With National Cybersecurity Awareness Month in full swing and Halloween only a couple weeks away, ZeroNorth asked some of our top security pros about the “scariest” trends and specific vulnerabilities they’ve seen happening on the security front—programs or decisions that “keep them up at night,” maybe even more than their first horror movie. Here are some of the responses we received, which not only offer a good shiver, but also highlight precisely where the industry should focus its collective efforts.
Aside from going out of business entirely, the most frightening thing executives face is the threat of a serious hack. To ease this fear, organizations often choose to spend more aggressively on bolstering defenses, and Cybersecurity Ventures, an analyst research firm, estimates that security spending is going to exceed $1 trillion within the next two years. As organizations of all kinds, across all industries, increase their budgets to strengthen their stacks—a non-negotiable expense—the average cost of a data breach continues to soar. In fact, new research from Kaspersky shows the average breach is up from $1.23 million in 2017 to $1.41 million in 2018, a spike that is certainly worthy of the Board’s collective attention.
Undefined Attack Surfaces
Just like trying to vanquish an invisible monster, it’s nearly impossible to fight vulnerabilities you can’t see. This means, a lack of visibility into an organization’s complete attack surface can make any security professional pretty uneasy.
With 83% of enterprise workloads expected to be in the cloud by next year, it’s important to understand which organizational assets are using cloud technology and how they can be protected. However, ZeroNorth’s CTO John Steven believes, “most organizations can’t even pin down what their asset base is with move-to-cloud initiatives in full swing, and when you couple this with shadow IT practices, it becomes even more difficult to take inventory on assets that security teams are actually responsible for.”
Steven explains how this can put security teams at a significant disadvantage, as “there’s no view into where the organization’s data flows and what third-party services they rely on, so there’s no way to understand the full attack surface and put the necessary security controls in place.”
Speed Over Security
Another common theme that has security professionals on edge is the prioritization of speed over security. Even in a horror movie, learning from one’s mistakes is key to survival. Barry Walker, Senior Software Architect at ZeroNorth, notes most organizations “rush to ship products out as quickly as possible instead of ensuring proper security and doing things correctly.” He adds, when breaches happen at large companies, “they fail to learn from their mistakes, so there’s little incentive to ship secure products with so little accountability required when breaches do happen.”
ZeroNorth VP of Engineering, Andrei Bezdedeanu, agrees the speed of business today is causing some companies to overlook security. Bezdedeanu’s primary concern is the “velocity and frequency at which companies are pushing out software can lead to inept security within these releases.” The bottom line—security pros are worried about security falling through the cracks in the quest for more velocity.
New Targets, Large Impact
Often times, the scariest movies are the ones with the most realistic action and plot lines—cyberattacks are much the same. Threats to critical Infrastructure are particularly scary because they can impact the lives of everyday citizens in a noticeable away. Ernesto DiGiambattista, ZeroNorth founder and chairman, considers this reality to be one of the most serious out there.
“When security impacts the physical world, like on 9/11” our risks become our reality because after all, we “can’t override planes crashing into buildings.”
ZeroNorth product security lead Mario DiNatale says more on the subject of shifting attack methods. “The idea that you could do everything right and still get popped” is something that keeps lot of pros up at night. “And this year’s trend seems to be compromising open source programming libraries.”
Critical infrastructure is always something security pros keep an eye on. Mike Brown, Rear Admiral, United States Navy (Retired), president of Spinnaker Security LLC and a ZeroNorth security advisor, confirms, “The ongoing effects to our critical infrastructure and the significant expansion on the horizon keeps me up at night and has for years.” In particular, he’s concerned about “the use of OT and IOT to run our systems, which has significantly expanded the attack surface for malicious actors.” And with the advent of 5G, “the surface is only going to continue to expand,” Brown adds.
Spooky Tales Become Lessons Learned
Unfortunately, the most worrisome trends will likely materialize into some sort of related attacks. And because professionals on the front lines of defense are the most qualified to spot these shifting tactics, they can also see them coming down from far away—just like that zombie apocalypse you remember from the movies! But in all seriousness, these concerns are not just nightmares—they are a sign of where we are in the journey and what we need to fix.