It’s the time of year when the industry begins making its top cybersecurity predictions for the year ahead. Gartner, among others, recently released their top 8 cybersecurity predictions for 2023, writing that supply chain and geopolitical issues will continue to dominate cybersecurity.
In this article, our team looks into the proverbial crystal ball to share their top cybersecurity predictions and what initiatives security leaders should prioritize for 2023.
What Cybersecurity Lessons Did We Learn in 2022?
The breaches, hacks, and cyber breakdowns in 2022 taught us many cybersecurity lessons that we can use to improve security in the new year. Lessons learned include:
- You can’t rely on MFA.
- Company stakeholders, including VCs and board members, must have insight into their company’s security stance.
- Don’t sacrifice security for a 1% improvement of your product. Constant re-architecting creates numerous security holes.
- Continuous security is mandatory for blockchain. Instead of one-time assessments at launch, teams should strive for continuous validation throughout the project lifecycle.
What Are the Top Cybersecurity Predictions for 2023?
The top cybersecurity predictions for 2023 identified by the team of experts at Kudelski security are:
- Basic, human-targeted attacks will be the biggest risk to cyber defenses.
- Zero trust will replace VPN.
- Insider and third-party risk will rise.
- Reliance on passwords will decline.
- Skepticism around blockchain security and availability will continue.
- Quantum-interested companies will need to start assessing risks.
Prediction #1: Basic, human-targeted attacks, like ransomware, phishing, and email attacks will be the biggest risk to cyber defenses.
In 2023, we will see the most basic security attacks — email compromise, active directory attacks, ransomware, phishing, and multi-factor authentication attacks — continue to be the most effective and lucrative for cybercriminals.
Whenever humans are introduced into the security equation, they immediately create holes in the corporate cyber defense system. Phishing and emerging MFA bombing schemes are more sophisticated than ever and will render cybersecurity training ineffective.
To combat these attacks, corporate security teams should not trust human factors. Instead, they should adopt an offensive security posture. Detection and response initiatives should focus on preventative features instead of reactive quick fixes.
Will your threat detection and response strategies stand up to advanced threats? Watch our webinar to learn how to improve program maturity.
Prediction #2: Zero trust will replace VPN to secure a distributed workforce.
In 2023, zero trust will replace virtual private networks completely as security teams adjust to a more dispersed workforce. With work-from-home here to stay, company network borders won’t look anything like they used to. Employees are accessing most work applications via SaaS, and IT teams are hesitant to inherit the risk of home networks. Mistrusting every device is the key to supporting and securing remote workforces.
Can zero trust be a business enabler? Read our take on this blog from Vincent Whaart.
Prediction #3: Insider and third-party risk will rise as attackers take advantage of vulnerable parties in the economic downturn.
The impending recession will loom even closer in 2023, and cybercriminals will take advantage of the dire economic situation to bribe their way into corporate systems. We predict that software hacking will decline in 2023 in favor of “insider risk.”
Attackers will set aside their hacking skills and instead single out vulnerable employees at third-party vendors, such as shipping authorities, supply chain companies, internet service providers, and software vendors.
Companies must remain vigilant to not only secure their own network perimeters but also build a strong vendor risk management program.
Prediction #4: Reliance on passwords will decline as the flimsiness of MFA is exposed.
While it’s unlikely that passwords will completely disappear in 2023, MFA fatigue could usher in a passwordless future in years to come. The recent Uber breach highlighted the flimsiness of MFA and left security teams searching for a better alternative. In 2023, we’ll see an emphasis on securing accounts with as many other safeguards as possible, including stronger passwords and password managers.
Prediction #5: Skepticism around blockchain security and availability will continue without more caution.
2023 will be another tumultuous year for blockchain technologies unless the industry shifts away from “point in time” security measures. Currently, too much trust is put into code to be perfect.
Blockchain security teams must layer in more robust controls, including detection and response capabilities, to deter threat actors. The billions of dollars of bridge hacks that occurred in 2022 put a huge dent in users’ confidence in blockchain security.
Luckily, blockchain enterprises and projects are aware that customers are just as concerned about their chosen blockchain’s security as its features. This will lead blockchains to apportion the appropriate resources to improve security in 2023.
In addition to cryptocurrency theft, blockchain availability and stability should be a priority in 2023. If outages and slowdowns continue, blockchains face user decline or even complete collapse.
Learn more about Kudelski Security’s portfolio of blockchain security services.
Prediction #6: Companies concerned about quantum computing should begin assessing risks now.
Controls to prepare for quantum computing are unlikely to see mass adoption in 2023, but keep an eye on it for 2024. The current risks of quantum computing don’t quite outweigh the incredible investment required yet. That said, companies that stand the most to lose from future quantum attacks — e.g., financial services, defense contractors, and companies that transmit extremely sensitive data especially — should begin assessing their risks now.
Are you ready for the era of quantum computing? Watch our webinar to know how to be better prepared.
What Impact Will the Recession Have on Security Teams in 2023?
The recession should have relatively little impact on security teams in 2023. We predict security teams are going to remain mostly untouched even as companies across industries are forced to make cuts to their budgets and workforce in response to the upcoming recession.
American privacy laws will likely be raised to meet current European standards, putting a renewed focus on security and compliance in boardrooms and C-suites.
Additionally, cybersecurity labeling for consumer products, especially on hardware, will further the importance of corporate security teams. Economic hardships will necessitate that security teams work smarter and consolidate to meet the evolving economic and tech landscape.
What Should Security Leaders Prioritize in 2023?
In response to these top cybersecurity predictions for 2023, security leaders should prioritize the following initiatives:
- Adopting an offensive security posture rather than a defensive one.
- Focusing detection and response initiatives on preventive features instead of reactive fixes.
- Phasing out VPN in favor of zero trust strategies for the remote workforce.
- Building out a strong vendor risk management program to protect against third-party risk.
- Looking for alternatives to MFA while implementing stronger password requirements and account protections.
- Working smarter and consolidating to meet the evolving economic and tech landscape.
- Bolstering availability and security of blockchain-related services.
- Assessing risks related to quantum computing, especially for those in financial services, defense, or other industries that deal with highly sensitive data.
Get in Touch
Kudelski Security can help you prepare for 2023 and beyond with a comprehensive suite of security advisory services. From MDR and zero trust to blockchain and quantum, our experts can assess, design, implement and manage a resilient cybersecurity strategy. Get in touch with our team here.
The bubble for cryptocurrency may have burst in 2018, but the potential for the blockchain technology behind it is just getting started, especially within the enterprise. The same benefits blockchain technology provides crypto—reliability, efficiency, transparency—can all be realized by the enterprise in order to increase efficiencies, reduce costs, create new markets, and ultimately impact the bottom line.
It is with these benefits in mind that Kudelski Security launched our Blockchain Security Center in early 2019. The BSC is wholly committed to helping the enterprise deploy, validate, and secure blockchain ecosystems. Through our work over the past year and a half, our team has come across common scenarios, use cases, and ultimately, solutions to help enterprise adopters confidently design, develop, and run secure blockchain technology.
These solutions address pain points that are specific to the enterprise implementation of blockchain. Where previously, blockchain primarily supported one-to-one transactions, the stakes are much higher and the scale much bigger at the enterprise level.
We’ve seen three main factors emerge that enterprises need to bear in mind when exploring secure blockchain implementation: code validation, global scalability, and proof of provenance.
We’ll explore each of these a little deeper later in this post, but first, it is important to understand some foundational concepts about blockchain.
What is blockchain technology?
A blockchain is a mathematically protected database that uses hashes, signatures, and algorithms to create a fixed record of transactions, known as a ledger. As transactions occur, a hash is generated that links it to the transaction before, creating a chain. If information within the chain is altered, the mathematical algorithm breaks in a way that indicates data has been tampered with.
Is blockchain technology inherently secure?
While blockchain comes with some built-in protections, that does not inherently mean the processes and technology around it are secure. Therefore, the security of the entire blockchain ecosystem must be considered. Not only that, but the applications making decisions based on information stored in the blockchain can only be as good as their underlying algorithms. If those aren’t secure, or if they don’t do what they say they will do, blockchain cannot be viable in the enterprise. That foundation is essential, and it is the foundation that we’ve built the BSC on.
Three Considerations for Enterprise Blockchain Adoption
In our work in the BSC, many of the enterprise client requests we have encountered involve at least one of the following activities: validating the blockchain, scaling the blockchain, and proving provenance in the blockchain. For good reason, too. Each of these activities is essential to ensuring processes and technologies deliver the uninterrupted, enterprise-level service customers and the business rely on.
1. Validating the Blockchain
Blockchain is only as good as the math it runs on, right? For blockchain technology vendors and customers, validating that the blockchain does what it is supposed to do is critical to establishing and maintaining trust. The abstract, distributed nature of the blockchain makes it difficult to assess without deep expertise in cryptography.
I am lucky to work with some of those experts. They are able to audit nearly any type of blockchain code or cryptography in order to perform assessments of existing blockchain architectures or to test new technologies. For example, a vendor could claim that their blockchain consensus is based on proof of elapsed time, but they have no way to prove that to clients. A code audit can verify those claims and create that trust.
2. Scaling the Blockchain
Blockchain is an immature technology that wasn’t necessarily built with the enterprise in mind. For one-to-one cryptocurrency transactions, a personal wallet or ledger sufficed. However, as blockchain expands into digital asset custody for financial institutions or transportation monitoring for the supply chain, the number of transactions, users, locations, devices, etc. involved in the process multiplies. These processes can be critical to the quality and integrity of service, and so the blockchain ecosystem must be designed to support and integrate with the global architectures, access management, and IoT platforms it runs on.
3. Proving Provenance in the Blockchain
Provenance in the blockchain means tracing the origin or authenticity of an asset as custody is transferred through digital means or physical supply chain. It is a record of what an asset is and where it has been. As enterprises rely more on blockchain technology to automate processes and decision-making, proof of provenance ensures operational efficiency and reliability.
Take, for example, our supply chain scenario. Blockchain could facilitate an automated decision on whether or not to pay a delivery truck driver. Each transfer of the asset is recorded in the blockchain. If the asset is what it is supposed to be and comes from where it is supposed to come from, then there is no reason not to pay the driver. If, however, the asset has been tampered with, the blockchain would break, and payment would not be issued.
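To make the two ideas above concrete (the hash-linked ledger described under “What is blockchain technology?” and the automated pay-the-driver decision in the custody scenario), here is an added example that is not part of the original post. It is a minimal custody ledger: each entry carries the custodian’s signature over the record and a hash that also covers the previous entry’s hash, so altering any earlier entry breaks the chain, and an attacker who recomputes the hashes still cannot forge a custodian’s signature. The custodian names, asset id and keys are constructed for the demo; HMAC stands in for the digital signatures a real ledger would use, so that the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed demo keys: stand-ins for the custodians' signing keys. A real
# ledger would use asymmetric signatures; HMAC keeps this example short and offline.
CUSTODIAN_KEYS = {
    "factory-a": b"factory-a-secret",
    "carrier-b": b"carrier-b-secret",
    "warehouse-z": b"warehouse-z-secret",
}
GENESIS_HASH = "0" * 64  # hash the first entry is linked to


def canonical(obj):
    # Deterministic serialization so hashes and signatures are reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(holder, record):
    # The custodian named in the record signs the record with its own key.
    return hmac.new(CUSTODIAN_KEYS[holder], canonical(record), hashlib.sha256).hexdigest()


def entry_hash(prev_hash, record, signature):
    # Each entry's hash covers the previous hash: this is the "chain".
    return hashlib.sha256(
        canonical({"prev": prev_hash, "record": record, "sig": signature})
    ).hexdigest()


class CustodyLedger:
    def __init__(self):
        self.entries = []  # each entry: {"record": ..., "sig": ..., "hash": ...}

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        sig = sign(record["holder"], record)
        self.entries.append(
            {"record": dict(record), "sig": sig, "hash": entry_hash(prev, record, sig)}
        )

    def verify(self):
        """Return (True, None), or (False, index) for the first entry that fails."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            rec = e["record"]
            holder = rec.get("holder")
            # Signature check: the record must be signed by a known custodian.
            if holder not in CUSTODIAN_KEYS or not hmac.compare_digest(
                sign(holder, rec), e["sig"]
            ):
                return False, i
            # Chain check: the stored hash must match the recomputed link.
            if entry_hash(prev, rec, e["sig"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def authorize_payment(ledger, asset, origin, destination):
    """The automated pay-the-driver decision: pay only if the chain is intact
    and the asset is the expected one, from the expected origin, at the
    expected destination."""
    ok, bad = ledger.verify()
    if not ok:
        return False, f"ledger integrity check failed at entry {bad}"
    records = [e["record"] for e in ledger.entries]
    if not records or any(r["asset"] != asset for r in records):
        return False, "asset id mismatch"
    if records[0]["holder"] != origin:
        return False, "asset did not originate where expected"
    if records[-1]["holder"] != destination:
        return False, "asset has not reached the expected destination"
    return True, "payment authorized"


def build_sample_ledger():
    # Constructed custody history: factory -> carrier -> warehouse.
    ledger = CustodyLedger()
    ledger.append({"asset": "pallet-0042", "holder": "factory-a", "event": "manufactured"})
    ledger.append({"asset": "pallet-0042", "holder": "carrier-b", "event": "picked up"})
    ledger.append({"asset": "pallet-0042", "holder": "warehouse-z", "event": "delivered"})
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(authorize_payment(ledger, "pallet-0042", "factory-a", "warehouse-z"))
    # Simulate tampering with an intermediate custody record.
    ledger.entries[1]["record"]["holder"] = "shady-broker"
    print(ledger.verify())
    print(authorize_payment(ledger, "pallet-0042", "factory-a", "warehouse-z"))
```

Two points the passage glosses over are visible here. The hash chain alone only proves that the entries are consistent with each other; what stops an attacker from rewriting history and recomputing every hash is the per-entry signature (and, on a real blockchain, the distributed copies and consensus). And the payment logic lives outside the ledger, in application code: this is exactly the “periphery” that the rest of this page argues must be secured as carefully as the ledger itself.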
If your organization has deployed or is thinking of deploying blockchain technology, our team would be happy to talk through the above solutions or any other requests you might have. Not only do we bring blockchain and cryptographic experience to the table, we have the expertise and services of the entire Kudelski Security team to help you securely integrate blockchain into your enterprise architecture.
When the Blockchain Security Center was conceived in 2018, it had a few goals in mind to help companies, projects, and inventors around the world use blockchain and advanced cryptography safely. With over 50 commercial applications as well as work with some of the world’s largest exchanges, such as Crypto.com, our perspective as well as our integration into the ecosystem continues to grow.
We believe that blockchain is an important technology, capable of improving each facet of the CIA Triad in information security. Improving confidentiality (through privacy-preserving technology and encryption), integrity (through the guaranteed truth of the blockchain), and availability (through distributed copies of data) in each technology implementation is a starting point.
We not only work with the largest of companies, but also the smallest independent and open source projects, helping them fuel their innovation in a secure manner. As a publicly traded company, we have the same challenges as others with directly accepting cryptocurrency as payment. Now that there are regulated and secure services such as the one offered by Crypto.com, we were happy to integrate this process into our runbook for accepting payments. Companies wishing to do business with us in Europe or Asia can now receive their invoice on the Crypto.com platform and pay in the listed currencies. It is extremely important within our risk posture that our third-party partners meet international security standards, and with Crypto.com complying with both ISO 27001 and PCI DSS, we felt comfortable with this integration.
We believe this integration will reduce fees, allow our customer base to grow within the crypto & blockchain ecosystem, enable easier mobile payments for smaller customers, and allow our global expert services to be utilized by those companies and countries that are traditionally unbanked. As users hold more and more digital assets, we are working to be at the forefront of enablement, security, and acceptance.
If you are interested in threat modeling, security architecture review, code assessment, or other blockchain/cryptography/cryptocurrency services, please contact us at kudelski-blockchain.com.
The Binance Hack shows us once again that simply by moving the world to blockchain, it will not remove the risks associated with two major areas: Users and Basic Best Practice Hygiene. It’s frustrating to me as a 20-year practitioner that we continue to make the same mistakes as 20-years ago, just in a different programming language.
Risk Area 1: End Users
First, systems are only as weak as the users. No matter how good the system is, any loss of information, compromise, virus, misunderstanding, or exploit of an end user or their ‘key’ to your system WILL result in a compromise to their account. Sometimes a backend system will catch a transaction that is unexpected but often ‘insurance’ just pays back the user because most financial institutions still will not accuse their users of being stupid or provide help to make an end-user computer system better, it’s better PR to just make them whole. Good on Binance … they just made the users whole. From a prevention standpoint though, until there are more measures directly aimed at proving the intent and identity of the user, with backend detection, AI, behavior, signal detection, instrumentation, incidents will continue to happen within #blockchain infrastructures just as in any traditional system.
Risk Area 2: Lack of Basic Hygiene
Second, companies have to stop skipping basic cybersecurity hygiene! I’m very happy to read that Binance had back-end systems that noticed something, but I’m guessing that they do not have a fully functional managed security provider, SIEM, behavior tool, systems instrumentation, etc. I have not talked to Binance specifically but have tried reaching out to exchanges to ask about their cybersecurity abilities, and without fail get “We take care of all of that internally.” Unless these exchanges have all built a fully operational staff of cyber experts (haha), these breaches will continue to happen. Please do not believe that your expert developers understand cybersecurity like the actual cyber experts. 90% of a blockchain system is the same application risks as a traditional data center system. Don’t forget what we have learned from NIST, PCI, HIPAA, etc.
If you run a crypto project or an exchange, I would love the opportunity to have my team run a short cybersecurity assessment on your environment and start to make some headway in improving architecture, monitoring, or response so that we can get your detection and response time to near zero.
This new service could address the lack of security in applications, processes, and systems associated with blockchain, which itself, is mathematically protected.
Kudelski Security, the Kudelski Group’s Cybersecurity division (SIX: KUD.S), is launching its Blockchain Security Center (BSC), which targets the blockchain-based developer community.
While transactions on a blockchain are protected by proven mathematical principles, security is not necessarily integrated into applications, technologies, processes, and associated systems. That’s where Kudelski Security’s new expert cryptography service, grouped at its Blockchain Security Center launched today, comes into play.
Blockchain technology has the potential to revolutionize business capabilities by creating new opportunities for optimizing efficiencies and improving the performance of technology applications in all industries.
Gartner predicts that the blockchain technology market will account for $3.1 billion in 2030 as blockchain technology expands, bringing new opportunities for optimization in all industries.
A roadmap has been developed by Kudelski Security for its BSC, to develop fundamental technologies, enabling the integration of security in and around blockchain solutions destined for the public and private sector. Interview with Kudelski Security Global Chief Technology Officer Andrew Howard and Scott Carlson, Kudelski Security’s new Head of Blockchain.
What are the main security risks related to blockchain? Blockchain is an algorithmic program, created by people who we may assume have a different logic. It only takes a small human error to – despite the exceptional level of the mathematics – cause the collapse of the system. The academics of mathematics will hold, but not the layers of technology assembled around blockchain, such as hardware, cloud, associated application, website, which are targeted by hackers every second. The risk is huge to companies of losing the trust of their customers.
Intrinsically, is the blockchain not safe? While blockchain transactions are protected by proven mathematical principles, security is often overlooked and not necessarily integrated into applications, processes, systems and associated technologies. That’s where we come in. We help companies active in digital finance, communications, and IoT to secure their products using proven methodologies and common sense approaches in order to deliver superior performance and instill end-user confidence. We are not just satisfied with looking at the code; we work with all the components present within an ecosystem of manufacturers, end-users, companies and code creators.
What do centralized solutions bring to your new Blockchain Security Center (BSC)? The BSC is developing a suite of extended cryptographic solutions, security recommendations for enterprise blockchains, and development tools intended to address the entire blockchain ecosystem. Leaders, investors, engineers and developers of blockchains will be able to confidently design, develop and run secure applications that implement this new technology.
What about the competition? As far as we know, there are no tailor-made products available other than those of giants, such as IBM, Amazon and Oracle, and white-papers, which cover some 85% of process change needs. But nobody is really ready to address the remaining 15% of needs, which are the most pertinent.
Our 30 years’ expertise in the field of cryptography, from chip to software, allows us to warn our customers tempted by the adoption of standard technical, plug & play, fast and cheap solutions, which do not address the whole problem. We are concentrating on the remaining 15%, which means that security must be the main focus of our customers’ concerns. What we observe in this intense phase of digitalization of our economy in all sectors of activity is that security is often relegated to the background. Hackers spot classic errors at the speed of light, and by infiltrating them can cause the collapse of the system in place. Think about the transfer of payment allowed by blockchain technology that contains flaws. It’s like fixing an old problem, but in a new way, avoiding the generation of new vulnerabilities.
What are the early-adopter sectors? Mostly VC-funded start-ups and cryptocurrency companies in their Initial Coin Offering (ICO) project. But we are seeing a major shift in the market in the manufacturing sector (to optimize their value chain), financial services and insurance, and health. In Switzerland, the financial services industry and insurance companies are among the “spearheads”.
In Switzerland, the Federal Council adopted a report in December on the legal framework governing blockchain and distributed ledger technology (DLT) in the financial sector. Swiss legislation lends itself well to the use of new technologies, including blockchain.
Original article by Elsa Floret appeared in L’Agefi, translated from French to English.
Today, we are announcing the launch of our new Blockchain Security Center, a full-service practice that represents the culmination of decades of experience securing our clients’ businesses. The Center’s goal is to enable our clients to securely transform their enterprises using the power of blockchain and other Digital Ledger Technologies (DLT).
We believe that Kudelski Security is well-positioned to serve enterprises as they venture into the world of blockchain and DLT. Our 30 years of leadership in cryptography, data protection, and secure system design prepare us to partner with clients on their most innovative endeavors.
Why Blockchain? Why Now?
Blockchain is exiting its honeymoon phase. The unprecedented boom of 2017 followed by the Great Crypto Crash of 2018 has shifted much of the mainstream opinion from “miraculous” to “frivolous”. This opinion shift is valid to an extent; blockchain is not the solution to every problem. The bubble surrounding the boom, much like the technology bubble of the early 2000s, was destined to pop at some point. However, not all is lost. While the starry-eyed optimism of technology enthusiasts coupled with the “get rich quick mentality” of the ill-informed got us here, robust and sensible solutions for the enterprise will lead the way on.
Looking beyond cryptocurrency, we believe that enterprises are the future of blockchain. Blockchain and related DLT allow business leaders to disrupt old processes in a way that will impact bottom-line results and shape future markets. We have seen blockchain enable our clients to rethink their businesses far beyond the typical cryptocurrency scenarios, and we are confident that the long-term impact of the technology will be great enough to one day be immortalized in textbooks.
There are plenty of known scenarios where blockchain can enable disruption and thousands yet to be conceived, especially in areas where provability of source, monitoring of transport, or assertion of delivery is essential.
* Blockchain can save lives by bringing much-needed trust and transparency to the pharmaceutical industry. For decades, the industry has been beset by fraud and errors throughout its supply chain. Raw materials flow through a series of unrelated players on their way to becoming consumable remedies. Once completed, these remedies are distributed through yet another series of unrelated parties before making it to patients. Smart contracts supported by closed consortium-based or private permissioned blockchains could serve as a reliable and efficient mechanism for tracking the flow of information, financial capital and materials throughout the entire supply chain. This implementation of the technology could ultimately improve the quality of medications given to patients around the world and slow illegal trafficking.
* Blockchain-based identity verification systems will enable trust, provide transparency and reduce friction across business ecosystems, driving huge resource savings for enterprises. These trust-based mechanisms have the potential to reduce the burden of complying with know-your-client (KYC) and anti-money laundering (AML) regulations, making onboarding new clients cheaper and less time-consuming.
* The fine foods industry is ripe for disruption from blockchain, as counterfeit goods dilute brands, endanger consumers, and ultimately strain profits. Often these fine foods are traded between unrelated parties on a low-trust basis. By the time the products make it to the shelves, consumers are left guessing about the legitimacy of the food they intend to purchase. Tracking the movement of these goods on an immutable ledger allows the entire value chain to justify higher prices by restoring the product’s credibility to the end consumer.
The Blockchain Security Center: Up Close
The Blockchain Security Center will deliver advisory, design, and development services for enterprises internationally, and later in 2019 we anticipate launching a suite of enterprise-focused solutions. Through our experience over the past several years we have noted that the most vulnerable point of most blockchain applications is on their periphery. Though the blockchains themselves may be secure, the architecture around them is typically susceptible to intrusion. The secure-by-design mentality of blockchain must transcend the ledger itself into the development of the full stack.
For the past two years, we have assisted start-ups and enterprises in their quest to validate their blockchain applications, build ecosystems around their existing blockchains, and craft their business models based on the promise of blockchain. Taking our program forward is Scott J. Carlson, the Head of Blockchain Security. Scott will be leading the new Center, bringing decades of experience in emerging technologies, enterprise architecture, and, most recently, blockchain security for the enterprise.
We look forward to working with you.