December 7 2019: Akamai has just released its State of the Internet / Security: 2019 — A Year in Review, It reviews: what we learned in 2019, including:
- New vulnerabilities, attack vectors, and evasion techniques
- The criminal ecosystems behind phishing, credential stuffing, and other attacks
- Surprising hacks of EMV-enabled payment cards
- The security implications of the huge rise in Internet API traffic
- The effect mental health and cognitive bias can have on business and security decisions.
The report also makes predictions for the year ahead which are summarised below:
Futurists and science fiction writers make predictions about the future. Gene Roddenberry and his creation Star Trek have become staples of the collective consciousness and have either predicted or led to the creation of many of the gadgets we use daily, such as cell phones and Bluetooth headphones. But we’re security professionals, not futurists, and we have never been able to make predictions a year in advance with any accuracy.
What we can do is look at the data we have today and extrapolate trends from that. You might wonder how that differs from a prediction, to which the answer is, primarily, perspective. Both extrapolation and prediction are attempts to find emergent trends, but prediction has a more sensational bias.
When someone is asked for a prediction, there’s an assumed need for the response to be new and different from what others have pointed to; extrapolation is based more on real-world trends. Yes, it’s splitting hairs and pedantic, but that level of specificity is what we should be expecting from researchers and editors.
So, what can we extrapolate from the trends of 2019? First, credential abuse, phishing, and exploitation of vulnerabilities in popular systems will continue to grow. This is an easy call to make, but the difference is that we’re seeing professional weaponization of these attacks. If anything, we’re going to see more weaponization and more diversity in attacks.
A decade ago, vulnerabilities were usually found by a criminal, then incorporated into attacks. Five years ago, it became much more common to see professional teams of criminals who discovered and developed attack software. The trend now is an overlap between criminal developers and the advanced persistent threat (APT), or nation-state actors, to create a steady stream of zero-day tools targeting specific organizations and individuals.
This is not merely speculation. In early October, the NSA went to the extreme of issuing a warning that known nation-state actors were targeting vulnerable VPN platforms. There are multiple other communication channels from which such advisories would normally come, so this shows that the NSA views this as a clear and present danger.
We’re moving away from an era when the security advisors in a company were viewed as alarmists, to one where even we are sometimes caught off guard by the severity and impact of attacks. Esoteric topics about security that used to be the realm of specialists and technologists are now part of the daily news cycle and collective consciousness. Many of the predictions from a decade ago are now becoming real, even if the threats look nothing like what most of us expected.
One prediction we can make is that 2020 will be interesting.