13 trends in the cybersecurity and information security market 2019-2020
Hello everyone, my name is Alexander Dvoryansky, I am the commercial director of Infosekurity company. Today we will look at the main trends and vectors of cyber security development, both global and Russian, which in my opinion will be relevant in the near future.
If we translate all encyclopedic kilometer definitions into a concise and clear definition for everyone, then, as banal as it may sound, cybersecurity is countering emerging dangers, and it is based, naturally, on the protection and prevention of hacker attacks.
Thus, cybersecurity trends are directly related to the goals and objectives of the attackers. We will consider them now.
In terms of focus, hacker attacks continue to target large companies, including state-funded, industrial systems and other critical infrastructures. But in addition to large-scale targets, hackers are quite interested in “smaller fish”: routers and other network equipment, IoT devices, and hardware vulnerabilities (like Specter and Meltdown).
At the same time, I would like to separately note the attacks made through the so-called supply chain. In fact, the first thing you do is to hack your trusted counterparties, and then, on their behalf, you get some attachment with a cryptographer.
Now consider the other side of the coin, that is, the main purpose of hacking. Here are the following points:
“Brad!” You say. "And here and no" - I will answer you.
Without even noticing, the specialists of the companies leave various data about themselves, their internal domains, credentials, logins, password on the Internet. So, we repeatedly found on public resources like github and pastebin , similar sensitive information. Without a doubt, hackers will gladly use it.
And now let's deal with the other side: how we will defend ourselves and what is fashionable now.
In the Russian market, only lazy does not speak about SOC at the moment. For developers, this is a deep market; for customers, it is an opportunity to qualitatively improve the overall level of information security of a company and build a comprehensive, layered defense.
More and more market participants are giving their preference to the service model of connecting to the monitoring and event management centers of information security, or they will do it in the next 2 years, rather than taking up building their own. This is primarily due to the significantly lower cost of the solution and a faster return on investment. Also, the customer does not need to form and maintain a team of analysts who, by the way, are very expensive today.
In turn, the players of the Russian market of monitoring of information security events are increasingly resorting to the exchange of experience of shop colleagues from around the world. This is confirmed by the accreditation of several companies by the Carnegie Malone Institute's CERT professional community, some of them even belong to the international community of information security response centers: FIRST.
More and more large and medium-sized organizations are discovering managed services provided by service providers in providing information security services on a commercial basis.
What is the value for customers and why is the near future for MSSP?
Firstly, this is a reduction in costs, since there is no need to buy specialized software and equipment, besides, payment is made solely for the services actually rendered to the client.
Secondly, services are provided by professionals who, based on their own experience, will help you quickly and competently respond to incidents and cope with other difficulties.
You, in turn, have to concentrate on the main business and forget about information security, well, or just monitor and optimize the services provided by the service provider.
In Russia, the MSSP is just beginning to gain momentum, although, of course, it’s still far from world figures. More and more customers are beginning to trust service providers, outsource key IT and information security processes.
On January 1, 2018, the Law on the Security of Critical Information Infrastructure (hereinafter the Law) came into force in our country. Starting in 2013, at the project stage, this law was vigorously discussed by the information security community and raised many questions regarding the practical implementation of the requirements put forward by them. Now that these requirements have come into force, and all the subjects of the CII have been faced with the burning need to fulfill them, here is a more or less unified algorithm of actions.
By law, KII subjects must:
And the connection to the State Committee for Social Security and Social Development requires the following entities from the KII
In addition, according to an individual decision of the subject of the CII, the GOSEPA equipment may be placed on the territory of the CII facility. But in such a model, the subject is additionally obliged to ensure its safety and uninterrupted functioning. In other words, the subject of the KII can be organized its own center of the State SENA.
Conclusion, if you are a subject of the CII, no matter what class, you are obliged to report all incidents to the State BARS. The punishment for non-fulfillment or improper fulfillment of the requirements of the law is severe here, even criminal. Therefore, all subjects of the CII, state, commercial, including the individual entrepreneur (if he suddenly provides such services) must and will take measures to comply with the requirements of the law.
In general, the cyber risk insurance market is now only developing, but by 2023, according to experts, the size of insurance premiums in the Russian market will be 1 billion rubles.
An important factor in terms of deciding in favor of cyber risk insurance is government policy on this issue. So, the Ministry of Finance issued a letter, according to which it allowed organizations to take cyber-attacks as a expense and thus reduce the basis for calculating the income tax, but for this it is necessary to report an attack to law enforcement agencies, which, if you have an expert opinion, should initiate a criminal case . However, in case of refusal to initiate a criminal case for any reason, it will not be possible to reduce the tax base.
Consequently, any attack by intruders in this case will incur not only financial losses for organizations, but also additional reputational risks. And customers and contractors will be able to make the appropriate conclusion about the reliability of the organization.
At the same time, the use of a cyber risk insurance policy, on the contrary, demonstrates the desire of the organization to protect and protect clients from the actions of intruders.
I want to emphasize that preventive measures to organize data security are still the most logical and effective tool for reducing the likelihood and potential damage from cyber attacks.
On July 1, 2018, Law No. 482-FZ on Biometric Identification of Citizens entered into force in Russia, providing for the creation of a unified database of biometric data for all residents of the country. Consequently, all organizations, one way or another related to this law, will need to provide reception, storage, and most importantly, secure transmission of users' biometric data with the help of specialized hardware and software complex.
At this stage, the introduction of a biometric system will significantly facilitate the life of bank customers by simplifying the process of processing financial products. Now, to determine the identity of the client, it is not necessary to require a passport - it is enough to match the voice and the person with the records in the database. A bank customer can arrange any of his products - for example, a deposit or a loan - at any time and in any place by telephone or online banking. Banking services will become more accessible to people from remote regions, where the choice of banks is limited or completely absent.
And banks, in turn, connected to the EBU will help to comply with the requirements of the legislation, in terms of the security of the data transmitted and received from the Unified Biometric System.
Raising awareness is not only the direction of information security, but also one of its eternal trends. If a company does not teach its employees the rules of information security, a violation of these rules is almost inevitable: even the most conscientious employee cannot observe what he does not know. Plus, in recent decades, fraudsters who want to get valuable data are actively using social engineering. During attacks of this kind, a person is manipulated, parasitic on his weaknesses - curiosity, gullibility, fear of sanctions from the authorities.
Complex technical solutions recede into the background: why waste time and energy on developing a virus, trojan or spyware, if a person himself can give you all the necessary information? It is clear that in the light of this trend, learning becomes just an indispensable means of protection.
If a company wants to make the training of its employees effective, it needs to conduct it regularly and make sure that it is interesting. If with the first all is usually not bad, then with the second most often problems arise. This is where trends within awareness raising itself come to the rescue. It:
The threat to security from IoT devices was seriously talked about back in 2016, after a massive DDoS attack by the Mirai botnet, which included hundreds of thousands of infected devices.
The possibility of organizing a botnet of this scale is associated with a low level of security for such devices: in many, besides the initially weak passwords “by default”, there are also critical vulnerabilities.
The list of types of devices is constantly updated: home routers and webcams, various sensors and components of a smart home, medical and industrial equipment.
In recent years, interest in software vulnerabilities has also increased.
Since every year the number of equipment connected to the Internet, only increases, we predict an increase in the number of incidents related to this area.
Already, automation of security processes and routine operations is launched, response to cyber incidents and detection occurs at the end points.
Companies use corporate Honeypot, i.e. fake website / resource, leaving the hacker site to be torn apart by hackers. And as part of the usual information security products, machine learning modules are already used. But toli will still be.
Machine learning has been used in the security industry for a long time, allowing you to build more flexible and adaptive threat detection techniques.
Currently, there are trends to increase this competence, not only on the side of the defenders, but also among hackers.
Basically, attackers use machine learning to develop malware that bypasses signature-based detection methods, create phishing emails that are virtually indistinguishable from regular mail correspondence, and also search for vulnerabilities in application code.
Do not forget that machine learning can be used from the point of view of working with company algorithms. As soon as the fraudsters will have an understanding of how the algorithm was trained, they will immediately have levers of manipulation.
Here we will discuss the monitoring of the information space, the control of publications and references to organizations and its representatives, as well as brand protection.
Currently, black PR and fraudulent schemes are increasingly moving into the information field, which is accessible to all.
By releasing a certain kind of information about a company or an individual, its attackers pursue several goals:
Given the above, there is a need to monitor the information space, control the illegitimate use of the company's brand, search and verify negative reviews, as well as monitor confidential information for leaks, in general, protect the business.
And what are the trends in the near future of cyber security? Perhaps together we can expand this list.
If we translate all encyclopedic kilometer definitions into a concise and clear definition for everyone, then, as banal as it may sound, cybersecurity is countering emerging dangers, and it is based, naturally, on the protection and prevention of hacker attacks.
Thus, cybersecurity trends are directly related to the goals and objectives of the attackers. We will consider them now.
In terms of focus, hacker attacks continue to target large companies, including state-funded, industrial systems and other critical infrastructures. But in addition to large-scale targets, hackers are quite interested in “smaller fish”: routers and other network equipment, IoT devices, and hardware vulnerabilities (like Specter and Meltdown).
At the same time, I would like to separately note the attacks made through the so-called supply chain. In fact, the first thing you do is to hack your trusted counterparties, and then, on their behalf, you get some attachment with a cryptographer.
Thus, the trend number 1 - building defense of the most vulnerable and the most "tidbits."
Now consider the other side of the coin, that is, the main purpose of hacking. Here are the following points:
- Withdrawal of funds (including from ATMs);
- Various extortionists (wipers / cryptographers);
- Hidden mining;
- Theft of data for resale;
- Industrial espionage.
Consequently, the trend number 2 - actions to prevent financial damage, disruption of the life of the organization and the disclosure of confidential information.
Separate trend (we have the number 3), is gaining momentum, is the use of data that are in the public domain.
“Brad!” You say. "And here and no" - I will answer you.
Without even noticing, the specialists of the companies leave various data about themselves, their internal domains, credentials, logins, password on the Internet. So, we repeatedly found on public resources like github and pastebin , similar sensitive information. Without a doubt, hackers will gladly use it.
And now let's deal with the other side: how we will defend ourselves and what is fashionable now.
Trend number 4. SOC, including cloud, and claudization
In the Russian market, only lazy does not speak about SOC at the moment. For developers, this is a deep market; for customers, it is an opportunity to qualitatively improve the overall level of information security of a company and build a comprehensive, layered defense.
More and more market participants are giving their preference to the service model of connecting to the monitoring and event management centers of information security, or they will do it in the next 2 years, rather than taking up building their own. This is primarily due to the significantly lower cost of the solution and a faster return on investment. Also, the customer does not need to form and maintain a team of analysts who, by the way, are very expensive today.
In turn, the players of the Russian market of monitoring of information security events are increasingly resorting to the exchange of experience of shop colleagues from around the world. This is confirmed by the accreditation of several companies by the Carnegie Malone Institute's CERT professional community, some of them even belong to the international community of information security response centers: FIRST.
The next trend in the account (No. 5), but not by value, are services according to the MSSP model (Managed Security Service Provider)
More and more large and medium-sized organizations are discovering managed services provided by service providers in providing information security services on a commercial basis.
What is the value for customers and why is the near future for MSSP?
Firstly, this is a reduction in costs, since there is no need to buy specialized software and equipment, besides, payment is made solely for the services actually rendered to the client.
Secondly, services are provided by professionals who, based on their own experience, will help you quickly and competently respond to incidents and cope with other difficulties.
You, in turn, have to concentrate on the main business and forget about information security, well, or just monitor and optimize the services provided by the service provider.
In Russia, the MSSP is just beginning to gain momentum, although, of course, it’s still far from world figures. More and more customers are beginning to trust service providers, outsource key IT and information security processes.
Moving on. The sixth trend and, probably, the most predictable - KII and GOSPKA
On January 1, 2018, the Law on the Security of Critical Information Infrastructure (hereinafter the Law) came into force in our country. Starting in 2013, at the project stage, this law was vigorously discussed by the information security community and raised many questions regarding the practical implementation of the requirements put forward by them. Now that these requirements have come into force, and all the subjects of the CII have been faced with the burning need to fulfill them, here is a more or less unified algorithm of actions.
By law, KII subjects must:
- to carry out categorization of KII objects;
- ensure integration (embedding) into the State System for the Detection, Prevention, and Elimination of the Consequences of Computer Attacks on the Information Resources of the Russian Federation (GOSOPKA)
- take organizational and technical measures to ensure the safety of CII facilities.
And the connection to the State Committee for Social Security and Social Development requires the following entities from the KII
- inform about the computer incidents of the FSB of Russia, as well as the Central Bank of the Russian Federation, if the organization operates in the banking sector and other areas of the financial market;
- assist the FSB of Russia in detecting, preventing and eliminating the consequences of computer attacks, establishing the causes and conditions for the occurrence of computer incidents.
In addition, according to an individual decision of the subject of the CII, the GOSEPA equipment may be placed on the territory of the CII facility. But in such a model, the subject is additionally obliged to ensure its safety and uninterrupted functioning. In other words, the subject of the KII can be organized its own center of the State SENA.
Conclusion, if you are a subject of the CII, no matter what class, you are obliged to report all incidents to the State BARS. The punishment for non-fulfillment or improper fulfillment of the requirements of the law is severe here, even criminal. Therefore, all subjects of the CII, state, commercial, including the individual entrepreneur (if he suddenly provides such services) must and will take measures to comply with the requirements of the law.
Trend number 7 for the next couple of years - cyber risk insurance
In general, the cyber risk insurance market is now only developing, but by 2023, according to experts, the size of insurance premiums in the Russian market will be 1 billion rubles.
An important factor in terms of deciding in favor of cyber risk insurance is government policy on this issue. So, the Ministry of Finance issued a letter, according to which it allowed organizations to take cyber-attacks as a expense and thus reduce the basis for calculating the income tax, but for this it is necessary to report an attack to law enforcement agencies, which, if you have an expert opinion, should initiate a criminal case . However, in case of refusal to initiate a criminal case for any reason, it will not be possible to reduce the tax base.
Consequently, any attack by intruders in this case will incur not only financial losses for organizations, but also additional reputational risks. And customers and contractors will be able to make the appropriate conclusion about the reliability of the organization.
At the same time, the use of a cyber risk insurance policy, on the contrary, demonstrates the desire of the organization to protect and protect clients from the actions of intruders.
I want to emphasize that preventive measures to organize data security are still the most logical and effective tool for reducing the likelihood and potential damage from cyber attacks.
Another predictable trend, and he is already number 8 - biometrics.
On July 1, 2018, Law No. 482-FZ on Biometric Identification of Citizens entered into force in Russia, providing for the creation of a unified database of biometric data for all residents of the country. Consequently, all organizations, one way or another related to this law, will need to provide reception, storage, and most importantly, secure transmission of users' biometric data with the help of specialized hardware and software complex.
At this stage, the introduction of a biometric system will significantly facilitate the life of bank customers by simplifying the process of processing financial products. Now, to determine the identity of the client, it is not necessary to require a passport - it is enough to match the voice and the person with the records in the database. A bank customer can arrange any of his products - for example, a deposit or a loan - at any time and in any place by telephone or online banking. Banking services will become more accessible to people from remote regions, where the choice of banks is limited or completely absent.
And banks, in turn, connected to the EBU will help to comply with the requirements of the legislation, in terms of the security of the data transmitted and received from the Unified Biometric System.
Trend # 9. Training and raising information security awareness
Raising awareness is not only the direction of information security, but also one of its eternal trends. If a company does not teach its employees the rules of information security, a violation of these rules is almost inevitable: even the most conscientious employee cannot observe what he does not know. Plus, in recent decades, fraudsters who want to get valuable data are actively using social engineering. During attacks of this kind, a person is manipulated, parasitic on his weaknesses - curiosity, gullibility, fear of sanctions from the authorities.
Complex technical solutions recede into the background: why waste time and energy on developing a virus, trojan or spyware, if a person himself can give you all the necessary information? It is clear that in the light of this trend, learning becomes just an indispensable means of protection.
If a company wants to make the training of its employees effective, it needs to conduct it regularly and make sure that it is interesting. If with the first all is usually not bad, then with the second most often problems arise. This is where trends within awareness raising itself come to the rescue. It:
- The emphasis on distance learning - training materials can be viewed on different types of devices at a convenient time for employees;
- Personalization - preparation of different materials for different target audiences;
- Microtraining - giving training information in small blocks and fixing each block with practical tasks;
- Gamification - adding game elements to training (rewards and achievements, gradual complication of tasks, use of fascinating plots and characters).
Next, the 10th trend - the security of the Internet of Things
The threat to security from IoT devices was seriously talked about back in 2016, after a massive DDoS attack by the Mirai botnet, which included hundreds of thousands of infected devices.
The possibility of organizing a botnet of this scale is associated with a low level of security for such devices: in many, besides the initially weak passwords “by default”, there are also critical vulnerabilities.
The list of types of devices is constantly updated: home routers and webcams, various sensors and components of a smart home, medical and industrial equipment.
In recent years, interest in software vulnerabilities has also increased.
Since every year the number of equipment connected to the Internet, only increases, we predict an increase in the number of incidents related to this area.
Next trend number 11, which can not be ignored in terms of product development in cybersecurity.
Already, automation of security processes and routine operations is launched, response to cyber incidents and detection occurs at the end points.
Companies use corporate Honeypot, i.e. fake website / resource, leaving the hacker site to be torn apart by hackers. And as part of the usual information security products, machine learning modules are already used. But toli will still be.
Speaking of Machine Learning, this is also one of the cybersecurity trends - in our list number 12.
Machine learning has been used in the security industry for a long time, allowing you to build more flexible and adaptive threat detection techniques.
Currently, there are trends to increase this competence, not only on the side of the defenders, but also among hackers.
Basically, attackers use machine learning to develop malware that bypasses signature-based detection methods, create phishing emails that are virtually indistinguishable from regular mail correspondence, and also search for vulnerabilities in application code.
Do not forget that machine learning can be used from the point of view of working with company algorithms. As soon as the fraudsters will have an understanding of how the algorithm was trained, they will immediately have levers of manipulation.
Well, the final, 13th trend is a comprehensive work to identify and protect business from threats.
Here we will discuss the monitoring of the information space, the control of publications and references to organizations and its representatives, as well as brand protection.
Currently, black PR and fraudulent schemes are increasingly moving into the information field, which is accessible to all.
By releasing a certain kind of information about a company or an individual, its attackers pursue several goals:
- Marketing (image), namely the loss of business reputation, as a result of customer care and lost profits. For Internet companies, even a partial loss of reputation and customers, a negative information background runs the risk of substantial bankruptcy.
- Financial - a real loss of money due to phishing and information attacks. Selling sensitive information to competitors or intruders is also at the forefront.
- Personnel - the disloyalty of staff or luring competitors.
Given the above, there is a need to monitor the information space, control the illegitimate use of the company's brand, search and verify negative reviews, as well as monitor confidential information for leaks, in general, protect the business.
And what are the trends in the near future of cyber security? Perhaps together we can expand this list.
Source: https://habr.com/ru/post/439130/