

By Greg Johnson, Author, CEO Webcheck Security

January 1 2022


I am very fortunate to be associated with practitioners much smarter than I. Webcheck Security enjoys the services of many skilled penetration testing engineers and fractional CISOs with deep organizational and technical experience. What better way to predict the future than by asking the real wizards? What follows is a compendium of our collective thoughts.



The Log4j issue, much like the SolarWinds Orion attack, affects thousands or hundreds of thousands of organizations. Why? Because this piece of open source code impacts Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, JetBrains, Nelson, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft, and VMware, to name only a handful of the big ones....

Now that it is known and in the open, we can put it in the rear-view mirror, as long as savvy organizations apply the proper patches. Or can we? “Log4j seems to be a marathon instead of a sprint. We are potentially going to see many variations of Log4j,” states pen testing engineer David Jensen. He continues, “I wouldn’t be surprised to continue to see more crypto; ransomware attacks. The more lockdown continues, the more people have time on their hands to think of new attack vectors. There are some financial pundits predicting recession in the next year, and it will be interesting to see how it affects cyber if true.”


Figure 2 - Ransomware Mitigations Article

“I predict an increase in industrial espionage through cyber means (as if there isn’t a ton already),” says Brad Lewis, Webcheck Fractional CISO and pen test engineer. “R&D is expensive and with public exploits that are available and vulnerable networks that house industry-leading technology, it is much cheaper to steal the information and replicate it than build from ground zero. I believe there will be major breakthroughs in the AI field that will be used for both offensive and defensive warfare (not just self-driving cars).”

The reason I lump espionage in with nation-state attacks is simple: most of them are perpetrated or backed by such. Says senior CISO and engineer Ben Card, “I think entities backed by nation states that oppose the Western World's influence (e.g., China, Russia, Iran, etc.) are going to continue to improve their vulnerability detection and automation of exploitation to do more damage to a broader range of Western entities than ever before. SMBs are going to see more targeted and effective attacks than they've ever seen - particularly if the SMBs play any role in the supply chains for more desirable targets like Western government agencies and big businesses. Subsequently, larger manufacturers and service providers will more carefully scrutinize the SMBs they use and require them to implement better security programs and vulnerability detection.”

When Ben says vulnerability detection, he is also describing critical security operations services such as log collection, anomaly detection and response. SMBs now have more affordable options in this realm such as the advanced threat analytics technology and services from companies like Security On-Demand in San Diego, CA.


Figure 3 - Mobile App Security Loopholes

Mobile app functionality has evolved, and useful apps proliferate. On my phone alone I have 5 travel apps, plus multiple financial, social media, utility and other apps, and all of them, of course, may be vulnerable to attack. The reality is that clients request web app tests ten times more often than mobile app tests, which often leaves their mobile apps neglected.

Webcheck Senior VP of Engineering and Testing, Curt Jeppson, states, “I've been doing more research lately into userland insecurities on mobile devices and how they can be used to steal 2-factor credentials. An attacker can do a great job of stealing credentials and keys from there, such as the Keychain on iOS devices. Usually after a restart, all tracks of what they stole are wiped away as well. I see an increase in focused attacks against mobile security by nation state level attackers or high-end hacking groups. I believe it will lead to an increase in thefts of resources like bitcoins and an increase in complete compromise of targeted companies that only depend on 2-factor for authentication security for access.”

So at Webcheck Security we’re raising the red flag and asking developers of mobile apps to ensure they are tested at least once a year, and perhaps budget for two annual tests if possible. Better safe than sorry.


In conclusion, in 2022:

  1. More Log4j-type vulnerabilities will arise. Never before has it been more important to implement detection/response technologies.

  2. Industrial espionage and nation-state attacks will only increase, and in fact will hit more SMBs and small manufacturers that are part of a larger ecosystem than ever.

  3. Finally, we’ll see mobile app breaches leading to PII and cryptocurrency breaches.

We could talk about many mistakes and the lack of cyber control implementation in 2021, but perhaps it’s time to forget old practices and controls and adopt a new vision. This may be as easy as assigning a dollar value to cyber risk and lobbying for budget to make change. To learn about your own risk, contact us to use the Cyber Risk Monetizer.

May you have a productive year, and hopefully the aforementioned won’t bite you at all, but if it does, hopefully this will spur you to be prepared!

Follow us on Webcheck Security more daily info. Reach out to us at and we’ll run you through our cyber risk monetizer and assign a dollar value to your cyber risk! #security #infrastructure #FISO #vciso

