Issues with rapid migration to the cloud during the pandemic may haunt businesses and organizations over the next year, say cybersecurity experts, along with other concerns related to cloud security.
Misconfigurations, supply chain risks and even using cloud-native services to attack other cloud infrastructure are some of the issues cybersecurity pros mentioned in their predictions submitted to SC Media. They also foresee the cloud delivering code solutions for hardware and as infrastructure, while others expressed concern over security and privacy issues with the "metaverse," a virtual world introduced in November by Facebook CEO Mark Zuckerberg.
Here is a roundup of how tech will play a role in the industry in the new year.
Revenge of the rushed migration, says Archi Agarwal, founder and CEO of ThreatModeler:
“The pressure of the business imperative to adopt cloud at rapid speed during the pandemic will begin to unravel as it becomes apparent security slipped through the cracks in rushed migration. As a result, we will witness the rise of huge breaches due to simple cloud security misconfigurations and permissions errors. This will fuel the mushrooming of startups based on automation of cloud configuration, permission analysis and remediation platforms.”
Securing the cloud will be a team effort, says Bob Huber, chief security officer at Tenable:
“Nearly half of organizations moved business-critical functions to the cloud as a direct result of the pandemic. However, cloud migration requires specific considerations that will likely be overlooked in 2022. For instance, detecting and preventing malicious activity in the cloud is a lot different from mitigating it on prem. And this can be further complicated by the nuances of working with cloud providers, as well as other company stakeholders looking to rapidly adopt new services in the cloud. Unless organizations educate their entire teams — not just security teams — about securing the cloud, they will inevitably pay the price as their migration accelerates.”
As cloud adoption skyrockets, risks posed by intracloud environments grow, says PJ Kirner, chief technology officer of Illumio:
“As organizations integrate their cloud and data center ecosystems or move to a hybrid cloud environment, the risks presented by this dynamic, complex IT landscape will become all the more prominent – making organizations even more vulnerable to attacks. Think of it this way: anytime there’s surface between two distinct infrastructure types, understanding and securing the middle area between the two is a serious challenge. Right now, people are uncovering more risks in their intra-cloud environments than they initially realized, and this will continue to be a key concern in the new year.”
Cloud service providers introduce new supply chain risks, says Jeff Costlow, chief information security officer at ExtraHop:
“Every cloud provider should be thinking about supply chain risks and vulnerabilities (i.e. user permissions, cloud misconfigurations). There are areas of risk in the lower level of cloud services, that if not secured properly, could lead to a massive infrastructure attack, something in scale that we’ve not seen before. Organizations must be prepared for this.”
The DarkCloud is coming, says Tal Mozes, co-founder and CEO of Mitiga:
“The Darknet – which originally described computers on ARPANET that were hidden and programmed to receive messages, but did not respond to or acknowledge anything – is going to be succeeded by the DarkCloud. Criminals will use an invisible cloud to attack organizations in 2022, taking full advantage of the cloud’s capabilities for on-demand scale and ubiquitous accessibility. Ransomware and malware are already available as a service, and will use cloud native technologies to attack cloud infrastructure at scale.”
Infrastructure as code
Everything is code, says Moshe Zioni, vice president of security research at Apiiro:
“I believe that there will be a new trend where even hardware goes towards a everything-is-code transition. For years virtualization technologies have been progressing towards this notion, but now — in light of the global chip manufacturers shortage — giants like Intel and Nvidia have started to introduce code-solutions to harness a hardware-like experience. In turn, it will require ops and IT teams to adhere to it in order to grow rapidly, automate and evolve.”
The future of shift-left security is infrastructure-as-code, says Piyush Sharrma, CEO and co-founder of Accurics by Tenable:
“If a vulnerability is detected while infrastructure is running, that organization is already exposed — even if a patch is applied right away. Now that cloud adoption has rapidly increased and organizations are embracing the flexibility that cloud-native provides, it is vital to find and fix every bug before deployment. By the time software reaches run-time, it’s already too late. That’s why detection will move from reactive to proactive in 2022, as CISOs increasingly recognize that security teams don't have to wait for infrastructure to be created to discover and mitigate vulnerabilities in code.”
GitOps will grow alongside infrastructure as code, says Renaud Deraison, chief technology officer and co-founder of Tenable:
“In 2022, GitOps will begin to become the de facto universal for a lot of operations. While organizations increasingly turn to infrastructure-as-code (IaC) to manage their infrastructure, the need for GitOps will simultaneously emerge to manage entire workflows. Merging the approaches will allow organizations to codify how their servers should operate, as well as gain visibility into the entire line of operations.”
Massive personal identifiable information (PII) breach, says Dirk Jan Koekkoek, vice president, DMARC at Mimecast:
“We will see the first data breach with more than a billion records of PII. The Facebook papers and the creation of the Metaverse makes me feel fascinated on the one hand and a little sad on the other hand. The VR space and the technological capabilities as well as the use cases are exiting. On the other hand, we have this giant tech company with a poor data projection reputation that is supposed to guard the world’s largest people databases. Now, we’re combining this with potentially many other big databases to link logins and exchange data. Data breaches already exceed half a billion records. Putting this increasing level of trust in a joint venture of companies that fail to protect our data over and over will cause us to see the first data breach that exceeds 1 billion records of PII. That will trigger more malicious actors to monetize these likely very enriched data sets.”
Metaverse isn’t dominating security... yet, says Ian McShane, field CTO for Arctic Wolf:
“When the word ‘Metaverse’ started dominating the news cycle, I immediately thought of the dystopian futures where a new reality was needed to distract from the misery of the real world — think ‘Ready Player One’ — or, more realistically, I thought of a new avenue for cybercrime like ’Lawnmower Man’ or ’Hackers.’ That’s because most descriptions of the ‘metaverse’ sound like VR ‘worlds’ where you buy and interact with things that don’t exist in reality. Although they don’t exist in ‘reality’ and are supposed to be part of a decentralized chain of custody, they remain linked to an individual’s real-world wealth and identity, despite being obscured to provide anonymity. Naturally, I have immediate concerns and questions about security and privacy, despite the limited ‘ordinary person adoption’ of what is currently ‘bleeding edge’ tech trends.
“The real indicator of adoption will be the criminal activity aligned to the Metaverse. In many ways, the NFT/web3 world seems built on scams for scammers. NFTs and Metaverse products are already attracting people looking for a way to get rich quickly, which makes for easy targets for cybercrime. I wouldn’t be surprised to see DeFi currency scams target ‘celebrity’ VR avatars for account takeover to manipulate the BTC market prices as we’ve seen with Twitter profiles. Potential scams aside, the real focus next year will be on that tipping point for widespread ‘metaverse’ usage, as that will put the security and privacy at the forefront, if or when there is true global adoption of these technologies.”
Enterprises need to invest in Identity Detection and Response, says Carolyn Crandall, chief security advocate at Attivo Networks:
“Enterprises will increase their investment in identity security solutions. The rise in third-party attacks, remote working security risks, and the continuing evolution of ransomware have driven home the fact that traditional security solutions are no longer enough. And while existing solutions like Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA) provide basic identity protections, their focus on authorization and authentication leave gaps for attackers to exploit. To close those gaps, enterprises need to be investing in Identity Detection and Response (IDR) solutions capable of providing expanded exposure visibility and detection specific to credential misuse, excess entitlements, privilege escalation, and other common identity-based attack activities.”
AppSec will become more metrics driven, says Manish Gupta, co-founder and CEO of ShiftLeft:
“The focus will shift from ‘I found 2,756 vulnerabilities and that’s an accomplishment worth highlighting’ to ‘The key metrics are: (a) the frequency of scanning is the same as the frequency of code changes, (b) the percentage of vulnerabilities actually fixed, and (c ) MTTR for the fixes.’”
APIs will create new vulnerabilities, says Mike Heredia, vice president of EMEA & APAC, XM Cyber:
“APIs will become more critical as interconnectivity evolves. Organizations will struggle to deal with the complexity of APIs and interconnectedness, which will create new vulnerabilities.”
XDR will die on the vine as a single provider solution, says Andrew Maloney, co-founder and chief operating officer at Query.AI:
“Extended Detection and Response (XDR) has made a lot of noise this year, but even though it’s a relatively new concept, it’s already losing steam. There are many different definitions for XDR, and the market is struggling to believe it’s truly the answer to all problems. The current definitions of XDR all rely on a single platform to do all the collecting, aggregating, correlating, and analyzing – preventing the need for users to collect and store data ‘from other solutions,’ as its all already within the XDR vendor’s purview. The reality, however, is that, with today’s dispersed data and siloed security tools, no one technology provider can possibly have all the capabilities needed for security analysts to efficiently perform investigations. The only way XDR will work as intended is if XDR vendors decide to partner in areas where they don’t have convergence or capabilities, and to build native integrations with those partners, so customers don’t have to do so themselves. Only when working with a security ecosystem of partners will XDR deliver on its intended promise.”
Watch out for QR code attacks, says Magni Sigurðsson, Senior Manager of Detection Technologies at Cyren:
“Cybercrime has long operated as a dark mirror to the legitimate business world, and threat actors have always been adept at incorporating technological trends into their attacks.
The latest example is the resurgence of the QR code. This often-overlooked technology has been around for decades, but has returned to prominence over the last two years due to the COVID-19 pandemic. The scannable software is well-suited to delivering information in a COVID-safe fashion at set locations, and we have seen an increase in its use online, as well. Unsurprisingly, the cyber criminal community wasted little time taking advantage of this trend, evidenced by the increased number of attacks exploiting QR codes. As the software becomes more mainstream in marketing and sales activity over the next year, we anticipate attacks that utilize the tool to follow suit.”
Authenticating voice or video content, says Elaine Lee, staff data scientist at Mimecast:
“In light of rapidly advancing deep fake technology and increasing reliance on virtual collaboration tools due to the post-COVID-19 work arrangements, we should be concerned about malicious actors getting more sophisticated in their impersonation attempts. What was a cleverly written phishing email from a C-level email account in 2021 could become a well-crafted video or voice recording attempting to solicit the same sensitive information and resources in 2022 and beyond. After some incidents of a phishing attack of this nature, organizations will want to move toward verifying such content with a process (manual and/or automated) that results in an explicit ‘certificate of authenticity’ designation. Or, they may adopt more secure authentication regimes (e.g., blockchain) and require the originator of the voice/video content to authenticate in this manner.”
The borders between the physical and virtual worlds will intersect, says Jonathan Miles, head of strategic intelligence at Mimecas:
“There is a growing concern among the international community and law enforcement jurisdictions regarding the potential use of malware to harm / kill humans. In a recent media reporting, it was proposed that we are on the verge of a new level of malware, dubbed Killware. With the world we live in now more connected than ever through the Internet of Things (IoT), the borders between the physical, virtual and cognitive spaces are becoming increasingly intertwined and interlinked. In addition to the known vulnerabilities within critical national infrastructure, given the escalation in virtually enabled and connected medical devices, automotive vehicles, and domestic energy and safety devices within the home, as well as the potential willingness of some threat actors to exploit these devices and cause harm to others, it may become a matter of time before Killware claims its first victim(s).”