Cyber

Remote working the catalyst

by Mark Rowe

Bernard Montel, EMEA Technical Director and Security Strategist at Tenable, shares his predictions for 2022 … and suggests that remote working will be the catalyst for cyber vulnerabilities in 2022.

As 2021 draws to a close, many security teams are responding to one of the most significant threats of our time. The discovery of Log4Shell (CVE-2021-44228), a critical remote code execution vulnerability in the Apache Log4j logging library, highlights the risk of relying on open-source code libraries to build enterprise-scale applications. Many organisations depend on open-source libraries to bring applications to market quickly, yet these libraries are often not built with a security-first approach, and few organisations know exactly where each one is embedded in their estate. This dependence on code libraries will continue to leave organisations vulnerable until time and resources are invested in inventorying them, keeping them patched and making them more secure.
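The first practical step the paragraph above implies is knowing where a vulnerable library actually sits in your estate, which is harder than it sounds because log4j-core is frequently buried inside application fat jars rather than listed as a top-level dependency. The following is an added example, not code from the article, from Tenable or from the Apache project: a small Python check that inspects a jar (and one level of nested jars) for the Log4j 2.x JndiLookup class and reads the log4j-core version from the Maven pom.properties the jar carries. The class and property paths are the real ones used by log4j-core; the threshold of 2.17.1 is an assumed policy setting (Apache's recommended fixed release for Java 8 at the time), and the sample jars are constructed in memory for the demonstration.

```python
"""Inventory check for log4j-core copies affected by Log4Shell (added example)."""
import io
import re
import zipfile

# Real paths inside log4j-core 2.x jars (not assumptions).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Assumed policy threshold: Apache's recommended fixed release for Java 8.
# The 2.12.x (Java 7) and 2.3.x (Java 6) branches have their own fixed versions
# and would need separate thresholds in a real inventory policy.
FIXED_VERSION = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); suffixes such as '-rc1' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def inspect_jar(jar_bytes, depth=0):
    """Return one hit per JndiLookup class found, including inside nested jars.

    Fat/uber jars (Spring Boot, shaded builds) carry log4j-core as a jar
    within a jar, so a top-level dependency list alone would miss them.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if LOG4J_CORE_POM in names:
            props = zf.read(LOG4J_CORE_POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            if m:
                version = m.group(1).strip()
        if JNDI_LOOKUP_CLASS in names:
            found.append({"version": version, "nested": depth > 0})
        if depth == 0:
            for name in names:
                if name.endswith(".jar"):
                    found.extend(inspect_jar(zf.read(name), depth + 1))
    return found


def is_vulnerable(hit):
    """A copy with no readable version is reported: it needs a human to explain it."""
    if hit["version"] is None:
        return True
    return parse_version(hit["version"]) < FIXED_VERSION


def assess_jar(jar_bytes):
    """Hits that fall below the policy threshold (empty list means nothing to fix)."""
    return [h for h in inspect_jar(jar_bytes) if is_vulnerable(h)]


def make_test_jar(version=None, with_jndi=True, nested_in=None):
    """Constructed sample jars for the demonstration (not real log4j artefacts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        if version:
            zf.writestr(LOG4J_CORE_POM, f"version={version}\n"
                        "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
    inner = buf.getvalue()
    if nested_in is None:
        return inner
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nested_in, inner)  # log4j-core hidden inside an application jar
    return outer.getvalue()


if __name__ == "__main__":
    samples = [
        ("log4j-core-2.14.1.jar", make_test_jar("2.14.1")),
        ("log4j-core-2.17.1.jar", make_test_jar("2.17.1")),
        ("app-fat.jar", make_test_jar("2.14.1", nested_in="BOOT-INF/lib/log4j-core-2.14.1.jar")),
    ]
    for label, jar in samples:
        hits = assess_jar(jar)
        print(f"{label}: {'VULNERABLE ' + str(hits) if hits else 'ok'}")
```

Two design choices matter in practice: a copy whose version cannot be read is reported rather than silently passed, because an unexplained log4j-core is exactly the kind of dependency the paragraph warns about, and the check looks one level into nested jars, which is where most production copies of log4j-core turned up during the Log4Shell response. Running this over a build output directory or container image layer gives the inventory that has to exist before patching can be tracked.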

The true extent of the damage this vulnerability will wreak remains to be seen. But it is not the only challenge security teams have had to overcome recently. One key change has been the permanent adoption of hybrid working practices. A recent independent study conducted by Forrester Consulting on Tenable's behalf found that 86pc of UK organisations plan to permanently adopt a remote working policy or have already done so. To facilitate this move, 46pc of organisations moved business-critical functions to the cloud, including accounting and finance, and human resources. Businesses must face up to the increased exposure introduced by these diversified networks.

According to the study, 53pc of employees working from home access customer data from a personal device, while 36pc access financial records, and roughly three out of 10 access their company’s IP or other confidential information. It is unsurprising, then, that nearly three quarters of security leaders report their company data is at greater risk since the onset of the pandemic. When predicting how CISOs will be challenged in 2022, hybrid working must be at the forefront of the minds of security leaders who want to stay ahead of their adversaries.

Domino attacks

Many organisations have migrated to the cloud to meet the demands of hybrid work models, and this has expanded their third-party interdependencies and, unfortunately, the attacks on them too. In 2021, the SolarWinds and Kaseya attacks heightened concern about the integrity of the software supply chain. Threat actors were quick to comprehend and profit from what I describe as the domino effect: by compromising one core system, they are able to traverse into connected systems and organisations, compromising far more victims than the original target. Almost two-thirds of business and security executives say their organisations suffered business-impacting attacks involving cloud assets specifically. In 2022, it will be critical that businesses understand that relying on software-as-a-service or security-as-a-service can increase risk if those services are not monitored.

One thing that is known is that attacks will increase next year; whether that increase is in line with previous growth or catapulted to new levels, perhaps as a result of Log4Shell, remains to be seen. Organisations that do not heed the warning will be sitting ducks. My recommendation is that visibility is key: businesses must know which of their assets are critical and where each one is located.

Security leaders should treat their internal networks as they would physical premises. As their attack surface expands, businesses need the same level of strict governance over their infrastructure as they have over their physical buildings. This applies not only to the programmes already in place but also to the development of new applications, where security should constantly be on their minds.

A new working world

Threat actors, who traditionally relied on catching users unawares and capitalising on real-world distractions, effectively rewrote the rules on social engineering in 2021. Remote work provides a constant distraction around which attackers can build social engineering attack campaigns, as they take advantage of home networks and the false sense of security felt by those working from the comfort of their living room.

According to the Forrester study, only one-third of remote workers strictly follow their organisation’s security guidelines, and remote workers have an average of eight devices connecting to their home network. This creates the perfect scenario of targets and opportunities for attackers to exploit. Even more worryingly, 43pc of security leaders say they lack visibility into employee home networks and connected devices, and just 33pc feel they have enough staff to adequately monitor their organisations’ attack surfaces.

2022 will be no better when it comes to protecting home networks, with attackers likely to catch employees off guard with well-crafted social engineering that lets them slip through cracks in defences. Threat actors only need one employee to slip up to compromise devices on that employee's home network and then move on into larger corporate networks, databases and valuable assets.

As home networks carry as much business activity as secured office networks, and as cloud migration follows, the strategy for detecting and preventing dangerous activity has to change with them. Every company wants to stay at the forefront of cloud expansion, employing cloud providers and third-party suppliers to implement new cloud-based capabilities at speed.

Remote working shows no sign of disappearing from our new world of work, and the cloud has proven its mettle as a business driver. The key now is to ensure that all aspects of a business – from employee behaviour, to cloud-based systems, to the expanded business network – are secured against malware and threat actors going into 2022.


© 2024 Professional Security Magazine. All rights reserved.
