As 2023 wraps up and 2024 kicks off, it's time to look at the cybersecurity trends and predictions analysts and industry thought leaders have top of mind.
The past year saw a continued barrage of ransomware attacks, with many evolving into double and triple extortion efforts. AI and machine learning also took center stage with the unveiling of generative AI -- as did attackers' potential to use them maliciously.
Following are nine cybersecurity predictions and trends for 2024 to be aware of, even if they don't all come to pass.
1. Increase of zero-day vulnerabilities in extortion attacks
Attackers could more often use zero-day vulnerabilities to target multiple organizations, said Dick O'Brien, principal intelligence analyst at Symantec, part of Broadcom, an enterprise tech vendor. As evidenced in the MoveIt Transfer attacks, malware groups can use a single vulnerability to target multiple organizations that use the affected tool or technology.
"This is quite effective in that you get multiple victims for a single attack or campaign," O'Brien said. "The damage is done before awareness of the TTPs [tactics, techniques and procedures] become common knowledge."
Finding zero-day vulnerabilities isn't easy, however. O'Brien said malicious actors need deep pockets or specialist skills to pull these attacks off, which could limit how widespread they are. Malware groups might opt to watch and observe the success of others before conducting their own campaigns.
2. Generative AI impacts email security
The release of generative AI dominated the tech industry in 2023, so no trend list would be complete without looking at how it could affect organizations from a threat perspective. While attackers already use generative AI to improve phishing emails and reduce the likelihood of spelling and grammar mistakes, they will further integrate generative AI into their social engineering campaigns by using large language models to impersonate high-level decision-makers and publicly visible executives.
"People are super active on LinkedIn or Twitter where they produce lots of information and posts. It's easy to take all this data and dump it into something like ChatGPT and tell it to write something using this specific person's style," said Oliver Tavakoli, CTO at Vectra AI, a cybersecurity vendor. "The attacker can send an email claiming to be from the CEO, CFO or similar role to an employee. Receiving an email that sounds like it's coming from your boss certainly feels far more real than a general email asking for Amazon gift cards."
To combat this social engineering attack, Tavakoli recommended organizations conduct employee awareness training, regularly determine their overall security posture and ensure their downstream security measures can handle an employee falling for a phishing attack.
"You don't want to be overly reliant on any one particular defense mechanism," he said.
3. Widespread adoption of passwordless
It's been said for many years, but 2024 could finally be the year passwordless takes off in the enterprise.
"This coming year we're going to truly go passwordless, with biometrics being the winning modality," said Blair Cohen, founder and president of AuthenticID, an identity and access management (IAM) vendor. "It's finally going to happen."
Biometrics makes sense as the common authentication option since people have used fingerprint and facial scanning on consumer devices for years, he said. It can also stand up to attack and fraud better than SMS or email one-time passcodes or other methods.
What industry standard wins out, however, is up for debate. FIDO2 is a contender, but not the winner, Cohen said. "I applaud it and think it's great for everyday consumer use, but don't think FIDO2 will be the choice of enterprises, large-scale banks, etc. There are just too many vulnerabilities," he said, specifically highlighting its vulnerability to first-party fraud.
Jack Poller, analyst at TechTarget's Enterprise Strategy Group (ESG), disagreed. FIDO2 is going to win in the consumer marketplace since many enterprise organizations, such as Google, Amazon and Apple, currently support it, Poller said, and because it's phishing-resistant.
4. CSOs, CISOs and CEOs work more closely together
Continued economic uncertainty has led to tightened budgets. In 2024, CEOs will likely be working more closely with CSOs and CISOs to determine where to best spend budget security-wise, said Chuck Randolph, CSO, and Marisa Randazzo, executive director of threat management, at security vendor Ontic. This requires CSOs and CISOs to determine where their organizations' risk exists and how to keep data and employees safe, both in-office and remote, they added.
"If I'm a C-suite individual, I'm thinking about risk prioritization, budget optimization and proactive investment in security, whether physical or digital," Randolph said. Organizations should conduct a risk assessment and ensure stakeholders have a say in the security budget, he advised.
Randolph and Randazzo said there could be a convergence of IT security with physical or corporate security, such as identifying and monitoring potential insider threats and disgruntled employees. CISOs can offer input on IT security, they added, while CSOs consider workplace violence issues.
5. Identity verification to see wider adoption
Expect to see more organizations embrace identity verification in 2024 to ensure employees, partners and customers are who they say they are during account onboarding, especially as AI improves.
"If I've never met you before, even if you're appearing on Zoom, how do I know it's really you and not an imposter with access to your computer?" ESG's Poller said. "From an enterprise perspective, how do I authenticate you correctly against a government document?"
Organizations will increasingly use identity verification to onboard and secure account access or reset requests. The technology can also compare employee photographs and information to government documents, as well as provide liveness detection to ensure someone isn't using an AI-generated image or video.
6. Increased adoption of proactive security tools and technology
Organizations should invest more in proactive security tools and technology in 2024 to better detect vulnerabilities and security gaps, said Maxine Holt, senior director of research and content at analyst firm Omdia. With proactive security, she said, organizations can learn where to best spend their budget for their specific use cases.
Holt recommended organizations research proactive security technologies to decide which could most help them. She said to consider the following:
- Risk-based vulnerability management.
- Attack surface management, including cyber asset ASM and external surface ASM.
- Security posture tools for applications, cloud and data.
- Attack path management and security control validation, including penetration testing, red teaming, and breach and attack simulation.
7. More regulations for connected and embedded devices
IoT adoption remains strong, but embedded devices continue to lack appropriate security measures. In 2024, we could see more regulatory scrutiny, especially as the threat of AI grows and malicious actors look for additional attack vectors.
"The regulatory outlook for connected devices will continue to evolve as governments and regulatory bodies develop more comprehensive frameworks to address the increased use and development of connected devices and the increased sophistication of attackers," said Veronica Lim, U.S. product security leader at consulting firm Deloitte. "We'll see organizations adhere more closely to cybersecurity-by-design standards."
How organizations will handle increased regulations remains to be seen. Lim explained that organizations already struggle with patch management, which opens opportunities for attackers to exploit. "Connected devices are a frequent target for attackers because they often contain outdated and vulnerable software," she said.
8. Third-party security struggles continue
Breaching a third party, such as a vendor or partner organization, can net attackers more lucrative outcomes. Third parties have their own security strategies and infrastructure, which might not stack up to those of their customers, opening further vectors for attackers.
"The bad guys have gotten really good at identifying these third parties that help them get past the big security apparatus of bigger organizations, such as a bank," said Alex Cox, director of threat intel at LastPass, a password manager vendor. "A big bank spends a ton of money on security, but the vendors they use don't. If you get access to that vendor, it gets you access to a bunch of other companies."
There's no easy answer for organizations worried about third-party security, either. Cox said while it's difficult to enforce a certain level of security with third parties, organizations should consider creating a security checklist their vendors must follow or require third-party security evaluations before doing business with any vendor.
9. Vendors could affect cyber insurance policies
Organizations obtain cyber insurance policies to ease the aftermath of ransomware attacks. At the same time, cyber insurance carriers are tweaking underwriting procedures. Certain vendors could be identified as red flags and affect an organization's ability to get a policy in 2024. For example, if an organization uses a vendor the insurance carrier deems risky, such as Progress Software, which supplied the MoveIt Transfer application, the carrier could increase premiums or deny coverage.
"There is going to be more scrutiny under your hood when it comes to security posture and technology vendors," said Jess Burn, analyst at advisory firm Forrester. "Product security is going to become something insurance carriers get more involved in. They're going to ask organizations who provides the product and not just if you have it."
Organizations might have to spend time vetting their current and potential vendor partners if cyber insurance providers want more say in their clients' security posture, she said.
Some infosec professionals already think cyber insurance carriers have too much influence when it comes to incident response decisions. Forrester predicted this will continue in the coming year.
Kyle Johnson is a technology editor for TechTarget Security.