Beyond the more recent technical developments covered in Blog 1, the main security challenges facing both small and large organisations in 2020 are likely to follow three near-timeless classics:
The age-old challenge of preventing weak, shared and similar credentials across our networks is of course still ongoing. But with the previously mentioned increase in multi-factor authentication use, this problem looks to be improving. One big recommendation now is to forget all the old password guidance that spawned the likes of Monday1? and Brazil2019! and instead implement the current NIST guidance (SP 800-63B): drop the number, case and symbol requirements and forced periodic rotation, screen candidate passwords against lists of breached and commonly used values, and favour a much greater minimum length to encourage passphrases rather than passwords.
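To make the contrast concrete, here is an added example (not code from the original post or from SureCloud) that puts the legacy "complexity" rule beside a screen modelled on the SP 800-63B recommendations. The breached-password list is a small constructed sample standing in for a real corpus such as a Have I Been Pwned download, and the 15-character minimum is a local choice intended to push users toward passphrases; NIST's own floor for user-chosen secrets is 8 characters.

```python
"""NIST SP 800-63B-style password screening next to a legacy complexity rule.

Added example for this post; it is not SureCloud's code. The breached list is
a constructed sample, and min_len=15 is a local choice, not a NIST number.
"""
import re
import unicodedata

# Constructed sample of breached/common values; a real deployment would consult
# a large corpus or the HIBP range API rather than an in-memory set.
BREACHED = {
    "password", "123456", "qwerty", "letmein", "welcome1",
    "monday1?", "brazil2019!", "summer2019", "correct horse battery staple",
}

def _fold(s: str) -> str:
    """Case-fold and drop spaces/punctuation so 'Monday 1?' matches 'monday1?'."""
    return re.sub(r"[^0-9a-z]", "", s.casefold())

_BREACHED_FOLDED = {_fold(p) for p in BREACHED}

def legacy_policy(pw: str) -> bool:
    """The old rule: 8+ chars with upper, lower, digit and symbol all present."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def _has_sequence(s: str, n: int = 4) -> bool:
    """True if n consecutive characters each step by +1 in code point (abcd, 1234)."""
    return any(
        all(ord(s[i + j + 1]) - ord(s[i + j]) == 1 for j in range(n - 1))
        for i in range(len(s) - n + 1)
    )

def nist_policy(pw: str, *, min_len: int = 15, max_len: int = 64,
                context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Per SP 800-63B: NFKC-normalise, measure length in code points, require a
    minimum length and accept at least 64 characters, allow any printing
    character including spaces, impose no composition rules, and reject values
    that are breached/common, derived from context (username, service name),
    or trivially repetitive or sequential.
    """
    pw = unicodedata.normalize("NFKC", pw)
    reasons = []
    if len(pw) < min_len:
        reasons.append("too_short")
    if len(pw) > max_len:
        reasons.append("too_long")
    if any(unicodedata.category(c).startswith("C") for c in pw):
        reasons.append("control_chars")
    folded = _fold(pw)
    if folded in _BREACHED_FOLDED:
        reasons.append("breached")
    # Reject passwords built from the username, company name, etc.
    if any(len(_fold(w)) >= 4 and _fold(w) in folded for w in context):
        reasons.append("contains_context")
    if re.search(r"(.)\1{3,}", pw):          # aaaa, 1111, ....
        reasons.append("repeated_chars")
    if _has_sequence(pw.casefold()):         # abcd, 1234
        reasons.append("sequential_chars")
    return reasons

def compare(pw: str, context: tuple[str, ...] = ()) -> dict:
    """Side-by-side verdict of the two policies for one candidate."""
    return {"legacy_ok": legacy_policy(pw),
            "nist_reasons": nist_policy(pw, context=context)}

if __name__ == "__main__":
    for cand, ctx in [
        ("Monday1?", ()),
        ("Brazil2019!", ()),
        ("Passw0rd1234!", ()),
        ("correct horse battery staple", ()),
        ("heron flying over the thames at dawn", ()),
        ("Elliott.Thompson.2020!", ("elliott", "surecloud")),
    ]:
        print(f"{cand!r:40} {compare(cand, ctx)}")
```

Run as a script, the table shows the point of the paragraph: Monday1? and Brazil2019! satisfy every legacy complexity requirement yet are short and already in the breached sample, while a plain lowercase passphrase fails the legacy rule and passes the length-plus-blocklist screen. The folding step is a local choice so that trivial punctuation or case variants of a breached value are still caught.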
From malicious email attachments and phishing attempts to forged invoices and CEO fraud, the volume and scale of these attacks are trending upwards. Whilst new technologies on the perimeter are certainly helping to reduce the volume of malicious content that ends up in front of our staff, an attacker only needs to win once. In 2020 I expect we'll see heavier automation of the email content generation, not just the sending, with the attacker's aim being to defeat the existing filtering systems.
Our network boundaries have been getting further blurred over the years, which looks set to increase into 2020. Even in small organisations, simply being able to list the third-party applications that are used by all staff members is likely to be a difficult prospect. In many cases, our information is spread across dozens of disparate systems hosted by different organisations. From Slack to ZenDesk, Office 365 to AWS, accessing internal company resources often no longer requires being inside the corporate network. Compromised staff credentials used to mean an attacker rummaging through Outlook Web Access. Now it can mean full access to SharePoint, support tickets and their chat logs.
So, amid all these challenges, how will we see organisations responding? An array of defensive techniques is essential. However, penetration testing should always be at the core of any organisation's cybersecurity strategy, as one of the most reliable ways of proactively identifying exploitable weaknesses in an IT infrastructure before an attacker does. Both application penetration testing and network penetration testing are critical and must be embedded on an ongoing basis in any cybersecurity strategy. Pentest-as-a-service can provide a cost-effective, streamlined model for ensuring that comprehensive testing is carried out regularly, rather than completed once a year and then forgotten about, and I expect to see this model rise in popularity over the coming years.
Additionally, in line with more and more organisations migrating workloads to the cloud, it is also vital for those organisations to discuss at the procurement stage how those cloud services containing company resources and data are being handled. Enterprise security and risk postures now reach far beyond their own premises and network perimeters and reach into the cloud, and this demands a more collaborative approach to security than ever before.
Elliott Thompson OSCP, CTL/CCT-APP, one of SureCloud's senior security consultants, delivers on a variety of large and unusual pen-testing engagements. Elliott engages targets throughout Europe, Asia and the Middle East, from infrastructure testing and reverse engineering to physical, social engineering and red teaming. Elliott has also appeared on the BBC as a cybersecurity expert, has CVE identifiers credited to his name, and is a CHECK Team Leader and CREST Registered Tester.
SureCloud is a provider of Gartner-recognised GRC software and Cyber & Risk Advisory services. Whether buying products or services, your organisation would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud's service offerings are fully compatible with the GRC suite of products, enabling seamless integration of information and taking your risk programmes to the next level.