The year 2019 so far has seen its share of major security and data breaches. Unsurprisingly, they were not caused by new cybercriminal techniques but by the same ones that have plagued information security for up to two decades. Social engineering and cyberattacks on web assets remain the two primary vectors for cybercrime. However, with increasing digital transformation coupled with the advances and shifts in technology, we can clearly see that web-related cyber threats are affecting more than they ever have. Let us take a look at web-related cybersecurity trends, both in terms of attack vectors as well as security measures.
Focus on the Big Players
The biggest organizations remain the primary target of cyberattacks. The reason is simple: the attackers have the most to gain. That is why enterprise security is one of the biggest current and future concerns.
In 2019, we have seen two major data breaches that encompassed entire countries. Both Bulgaria and, more recently, Ecuador, have had personal data of almost the entire population stolen. In the first case, the reason was a 20-year old culprit: SQL Injection. In the second case, it was another common culprit: database misconfiguration and lack of proper authentication. Both these could have easily been avoided if only the data owners adopted the right IT security posture for their critical infrastructure.
The biggest security problem that big organizations are facing is not that attacks are difficult to avoid. Such organizations are just not protected comprehensively. Suitable security solutions exist but most of them do not fit well into complex structures and have to be handled manually. And even the most innovative future products based on blockchain, machine learning, or artificial intelligence will be just as useless unless they are made to fit easily in complex environments.
Therefore, the biggest cybersecurity challenge for enterprise security, government security, and the security of all large organizations is insufficient integration and automation coupled with the increasing skill gap within security teams caused by the lack of suitable cybersecurity professionals available for hire. There is a simple way to combat this: security software manufacturers must go way beyond simple manual tools and provide new products that fit within enterprise environments. Enterprises must then start adopting such products. Luckily, this is exactly the trend in web security for 2019 and beyond (for example, Acunetix 360).
New Attack Motivations
Another piece of bad news for all large organizations is that cybercriminals now have more financial reasons to attack you. They no longer just want to steal your data and sell it on the black market. In 2019, ransomware attacks and cryptocurrency mining have become even more widespread.
While malware including ransomware is usually delivered via social engineering (primarily phishing attacks), cryptocurrency mining, which is on the rise, is often delivered via web attacks. If a cybercriminal utilizes an SQL Injection with privilege escalation, they can take control over your back-end server and install a cryptocurrency mining tool. They may also escalate to other connected systems. This way, they can use your IT infrastructure for their personal profit. Even worse, a cryptocurrency miner may be installed client-side due to a web vulnerability, thus utilizing the resources belonging to end-users. When exposed, this may seriously threaten your reputation and have legal consequences.
With such new motivations, enterprise security is more important than ever because primary targets for ransomware and cryptocurrency mining are enterprises and public institutions.
Mobile Security Is Web Security
The fast-paced digital transformation to mobile technologies continues in 2019. At first glance, mobile application security seems to have little to do with web security. This harmful perception is often why mobile application security leaves a lot to be desired. Mobile applications almost always communicate with back-end servers, and they use web technologies for that communication (APIs). And it’s those APIs that are the primary target for cybercriminals.
This trend affects not only small businesses that provide apps for mobile devices but also big players. Building a mobile app to go along with your web application is no longer just a trend, it’s a business necessity. And protecting the API of that mobile app is another necessity. Luckily, organizations can use the same tools to protect their desktop and mobile solutions.
Lamentable State of IoT Security
The Internet of Things is making its way not only into our homes but also into businesses. For example, enterprises may use IoT devices for physical security monitoring and data storage. They may also upgrade their network structures to use intelligent network devices. Little do they realize the risks that go along with it.
The current state of IoT in terms of security is simply lamentable. Many manufacturers do not test the security of the web interfaces and APIs that power most IoT devices. And this, unfortunately, includes not only small manufacturers but the biggest names as well. A research paper called SOHOpelessly Broken 2.0 proves this. Security professionals tested several devices, many of them from renowned companies, and found a horrifying number of web vulnerabilities.
With the current state of IoT, enterprises have two solutions. They either have to hold their horses with adopting IoT technology or they have to take security into their own hands and thoroughly test every device before it is adopted. They should also put pressure on equipment manufacturers to have more responsibility and security awareness.
What’s Coming In 2020
In 2020, we can’t expect any large shifts in current trends. Security breaches will continue and they are expected to be based on common vulnerabilities such as SQL Injections or Cross-site Scripting. Coupled with this, we expect the skill gap affecting security professionals to keep widening. Unlike others, we do not expect emerging technologies such as artificial intelligence or machine learning to be much help yet.
To combat these cybercriminal trends, both small businesses and large enterprises will hopefully become more aware and implement viable cybersecurity strategies. We are hoping that they will realize that the only way to ensure sufficient protection is through automation and integration. Businesses will hopefully treat cybersecurity as part of their regular processes, shifting from DevOps to DevSecOps. If so, despite the growing number of threats and new criminal motivations, security postures will keep improving.