Mison Riggins from Inspired eLearning joins me for Converge TechTalk today and we’re taking a look at the 2019 Cybersecurity trends and what we see as important now and in the coming months.
We start off by addressing the Collection #1 Data Breach. With some 770+ million email records and 21 million passwords reported to be shared online, there’s every reason that it’s being called “the mother of all data breaches.” If you’d like to learn more about the Collection #1 breach, I’ve covered it here—Collection #1 Data Breach, What You Need to Know.
Then we moved on to 2019 cybersecurity trends and what’s on the horizon. This includes:
AI and Machine Learning
AI and machine learning are current industry buzzwords, but Mison and I talk about how they, including weaponized AI, impact cybersecurity.
What’s happening with ransomware? Are we going to see more ransomware or less in 2019 and beyond? While we expect to continue to hear about pointed attacks against big-name companies and conglomerates, we’ll likely see a shift in cybercriminal focus to cryptocurrencies. The reason for the expected decline in ransomware is that it is much more lucrative to mine cryptocurrencies through nefarious means than to steal protected data and hold it for a ransom payment that may or may not come.
What Should Companies be Doing to Protect Against Ransomware?
That said, you still need to protect against ransomware. Backing up your data and using encryption to protect your hard drives, or at least your personally identifiable information (PII) and your intellectual property, is still good security practice.
We move on to the IoT … specifically, Weaponized IoT and the impact that has on the security space. So what is “Weaponized IoT”? Great question, and you’ve got to watch or listen to the interview for a deeper dive on this. Bottom line, more IoT connected devices means more opportunities for cybercriminals to take advantage of them for their own uses.
What Risks do Weaponized IoT Attacks Present, and Who is Their Most Likely Target Audience?
The targets for weaponized IoT attacks include the relatively mundane. We expect to see escalated attacks specifically targeting critical industrial infrastructures like power plants, electricity grids, public utility services, and communication networks. Industrial IoT (IIoT) systems make a great target since their vulnerabilities lie in the underlying cloud infrastructure, increasing network connectivity to edge computing, difficulty in securing the devices themselves with Meltdown and Spectre vulnerabilities still in the mix, and the exponential number of devices that have to connect to the cloud for updates and maintenance. IIoT has become low-hanging fruit for attackers since a compromise of back-end servers alone will cause widespread service outages and bring vital systems to a screeching halt, affecting other vital sectors at the same time.
What Role do Privacy Regulations Play in Trend Predictions?
We expect consumer awareness of and demands for privacy protection to continue. As a result, we also expect cybersecurity trends to demonstrate increased legislative and regulatory activity continuing throughout 2019. GDPR violations will most likely start to receive penalties from 2019. We saw that with recent news of France levying a nearly $57m US fine against Google for GDPR violations, and that’s likely not the first such assessment. Also, state-level privacy regulations will continue to be outlined and distributed as we see happening in California already.
Authentication Methods Will Improve
There’s good news in cybersecurity trends for 2019 as it relates to authentication methods—passwords are going to get a massive makeover.
Single-factor passwords will be a thing of the past, perhaps even relegated to Dark Age relics. With the FIDO Alliance and other such cross-organizational movements, the use of crypto keys instead of a single, albeit complex, password will be the more secure option for opening applications. Multi-factor authentication is already gaining ground, with requests for “something you know” (a phrase or PIN) and “something you have” (biometrics, a token, or an encryption key) being the new norm. NIST has already moved away from advising security professionals to demand a complex list of items to include in a password, as it has resulted in end-user password management fatigue.
Wrapping Up 2019 Cybersecurity Trend Overview
Perhaps most important of all in the cybersecurity trend overview is that 2019 will likely mark a strategic shift in the way people, especially the boardroom and C-suite executives, view cybersecurity. The security industry will also see a shift from an emphasis on “cybersecurity” to “information assurance and risk management.”
Shelly Kramer: Morning, this is Shelly Kramer, your host of Converge TechTalk. This week’s episode I am thrilled to bring you my guest and friend Mison Riggins. Mison is a tech writer and a security expert with Inspired eLearning. Good morning, Mison, great to have you.
Mison Riggins: Good morning, Shelly, thank you for having me. It’s always a pleasure.
Shelly Kramer: Always a pleasure to hang out and discuss the totally geek things that we both care about, like cyber security. And that’s what we’re going to be talking about today. We’re going to be talking about 2019 cyber security trends, and before we get started down that path, I would be remiss if I didn’t touch on the news of the day, which is the Collection #1 data breach being called the “Mother of all data breaches.” Exposing some 773 million email addresses and some 21 million passwords. And so if there’s anything to take away, we’ll be writing about this, you’ll be reading about this I’m sure, all over the internet. If there’s anything to take away from this is that at the very top of your data security, cyber security, personal protection, business protection, employee education list for 2019 should be password security, changing your passwords. Not using the same password just because it’s easy in all places across the web. So this is tremendously important. More important now than ever with this data breach. So please, don’t take this lightly.
Mison Riggins: That’s very true.
Shelly Kramer: So, Mison we’re going to talk about some trends. And I think the first one we’re going to tackle is what to expect in 2019 as it relates to AI and machine learning. Let’s talk about that a little bit.
Mison Riggins: That’s a great topic. We’ve been hearing a lot of talk about AI and machine learning, it’s quite a buzzword right now. I think we’ll still be hearing more throughout, well into the future I’m sure.
Shelly Kramer: Sure. And I think that what, we were talking about this before the show, and I think that what we’re seeing is that you know, AI is being used in marketing and sales and across other business operations. And security experts kind of disagree on this point, some people feel threats involving AI and machine learning are something to be concerned with right now. Others believe we’re going to be seeing this more in three to five years. I think that without question AI and machine learning are things that we can expect cyber criminals to be using.
Mison Riggins: Definitely.
Shelly Kramer: Yeah.
Mison Riggins: Definitely, and I think whether it’s right now or whether it’s three to five years, I think we as white hats need to start now. We need to get ahead of the curve. And I know that there are companies out there that are already trying to incorporate AI, and especially machine learning into their algorithms to find different threats that are already out there, and search for vulnerabilities, and continue to update. I don’t know if you know of CVE lists, but there’s a running list of all known vulnerabilities and AI will definitely help beef that list up. I think we can look for, I mean we can definitely anticipate the black hats trying to turn it for their own purposes, and their own malicious intent. So getting ahead of the curve would really give us a leg up.
Shelly Kramer: Well, and I think it’s just with anything else. It’s sort of resolving to have this on your radar screen as a trend moving forward, as a threat, as something to take into consideration, to plan against, to expect to happen. You know, we see phishing attacks. I got a phishing attack this Monday and it was really very interesting, and it was something that is called like a CEO phishing attack. And it was directed to a couple of people on my team, and it’s kind of like, okay so, that’s already happening to all of us on a daily basis. And thankfully, my team and I are aware enough that we can quickly identify those, but they’re easy to fall for. So if you add more technology into the equation, if you add AI into the equation, and those attacks can happen with great regularity, and they can become more sophisticated and more personalized over time, then I think it’s something that we really need to be concerned about.
So I do think that these are things that we need to not be complacent and think, “Oh, well. We’ve got three to five years before we really have to worry.” But I think we have to stay on top of it. We have to keep learning and talking about and exploring how this might impact us and our companies. Whether they’re large or small companies.
So let’s talk about ransomware. Are we going to see more ransomware or less ransomware in 2019?
Mison Riggins: I personally think that ransomware will become more targeted. I don’t think it’ll disappear totally, but I don’t think we will hear as much about it as we did last year and the year before. I think ransomware is going to be targeted only to bigger companies, the bigger fish, I guess. Because, we’ll probably touch on this later, but it’s more lucrative to mine cryptocurrencies and to steal other people’s bitcoins than it is to make a whole ransomware campaign.
Shelly Kramer: So let’s talk about, and you know I do think that again, this is kind of one of the things that we’ve talked about recently. Still, in spite of the fact that we think that the trends are going to be moving away from fears of ransomware, I think that’s probably important to say that we still need to be backing up data, using encryption to protect hard drives and your personal, identifiable information and your intellectual property. We’re never going to move away from that being important. But we hope that we won’t see as much of a focus on ransomware.
So weaponized IoT is another trend that we’ve identified as something to pay attention to for 2019. So specifically, weaponized IoT and the impact that has on the security space. So, let’s start with, what is weaponized IOT?
Mison Riggins: Well, IoT in general is Internet of Things, little gadgets that we can use in the home. Smart fridge, smart appliances in general. Even little talking teddy bears-
Shelly Kramer: Toys.
Mison Riggins: Yes, toys that allow kids to connect to the internet. Well, weaponized IoT is taking these great inventions and turning them into tools for malintent. So, attackers are hacking the device itself, usually they don’t even have to have some special code. All they need to know is the default password, and a default ID and they just log right in. There’s already scripts out there that will tour the internet looking for connected IoT devices that still have their default login credentials, and that’s their backdoor into your whole network. Especially if you haven’t set up a special segregated IoT network, and then your computer and your laptop network. If you’ve not created that divide and keep them on two separate networks, it’s very easy to, once they’re in your network, everything is, it’s all up for grabs.
Shelly Kramer: So the takeaway here is this is as important for consumers to understand as it relates to our homes, which are increasingly being filled with IoT connected devices. Amazon Alexa devices, Google Home devices, smart TVs, smart appliances, kids’ toys. All kinds of things. And those things, light bulbs, those things are only going to grow. So I think that understanding the risk and taking steps to protect yourself is important. If you’re a business, again, even more important to understand these things. And I think that we as consumers aren’t thinking about the fact that a lot of times when these things that we buy for home or for business come out of the factories, and are created by developers, security is sometimes not even on the list of developer concerns, when they’re building these devices. And the problem is that they arrive, they have default passwords, we’re not thinking about them, we don’t want to read instructions, we don’t want to take extra care, we don’t want to set things up.
From a CISO standpoint, this becomes challenging when you’re an enterprise level company, and you’ve got people throughout the company that have IoT devices that they’re setting up within the company. I mean it really can be a big deal. So it’s something to keep top of mind that can have an impact on security, and it’s really important to get arms around. Personally and professionally.
Mison Riggins: And the good news is, Shelly, that I think there is a strong trend, especially starting in 2019 where they are trying to incorporate security features into the IoT devices. Especially with Meltdown and Spectre, where the chip, the hardware was affected, remember? So now there are steps taken to ensure that at the CPU level, that the chips are also secure. And that will go a long way to helping secure our IoT devices. So the two things that we as users can do is to change our default settings, credentials. And then the second thing is, even if you have to borrow someone who’s tech savvy, try to create two separate networks and have your IoT devices only on that one, there by themselves on one network so there’s no crossover. That will go a long way to also protecting data and intellectual property and all of our personal information.
Shelly Kramer: So we’ve talked about the risks of weaponized IoT as it relates to smart devices, connected devices in the home and in the office. But I think there’s also a bigger area of weaponized IoT that needs to remain on our trend list. And these are not new things, we have seen some attacks on public utilities, on power plants, power grids, on public utility services and communication networks. We don’t hear about those things as much in the news, but I think they represent a huge risk for business, for governments, for municipalities moving forward and they need to remain high on the list of things that we’re aware of, and that we’re protecting against. Because a significant impact can result when cyber criminals get into a power plant and shut down grids or things like that.
So you mentioned how, I think we’ve talked a little bit about this. You know, industrial IT’s make great targets because they rely on cloud infrastructure and we’re talking about network connectivity and all those sort of things, and how we’re using the edge. So keeping laser focused on industrialized IoT vulnerabilities, and protecting against those things, if those are things that fall under your purview. I think that those need to remain high on the list of things to protect against, and I think we’re on the same page on that one, aren’t we?
Mison Riggins: Definitely, yes.
Shelly Kramer: So what about crypto jacking? I think you mentioned this a little bit before, but let’s talk about. We’ve seen some of this, you know we are in agreement that in trends to watch moving forward, certainly in 2019, crypto jacking remains high on the list. Talk a little bit about that.
Mison Riggins: Sure. So, not to keep saying the same things, but since it’s so easy to hack IoT devices, just by having the default credentials, what the attackers are doing is they’re taking the IoT device. And the ones that are interested in crypto jacking, they’re not going to mess around with your data per se. But they will use your device to power their crypto mining …
Shelly Kramer: Activities, yeah.
Mison Riggins: Activities, thank you. So it takes a good amount of power, just physical electricity power to mine for these crypto currencies. Whether it’s bitcoin or any of the other ones. And so instead of using their own resources and having to pay out of pocket for their own resources, they’re using yours. So if you see a spike in your electricity bill, or if you see that your IoT device is kind of lagging, or your computer is lagging on your networks, or your WiFi is always fritzing out, it might be a sign that something else is going on in the backend. Where they’re using your resources, your electricity, your WiFi signals, your bandwidth to mine for these crypto currencies.
And I haven’t really dabbled in it myself, but I hear it’s quite lucrative. Especially when they’re not having to put in any of their own resources to fund this.
Shelly Kramer: Right, well and it’s just a little army of computers and devices that are working for cyber criminals. So, okay so you talked about ways to maybe figure out that this might be a concern. How do you protect against this?
Mison Riggins: Well, like we said earlier, change those default credentials. Most people who have nefarious intent, they usually take the short road, the highroad, the easy road. So if you have to make them work for it by having to crack your passwords or figure out, or re-figure their code to account for that, it’s going to take more time, it’s going to take more effort.
Shelly Kramer: They’ll just move along.
Mison Riggins: So they might just skip over you and go to the next person who hasn’t changed all that, right? So that’s step one. The other thing again is segregating your network, and then powering things down. Unplugging things from the wall, and not letting them. Like Alexa, does she really need to be on while those kids are at school and you’re at work and nobody else is home but the dog? I really don’t see Alexa having a great conversation with a dog at home.
Shelly Kramer: Makes perfect sense, and I think people don’t do that.
Mison Riggins: Yeah, just unplug her.
Shelly Kramer: Yeah, I think people don’t do that. So, another trend that we’ve identified in 2019 that shouldn’t surprise anybody is a renewed and continued and perhaps even more intense focus on privacy, and privacy regulations. So let’s talk about that a little bit.
Mison Riggins: Well, so GDPR, the deadline for GDPR came and went, and there wasn’t much of a buzz about cracking down on people that were noncompliant yet. And I think that was due to the regulators of GDPR giving us a grace period. And I think starting in 2019, I think we’re going to see an uptick in penalties, yes. Whether they carry over from 2018 or not, that I cannot say. But I know going forward, because privacy is a big issue, and it’s something that we do need to protect. And as we’ve seen already, California moving to create their own laws and statutes, and I think we might see other states moving in that direction as well, and other countries.
Shelly Kramer: Yeah, I was reading an article this morning that was written by an investor in Facebook and an early mentor of Mark Zuckerberg’s. And it was really interesting because what he was calling for and what he was saying, you know, “I’ve been a mentor of Mark Zuckerberg’s. That said, Facebook needs to change the way it operates.” And Facebook isn’t the only huge technology firm. You’ve got Facebook, you’ve got Google, you’ve got Amazon. They have so much information, they have so much data, and they continue to collect that data, especially Facebook and Google, from us.
So there’s really been a call for regulation, for legislation, and I feel like we’re at the early stages of this, because we’re tactfully operating at a time right now where we have a government that is not interested in regulations and consumer protections. It’s kind of a difficult path to walk. But the reality of it is consumers are incredibly concerned about their privacy, they continue to be more and more concerned about their privacy. And they’re not interested in being put at risk.
So I think that privacy, regardless of penalties that we might see as a result of regulations like GDPR. I think we’re going to start seeing consumers and consumer groups demand greater privacy protections and so I think that as a trend, I think the message to companies is what your customers, what consumers, what your employees are looking for. I mean, we’ve had plenty of instances of companies experiencing data breaches, and government contractors information, social security number, private information being hacked, those sorts of things. Sony data breach.
So I think that employees have every right to expect of the companies that they work for that protections will be in place to protect their privacy. So I think if you’re in the security space, if you’re a senior leader of any company anywhere, you have to be thinking about privacy and consumer demands of privacy, employee demands of privacy, customer demands of privacy. So I think that needs to remain very high on a trend list.
So, I think the last trend that we were going to talk about today really related to a continued improvement in authentication methods. And that’s great news. So you want to tackle that a little bit?
Mison Riggins: I think I read somewhere that single-factor passwords are going to be the dark ages. So, definitely two-factor authentication, where you have your password, and then a token. Or these days you get a code sent to your phone, right? But I think it’s going to go further than that, I really think it’s going to be multi-factor. Especially with the FIDO Alliance, I know Google is a very big partner in that, and there are very … There are quite a few big name companies that have signed on with FIDO.
It uses, I don’t want to get into the weeds, but it definitely uses encryption keys, and having a private and public key that’s either on your phone or on some little fob that you carry with you. But I think it’s great that we’re trying to delve into different- using technology to beef up our password security is great news, all around.
Shelly Kramer: Yeah, and I see that, this isn’t something that we talked about in advance, we were talking about trends. But I also see that that’s really where blockchain is going to come into play in a lot of instances, because blockchain can be used to keep things more protected, more locked down, and I think we’re going to see more businesses use that. Whether it’s HR departments or banks or whatever. I think we’re going to see a lot of that as well.
So there you have it, those are the trends that we think that are on our radar screen for 2019, we think need to be on your radar screen. Things like how AI and machine learning might be used from a nefarious cyber-criminal standpoint. The fact that perhaps we need to worry a little bit less about ransomware, but that we still need to be aware of the fact that crypto jacking is a thing and will continue to be a thing and kind of have our defenses on alert there. I think that we need to be paying attention to the IoT and methods of weaponizing the IoT as it relates to both personal devices, devices used within the workplace, and then on a larger scale if you happen to be in an industry that would be vulnerable for an industrial IoT attack. Privacy regulations, respecting your customers, your employees, all of the data and privacy protections that you have in place and continue to enhance. And then how you’re modifying your authentication methods, and how you’re working perhaps with your employees and training them to understand a need for change and ongoing training as it relates to authentication and multi-factor authentication.
And we just can’t operate anymore as, do you remember when people used to say, “Oh here, let me open my desk drawer, I’ve got a Post-it note here with my password on it.” You know, and it’s Bobby Sue, 1999, the year we got married, whatever. We really are moving away from that. We have to move away from that, there’s too much information that’s out there on all of us that is at risk.
So interesting times ahead, and the thing about being in the business of cyber security and protecting against cyber security. And actually, as you know, educating, providing training and education to employees, it’s kind of like being in the business of healthcare. There are always going to be people who need healthcare. There are always people in businesses who need that kind of training and that kind of support, so that’s one of the reasons that we have you on as a guest so often. Because these are kind of things that are top of mind and super important for businesses today. Mison, thanks for joining me.
Mison Riggins: Thank you for having me. That was a great analogy. Health care and cyber security, yes, they go hand in hand actually.
Shelly Kramer: Well, actually protecting health care data goes hand in hand as well, so. Anyway, well it’s always a pleasure having you on the show. And I’m sure you’ll be back in the near future, and you know, here’s to keeping safe on the interwebs, for you and for me and for our clients and employees and all of that.
Mison Riggins: Yep, I’m here anytime. Thanks Shelly.
Shelly Kramer: It’s great having you, good bye.