Seceon 2023 Cybersecurity Predictions by Seceon Thought Leadership

Seceon 2023 Cybersecurity Predictions by Seceon Thought Leadership

This is Part II of our first blog of the new year, one in which we tackle 2023’s top cyber challenges and provide the information you need to make you ready.  We’ll share our insights and recommendations so that you can make cybersecurity a part of your healthy business strategy and best prepare for the path ahead. In our opening segment we reviewed the events in 2022 we forecasted in 2022 in terms of their impact and what we learned from them

Now let’s discuss some common themes we see occurring with even more frequency or velocity in 2023 along with how to prepare for these developing trends and some proactive cyber strategies to implement for the coming year.

2023 Seceon Prediction One:  The emergence of cloud-native security solutions to protect cloud-based systems and applications.

In 2022, outsourcing code development led to a 65+% increase in code leaks. Even with “airtight” outsourcing contracts or SLAs, the risk of poor privacy practices, storage and development practices has led to this significant increase. Public repositories are clearly not well protected. GitHub frequently leaks API and Cryptographic keys. According to a study from North Carolina State University, over 100,000 GitHub Repos leaked API or cryptographic keys in 2022. They also found that thousands of new API or cryptographic keys leak via GitHub projects every day.

Lets continue down this API Security path, however. We’ve seen a 300% increase in API traffic and a 600% increase in API attacks. API security is a key component of modern web application security. APIs may have vulnerabilities like broken authentication and authorization, lack of rate limiting, and code injection.

The exposure to insecure APIs has sky-rocketed and only a nary few are paying attention to the expanding exposure.

The first step is to find and catalog every API on our network. Who does this today? Almost no one. Why? Because of the intense pressure of developer convenience, John Kindervag, the Forrester analyst who coined the term “zero-trust”, claims developers have more power than Cybersecurity folks these days, rapid coding and website development, combined with the increasing drive toward federated services all contribute to random APIs popping up everywhere, and entirely without any sort of registration structure acting as the grown up in the room.

Finding and cataloging need to be taken seriously as even one missed API right now, can leave your company open to cyber-attack.

Setting up security and performance automation for every API is the next step. That performance automation accommodates API testing, critical to security readiness. Both functional and non-functional tests are essential as it is not enough to know that the API performs as advertised, but also that it does so in a secure and reliable manner. Failing APIs are common, but what isn’t common is understanding the consequences of the failure. Non-functional testing will do that.

When pen-testing and securing an API, start with behavioral analysis. Here’s where you match reality to documentation – it is a good time to discover what happens to your system as a whole when an API fails. You may also determine whether the build package is buggy and/or vulnerable.

You will want to assure the process service levels are prioritized for the right service levels, rate limiting for transactional APIs, min/max request latency settings, and availability windows. Some of these details are important to identify slow memory leaks or garbage collection issues that might be a long-term threat to the integrity of the server(s) and network.

Authentication issues should come right out of the Zero Trust handbook and determine the levels of trust you assign for the API’s users. Apply the standards required for specific DAAS access and test the limitations before use.

When responding to an API attack, the first rule should be to kill access – an API should never fail in an open state. Whether you caught the attempt yourself or via AI/ML detection, follow your normal recovery process and never shift down just because it’s an API.

By the end of 2023, API security will separate the mediocre CISO, focusing solely on infrastructure from the masterful CISO who addresses actual business threats and ensures survivability.

Creating a system for API security, and reusable interface testing automation that keeps your API inventory up to date will pay off big when those headlines start talking about API security and not just our old nemesis, ransomware.

2023 Seceon Prediction Two: A heightened focus on leveraging Artificial Intelligence (AI) and Machine Learning (ML) to identify and counter sophisticated and stealthy cyberattacks, as well as using AI and ML to generate advanced cyber threats.

Everyone uses AI and ML so why is this an important area to consider? Because breaches at organizations with fully deployed Security Artificial Intelligence and Machine Learned automation spend less than half on a data breach, than those who do not have this automation in place.

Here is a second consideration.  Simply put, the bad guys are using these tools against the interests and capabilities of the good guys. Let’s take a look.

The arrival of the amazing AI-enabled chatbot called ChatGPT last month has been wowing the tech community with their ball caps facing forward, while it is also allowing hackers behind email and text-based phishing attacks (along with malware gangs) to speed up the development of their schemes.

Those who pooh-pooh the under-achieving Open AI chatbot have 1) never spent any time with her, 2) don’t grant slack to a product that has been released in beta during only its second month of field trials with millions of users and 3) ignore the billion + VC investment in the space in the last couple of months even under the shadow of the great conman, Samuel Bankman-Fried’s attempt at billionaire crime.

Here are some early instantiations of high noteworthiness:  

Several serious cybersecurity researchers have been able to get the ChatGPT to write really good phishing emails and malicious code for them in the last 30 days, mirroring what the Malware mafia were getting good at – incorporating plausible humanlike and undetectable tactics into their recent attack portfolio.

Researchers at Check Point Research verified that they got a “plausible phishing email” from ChatGPT after directly asking it to “write a phishing email” that comes from a “fictional web-hosting service.”

Abnormal Security tested ChatGPT to write an email “that has a high likelihood of getting the recipient to click on a link.”

On the question of liability, OpenAI has implemented a few content moderation warnings into the chatbot, ones that researchers are finding easy to side-step and avoid penalties. Remember, this is a beta release 1.0 on the market under intense conditions for 45 days.

For those who do not take ChatGPT seriously, we say this: Organizations are already struggling to fend off the most basic of attacks — including those in which hackers use a stolen or leaked password to log in to accounts – would be hard-pressed to stave off costly breaches using simple AI capabilities.

2023 Seceon Prediction Three: The Role of the CISO is Harder and More Dangerous Than Ever Before

Four years ago, the threat landscape was such that a CISO could get the job of asset protection done by twisting a few knobs and turning some dials. It could have been argued at that time that CISOs should report to the CEO, not because the job was so integral with the rest of a company’s functions, but because there could be clear and direct communication between the one person able to assess the technical threat and operational risk, and the one person responsible for the business outcome.

Today, I argue that the CISO should still report to the CEO, but for entirely different reasons. In just four years, the threat landscape has evolved into impossible complexity with amazingly smart adversaries launching continual attacks with new and hideously polymorphic vectors with multiple business units pushing digital transformation programs regardless of the cost of security and protection.

Today, the job of asset protection and threat defense is not only integral to the company’s business functions, but most of those functions could not exist without it.

No one at the C-suite or Board level understands this however, because even today, very few senior executives take the time to understand the issues, risks and vulnerabilities around Cybersecurity and most CISO’s and CIO’s do not explain them well and in business terms. To make matters worse, very few if any understand the actual liabilities and fiduciary care requirements of their role.

If you did a random poll, I think most would say today’s threats are very sophisticated and therefore difficult to prevent. The truth is that the bulk of today’s attacks cannot be categorized as sophisticated at all. The reason we are attacked so successfully and so often is we continue to maintain poor hygiene which leads to unpatched known vulnerabilities, misconfigured containers, unsecured DNS and APIs exposed to the Internet. In addition, our development rigor is sloppy. We build code without knowledge of the transitive dependencies inherent in the open-source libraries, APIs, and software we incorporate into our agile pushes.

Today, we don’t design code with security at the beginning. We often don’t design code with security at all. But, it seems the Board and C-suite want to believe that we are attacked because we are being outsmarted by our adversaries. While we are occasionally, sophisticated attacks are rare.

Until the CISO role is perceived as peer, the rest of the C-suite will continue to think of security folks as the deranged department of no and continue to ignore them.

2023 Seceon Prediction Four Cybersecurity professionals will see an increased emphasis on active, real-time security monitoring and analytics.

If you are a business with a traditional insurance carrier, there is a fair chance you’re not getting renewed. You’ll need to understand your ‘residual’ risk since you may not be able to get cyber insurance. And the price is certainly going up, on average by up to 20% what you paid previously, if your program is proven to be in order and working well.

Recent research reports that hundreds of millions of attempted cyberattacks that occurred every day throughout 2022 show that malware increased by 358% overall as compared with 2021 with no end to the rise in sight.

76% of IT Professionals believe a successful attack against their firm is imminent, deepening pessimism, precipitated by steep rises in remote work, BYOD, 3rd party risk, insider error, and stepping into the cloud without knowing how to defend it. Cyber insurers have taken notice and are placing demands on the industry to have continuous security monitoring and the ability to mitigate or remediate threats, every minute, every day.

It is no longer acceptable to have nearly 80% of senior IT leaders believing their organizations lack sufficient protection against cyberattacks as they did in 2021.  With cyber incidents on the rise, here’s what to expect and what you can do to best position your organization when shopping for cyber policies.

  • Do you have a mitigation and remediation cyber capability for these top 10 Risks?
    • Vendor Risk Management
    • Access Control
    • System Security Plan
    • Contingency Planning
    • Employee Mitigation
    • Data Classification
    • Logging and Monitoring
    • Incident Response Planning
    • Configuration Management
    • Cybersecurity Governance
  • Do you have the right technologies in your top actions list such as multi-factor authentication (MFA), encryption, vulnerability management and security event management?
  • Have you developed a skilled Security Operations function?
  • Have you focused on emerging and special challenges like IoT?

Key points about incidents we’ve handled in 2022 – it isn’t just ransomware (but as we pointed out at the top, that’s the headline) – but how do we fall victim? We hear a lot about the end result but, unfortunately, our experience is we are hearing less about why it happened – and this is the critical point. What do you need to do to not fall victim?

Interesting point: phishing has trended down (from around 50%) to 30% – it’s becoming easier to exploit vulnerabilities now, than it was in the past. What does this tell us?

First thing is to not get tunnel vision – you still need a comprehensive cybersecurity program (many orgs focus on just phishing!)

Vulnerability Management is still a huge problem, as are weak passwords, poor security controls, and employee training, and mobile device security. Having an Incident Response capability is a must-have but so are pre-determined policies and procedures to accelerate recovery from ransomware and other attacks along with a set of playbooks to mitigate or remediate (these two terms are not the same, mitigate buys you time, remediate stops the aberrant action).

Other “smart” actions:

  • Invest in modern malware detection and cyberthreat hunting
  • Have analytics than can determine whether any data was compromised or leaked
  • Seek out automation and autonomous response capabilities to work more cohesively and comprehensively with fewer resources.
  • Visibility is key. Log as much as you can, and have data visualization tools to mine key metrics and gain context.
  • Insurers in some high-risk sectors are reducing their exposure by reducing coverage limits or reducing coverages, and placing lower limits on ransomware payouts. Some of the industries where insurers have reduced their exposures include health care and education.
  • Some insurers have been reducing their cyber risk exposure by adding more restrictive policy terms and including additional exclusions to their cyber and non-cyber policies.

Every company will face cyber risk in 2023, no matter its size. The more diverse you are, the more areas of vulnerability you have so the ramifications are serious. You must take a digital asset approach to cybersecurity in our digitalized world.  Seceon is here to help.

As we welcome you to 2023 we want to be sure to thank everyone that is working hard to make cybersecurity effective and valuable, something that is respected. This is hard work and we certainly never expect anyone to do it alone.  Cybersecurity is about people as much as it is about business, and we value each and every one of you. We’re looking forward to working with many of you during 2023 and doing our very best to ensure we’re all prepared and protected from all that is and what is to come.