offerings.
Software as a Solution (SaaS)/Platform as a Software (PaaS) Security
This is an offshoot of cloud security but with important distinctions and considerations that should be mentioned. When it comes to cloud providers and services, an organisation is relying on these technologies as part of their infrastructure.
However, with SaaS and PaaS, organisations are using these technologies to facilitate their processes and execute their business strategy. This makes a potential attack even riskier because a security compromise may directly impede a company’s ability to perform their function and serve their consumers.
For example, this could compromise a company’s social media platform (as evidenced numerous times), a company’s website (if their host is compromised), and any other client-facing applications (an eCommerce platform, for example).
This threat is tied to infrastructure access (which can result from poor cloud security). Essentially, crypto mining is when a malicious actor (or worse, an internal employee) obtains access to your company’s infrastructure and uses it to mine cryptocurrency. Mining cryptocurrency is done by using massive amounts of data and computer processing power. Essentially, a cryptominer is using free data and computer power and footing an organisation with the bill.
While this may seem like a victimless crime (aside from finance), malicious actors are starting to see the benefit of such a stealthy hack. Sanabria notes that this can lead to hackers finding other ways to profit off of them. He warns that this “will likely lead to malware and data theft.”
Sanabria shared this image from Fortinet’s 2018 Q3 Threat Report to note the rise (marked in red) in cryptocurrency connected to criminals and malware authors.
Social engineering, a topic we covered in our last article, is also a major issue Sanabria highlighted. While in the past, social engineering attacks were widespread and targeted many users, Sanabria notes that new attacks are trying to target people directly. This is why business email compromise (BEC) attacks are on the rise, where an attacker emails an employee directly impersonating someone higher in the company or with a comparable authority. Usually, the email contains a ‘bill’ that, once paid, allows attackers to end up getting away with the company’s funds.
While this affects the overall success rate and impact, this direct targeting makes the potential risk and damage incurred much more potent.
Sanabria notes that this shift in social engineering strategy has been the result of effective endpoint security and a significant improvement in anti-virus technology. Because software and malware are being caught by major antivirus providers (or caught within an email by many email providers), this has forced attackers to look for a different method.
As a result, social engineering has become a pinpointed attack, capable of inflicting major damage to a single organisation.
Sanabria suggests that this is one of the threats that is looming most in the near future and while we may not see widespread ramifications of it in 2019, organisations should still keep it in mind. As 3D, augmented reality, and virtual reality technology get more and more sophisticated, biometric-based password recognition, known for its security, may become a liability.
As these technologies are able to more acutely replicate and create details down to the level required by biometrics, it’s possible that iris, fingerprint, or even Face ID hacking is in our near future. This may even be on some hackers’ radars given the prevalence of fingerprint and facial recognition technology utilised by our most common mobile phones.
Sanabria predicts that some high profile hacks may surface in the near future and automated vehicles might also succumb to hacks (we’ve already seen some headlines suggesting the possibility). His concern is that “legislation is already 20+ years behind in regulating software and devices - this problem will only get worse as the variety of devices with computers [and biometric recognition] in them increases.”
This threat also highlights the inherent problem with biometrics as a form of validation. Unlike passwords, users can’t change their face, fingerprints, or eyes, so once a biometric is replicated, it becomes completely vulnerable.
Legacy Issues Organisations Should Be Aware Of
We also wanted to highlight some older issues that have been around for a while but are still problems for organisations. These persistent legacy issues will continue to plague organisations unless they take concrete steps to defend against them and mitigate the risk posed by these problems. Here are some of the issues:
Poor password and password reuse
Unfortunately, this is an employee-facing issue, which is usually the hardest to solve for (this is a recurring theme in this section). Many hacks and data breaches are often the result of a hacker brute-forcing a password that turns out to be easy to figure out. As many studies show, individuals still rely on using common passwords like “12345” or “password.”
Lack of two-factor authentication (2FA)
Two-factor authentication refers to using an additional method of verification (usually an SMS message) before successfully logging in. While this can solve the above problem, it requires employees to opt-into 2FA, which can be difficult to achieve.
Bring Your Own Device (BYOD)
We’ve brought up the risks BYOD in our social engineering article but it’s worth a standalone mention here. Many of the principles and best practices in information security are rooted in visibility and control, two factors that are minimally applied when it comes to BYOD. It’s hard to track and manage an employee’s device precisely because the organisation doesn’t own it. Sanabria presents the perfect scenario.
“When I connect my personal laptop to all my work resources, if you have no visibility into, or control over my laptop, you've just lost control of your data in a big way. “