2019 set a record for data breaches. Add in rising ransomware attacks and an increasing number of data privacy regulations, like CCPA and India’s upcoming data privacy act, and security and compliance are being forced to converge.
I sat down with Auth0’s Chief Security Officer Joan D. Pepin and Senior Director of Security and Compliance Duncan Godfrey to discuss what we can expect in 2020.
1. Credential Stuffing Continues to be the ‘Easy Attack’
Credential stuffing attacks, in which attackers take username and password pairs leaked from one site’s breach and replay them against the same users’ accounts on other sites, will continue to be the ‘easiest attack on the internet’, says Joan.
“Millions of usernames and passwords have already been breached,” says Joan. “And most people use the same password for everything. These credentials are available for free or cheap and what’s inside people’s accounts has real value. Add up bad behavior + breaches + value and you get the easiest attack on the internet. At Auth0, we detect 50,000 attacks every day from unique IP addresses.”
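The “attacks from unique IP addresses” Joan mentions are visible in an ordinary authentication log. The following is an added example, not Auth0’s detection logic: it scans constructed log lines for the stuffing signature (many failed logins from one source spread across many *different* usernames inside a short window), which separates a credential list being replayed from a single user who forgot their password. The log format, the thresholds and the log lines themselves are assumptions made for the demo.

```python
"""Spot credential-stuffing sources in an authentication log.

Added example (not Auth0's detection logic). Assumptions: one event per line
as "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>", and the thresholds
below; the log lines are constructed for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 198.51.100.7 walks a leaked credential list across
# many accounts (the stuffing pattern); 203.0.113.5 is one user who mistyped
# their password several times before getting in; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2019-12-01T10:00:01Z 198.51.100.7 alice FAIL
2019-12-01T10:00:02Z 198.51.100.7 bob FAIL
2019-12-01T10:00:03Z 198.51.100.7 carol FAIL
2019-12-01T10:00:04Z 198.51.100.7 dave SUCCESS
2019-12-01T10:00:05Z 198.51.100.7 erin FAIL
2019-12-01T10:00:06Z 198.51.100.7 frank FAIL
2019-12-01T10:00:07Z 198.51.100.7 grace FAIL
2019-12-01T10:05:00Z 203.0.113.5 alice FAIL
2019-12-01T10:05:30Z 203.0.113.5 alice FAIL
2019-12-01T10:06:00Z 203.0.113.5 alice FAIL
2019-12-01T10:06:30Z 203.0.113.5 alice FAIL
2019-12-01T10:07:00Z 203.0.113.5 alice FAIL
2019-12-01T10:07:30Z 203.0.113.5 alice SUCCESS
2019-12-01T10:20:00Z 192.0.2.9 bob SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, ip, user, outcome) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    events.sort(key=lambda e: e[0])
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_failures=5, min_users=4):
    """Flag IPs that, within one window, fail logins at least min_failures
    times across at least min_users distinct usernames.

    Requiring many *distinct* usernames is what separates stuffing from a
    single user who forgot their password (many failures, one username).
    For a flagged IP the totals over the whole log are reported, plus the
    usernames it logged into successfully: those accounts' reused passwords
    are now known to work and need a forced reset.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            failures = sum(1 for e in span if e[3] == "FAIL")
            users = {e[2] for e in span}
            if failures >= min_failures and len(users) >= min_users:
                flagged[ip] = {
                    "failures": sum(1 for e in evs if e[3] == "FAIL"),
                    "distinct_users": len({e[2] for e in evs}),
                    "compromised_accounts": sorted(
                        {e[2] for e in evs if e[3] == "SUCCESS"}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Running it flags only 198.51.100.7 and names `dave` as the account that must be reset; the legitimate user at 203.0.113.5, who failed five times under a single username, is not flagged. In production the per-IP view alone is not enough, because stuffing tools spread attempts across proxy pools; the same distinct-username logic can be applied per ASN, per user-agent fingerprint, or to the global failure rate.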
Joan says companies can help mitigate this global challenge by:

* Doing what they can to make sure their customers’ credentials aren’t breached (and become part of the problem)
* Employing solutions that will inform their users that they are using breached credentials
* Making it easy for users to change their credentials
* Considering bringing back the 90-day password change policy
* As an industry, collectively working on a solution that’s better than passwords
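The second item, telling users that the credentials they are using are already breached, can be done without the password or even its full hash ever leaving your server. The following is an added example, not Auth0’s implementation: it follows the k-anonymity range protocol used by the Pwned Passwords API (`https://api.pwnedpasswords.com/range/`), sending only the first five hex digits of the SHA-1 hash and matching the remaining 35 locally. The breach count and the range response in the demo are constructed so that it runs offline; `fetch_range` is the real network call and is not exercised here.

```python
"""Warn a user that their password appears in a breach corpus, without the
password (or its full hash) ever leaving your server.

Added example, not Auth0's implementation. It follows the k-anonymity range
protocol of the Pwned Passwords API: SHA-1 the password, send only the first
5 hex digits of the hash, and match the remaining 35 locally against the
returned "SUFFIX:COUNT" lines. The demo uses a constructed range response so
it runs offline.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_split(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse a 'SUFFIX:COUNT' range response and return the count for suffix.

    Padded responses contain filler entries with count 0; they never match a
    real hash, and 0 means 'not seen' either way.
    """
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Fetch the real range for a 5-hex-digit prefix (network access needed)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        # Add-Padding makes every response a similar size, so someone watching
        # the traffic cannot infer the prefix from the response length.
        headers={"Add-Padding": "true",
                 "User-Agent": "breached-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Return how many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = hash_split(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for fetch_range: lists the hash of "password" under its
# prefix with a made-up count, plus zero-count filler, so the demo runs offline.
_PW_PREFIX, _PW_SUFFIX = hash_split("password")
_CONSTRUCTED_RANGES = {
    _PW_PREFIX: "\r\n".join([
        "0" * 35 + ":0",          # filler entry, as in a padded response
        _PW_SUFFIX + ":3730471",  # constructed count for 'password'
        "F" * 35 + ":0",
    ]),
}


def constructed_fetch(prefix):
    """Offline replacement for fetch_range; returns only filler for other prefixes."""
    return _CONSTRUCTED_RANGES.get(prefix, "0" * 35 + ":0\r\n")


if __name__ == "__main__":
    for pw in ["password", "not-a-leaked-example-phrase-2019"]:
        n = breach_count(pw, fetch=constructed_fetch)
        print(repr(pw), "seen %d times, force a reset" % n if n else "not in corpus")
```

Run the check at registration, at password change and at login, since the corpus grows after the user chose the password. A non-zero count should block the new password or force a reset on the next login rather than only display a warning, and the lookup should fail closed into a rate-limited path (not an outage) if the range service is unreachable.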
2. AI Loses its ‘Hollywood’ Shine
2020 will be the year the cybersecurity industry pulls a reverse Terminator: AI-focused detection products will lose their shine because they cannot meet their silver-bullet promises, says Duncan.
“Currently, the term AI is being used as a catch-all for distinct technologies,” says Duncan. “When people think about AI, they think of movies like the Terminator or Minority Report. But when people use AI security products, they’re often actually using machine learning algorithms rather than a prescient computer. Many cybersecurity products carry the AI label, but just can’t deliver that Hollywood performance.”
Despite all the marketing hype, AI still isn’t delivering, says Duncan.
“There are no shortcuts in security. It’s still based on doing the hard foundation work and being rigorous with your security hygiene. AI is solving high-level problems that are beyond the needs of most companies. I’m not saying all this technology isn’t working: we have seen great strides in content and facial recognition, for example.”
But it won’t be this way forever. “In 50 years this prediction will perhaps make me look like a Luddite, but whatever tech we are using then will be built out of the ashes of the broken AI tech of the last few years — as in, I might hear it tell me ‘I will be back,’” says Duncan.
3. The Buck Stops at CCPA
GDPR was a game-changer for many, but some companies didn’t have to put their data houses in order. Joan says she expects the California Consumer Privacy Act (CCPA) to have a bigger impact. “Companies that were able to skate on GDPR will have to deal with CCPA — and because these companies weren’t large enough to be impacted by the EU’s regulations, they are likely to be smaller and less prepared, or we may see CCPA cause more pain than GDPR.”
4. What’s Under the Hood? Autonomous Vehicle Attacks Increase
Falling asleep behind the wheel of your self-driving Tesla seems like a fairly safe activity until you look under the cybersecurity hood, says Duncan.
“We have become more and more dependent on automated driving systems and now we are seeing active testing of fully autonomous vehicles. Behind all of this technology are management and control networks operated by the manufacturer. As this technology pervades our lives, it makes you wonder how secure they are. This year 84% of automotive engineers expressed concern that their systems weren’t keeping pace. We’ve already seen small-scale hacks on vehicles, but what happens if a control network is compromised and thousands or tens of thousands are hacked at the same time? These networks become part of our critical national infrastructure and, in the same way that power grids and our telecommunications networks are vulnerable, we have a whole new class of social infrastructure that needs protecting. I expect we’ll see an increase in targeted individuals or even fleets of cars. As we become aware of the challenges, companies should take steps to secure their systems and demonstrate to society and their customers that they’re taking this seriously.”
5. Cybersecurity Will Require ‘Old-Fashioned Work’
Privacy regulations like GDPR and CCPA are driving the convergence of security and compliance, says Joan. But the solution doesn’t reside in the next-best cyber tool.
“Be thoughtful,” says Joan.
“Just like your finance team should have a really good idea of your company’s assets and liabilities, the InfoSec team, your data team — whoever is responsible — should understand your data assets and liabilities. If responsibility is unclearly spread across six teams, that’s the first place to be thoughtful. Do the work of noting your assets and liabilities. Do you have a plan? Who owns it? Which laws, regs, norms and best practices are you following (and not following)? What would be easy to fix? What would be hard? This is old-fashioned work. Nothing cyber about it. Your CFO, CISO, Chief Privacy Officer, Chief Data Officer — someone should own this project, make an inventory, have a plan — and anyone who says the word “cyber” should have to put a dollar in the jar. There’s nothing cyber about it.”
6. Expect even more information warfare
We promised you five predictions, but couldn’t leave this one out. You’ll find Joan’s thoughts on the relationship between information warfare and cyber warfare in this Forbes post. We’ll get deeper in a future post.