New year usually means out with the old, and in with the new. But the top concerns for CISOs in 2022 will seem all too familiar—remote work, ransomware, supply chain security and talent shortage will be, or should be, top of mind.
CISOs could be forgiven for thinking that the ball dropped in Times Square and instead of ringing in the new year, they woke up back in 2021. No sooner had the final strains of Auld Lang Syne faded than CISA and the NSA dropped a warning to critical infrastructure organizations to bolster their defenses against Russian operatives. Attacks on Ukrainian government websites soon followed and REvil ransomware was in the news. (This time Russia announced the takedown of the group’s leadership.) Sound familiar? It seems, then, that security is dragging some of the old into 2022 but with new twists.
Remote work
Despite the optimistic predictions of the commercial real estate market and the cities whose economies thrive on full office buildings, remote work is here to stay, at least for the time being. And, even more challenging from a security standpoint, hybrid options will become more prevalent, with the workforce straddling work from home and onsite. Of course, working remotely has increased risk as employees use unsecured networks and share devices and bandwidth with other people in their homes. For example, devices in the home that connect to the network could include Chinese chipsets. That would never happen in an office.
In the rush to get everyone home and supported in early 2020, many organizations relaxed security standards and cut corners. Now it’s time to reevaluate security controls. This year, organizations will be going back and looking at what they did during the mad rush into the pandemic and trying to improve on that as they consider a future dominated by remote work, including accommodating data spread out in multiple places and a threat landscape that is equally spread out. That means rethinking and retooling security solutions to determine which indicators might point to malicious activity.
Ransomware as a result of evasive threats
If 2021 got slammed by devastating ransomware, then CISOs had better buckle up, because ransomware in 2022 will only grow more menacing as attackers use evasive tactics to slip ransomware past legacy defenses and wreak havoc on organizations. Why does ransomware still persist? Simple: it’s still a profitable venture for intrepid cybercriminals, who look to monetize everything. The payoffs for ransomware have gone from $179 for the AIDS Trojan back in 1987 to upwards of $4.4 million for Colonial Pipeline early last year. With that kind of money as a lure, ransomware operators aren’t going anywhere soon — and their numbers are increasing as ransomware-as-a-service (RaaS) makes it possible for anyone with a plan to execute an attack.
Bad actors are increasingly using evasive threats to deliver ransomware payloads. Among the techniques being used are dynamic file downloads that bypass network security solutions, new phishing avenues that don’t stem from email only, dynamically generated or obfuscated content, and evasion of HTTP traffic inspection. In the last of these, obfuscated JavaScript makes the content unreadable to both security researchers and detection engines, allowing attackers to sneak past faulty defenses to steal sensitive data, take over accounts, or launch ransomware payloads.
Ransomware will continue to be exacerbated by work from home as VPNs, formerly the remote security solution of choice, continue to offer limited protection and sag under the weight of increased traffic.
Supply chain security
Despite the intense scrutiny on the supply chain, attackers continue to slip under the radar — that is, until a campaign, like the one involving SolarWinds, shows visible signs of damage. The supply chain will continue to get a lion’s share of the attention in 2022, both for the pandemic-provoked shortages that will likely continue well into the new year and the security shortcomings and vulnerabilities that threaten to lay it low.
While the recent Log4j debacle is not a supply chain issue per se, the reaction of organizations across the board was similar to the reaction to SolarWinds. And the situation delivers some of the same lessons learned from SolarWinds — primarily understanding what’s under the hood. So many companies and agencies don’t really understand what they’re running so they don’t know how to fix it, much less how to. That’s a particularly risky scenario in a supply chain, when organizations don’t just have to worry about what’s under their own hoods but also what other companies in a supply chain are running as well and how diligent they are in responding to vulnerabilities or simply securing their assets. Many security vulnerabilities have a long tail, so problems can kick up in a supply chain well after the initial hullabaloo over a flaw or weakness has died down.
It’s important to consider the health of the entire supply chain and demand that third parties ensure they place a premium on security — not just a checkbox of security solutions, but actual insight into how their organizations handle security.
Talent shortage
With unemployment at its lowest levels in decades and workers resigning across industries (“the great resignation”) as they negotiate better jobs or seek to stay safe during the ongoing pandemic, the talent shortage that has existed in security for the last several years, and is projected to continue for years to come, has been amplified.
It complicates and compromises security, particularly as teams are expected to protect remote work, which increases the threat landscape. All these elements have piled on top of each other to add not only to the talent shortage but also to its impact on security. IT security is still a young, undefined field, which may explain why it doesn’t have the cachet of more established careers — that makes attracting talent more difficult. Organizations would do well to define more clearly what a career in security could be and what its payoffs are, not just monetarily but in terms of the satisfaction of having a greater purpose rather than just a job. In addition, this is a good opportunity for companies and agencies to diversify their security workforces, tapping women and other under-represented groups to fill the yawning gap. It’s also a good time to rethink qualifications — better to find talent that has soft skills and curiosity than to require certain degrees and certifications. By expanding the pool of potential applicants, organizations will consider candidates who would have been passed over before but who could prove to be valuable members of their teams.
Avoiding or at least mitigating these security woes, in large part, means getting back to fundamentals. Organizations must consider where their data and assets are (hint: they’re not just in the data center); determine the likely threats; create risk profiles; and invest in the tools that will bolster their security postures.
Trust will grow in importance in 2022 — organizations should ramp up their Zero Trust Network Access (ZTNA) initiatives, a key element of the Secure Access Service Edge (SASE) framework that’s especially suited to protecting remote work while allowing employees to securely access the resources they need from wherever they are.
As much as CISOs would like to put a coda on 2021 with its devastating ransomware attacks, supply chain vulnerabilities and yawning talent gap, it seems that many of the same issues will be amplified in 2022. Hopefully, organizations have learned from 2021, will reach into a more enriched toolkit for solutions and those issues won’t have the same devastating effects going forward.