By Alain Brenzikofer, Integritee
Experts expect 2022 to be marked by a continuing increase in cyber threats – and savvy enterprises will deal with that changing landscape by adopting a zero-trust model. Here are the top predictions.
After two years filled with headlines about the rise in cyberattacks, driven largely by Covid-19, can we look forward to a corresponding slump as we slowly emerge from the pandemic? Sorry, that’s not likely. In fact, researchers agree that it will probably only get worse.
Reviewing a range of forecasts from experts, here are eight trends mentioned so often, we expect to see them dominate infosec news over the coming year.
1) Library security
The Log4Shell exploit in December highlighted, even more dramatically than the earlier SolarWinds and Kaseya attacks, the shocking extent to which organizations are vulnerable to breaches due to software dependencies. By identifying a weakness in widely distributed software, a hacker can easily launch attacks on multiple targets. Enterprises would do well to adopt the use of a software bill of materials as policy, to help them identify risks and respond faster to potential supply chain incidents.
2) Edge computing
Between remote working and the Internet of Things, edge computing is an area in rapid development. That means edge security will need an accordingly high degree of attention in 2022 – especially given the inherent risks. IoT devices are notoriously vulnerable (thanks to providers that may not have much experience with cybersecurity, and to supply chain issues), as is the home office environment.
3) Cloud resiliency
Linked to the above, the increasing dominance of cloud computing makes cloud security a top priority. Unfortunately we have seen that cloud providers have not always been able to safeguard their customers’ data. Growing awareness of this weakness will make enterprises more wary of cloud adoption, until and unless they can be convinced of its security. Those service providers who can demonstrate top-notch data protection will be the winners in the more cautious landscape that is emerging.
4) Social engineering
The “human hacking” threat is also on the rise, with one striking example being the November breach at trading exchange Robinhood, when an attacker gained access to 7 million customer records with a phone call to the support line. This vulnerability may be a particular problem in the growing remote workforce.
This threat is further exacerbated by new forms of deception, like deepfakes for example. With AI tools and the wealth of raw material that can be scraped from the endless Zoom meetings of the Covid-19 era, it’s possible to imitate the voice or face of a known individual in a convincing phishing attack – as was demonstrated when an attacker stole $35 million from a Hong Kong bank using voice cloning and fake emails.
In the overall cyberthreat landscape, ransomware has become the primary attack mode (with ransomware-as-a-service becoming big business) and is expected to be used in nation-state attacks for political and other ends. This raises the fear that essential services will be disrupted and sensitive data leaked, making it particularly critical for government agencies to adopt countermeasures and devise contingency plans.
6) Identity management
Identity solutions for online services are ever more critical to satisfying customer needs. Users are increasingly security-conscious but also need convenience and personalization; there will be rising demand for identity tools that can tick all the boxes – and don’t think these aspects are in competition with each other. Demonstrable privacy is every bit as much a part of good user experience as smooth access.
7) Privacy regulation
Privacy is also a subject high on regulators’ agendas, and organizations of every size can expect to feel increasing pressure. Privacy requirements will get tighter and companies will need to be sure their provisions can satisfy not only customers, but also the authorities. Given that each jurisdiction is developing its own rules (implying great variance between different countries, or even different US states), compliance will be a minefield. It will be necessary to design data protection measures to the highest standard, and to have real-time, comprehensive verification of that protection.
8) Zero trust
With this background, we expect security to be more closely integrated into the development process. As a result, close collaboration between security, developers and operations teams will become standard.
Ultimately, we see clear pointers that a zero-trust model may come to dominate development – this may be the biggest trend of all. Between vulnerabilities arising from remote working, and the urgent need to satisfy privacy requirements, zero-trust architecture could be the only way to provide an appropriate level of data security. One example is Integritee’s decentralized solution, which uses blockchain technology to verify the security of trusted execution environments. With remote attestation verified on chain, there is no need to trust your service provider or collaborators.
Of course, zero-trust is a mindset as much as anything, and that is our key prediction for 2022: the paradigm is changing. Social engineering, ransomware and supply chain issues are all just different aspects of the same core problem. Threats will continue to proliferate, and while we know attacks are coming, always, and can predict the most likely vectors, we will never be able to foresee the details or seal every security gap.
In an age of Big Data, we understand the power of information, but we also know the value it has to hackers. Data protection is becoming a core issue for every organization, and only those data services that can demonstrate strong confidentiality by design will be able to thrive.
Alain Brenzikofer is co-founder of Integritee AG, a hardware-enabled confidential computing solution that combines blockchain and trusted execution environments. Active in blockchain since 2013, he contributed to the Quartierstrom peer-to-peer energy markets initiative and founded Encointer, a crypto-based universal basic income project. In 2020, he led the team that won the Energy Web Innovation Challenge for a project that used trusted execution environments for off-chain computation.