As organizations recover, rebuild and retool with a digital-first mindset, cybercriminals will be watchfully waiting for the proliferation of attack surfaces.

As a tumultuous year of health and cybersecurity issues draws to a close, what can we expect from hackers next year?

Ethical hackers around the world have also had a rough year, so who better to hear from regarding 2021 predictions?

Before the crystal balls start churning, here is a recap by the good digithacker community about 2020. Australian hacker Shubham Shah, a.k.a. @notnaffy noted that the increase in free time due to the pandemic had enabled hackers to team up with others to find more critical vulnerabilities: “With an almost global lockdown, I’ve increasingly worked virtually with other hackers to collaborate on bug bounty programs in order to discover more critical vulnerabilities. When calculating security, two variables are normally taken into account: time and resources. At the moment, there is far more time to spend on breaking the security of any given target, meaning there is a higher chance of finding vulnerabilities.”

Singaporean hacker Samuel Eng, a.k.a @Samengmg also witnessed how bounty hunters have been busy during the pandemic: “Due to the COVID-19 pandemic, I’ve seen an influx of bug bounty hunters in various programs. I noticed that many programs hardened really quickly at the start of the pandemic, especially common vulnerability classes such as XSS, SQL Injections and basic authentication bypasses.” 

Cybersecurity predictions for 2021

  • Impact of DX speed
    Concerned about the impact that the coronavirus has had on security as a result of businesses and schools having to speed up their digital transformation projects, German Hacker Julien Ahrens, a.k.a @MrTuxracer, reflected: “The COVID-19 pandemic has forced businesses to speed up their digital transformation in ways they weren’t expecting. As a result, I think that we’re going to see an influx of attacks, especially against those who have just begun digitalizing. One thing that particularly concerns me in Germany is the enormous speed at which government institutions like schools are moving everything online. They had to build systems and processes with very little time, which is never a good thing when it comes to security. I’m not even just talking about technical flaws that lead to security issues, but also the security awareness.”
  • New attack methods
    James Kettle, a.k.a @albinowax, from the United Kingdom, warned: “As the classic attacks get mitigated and picked off by automated scanners, I think we’ll see a gradual trend of hackers embracing the obscure: business logic flaws, race conditions, timing attack and convoluted attack chains in general. We’ll see more people exploiting discrepancies between multi-server applications, through the likes of request smuggling, parameter pollution and path normalization exploits.”
  • Social engineering
    This phenomenon will still be a concern for 2021. German hacker Ahrens added: “It’s inevitable that all kinds of attacks will increase in 2021 because more companies are moving online. But there is one type of attack I think will increase exponentially, and more than any technical attacks: social engineering. I think social engineering attacks against people who aren’t sufficiently guarded and aware will massively increase because companies won’t have had the time to sufficiently educate their employees about the threat.”
  • App development and deployment increase attack surfaces
    Shubham Shah commented: “As businesses recover from this pandemic and economies are rebuilt, I predict that there will be an uptick in application development and deployment. That means the rapid introduction of new assets, applications and networks: a growth that will be challenging to manage from a security perspective. I believe the biggest threat to both businesses and government agencies will be managing their attack surfaces and the respective security exposures as they rebuild and grow.”  

As companies embrace the cloud-first approach, Shubham expects to see companies adopting newer technologies such as Kubernetes, to orchestrate the deployment of critical applications and services. But: “with new technologies and methodologies being adopted,  there are usually misconfigurations and missteps along the way that may lead to vulnerabilities,” he noted.