Curtis
Simpson, CISO, Armis
Voice Deepfakes will
become the new phishing bait: C-level executives, politicians and other
high-profile individuals are already high-risk targets for standard email
phishing attacks given their level of access and financial decision making
within their organization. With advancements in the deepfake voice technology,
I expect a rise of voice phishing schemes in 2020 in which employees are
tricked into sending money to scammers or revealing sensitive information after
getting voice messages and calls that sound like they are from the CFO or other
executives. We’ve already seen one fraudulent bank transfer convert to $243,000
for criminals. Given how hard it is to identify these deepfakes compared to
standard phishing attacks, I expect these operations will become the norm in
the new year.

PJ
Kirner, CTO & founder, Illumio
We’ll start to hear
more about the convergence of physical infiltration with cyberattacks,
challenging security across the board. Cyberattacks on an enterprise or a
government can be carried out remotely but, in 2019, we started hearing more
about the physical element added to the mix. It doesn’t take sophisticated
software or intelligence operations to execute these attacks – a well-planned,
staged scenario is all it takes. For instance, someone could pose as an
electrician to gain physical access to a hospital being built, walking around
unimpeded until they find an unprotected device to access the network. I
believe we’ll see more of these high-profile, hybrid cyber-physical attacks in
2020.

Matt Ulery, chief product officer, SecureAuth
Get ready for SMS attacks to go mainstream. We adopted two-factor authentication with little hesitation: get a text on your phone with the one-time authentication code, enter it in after entering your password and gain access to your account. Most consumers haven’t had an issue with an extra step for a little peace of mind. The problem is that second-factor methods can now be easily defeated by your average hacker.

SMS
overrides have become a common and intensifying threat over the past year, and
they’ll only become more prominent in 2020. This type of attack will come in
three main forms: SIM swap, IMSI factors and SS7 hacks.

From
intercepting SMS messages and voice calls to eavesdropping and location tracking,
these types of attacks highlight the weakness of relying on two-factor
authentication to protect our identities. Businesses and organizations —
especially those handling and storing customer data — have an obligation to
look towards more advanced, adaptive approaches to securely verify their users
by utilizing verification factors like location, time of day, behavior and IP
addresses. It’s no longer safe to assume a six-digit code sent to your phone
will protect your identity.”

Michael
Morrison, CEO, CoreView
Office 365-specific security issues will finally get the attention they
deserve: Office 365 is a major target for IP theft, data leakage, credential
cracking, and O365-specific attacks because that’s where a big bulk of sensitive,
enterprise data is. Yet, O365 security issues often don’t get the attention
they deserve. In 2020 and beyond, IT should expect new O365 phishing and
malware attacks, as well as modified versions of KnockKnock and ShurtLOckr, two
attacks that focus on Office 365 that have been active since May 2017—and are
still running.

Mark Sangster, vice president and industry security strategist, eSentire
Company microtargeting with industry-specific tools will rise. Throughout 2019, eSentire has observed numerous instances of mid-sized organizations being targeted using tools specific to their industry, and this approach will continue into 2020. Phishing emails related to common industry tools or masquerading as trusted sources will be a common attack vector for stealing credentials and sensitive information. For example, phishing lures unique to the legal industry will use avenues, including cloud services, from vendors such as Adobe, to access to stores of sensitive information and credit vendors, like American Express, to gain short-term access to personal and/or company credit accounts. Access to personal or organization emails can lead to the theft of sensitive information. It can also aid attackers in crafting more familiar and friendly-looking lures for spear (targeted) phishing. As this trend towards microtargeting continues, organizations need to ensure they have technical controls in place to detect these threats and also ensure they have a robust security education program in place for their employees.

DRaaS is
Now Mainstream

Disaster
Recovery-as-a-Service (DRaaS) is now mainstream, with large organizations
adopting DRaaS at the highest rates. However, expect in 2020 to see the
adoption of DRaaS by small and mid-sized organizations to drastically increase
as organizations discover that not all DRaaS services require their IT
departments to become experts in hyper-scale clouds. As a result, SMBs will
outsource DRaaS to experts at a fixed price and with little requirement for
their time or technical overview.

Josh
Lemos, VP of research and intelligence, BlackBerry Cylance
State and
state-sponsored cyber groups are the new proxy for international relations. Cyber
espionage has been going on since the introduction of the internet, with
Russia, China, Iran and North Korea seen as major players. In 2020, we will see
a new set of countries using the same tactics, techniques, and procedures
(TTPs) as these superpowers against rivals both inside and outside national
borders. Mobile cyber espionage will also become a more common threat vector as
mobile users are significant attack vector for organizations that allow
employees to use personal devices on company networks. We will see threat
actors perform cross-platform campaigns that leverage both mobile and traditional
desktop malware. Recent research discovered nation-state based mobile cyber
espionage activity across the Big 4, as well as in Vietnam and there’s likely
going to be more attacks coming in the future. This will create more complexity
for governments and enterprises as they try to attribute these attacks, with
more actors and more endpoints in play at larger scale.

Gaurav
Banga, CEO and founder, Balbix
The accepted definition of a vulnerability will broaden. Typically associated
with flaws in software that must be patched, infosec leaders will redefine the
term to anything that is open to attack or damage. The impact will be
systematic processes, similar to those commonly applied to patching, extended
to weak or shared passwords, phishing and social engineering, risk of physical
theft, third party vendor risk, and more.

Chris
Howard, VP of federal, Nutanix
In 2020, we expect
to see federal agencies to increasingly differentiate their IT consumption
models. For example, I expect to see a movement of IT infrastructure to managed
service offerings in hosted data centers in order to take advantage of the
solutions that MSPs provide. In doing so, they will also be taking some of the
work off of their plate. This will not only allow agencies to access better connectivity,
but it will also address some of the same benefits that agencies look for when
moving to the public cloud, like agility and the ability to move away from
managing physical infrastructure, but with added security controls.

John
Summers, VP and CTO, Akamai
The digital
advertising ecosystem will be the next top target as a new class of attacks
emerges – As consumer experience becomes more important — and elaborate —
advertisers harvesting troves of customer data will find themselves susceptible
to a new wave of attacks from cybercriminals. Hoping to capitalize on the data
possessed by agencies, adversaries will increasingly go after the ad delivery
process, compromising the countless amount of customer data stored. In the
coming year, we can expect digital advertisers to amp up security efforts to
combat this, yet we can also expect to see more consumers opting-out of
experiences that require data collection.

Gerry
Beuchelt, CISO, LogMeIn
The use of and
evolution of biometrics. Decentralized, device-managed biometrics will continue
to rise as a convenient way to authenticate users. Biometric data stored
locally on the user device is best for security and eliminates the privacy
risk. These biometrics are good because they make life easier for people to
authenticate with devices in their possession and don’t pose a further security
risk because that info isn’t online and never leaves the system.

Centralized
biometric databases will continue to be promoted (and in some cases forced) by
governments, but we’ll continue to see pushback from civil society.

Centralized systems,
i.e. having one giant database, is not good biometrics because a lot of
sensitive personal information is in one location and invites abuse. People are
understanding this and some citizens in Europe and the U.S. are pushing back
against centralized databases.

In terms of
voluntary centralized databases, there is going to be some form of material
abuse of the type of info people are sharing so freely (i.e. if 23 and Me is
hacked), creating a privacy nightmare. That nightmare is just waiting to happen,
whether through a hack, breach or government subpoena.