With the new year now underway and the memories of the holiday season replaced by the realities of winter, taxes, and work, it’s a good time to reflect on the highs and lows of 2018 to envision what 2019 might look like. Last year:
- Misappropriation of data was a widespread issue in 2018. A ceaseless stream of breach events afflicted a range of industries and distinguished companies, including Google, Marriott, Twitter, and British Airways, which means their customers or subscribers were affected as well. Some of the most famous privacy issues of 2018 were the result of vulnerabilities or bugs that allowed unintended access to customer information. The most famous of these belonged to Facebook, in which the accounts of 90 million users were put at risk, and Google+ where a bug exposed the accounts of over half a million users and contributed to the demise of the Google+ platform.
- Smart home devices came into their own. They, along with third party “Alexa enabled” devices, provided convenience and novelty to home automation and home life.
- Cryptocurrencies like Bitcoin and Ether, which had surged in value and popularity throughout 2017, settled into a more subdued and less visible pattern in 2018. They effectively stepped off the hype curve and started onto a period of maturity.
- Ransomware began to be eclipsed by cryptojacking, in which bad actors used other people’s hacked computers and browsers to do the energy-intensive work of crypto mining. This doesn’t mean ransomware events disappeared. They just received less coverage.
- Data protection received a boost from the official enforcement of the General Data Protection Regulation (GDPR) within the European Union. It has profound implications for any organization, anywhere in the world, that connects with Europe-based clients or suppliers; regulators will start taking people or companies to task, handing out significant fines as a result of contravention of GDPR standards.
- GDPR also served as a clarion call for more data protection legislation to become the norm worldwide. The United Kingdom enacted a similar statute (The Data Protection Act 2018), as did industry groups such as the mobile carriers association GSMA.
Looking Forward to 2019: Intended and Unintended Data Breaches
It is a virtual certainty that in 2019 breaches will continue to happen. They will continue to spring from different sources including criminal activity, inadequate internal management, mechanical and software failures, or combinations of these.
As ESET Senior Security Researchers Lysa Myers and Stephen Cobb wrote recently in Cybersecurity Trends 2019, this may result in “greater diversification of the digital ecosystem as people shy away from places that have proven to be insecure.” [1]
2019: The Rise of IoT Device Attacks
Attacks will also likely increase through the growing use of, and dependence on, Internet of Things (IoT) and Industrial Internet of Things (IIoT) connected devices. While many of these tools, like Alexa, remain visible to the public, IoT is everywhere. In consumers’ homes, these include smart doorbells, baby monitors, smoke detectors, and routers. But commercial buildings increasingly use IIoT-connected devices for lighting, occupancy, air quality and more. As ESET expert Tony Anscombe points out, “a smart building is simply a giant IoT device.” With the advent of autonomous vehicles and smart cities, connections will be everywhere while simultaneously blending into the background, rendering their activities, both pure and corrupted, invisible to the average user. Security, Anscombe says, has not been on everybody’s mind, and this has resulted in an oversharing of data, and a general lack of awareness as to where it is being held, who has access to it, and the fact that this data may remain accessible and vulnerable permanently.
The number of internet-connected smart devices is expected to grow to 80 billion by the year 2020 [2], which means 2019 will see increased consumption and usage of these tools. Attacks will increase, especially those that use automated scripts to target vulnerabilities and take control.
It is worth noting, however, that in October 2018, the state of California passed legislation to remove and ban default passwords like “admin” and “password123” on all new consumer electronics starting in 2020. The point of this legislation is to take one step towards eliminating a vulnerability that has been an easy entry point for cyber criminals for decades.
The Hidden Criminals
Hiding in plain sight is a prime opportunity for bad actors and will remain so in 2019 and beyond. Case studies have already shown how IoT devices can be exploited in ways that are inconceivable to the average consumer. For example, as ESET Senior Security Researcher Camilo Gutiérrez Amaya writes, “it is possible for an attacker to unlock devices, make bank transfers, or make online purchases simply by concealing malicious messages in the playback of a normal audio file.” [3]
Machine Learning: Making Crime Smarter
Artificial intelligence (AI) and machine learning (ML) offer enormous potential in areas we have just begun to realize for computing in general.
It is natural to expect that hackers will use this to their advantage, for example, to create more personalized, targeted emails, a practice called spearphishing. Similarly, facial recognition and digital manipulation technologies have the potential for cybercriminals to extend their powers within areas such as sextortion, contract manipulation, and fraud.
As ESET Malware Analyst Tomáš Foltýn wrote in a WeLiveSecurity post, machine learning cybercriminals are already using automated searches to assist in finding vulnerable machines and online accounts and gathering massive amounts of disparate data for subsequent targeted reconnaissance. [4]
2019: More Diversity in Types of Data Stolen
We will see an increase in the diversity of data being hacked. Since personal data such as a credit card number has a limited shelf life before the customer cancels the account, there will be greater criminal interest in obtaining access to longer-term data sources such as medical and employment records. These may also prove easier to obtain, due to poor security practices as well as being a soft target. This data is not thought of as having great value, but cyber criminals can exploit it for activities like identity theft and spearphishing.
2019: What Can We Do?
Security specialists and average consumers alike must be more proactive in understanding what types of data are being exchanged and collected by all devices in use, including browsers, smartphones, apps, and IoT technologies. They must take steps to limit the exposure of their data. Anscombe says, “Don’t think it’s not going to happen to you because it probably already has.” He suggests thinking carefully before granting apps access to your contacts just because they ask for it. Also, use different email addresses for different purposes – use a different one for accessing your bank accounts than you would for shopping online.
Executives and corporate decision makers should use good security technology and must make sure it is always up-to-date. They must educate their employees in cybersecurity practices frequently and proactively, since so many security problems like spearphishing stem from human actions.
Manufacturers need to dedicate themselves to implementing “security by design” policies within the application layer of their products to increase the protection and confidentiality of data.
It’s a race that will never end. But it is up to people to train themselves to not be as complacent or trusting as they were in earlier decades. Security must be a by-the-second obligation. And it will continue this way through 2019 and beyond.
Steve Prentice specializes in the place where human and technology meet. With a background in organizational psychology and project management, he works with IT industry leaders like SAP, CA Technologies and Cisco, as well as with their customers. He consults, manages projects, delivers keynotes, and teaches at a Toronto-area university (UOIT).
[1] Cybersecurity Trends 2019, page 24. https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET_Trends_Report_2019.pdf
[2] IDC: IDC Forecasts Worldwide Spending on the Internet of Things to Reach $772 Billion in 2018
[3] Cybersecurity Trends 2019, page 27.
[4] Tomáš Foltýn, Over 40% of online login attempts are attackers trying to invade accounts (February 2018). Retrieved from: https://www.welivesecurity.com/2018/02/26/login-attempts-attackers-invade-accounts/