Back when I was a consultant, I had a customer tell me he had an unlimited budget to secure his environment. So I spent more time than was appropriate scoping the very best technology available for what he needed at the time. Every organization has a limited budget. Someone else recommended something far cheaper, that did half the stuff he wanted. He of course picked the other bid. One of his requests was to predict the future and future-proof what he was buying. Half of what the great prognosticators of the day were calling for still isn’t production-worthy.
Why Technology Predictions Suck
It's tempting to believe that experts predicting the future of information security have a crystal ball. After all, with mountains of data and sophisticated analysis tools, shouldn't they (er, we) be able to see what's coming? The reality is often messier. Predictions in information security frequently miss the mark, leaving organizations scrambling to react instead of proactively preparing. So, why are these predictions so often wrong?
The Inherent Unpredictability of Human Behavior: Much of information security hinges on human actions and decisions. Hackers are constantly innovating, adapting their tactics to exploit new vulnerabilities, and employing social engineering tricks (which let’s face it continue to be one of the weakest points of any security paradigm). Predicting human behavior, especially the activities of malicious actors, is notoriously difficult. Even the most sophisticated AI algorithms struggle to account for the unexpected creativity and cunning of determined attackers.
The Ever-Evolving Threat Landscape: Technology advances at a breakneck pace, creating new attack vectors and vulnerabilities almost daily. Patchwork solutions and yesterday's best practices can quickly become obsolete against tomorrow's threats (although some countermeasures have been pretty darn effective since at least 3,000 BCE). Chasing predictions based on current trends can be like chasing shadows, as the landscape shifts beneath your feet.
The Black Box of Cybercrime: The underground world of cybercrime is shrouded in secrecy. Attackers operate in dark corners of the internet, sharing information selectively and obfuscating their activities. This lack of transparency makes it difficult to gather accurate data and understand the true scope and nature of emerging threats. Further, emerging threats can’t be publicized because security researchers need to give vendors time to patch and customers time to install patches, so we’re always months behind even the findings of the reserach community.
The Hype Machine and Market Forces: Predictions, especially those with dramatic narratives, can attract attention and funding. Security vendors may overinflate threats to sell their products, while media outlets sensationalize stories to grab headlines. This creates a noisy environment where it's hard to distinguish genuine risks from marketing hype. It doesn’t help that a lot of industry analysts are well compensated (directly or indirectly) by companies wanting to get into the top right corner of a quadrant.
The Focus on Spectacle over Substance: Some predictions prioritize generating buzz over offering actionable insights. Broad, vague statements about "quantum computing threats" or "AI-powered attacks" may sound scary, but they rarely offer concrete guidance on how to prepare or defend against them. Yet they are happening - if primarily through bad actors being able to build tools faster with the same AI tools legitimate software developers use or chat bots going after our grandparents.
So, are predictions in information security completely useless? Not necessarily. They can serve as starting points for discussion, raising awareness of potential risks, and prompting organizations to consider their security posture. However,it's crucial to approach them with a healthy dose of skepticism. Instead of relying solely on predictions, organizations should adopt a more nuanced approach, including:
Focus on fundamentals: Strong security practices like patching vulnerabilities, implementing multi-factor authentication, and educating employees remain essential, regardless of the latest trends.
Embrace a proactive mindset: Continuously monitor systems, invest in threat intelligence, and conduct regular security assessments to identify and address emerging risks before they become full-blown attacks.
Build resilience: Develop a layered security strategy that can adapt to changing threats, focusing on incident response, disaster recovery, and business continuity planning.
Think critically: Evaluate predictions carefully, considering their source, methodology, and underlying assumptions. Don't let fear mongering or hype dictate your security strategy.
Automate everything: Security scans, patch management, user training, updating documentation, whatever. If it’s part of the arsenal, it needs continual maintenance. Otherwise the very tools we use to secure systems could become threats.
By understanding the limitations of predictions and prioritizing fundamentals, organizations can navigate the complex world of information security with greater confidence and prepare for the inevitable surprises that lurk around the corner.Remember, true security lies not in predicting the future, but in being prepared for whatever it may hold.
Predictions
Now that we’ve looked at why predictions kinda’ suck a lot of the times, let’s make some! Technology advances will move faster in the next few years than the last. There’s a prediction that’s easy to stand behind because it’s been that way since the end of end of World War II (although arguably since the beginning of human consciousness - but there’s way better data to track it since the advent of computers). As technology continues to evolve at breakneck speed, the digital landscape becomes increasingly complex, riddled with opportunities and pitfalls. In 2024, information security professionals face an ever increasingly dynamic environment (that was a mouthful) where threats are constantly morphing and new tools emerge to combat them. Staying ahead of the curve is crucial for protecting sensitive data and mitigating risks.
Even though we argued it’s hard to predict, let's delve into the key trends shaping the information security landscape in 2024, exploring potential threats and the tools available to counter them:
1. The Rise of Artificial Intelligence (AI) in Cybersecurity:
Threat: AI-powered attacks are becoming more sophisticated, leveraging algorithms to personalize phishing campaigns, automate malware distribution, and exploit vulnerabilities with pinpoint accuracy. Expect deepfakes to become even more convincing, used for impersonation and social engineering.
Tool: AI-powered security solutions are on the rise, automating threat detection, incident response, and anomaly analysis. Machine learning algorithms are learning to predict and prevent attacks before they happen. Make sure to have good endpoint protection, device management, and a ZTNA solution that automatically finds and thwarts as many phishing attacks as possible. Also, at a code and service level, rate limit EVERY endpoint so automated AI attacks, especially those that are effectively fuzzing those service oriented architectures we spent years perfecting.
2. Evolving Ransomware Techniques:
Threat: Ransomware operators are constantly innovating, targeting critical infrastructure, disrupting supply chains, and employing double extortion tactics, threatening data leaks alongside encryption. Ransomware-as-a-service (RaaS) models are making attacks more accessible, leading to a potential rise in attacks on smaller businesses.
Tool: Implementing comprehensive data backups and recovery plans is vital. Zero-trust security models offer granular access control, minimizing potential damage. Security awareness training for employees can help prevent initial infection vectors. Moving to passkeys helps with those phishing attacks that often act as a vector to deliver the agent that does that yucky encryption as well.
3. The Expanding Attack Surface of the Internet of Things (IoT):
Threat: The proliferation of interconnected devices presents a vast attack surface. Insecure IoT devices can be exploited to launch botnet attacks, gain access to networks, and steal sensitive data.
Tool: Implementing robust authentication and authorization protocols for IoT devices is crucial. Network segmentation can isolate compromised devices and limit the spread of infections (although good endpoint security should also help to limit the impact of moving laterally in an environment). Regularly patching and updating firmware is essential as well. Although there aren’t good tools to centralize doing so, and don’t expect any given the lack of API standardization (no, this isn’t what MATTER was built for, btw).
4. The Quantum Computing Conundrum:
Threat: While still in its nascent stages, quantum computing poses a significant long-term threat. Its ability to break current encryption standards could render much of our existing security infrastructure vulnerable.
Tool: Post-quantum cryptography (PQC) algorithms are being developed to address this challenge. Organizations should start exploring and implementing PQC solutions in preparation for the future. Secret Chest takes a different approach to PQC if you want to give our tools a spin!
5. The Blurring Lines Between Physical and Digital Security:
Threat: Convergence of IT and operational technology (OT) systems creates new attack vectors. Cyberattacks can disrupt physical infrastructure, causing widespread damage and endangering lives.
Tool: Implementing converged security solutions that address both IT and OT environments is crucial. Industrial control systems need segmentation and dedicated security measures. Continuous vulnerability assessments and penetration testing are essential. Go look at the system that runs the magnetic locks in an office. Most use chips that were created in the 80s or 90s! It’s frightful. Pretty web front ends mask the fact that they’re running C or C++ based commands under the hood. No shade at those languages, but plenty of shade at the vendors who haven’t updated that in order to get apps out the door quicker. A generational shift is coming here, but probably not in 2024.
6. The Cybersecurity Skills Gap Widens:
Threat: The ever-evolving threat landscape demands a skilled workforce, but the cybersecurity industry faces a significant talent shortage. This lack of expertise leaves organizations vulnerable. Further, budget cuts from 2023 often didn’t cut infosec team members, but did cut adjacent teams or eliminate job recs to expand teams. It’s impossible to apply good actuarial analysis to the cost benefit of actually not getting hacked. The larger threat is probably that none of the companies who get hacked go out of business. Most don’t even suffer much of a business hit, even when it comes to stocks.
Tool: Investing in employee training and education programs is crucial. Upskilling and reskilling existing employees can bridge the gap. Attracting new talent requires competitive compensation packages and fostering a culture of continuous learning. Another tool is to try to be more punitive. For example, all those usernames and passwords that get leaked that were re-used because a company didn’t either use Auth0 or pay for a really darn cheap subscription to a tool like https://haveibeenpwned.com - those companies should be fined or have a punitive action akin to Sarbanes-Oxley. I have yet to see any learn from their mistakes. One that I was sent to actually had social security numbers of employees stored in LDAP (without LDAP ACLs). Anyone with the know-how to crawl through LDAP trees could have 100k+ socials of employees. When I noticed it, I was told that apparently it was too hard to alter other tools that keyed off those (let’s just call this technical debt). If you treat your employees that way, how do you treat your customers? Point is, more budget for good people and to train them is the best tool, but taking punitive action when that doesn’t happen is the real remedy (to use legal jargon).
7. Increasing Reliance on Cybersecurity Insurance:
Threat: The rising cost of data breaches and cyberattacks is driving organizations to seek financial protection through cybersecurity insurance. However, coverage and availability may vary, and reliance on insurance cannot replace robust security practices.
Tool: Cybersecurity insurance can offer valuable financial protection, but it should complement, not replace, a comprehensive security strategy. Organizations should carefully evaluate insurance policies and ensure they align with their specific needs and risk profile. Plenty of insurance providers force at least decent security with their fancy checklists. THat’s at least a little peace of mind.
8. The Supply Chain Compromise:
Threat: Attacks targeting software supply chains are becoming more frequent and sophisticated. Compromised code can introduce vulnerabilities into millions of systems, creating a large-scale attack surface.
Tool: Organizations need to implement secure coding practices and continuous integration/continuous delivery (CI/CD) pipelines with security built-in. Software Bill of Materials (SBOM) management helps track dependencies and identify potential weaknesses.
9. The Rise of Biometric Hacking:
Threat: Advancements in facial recognition, fingerprint scanners, and other biometrics raise concerns about data breaches and unauthorized access. Deepfakes could potentially bypass biometric authentication systems.
Tool: Implementing multi-factor authentication alongside biometrics adds an extra layer of security. Organizations should prioritize data privacy and security for biometric information, adhering to ethical and legal frameworks. The concern here is that we’re keying off a singel biometric scanner for most new advances in authentication.
10. The Decentralized Revolution and its Security Implications:
Threat: The adoption of blockchain, cryptocurrencies, and other decentralized technologies introduces new security challenges. Decentralized autonomous organizations (DAOs) and smart contracts may have vulnerabilities, given that a lot of the real cypherpunks are a generation removed from what’s happening today. Not gonna’ lie to ya’, the loss of a generation of true encryption geniuses in exchange for crypto-bros kinda’ sucks for everyone. Fingers cautiously crossed.
Tool: Understanding the unique security risks of each decentralized technology is crucial. Secure coding practices,vulnerability assessments, and specialized security solutions are needed for blockchain and crypto environments.
11. The Evolving Regulatory Landscape:
Threat: The patchwork of data privacy regulations around the world can be complex and challenging to navigate for global organizations. Non-compliance can lead to significant fines and reputational damage.
Tool: Staying informed about evolving regulations like GDPR, CCPA, and others is essential. Organizations need to implement robust data governance and compliance programs to mitigate risks. To be honest, it’s really, really hard to make sure you stay updated on just the things you can get sued over. Platforms like Vanta or Tugboat can help with various compliance frameworks, but that’s yet another cost - so a lot of organizations use spreadsheets. Spreadsheets suck almost as bad as predicting the future (despite the fact that I’ve really enjoyed getting to know the dude who invented them).
12. The Growing Threat of Insider Attacks:
Threat: Disgruntled employees, negligent insiders, and inadvertent data leaks pose a significant risk. Insider threats can be difficult to detect and prevent.
Tool: Implementing least privilege access controls, data loss prevention (DLP) solutions, and employee monitoring can help mitigate insider threats. Fostering a culture of security awareness and ethical behavior is crucial. OK, so Astyages of Media was overthrown by his vassal state of Persia due to an insider threat named Harpagus, which kickstarted one of the most impactful empires of all time. So really, there’s nothing new to insider threats. But whether they expose NSA secrets, secrets about Ukraine’s military capabilities and planned US responses, Trump’s taxes, or whatever else, there’s a new generation who has a different value system coming up (just as there always has been). They influence older generations as well. Limiting who has access to what and detecting what people are sending out is a requirement. It goes deeper - expect tools to disable features of devices (e.g. the camera on an iPhone) based on geo-fencing. That means access to location data, which has been considered a privacy violation by a lot of companies for years. Yet the meta conversation for a number of threats is the push and pull of privacy versus telemetry on endpoint devices that are pretty much all mixed home and work use all the time
13. The Weaponization of Artificial Intelligence:
Threat: This is different than #1. Malicious actors could weaponize AI for disinformation campaigns, automated cyberattacks, and social engineering. Deepfakes and AI-generated propaganda could have significant social and political implications. It’s more about the rules the AI providers are using.
Tool: Developing ethical guidelines for AI development and deployment is critical. Detecting and mitigating AI-powered threats requires specialized tools and human oversight. Honestly, the genie is out of the bottle - SaaS providers who do this don’t impact environments where people can run their own models to thwart it. The better tool is detection, which means browser updates as that’s where people are going to see this stuff. Disinformation like what we have seen in elections by manual troll farms is nothing compared to what’s on the way if we don’t find new dithering algorithms or whatever to combat it. The Late Bronze Age collapsed due in part to new technologies, implements of war, and disinformation (sure, there was also climate change, but we got that too). No one wants a Greek Dark Age. The threat is as valid in 2024 as it ever will be. The tools to combat it (for those who actually want to) likely won’t be ready by November. So just turn off the Wide World Internets for a hot minute maybe?
14. The Increasing Focus on Secure DevOps:
Threat: Traditional security silos can impede agility and innovation in DevOps environments. Insecure deployments and misconfigurations can create vulnerabilities.
Tool: Integrating security into the DevOps lifecycle is essential. Shift-left security practices and DevSecOps tools can help identify and remediate vulnerabilities early in the development process. Tools to build tools are about productivity of a small number of people, but people with incredibly large potential impacts when considering what they have access to.
15. The Rise of Security Mesh and Zero Trust:
Threat: The traditional perimeter-based security model is becoming increasingly ineffective due to the distributed nature of modern IT environments.
Tool: Security mesh architecture distributes security controls across the entire network, regardless of location or device. Zero-trust principles assume all users and devices are potentially compromised, requiring continuous verification for access. ZTNA is nothing new, but new architectures and moving more and more sensors to help slow down those increasingly fast processors is definitely a thing!
16. The Importance of Threat Intelligence and Threat Hunting:
Threat: Organizations need to proactively hunt for threats instead of simply reacting to them. Sharing threat intelligence across industries can help identify and mitigate emerging threats sooner.
Tool: Investing in threat intelligence platforms and skilled threat hunters allows organizations to anticipate and counter malicious actors more effectively. For example, Jamf has a great team of threat hunters. Use them. That only protects Apple products, but also keep in mind that they’re sharing information with other threat hunters. So if you don’t use Jamf Protect, use something.
There is so much more. Good security fundamentals: treat people well, don’t build more than you can maintain, and know every asset you have and everything it can do. But, by anticipating these trends and implementing the appropriate tools and strategies, organizations can build a more resilient security posture and navigate the increasingly complex information security landscape in 2024. Remember,continuous vigilance, proactive threat hunting, and adaptation are key to staying ahead of the curve and protecting your valuable assets in the digital world. That adaptation word, though, is about resilience. Resilient systems are something else we’ll talk more in depth on soon.
Commentaires