Cybersecurity Predictions and a Wishlist for 2023

© 2022 Bob Carver, CISM, CISSP, M.S.

2022 has been a year of continued cybercrime and nation-state activity. Ukraine was often pummeled with wiper malware from Russia, interrupting any system that might be important to the Ukrainian government and the war effort.

The Lapsus$ group started their phishing campaigns and hacking spree in early 2022, stealing from Samsung, Ubisoft, Microsoft, Nvidia and eventually Okta. At least one of the teenage members of this group was arrested in Great Britain.

In November, the island nation of Vanuatu was hit by a cyberattack that took much of the country offline, forcing all government agencies to work with pen and paper. In addition, Costa Rica, Albania and Montenegro suffered similarly damaging cyberattacks.

Ransomware groups continued unabated, especially hitting schools and healthcare organizations around the world. Ransomware as a Service (RaaS) continued to be a popular way to enter the cybercrime business with no coding skills and limited funds.

One of the largest cybersecurity insurers in the world, Lloyd's of London, announced that they would no longer pay claims that were caused by nation states, stating that they fell under the force majeure clause as events that were beyond anyone’s control. Soon afterwards, Lloyd's was breached.

Twitter had much of their personal account information stolen due to an API vulnerability. Then there were outages and posts from fringe hate groups getting a free pass.

Last but not least, LastPass, a popular password manager, got breached. It was first reported that this breach only involved a development environment; however, it was later discovered that entire password caches were stolen for many of their customers.

This was just a small sample of what has taken place this year.

1. DevOps and Lab Environments - We will see more organizations compromised through their DevOps and lab environments. Air-gapped and separate LANs may not provide the protection you think they do. Start securing these environments at a level closer to that of your production environments, or ignore them at your own peril. We have LastPass and others to thank for bringing this to our attention this year.

2. Supply Chain Simple and Complex - Many have been busy getting their own houses in order, attempting to reduce their "in house" risk. Many will find their largest risk in their suppliers and customers. We will be seeing more organizations being compromised via their supply chains.

Questions to consider:

- What type of visibility and context do you have in your customer and vendor networks, and in their connections to your networks? Do they have a risk management program?

- What SaaS software is being utilized, and are there vulnerabilities in that software?

- What contractors have access to any parts of your network?

- Do you have a list of all of your suppliers and customers? You might be surprised at how many eventually show up on that list.

3. Cybersecurity Insurance - The viability of cyber insurance will start to be extensively re-evaluated by the insurers and the insured. Lloyd's of London started the trend by announcing that they were no longer going to pay claims on nation-state cyberattacks, and then they soon announced a breach of their own organization.

Later the compromised company Mondelez won their case against their cyber insurer Zurich for 100 million dollars. Recently Zurich’s CEO, Mario Greco, has warned that cyberattacks will become “uninsurable” as the disruption from hacks burgeons. “What will become uninsurable is going to be cyber,” Greco said. “What if someone takes control of vital parts of our infrastructure and the consequences of that? There must be a perception that this is not just data . . . this is about civilization. These people can severely disrupt our lives.”

4. Self Insurance - Corporations will start considering self-insurance due to the limited availability and the high cost of limited coverage.

5. Targeted Attacks - We will see more targeted attacks on high value targets where there are no known IoCs (Indicators of Compromise) and TTPs (Tactics, Techniques and Procedures).

6. Zero Trust - Continued evaluation and implementation of Zero Trust systems, because you need to verify and control who or what is accessing critical parts of your networks and data.

7. Cloud Security - There will be more focus on tightening cloud security and reducing end-to-end risk in these ecosystems, as well as addressing the complexity of security in multi-cloud environments.

8. Theft of Digital Likeness - With the rapid development of “deep fake” environments, there will be markets for the “digital likeness” of various people including celebrities, executives, politicians and the like. With access to the voices, mannerisms and 3D profiles of these people, deep fakes will become better than ever.

9. Ransomware - Ransomware is not going away anytime soon. Ransomware as a Service (RaaS) will fuel growth in this cybercrime industry. New targets, new methods of infection and distribution will keep everyone on their toes.

10. EVs Compromised - As we see an increase in EV purchases, we will also see vulnerabilities being abused. Cars malfunctioning, possibly causing accidents. EV charging stations being taken down and offline. Remote auto theft and people being locked in their cars.

2023 Wish List:

1. Less transference of risk to cyber insurers while making continued improvement in reducing real risk in the enterprise. If you don’t start making moves in the correct direction, the cyber insurers may force you to.

2. Start teaching concepts of cybersecurity and privacy in the grade schools. This will pay off in the long run.

3. Start treating NIST CSF as a “foundation” to build upon. It is often referred to as a framework. In my opinion NIST CSF is a foundation on which to build the framework.

4. Everyone needs to start moving toward passwordless authentication such as passkeys and security keys. The time for utilizing passwords alone has passed.

5. ICS and IoT systems should have an “End of Life” date. When they can no longer be supported with firmware or software patches to remediate vulnerabilities, they should be retired and more secure replacements should take their place.

[Image: Staying secure as a bank vault]

Wishing everyone a Happy New Year and may 2023 be your best year yet!

Debesh Choudhury, PhD

Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Data Privacy, Blockchains, Digital Identity, Biometrics Limit | 3D Education | Writer | Linux Trainer | Podcast Host

1 yr

Bob Carver, CISM, CISSP, MS, won't passwordless open more vulnerability to digital identities?

Mila Araujo

Personal Cyber Insurance Practice Leader, North America, @NFP, an AON company |DigitalShield AVP, Personal Risk | Financial Writer, Speaker

1 yr

Fantastic overview. I particularly loved your item on the wishlist: teaching cybersecurity in schools: knowing what resources you have available and starting with this education in the classroom can make a major difference. Especially when it comes to protecting our kids from extortion and manipulation online which can be so traumatizing - Thank you for sharing!

Dana Rivkind

Experienced Technology Leader | Expert in Data & AI | Thought-Leader in Digital Transformation & Innovation | Visionary | Strategy & Solutions-Oriented | Empowering Integrity, Elevating Humanity

1 yr

Great article, Bob! We definitely need to start changing how we do things. I like your wish list. Especially the education and a passwordless future. In my wish list, I’d like to see us move towards “personal computing” by the removal of bulk user data from all database systems and vaults. At the very least, better auditing insights (observability) on access to our data. We need to separate machine (“things”) from person with interfaces and personal databases/vaults. Let’s stop giving criminals what they want in bulk form and become autonomous people with autonomous systems. Reverse engineer our thinking and implementations. We should be building and learning to manage our personal clouds in grade school. Thanks for sharing! Happy New Year!

Katalin Kish

★ I create value by turning complex info into actionable insights using technology & Maths. MBA, Global E-Commerce Champion

1 yr

Excellent article. A few additions:

- Opportunity makes thieves everywhere. Especially insiders who know what is logged, how to bypass logging and alarms, how to escalate their privilege, etc.

- Compliance certifications give a false sense of security at best, as technology changes much faster than laws/regulations ever will. The Victorian Electoral Commission #VEC received a clean bill of auditing health each year while a stalker IT Helpdesk Assistant trading stolen data for crimes as a service with bikies and criminal police had unrestricted access to the VEC's server room + everything in it 2009-2012, while I witnessed his crimes working as a Business Analyst. Trying to report the stalker's crimes to the executive of the VEC meant I had to resign and leave - fast. The stalker kept his job for at least another 5 years.

- No one knows the actual range/volume of tech capabilities in criminal hands (see my reply to this comment). We must stop making all systems interconnectable and online 24x7x365. Everyone using the same tech = economies of scale for attackers. Uniformity => easy prey.

- The absence of proof is no proof of absence in cyber-space. Never assume security.

- Cyber-insurance cannot undo reputation-damage/trauma.

Bob Carver

CEO Cybersecurity Boardroom | CISSP, CISM, M.S.

1 yr

Have a great new year Joseph Landergott!
