Key thinkers on the biggest security stories and trends in 2021
What a year 2021 has been. We’ve seen a number of high-profile issues across the cybersecurity sector, from supply chain attacks to critical infrastructure shutdowns. Going into 2022, many of these issues don’t show any sign of slowing.
While the world tentatively started to recover from the initial outbreak of the Covid-19 pandemic, this year the security industry had only just started to respond to the number of new threats caused by the changes to society, from healthcare-related phishing campaigns to attacks on vaccination rollouts.
This is without mentioning the whole host of non-coronavirus-related threats such as the ongoing infosec workforce diversity gap and cybercrime activity.
The Daily Swig has grilled industry experts on their biggest takeaways from 2021 – and what they predict for 2022.
Sins of the past, sins of the present
Cezary Cerekwicki, head of product security at Opera Software, the makers of Opera Web Browser
Looking at the 2021 editions of the MITRE CWE Top 25 and OWASP Top 10, we could say that little has changed compared to 2020. Memory safety issues known for decades continue to rank high.
The root cause for that is arguably the lack of fast memory-safe alternatives for C and C++ and its ‘speed trumps safety’ philosophy.
The web was born in turbulent circumstances and continues to be insecure by default for the sake of backward compatibility. Excessive dynamism, blurred same-origin policy, a lack of strong separation between code and data, and hundreds of other traps make hacking web apps way easier than it should be.
I suspect that HTML and Trainspotting, both products of the 90s, had the same inspirations, given their natural propensity to injections.
Great new solutions are emerging, including Trusted Types, Fetch Metadata Request Headers, and COOP and CORP. However, each of them is optional, solves only a part of the problem, and adds to the already substantial complexity of the field.
When I look at the MITRE CWE Top 25, I see a picture of technical debt caused by the design sins of the past. Each of them will likely continue to bleed zero-days for a long time.
Meanwhile, we are witnessing a progressive celebration of vulnerabilities. Bugs are being given catchy names, websites, and logos. I half-expected this trend to continue, and that Spectre and Meltdown would get a divorce, followed by a court battle over the custody of XS-Leaks. Instead, we see a meltdown of professional ethics. For instance, some people mistake bug submissions for ransom notes. We are also noticing plagiarized exploits in bug bounty programs.
The popularity of bug bounty programs and InfoSec as a career path has exploded. Overall, this is great. We need a security-minded person in every room where crucial technical decisions are being made. Otherwise, we are bound to repeat the design sins of the past.
Follow Cezary on Twitter.
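The Fetch Metadata, COOP and CORP mechanisms named above are all opt-ins that a site has to deploy itself. As an added example that is not from the article or from Opera, here is a minimal Fetch Metadata resource-isolation check alongside the COOP/CORP response headers, in Node-style JavaScript; the header names and values are the standard ones, while the function names and the sample requests are constructed for illustration.

```javascript
// Added example: a Fetch Metadata "resource isolation policy" plus the
// COOP/CORP response headers named in the column. Header names/values are
// the standard ones; helper names and sample requests are constructed.

// Decide whether the server should answer a request from its Sec-Fetch-*
// headers. Returns 'allow' or 'deny'.
function isolationDecision(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Browsers without Fetch Metadata send no Sec-Fetch-Site. Refusing them
  // would break real users, so the policy must allow: the "optional,
  // partial" property the column complains about.
  if (site === undefined) return 'allow';

  // Same-origin, same-site and browser-initiated requests (address bar,
  // bookmark) carry no cross-site risk.
  if (['same-origin', 'same-site', 'none'].includes(site)) return 'allow';

  // Cross-site top-level GET navigations keep inbound links working, except
  // into <object>/<embed>, which would embed the page cross-site.
  if (mode === 'navigate' && method === 'GET' &&
      dest !== 'object' && dest !== 'embed') return 'allow';

  // Everything else: cross-site fetch()/XHR, <img>, <script>, <iframe>,
  // cross-site form POSTs. The server should answer 403 with an empty body.
  return 'deny';
}

// Response headers that isolate a document: COOP gives it its own
// browsing-context group (no cross-origin window handles), CORP stops other
// origins loading it as a subresource, Vary keeps caches correct.
function isolationHeaders() {
  return {
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Cross-Origin-Resource-Policy': 'same-origin',
    'Vary': 'Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest',
  };
}

// Constructed sample requests, not captured traffic.
const samples = [
  ['GET', { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' }],
  ['GET', { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' }],
  ['POST', { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' }],
  ['GET', {}],
];
for (const [m, h] of samples) console.log(m, h['sec-fetch-site'] || '(no Fetch Metadata)', '->', isolationDecision(m, h));
```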
High-profile attacks against nation-states will continue
Paul Maddinson, UK NCSC Director of National Resilience and Strategy
In 2021, the pandemic has continued to shape the cybersecurity landscape and at the NCSC, we focused our efforts on protecting the health sector and [Covid-19] vaccine rollout from online threats and supporting the public as more people spent more time online.
Unfortunately, we saw cybercriminals continue to exploit topical concerns to scam people – from offering fake Covid tests to bogus PPE. We anticipate this trend will evolve in 2022, so we urge the UK public to continue reporting suspicious messages to us so we can take action to remove malicious content.
Another key trend is the growth of ransomware as the most immediate cyber threat facing the UK, and in the first four months of 2021 the NCSC handled the same number of ransomware incidents as for the whole of 2020.
While it isn’t new, high-profile attacks, such as the US Colonial Pipeline incident, have brought ransomware to the attention of the public, board members, and political leaders, and we welcome more international efforts to combat this threat in 2022.
Such attacks highlight the importance of strengthening cyber resilience across society and this is reflected in the government’s new National Cyber Strategy. In 2022 and beyond, bolstering our national defenses and working with partners to mitigate technological and supply chain risks will be critical for keeping the UK safe online.
Follow the NCSC on Twitter.
Diversity and addressing the infosec skills gap
Clar Rosso, CEO, (ISC)2
The workforce shortage within cybersecurity is undisputed and has been like that for many years with limited progress made. With cybersecurity in the spotlight more than ever, we all must take significant proactive steps to change how we hire, train, and develop people to grow and broaden the workforce.
We need millions more skilled professionals globally in cybersecurity. The only way to achieve that is by growing the talent pool itself, and one significant mechanism for doing so is addressing the limitations and barriers to entry facing many people interested in cybersecurity.
Going into 2022, embracing notions of diversity, equity, and inclusion in cybersecurity will be critical to help us grow the size of the potential workforce.
Organizations need to commit to being more accommodating and welcoming of age, gender, ethnicity, neurodiversity, and other aspects of diversity in the workforce.
We need to thoroughly rethink in-role education and ongoing professional development, as well as opening the door to those who have pursued alternative and even non-degree education pathways on their journey to a cybersecurity career.
It has been a notable 2021 for (ISC)2 in what has been another year of global disruption. Our membership grew year on year as more cybersecurity professionals passed exams and earned their certification.
We saw significant growth in the CCSP certification, reaching almost 11,000 certification holders and underlining the importance of cloud security for the global economy.
Going into 2022, we will focus on bringing our first entry-level certification to market. As a foundational certification, it will play a role in helping employers, educators, and governments respond to the cybersecurity workforce shortage by narrowing the gap between entering the workforce and being able to verify skills and fundamental knowledge through independent, globally recognized industry qualifications.
Follow (ISC)2 on Twitter.
Closing the door to cybercriminals
Busra Demir, senior solutions architect at HackerOne
One trend that will continue into 2022 is malicious actors targeting the remote workforce to access company systems. Traditional security perimeters and firewalls set up within an office environment don’t cover those employees working from home and, to some extent, the organization has less control over how employees might be operating.
All of this presents a cyber risk and is leaving a potential ‘open door’ for threat actors to plant ransomware, especially when it comes to less security conscious employees who might not be as vigilant or as aware of the risks.
As we start to see employees embracing hybrid working as the new norm, we are likely to see more instances of ransomware infiltrating corporate networks as employees reconnect to company systems.
Remote work opens the door to cybercriminals for more phishing activities to steal sensitive data, PII, login credentials, etc. This is a very effective method that hackers have used for years, as it takes advantage of trusted resources and sends an email as if the email or the URL is coming from these trustworthy resources. Once the victim clicks the link or downloads the malicious attachment, the hacker can take control of the system or dump the critical information.
Another common entry point for hackers is insecure WiFi networks. Employees who prefer to work from public areas with a public WiFi network, such as cafes, are especially exposed, as an attacker can create a fake access point with the same SSID. When the victim connects to the fake SSID, all the network traffic runs through the fake network the attacker created instead of the legitimate one, which again allows the cybercriminals to steal sensitive data, bank account information, and sensitive company files.
With ransomware attacks only expected to grow, combined with the fact that as an industry there is a shortage of malware experts, this is going to present a challenge for many organizations. It is therefore important that security-conscious organizations start to embrace enhanced measures such as implementing a zero-trust model. This ensures that permission levels are restricted and that employees only have access to the data they need – so if a ransomware attack does occur, any data they encrypt and capture will be limited. This extra layer of protection is important for businesses as we see these types of cyber-attacks increase.
Follow HackerOne on Twitter.
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows
From a cybercriminal perspective, 2021 should be viewed as a year in which ransomware groups really tested the boundaries of what they could achieve – but also get away with.
Several high-profile attacks, for example the adoption of supply chain attacks and the exploitation of zero-day vulnerabilities, have highlighted that ransomware groups are becoming not only increasingly sophisticated, but also more emboldened to commit attacks against critical national infrastructure.
It is likely that ransomware groups either do not care about the consequences or do not fully understand the implications of who they are targeting.
This issue is confounded by the rise in use of ransomware-as-a-service programs, in which lesser skilled affiliates commit attacks on the developer’s behalf.
Among RaaS programs there is a reduced level of scrutiny regarding target selection, which in turn has raised the overall risk associated with ransomware activity.
These impactful attacks have unsurprisingly resulted in significant scrutiny from the media and law enforcement, but also other members of the cybercriminal community – many prominent cybercriminal forums banned commercial activities directly involving ransomware via their services following the May 2021 attack on fuel provider Colonial Pipeline.
Ransomware groups have responded to such scrutiny, in particular during the aftermath of successful law enforcement operations, in a repetitive fashion. There is typically a retirement of a ransomware campaign and a period of lying low before returning at a later date with a rebranded and redeveloped operation. This has led to a continual game of ‘whack-a-mole’ with law enforcement agencies, which have achieved some considerable successes in 2021 but have not been able to make a significant impact on the overall ransomware landscape.
Activity from such groups will almost certainly continue at current rates or increase in 2022. The supply of susceptible companies appears to be continuing, while the demand for ransom payments will also encourage the inception of additional groups. Ransomware is a problem that is here to stay – and likely will get worse before it gets better.
Follow Digital Shadows on Twitter.
Supply chain security is now high on the agenda
Wadeck Follonier, security officer, Jenkins Project, and security engineering manager, CloudBees
For many security experts, 2021 started with the resolution to avoid becoming front page news for incidents such as SolarWinds. That attack brought into focus the importance of supply chain security and the potential widespread damage an attack can cause.
The topic was already very popular inside security circles, but it wasn’t being prioritized enough by companies to justify the necessary investments. With this increased attention and the proliferation of tools available in the market, the security of the supply chain is now considered as important as the software companies are producing.
This shift in focus created increasing demand from users to respond to security scanner reports or compliance questionnaires. To mitigate the workload on security teams and scale the efforts, it is necessary to invest in a company-wide vulnerability management system.
As a DevOps company focused on security and compliance at enterprise scale, CloudBees understood the situation and has multiplied its investments to increase the security of the open source projects we rely on, such as Jenkins. Investing in the projects and third-party libraries a company is using is more and more common, by either providing maintainers, contributors, or security members, or by donating money to ensure the code is of a sufficiently high quality.
In recent years, the security space has had an impact outside the virtual world – the Colonial Pipeline breach, for example. This increased the demand for attention in companies beyond the security team. Due to this increased attention, the market for skilled security professionals is highly competitive. As a reaction, we have seen a growing number of study programs proposed by universities across the globe, often requested by the state, to reduce the scarcity of talent for the future.
In 2022, I predict a big push from enterprises toward adopting company-wide programs for security, including a set of policies to reduce risk and ensure better protection globally. This move will be very important in that it will differentiate the companies where engineers maintain their freedom to innovate from the ones that will restrict that freedom. From my point of view, the key point is about how the program will be successful, by either forcing common practices or by asking teams to provide proof they are compliant with the policies. Due to the global talent market being in a crisis, the attractiveness of a company will include how they are tackling security while empowering developers to innovate.
As a side note, I also expect more computer-assisted tooling will be used to reduce the alert fatigue that security professionals are facing with scanners and false positives. This will simultaneously improve the desire to work in such equipped companies.
Follow Wadeck on Twitter.
Additional reporting by Adam Bannister, James Walker and John Leyden.