Last year, we anticipated that 2022 would be challenging for cybersecurity. This was proven true by the countless sophisticated, high-profile phishing and ransomware attacks, including those on Dropbox, Twitter, Rockstar Games and Uber (twice).
With the introduction of phishing-as-a-service and other sophisticated toolkits that target weaker forms of 2FA, security teams are now prioritizing phishing resistant multi-factor authentication (MFA). Additionally, companies working with the U.S. Federal Government as a customer must respond to MFA mandates that were part of the 2021 White House Executive Order.
In 2023, fortunately, we expect to see wider availability of FIDO-based credentials (i.e., passkeys) to help companies address the rising tide. Below, you’ll find details on how we’re preparing ourselves and our customers going into the new year.
Be ready for a steady increase of low-effort tactics from hackers
Hacking is usually a story of the path of least resistance – attackers will gravitate to the method that achieves their outcomes using the least amount of time and money. In some cases, this means buying a kit, service, or credentials from the dark web. The use of previously unreleased vulnerabilities (i.e. 0-day vulnerabilities) has become rare. Additionally, vulnerabilities that allow an attacker to directly compromise an internet-facing system are not as prevalent as they once were. When these types of issues are found, the exploit is often unreliable due to environmental differences and varying measures of mitigation.
The path of least resistance for most attackers becomes obtaining the credentials necessary to access the environment. Phishing kits, dark web marketplaces, and insiders have substantially lowered the bar for attackers to get this information, while adoption of countermeasures, like phishing-resistant MFA, has lagged behind. For example, the Lapsus$ group, a hacker group notorious for data extortion, brazenly shopped for corporate insiders on its Telegram channel. It has become clear that attackers no longer require sophisticated exploits to obtain access to corporate systems. In some cases, this becomes as simple as an employee who is willing to sell their credentials in dark corners of the Web.
The disclosure of credentials due to phishing, social engineering attacks, or a disgruntled employee should not be enough to lead to a wholesale compromise of an environment. Yet, we saw this quite a bit in 2022. It’s nothing less than irresponsible to assume we can operate in a zero-accidents environment – it’s just not realistic. Shockingly, a recent Yubico survey found that 59% of employees still rely on a username and password as their primary method of authenticating to accounts. Additionally, nearly 54% of employees admit to writing down or sharing a password. These trends simply do not set up businesses for success.
Adopting modern MFA solutions is the only real solution to these credential problems. Our reliance on awareness, training, and detection methods has proven inadequate.
Expect a continued increase in focus on cyberattacks targeting critical infrastructure and the public sector
Attacks on critical infrastructure, healthcare, and education systems will continue to rise. The impact of downtime or loss of availability in these environments scales out to a broad set of the population. This has led, and will continue to lead, to large and timely ransom payouts. We know from history that the willingness to pay a ransom often leads to additional interest within and across organized crime.
With the increase in IoT monitoring devices at power stations and general adoption of connected sensors at industrial sites, the number of attack vectors has also greatly increased. The 2021 cyberattack in the U.S. on the Colonial Pipeline showed that password compromises can impact both IT and OT systems, and that disruptions to these systems have far-reaching implications, not only for the company but also for its shareholders and customers.
The new National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems and the Department of Homeland Security’s Cybersecurity Performance Goals (CPGs), which are intended to supplement NIST’s Cybersecurity Framework, highlight the highest-priority baseline measures that critical infrastructure owners should be taking to protect against modern cyber threats. In section 1.3, which details recommendations on MFA, the memorandum recommends that ‘hardware-based MFA is enabled when available’ for secure access within IT and OT environments. This is also highlighted by the more general Executive Order 14028 on MFA, which was issued by the President of the United States. These government recommendations and mandates highlight the urgency of security-focused supply chain plans and of ensuring stringent security practices across all critical infrastructure.
Zero trust architecture is still a primary objective – but more pressure on vendors will be required
Zero trust architecture (ZTA) is going to remain on the list of priorities for businesses for many years to come. Companies have moved some of their business critical Internet-facing applications to ZTA over the last 2-4 years, but a large contingent of back-office applications and services either require a migration strategy or ZTA support that simply isn’t there yet. Cloud adoption provides a quick turnkey solution for some use cases but not all. We have also seen slow adoption in the traditional financial services industry where many still use mainframe technologies for their ledger.
As an industry, we’ll need to continue to apply pressure to our vendors to incentivize the adoption of the protocols and technologies that enable ZTA. At the core, these are protocols that enable federated identities, support centralized logging, encrypted communication, and expose an API to support automating operational tasks. If we don’t help drive the conversation, this “convince-the-vendor” obstacle will continue to block the way.
CISOs need to evolve toward open communication and collaboration methods with their peers and networks
CISOs are turning to one another for advice and guidance on topics ranging from board presentation to vulnerability remediation. I’ve seen a dramatic rise of positive online collaboration happening in 2022. CISOs and other executives are coming together to share knowledge and experience.
Most recently, the OpenSSL announcement of a critical (later revised to high) issue in associated libraries led to the rapid formation of a working group focused on understanding and responding to the issues weeks prior to the disclosure. Although the vulnerabilities were nearly a non-event, the outcomes from this collaboration are palpable.
The working group has become a permanent fixture with over 400 professionals across industries, countries, and experience levels. This is nice to experience again, as most of my early years in this industry revolved around seeking and providing help on IRC. I expect to see and experience more of this over the next year as we continue to see more threats against an increasingly complex business and technical environment.
Compliance continues to be a hot topic but for the wrong reasons. Security organizations are inundated with a divergent set of bespoke questionnaires and risk assessment portals from customers and their insurance companies. The questions are sometimes out of touch with modern environments or are focused on a control type instead of an objective. The time and effort required to respond to each is overwhelming and the perceived value of the questions diminishes with each questionnaire answered. This is leading many CISOs in my community to look for better strategies on how to instill trust and confidence in our practices while drastically reducing the workload.
I don’t know what the answer will be for others, but we’re standardizing on a System and Organization Controls (SOC) report with a sufficient amount of detail to satisfy most of the customer questions we’ve received over the last few years and support additional questions for a small subset of our customers. I believe our customers prefer that our security budget is centered on managing our risk and providing the world with secure products and less on populating bespoke questionnaires.
Understand and mitigate concerns around software bills of materials (SBOMs)
The push to add transparency to the supply chain has led to a lot of discussion around software bills of materials (SBOMs) for products and services. The intent is to generate machine-readable lists of software components that can be queried for known vulnerabilities. This should give customers a better understanding of the risks they are inheriting when they deploy software or use a service. It should also provide them with the ability to quickly assess the potential impact on their operations when a new vulnerability is disclosed. This additional insight into the supply chain would allow a company to implement mitigation strategies until a patch or update is available from the vendor.
One of the concerns being raised about integrating SBOMs into a vulnerability management program is the churn this might create through false positives, and in situations where the severity of an issue lacks appropriate context. For example, the YubiKey SDK for Desktop bundles OpenSSL but doesn’t employ any of the functionality affected by the recent high severity OpenSSL vulnerability. Yubico upgraded the bundled version of OpenSSL in this specific SDK package, but as part of the normal release process rather than on the more urgent timeline that a high severity vulnerability would otherwise necessitate. Given the experience with vendor questionnaires, I am concerned that the process will turn into the compliance version of the npm audit problem, with insignificant issues turning into a mountain of work for engineering and security teams – especially when dependencies for web-based applications are often measured in the thousands.
To mitigate these concerns, we should be engaging with our customers to understand how we can provide better transparency without introducing unneeded churn. We will likely need to develop a process that not only provides the desired insight into the composition of software, but also a process to efficiently disclose how a particular issue impacts a product or service. Automation could be an answer here, but that will require more complex tools than what is currently available.
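To make the churn problem above concrete, here is an added example (not code from the original post or from Yubico) that matches a small SBOM against a vulnerability feed and then applies vendor impact statements, in the style of a VEX "not affected" record, so that a bundled-but-unused component does not raise an actionable alert. The product name, component versions, CVE ids and feed contents are all constructed sample data.

```python
# Added example: SBOM matching with vendor impact statements applied.
# Product name, versions, CVE ids and the feed are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    version: str
    status: str  # "affected" or "not_affected"


# Constructed SBOM in the spirit of CycloneDX: one product, its bundled components.
SBOM = {
    "product": "example-desktop-sdk",
    "components": [
        {"name": "openssl", "version": "3.0.5"},
        {"name": "zlib", "version": "1.2.11"},
    ],
}

# Constructed vulnerability feed: versions below "fixed_in" are considered affected.
VULN_FEED = {
    "CVE-2022-00001": {"component": "openssl", "fixed_in": "3.0.7", "severity": "high"},
    "CVE-2022-00002": {"component": "zlib", "fixed_in": "1.2.12", "severity": "medium"},
}

# Constructed vendor statement (VEX-style): the product bundles the library but
# never calls the vulnerable code paths, so the raw SBOM match is not actionable.
IMPACT_STATEMENTS = {
    ("example-desktop-sdk", "CVE-2022-00001"): "not_affected",
}


def version_tuple(version):
    """Compare dotted versions numerically ("3.0.10" > "3.0.7")."""
    return tuple(int(part) for part in version.split("."))


def match_sbom(sbom, feed, statements):
    """Return every SBOM/feed match, with vendor impact statements applied."""
    findings = []
    for comp in sbom["components"]:
        for cve, entry in feed.items():
            if entry["component"] != comp["name"]:
                continue
            if version_tuple(comp["version"]) >= version_tuple(entry["fixed_in"]):
                continue  # already at or beyond the fixed version
            status = statements.get((sbom["product"], cve), "affected")
            findings.append(Finding(cve, comp["name"], comp["version"], status))
    return findings


def actionable(findings):
    """Only findings without a not-affected statement need urgent work."""
    return [f for f in findings if f.status == "affected"]
```

Without the statement record the OpenSSL match would be reported as affected, which is exactly the false-positive churn the post describes.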