Recently an article came out describing several cybersecurity trends which are hot and a few that are going cold. I read through the list and made a quick comment in LinkedIn that I was not entirely in agreement with the assessment. I figured that would be the end of it, but a colleague asked if I would elaborate.
Well, I type a lot and the normal response fields just don’t like when I blither on. So, here is an informal, poorly formatted, off-the-cuff, and less-than-thorough response for that request. Forgive me.
Before I dive in, I want to bring up two important points. First, I want to recognize Josh Fruhlinger for coming up with the original list and publishing it to the world. It is daunting to cybersecurity professionals to predict value and future trends. That is why most simply don’t do it. So, it takes a brave soul to put themselves out on social media for everyone to criticize and for history to judge. Credit goes to Josh for his bravery! Secondly, these discussions are rare but hugely valuable to stir discussion, debate, research, and collaboration. We, as the cybersecurity community, should spend more time communicating and working together on exactly these topics. So, if you are reading this add your comments below! We are stronger together.
That said, here is how I rated Josh’s original list:
1. Credential stuffing – Agree, Hot. But, this has been predicted for some time and can be easily mitigated. (see MFA/2FA and Social Engineering below)
2. Collaboration App – Agree, Hot. Nothing new as it has been a problem for some time and solutions exist to mitigate risks in established solutions. The problem is mostly with new services.
3. Ransomware – Disagree, HOT. Bifurcation is occurring within the threat community, with top teams conducting targeted attacks against organizations for big payoffs while low-end criminals still targeting everyday users (ex. ransomware-as-a-service). Additionally, crypto-mining is emerging as a growing off-shoot that guarantees financial returns versus the spotty returns of ransomware payments.
4. Banking trojans – Agree, Hot – Banking trojans continue target both banking institutions as well as their customers. It is where the money is (although the infamous Willie Sutton didn’t actually say that himself, but it was attributed to him by a reporter. It is true all the same!)
5. IoT – Agree, Hot – given the sheer number of IoT devices and the ease in which they are compromised, this is a problem as predicted and will continue to grow with adoption and empowerment of these devices.
6. AI – Disagree, HOT – Three aspects here. 1. AI systems need to be protected from attacks. They are a means of ingress, fraud, privacy leakage, and integrity manipulation attacks. 2. AI systems, specifically ML & DL, are making progress when applied to enhancing cybersecurity, including detecting malware, network attacks, and fraud. 3. AI systems are being used by the bad-guys to identify weaknesses, conduct attacks at scale, and create-synthetic/counterfeit identities. AI is a powerful tool and being used by both the attackers and defenders!
7. Quantum Cryptography – Disagree, NOT HOT – Well, not as hot as you would think. Quantum has been a slow burn for many years. It is impressive but at that pace it is moving the natural tension in the system is keeping things relative. I.e. As risks or threats emerge, counters aren’t far behind. It is similar to the discussions when asymmetric encryption was coming online. Quantum encryption is important to watch, but not hot at the moment. It is an evolution of research, rather than a revolution of practice. …and there is no such thing as perfect security.
8. Phishing – Agree, Hot. No surprise here. People continue to be the weakest link. Social Engineering in general has been and will continue to be hot for at least another decade, likely much longer. Humans are good at manipulating other humans.
9. Antivirus – Disagree, HOT (as in, reports of death are greatly exaggerated). Really, we are talking about Anti-Malware (not just viruses). It is not sexy and doesn’t provide a bullet-proof shield but it is necessary. It is a staple and foundation, which is why I will still say Hot. It takes a significant chunk of the problems out of the equation. Those who do not have any type of anti-malware, quickly learn the value. I have seen far too many headlines for ~20 years saying it is outdated or ‘dead’ (yet even those who are saying that are using some type of anti-malware). I expect to be hotly contested on this one, as it is not newly ‘hot’, but rather still ‘hot’.
10. MFA - Disagree NOT HOT (unfortunately). MFA and 2FA are valuable (as proven by the scale of data breaches, social engineering, and credential stuffing). Strong authentication practices have been around for a long time and should be employed when protecting high value assets, but adoption has been slow because of user friction. There will be a steady increase over time, but unfortunately this is the turtle, not the hare.
11. Blockchain – Disagree HOT. Blockchains are distributed authenticated transaction systems. Some are private and others are public in nature. Bitcoin is an example of one usage, but there are far more that are also permeating the digital world. Blockchains are a radical architecture change and therefore disrupt the traditional risk models. They can introduce problems, but also can have a very positive impact on privacy, credential security, IoT management, transaction tamper-proofing, product safety, and fraud detection. Just about every major industry is looking to adopt blockchain solutions in one way or another.
Overall, I think it is a great list to discuss and debate. What are your thoughts?
Matthew Rosenquist is an industry-recognized pragmatic, passionate, and innovative strategic security expert with 28 years of experience. He thrives in challenging cybersecurity environments and in the face of ever shifting threats. A leader in identifying opportunities, driving industry change, and building mature security organizations, Matthew delivers capabilities for sustainable security postures. He has experience in protecting billions of dollars of corporate assets, consulting across industry verticals, understanding current and emerging risks, communicating opportunities, forging internal cooperation and executive buy-in, and developing practical strategies. Matthew is a trusted advisor, security expert, and evangelist for academia, businesses, and governments around the world. A public advocate for best-practices, and communicating the risks and opportunities emerging in cybersecurity. He delivers engaging keynotes, speeches, interviews, and consulting sessions at conferences and to audiences around the globe. He has attracted a large social following of security peers, is an active member on advisory boards, and quoted in news, magazines, and books. Matthew is a recognized industry expert, speaker, and leader who enjoys the pursuit of achieving optimal cybersecurity. Matthew Rosenquist is experienced in building world class teams and capabilities, managing security operations, evangelizing best-practices to the market, developing security products, and improving corporate security services.