2022: A Cybersecurity Review

I like to take some time out at the end of the calendar year to reflect on what's happened in Cybersecurity, key learnings, areas of focus and what's next. Normally this is done in December, however with the mad race to Christmas and planned holidays, I got to reflect in Vietnam riding a motorbike from Ho Chi Minh (Saigon) to Hanoi. 2022 was a rough and tough year, with plenty of valuable lessons, but as they say "What doesn't kill you makes you stronger".

Don't talk Politics at the dinner table

They say not to talk Politics at the dinner table, however with everything happening out there, it's undeniable that global affairs have had an effect on our world. The evolving war and cyberattacks between Russia and Ukraine have been a huge focal point. Russia's GRU military intelligence agency, known to be home to some of the world's most dangerous hackers, has been using vulnerabilities on "edge devices" (firewalls, routers and email servers) to gain more immediate access than phishing attacks provide. My article on CyberCon 2022 has some good insights from Government heads. If you're further interested in the topic, this Cyber Security Uncut podcast investigates Russia's cyber campaign.

We even saw a whole country go offline from a civic cyberattack. The Conti ransomware gang used compromised credentials, obtained through installed malware, to gain local network domain administrator access over a VPN connection. The government's network was scanned for file shares, and plaintext/bruteable credentials were exfiltrated using Mimikatz. Sensitive information stolen from the Costa Rica Government was published, Conti issued a ransom demand and extended the intrusion to multiple government bodies, and the situation escalated to Costa Rica declaring a national emergency. Scary stuff! Check here for more info on the cyberattack event and breach details.

Data Breaches

It is reported that more than 4,100 publicly disclosed data breaches occurred in 2022, equating to approximately 22 billion records being exposed. You can check a list of the biggest data breaches of 2022 here, with unfortunately a few familiar names hitting close to home. It got so bad in October that we renamed the month 'Hacktober'.

Our rockstar Principal Engineer Cameron Smith wrote an article on 'Recent data breaches and what your business can learn from them'. API Security continues to be an area of focus, with organisations looking towards best practice. You want to ensure that you have appropriate authentication AND authorisation controls in place. Authentication prevents unauthenticated parties from accessing the API at all (this is something that testing tools can actually check for; some reports mentioned that the issue may have been an API with no authorisation on it, which a tool would, or should, have flagged).

Authorisation checks, by contrast, decide whether a given caller is allowed to access something more specific, like an individual record. Most tools can't check that properly because they don't know who is supposed to have access to which records. Below are some other tips:

  • Make sure your connection is over HTTPS, without supporting vulnerable TLS versions
  • Make sure you can revoke tokens/keys etc
  • Finally, you want to make sure your developers aren't creating backdoors/authorisation bypasses for "testing" purposes
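To make the authentication-versus-authorisation point concrete, here is an added example (not code from the article or from any product it mentions): an API record lookup that only checks the caller's token, beside the same lookup with a per-record owner check and token revocation. All users, tokens and records are constructed sample data.

```python
"""Added example: authentication-only lookup vs. lookup with object-level
authorisation and token revocation. Names and data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed sample data: bearer tokens mapped to the users they belong to.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
# Constructed: bob's token was revoked (e.g. after a lost device).
REVOKED = {"tok-bob"}
RECORDS = {
    101: Record(101, "alice", "alice's invoice"),
    202: Record(202, "bob", "bob's medical note"),
}


def authenticate(token):
    """Return the user a live token belongs to, or None (revoked/unknown)."""
    if token in REVOKED:
        return None
    return TOKENS.get(token)


def fetch_record_insecure(token, record_id):
    """Authentication only, no revocation: any known token reads any record.
    This is the 'no authorisation' pattern the article warns about."""
    if token not in TOKENS:
        return 401, None
    rec = RECORDS.get(record_id)
    return (200, rec.body) if rec else (404, None)


def fetch_record_secure(token, record_id):
    """Authentication, revocation and per-record owner check."""
    user = authenticate(token)
    if user is None:
        return 401, None
    rec = RECORDS.get(record_id)
    # 404 for both 'missing' and 'not yours' so callers cannot use the
    # status code to enumerate which record ids exist.
    if rec is None or rec.owner != user:
        return 404, None
    return 200, rec.body
```

A scanner that only probes with and without a token sees both functions behave identically; only a test that knows alice must not read record 202 catches the difference.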

Organisations should also practise good Vulnerability and Patch Management as part of their ongoing security program and BAU operations; however, it's not always about the latest and greatest vulnerability. Half of the most common vulnerabilities used in targeted attacks and to deliver malware are more than a year old. Patching Applications and Operating Systems is in the ASD/ACSC Essential 8 for a reason, and slow remediation should not be an option.

The ACSC released a publication on 'Questions for Boards to Ask About Cyber Security' with some good content to help organisations understand and manage cybersecurity risks.

Land down Under

It's great to see Australia appointing a Minister for Cyber Security, making Clare O'Neil the first dedicated Cyber Security minister in the Organisation for Economic Co-operation and Development (OECD) Top 20 countries. Work is underway to develop a '2023-2030 Australian Cyber Security Strategy' that would provide the step-change Australia needs to improve our national resilience to cyber threats and properly address the consequences of cyber incidents.

Clare has taken a tough stance on Cybersecurity, and whilst I don't understand the rationale for publicly quoting 'I want the scumbags behind this attack to know that the smartest and toughest people in this country are coming after you' (it seems to put a bigger target on our back), I do agree with her statement below:

“If there is anything good to come out of these incidents, it is that the country needs to shake out of the slumber the country has been in regarding cyber threats and I see huge commitments across the country, from companies big and small, and certainly from within government for us, to make big step changes on how we deal with this problem.”

Think like a Hacker

We've seen a huge uptake in organisations conducting Penetration Testing, whether it be for the first time in a long time, for development of web/mobile apps, for upgrades to office/site/cloud, or for your standard annual compliance. One of my Mad Dog predictions from last year's Cybersecurity Review article was that as staff return to the office, we would see a huge uptake in Internal Penetration Testing, which is definitely the case. Whether it be External/Internal/Wireless/Web/Mobile/API, organisations need to mitigate their risk and think like a hacker to reduce their attack surface, protect their infrastructure/data and prepare their team to manage any unauthorised access attempts. When going out to market, it's important to avoid some of the pitfalls of recent trends. Check out our article on 'the great Penetration Test lie'.

Also predicted last year, Purple/Red Team exercises are on the rise. A Purple/Red Team uses the MITRE ATT&CK knowledge base of adversary techniques to simulate pre- and post-exploitation attacks. This is a great way to test the effectiveness of your current security controls, collaboratively improve your Security Operations team, and determine the level of detection, alerting and prevention of cyber-attack techniques, with findings and recommendations to improve.

Whether it be outsourced development or internal dev teams, organisations have been investing in proactive SecDevOps. It is considered a culture shift, where the ideal DevOps implementation combines all stakeholders needed for software development tasks, from design to deployment and finally maintenance, into a single cohesive team. It is important to note that whilst many approaches focus on structured approaches to development (DevOps), they fail to adequately encompass "Secure-by-Design". People (Security Champions, Education, Training), Process (Peer Review Process, Third-Party Artefact Repository, Patching) and Technology (DAST, SAST, IAST, RASP, PT) are all considerations to "shift-left".

Excuse me whilst I toot our own horn, but we're proud that in July 2022 The Missing Link became an accredited CVE Numbering Authority. As a CVE Numbering Authority (CNA), we can publish CVE records, which allows program stakeholders to discover and correlate vulnerability information to protect systems against attacks. We're one of only three CNAs in Australia, and the only Security Testing Consultancy. CVEs are found through research or during consulting projects, and we always follow responsible disclosure and work with vendors so they can patch. At the time of writing, The Missing Link Security team have 48 zero-day vulnerabilities under our belt, with plenty more to come.

Data is the new Oil

At the AISA CyberCon 2022 I heard the phrase 'Data is the new Oil' and it has stuck with me. Long gone are the days of criminals robbing banks for loot; nowadays criminal activity is done online. Data = Money. As a result of some of the recent news headlines, board and executive teams are asking the security team, "Could this happen to us?" Former Telstra chief executive David Thodey says the cyberattack on Optus "could happen to anyone" and urged all big and small organisations to be "vigilant" about online security. In order to protect our data and digital systems, we need to first know what's out there. Questions to consider: Where is your data? Is there overexposed sensitive data? Who has access to it? Are there consistent permissions? How long have you had, and do you still need, that stale data? There are tools out there to help organisations understand their data footprint, classify data and remediate exposure.

It's in the Cloud

Remote working, collaboration, better insight, speed and better engagement are some of the key drivers for organisations moving to the cloud. Gartner predicts Cloud Security will see the fastest growth over the next two years, attaining a 26.8% growth rate in 2023. Unfortunately we often hear 'It's in the Cloud, our Cloud Service Provider (CSP) has got me covered', which is a common misunderstanding of shared responsibility. 59% of attacks where the data was encrypted involved public cloud. Security and Compliance is a shared responsibility between CSPs and you the customer, with the CSP being responsible for "Security of the Cloud" and the customer for "Security in the Cloud". Many organisations have no way to govern their external partners to ensure security best practices, compliance mandates and corporate cyber policies are being followed. Securing a modern cloud-centric organisation requires controls across the User Plane, Control Plane and Data Plane. Our top gun Paul Friend, MBA wrote an article on how you can address the problem of cloud security.

Plan for the Worst, Hope for the Best

The age-old adage 'It's not if, but when' rings true! We've seen a huge uptake in organisations updating their Incident Response Plans and Business Continuity Plans and conducting Mock Cyber Breach Exercises and Paper-Based Tabletop Training. Running an exercise with your technical team is a great way to test the effectiveness of your IT and Security Plan, Processes and Playbooks if the proverbial were to hit the fan. As cybersecurity is ultimately the responsibility of the board, it is also a good opportunity to hold an executive session and walk them through what could/would happen if the organisation were the victim of a cyber breach, how they would respond, and drive home the importance of cybersecurity.

Knowledge is Power. Enable your staff as the human firewall

With all the recent headlines, Cybersecurity has been at the forefront of everyone's minds. This is a great opportunity to provide cybersecurity awareness training to the business, point them towards what they can do to protect themselves if they have been impacted, and how to practice good cybersecurity at home.

The ACSC and CISC have some good articles that can help you build out your messaging to help staff change their driver's licence, Medicare, passport and bank account PII and access their credit report. The Australian Government has some really good info on how you can protect yourself online.

Below are some of our recommendations that you can pass onto staff to keep up their cyber hygiene. If they practice at home (which is also the office somedays) they will practice at work.

  • Secure and monitor your devices and accounts for unusual activity, and ensure they have the latest security updates
  • Use a password manager to ensure they have a different, complex password for each account
  • Enable multi-factor authentication for all accounts
  • Check your credit score, such as Credit Savvy
  • Subscribe to ScamWatch to keep up-to-date with the latest scams
  • Share HaveIBeenPwned with your family (can be a fun game at gatherings to see who has been pwned most) to raise awareness
  • To keep the young ones safe there are some good resources to introduce/promote eSafe kids

Below are some of my recommendations for your Security Awareness Training (SAT) program:

  • Feature Security in Staff newsletters. Some good content on ACSC and Proofpoint with relevant news to keep abreast
  • Posters around the office. I've also heard some Security Managers walk around with post-it notes that say 'You've been hacked' to place on screens when people leave workstations unlocked and unattended. It is also fun to open up your colleague's Notepad and leave them a message
  • Digital signage on emails to promote checking validity of emails
  • There is some cool content to ‘gamify’ security which isn’t appealing to all but can make it fun whilst learning
  • Promotions i.e. $50 Uber Eats for SAT champions
  • For your intranet you could have a monthly Ask Me Anything (AMA) session where staff are able to ask you security questions. An open door policy can also help promote security best practice

2022 was a manic and rewarding year, and I'm looking forward to what 2023 has in store for us. To impart some of my Mad Dog predictions for the calendar year:

  • Ransomware attacks will continue to increase (both in sophistication & frequency) and gravitate towards Double Extortion tactics. Organisations should focus on protecting themselves from Identity and Authentication attacks
  • The option to work from home is here to stay. Organisations will shift towards Secure Access Service Edge (SASE) and Security Service Edge (SSE) to provide secure remote access to employees, partners and contractors
  • Increased adoption of Cloud Security Posture Management (CSPM)
  • Artificial Intelligence and Machine Learning will further assimilate into cyber and speed up Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
  • To rebuild customers' trust in data security, organisations will invest in Customer Identity and Access Management (CIAM). This is a good method to improve end user experience, reduce support calls, lower cart abandonment, keep the bad guys out and differentiate yourself from peers/competitors
  • Staff are hard to find, let alone good staff. Organisations will prioritise Security Orchestration, Automation, and Response (SOAR) and/or outsource services to MSSPs

Dhara Mishra

Join our 10th Anniversary at B2B Global Conference on 25th of October at Parramatta | Up to 50 exhibitors | 10+ sponsors | 200+ Attendees

1 year

Thomas, thanks for sharing!

James Saldanha

Regional Sales Director

1 year

Well done Thomas. Lots of great insights and tips for businesses of all sizes. Enjoy Japan!

Patrick Baker

Security Sales Executive - Ethical Hacking | AppSec | Red/Blue Team | GRC | 24x7 SOC | OT Security at The Missing Link

1 year

Great write up, Thomas!!! Not just the typical doom and gloom of cyber threats, but some great resources and links with the practical advice at the end to cap it off. As MJ once said "I'm starting with the man in the mirror". Ensuring your household is protected first is a great first step for anyone.

Zoaib Nafar

Head of Security Sales at The Missing Link

1 year

What a wonderful write up mate!

Bill Mavrovouniotis

Head of Information Technology at Urbis

1 year

Excellent read, insightful and well written Tom.
