Chris Christiansen's 2019 Predictions for Security

Pixel Security Research: Chris Christiansen’s 2019 predictions for security

In 2018, state-sponsored weaponization of poorly controlled social media was the lead story. Because of consumer ignorance around social media business models, fiduciary-driven profits trumped privacy. The diverse attackers collaborating across many different threat ecosystems highlighted the fragmented defense from governments, consumers, corporations, and suppliers. The good news is that security and privacy awareness is now prevalent at all layers of society, worldwide.

Societal evolution continually changes security and privacy. As risks are reduced in one area (e.g., patching vulnerabilities), new threats emerge. Attackers will optimize attacks by increasingly using open-source AI-based tools to analyze publicly and privately held consumer and corporate data. In 2019 we will also see new privacy vulnerabilities and protections, blockchain developments, and the rise of insurance fraud.

AI competition lessens industry cooperation

Today’s target-rich environment is fed by huge caches of breached IDs and publicly accessible information gleaned from social media and other sources. State-sponsored and corporate attackers will use AI technology to analyze that data in hopes of improving ROI, cutting costs, reducing risks, improving profits, and harvesting collateral opportunities. Far beyond just security, AI’s hunger for developers and data will create an arms race between customers, suppliers, and governments that will lessen cooperation in most AI research fields.

Stovepipe IT security fails

According to Wikipedia, stovepipe systems are “systems procured and developed to solve a specific problem, characterized by a limited focus and functionality, and containing data that cannot be easily shared with other systems.” Traditional hierarchical IT security will fail dramatically in 2019 because these stovepipe systems don’t communicate threats, tools, and incident-response processes to other systems. To fix this, IT and OT (Operational Technology for managing industrial control systems) will need to share vulnerabilities, alerts, analysis, incident response, and forensics. SecOps must work with DevOps collaboratively on secure coding and testing. Customers must also do their part to protect complicated physical/virtual/hybrid assets, users, and software (system, middleware, APIs, consumer and corporate applications, cloud infrastructure) by building, maintaining, and using behavioral analysis to detect anomalies.

Privacy rights become law, but chaotically

Driven by U.S. privacy disclosures (e.g., Facebook and Cambridge Analytica) and modeled on the European Union's General Data Protection Regulation (GDPR), demand is rising for U.S. consumer privacy regulation. In 2019 federal regulatory efforts will largely fail. However, state-level privacy laws (e.g., California) will pass. But the differences in these regulations will create compliance nightmares for companies worldwide.

Blockchain goes big, but loses its soul

As bitcoin fades, the blockchain algorithm behind it rises, and 2019 is the year of blockchain reality. Many blockchain pilots will go into full production because it potentially:

• Reconciles complex environments

• Enables process sharing with supply-chain partners

• Lowers audit risk

• Improves closing of complex transactions

However, the commercialized algorithms are based on forked blockchain code, centralized validation of blocks, and tightly controlled development teams. In addition to reducing the strength of the chain, all these elements counter the algorithm’s original design. It remains to be seen which commercial implementations are robust enough to deliver on their lofty promises.

Home privacy invasions rise

Identity and Access Management (IAM) is critical to managing tens of thousands of IoT devices connected to SMB and corporate networks as well as home networks. Reportedly, 2019 CES proclaimed that this is the Year of Virtual Assistants. Hijacking the hardware devices and the associated virtual assistant services for legal and illegal profit will be a growing trend. We expect more Mirai-like exploits of home automation devices, possibly combined with ransomware. These exploits will not just be Distributed Denial of Service (DDoS), but will focus on home devices by “bricking” (completely freezing control of) refrigerators, lights, outlets, timers, thermostats, surveillance cameras, alarm systems, etc. As consumer fitness trackers monitor and regulate cardiac conditions and blood sugar, there is an even more ominous threat of false positives and even more dangerous false negatives.

Mergers and acquisitions surge, customers suffer

Betting on continued market strength, many private companies scheduled IPOs for 2019. Unfortunately, a partial government shutdown prevented filings with the SEC and stock market volatility dampened investors’ interest. As investors question valuations, cash-flow-negative companies may struggle to raise funds. This will force many privately held vendors into M&A activities. Larger existing security companies will exploit this weakness for acquisitions of intellectual property, developers, products, and management. Of course, this can be troublesome for customers. To offset this risk, we suggest periodically reviewing the financial strength of all security providers. Customers of these acquired companies should also determine if these technologies protect critical production assets. If customers are confident they can negotiate continued support from the acquiring company, they should continue the relationship, but monitor it closely. Otherwise, a speedily implemented migration plan should be set in motion.

Insurance fraud rises as climate instability worsens

Standard account names and passwords are already failing because of the enormous quantities of personal data, PINs, social media, and password hashes that are publicly available. The insurance industry, government emergency management agencies, and NGOs will be inundated with fraudulent claims as disasters related to climate instability increase. The cost of fraud for large-scale disasters is already increasing dramatically for these institutions. Multi-Factor Authentication (MFA) will most likely be required to authenticate consumer and corporate claims. For multi-party relief efforts, blockchain will track, reconcile, and provide audit data for the complex, multithreaded claims processes that involve handling by so many individuals and organizations. Governments and NGOs will need to control fraud to reduce costs as disaster costs increase because government and NGO budgets will remain flat. Adverse media coverage of fraud will exacerbate the need for faster response, greater efficiency, and more accountability.

Looking ahead to the 2020s

Human activity inevitably adds new evolutionary elements to even the most remote ecosystems. Building on worldwide changes over the past decade, the 2020s will see an acceleration of “walled gardens.” Specific countries and regions will use regulations, trade policies, and access restrictions to control politics, competition, and social norms. The desire to freely interact beyond the walled gardens will explode the population of “attackers” because of contrarian laws and regulations. In the 2020s, everyone and everything will hack and will be hacked.

Pixel Security Research specializes in analyzing technologies that proactively solve corporate and consumer problems while balancing user experience with risk and cost. We offer subscription and custom external research such as blogs, videos, webinars, speeches, infographics, case studies (anonymous and sourced), and written content of varying lengths. We also engage with customers for internal consulting around market alignment, message testing, business value, and forecasting. Find out more about what we can offer your company on our Services page.