2018 Cybersecurity Year In Review with Predictions for 2019
Another year has gone by and the world of cybersecurity has once again been forever changed. In 2018 we saw a number of political “firsts”, downright crazy headlines, and another Super Bowl involving the New England Patriots in an upset. US President Trump seated his second Supreme Court nominee (after some controversy) and held summits with Kim (one and two); the Republicans expanded their footprint in the Senate while Democrats took the US House of Representatives, in the process electing the youngest person ever to Congress; we said goodbye to President George H.W. Bush; the Winter Olympics were held in PyeongChang without incident and fielded the first inter-Korea team in history; #Floridamen were still, well, let’s be honest, Florida men; people proved once again that they are not responsible and a public service announcement had to be made not to eat Tide Pods; Disney and Marvel’s Infinity War delivered on the most anticipated cross-over movie ever; France’s national football team won the World Cup; companies went public at a record pace not seen since before the financial crisis, including my employer; Uber and Lyft filed for their highly anticipated IPOs; and I became a father again. Phew, that’s a lot of news for just twelve short months. In between the meteoric fall of Harvey Weinstein and Boston winning the World Series (again), a number of cybersecurity events took place that would change the security landscape yet again.
While ransomware, phishing, cyber-espionage, and advanced persistent threats are nothing new, attack campaigns in 2018 have been far more strategic and appear to be directed by higher levels of government than previously seen. Military theorist Carl von Clausewitz famously stated that "War is the continuation of politics by other means" and the “cyberwar” is no exception.
In past years, when a new bug, exploit, or vulnerability was found in a popular piece of software, it would lead security researchers to a thought-provoking discussion. Today, information security is so intertwined with geopolitics, commerce, and the physical world that the context is completely changing, and it is becoming increasingly important to know the “hows” and the “whys” of an attack rather than the details of the actual bug or exploit. Tools, tactics, and motives are constantly evolving, and 2019 will undoubtedly be an interesting year for cybersecurity.
Here is a look back on notable Information Security events in 2018.
2018 started off with a BANG when Intel announced the “not-a-bug” speculative execution vulnerabilities (named Spectre and Meltdown) in their processors dating back to the mid-1990s. In the months that followed came a number of software and microcode patches intended to mitigate the information leakage that speculative execution makes possible. In the race to build a better and faster processor, manufacturers sacrificed security for speed, and they ultimately paid the price when several teams of security researchers were able to exploit speculative execution to gain unauthorized access to privileged information. Intel’s 8th-generation processors are said to have hardware mitigations to prevent this. While Spectre and Meltdown and their many variants have been greatly discussed and commanded their fair share of headlines, there have been no recorded practical attacks using these vulnerabilities.
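The patches mentioned above are only useful if they are actually active on a given host. As an added example (not code from the original post), the script below summarises what a Linux kernel reports about its own Spectre/Meltdown mitigations: kernels carrying those patches expose one file per issue under /sys/devices/system/cpu/vulnerabilities/, each holding a line such as "Not affected", "Vulnerable" or "Mitigation: PTI". The sample file contents in the script are constructed so it runs offline; on a real Linux host it reads the sysfs files instead.

```python
"""Summarise the Linux kernel's reported CPU-vulnerability mitigation status.

Added example, not from the original post. Linux kernels with the Meltdown/Spectre
patches (4.15 and later, plus distribution backports) expose one file per issue under
/sys/devices/system/cpu/vulnerabilities/. The SAMPLE_SYSFS contents below are
constructed to stand in for those files when the directory is not present.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample of what the sysfs files might contain on a partly patched host.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Not affected",
}


def classify(status_line: str) -> str:
    """Map one sysfs status line to a coarse category."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarise(entries: dict) -> dict:
    """Return {issue: category} for every entry; input maps issue name -> file text."""
    return {name: classify(line) for name, line in entries.items()}


def unmitigated(entries: dict) -> list:
    """Sorted names of issues the kernel reports as vulnerable or in an unrecognised state."""
    return sorted(n for n, c in summarise(entries).items() if c in ("vulnerable", "unknown"))


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read the real sysfs files on a Linux host; returns an empty dict elsewhere."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


if __name__ == "__main__":
    data = read_sysfs() or SAMPLE_SYSFS
    for issue, category in sorted(summarise(data).items()):
        print(f"{issue:20s} {category}")
    print("needs attention:", unmitigated(data))
```

Running it on a fleet (for instance from a configuration-management job) gives a quick inventory of hosts where a mitigation is missing, which is the defender's side of the story: the vulnerability is in the silicon, but the exposure is decided by the kernel and microcode actually installed.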
Earlier this year, I made the prediction that 2018 would be the year of cryptojacking (unauthorized use of computing resources to mine cryptocurrency). Security researchers reported that cryptojacking spiked over 4000% this year due to the rise of cryptocurrency prices, number of exploits and vulnerabilities, and the ease of monetization. The invention and acceptance of cryptocurrency completely changed the profit motive for malware authors.
In the early stages of cryptocurrency-related malware, malware authors created ransomware, which would encrypt a victim’s files and demand a payment in cryptocurrency in exchange for the decryption key. This direct payment model resulted in immediate financial gain without middlemen or additional steps such as brokering stolen credit cards or personal information. The model worked well in developed countries, where victims valued their data more than their money. In developing countries, victims would often forgo their files rather than pay the ransom. Cryptojacking removes that dependency on the victim: it allows an attacker to monetize a compromised machine immediately.
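Because a cryptojacked machine has to talk to a mining pool to be worth anything, that traffic is the most reliable place to detect it. The following script is an added example, not code from the post: it flags the first client payload on a connection when it looks like a Stratum mining request (newline-delimited JSON-RPC using methods such as mining.subscribe, mining.authorize and mining.submit for Bitcoin-style pools, or a login call carrying an "agent" field for the Monero-style dialect used by XMRig). The sample flows, IP addresses and wallet strings are constructed.

```python
"""Flag Stratum mining-pool traffic in captured connection payloads.

Added example, not code from the original post. A host with no business mining that
sends Stratum requests is a strong cryptojacking indicator. SAMPLE_FLOWS is a
constructed stand-in for what a proxy or network sensor might log as the first
client payload on each connection.
"""
import json

# Methods used by the Bitcoin-style Stratum dialect.
MINING_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                  "mining.extranonce.subscribe"}
# Methods used by the Monero-style JSON-RPC dialect (XMRig and relatives).
XMR_METHODS = {"login", "submit", "getjob", "keepalived"}

# Constructed sample: (src_ip, dst_ip, dst_port, first_client_payload)
SAMPLE_FLOWS = [
    ("10.0.0.12", "203.0.113.7", 3333,
     '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'),
    ("10.0.0.12", "203.0.113.7", 3333,
     '{"id":2,"method":"mining.authorize","params":["1ExampleWallet.rig1","x"]}\n'),
    ("10.0.0.31", "198.51.100.9", 443,
     '{"id":1,"jsonrpc":"2.0","method":"login",'
     '"params":{"login":"4EXAMPLEWALLET","pass":"x","agent":"XMRig/5.11.1"}}\n'),
    ("10.0.0.44", "192.0.2.20", 443,
     'GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n'),
    # Ordinary JSON-RPC "login" from an internal app: must not be flagged.
    ("10.0.0.50", "192.0.2.21", 8080,
     '{"id":7,"method":"login","params":{"user":"alice"}}\n'),
]


def stratum_reason(payload: str):
    """Return a short reason string if the payload looks like a Stratum request, else None."""
    line = payload.strip().split("\n", 1)[0]
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in MINING_METHODS or (isinstance(method, str) and method.startswith("mining.")):
        return f"stratum method {method}"
    params = msg.get("params")
    if (method in XMR_METHODS and isinstance(params, dict)
            and "agent" in params and "login" in params):
        return f"xmr-stratum login by agent {params['agent']}"
    return None


def scan(flows):
    """Return [(src, dst, port, reason)] for every flow whose payload matches."""
    hits = []
    for src, dst, port, payload in flows:
        reason = stratum_reason(payload)
        if reason:
            hits.append((src, dst, port, reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print("ALERT possible cryptojacking:", hit)
```

Port alone is a poor signal (pools increasingly listen on 443), which is why the check keys on the protocol content; pairing a hit with sustained high CPU on the source host makes a solid triage rule.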
Routers have had unpatched vulnerabilities in them for years. Many consumer devices are installed once and have no self-updating mechanism, so they sit vulnerable for years. The rise of cryptojacking made these unpatched router vulnerabilities much more valuable overnight. Security research is always a double-edged sword: it uncovers security vulnerabilities, giving companies and users the ability to patch them, while also exposing those vulnerabilities to attackers. Attackers are using vulnerabilities in devices such as MikroTik, D-Link, and Dasan GPON routers to increase their reach, building botnets for DDoS attacks and cryptojacking. The combination of vulnerability disclosure by security researchers and an average user’s inability or lack of knowledge to update an infected device means the problem will get much worse before it gets better. It will also be exacerbated as long as vulnerable routers lack a self-updating mechanism. For those in the security industry, when was the last time you checked for an update on your home router? When was the last time your parents/brother/sister/son/uncle/aunt checked for and applied a security update for their home router? I would bet a very large amount of money that there are far fewer people who patch on a regular basis than those who do not.
Cybersecurity vendor consolidation
In 2018 alone, the Chicago-based private equity firm Thoma Bravo acquired Barracuda Networks, Centrify, Veracode, and LogRhythm. There are unconfirmed rumors that Thoma approached Symantec and McAfee about a possible takeover.
McAfee acquires Skyhigh Networks
Splunk acquires Phantom
Cisco acquires Duo
Palo Alto Networks acquires Secdo, RedLock, and Evident.io
Check Point acquires Dome9
Symantec acquires Appthority and Javelin Networks
Broadcom acquires CA Technologies
AT&T acquires AlienVault
In the strangest of takeovers, BlackBerry acquires next-generation AV vendor Cylance
The cybersecurity landscape is being changed both by the next generation of threats and attacks and by the consolidation of the security industry. The majority of the cybersecurity acquisitions made in 2018 focused on the cloud, endpoint, identity, and applications. These will be the growth and focus areas of 2019 as security companies try to offer a “comprehensive”, all-encompassing, turnkey security solution.
GDPR takes effect
The General Data Protection Regulation (GDPR) took effect on May 25, 2018. This law, enacted by the European Parliament, requires companies to get affirmative consent for any personal information they collect on residents of the European Union (EU). The text of the strict rules for data processing and handling was not what got the attention of outside observers; it was the eye-popping fines for violators that garnered the most attention. Organizations that fail to follow GDPR face fines of up to 20 million euros ($24 million US dollars at the time of writing) or four percent of the organization’s global annual revenue, whichever is greater. Any organization whose sites or services could be offered and accessible in the EU is required to comply with GDPR, even if it is not based in an EU member state. This was a major win for consumer privacy, with some negative implications for security research. At the time, it was thought that WHOIS records would be partially or fully redacted to comply with GDPR, which would hinder security research. This eventually proved not to be a “the sky is falling” moment, and for the time being security researchers still have the same tools available to them.
In the cybersecurity bombshell story that will not die, Bloomberg reported that servers manufactured by Supermicro and used by tech companies such as Apple and Amazon Web Services contained hardware implants that granted China unauthorized access to information on those servers. Supermicro’s stock lost half of its value overnight after the story broke. Supermicro, Apple, and AWS all vehemently deny these claims, but Bloomberg has stuck by its reporting. To date, Bloomberg has provided no clear evidence that the implant story is actually true. While supply-chain attacks were in common use prior to the Bloomberg story, this would be the first time a non-US agency was responsible for the implants. The leaked Snowden documents contained evidence that the US NSA intercepted and implanted hardware destined for countries and organizations targeted for surveillance.
Marriott International was breached in early December, exposing up to 500 million guest records. That same week, Quora, Dell, and Sky Brazil were also breached, exposing 100 million, an unknown number, and 32 million records respectively. Two months earlier, Cathay Pacific lost 9.4 million records. Facebook exposed the information of up to 84 million of its users in the now famous Cambridge Analytica breach, which sent Facebook CEO Mark Zuckerberg to Capitol Hill to testify. It’s safe to say that your information is likely already out there, but you can always check https://haveibeenpwned.com/
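The site linked above also answers a related question, whether a password has shown up in a breach, and it does so without ever receiving the password. As an added example (not code from the post), the script below implements that k-anonymity lookup against the Pwned Passwords range API at https://api.pwnedpasswords.com/range/ : the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally. The response body in the script is a constructed sample so it runs offline; the only real value in it is the SHA-1 of the string "password", and the counts next to the suffixes are made up.

```python
"""Check a password against Pwned Passwords without disclosing it (k-anonymity).

Added example, not code from the original post. Protocol: SHA-1 the password, send
only the first 5 hex chars to https://api.pwnedpasswords.com/range/<prefix>, and
compare the returned "SUFFIX:COUNT" lines locally. SAMPLE_RANGE_BODY is constructed;
the counts are invented, only the suffix for "password" is a real SHA-1 fragment.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response (real ones hold several hundred lines).
SAMPLE_RANGE_BODY = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"   # SHA-1 suffix of "password"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
)


def split_hash(password: str):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_from_range(suffix: str, body: str) -> int:
    """Parse a range response and return how often the suffix was seen (0 if absent)."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the real range for a 5-char prefix (network call; not used by the test)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, body: str = None) -> int:
    """Number of breach occurrences of the password; uses the supplied body or fetches one."""
    prefix, suffix = split_hash(password)
    if body is None:
        body = fetch_range(prefix)
    return count_from_range(suffix, body)


if __name__ == "__main__":
    n = pwned_count("password", SAMPLE_RANGE_BODY)
    print("seen", n, "times in the (constructed) sample range")
```

Only the five-character prefix leaves the client, so the service learns nothing usable about the actual password; the `Add-Padding` header asks the service to pad the response so its length does not reveal which prefix was queried. This is the same check an enrolment form can run before accepting a new password.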
Users will continue to be the target for attacks. Even with record-high spending on infrastructure security, users will continue to be the weakest link. Attackers will keep tricking users into clicking on bad links and downloading bad files to turn their machines into a beachhead into the corporate network.
Continued security consolidation. The security space will continue to consolidate with companies snapping up other companies to add to their portfolio. It is often cheaper and quicker to acquire a new company than to innovate and perform the R&D in-house. This often leads to multiple management and logging consoles before the solutions are fully integrated.
The rise of “good enough” security. As breaches and cybersecurity come to the forefront of board discussions, strained budgets and checkboxes for auditors will lead to the acquisition of security solutions that only satisfy auditors. The phrase “buy nice or buy twice” comes to mind as good enough solutions often leave large security gaps that have to be closed by purchasing additional security solutions or having the organization accept the level of risk exposure.
IoT will still be insecure and a huge attack surface. With no regulatory framework and no standards to base IoT security on, companies will continue to pump out cheap and insecure IoT devices. Insecure IoT devices have been remotely compromised and built into massive botnet armies for use in cryptojacking and DDoS attacks. Holistic IoT protection will be a growing market in 2019.
2019 will bring more of what we saw in 2018, but with more focus and resources. Governments are building up their cyber armies, and it will not take much for an incident to become the opening salvo in a war on the new digital battlefield. Russia is constantly provoking Ukraine, Iran is attacking Saudi Arabia, and it’s only a matter of time before this becomes a new digital world war. See you in 2019!