Following are the trends that should concern enterprise leaders most and that could spread fear and trembling for years to come:
Firmware flaws are multiplying
Firmware is the low-level code that sits between a device's hardware and the software running on it. Because it loads before the operating system and below the reach of most security tools, it gives attackers coveted access to endpoints and lets them remain undetected for long periods of time.
Attackers are increasingly targeting and successfully burrowing into device firmware. A recent example is CosmicStrand, a rootkit that lives in Unified Extensible Firmware Interface (UEFI) firmware and was first publicized by Russian anti-malware vendor Kaspersky Lab. The implant was found on boards using the H81 chipset, and when successful, it disables security software running on the device.
In 2022, the number of serious firmware vulnerabilities continued to rise. In February, security vendor Binarly found critical vulnerabilities in InsydeH2O, a widely licensed UEFI firmware implementation. These vulnerabilities affected all the vendors that build independent BIOS vendor (IBV) code into the firmware that boots their machines and hands control to the operating system. Binarly reported in a blog post that vulnerabilities were found in products from vendors including Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, and Intel.
“We’re in a constant race, with the line moving lower in the [tech] stack,” says anti-malware and firmware security expert Roger Thompson, technical product manager at ReversingLabs, which offers a software supply chain security platform. “All software has a weak underbelly, and firmware is still just software.” He says attacks against firmware will only increase as enterprises deploy more endpoints, which broadens the overall attack surface.
Advanced persistent threats lurk within networks
A standard assumption of the “zero trust” security approach is that IT environments have already been breached, and that attackers are already inside any number of servers and endpoints. Security teams don’t know which ones yet. With stolen credentials being used to move laterally after an initial breach, stopping attackers as soon as they get inside an organization remains essential.
Zero trust is a technical architecture that requires people, systems, and devices to be continually authenticated and authorized rather than trusted because of their network location. Analysts expect the value of the global zero-trust market to reach $126 billion by 2031, up from $24 billion in 2021.
“This model is dramatically different from the ‘trust but verify’ approach, which has traditionally exposed networks to nefarious activity by internal actors,” says Robin Berthier, CEO at Network Perception, which provides network-segmentation verification and visualization solutions. He says the strong interest in this security architecture is due, in part, to the executive order President Biden issued in May 2021 mandating that the federal government adopt zero trust. While many different interpretations exist, zero-trust standards are emerging, such as NIST SP 800-207, Forrester’s ZTX, and Gartner’s CARTA.
Ransomware remains a scourge
Ransomware continues to exert heavy costs. According to Cybersecurity Ventures, the cost of ransomware attacks is expected to reach $265 billion by 2031, up from $20 billion in 2021. Costs include loss of productivity and sales, data breach cleanup, and regulatory fines.
Anti-malware software provider Webroot ranked LockBit as 2022’s most prolific and successful ransomware group. While the group has been providing ransomware-as-a-service for years, it continues to advance its tactics. In addition to holding data for ransom and threatening to make it public if victims don’t pay, the group also conducts distributed denial-of-service (DDoS) attacks.
“As automation becomes increasingly accessible, there are more attacks overall,” says Tom Kirkham, CEO and CISO at consulting firm Kirkham IT. “[Groups are] becoming more sophisticated in their approach. We’ve even seen entire ransomware agencies for hire. They’ll target an individual and deploy a tailored strategy to directly attract attention and get into the person’s inner circles.”
Supply chains are still vulnerable
Gaining visibility into software supply chains is a constant worry. With software and services of all kinds in use, including open source, commercial, cloud, and third-party solutions, ensuring that code is free of exploitable flaws is challenging.
“Third-party risk from the supply chain or software vulnerabilities within third-party software components continues to be a huge element of externally caused breaches,” said Sandy Carielli, a principal analyst at Forrester, at the research company’s Security & Risk Forum. “Organizations probably have more third parties in their ecosystem than ever before.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been actively promoting the use of software bills of materials (SBOMs), inventory lists of the software components that make up a product, as a way to help improve software supply chain security. An SBOM gives an organization visibility into which components, and which versions of them, are present in the commercial and open source software it runs, so that a newly disclosed flaw in a component can be traced to the products that contain it.
Geopolitical risks snowball
If one thing has become clear this year, it is that geopolitical risk is closely aligned with cyber-risk. Every new conflict adds to the risk of cyberattacks. Cyberattacks on Ukraine’s public, energy, media, financial, business, and nonprofit sectors intensified even before Russia’s full-scale invasion in February 2022. Since then, Russian cyberattacks have undermined the distribution of medicine, food, and relief supplies, a European Parliament briefing determined.
“The impact [of cyberattacks] has ranged from preventing access to basic services to data theft and disinformation, including deepfake technology,” the briefing found. “Another malicious cyberactivity involves sending phishing emails, distributed denial-of-service attacks, and use of data-wiper malware, backdoors, surveillance software, and information stealers.” Critical infrastructure has been increasingly targeted in the West as well.
With heightened Chinese saber-rattling toward Taiwan, the Taiwan government is increasing its cyber resiliency even as it strengthens its conventional military capabilities. Cyberattacks on Taiwan increased with the visit of Speaker Nancy Pelosi of the U.S. House of Representatives. Electronic billboards were commandeered to display messages hostile to Pelosi’s visit.
“There’s just so much unrest in the world in both authoritarian and democratic states,” says Kirkham. “There are clear rules around kinetic warfare, but there aren’t clear Geneva rules around cyberwarfare. It’s the Wild West out there in terms of both protection and security.” Kirkham is surprised the West hasn’t seen more large-scale attacks from Russia or Iran.
Legal uncertainty casts a long shadow
In early October 2022, a federal jury in San Francisco convicted Joe Sullivan, Uber’s former chief security officer, of concealing facts about a data breach from the Federal Trade Commission. The government successfully argued that Sullivan obstructed an active FTC investigation by paying the hackers to keep quiet and failing to report the breach. Sullivan has yet to be sentenced, but the verdict has CISOs’ attention.
“The most dangerous potential trend for CISOs today is the hesitation of acting on anything due to the fear of Uber-style legal threats,” says David Maynor, senior director of threat intelligence at Cybrary, a cybersecurity and IT workforce development platform. After the verdict was handed down, he says private cybersecurity social and networking groups “went crazy” discussing what the verdict meant for them. Although the sentencing hasn’t yet taken place, real jail time is on the table.
“This is a huge shift from CISOs worrying about fines,” Maynor says. “Now they are worried that years later, a jury may have to decide if actions they take amid an emergency could be deemed illegal. That fear brings inaction by paralysis, or even more red tape for organizations to go through when responding to a breach.”
It’s unlikely 2023 will be any less harrowing than 2022, and enterprises and their CISOs know it. According to a survey of more than 1,400 IT professionals by Spiceworks Ziff Davis, security budgets will outpace other categories of enterprise technology investment, such as productivity applications, with security spending comprising 11% of software, 7% of hardware, and 6% of cloud services budgets.
CISOs can only hope all that money is well spent.