We now live in a new world with many new requirements, including multi-layer masks, social distancing, air-filtering, virus testing, and contact tracing. These tactics employed to combat an invisible virus remind me of the cybersecurity world, where cyberattacks also cannot be seen. We might not know who attacked us or how we were attacked. We might not know which specific network link was breached, or server compromised, perhaps without showing any symptoms. Like with COVID, there are many unknowns when it comes to cybersecurity.
Both the virus and the hacker need to find just one weak spot while we need to protect ourselves against all possible adverse risk factors and threat vectors. Yes, this asymmetry may seem unfair, but that’s the world we live in, and we need to take the appropriate steps to protect ourselves and our data.
We saw the pandemic slow down the world in 2020, but there was no corresponding slowdown in breaches. In fact, we saw attacks continue relentlessly on corporations and governments as the adversaries took advantage of increasingly distracted employees and contractors.
In this changing environment, here are my two major cybersecurity predictions for 2021, borrowed from my keynote last month at the All India Oracle Users Group’s (AIOUG) annual event, titled “Polishing the Crystal Ball – Database Security for the Next Decade.”
Attacks on the Software Supply Chain
Just last month, we learned of the sustained breach allegedly perpetrated by a nation-state on SolarWinds, an IT infrastructure management software vendor. The digitally signed patch infected approximately 18,000 SolarWinds customers, including multiple United States federal agencies, security companies and software vendors. The malware then took advantage of an open invitation to browse, change, and exfiltrate data from their networks. It’s interesting to note that the 2017 breach of Equifax, a major US credit reporting agency, exploited unpatched Apache Struts, while this SolarWinds attack exploited the patching process itself.
Today’s software supply chain is complex and geographically distributed. The compromise of any one of those links can lead to a data breach, and, in a way, this attack type should not have come as a surprise.
Bolstered by the success of a SolarWinds-style breach, I predict that we’ll see small teams of hackers and even smaller nations getting into the game. Without a Geneva Convention for cyber warfare, state-sponsored actors will target critical infrastructure industries such as utilities, telecommunications, and even healthcare. Any companies that run on legacy, out-of-support software could be considered soft targets.
A Global Push to Mandate Security
I also predict that we’ll see governments worldwide place a higher emphasis on protecting the aforementioned critical infrastructure industries through compliance mandates and explicit security guidelines. Each regulation may differ slightly in its administrative and enforcement parts, but they will be mostly similar in their security measures: configuration management, patching, encryption, auditing, anonymization, and proper separation of duties.
Most companies have implemented a few security solutions, but it is challenging to close all gaps without adequate tools and staffing. I believe that a single, robust, comprehensive cloud security solution will be the easiest way for all organizations, small and large, to achieve proper security. For example, Oracle databases, whether on-premises or in the cloud, can now be quickly and easily protected with Oracle Data Safe. Customers can immediately help reduce the risks associated with sensitive data, configurations, and privileged users, and leverage data masking and activity auditing, all without requiring complex deployments, POCs, or additional on-premises system resources to manage.
So, what can we do in the short run?
Check out our new e-book, Putting Data Security and Protection First, for a high-level overview of Oracle’s cybersecurity strategy and how we execute on that strategy in our cloud, database, and SaaS offerings.
Your databases hold your crown jewels, and it is crucial to safeguard them. Customers should encrypt data to help stop unauthorized access to data, audit and monitor all critical database activities, and strongly enforce least privilege and separation of duties.
In many ways, there are interesting parallels to be drawn between cybersecurity defenses and what we’ve learned from the pandemic. One must take the appropriate assessment, detection, and prevention steps. There is no one silver bullet, but every step in the right direction increases your chance of keeping yourself and your data safe.
Here’s to a great, safe, and secure 2021.