It’s pretty difficult to make info security predictions, and even more difficult to verify them afterwards. We can only judge the effectiveness of information security by the number of public security incidents that are uncovered, all the while acknowledging that the majority of data breaches go undetected.
Free eBook: Modern Retail Security Risk – Get your copy now.
However, we can try to make some cyber security predictions based on common sense profitability (profit/cost ratio) for hackers. These are listed below.
1. XSS will become a more frequent and dangerous vector of attacks.
It’s very difficult to detect high- or critical-risk vulnerabilities in well-known web products (e.g. Joomla, WordPress, SharePoint, etc). However, low- and medium-risk vulnerabilities, such as XSS, still regularly appear. Sophisticated exploitation of an XSS can give the same outcomes as an SQL injection vulnerability; therefore, hackers will rely on XSS attacks more and more to achieve their goals.
2. Third-party code and plugins will remain the Achilles’ Heel of web applications.
While the core code of well-known CMSs and other web products are fairly secure today, third-party code such as plugins or extensions remain vulnerable even to high-risk vulnerabilities. People tend to forget that one outdated plugin or third-party website voting script endangers the entire web application. Obviously, hackers will not miss out on such opportunities.
3. Chained attacks via third-party websites will grow.
Nowadays, it’s pretty difficult to find a critical vulnerability on a well-known website. It is much quicker, and thus cheaper, for hackers to find several medium-risk vulnerabilities that in combination allow complete access to the website. Another trend is to attack a reputable website that the victim regularly visits. For example, when chasing after a C-level executive, hackers may compromise several high-profile financial websites or newspapers and insert an exploit pack that will be activated only for a specific IP user-agent and authentication cookie combination belonging to the victim. Such attacks are very complicated to detect, as only the victim can find the attack.
4. Automated security tools and solutions will no longer be efficient.
Web Application Firewalls, Web Vulnerability Scanners or Malware Detection services will continue to be considered inefficient. Both web vulnerabilities and web attacks are becoming more and more sophisticated and complex to detect, and human intervention is almost always necessary to fully detect vulnerabilities. It’s not enough to patch 90% or even 99% of the vulnerabilities; hackers will detect the last vulnerability and use it to compromise the entire website. As a solution to the new threats, High-Tech Bridge has launched ImmuniWeb SaaS, a unique hybrid that uses automated security assessment combined with manual penetration testing.