BeyondTrust today released its annual forecast of cybersecurity trends emerging for the New Year and beyond. These projections are based on shifts in technology, threat actor habits, culture, and decades of combined experience.
Prediction #1: Negative, Zero, and Positive Trust — Next year, expect products to actually be “zero trust-ready”, satisfy all seven tenets of the NIST 800-207 model, and support an architecture referenced by NIST 1800-35b. Zero trust product vendors will create marketing messages that may imply positive and/or negative intent (maybe not using such simple puns on the number zero). Some will provide positive zero trust authentication and behavioural monitoring, while others will work using a closed security model to demonstrate what should happen when a negative zero trust event occurs.
Prediction #2: Reputation for Ransom—The Rise of Ransom-Vapourware – We will see a rise in the extortion of monies based purely on the threat of publicising a fictional breach. Society willingly accepts the veracity of breaches reported in the news, even without evidence. For a threat actor, this could mean there is less need to perpetrate an actual breach: a threat alone, one that is not even verifiable, becomes an attack vector in itself.
Prediction #3: The Foundation of Multi-Factor Authentication (MFA) Invincibility Fails — Expect a new round of attack vectors that target and successfully bypass multi-factor authentication strategies. In the next year, push notifications and other MFA techniques will be exploited, just like SMS. Organisations should expect to see the foundation of MFA eroded by exploit techniques that compromise MFA integrity and require a push to MFA solutions that use biometrics or FIDO2-compliant technologies.
Prediction #4: Cyber Un-insurability is the New Normal — In 2023, more businesses will face the stark realisation that they are not cyber-insurable. As of the second quarter of 2022, U.S. cyber-insurance prices had already increased 79% over the prior year. In the past 12 months, cyber insurance premiums in Australia have risen by up to 80%, according to Honan Group. The truth is, it’s becoming downright difficult to obtain quality cyber insurance at a reasonable rate.
Prediction #5: Compliance Conflicts are Brewing — Significant compliance standards, best practices, and even security frameworks are starting to diverge in their requirements. In 2023, expect more regulatory compliance conflicts, especially for organisations embracing modern technology, zero trust, and digital transformation initiatives.
Prediction #6: The Death of the Personal Password — The growth of non-password-based primary authentication will finally spell the end of the personal password. More applications, not just the operating system itself, will start using advanced non-password technologies, such as biometrics, either to authenticate directly or to leverage biometric technology, like Microsoft Hello or Apple FaceID or TouchID, to authorise access.
Prediction #7: Cloud Camouflage is Confronted — To mitigate cloud security risks, expect a push for transparency and visibility into the security operations of SaaS solutions, cloud providers and their services. The push to ensure transparency of the architecture, foundational components, and even discovered vulnerabilities, will extend beyond SOC and ISO certifications.
Prediction #8: Social Engineering in the Cloud — Attackers will turn from their software toolkits to their powers of persuasion as they increase the number of social engineering attacks levelled at employers and organisations across the cloud.
Prediction #9: Unfederated Identities to Infinity and Beyond — Expect a push into unfederated identities to help provide a new level of services and potentially physical products that will become a mild access control and management nightmare. The size and scope will feel truly infinite—unless it is well-defined for identity management teams to provide access beyond what typically is available today.
Prediction #10: OT Gets Smarter, Converges with IT — Expect attack vectors for basic Operational Technology (OT) to expand based on similar exploits that target IT. OT, which once had a single function and purpose, is now becoming smarter, leveraging commercial operating systems and applications to perform expanded missions. As these devices expand in scope, their design is susceptible to vulnerabilities and exploitation.