BSI’s Global Centre of Excellence for Cyber Security and Information Resilience has forecast five key trends across the cyber security landscape for 2020. They focus on multi-factor authentication attacks, third party/supplier risk management, ongoing privacy assurance, advanced hacking techniques and security in the cloud.
Multi-factor authentication (MFA) attacks
A report by LastPass has highlighted that 57% of global businesses are using MFA compared to 45% in 2018. While this indicates a strong uptake of MFA in 2019, which is set to increase in 2020, it will mean that attacks against MFA will inevitably rise.
Stephen O’Boyle, global head of cyber security and information resilience services at BSI, said: “MFA is a method of authentication developed to add an additional layer of protection for users. While we’ve seen a positive roll-out of it in 2019, we expect to see attackers increase their attempts to bypass it. One such example is what we call a ‘9.00 am attack’, whereby the attacker attempts to login at around the 9.00 am local time of the user. The end user arrives at the office and, when logging on, receives a prompt on their authenticator app to approve. If the attacker has it timed correctly, the user approves and inadvertently grants access to the attacker.”
O’Boyle continued: “This, along with other targeted attacks such as Evilginx or SIM swapping, will become more prominent this year. Provided that phishing attacks remain a ‘high return and low risk’ proposition they will continue to be attractive to attackers. Organisations must have the capability to detect and react to advanced attacks in order to keep their clients, employees and information secure.”
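One defender-side way to surface the approval described above, added here as an example and not code from BSI or the article: flag any MFA push approval that comes from a source IP the user has never approved before, and note prior denials from that same source as a supporting signal. The event fields, users and IP addresses are constructed sample data.

```python
from datetime import datetime

# Constructed sign-in events (sample data for this example, not from the article):
# user, UTC timestamp, source IP of the sign-in that triggered the push, MFA outcome.
EVENTS = [
    {"user": "alice", "ts": "2020-01-20T08:59:02", "ip": "198.51.100.10", "mfa": "approved"},
    {"user": "alice", "ts": "2020-01-21T09:01:45", "ip": "198.51.100.10", "mfa": "approved"},
    {"user": "alice", "ts": "2020-01-22T09:00:11", "ip": "198.51.100.10", "mfa": "approved"},
    {"user": "alice", "ts": "2020-01-23T08:57:30", "ip": "203.0.113.44", "mfa": "denied"},
    {"user": "alice", "ts": "2020-01-23T09:00:05", "ip": "203.0.113.44", "mfa": "approved"},
    {"user": "bob",   "ts": "2020-01-23T09:02:00", "ip": "198.51.100.22", "mfa": "approved"},
]


def flag_new_source_approvals(events):
    """Return MFA approvals whose source IP has no earlier approval for that user.

    A user normally approves pushes that their own sign-in triggered, so the first
    approval from an unseen source, especially after a denial from that same
    source, is the pattern an analyst should review. A user's very first approval
    (no history yet) is treated as enrolment and not flagged.
    """
    approved_ips = {}   # user -> set of IPs with a previous approval
    denials = {}        # (user, ip) -> number of earlier denied pushes
    flags = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        key = (ev["user"], ev["ip"])
        if ev["mfa"] == "denied":
            denials[key] = denials.get(key, 0) + 1
            continue
        history = approved_ips.setdefault(ev["user"], set())
        if history and ev["ip"] not in history:
            flags.append({
                "user": ev["user"],
                "ts": ev["ts"],
                "ip": ev["ip"],
                "prior_denials_from_ip": denials.get(key, 0),
            })
        # Record the approval either way so the same source is flagged only once.
        history.add(ev["ip"])
    return flags


if __name__ == "__main__":
    for f in flag_new_source_approvals(EVENTS):
        print(f)
```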
Third party/supplier risk management
Effective supplier risk management has been reinforced by a number of new directives and regulations with wide-reaching effect, including the Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR). While companies are following ISO/IEC 27002 Information Technology – Security Techniques – Code of Practice for Information Security Controls and ISO/IEC 27036 Information Technology – Security Techniques – Information Security for Supplier Relationships to improve their ability to manage risks, and are substantially increasing their security controls, the risks relating to supplier relationships will continue to expand in 2020.
O’Boyle explained: “Supplier risk management allows organisations to identify, assess, manage and treat supplier risk. This year, businesses will need to further enhance their solutions when it comes to reducing risks associated with third party management. This includes processing of information, outsourced system development, integrations, configurations and hardware product provenance. Doing so will allow them to be in a better position from a security perspective to achieve their objectives and meet their compliance requirements.”
Ongoing privacy assurance
Globalisation and the relentless advance of technology mean that privacy safeguards are necessary to protect the fundamental rights of citizens. Adopting a principles-based privacy programme that establishes a rights-centred approach to controls will become even more necessary this year as enforcement of regulations such as the aforementioned GDPR progresses. In 2019, 134 fines were reportedly issued under the GDPR, equating to over €417 million.
“The GDPR fines are set to rise in 2020, especially given the impending decisions under review by the Information Commissioner’s Office relating to large tech firms. Many organisations have realised their compliance requirements due to the GDPR. However, new and evolving global legislation such as Japan’s Act on Protection of Personal Information, Brazil’s Lei Geral de Proteção de Dados, Thailand’s Personal Data Protection Act and California’s Consumer Privacy Act mean that an organisation’s privacy compliances continue to evolve. These global requirements must be considered based on a company’s global reach and data jurisdictions.”
Advanced hacking techniques
Mature security organisations often allocate significant human and financial resources to their cyber security programmes. In 2019, many industry security teams were tasked with proving the value of the company’s security investments. In addition to certifications such as the Payment Card Industry Data Security Standard, ISO/IEC 27001 Information Security Management Systems and Service Organisation Control 2, companies began conducting Purple Teaming exercises whereby Defenders (Blue Team) are pitted against Attackers (Red Team) to determine the effectiveness of their defence capabilities. This practice will expand in 2020.
O’Boyle continued: “This technique provides a truly effective view of attack susceptibility and defence capability in a close to real world attack scenario. The benefits to organisations are extremely valuable as defenders gain attack experience in a safe scenario environment, deficiencies are highlighted and opportunities to improve identification and response capabilities are advanced through process improvements and monitoring system tuning. We will see more companies adopt this approach as part of their annual assessment activities this year.”
Security in the cloud
As cloud adoption grows and organisations begin to truly accept the ‘death of the perimeter’, the Zero Trust model will rise to the fore. Security measures for protecting organisations beyond the traditional firewall will continue to improve, and conditional access that considers device enumeration, certificates, location, biometrics and user secrets will become the norm for protecting organisations that adopt cloud-first models.
“Cloud services, including Microsoft Office 365, are key targets for attackers and password spray and credential stuffing attacks are examples of methods used to gain access. Companies who progress their cloud journey without adequate Identity and Access Management tools and processes will soon find themselves subject to compromise. Those with limited monitoring in place can expect attacker persistence to remain for extended durations,” explained O’Boyle.
He concluded: “We’re seeing the next phase in cyber threats, cyber-related regulations, technological evolutions and specific solutions within these trends, looking beyond the stalwart and ever-present security risk of inadequate patching. Defence preparation must remain high on the agenda for 2020 across all industry sectors including finance, the public sector, food and healthcare. In England specifically, this will be further enforced through efforts stipulated in the National Cyber Security Strategy. Organisations need to prioritise and address their cyber and regulatory efforts this year and opt for a deeper level of assurance across the board at all levels. Doing so will ensure that everyone has a greater understanding of the cyber security landscape and that their information resilience is enhanced across the organisation.”
The BSI Cyber Security and Information Resilience team provides a range of solutions to help organisations address their information challenges covering cyber security, information management and privacy, security awareness, compliance and testing.
For more information visit https://www.bsigroup.com/en-GB/Cyber-Security/