For anyone who has been in business or IT, 2020 has taken on a semi-mythical place in our predicted futures, and not just in some of the amazing and fantastical predictions of the 19th century.
We’ve all seen countless estimates and predictions of what to expect in 2020. Now that we are nearly two decades into this century and in close proximity from the year 2020, we can take a look at what we’ve seen in 2019 so far and finally begin to predict more accurately some of the cybersecurity threats we will likely be facing in healthcare in 2020 and beyond.
Most definitive 2020 prediction possible
Windows 7 and Server 2003 will be deprecated by Microsoft on Jan. 14, 2020. As of now, many organisations are not shy about the fact that they intend to keep Windows 7 and Server 2003 around for some time past the end-of-life date. Based on this information alone, I can confidently predict that the vast majority of these organisations will still have Windows 7 and 2003 systems on their network five years from now.
Windows XP is a good case study and many organisations back then had grand plans to have XP completely gone within a year of the end-of-life in 2014, however many of those very outdated Windows XP systems are still running today with no clear end in sight. In fact, XP still has 4.59% of the OS market share and it is 18 years old.
The fact that there is significantly less urgency to upgrade these operating systems properly and on time, shows that there is a very real chance of repeating our mistakes, leaving our networks and systems unsupported and vulnerable for an even longer duration of time.
2019 trends that will bleed into 2020
The industry has seen several waves of malware attacks in the last year that utilize different vulnerabilities and more 0-days are being weaponized every day. On top of this, many security researchers have become fed-up with manufacturers slow to non-existent responses to responsibly report new vulnerabilities. This may have contributed to a rash of true 0-day vulnerabilities being released with no patches or fixes in place from manufacturers.
To make matters worse, most of these vulnerabilities have been coming out with usable working exploit code. Exploit code is what attackers need to use a flaw in a system and when “responsible disclosure” is followed, the maker of the flawed system is alerted 90 days before the researcher is supposed to release information to the public. However, in most cases, the working exploit code isn’t released for another 90 days. The frustration with the system and software makers is only getting worse and we should expect more of this in future.
Breaches are another thing we haven’t seen slow down at all in 2019. In fact, this year is shaping up to be a banner year as far as total records stolen. What really stands out is that these breaches keep repeating over and over again, attackers are gaining access by tricking people and using third parties that have worse security protocol than their target.
There are new breaches almost every day that could have been prevented with more careful vetting of third- party vendors, or even just a little more useful user education. Instead, we see organisations of virtually every size imaginable crossing their fingers in hopes they don’t get breached. When in reality the only defence is a good offence, people need to be questioning everything a lot more than they are.
Insider threats and phishing
One of the most consistent things in InfoSec overall has been that the majority of attacks still start with an insider. Whether that person is being malicious or negligent, it is still an insider threat that is the downfall.
Many of the breaches in 2019 started with a well-crafted spear-phishing email (highly targeted phishing email). The breaches that did not occur because of a phishing email or phone scam were perpetrated via less-than-secure third parties, for example, LabCorp’s collections vendor AMCA became the object of an attack, causing AMCA to file bankruptcy and LabCorp declaring a major breach.
The good thing about future predictions is that they have not yet come to be, and there is still time for people to start taking action and preventative measures. The only way we can begin to make a dent in these breaches is to begin to take both user education and vendor security reviews seriously.
We can’t just assume a vendor is secure, we certainly can’t just take them at their word, and without true due diligence, more and more organisations will become victims to breaches that emanate from their vendors. Finally, stop forcing users to sit through generic “awareness” training, you won’t get them to care until they can comprehend how it affects them and their livelihoods. Once everyone understands the risk and ramifications of their actions, change will be much less challenging.