Once upon a time, I proclaimed I had the solution to the problem. A wise man then responded by asking, “What are the trade-offs?”
As the year draws to a close, we look back at the (un)eventful incidents and alarm bells that were raised this year.
Patch failure (Who watches the watchmen?)
Example: Print Nightmare Vulnerability
This year taught end-users a fundamental lesson known to security practitioners for a long time: Do not completely rely on vendor patches for thorough security resolution. The security practitioner’s golden rule of thumb is to apply patches to close vulnerabilities. Repeated highly publicized patch failures have indicated that patching alone is insufficient for both consumers and enterprises alike. Where does that leave us? Should the end-users stop using the affected software altogether, be a guinea pig for patch QA or should there be other options? Software has become complex, if not already complex, end users expect better and thorough work from software producers while plugging these vulnerabilities. Enterprises can’t afford lots of downtime for patch delivery as it hurts the productivity and bottom line, and average consumers aren’t technically savvy enough to understand the nuances in multiple patches. If this trend on patch failure continues, micro patches from third party will become a highly viable alternative for enterprises and consumers alike. After all, end-users would like to explore alternatives and not be at the mercy of software manufacturer’s all the time.
Nightmare fuel:
Google Chrome has become the defacto industry leader in the browser market due to its high adoption rate in both consumer and enterprise market segments.
(https://www.statista.com/statistics/276738/worldwide-and-us-market-share-of-leading-internet-browsers/). It adopted sandbox in its early stage as a mitigation mechanism to keep typical threat actors (cybercriminals who seek monetary benefit) from exploiting its browser. This sandbox was a simple yet effective mechanism to keep the cost of exploitation through Google’s browser high. It made Google Chrome’s browser out of reach from typical threat actors who sought for monetary gain. Exploitation of chrome was generally confined to hacking competitions and Nation sponsored attack.
Due to Chrome’s widespread reach and popularity, it has become a desirable target for threat actors. This is demonstrated by the fact that this year, with a whopping 12 zero-days in 2021 alone. To give some context here, even seeing 1 zero-day published in a year for an application is a pretty big deal and now consider 12 being published against a single application.
https://www.forbes.com/sites/thomasbrewster/2021/10/01/google-chrome-updated-after-2-more-zero-day-hacks/?sh=106e39dcf4b3
We expect this trend to continue next year. This year’s zero-day findings for Chrome also corroborates the widely held belief that becoming a market leader brings with it unwanted attention by the threat community.
What happens when your software Supply Chain is compromised.?
Example: Solar Winds
Software supply chain compromise has opened the debate on how we enforce controls on our development and delivery process. The current software design paradigm needs to reconcile the time to ship code vs time to find compromise/vulnerabilities in the development and delivery process. A more thorough code review that includes looking at backdoor/compromise in the code should be at the heart of the development process. Instances where such activity are not possible, especially in pre-compiled third-party libraries, enforcing control via thorough risk assessment needs to be performed. Security Industry believes shift-left to be obvious answer, but tradeoffs need to be well understood before making decisions.
Third party risk
Example: Log4j and etc.
How do we ensure that we can quantify the risk from third party libraries? Should developers use third party libraries in our code base because the implementation has already been widely adopted or are we better of writing our own code? When such libraries are integrated into software that is critical to our national infrastructure, we need to be aware of risks that usually come knocking in the form of vulnerabilities and associated exploitation code. Free/open doesn’t always mean secure.
Ransomware.
The number of incidents this year indicates that we are gradually losing the battle on ransomware from a security control perspective. Security solutions are not enough. Law enforcement along with cross-border cooperation is a viable long-term solution when such activities are coordinated with Security solutions providers. Security solutions providers can provide crucial threat intelligence coming from their global sensors to take down ransomware activities. Take-down activity on botnet operators needs to substantially increase to effectively mitigate this problem.
And the value of security investment
The Return On Security Investment (ROSI) is not a new concept. Security teams typically rely on expected loss and risks to calculate the value and show the need for current and additional security solutions. This year, SecureIQLab executed a first-of-its-kind cloud web application firewall (WAF) security testing and operational validation to demonstrate cloud WAF ROSI. This type of testing showcases the value cloud WAFs provide.
Outlook for year 2022
Power of SMB’s and Consumer
More that 44% of economic activity is generated by small and medium sized businesses (SMBs).
(https://advocacy.sba.gov/2019/01/30/small-businesses-generate-44-percent-of-u-s-economic-activity/)
Covid has forced rapid digitization of economic activities undertaken by small and medium sized business. Cloud adoption has proliferated during the last couple of years. More internet- connected devices are at the heart of productivity in this segment. While it’s a positive sign of resiliency in the face of global pandemic, it’s opening new avenues for cybercrime. SMBs are less equipped to deal with cybersecurity threats than bigger enterprises. They frequently don’t have a security team; they don’t have sufficient resources to deal with cyber security threats. This creates a perfect storm for cybercriminals. We have seen time and again this year how outdated software, poorly configured security controls in our doctor’s office or at our favorite local restaurant has resulted in cyber incidents.
A typical household consists of more connected devices that ever before. Smart-Thermostats, Smart-Doorbell, Smart-refrigerators classified has IOT or Internet of Things have been proliferating for the last few years to make people’s life easier. The Internet-connected technologies are flood-gates for cybercriminal activity. Security Controls are virtually non-existent to combat these criminal activities.
Some of the TTPs (Tactics, techniques and procedures) used by cybercriminals usually seen in enterprise sector will spill into SMBs in the coming days.
Empowering and arming SMB’s and consumers with cybersecurity education, resilient security control will safeguard our economic activity. SMBs and Consumers will fuel the cyber security market in years to come.
Emergence of Marketplace Security
Watch out for Mushrooming software Marketplaces like Zoom Marketplace, Security Software vendor marketplace and bunch of others. Attack surfaces on marketplaces are not well researched and investigated. Is it on par with Apple’s Wall Garden approach? How mature is the software vendor who is providing the software? These are the kind of questions every end-user (enterprise and consumer alike) should be asking before using these marketplaces.
Cyber Education
Hacking is no longer a hobbyist job. Global cybercrime is getting on par in terms of revenue with Narcotics Trade. Illicit activity in Cyberspace has already escalated into the physical world. Before we lose the game on global cybercrime, increased cooperation on a global scale is required to combat this threat.
We are launching SecureIQLab Academy to provide cyber security education to IT Admins in late 2022. Our goal is to help build the security hygiene from ground up, providing tools to make the right choices and increase understanding of the tradeoffs between security and productivity. We launch a portal to educate how to do basic things the right way. For example, how to deploy your firewall correctly, how to validate basic configuration without relying on hyperbole marketing gimmicks, and how to verify if your security controls are accurately configured and working inside a sandboxed environment.
As security practitioners and trusted advisors, we have moral obligations to make a safer world. Computing Platform needs to be resilient; security enforcement needs to be resilient; the Workforce needs to be resilient. For Enterprises, SecureIQLab will continue to provide measurable outcomes to evaluate security resiliency in coming days.