Episode 48| The Year in Cyber: 2020
2020 has been a year no one predicted. COVID-19 has made remote work the norm and shook up the attack landscape, with attackers jumping on new opportunities for social engineering. Through it all, breaches and ransomware attacks continued to plague organizations. In episode 48 of Cyber Security Sauna, we’re looking back at some of the trends that defined the cyber world in 2020 with F-Secure’s Tom Van de Wiele and Nick Jones. Also in this episode: The supply chain attack on SolarWinds; update on the cyber skills shortage; 2020’s effect on VPN, Zero Trust, and cloud; the 2020 elections and more.
Listen, or read on for the transcript. And don’t forget to subscribe, rate and review!
So let’s start right off with the bombshell report of the SolarWinds supply chain attack, which will continue to be a major cyber story in 2021 and beyond. Now that the story’s been out for a couple of weeks, what are your thoughts, Nick?
Nick: The SolarWinds breach is an interesting one from my perspective, not least of which is because obviously it’s one of the most comprehensive and high-profile cyber-focused intelligence breaches, I think, that we’ve ever seen.
But the really interesting thing for me was actually what got the attackers caught. In that instead of it being some crazy, high-end super duper machine learning detection technology, the information we have now shows that FireEye actually caught it as a result of a user having a new two-factor authentication device added to their account, which triggered an alert that the FireEye security operations center reviewed and looked into and realized it looked a bit fishy and did some more digging.
And as a result of what is essentially sort of security hygiene checks, a new two-factor authentication device being registered and someone looking into that, we unraveled an enormous nation state attack targeting multiple US government agencies. And what that really hammers home for me is that getting your security hygiene right, getting the basics done properly, is actually an effective defense even against those really high-end threat actors that everyone likes to talk about.
That’s very interesting, because that’s what security researchers such as yourself have been saying for years. And now we have something to show to back our words up.
Nick: Yeah, absolutely. Which to me is great. It’s vindicated, as you say, what we’ve been saying for ages. I just hope that we can take that knowledge and look at some of the other lessons learned as part of this, especially when it comes to supply chain security, and see what we can do to improve the situation.
I mean, supply chain security as a whole is an incredibly complex and challenging area to get our heads around. In many respects I think what happened to SolarWinds, the way they were breached and the way that was leveraged to get into other organizations, would be very, very difficult for most organizations to spot. And their deploying a validated and cryptographically signed security update from a provider, a vendor that they work with, there’s very little that you can do as an organization to spot that it’s been tampered with once it enters your network. Because that’s happened before it reaches you.
And the current ways of doing supply chain security, where we do audits, paper-based trails and try and legally enforce things, are never going to catch that. So I think we’re going to see a rise in people trying to do better technical due diligence on their supply chain and on the vendors they work with, and then we’ve seen historically as well.
How do you mean that?
Nick: So in the sense that instead of – right now often, we’ll see third party supply chain vendor audits look like someone going in with some paperwork and some due diligence, and saying “Okay, do you run antivirus on all your systems? Do you have regular penetration tests?” And the vendor will say “Yes, yes, we do all of these things.” And boxes get ticked, and things are written into contract to say “You shall carry on doing all of these things,” and that’s about as far as it goes.
Whereas actually for higher risk vendors, especially something like SolarWinds, where actually what we’re seeing is a product that’s going to deploy and configure large parts of a network, very high privileges, very large reach into an organization’s internal assets, what we’ll see is for targets like that, for vendors that an organization works with with that level of access, I think we’ll start seeing them enforcing more technical security controls around what they’re bringing in.
So things, like, “Okay, you’ve got a penetration test, or you say you’ve got a penetration test done. Show us the reports for that. Let’s have a look. Let’s see what security controls you’re building into your development processes. Let’s see what your internal security management processes and systems actually look like.”
Essentially, show us your cards, so that we can get a better feel and a better understanding, and if you don’t have the processes in place for that, then that’s likely to negatively impact on your ability to do work with some organizations.
Or it may well be in some cases where large enterprises are buying from smaller vendors, they’re actually providing support to those vendors to bring them up to scratch to ensure that they can use those products safely.
Sounds like the purchasing processes of organizations need to become even more diligent than they are right now.
Nick: Yeah, absolutely. I think that’s definitely a key part of it. And I think what we’ll see is people realizing that they can’t apply the same one-size-fits-all vendor procurement process, that we’ll start seeing differentiation depending on what’s being purchased and procured for what purposes, and that there’ll be sort of a high risk bucket where a high level of technical due diligence is insisted on above and beyond the usual legal- and audit-based due diligence.
Whereas for lesser risk products that maybe don’t have as much reach into an organization or are only used by a small part of it, perhaps that level of due diligence won’t be necessary. And that triage system of enforcing high due diligence on critical assets or critical vendors and less so on others will mean that it’s much easier, I think, for organizations to manage their budgets effectively when doing that.
All right, that makes sense. If you want to hear more about supply chain attacks, I think we did an episode in August 2019, episode 28, called “When the Well is Poisoned” about supply chain attacks, so check that out. So let’s talk breaches. What else did we see in breaches in 2020?
Tom: A couple come to mind. We’ve had a few major organizations and companies getting compromised through all kinds of different attack vectors, either customer databases for all things IOT, but also more direct attacks to subscriber-based services like Netflix, Disney+, where the same techniques are being used.
And of course, where the real root cause is that people are still very bad at remembering passwords, they reuse their passwords, which means if you use the same password or only change it a little, someone is going to find a leaked breached database somewhere, is going to try and get into your life and he’s going to try and guess your password and with that maybe sell off the access.
What about you, Nick, anything that comes to mind?
Nick: I think for me, the most interesting one, really, was the Twitter breach back earlier this year, where we had essentially a social engineering attack against Twitter, which led to what we think might well have been a 17, 18-year-old young gentlemen over in the U.S. having access to a bunch of the internal Twitter maintenance and customer support systems. And he was able to use that to gain access to a number of verified accounts to then tweet out Bitcoin addresses for you to send money to from people like Elon Musk.
Which obviously is quite an interesting one, especially now that President Trump and a number of other people are doing their geopolitics over Twitter. In many respects I think we were lucky that it was just a teenager with some Bitcoin that he wants to make. I think actually that was a close shave, really, and I’m sure Twitter have been looking internally at what they can do about that. Of note in particular is they’ve hired in Mudge as he’s known, Peiter Zatko, as their new Chief Information Security Officer, who I’m sure will do great things given what we’ve seen him do so far.
Yeah, he’s an old school hacker, isn’t he?
Nick: Yeah, absolutely. It goes right back to some of the early ’90s hacking scenes. And we’ve seen him at DARPA and at Google and at a number of other places since then. He’s done some really great stuff.
Well, one of the new things that I did see in 2020 was in ransomware. Before, you would just lock up the target organization’s computers, but the habit of stealing the information and threatening to expose that information, I think that was something that sort of really blew up in 2020.
Tom: That’s true. And I’m sure, I mean, we know of course of incidents that we’ve handled ourselves, and we know from colleagues and people in the business that these things happen. But you’re absolutely right, we’ve never seen it in a way that we’ve seen in Finland with the healthcare provider, where it was not just the healthcare provider itself that got asked for ransom, it was individuals that were targeted to pay the ransom on the somewhat loose promise of not publicizing the information, and that goes pretty deep.
Yeah. So is that what stands out to you, Tom, in this year in ransomware? Where do you think we’re going next?
Tom: Well, unfortunately we’re going to see more of the same. I mean, we also didn’t talk about that one case in Germany which was also ransomware-based where ransomware was able to get into a medical facility or a hospital where it led, either directly or indirectly, to the death of a patient.
So yeah, there’s no more ethics involved here, there’s no more honor among thieves, even if it was accidental. There’s no safeguards in these ransomware attacks. The only thing that people want that launch these attacks is money, and apparently, what we’ve seen this year is that they will go over bodies for that, either willingly or unwillingly.
Let’s not forget last year we also had Norsk Hydro, critical infrastructure, responsible for power generation. We’ve heard stories from other parts of the world also dealing with critical infrastructure, housing, energy. So there seems to be no more limitation to these attacks, these attackers really just want to disrupt.
And unfortunately we’re probably going to see more of it next year and in the coming years, where other people have predicted that ransomware will make its way to the cloud. We’ll see if that’s going to happen or how many fail-safes you would have to bypass or breach. But it’s certainly one of the possibilities, and as said unfortunately this is only going to get worse before it gets better.
Well, let’s talk about the companies that have already fallen victim to ransomware. Are they now in a better, more resilient position in terms of this threat, or are they just as vulnerable as before?
Nick: I that’s an interesting one. From my perspective, a lot of organizations have woken up to the threat, to some degree or another. I think we’ve especially seen industries that have been hit hard or have had a few of their flagship companies get hit. I think there’s been an overall trend upwards in improving their resilience against it, purely because no one wants to be the next organization that gets wiped out by it.
For instance, following on from the attacks a few years back, we saw a few of the big pharmaceuticals get hit by WannaCry and NotPetya, et cetera. And my experience in that sector has been since then that a lot of them have started paying significantly more attention to basic cyber hygiene as a result of seeing their competitors get hit hard, and not wanting to be explaining that to their board and their shareholders should it happen to them.
Tom: That and for other companies, I mean, there are still companies that still have not seen the light or still don’t understand that they too can become a target. Because the moment that you rely or depend on computers, you are a target. It doesn’t matter if you have one computer or 10,000. And yeah, for some companies we’re seeing changes, for other companies we’re seeing it in the same way that fitness advice is being given to people. Everyone knows what they’re supposed to do but we’ll start tomorrow.
Yeah, absolutely. All right. Well, moving on from ransomware, another trend I’ve been keeping my eye on is the cybersecurity skills gap in the industry. An F-Secure survey this year found that more companies nowadays have cybersecurity-related personnel on staff than previously. What’s your own experience on the ground? Has the situation improved this year? Are the companies starting to find it easier to hire the talent they need or is the situation unchanged?
Nick: I think from my side, there’s a bit of a perception in the industry that there is a huge skills shortage. I think actually the industry in many respects does this to itself, in that we are terrible as an industry at hiring in young eager professionals and promoting them up through the ranks. Businesses want experienced people, and they are less willing to take the chance on less experienced people. And you often see it with job adverts demanding years of experience, certifications, all these kinds of things, for roles that may or may not necessarily need them.
And as a result it becomes a catch-22 for people trying to get into the industry, of where do I get my start if everyone wants experience? And the end result of that is we’ve ended up creating our own skills shortage, I think, by not being willing to hire in juniors at the level we need to in order to maintain our growth as an industry and keep generating more people.
Now, there are a few obvious solutions to that, one of which is get better at bringing in more junior people. But I think the overarching problem that we’re seeing, in terms of skills gaps and there not being enough of the right kinds of people in the right kinds of places where business needs them, is something that we continue to see through this year. I think it’s something we’ll continue to see for a number of years, because even as we start fixing the recruitment problems at the lower end, it’s going to take a few years for those to filter up into the more experienced positions that businesses are clamoring to fill.
But is that change happening? Do you think companies are wising up to this and realizing that they need to sort of maybe look at the requirements for jobs, and does this actually require seven years of experience?
Nick: In my experience, I think it’s not improved massively. I think there’s a number of organizations in the industry who are doing their best to start remediating that across the industry by offering training programs to rapidly build up some of this experience, or by training people up, getting them certified in various things as a booster into the industry, and things like that. But I think on the whole we see a lot of organizations, especially the medium-sized enterprise market, I think, is still slow to catch in on that. But perhaps, Tom, you might have different experiences.
Tom: No, I have the same experience. I mean, as we talked about before in this podcast, we’ve talked about the universities and in general the education system that is a little bit behind as far as what the real requirements are of the information security market out there. And we’re also seeing lots of companies, if they don’t know which person has the right experience or enough years of experience, or rather, a collection of meaningful engagements or projects within in that time, what companies then do is they flock back to the certification requirement. And as we know that’s not a complete solution either. I mean, it can definitely carry someone within the business or get them introduced to the business, but all the rest needs to come from experience.
And as Nick mentioned, this chicken and egg problem, of having to need experience for a job but not being able to get the job because of lack of experience, is also the reason why lots of governmental entities but also private companies are setting up their own academies where they try to train people in what it is that they need to be able to fulfill a particular task. Usually, those tasks are very selective in that they focus on maybe becoming a mobile security expert or red-teaming or reverse-engineering. And then hopefully those people will grow out to be more general and generic information security professionals.
But right now, we’re seeing that people enter the market highly specialized, and then try to broaden their knowledge, whereas, at least 10 to 20 years ago, people were interested in security because it was kind of an added thing to your day job of networking, system administration, programming. Let’s hope that we see lots more people flocking towards information security and that they’re not scared away by the current situation.
Yeah. We often talked about how you never know what kind of skills or backgrounds might be useful in information security, and that we’d like to see a more diverse workforce. Now, if a majority of people entering this area are coming directly from schools and universities, are we missing out on the system administrators of ten years work experience moving over to infosec? Are we missing out on some crucial not infosec-related skills, but skills that are helpful in this field, anyway?
Nick: I think in my experience one of the most challenging things that people find is not necessarily building the technical skills. Obviously there are a lot of technical skills required depending on which part of cyber security you end up in. But the thing that most businesses seem to lack more are people who understand enough of the technical stuff to get buy in to do their jobs, but who have a solid understanding of the business and how the pieces fit together and how at the end of the day cybersecurity needs to work within the business and support the business, not act as a gatekeeper that decides what can or cannot happen. And the business needs to move and do whatever the business needs to do, it’s on cybersecurity to make sure that that’s done in as safe a manner as possible, in a way that balances the risks and investments needed to mitigate them.
And at the end of the day, the real skill in cybersecurity is learning how to balance that and learning how to support the business, as opposed to just come in and find all the bugs or scream about how nothing’s patched. There’s another layer on top of that of business understanding that I think people often struggle to grasp. And actually that’s why I often enjoy working with members of the industry who’ve previously been systems administrators or developers, because they often bring the operational side of the business, that knowledge with them into their infosec roles, and that has an awful lot of benefits, I think.
All right. Well, one of the big things affecting companies and requiring the support of information security professionals this year has been the transition to remote work. How has that gone? From your point of view, are you seeing companies have a pretty good handle on things, or has it been chaos all around?
Tom: Well, we’ve seen some chaos, at least, where companies aren’t exactly used to having their entire company work remotely. And not just from a social and organizational standpoint, but also just mere technically. People were not counting on having the entire user base coming through their remote access infrastructure VPN, or what have you. Also, on top of that, there’s usually applications that, as part of an internal evaluation of the company, were originally off-limits to be accessed over remote access methods. And now, at least in our experience, we’re seeing lots of security work that is aimed at making these things available anyway over a remote access solution and to identify what risk might be there and how to mitigate it. So it is certainly posing a range of interesting problems and challenges to companies on all fronts.
Nick: And I think from my side, we’ve seen a few interesting things there in the cloud space, I mean, I specialize in cloud so obviously I’m going to focus here. But we’ve seen the pandemic and that remote work situation rapidly accelerate a lot of people’s move into the cloud, and rapidly enough that, in fact, Azure ran out of capacity early on in the pandemic in a couple of key regions. Which was rather embarrassing for them and overall actually did the cloud industry some damage, I think, as a lot of people took the message away that there may be times where the cloud provider does run out capacity, and that’s going to hurt you as a business.
But actually, if we look at the other providers, certainly Google didn’t run into any problems. Neither did AWS. AWS scaled out just fine, and they’ve been the real winners in the IT world in the pandemic, I think. Both the public cloud providers that offer infrastructure, like AWS, Azure, Google Cloud, but also the big remote work software as a service platforms like Office 365, Slack, who we’ve seen bought by Salesforce for $27 billion, I think it was. We’re seeing an awful lot of the remote work organizations doing very, very well, and quite a few new startups and things offering more targeted products into this space based on the experiences that the pandemic has brought to the business world.
All right. How has the COVID situation affected breach detection and response? I’m thinking a lot of security teams have been so distracted by this abnormal activity, the increase in spam and just the security work of maintaining an entirely remote workforce. That’s got to have an effect on their ability to detect abnormalities and threats.
Nick: I think from my side, I can only really speak to the large enterprise market there, as that’s who I work with usually from an attack detection standpoint. And I think many of those organizations have adapted fairly well, really, all in all. A lot of the abnormalities that we’re talking about aren’t necessarily that abnormal from a detection perspective. You’ve essentially switched from people being mostly on site and on their corporate networks to coming in through the VPN onto their corporate networks in those kinds of organizations.
So the exact traffic locations and things might change, but in terms of the usage patterns, the same kind of behavioral and anomaly analytics that people were doing before in terms of who’s accessing what, who’s trying to do what within the network that they shouldn’t be, have largely carried on applying as they did before in those kinds of organizations.
I think the point where we’ll see a big impact is on much smaller organizations where their security team also doubles as their IT team and everything else. Where in that situation, their time that they may typically have been able to dedicate towards maintaining security previously will have been entirely absorbed by scaling out their remote access infrastructure to maintain the business in the face of the pandemic, and making sure that everyone’s got enough laptops so they can work from home and all of these kinds of things. I think that’s where organizations will have been really affected, it’ll be at the small to medium enterprise end of things.
Tom: From an attack simulation and red-teaming perspective, we are getting more questions from companies that are asking what their real risk picture is like, now that there’s almost no one at the office. Does that increase the actual chances of break-in, physical break-in, or theft? Will it increase their chances when people are sitting in the park having their laptop with them, or sitting in the coffee bar, or people talking about very interesting things that are very sensitive to the company? People are sitting at home now, people are sitting in bars and coffee shops.
So we have requests from organizations private and public, that they’re asking for advice as far as we need to be able to work, we need to handle this, but this is a new world, what should we know?
All right. So while everybody has been moving to work from home and work remotely, we’ve seen obviously an explosion of VPN usage. But we’ve also seen vulnerabilities in VPN technologies. Now, is there this Zero Trust approach beginning to replace VPNs? Are we seeing any of that yet, or is it just going to be VPNs from here on out?
Nick: Zero Trust is an interesting one, and it’s something I’ve been following quite closely for a while because a lot of it is being driven by a lot of these new cloud technologies. And fundamentally what it boils down to is the idea that you have your applications, you have your systems exposed to the internet. They are positioned there for anyone to communicate with. And your security controls become your identity, who you are, rather than the network location in which you sit, i.e., you’re inside the VPN, now you can access these applications.
Now, that as an idea works great if you are Google or Netflix or another organization with extreme engineering capability and very, very capable systems administrators, developers, all the rest of it, who are building systems that are designed to work in that way and who don’t have 30, 40 years worth of legacy equipment to content with.
The biggest problem with Zero Trust is mostly that the systems that people want to expose in a Zero Trust fashion, are often their line of business applications, which may not have been maintained for the last 20 years or they’re out of support, and they’re being very carefully looked after and nurtured by system admins somewhere, and the idea of exposing those to the internet rightfully scares a lot of people.
So I think we’re going to see a lot of VPN usage going forward. I think a lot of people want to do Zero Trust but understand they’re not yet in a position to do so, but are perhaps making some moves towards it. I think we’re also seeing some organizations start developing tools to support that in a way that works with legacy applications.
So one interesting release this year was from HashiCorp, who maintain Terraform and Vault and a number of other big cloud DevOps enterprise products. And the point of Boundary is essentially to act as a front gateway on your Zero Trust model. So rather than having a heavyweight VPN connection straight into the network, what it allows you to do is authenticate, and then it will open individual tunnels, essentially, through to the applications that you are supposed to speak to. So instead of joining you into the corporate network, it creates limited connections into the things you’re supposed to speak to. Which is quite an interesting model and not one that I’ve seen done elsewhere before, but it’s quite a nice adaptor that allows you to put that in front of some legacy applications, not rely on exposing them completely to the internet, but still have that sort of Zero Trust approach where we don’t need heavyweight VPNs to get to all our corporate systems. I’m keeping quite a close eye on that, it’ll be interesting to see when that starts getting adopted.
Well, that’s good news at least, so something positive out of this year. Are there any other notable security success stories in 2020 that people can feel good about…other than Zoom hiring Alex Stamos?
Nick: Yeah, I’m gonna have to do a little bit of Googling to pull some stuff out.
Tom: So that means no, basically, because nothing comes to mind.
(Laughter)
Nick: The one success that really strikes me this year, I think, and that teams involved should be really proud of, is that in spite of all the fear-mongering, there’s been no credible evidence to suggest that the U.S. elections were in any way influenced by cyber attacks. And I think that really speaks well to the efforts put in by the U.S. Cybersecurity Infrastructure Security Agency, along with their partners at the FBI and every other agency that was part of that multi-agency coalition. They’ve got a lot of systems there that we know are vulnerable. You see people taking election machines to DEFCON villages every year and people find all kinds of vulnerabilities, but in spite of all of that there’s been no credible evidence that any of that was exploited to in any way influence the democratic process. I think that’s definitely one big success in my mind.
Tom: Also what we’ve seen is when these larger attack campaigns are being launched towards the internet, what was interesting in this year is that we saw United States cyber command take the wind out of a fairly large attack being launched against a very big user base of computers and companies and be able to disrupt it to an extent that it was pretty much rendered, I’m not going to say without impact, but certainly not the impact that the attackers intended. And that’s certainly good news, that…Call it management of the internet, that there is influence possible and that early warning signals do work to be able to, as said, take the wind out of these kinds of attacks to limit their impact. That was certainly positive for 2020 as well.
Is there an area of cybersecurity you think that is unrepresented right now in companies threat model, something that they should be paying more attention to but they’re not for whatever reason?
Nick: In my case I have to say the usual thing that springs to mind is shadow IT, especially now that we’re all moving into the cloud rapidly because of COVID. A lot of people are buying software-as-a-service packages and not all of that purchasing is going through the proper channels. A lot of the time teams will be just expediently buying whatever they need to make sure that the job keeps on going as it should. And that has negative impacts because if we don’t know that we’re using a service, we don’t know we’ve bought something, then it’s very hard for the security team to keep track of that.
Also, one of the things that I’ve experienced in general with software-as-a-service providers is that not all of them are particularly good at offering a sensible set of security controls as part of their offerings. If you look at Office 365, for instance, there’s a lot of effort that Microsoft have put into making sure you’ve got multi-factor authentication that you can use with people, you can set access requirements on what devices can connect in, all of these kinds of things.
But I’ve spoken to other software-as-a-service providers where you say, Okay, how do I do multi-factor authentication? “Well, we’ve not implemented that yet.” Okay, can I connect this to my single sign-on platform that we use to control access to all of our other applications to make sure that our joiners and leavers process correctly revokes access, all of these kinds of things? “Oh, no, actually you’ve got to manage your users through our own user management portal.” And a lot of these miss a lot of the enterprise management features that organizations require to maintain a good security posture, or at least to maintain it without significantly more effort, and so I think that’s something that’s perhaps being missed in some organizations in and amongst the COVID-driven shifts in IT infrastructure procurement.
Tom: I would say that because we’re now accessing things from different locations, at least for some of the companies that are dealing with data that’s very sensitive, some of the threat modeling will have to be redone. That means that we are kind of overloading certain security controls when it comes to trying to protect the data that we’re trying to access and to use on a day-to-day basis.
Just to give a few examples, if a laptop gets gets stolen and your statement is, “But it has encryption.” Sure, but there’s ways of bypassing that. So what else do you have? Like Nick mentioned two-factor authentication, everyone uses SMS passcodes or other means of two-factor authentication. But that’s really effective against password stuffing or password reuse, but it’s not going to do much against a targeted phishing attack. Because if I know where the real services are that you need to log on to, and I present you a login screen that also asks for your SMS passcode, either interactively or not, I can simulate the same attack.
So we need to really look at how do these things function? What do we depend on to authenticate ourselves? Because we can no longer do it based on our location. And what else do we need to invest in, and what else do we need to check for, to make sure that we have all our ducks in a row in protecting the services from a distance in the way that we’re using it right now?
Would that be… If I were to ask you guys both, and I am, ask you for one piece of advice for companies going into 2021, what would that advice be?
Nick: I think from my side, the sexy parts of cyber security aren’t usually the things that result in people getting breaches. You’ve got to get the basics right, you’ve got to have proper asset tracking to make sure you know what’s on your network and how it’s connected in. Maintain a decent asset map in terms of what’s supposed to talk to what, how your network’s laid out. Get antivirus on your endpoints, have some basic security monitoring in place, patch all your systems, all of these kinds of things. Which aren’t interesting, they’re not sexy, they’re all pretty boring. But people usually get owned by that, people don’t get owned by zero days in crazy applications on their perimeter. So focus on the basics, get those right. And multi-factor authentication for everything. So I guess that’s two recommendations: MFA for everything, and get the basics right.
So your message is you know what you need to be doing, now go do it.
Nick: Pretty much, yeah. I don’t think anything that I would recommend is going to be a surprise to any business with a security function. It’s just the case for most of them that the investment hasn’t been there to make it happen.
Right, right.
Tom: My recommendation would be kind of in the same category in that just determining what your attack surface is. Because companies are making major changes, they are going to the cloud. That means more attack surface. And that could be fine, but you need to know what it is, or else you have no hope in trying to protect yourself and having to invest in whatever security controls you need to protect that new infrastructure, or whatever it is that you newly exposed. So knowing what you have, and then acting accordingly and trying to protect it, and of course detect the attacks that that might come, I think that’s probably my main recommendation, because all the rest flows from there.
Sure, sure. Now, I know we’ve been recapping what happened in 2020, but do you guys think I could coax you to provide a prediction for 2021, something you guys would like to go on record as saying, “This is something we’re going to see in the next year?”
Nick: Well, I think one of the easiest is more breaches in the cloud, because the cloud is growing and people are doing silly things with it so we’re going to see some more breaches there, I’d expect. My prediction for the next few years in that space is that we’ll start seeing the sophistication of the attacks increase, people start getting used to turning off the public feature on their S3 buckets.
(Laughing) I was just going to say that.
Nick: Yeah, if people get around to turning off the stupid stuff that’s getting them owned in the cloud at the moment, which means attackers will be forced into being smarter about it. And one of the biggest things that we are lacking in the cloud space right now is decent threat intelligence, probably partly because people aren’t looking for attacks in the cloud, and partly because attackers aren’t doing anything clever. I expect that’ll change over the next few years and we’ll see some of that start in 2021.
Tom: If there was one thing to make a prediction on, it would be that we’re going to see a continued arms race with the makers of ransomware in making ransomware more advanced and trying to hide its real intentions before it is too late, again because the business model of ransomware is and will remain very profitable knowing that attackers can be almost completely anonymous. We’re going to see a continued rat race in this, I think, and unfortunately that’s not going to change anytime soon.
All right. Well, with that I want to thank you guys for being with us today and looking back on this year with us. Thanks, guys.
Tom: Thanks.
Nick: Thanks for having us.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.
Categories