It’s pretty difficult to make info security predictions, and even more difficult to verify them afterwards. We can only judge the effectiveness of information security by the number of public security incidents that are uncovered, all the while acknowledging that the majority of data breaches go undetected.
Free eBook: Modern Retail Security Risk – Get your copy now.
However, we can try to make some cyber security predictions based on common sense profitability (profit/cost ratio) for hackers. These are listed below.
1. XSS will become a more frequent and dangerous vector of attacks.
It’s very difficult to detect high- or critical-risk vulnerabilities in well-known web products (e.g. Joomla, WordPress, SharePoint, etc). However, low- and medium-risk vulnerabilities, such as XSS, still regularly appear. Sophisticated exploitation of an XSS can give the same outcomes as an SQL injection vulnerability; therefore, hackers will rely on XSS attacks more and more to achieve their goals.
2. Third-party code and plugins will remain the Achilles’ Heel of web applications.
While the core code of well-known CMSs and other web products are fairly secure today, third-party code such as plugins or extensions remain vulnerable even to high-risk vulnerabilities. People tend to forget that one outdated plugin or third-party website voting script endangers the entire web application. Obviously, hackers will not miss out on such opportunities.
3. Chained attacks via third-party websites will grow.
Nowadays, it’s pretty difficult to find a critical vulnerability on a well-known website. It is much quicker, and thus cheaper, for hackers to find several medium-risk vulnerabilities that in combination allow complete access to the website. Another trend is to attack a reputable website that the victim regularly visits. For example, when chasing after a C-level executive, hackers may compromise several high-profile financial websites or newspapers and insert an exploit pack that will be activated only for a specific IP user-agent and authentication cookie combination belonging to the victim. Such attacks are very complicated to detect, as only the victim can find the attack.
4. Automated security tools and solutions will no longer be efficient.
Web Application Firewalls, Web Vulnerability Scanners or Malware Detection services will continue to be considered inefficient. Both web vulnerabilities and web attacks are becoming more and more sophisticated and complex to detect, and human intervention is almost always necessary to fully detect vulnerabilities. It’s not enough to patch 90% or even 99% of the vulnerabilities; hackers will detect the last vulnerability and use it to compromise the entire website. As a solution to the new threats, High-Tech Bridge has launched ImmuniWeb SaaS, a unique hybrid that uses automated security assessment combined with manual penetration testing.
[su_box title=”About Ilia Kolochenko” style=”noise” box_color=”#336588″][short_info id=’60198′ desc=”true” all=”false”][/su_box]
Ilia Kolochenko is a Swiss application security expert and entrepreneur. He started his career as a penetration tester and has 15 years of experience in security auditing and digital forensics. After serving in Swiss artillery troops in 2007, Ilia founded his first pentesting and cybersecurity consultancy High-Tech Bridge. In 2014, Frost & Sullivan named the company a leading service provider in the European pentesting market. Later Ilia invented and built the concept of the ImmuniWeb Platform, which combines the strengths of human intelligence with Machine Learning, and is now entirely dedicated to it.As a Chief Architect at ImmuniWeb, he leads our data scientists, security analysts and software engineers. Ilia holds a bachelor degree in Computer Science and Mathematics from Webster University, a Master of Legal Studies from Washington University in St. Louis and a Master of Science in Criminal Justice (Cybercrime Investigation) from Boston University. Currently, Ilia is a Doctoral student (Ph.D. in Cybersecurity Leadership) at Capitol Technology University. Ilia Kolochenko is a member of Europol Data Protection Experts Network (EDEN), a Member of GIAC Advisory Board and a Committee Member at Boston University MET CIC (Cybercrime Investigation & Cybersecurity) Center. Ilia is a certified GIAC GLEG professional (Law of Data Security & Investigations) and a Certified Information Privacy Professional (CIPP/US and CIPP/E) by IAPP.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.