Usually this is the spot where we make our forecasts for 2021 based on the latest press releases from IT security providers. You will have to wait a little longer for that this time, at least until the second half of this post, because right now the SolarWinds hack has stolen the show. Reports so far have been fairly cautious, but that is probably down to shock. What the attackers managed to achieve goes far beyond a single catastrophic incident: they injected malware into the build of a well-known and reputable network management product, and the resulting signed update was distributed automatically to every customer who installed it. This shows that a software supply chain with broad reach can be compromised, and not only SolarWinds' supply chain: in principle, any vendor that pushes automatic updates to its customers is a potential distribution channel. Imagine what would happen if attackers managed to infect Microsoft's Patch Tuesday updates.
The implications of the hack will only become apparent in the coming weeks, at least the part that is actually made public. But it is already clear that organizations must move to a zero-trust model as quickly as they can in order to at least limit the damage from an attack of this dimension. Under this approach, the network and all resources are segmented and access is separated by function, and every request is checked against an explicit grant rather than trusted because it originates inside the network. Consequently, an Exchange Server administrator would not also have permission to manage Oracle databases, and a compromised Exchange admin account could not be used to reach the databases. Companies must also apply a privileged access management strategy that specifically protects accounts with elevated rights, for example by requiring MFA and time-bound elevation for administrative actions. Since organizations usually move slowly, and such changes affect organizational structures well beyond the technical implementation, these are not ad hoc measures. But anyone in charge of information security in their company should review their priorities for 2021 in light of the SolarWinds hack.
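The following is an added example, not code from the original post or from any vendor it mentions: a deny-by-default authorization check that encodes the function-scoped role split described above (an Exchange administrator role that grants nothing on Oracle, and vice versa) together with a privileged-access rule that demands MFA and a short-lived, just-in-time elevation for administrative actions. The role names, resource/action strings and the 15-minute elevation window are assumptions chosen for illustration.

```python
"""Deny-by-default authorization with function-scoped roles and PAM-style
elevation. Added example; roles, actions and timings are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Optional, Set, Tuple

# Function-scoped roles (assumed names). Each role only covers the resources
# of its own function: no role spans both Exchange and Oracle.
ROLES = {
    "exchange-admin": {"exchange:*"},
    "oracle-dba": {"oracle:*"},
    "helpdesk": {"exchange:mailbox:read", "ad:user:reset-password"},
}

# Actions treated as privileged (assumed patterns). Besides a matching role
# grant they require MFA on the session and an active just-in-time elevation.
PRIVILEGED = {"exchange:server:*", "oracle:instance:*", "ad:user:reset-password"}


@dataclass
class Session:
    user: str
    roles: Set[str]
    mfa: bool = False
    elevated_until: Optional[datetime] = None


def elevate(session: Session, minutes: int = 15, now: Optional[datetime] = None) -> None:
    """Grant time-bound elevation. In a real PAM flow this is where approval,
    ticket reference and MFA re-check would happen; here only MFA is enforced."""
    if not session.mfa:
        raise PermissionError("elevation requires an MFA-verified session")
    now = now or datetime.now(timezone.utc)
    session.elevated_until = now + timedelta(minutes=minutes)


def allowed(session: Session, action: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (decision, reason). Anything not explicitly granted is denied."""
    now = now or datetime.now(timezone.utc)
    # Union of permission patterns from all of the session's roles.
    perms = set().union(*(ROLES.get(r, set()) for r in session.roles))
    if not any(fnmatchcase(action, p) for p in perms):
        return False, "no role grants " + action
    if any(fnmatchcase(action, p) for p in PRIVILEGED):
        if not session.mfa:
            return False, "privileged action requires MFA"
        if session.elevated_until is None or session.elevated_until < now:
            return False, "privileged action requires active JIT elevation"
    return True, "granted"


if __name__ == "__main__":
    alice = Session("alice", {"exchange-admin"}, mfa=True)
    print(allowed(alice, "exchange:server:restart"))  # denied: no elevation yet
    elevate(alice)
    print(allowed(alice, "exchange:server:restart"))  # granted
    print(allowed(alice, "oracle:instance:stop"))     # denied: wrong function
    bob = Session("bob", {"helpdesk"})
    print(allowed(bob, "exchange:mailbox:read"))      # granted, not privileged
    print(allowed(bob, "ad:user:reset-password"))     # denied: no MFA
```

The important property is the order of the checks: the role grant is evaluated first, so elevation never widens what a role can reach, and elevation expires on its own, so a stolen admin session is useful only for the remaining minutes of the window.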
And if that isn't enough to keep us busy, security firms have also identified further significant trends for 2021. The absence of artificial intelligence from this list is surprising, considering the hype of the last few years. AI is still an important part of security technology, but the arms race between attackers and defenders features less prominently than in previous forecasts. Now it's all about remote working and everything related to it. Employees need not only bandwidth, but also a working authorization concept for accessing company resources. When the resources being accessed sit in the public cloud, access routes and perimeter controls are affected as well, which is where technologies such as CASB and SASE come in. Although remote working was adopted quickly, many organizations will not get around until next year to fully securing the infrastructure that was set up in haste in 2020 and bringing it under company-wide IT policy.
Organizations in healthcare and public administration will probably have the least time for this. Forecasters expect attacks on this sector to increase in 2021, especially ransomware, because it is the easiest way to earn money. The number of major ransomware attacks reported in 2020 was already in the upper three-digit range, and the sums paid exceeded USD 100 million. Newer tactics such as publishing stolen data to put pressure on victims do not make things look any better for the coming months. Backup software providers are right to point out that restoring from backup is not only the fastest but also the only reliable way to recover from a ransomware attack without paying, with the caveat that ransomware routinely targets reachable backups first, so the copies have to be offline or immutable and the restore has to be tested. Backup strategies and programs are therefore likely to receive greater attention in the coming months.
Finally, there is one last prediction in our list which is not surprising but still rather astonishing: users will remain the biggest risk factor for letting attacks and malware in during 2021, above all by email. This is not surprising, because it has been this way for years. It is astonishing, though, that awareness training is still quite superficial and not as widespread as it could be. Security overall could be greatly improved here with comparatively little effort.