BeyondTrust experts forecast future threat vectors most likely to affect organisations worldwide in the New Year. Top cybersecurity trends include a rise in ransom-vaporware, cyber un-insurability, compliance conflicts, cloud camouflage, and more
BeyondTrust, the provider of intelligent identity and access security, has released its annual forecast of cybersecurity trends emerging for the New Year.
“The Arab Gulf region continues to innovate at scale,” said Morey Haber, Chief Security Officer, BeyondTrust. “But the digital transformation in the cloud brings with it a range of issues, including the increased sophistication of attackers and their ability to adapt to the moment at a pace that, as yet, enterprise security functions have been unable to match.”
Prediction 1: Negative, Zero, and Positive Trust
Next year, expect products actually to be “zero trust-ready”, satisfy all seven tenants of the NIST 800-207 model, and support an architecture referenced by NIST 1800-35b. Zero-trust product vendors will create marketing messages that may imply positive and/or negative intent. Some will provide positive zero-trust authentication and behavioural monitoring, while others will work using a closed security model to demonstrate what should happen when a negative zero-trust event occurs.
Prediction 2: Camera-Based Malware is here. Say “Cheese”!
In 2023, expect to see the first of many exploits that challenge smart cameras and the technology embedded within them to leverage vulnerabilities. While there have been timeless discussions on the risks of using QR codes, we are only now beginning to understand the risks of our smart cameras. As cameras become more complex, the risk surface is expanding for novel approaches that could lead to their exploitation.
Prediction 3: Reputation for Ransom – The rise of Ransom-Vaporware
We will see a rise in the extortion of monies based purely on the threat of publicising a fictional breach. Society willingly accepts the veracity of breaches reported in the news without evidence. For a threat actor, this could mean the need to perpetrate an actual breach is reduced and a threat alone that is not even verifiable becomes an attack vector all in itself.
Prediction 4: The Foundation of Multi-Factor Authentication (MFA) Invincibility Fails
Expect a new round of attack vectors that target and successfully bypass multifactor authentication strategies. In the next year, push notifications and other techniques for MFA will be exploited, just like SMS. Organisations should expect to see the foundation of MFA eroded by exploit techniques that compromise MFA integrity and require a push for MFA solutions that use biometrics or FIDO2-compliant technologies.
Prediction 5: Cyber Un-insurability is the New Normal
In 2023, more businesses will face the stark realisation that they are not cyber-insurable. As of the second quarter of 2022, US cyber-insurance prices increased 79 per cent over the prior year. The truth is, it’s becoming downright difficult to obtain quality cyber insurance at a reasonable rate.
Prediction 6: The Latest Concert Hack—Wearable Risk Surfaces and Hackable E-waste
If you have recently attended a large concert, you may have received a disposable LED bracelet that can receive RF transmissions during the event. The device is meant to be low-cost, disposable, and potentially only single-use. In 2023, expect threat actors to easily decode the RF transmissions using tools like Flipper Zero to wreak havoc on venues that use these enhancements. Some may be to form a protest for some other purpose.
Prediction 7: Compliance Conflicts are Brewing
Significant compliance standards, best practices, and even security frameworks are starting to see a diverge in requirements. In 2023, expect more regulatory compliance conflicts, especially for organisations embracing modern technology, zero trust, and digital transformation initiatives.
Prediction 8: The Death of the Personal Password
The growth of non-password-based primary authentication will finally spell the end of the personal password. More applications, not just the operating system itself, will start using advanced non-password technologies, such as biometrics, either to authenticate directly or leverage biometric technology, like Microsoft Hello or Apple FaceID or TouchID, to authorise access.
Prediction 9: De-Funding of Cyber Terrorists Becomes Law
Governments all over the world will entertain a new approach to protect organisations from ransomware and stop the funding of terrorists: ban ransomware payouts outright. Granted, threat actors may move on to a new form of cybercrime to fund their operations, but ransomware as we know it will fade away.
Prediction 10: Cloud Camouflage is Confronted
To mitigate cloud security risks, expect a push for transparency and visibility into the security operations of SaaS solutions, cloud providers and their services. The push to ensure transparency of the architecture, foundational components, and even discovered vulnerabilities will extend beyond SOC and ISO certifications.
Prediction 11: Social Engineering in the Cloud
Attackers will turn from their software toolkits to their powers of persuasion as they increase the number of social engineering attacks levelled at employers and organizations across the cloud.
Prediction 12: Unfederated Identities to Infinity and Beyond
Expect a push into unfederated identities to help provide a new level of services and potentially physical products that will become a mild access control and management nightmare. The size and scope will feel truly infinite – unless it is well-defined for identity management teams to provide access beyond what typically is available today.
Prediction 13: OT Gets Smarter, Converges with IT
Expect attack vectors for basic Operational Technology (OT) to expand based on similar exploits that target IT. OT, which once had a single function and purpose, is now becoming smarter, leveraging commercial operating systems and applications to perform expanded missions. As these devices expand in scope, their design is susceptible to vulnerabilities and exploitation.
Predictions 14: Headline Breaches Move to Second-Page News
Expect news of breaches to be buried deeper – whether in print or online format based on audience fatigue, lack of interest, or just because it is no longer exciting. With that said, legal, regulatory, and compliance responses will become front-page news should an organisation fail to follow the proper steps for public disclosure and risk mitigation.
Prediction 15: A Record-“Breaching” Year
Expect a record-breaking year of cyber security breach notifications, not only because of the sophistication of threat actors but also due to the larger changes in the world that will impact an organisation’s ability to mitigate, remediate, or prevent a problem.
“Our assessments of the year ahead may seem all doom and gloom, but in truth, organisations have many ways of protecting themselves against an incident,” said Haber. “With the right blend of skills, tools and strategy — either in-house or in collaboration with a trusted partner — businesses can go into 2023 with their eyes open and conduct their affairs with confidence.”
