By Greg Johnson, Author, CEO Webcheck Security
January 1, 2022
WHAT WILL 2022 BRING? WE ASKED THE EXPERTS
I am very fortunate to be associated with practitioners much smarter than I. Webcheck Security enjoys the services of many skilled penetration testing engineers and fractional CISOs with deep organizational and technical experience. What better way to predict the future than by asking the real wizards? What follows is a compendium of our collective thoughts.
LOG4J LOOK-ALIKES
The Log4j issue, much like the SolarWinds Orion attack, affects thousands or hundreds of thousands of organizations. Why? Because this piece of open source code is embedded in products from Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, JetBrains, Nelson, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft, and VMware, to name only a handful of the big ones...
Now that it is known and in the open, we can put it in the rear-view mirror, as long as savvy organizations apply the proper patches. Or can we? “Log4j seems to be a marathon instead of a sprint. We are potentially going to see many variations of Log4j,” states pen testing engineer David Jensen. He continues, “I wouldn’t be surprised to continue to see more crypto; ransomware attacks. The more lockdown continues, the more people have time on their hands to think of new attack vectors. There are some financial pundits predicting recession in the next year, and it will be interesting to see how it affects cyber if true.”
INDUSTRIAL ESPIONAGE AND NATION STATE ATTACKS
“I predict an increase in industrial espionage through cyber means (as if there isn’t a ton already),” says Brad Lewis, Webcheck Fractional CISO and pen test engineer. “R&D is expensive, and with public exploits that are available and vulnerable networks that house industry-leading technology, it is much cheaper to steal the information and replicate it than to build from ground zero. I believe there will be major breakthroughs in the AI field that will be used for both offensive and defensive warfare (not just self-driving cars).”
The reason I lump espionage in with nation state attacks is simple: most of them are perpetrated or backed by such. Says senior CISO and engineer Ben Card, “I think entities backed by nation states that oppose the Western World's influence (e.g., China, Russia, Iran, etc.) are going to continue to improve their vulnerability detection and automation of exploitation to do more damage to a broader range of Western entities than ever before. SMBs are going to see more targeted and effective attacks than they've ever seen, particularly if the SMBs play any role in the supply chains for more desirable targets like Western government agencies and big businesses. Subsequently, larger manufacturers and service providers will more carefully scrutinize the SMBs they use and require them to implement better security programs and vulnerability detection.”
When Ben says vulnerability detection, he is also describing critical security operations services such as log collection, anomaly detection and response. SMBs now have more affordable options in this realm, such as the advanced threat analytics technology and services from companies like Security On-Demand in San Diego, CA.
A MOBILE APP SMORGASBORD
Mobile app functionality has evolved, and useful apps proliferate. On my phone alone I have 5 travel apps, plus multiple financial, social media, utility and other apps, and all of them, of course, may be vulnerable to attack. The reality is, clients request web app tests ten times more often than mobile app tests, so mobile apps are often left neglected.
Webcheck Senior VP of Engineering and Testing Curt Jeppson states, “I've been doing more research lately into userland insecurities on mobile devices and how they can be used to steal 2-factor credentials. An attacker can do a great job of stealing credentials and keys from there, such as the Keychain on iOS devices. Usually after a restart, all tracks of what they stole are wiped away as well. I see an increase in focused attacks against mobile security by nation state level attackers or high-end hacking groups. I believe it will lead to an increase in thefts of resources like bitcoins and an increase in complete compromise of targeted companies that only depend on 2-factor for authentication security for access.”
So at Webcheck Security we’re raising the red flag and asking developers of mobile apps to ensure they are tested at least once a year, and perhaps to budget for two annual tests if possible. Better safe than sorry.
SHOULD AULD ACQUAINTANCE BE FORGOT?
In conclusion, 2022 will see:
1. More Log4j-type vulnerabilities. Never before has it been more important to implement detection and response technologies.
2. Industrial espionage and nation state attacks that will only increase, and in fact will hit more SMBs and small manufacturers that are part of a larger ecosystem than ever before.
3. Finally, more mobile app breaches that lead to PII and cryptocurrency breaches.
We could talk about many mistakes and the lack of cyber control implementation in 2021, but perhaps it’s time to forget old practices and controls and adopt new vision. This may be as easy as assigning a dollar value to cyber risk and lobbying for budget to make change. To learn about your own risk, contact us to use the Cyber Risk Monetizer.
May you have a productive year, and hopefully the aforementioned won’t bite you at all, but if it does, hopefully this will spur you to be prepared!
Follow Webcheck Security for more daily info. Reach out to us at getintouch@webchecksecurity.com and we’ll run you through our Cyber Risk Monetizer and assign a dollar value to your cyber risk! #security #infrastructure #FISO #vciso