Behind the scenes can tell a lot about the future, so we revisited the top cybersecurity stories for 2022 with experts in the field.
Yes, it’s the season for cybersecurity experts to look into the crystal ball and tell us what to expect in the coming year. That’s fine, but it’s also nice to look back at the year ending next week. Not just what happened, but what it means and what we can learn from it.
With that as a goal, I can say (I can sing) that “this year was a very good year” with the late Frank Sinatra. Not all good news, but much to learn. Even when it’s painful, it’s useful. So, in no particular order of importance, here are some of the events and trends of the past year, ranging from encouraging to disturbing to alarming, all of which have been beneficial.
real wake up call
There are at least dozens and possibly hundreds of catastrophic cybersecurity events called “wake-up bells.” These included breaches of the Federal Office of Personnel Administration uncovered in 2014 that compromised the personal and financial information of over 22 million current and former federal employees. Stuxnet, who destroyed most of Iran’s nuclear facilities in 2010. Industroyer took down part of Ukraine’s energy grid in 2016. A ransomware attack on the Colonial Pipeline in 2021 shut down nearly half of the East Coast’s fuel supply for almost a week. A year ago, a vulnerability in his Log4Shell group was discovered in the Apache Software Foundation’s (ASF) open source logging library Log4j.
And most of the time, it’s as if everyone hit the metaphorical snooze button after the blizzard headlines and panic faded.
But according to Michael White, technical director and principal architect of the Synopsys Software Integrity Group, it may be dead. This is very good news for everyone but cybercriminals who have thrived on so many organizations’ lethargic security measures.
“I think wake-up calls are already here in the form of rules and regulations,” he said. “Certain industry sectors such as healthcare, automotive and energy, and product security regulations in both the UK and his EU jurisdictions mean we can no longer hit the snooze button.”
“Someone must sign their name to certify that the organization has done everything previously ‘recommended,’ and there are clear consequences for not following the rulebook. ”
ounce of prevention
If you look at most of the headlines about cybersecurity, you might think industry news is always bad, but there’s better news on other fronts…just as carnage and crime always lead the evening news. And, of course, there’s a lot of bad news, too.
But some of the best news of the year that you may not have realized is why we bring it to your attention. Good news on the point. An unknown number of disaster headlines that need not be written.
Software will be more secure in 2022 in several key areas. This means that bad things still happen, but not as often.
One way is to increase the use of the programming language Rust in the Linux kernel, a key component of the free and open source Linux operating system. The Linux OS, which has been around for over 30 years, was previously written primarily in C. C is a low-level language that makes it easier and faster to write code and handle high-performance demands, but it’s also notorious for security. bug.
Rust delivers performance pleasures almost painlessly. Travis Biehn, technical his strategist for the Synopsys Software Integrity Group, said Rust: With the introduction of operating system components such as the Linux kernel, developers can start writing new projects in safe and modern languages. This is the first step in improving Linux kernel security. Hopefully Linux won’t be the last project to pursue them. ”
Something similar is happening on the browser front with Mozilla’s Firefox. Web browsers have traditionally been written in low-level languages such as C for high performance, which has resulted in widespread vulnerabilities.
“One of the most error-prone areas of programming is writing parsers, video and audio codecs,” says Biehn. “However, Mozilla pioneered an approach with the community so that Firefox could wrap these routines in a special sandbox to prevent software bugs from compromising users’ machines. is a great achievement and a new way to protect your users with sandboxing.”
Ransomware continues to grow
The first attack was 33 years ago, according to security firm CrowdStrike. The victim had to send what now sounds like his $189 pocket money to a P.O. Box in Panama.
But ransomware continues to evolve and is now a global plague that robs victims of at least $20 billion annually and has been one of the top cybersecurity (or lack of cybersecurity) stories each year for over a decade. are becoming one.
According to Statista, there could be over 472 million ransomware attacks by the end of the year. That’s about 15 per second. And, as the past year has proved painfully, attackers can wreak havoc and jeopardy on critical infrastructure, from food to fuel, transportation, utilities, healthcare, education, and more.
Ironically, the best way to minimize your risk of falling victim to ransomware is also old news. A silver bullet is unlikely, but the main reason these attacks succeed is the lack of software and system security, and the lack of awareness about how to resist social engineering.
Rebecca Herold, CEO of Privacy & Security Brainiacs, says too many organizations are building more secure software, using end-to-end encryption, creating more effective backup and recovery procedures, Instead of teaching employees how to spot a phishing attack, it said it decided to either: You may not be targeted or buy cyber liability insurance and usually mistakenly assume that your insurance covers all costs of a ransomware attack. ”
“Cybercriminals love this,” she said.
SBOM: year acronym
If you don’t know what the Software Bill of Materials acronym means, you’re part of a vanishing minority. Here are some of the best security news of the year. Yes, that profile took off nationally in 2021 as a key component of President Joe Biden’s Executive Order to Improve Nation’s Cybersecurity, but over the past year the cybersecurity industry has We have gained a serious critical mass within.
Because, as many experts say, one of the realities of software security is that improving software security means doing more fundamental things than transformational things. And SBOM is, or should be, fundamentals. It is an inventory of everything in the software product supply chain, including where the component came from, who made it, who maintains it (or not), known vulnerabilities and licenses. including whether it contains conflicts with In other words, it helps you understand what software your organization uses and whether it needs to be patched.
The not-so-good news is that the road to mainstreaming SBOM can be bumpy. A few weeks ago, the Information Technology Industry Council (ITIC), a lobbying organization whose members include tech giants such as Amazon, Apple, Microsoft, Intel, IBM, Cisco, Samsung, and Zoom, wrote to the Federal Office of Management and Budget. rice field. (OMB) is asking federal agencies to “discourage” requiring SBOM for software products they purchase because SBOM is not yet “scalable and consumable.”
“We still don’t think SBOM is an appropriate contractual requirement. […] At this time, it is premature for software makers to offer SBOMs, and their usefulness is limited,” writes ITIC.
No official answer from OMB yet, but the clichéd reality of security remains the same.
the worst of the worst
Every year more software is created. At its peak two years ago he had 2.8 trillion lines of code. It’s also imperfect because it’s written by imperfect humans. So every year there are more vulnerabilities in software.
More than 22,500 have been added to the Common Vulnerabilities and Exposures (CVE) list, according to Statista, with just two weeks to go before the 2022 book deadline. This is a new record.
But clearly some are worse than others. And at worst he stepped into 2022. The Log4Shell vulnerability (mentioned above) was actually discovered at the end of 2021, but has extended into 2022 and continues to pose a significant threat to organizations. Many organizations fail to install the update, probably because they don’t even know Log4j is buried. Somewhere in the software supply chain.
Open source software offers multiple advantages for both developers and users, but it is neither more nor less secure than other software. And since everyone is using open source everywhere, my New Year’s resolution is to keep track of open source (with the help of SBOM) and stay up to date.
The Internet of Things (IoT), with a global “population” of approximately 13.1 billion devices, nearly double the world’s population of 7.8 billion, is increasingly being called the Internet of Everything.
And because both their vendors and buyers still value functionality over security, they have been the world’s largest attack surface for years.
But over the past year, a more sinister IoT trend has been gaining momentum. The risk isn’t just for hackers to compromise your “smart” devices and steal your money or identity.
Herold noted that IoT products are increasingly being used by criminals to “track and hunt down targeted victims.” According to Vice, a woman in the United States reported 50 cases where she received notices from eight police stations that she was being tracked by a device she didn’t own.
Two women filed a class action lawsuit against Apple earlier this month, alleging negligence after their former partners or husbands used AirTags to track their movements and location. The complaint alleges that her AirTags, which have been touted as a way to track items such as packages, are “one of the most dangerous and terrifying technologies used by stalkers.”
And Congress responded to the threat with a bill titled “Technical Safety Act for Victims of Domestic Violence, Dating Violence, Sexual Assault, and Stalking.” Its sponsors, Sen. Ron Wyden (D-California), U.S. Representatives Anna G. Eshu (D-California) and Debbie Lesko (R-Arizona), said:[e] New grants to clinics and other partnerships focused on addressing domestic violence and technology-assisted abuse. ”
“It’s not just Apple. All other types of GPS trackers can be used for this purpose,” says Herold. “Throughout 2022, we are seeing more and more reports of this type of situation, [these devices] They will increasingly be used for malicious purposes while cybersecurity controls and privacy protections are lacking. ”
Many of the year-end headlines in the tech economy were about layoffs. Crunchbase reported that he had cut 90,000 jobs at more than 370 companies by mid-December. The list includes names such as Netflix, Adobe, Facebook parent company Meta, Cisco, Amazon, and Salesforce.
For the most part, however, the job cuts had no impact on the cybersecurity sector. The cybersecurity sector has the opposite problem: an ongoing skills gap.
Last year was terrible. Most experts predicted that this year would be even worse. Hooray. Next year will likely be even worse. According to the (ISC)2 2022 Cyber security Workforce Study, the gap increased by 26.2% from 2021 to 3.4 million people.
The survey found some encouraging trends (a majority (72%) of organizations expect to increase their cybersecurity staff within the next year), but there is a shortage of skilled applicants. Not only for this reason, the shortage of human resources is expected to continue.
Until things improve, organizations can start closing the gap with one of the security expert’s slogans. Security is everyone’s responsibility.
Stay on top of the latest AppSec news