2019 is right around the corner, closing yet another widely interesting year for IT-Sec experts. We followed it closely at our weekly cybersecurity newsletter, Don't Panic. We can't deny it, it was a thrill. A nerve-racking thrill.
3 Cybersecurity Lessons We're Taking Into 2019
We saw the slow but steady recession of ransomware, replaced by new players such as the now all-time favorite: cryptojacking. On the other hand, we suffered more data breaches this year than it probably rained in London.
Learn More: What is Cybersecurity?
It was, without a doubt, a difficult year. But, once again, DON'T PANIC! When evil stands right around the corner and we face it constantly, we learn one or two things. Let's review 3 lessons 2018 left us in the field of cybersecurity.
1. Data privacy is being destroyed commercially.
It all begun early in the year, with Facebook's Cambridge Analytica scandal. The year started with a data breach that wasn't actually a breach, but the unauthorized usage and distribution of data. Over 87 million users were scraped for commercial purposes, provided by Facebook.
This marked the beginning of a series of events that turned 2018 in the demiseofdataprivacy.It also marked the break of trust between consumer and big enterprises, exposed in several scandals that revealed their mishandling of private data.
Cambridge Analytica accessed over 87M Facebook profiles.
Facebook gave the queue, and followed with constant follow-ups on how they allow specific companies access private information, such as conversations, and friend lists.
It didn't end there, though. Facebook had a rough 2018, not only they mishandled, but they were also targeted by a spam attack that stole personal information of over 30 million users, and 80,000 more when targeted with browser extensions.
However, the iceberg below the sea was the constant accumulation of breaches, which culminated in the reveal of the Marriott Hotel breach later this year.
Quora lost data of over 100 million users; Instagram exposed user passwords accidentally; Google+ was shut down after exposing 500 thousand more users; 945 data breaches in the first half of the year alone, with over 4.5 billion records compromised.
Finally, the Marriot Hotel chain revealed a 4-year-long breach that costed them the financial and personal data of 500 million Starwood guests.
It is a year that certainly doesn't correlate with the European General Data Protection Regulation Act (GDPR). Despite the EU's intentions, the scope of data handled outside of Europe and in the U.S. is of an irrepressible magnitude.
As for the meaning behind these breaches, the security specialist Brian Krebs explained the reality these data breaches reflect on his Marriot report:
"Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file."
"Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil."
Due to the fact that previously trusted controllers and providers of data are now involved as active threats actors, it isn't a wild concept to consider all data exposed or mishandled until proven the contrary.
In that very same report, Krebs explained to companies lesson number two in our list for the year.
2. Security needs to evolve faster to keep up with new vectors.
In the past year, quite a few technologies and security standards were tackled. Last year, WiFi encryption and Bluetooth security protocols fell, and IoT has yet to established a decent security framework.
A great article by Martin Rudd at HelpNet Security analyzes the diversity of threat vectors that appeared in 2018 and how security evolved around them. He asks the following question: can new security technologies keep up with appearing threats?
The key, according to Rudd, is to follow the attacker's path and focus on emerging technologies. Take Artificial Intelligence and Machine Learning for example.
Botnet networks leverage the power of hundreds of infected devices to carry out attacks with Terabytes of power.
As smart threats appear, so do defense systems that will take advantage of the very same aspect to fight back. Encounters will be machined based, AI vs AI, ML vs ML.
AI Fuzzing and ML Poisoning will become the norm, and we won't be surprised if we see smart botnet attacks that combine the power of thousands of devices to leverage Terabytes of network-attack-power.
Emerging threat vectors follow that natural evolution flow. A new technology or trend appears, then its malicious counterpart appears too to exploit it.
This was also the case for cryptojacking. The cryptocurrency craze reached its peak during the last year, and it caught the attention of attackers who took these new attack vector and grew it into one of the most popular types of attacks of the year.
These attacks infect large networks and individuals to take advantage of other's resources to mine cryptocurrencies. Currently, it's an attack difficult to detect, and it gives us an example of how sometimes the negative counterpart of a technology advanced faster than the positive one.
3. Individuals need to become the first barrier of security.
The third and last conclusion comes as a reaction to the previous two. At the moment, individuals can't rely on enterprises to completely secure their data, or handle it properly.
Moreover, the threat industry is moving forward too quickly, and sometimes the security industry can't provide automated solutions right away.
Educating users in matters of security is crucial to protect information at its point of origin and handling. To spread awareness, we must teach individuals what cybersecurity really is, what cyber threats exist and how to counter them, and proper ways of securing their personal devices.
After all, around 90 percent of all enterprise data breaches are caused by uninformed and unprepared people who simply commits a mistake. Things like accessing enterprise files on a insecure location, or using predictable passwords can cost an enterprise millions in damages.
Dashlane uncovered worrying and breachable password trends, such as 'password walking'.
Moreover, we have reached a stage of constant mobile device growth, reaching 3 billion users soon; together with the appearance of over 7 billion IoT devices, in which security hasn't been promptly considered.
In this context, mobile threats have been growing steadily with 54% more variants this year alone, according to Symantec's Internet Security Threat Report.
It is crucial to control the backlash that this hyper-connectivity generates. End-users need to leverage their online citizenship to become the first barrier of defense against all threats, both personal and business related.
2018 has been a tough year for both data security and personal privacy. It's clear that there's more holes to patch in the system than GDPR can contain.
At the moment, big enterprises have lost the trust of end-users who now know they have to work proactively to secure their personal information from being mishandled or stolen.
Moving forward, we should see the growth of personal and individual security as individuals retire their trust from the usual security players. 2019 will be a year of changes, as common practices continue to be rebuked and bested by the future's threats. It is time to redefine security!