Virtualization Technology News and Information
Neustar Security Services 2023 Predictions: Emerging Security Threats to Watch in 2023


Industry executives and experts share their predictions for 2023.  Read them in this 15th annual series exclusive.

Emerging Security Threats to Watch in 2023

Danger Lurking in No-Code/Low-Code Application Development; Supply Chain Attacks Shaking Partner Trust; The Next Major DDoS Campaign

By Carlos Morales, senior vice president of solutions, Neustar Security Services

The past few years have seen transformative changes take hold across industries as the acceleration of digitization initiatives - driven largely by the pandemic - fundamentally changed the way many businesses operate. To navigate an increasingly borderless world of work, organizations have upped their dependence on the cloud to help meet new demands for flexibility and accessibility. With this operational shift comes added risk from an expanding threat surface that offers cyberattackers a broadening range of targets to choose from.

In a threat landscape that is more dynamic than ever, it is critical that organizations remain actively aware of emerging threats and evolving tactics - and that these developments inform both security policies and current best practices. As we head into 2023, there are three areas where security pros should remain particularly vigilant.

Low-code/no-code software development at odds with DevSecOps

There has been a move in the industry towards low-code and no-code applications as companies strive to increase the speed of software development and maximize available resources. Low-code and no-code options are attractive because they allow people with very little to no coding experience to string together applications and build things quickly without much expertise. However, while low-code/no-code development platforms enable more users to build new applications faster, their lack of governance will likely introduce significant new sets of security vulnerabilities across the industry.

Many organizations are increasingly embedding low-code and no-code applications into everything they do without considering that whoever does develop the code may be doing so in a manner that isn't fully secure. This lack of transparency is a problem that threatens to create a lot of new vulnerabilities and another Log4j-style time bomb. It's not hard to imagine a particular low-code/no-code applet from a small company gaining large popularity and getting embedded into a wide range of applications across many enterprises. When a vulnerability is found in that application, how prepared is that small company to communicate broadly and manage patching across its customer base? If the company is not prepared, this could lead to huge exposure. Unfortunately, it's all but inevitable that this situation will occur, so it will be up to the enterprises themselves who deploy the applet to be prepared.

If done wrong, this trend threatens to undermine a growing push for broad adoption of DevSecOps, which promises to deliver a range of benefits like higher quality code, early vulnerability detection, more efficient launch of applications and APIs through automation, and improved compliance monitoring.

Where DevSecOps strives to create broader accountability for and awareness of security needs throughout the development process, the promise of low-code and no-code development centers on speed to deployment, which is the root of many growing problems across the industry. While mistakes in development are inevitable, organizations will benefit from shifting away from a culture that prioritizes speed to deployment over all else and making accountability a core tenet of the development lifecycle. Without an active culture of security steadiness, you will not win the race.

Software supply chain threats shaking partner trust

The pandemic has caused a seismic shift in the cybersecurity market and the threat landscape has evolved considerably. A recent study from the Neustar International Security Council (NISC) found that confidence in the supply chain ecosystem is waning, with many organizations reporting that they currently feel exposed through software or service providers. Three in four respondents now consider supply chain risk a top priority. 

Given the interconnected nature of modern business, every industry can fall victim to this type of attack. The SolarWinds attack proved the software supply chain is now a part of every company's attack surface. It is critical for companies to hold software and service provider partners contractually accountable to maintain security standards at least as stringent as those that the company adheres to. 

Suppliers and partners represent a huge risk to your company if they are not vetted appropriately. You must be able to trust that what they provide you will not only operate to specifications, but also will not create new vulnerabilities in your environment. Organizations will increase the rigor of vetting processes for potential new partners - and even existing partners, before re-signing - ranging from requiring a more thorough understanding of their reputation in the market to auditing what practices they carry out with their own supply chain.

It is important to make security requirements part of your partners' contractual obligation, ideally giving you audit rights to inspect their controls periodically. Of course, we can't count on the partners to catch everything, so we still have our own responsibility to vet the solutions we use. Best current practice dictates that every business should actively perform vulnerability scanning on all systems and sub-systems to the best of its ability, test incident response processes, and, when possible, engage third-party penetration testing companies to verify its defences. We must respond according to our customers' needs while anticipating the constantly evolving cyberthreat landscape. Only by working together as an industry collective will we be able to answer some of the most pressing cybersecurity challenges of our time.

The next big DDoS campaign is coming

When it comes to distributed denial of service (DDoS), attacks tend to be cyclical. In the security industry, we typically see a wave of focused attacks where there is a lot of activity that eventually dwindles down, followed by a year or two of relative quiet. During that time, cybercriminals are hard at work trying to figure out new ways to bring better attack tools to market and monetize their efforts more effectively.

The last major cycle started in 2020 during the pandemic and was marked by a major spike in ransom-based DDoS (RDDoS) attacks. Those of us on the front lines of security operations centers (SOCs) are anticipating the next big wave to come soon - potentially by mid to late 2023.

When it comes to DDoS attacks, the tactics used by bad actors are usually similar to what came before. Attackers may use some novel combination of techniques, but the big changes are usually in how they've brought the attacks to the customers. The last wave of attacks in 2020 was unique in the breadth of victims it was able to reach across a large swath of industries and verticals, hitting them in bunches, often simultaneously. Multi-vector attacks were common, and the attack vectors varied from attack to attack. This showed a level of sophistication in the management of the DDoS attacks and the close coordination with the ransom demands for monetization that we hadn't seen before.

We're not sure exactly what the next campaign will look like yet, but there's a general sense across the security industry that another wave is coming. No organization is immune, but there are verticals with a higher likelihood of being attacked based on historical attack trends. Financial companies, retailers, gaming, service providers, and hosting providers have historically been the most common targets. More recently, there has also been a large uptick in attacks on healthcare, utilities, and technology companies as attackers focus on critical infrastructure and services.

While cyberattacks and breaches are to some extent inevitable in our increasingly borderless world, it is increasingly important for security pros to keep a close eye on the threat landscape and better understand emerging areas of vulnerability driven by accelerating digitization.




Carlos Morales is senior vice president of solutions at Neustar Security Services, where he is responsible for creating the technology vision for its portfolio of DNS, DDoS and application security services. His role also includes helping to define strategy for security acquisitions; execution of strategic partnerships; and responsibility for the development, enablement and growth of its solutions engineering organization. Morales has more than two decades of experience in deploying security, networking and access solutions for service provider and enterprise networks. Prior to joining Neustar, he held management and technical leadership positions at NETSCOUT, Arbor Networks, Nortel Networks and Tiburon Networks.

Published Monday, November 14, 2022 7:31 AM by David Marshall