Well, we made it. 2021 is finally in the books. The gift of Log4J and the onslaught of vendor emails made for an eventful end to 2021. Take a minute (and I only mean a minute) to catch your breath before we jump headfirst into 2022. It’s time to look forward to what the cybersecurity landscape will give us this year. Obviously, I could continue to scare you with increased COVID-19 related attacks, the lack of cybersecurity progress in the healthcare industry and mega breaches in the cloud, but there is already enough written and rewritten on those topics. The cloud continues to be a technology accelerator – and a risk to businesses going forward. Most of our office perimeters have dissolved and clouds enable a mobile workforce. Hyper-connectivity of systems and applications, with everything automatically talking to everything else, is a must. This translates to a lot of risk in 2022.
A recent report by Cybersecurity Ventures outlined that global cybercrime costs[1] will reach nearly $7 trillion USD annually in 2022. To put this figure in perspective, if cybercrime was a country, this figure would represent the world’s third-largest economy after the U.S. and China. An entire industry has popped up around cybercrime in a way we’ve never seen before. With so much at stake, what are the things to watch out for to make sure you are as prepared as you can be?
Looking back, a lot of the risks we called out at the beginning of 2021 were never properly addressed and therefore remain risks today. For example, credential theft and attacks targeting privileged users continue to dominate the headlines, although the targets and sophistication of the attacks have evolved.
Back in 2019, and 2020… AND 2021, I said the best way to combat these types of attacks was to use multi-factor authentication (MFA). Use it for everything! There is no simpler way to say it – but three years later, this is still not being done. Until we require MFA for access, making it the standard, risk will continue to increase. I cover this past advice and other cybersecurity predictions for 2022 below.
1. Embrace ZERO Trust Security
We are all used to the traditional security model of authenticating to the perimeter VPN or to a cloud application, then carrying on with our tasks. This “Trust but Verify” strategy assumes everything within an organization’s network is trusted and not already breached. Once a user is authenticated to the VPN, they can move around to any resource to which they have access. The assumption is that the user is who they say they are, that the user’s account is not compromised, and that the user will act responsibly.
This model leaves organizations vulnerable to credential theft, low-and-slow attacks, and malicious insiders. Essentially, all authenticated users are trusted on the network. That’s a risk. A big one.
Enter ZERO Trust.
ZERO Trust is not a single product or technology; it’s a methodology. ZERO Trust access methodologies never trust and always verify. This eliminates any trust that previously existed for users, credentials, networks and permissions. Instead, ZERO Trust continuously checks and authenticates every attempt to gain access to data, applications, servers and other resources to ensure the requester is who they say they are. Even the U.S. Federal government is pushing hard for agencies to adopt this model under new guidance released last year by the Office of Management and Budget’s Cybersecurity and Infrastructure Security Agency. There will be a heavy emphasis this year by organizations both large and small, federal agencies and security vendors on ZERO Trust strategies.
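To make the difference between the two models concrete, here is an added example (not from the original post, and not any vendor’s product) contrasting a perimeter-style decision, which trusts anything entitled once the VPN login succeeded, with a ZERO Trust decision that re-verifies entitlement, MFA, device posture and authentication age on every request. The request model, the 15-minute re-authentication window and the account names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical request model and policy, constructed for illustration.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    entitlements: frozenset      # resources the account is entitled to
    mfa_verified: bool           # MFA satisfied for this request
    device_compliant: bool       # device posture check passed
    last_auth: datetime          # when the identity was last proven

MAX_AUTH_AGE = timedelta(minutes=15)   # assumed re-authentication window

def perimeter_decision(req: AccessRequest) -> bool:
    """'Trust but verify': the user authenticated to the VPN once, so any
    resource they are entitled to is reachable with no further checks."""
    return req.resource in req.entitlements

def zero_trust_decision(req: AccessRequest, now: datetime):
    """Never trust, always verify: every request is re-checked against
    entitlement, MFA, device posture and freshness of authentication.
    Returns (allowed, reasons_for_denial)."""
    reasons = []
    if req.resource not in req.entitlements:
        reasons.append("no entitlement for resource")
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    if not req.device_compliant:
        reasons.append("device posture check failed")
    if now - req.last_auth > MAX_AUTH_AGE:
        reasons.append("authentication too old, re-authenticate")
    return (not reasons, reasons)

NOW = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)

# Constructed scenario: a captured session of an entitled user, replayed
# from an unmanaged device without MFA, two hours after the original login.
HIJACKED = AccessRequest(
    user="alice", resource="hr-db", entitlements=frozenset({"hr-db"}),
    mfa_verified=False, device_compliant=False,
    last_auth=NOW - timedelta(hours=2),
)
# The same user, freshly authenticated with MFA from a managed device.
LEGITIMATE = AccessRequest(
    user="alice", resource="hr-db", entitlements=frozenset({"hr-db"}),
    mfa_verified=True, device_compliant=True,
    last_auth=NOW - timedelta(minutes=3),
)
```

The perimeter model admits both requests because the entitlement exists; the ZERO Trust evaluation admits only the fresh, MFA-backed request and returns the reasons the hijacked one was refused.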
2. Cryptocurrency becomes a target
With interest rates (currently) at all-time lows, hyper-inflation and the U.S. stock market at all-time highs, investors are looking for better returns on their money. Apps like CoinBase, Robinhood, eToro and others make investing available to even the most technologically novice user. This could potentially be a recipe for disaster. As novice investors move funds into these apps, the apps become popular and draw attention. Late last year, we saw what Robinhood calls a “data security incident” which compromised data from 7 million accounts by using simple social engineering techniques. Although this incident wasn’t as bad as it could have been, it shows that no app is off limits. This was the toe in the water. We are going to see larger attacks focused on targets where the money is.
Take steps to protect yourself:
- Practice good security hygiene
- Do not respond to unsolicited messages (these are almost always scams)
- Do not divulge information
- Monitor the activity on your investments
- Turn on two-factor authentication
3. Ransomware as a Service
Yes, this is really a thing now. Ransomware as a Service is a subscription-based model that lets anyone use ready-made ransomware tools to launch an attack. There is no need to develop your own ransomware or even be technically proficient. Using the platform, someone can launch the attack and share the profits. An entire industry has cropped up to support ransomware as a legitimate business model – including crypto exchanges and “cyber security” companies. Most of these crypto exchanges are fronts to launder money, and the “cyber security” companies who “negotiate” with the malicious actors on a customer’s behalf are also part of the ploy.
There is currently no technology that eliminates or completely blocks ransomware. If there were, ransomware wouldn’t be profitable and would not exist. Disturbingly, it’s growing faster than ever. Ransomware is here to stay – because most industries make it so easy to become targets. The best way to combat ransomware is to implement security best practices, verify and reverify that there are working backups, and put real-time monitoring in place.
In the event the ransomware is successful, unfortunately most of the time, the only way to get data back is to pay the ransom. This is a hard pill to swallow.
Even the FBI strongly recommends not paying ransoms, but in a time of crisis all options are on the table and the number of victims paying the ransom is increasing year over year. According to Sophos, 32% of companies hit with ransomware paid a ransom in 2021, up from 26% in 2020.
These stats are high mainly due to the decrease in properly performed and verified backups and other responsible methods used to recover from ransomware and other data-compromising disasters. Because backups aren’t verified to be working, either due to technology failures or not being set up properly in the first place, the company is left with few options. Unfortunately, in these cases, paying the ransom, although not encouraged, may be the shortest route to get data back. Of the 32% that paid the ransom, 96% were able to get some of their data back. But recovered data is inherently compromised going forward.
There are steps you can take now to avoid paying a ransom and becoming a statistic.
- Ensure you have implemented security best practices
- Verify your backups
- Train your staff
- Implement real-time monitoring
- BE PREPARED!
4. The Great Resignation
Anyone else tired of hearing this phrase on a daily basis? The cybersecurity industry was already in the precarious position of not having enough people to fill open positions. This crisis hit an all-time high of 3.5 million unfilled cybersecurity jobs in 2021.
Resignations pose new types of threats: unhappy or disgruntled employees abusing their access for malicious purposes or intentionally stealing data to take to their next job. There is also a disturbing new trend of cyber criminal groups attempting to recruit dissatisfied insiders. A recent study by the Harvard Business Review showed employees between 30 and 45 years old had the greatest increase in resignation rate between 2020 and 2021: over 20%! These resignations, coupled with an enormous workforce gap, mean cybersecurity as a whole, especially monitoring and response times, will suffer in 2022, leading to more mega breaches spanning longer periods of time. Now is the time to automate as much as possible.
5. Exploiting Insecure Authentication
The biggest risk to any organization is passwords, especially default passwords and passwords to privileged accounts, which have elevated access to perform special functions. These can be administrator accounts, service accounts, database connection accounts, application accounts and others. Most of these accounts were set up years ago when an application or system was initially deployed. They have multiple integration points and, because of the risk of “breaking something,” the passwords for these accounts are rarely rotated, likely shared and often improperly stored.
Privileged account abuse is the most common way for hackers to compromise a system. But it starts with authentication. Proper credential storage and visibility into authentication events are paramount for risk mitigation. Relying on manual methods is resource-intensive, error-prone and leaves gaps.
According to a Varonis report, nearly 40% of all users sampled have passwords that have never been rotated! These passwords have a higher likelihood of showing up in online password dumps and being used to infiltrate networks. Simply put – they’re a cyber criminal’s best friend. This is how hackers walk in right through the front door. Not because they’re clever, rather because it’s easy!
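As an added example (not from the original post and not XYPRO’s or Varonis’s tooling), the check below is the kind of automated inventory audit that replaces the manual review the previous paragraph warns about: it flags never-rotated and stale passwords, privileged accounts without MFA, and shared credentials, and orders privileged accounts first. The inventory, the account names, the 90-day rotation threshold and the audit date are all constructed assumptions.

```python
from datetime import date

TODAY = date(2022, 1, 10)   # assumed audit date

# Constructed sample account inventory (hypothetical names, not real data).
INVENTORY = [
    {"name": "svc_backup", "privileged": True,  "last_rotated": "2016-04-02", "mfa": False, "shared": True},
    {"name": "dba_admin",  "privileged": True,  "last_rotated": None,         "mfa": False, "shared": False},
    {"name": "app_api",    "privileged": True,  "last_rotated": "2021-12-20", "mfa": True,  "shared": False},
    {"name": "jdoe",       "privileged": False, "last_rotated": "2021-06-15", "mfa": True,  "shared": False},
]

def password_age_days(last_rotated, today: date):
    """Days since the last rotation, or None when the password was never rotated."""
    if last_rotated is None:
        return None
    return (today - date.fromisoformat(last_rotated)).days

def audit(accounts, today: date, max_age_days: int = 90):
    """Flag the conditions the post calls out: never-rotated or stale
    passwords, privileged accounts without MFA, and shared credentials.
    Returns findings with privileged accounts first, most issues first."""
    findings = []
    for acct in accounts:
        issues = []
        age = password_age_days(acct["last_rotated"], today)
        if age is None:
            issues.append("never rotated")
        elif age > max_age_days:
            issues.append(f"stale password ({age} days)")
        if acct["privileged"] and not acct["mfa"]:
            issues.append("privileged account without MFA")
        if acct["shared"]:
            issues.append("shared credential")
        if issues:
            findings.append({"name": acct["name"], "privileged": acct["privileged"], "issues": issues})
    # Sort key: privileged accounts first (False sorts before True), then by issue count.
    findings.sort(key=lambda f: (not f["privileged"], -len(f["issues"])))
    return findings

def never_rotated_share(accounts) -> float:
    """Fraction of accounts whose password has never been rotated, the same
    kind of figure the Varonis report quotes, computed over this inventory."""
    return sum(a["last_rotated"] is None for a in accounts) / len(accounts)
```

Run against a real export of your identity store, the same logic gives a ranked worklist: rotate and vault the shared service credential first, enrol the never-rotated admin in MFA next.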
Last year’s Kaseya incident showed us the types of multifaceted attacks being used. It’s not a matter of if but when they’re going to get into your network. They’re going to get in, and they will attempt to exploit authentication controls first. In the Kaseya attack, once the attackers circumvented insecure authentication controls, they captured an authenticated session and were able to move laterally using multiple insecure credentials until they could upload a malicious payload and execute commands through SQL injection, which distributed and executed the ransomware. Our efforts should focus on proper authentication controls and shoring up systems to limit an attacker’s ability to move around the network using insecure credentials. Proper authentication controls, password management, ZERO Trust, and multi-factor authentication could have prevented this from happening. I’ve said it before, and I’m forced to say it again – turn on Multi-Factor Authentication for EVERYTHING!
6. Log4J (and others) Continues
Log4J is still here and continues to be an important target for attackers. According to Microsoft “Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations don’t realize their environments may already be compromised. Microsoft recommends customers do an additional review of devices where vulnerable installations are discovered. At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a clear and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.”
Nation-states and other threat actors will continue exploiting this vulnerability, adding new exploits that take advantage of security gaps. Expect more of these highly impactful vulnerabilities. Another fun fact? They have a tendency to happen in cycles. Remember 2014: once the Heartbleed vulnerability became publicized, it opened the floodgates for Shellshock, POODLE, WinShock, Ghost and more. In 2017, the cycle repeated with Struts2, KRACK, CryptoAPI and others.
In 2022, expect more of these mega vulnerabilities now that attention is being paid to this area. The best preparation is to establish a ZERO Trust strategy from the outset, so the fallout from any damage is minimized.
Attackers exploit the weakest link and walk right through the front door. If we continue to make it easy, these types of attacks will only continue.
Passwords are archaic. You must introduce a second factor for authentication. This added layer of complexity to the authentication process provides immense value in terms of addressing the risk. MFA is the biggest bang for your security buck. MFA should be turned on for everything.
Unless we shift our mindset and follow through, attacks will only continue to increase in 2022 and beyond.
[1] Includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
Steve Tcherchian, CISSP, PCI-ISA, PCIP is the Chief Product Officer and Chief Information Security Officer for XYPRO Technology. Steve is on Forbes Technology Council, the NonStop Under 40 executive board, and part of the ANSI X9 Security Standards Committee.
With over 20 years in the cybersecurity field, Steve is responsible for the strategy and innovation of XYPRO’s security product line as well as overseeing XYPRO’s risk, compliance, and security to ensure the best experience for customers in the Mission-Critical computing marketplace.
Steve is an engaging and dynamic speaker who regularly presents on cybersecurity topics at conferences around the world.