There’s never been a shortage of stories on the cybersecurity beat, and 2022 brought some real doozies.
Thieves dumped details about more than 1 million stolen credit cards on the dark web, class-action lawsuits hit major companies after data breaches, and firms sustained thefts of personal data affecting millions of customers.
While the names of those involved change, and the magnitude of incidents ebbs and flows, these kinds of stories, unfortunately, have become the norm. What matters for CISOs going forward are events that will have the biggest impact on enterprise digital risk, including entirely new trends and important catalysts shaping existing trends.
With that in mind, Focal Point takes a look at the most consequential stories of 2022.
Software supply chain security hardened
Ever since the SolarWinds supply chain attack in 2020, and the Log4j zero-day vulnerability that companies were still cleaning up well into 2022, leaders everywhere have come to realize just how dependent they are on the software that underpins the modern organization.
The software supply chain essentially consists of nearly everything to do with the development and procurement of software, from the security of open-source applications and libraries to products from third-party providers. That includes the security practices and infrastructure of third parties as well.
Driven by the need for increased software supply chain security, this year saw software bills of materials (SBOMs)—inventory lists of software components in products—reach new levels of adoption. As an example of the urgency to act, President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity requires vendors that provide software to the federal government to include an SBOM for everything in their products.
The takeaway: “Understanding software dependencies is truly critical,” says Nick Selby, vice president of the software assurance practice at software security consultancy Trail of Bits. “You need to understand your supply chain. And you need to understand all of the software components you have, as well as those of your providers.” He says that if third-party providers don’t have a complete SBOM, they need to provide a list of dependencies in their libraries. That tells you, the buyer, that they have some level of control over the code that goes into what they’re selling.
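The dependency check Selby describes, as an added example that is not from the article or any vendor: it walks a constructed CycloneDX JSON SBOM (nested components included), builds the component inventory a buyer would want, and flags any component whose version appears on a constructed deny-list. The SBOM contents and the deny-list versions are illustrative assumptions.

```python
import json
from typing import Iterator

# Constructed CycloneDX 1.4 JSON SBOM for a hypothetical vendor product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.4"},
        {"type": "application", "name": "vendor-portal", "version": "7.2.0",
         # CycloneDX allows nesting: a bundled dependency of the application
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.17.1"}]},
    ],
})

# Constructed deny-list (coordinate -> versions to reject). An operational
# list would come from a vulnerability feed rather than be hard-coded.
VULNERABLE = {
    "org.apache.logging.log4j:log4j-core": {"2.14.1", "2.15.0", "2.16.0"},
}

def iter_components(components: list) -> Iterator[dict]:
    """Walk the component tree depth-first, descending into nested components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))

def coordinate(comp: dict) -> str:
    """Maven-style group:name, or just name when the component has no group."""
    group = comp.get("group")
    return f"{group}:{comp['name']}" if group else comp["name"]

def inventory(sbom_json: str) -> list[tuple[str, str]]:
    """Return (coordinate, version) for every component, nested ones included."""
    bom = json.loads(sbom_json)
    return [(coordinate(c), c.get("version", ""))
            for c in iter_components(bom.get("components", []))]

def flag_vulnerable(sbom_json: str) -> list[tuple[str, str]]:
    """Return the (coordinate, version) pairs that appear on the deny-list."""
    return [(coord, ver) for coord, ver in inventory(sbom_json)
            if ver in VULNERABLE.get(coord, set())]
```

A nested copy of the same library at a patched version is listed in the inventory but not flagged, which is exactly the distinction a buyer needs when a vendor bundles its own dependencies.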
The Uber hack put CISOs on alert
CISOs around the U.S. took notice in October when the former CISO of Uber (and a former federal prosecutor) was convicted on federal charges that he obstructed justice and hid a known felony.
The convictions stemmed from payments he made to attackers under NDA regarding a 2016 digital intrusion. Former Uber CISO Joseph Sullivan contended the payments were part of Uber’s bug bounty program. Federal prosecutors said the actions were a payoff and a cover-up, and that Sullivan asked the hackers to keep their hack a secret and deny they stole data. Notably, Uber was still under an FTC investigation at the time regarding a previous data breach.
Many CISOs viewed the verdict as a warning that the federal government will charge CISOs for failing to disclose a breach. The reality is that the verdict was about the cover-up of a breach the Justice Department determined should have been more honestly disclosed and addressed.
The takeaway: Legal experts recommend that CISOs maintain detailed documentation about security incidents and communicate through email and other channels as if regulators, judges, and jurors might eventually read that correspondence.
Mark Rasch, a former federal prosecutor and an attorney at the law firm Kohrman Jackson & Krantz, advises leaders to be honest regarding any data breach or bug bounty program at their company. In an interview on the Security Current podcast, he said that even though an organization may choose not to report a breach, leaders should at least establish that their process for coming to that decision was valid.
“This is not merely covering up something that’s embarrassing for you or embarrassing for the company,” he said. “There is an informed decision about why you are and are not reporting a data breach. You also want to make sure you are making decisions with the advice of counsel.”
Firmware risks intensified
In 2021, we highlighted hacks targeting firmware, the low-level code that manages the interaction between computer hardware and the operating system. Firmware vulnerabilities give attackers a level of access to the enterprise that few other flaws offer.
Earlier in 2022, security researchers identified a sophisticated piece of firmware malware known as CosmicStrand, which lets attackers infect firmware without detection. In addition, the year saw firmware attacks exploiting flaws that affected more than 70 Lenovo laptop models and vulnerabilities that exposed operational technologies and Internet of Things (IoT) devices.
The takeaway: “Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale,” according to a report from the U.S. Department of Homeland Security and the Commerce Department.
At a minimum, enterprises must ensure they implement the technical requirements of the most current Unified Extensible Firmware Interface (UEFI) specifications, and that features such as UEFI Secure Boot are in place. Tools such as CHIPSEC can be used to conduct security reviews of firmware as part of the due diligence process before acquiring products.
Economic uncertainty skyrocketed
While no one can know exactly how strong the headwinds facing the U.S. economy will grow in 2023, the broad consensus among economists is that the nation is heading for recession, or at least a deeply unsettled period of economic growth. Sharply higher prices, supply chain woes, and geopolitical tensions have put a big damper on growth.
Economic uncertainty is bound to put pressure on security budgets, even as cyber-related risks continue to rise. “Take this as an opportunity to optimize,” advises Andy Ellis, former CSO at Akamai Technologies and currently an operating partner at YL Ventures.
The takeaway: Security leaders should pursue efficiencies wherever they can, in the most effective and least risky way possible. But if they are ultimately asked to cut, CISOs will have to find places to do so.
“It’s painful, but you can always find ways to cut deeper,” says Ellis. A smart exercise for the CISO is to reach out to peers and stakeholders and ask two questions: What are we doing that you don’t see the value in? And what are we not doing that you think would be easy and valuable?
Cyberwar broke out across Europe
While cyber hostilities in the Russia-Ukraine war have mostly remained confined to Ukraine, with some exceptions concerning Western infrastructure, it’s still too early to say whether things will stay quiet on the digital front. But if hostilities do spread, there’s a good chance they will start online. Russian cyberattacks during the war’s early days targeted Ukraine’s critical communications infrastructure.
Even before Russia’s invasion, the U.S. Department of Homeland Security warned U.S. organizations, especially those involved with critical infrastructure, to be ready for distributed denial-of-service (DDoS) or even more destructive attacks. These attacks—or clandestine preparations for them—could already be under way.
“When you delve into nation-state–backed activity, whether physical or cyberattacks, you’re not really going to have a full understanding of what’s going on, because those in the know aren’t going to say what they know,” says Andrew Storms, VP of security at platform provider Replicated. “I don’t think it’s prudent to believe it’s over, or that widespread attacks won’t happen.”
The takeaway: Get busy closing security gaps. “Take a deep look at your security posture and look for the essentials that should be in place that maybe aren’t quite in place,” says Storms of Replicated. “Do you have a good disaster recovery plan? Do you have a working relationship with the local FBI office? If not, cultivate one.”
That’s excellent advice anytime, not just during an era of rising digital threats. While no one knows which security developments 2023 will bring, leaders who learn from the lessons of 2022 will certainly be better prepared for whatever is in store.