BeyondTrust experts forecast future threat vectors most likely to affect organizations worldwide in the New Year
BeyondTrust has released its annual forecast of cybersecurity trends emerging for the New Year. These projections, authored by BeyondTrust experts Morey J. Haber, Chief Security Officer and Brian Chappell, Chief Security Strategist, EMEA/APAC, are based on shifts in technology, threat actor habits, culture, and decades of combined experience.
“The Arab Gulf region continues to innovate at scale,” said Morey Haber, Chief Security Officer, BeyondTrust. “But digital transformation in the cloud brings with it a range of issues, including the increased sophistication of attackers and their ability to adapt to the moment at a pace that, as yet, enterprise security functions have been unable to match.”
Prediction #1: Negative, Zero, and Positive Trust –Next year, expect products to actually be “zero trust-ready”, satisfy all seven tenants of the NIST 800-207 model, and support an architecture referenced by NIST 1800-35b. Zero trust product vendors will create marketing messages that may imply positive and/or negative intent. Some will provide positive zero trust authentication and behavioral monitoring, while others will work using a closed security model to demonstrate what should happen when a negative zero trust event occurs.
Prediction #2: Camera-Based Malware is here. Say “Cheese”! — In 2023, expect to see the first of many exploits that challenge smart cameras, and the technology embedded within, to leverage vulnerabilities. While there have been timeless discussions on the risks of using QR codes, we’re only now beginning to understand the risks from our smart cameras. As cameras become more complex, the risk surface is expanding for novel approaches that could lead to their exploitation.
Prediction #3: Reputation for Ransom—The rise of Ransom-Vaporware — We will see a rise in the extortion of monies based purely on the threat of publicizing a fictional breach. Society so willingly accepts the veracity of breaches reported in the news — and without evidence. For a threat actor, this could mean the need to perpetrate an actual breach is reduced and a threat alone, that is not even verifiable, becomes an attack vector all in itself.
Prediction #4: The Foundation of Multi-Factor Authentication (MFA) Invincibility Fails — Expect a new round of attack vectors that target and successfully bypass multifactor authentication strategies. In the next year, push notifications, and other techniques for MFA will be exploited, just like SMS. Organizations should expect to see the foundation of MFA eroded by exploit techniques that compromise MFA integrity and require a push to MFA solutions that use biometrics or FIDO2-compliant technologies.
Prediction #5: Cyber Un-insurability is the New Normal — In 2023, more businesses will face the stark realization that they are not cyber-insurable. As of the second quarter of 2022, U.S. cyber-insurance prices already increased 79% over the prior year. The truth is, it’s becoming downright difficult to obtain quality cyber insurance at a reasonable rate.
Prediction #6: The Latest Concert Hack—Wearable Risk Surfaces and Hackable E-Waste — If you have recently attended a large concert, you may have received a disposable LED bracelet that can receive RF transmissions during the event. The device is meant to be low cost, disposable, and have potentially only single use. In 2023, expect threat actors to easily decode the RF transmissions using tools like Flipper Zero to wreak havoc on venues that use these enhancements. Some, may be to form a protest for some other purpose.
Prediction #7: Compliance Conflicts are Brewing — Significant compliance standards, best practices, and even security frameworks, are starting to see a diverging in requirements. In 2023, expect more regulatory compliance conflicts, especially for organizations embracing modern technology, zero trust, and digital transformation initiatives.
Prediction #8: The Death of the Personal Password — The growth of non-password-based primary authentication will finally spell the end of the personal password. More applications, not just the operating system itself, will start using advanced non-password technologies, such as biometrics, either to authenticate directly or leverage biometric technology, like Microsoft Hello or Apple FaceID or TouchID, to authorize access.
Prediction #9: De-Funding of Cyber Terrorists Becomes Law — Governments all over the world will entertain a new approach to protect organizations from ransomware and stop the funding of terrorists: ban ransomware payouts outright. Granted, threat actors may move on to a new form of cyber crime to fund their operations, but ransomware as we know it will fade away.
Prediction #10: Cloud Camouflage is Confronted — To mitigate cloud security risks, expect a push for transparency and visibility into the security operations of SaaS solutions, cloud providers and their services. The push to ensure transparency of the architecture, foundational components, and even discovered vulnerabilities, will extend beyond SOC and ISO certifications.
Prediction #11: Social Engineering in the Cloud — Attackers will turn from their software toolkits to their powers of persuasion as they increase the number of social engineering attacks leveled at employers and organizations across the cloud.
Prediction #12: Unfederated Identities to Infinity and Beyond — Expect a push into unfederated identities to help provide a new level of services and potentially physical products that will become a mild access control and management nightmare. The size and scope will feel truly infinite — unless it is well-defined for identity management teams to provide access beyond what typically is available today.
Prediction #13: OT Gets Smarter, Converges with IT — Expect attack vectors for basic Operational Technology (OT) to expand based on similar exploits that target IT. OT which once had a single function and purpose is now becoming smarter, leveraging commercial operating systems and applications to perform expanded missions. As these devices expand in scope, their design is susceptible to vulnerabilities and exploitation.
Predictions #14: Headline Breaches Move to Second-Page News — Expect news of breaches to be buried deeper — whether in print or online format based on audience fatigue, lack of interest, or just because it is no longer exciting. With that said, legal, regulatory, and compliance responses will become front-page news should an organization fail to follow the proper steps for public disclosure and risk mitigation.
Prediction #15: A Record-“Breaching” Year — Expect a record-breaking year of cyber security breach notifications, not only because of the sophistication of threat actors, but also due to the larger changes in the world that will impact an organization’s ability to mitigate, remediate, or prevent a problem.
“Our assessments of the year ahead may seem all doom and gloom, but in truth, organizations have many ways of protecting themselves against an incident,” said Haber. “With the right blend of skills, tools and strategy — either in house or in collaboration with a trusted partner — businesses can go into 2023 with their eyes open and conduct their affairs with confidence.”