Top Six Cybersecurity Predictions for 2022


Latin America. Learn how hackers can target space, what will happen to cyber insurance, zero trust adoption, and more. The WatchGuard Threat Lab reports on the main threats that may occur in 2022, summarized in 6 predictions:

1. State-sponsored mobile threats trickle down into the underworld of cybercrime
Mobile malware certainly exists, especially on the Android platform, but it has not yet reached the same scale as traditional desktop malware. In part, we believe this is because mobile devices are designed with security mechanisms (e.g., secure boot) from the start, making it very difficult to create "zero-touch" threats that don't require victim interaction. However, serious remote vulnerabilities in these devices do exist, although they are more difficult to find.

Meanwhile, mobile devices present a very attractive target for state-sponsored cyber teams due to both the capabilities of the devices and the information they contain. As a result, groups that sell to state-sponsored organizations are primarily responsible for funding much of the sophisticated threats and vulnerabilities targeting mobile devices, such as the recent Pegasus mobile spyware. Unfortunately, as in the case of Stuxnet, when these more sophisticated threats are leaked, criminal organizations learn from them and copy the attack techniques.

Next year, we will see an increase in sophisticated mobile attacks by cybercriminals due to state-sponsored mobile attacks that have begun to come to light.


2. News about hackers targeting space makes headlines
With the government's and private sector's renewed focus on the "space race" and the recent concentration of cybersecurity research on satellite vulnerabilities, we believe a "space attack" will make headlines in 2022.

Recently, satellite hacking has gained the attention of the cybersecurity community, both among researchers and at conferences such as DEF CON. While satellites may seem out of reach of most threats, researchers have found that they can communicate with them using equipment worth $300. In addition, older satellites may not have focused on modern security controls, relying on distance and obscurity for defense.

Meanwhile, many private companies have started their own space race, which will greatly increase the attack surface in orbit. Companies like Starlink are launching satellites by the thousands. Between those two trends, plus the value of orbital systems to nation states, economies, and society, we suspect that governments have already quietly begun their cyber defense campaigns in space. Don't be surprised if one day soon we see a space-related hack in the headlines.

3. Spear SMSishing Hammers Messaging Platforms
Text-based phishing, known as SMSishing, has steadily increased over the years. Like the social engineering of email, it started with untargeted decoy messages that sent spam to large groups of users, but lately it's evolved into more specific texts posing as messages from someone you know, including perhaps your boss.

In parallel, the platforms we prefer for short text messages have also evolved.

Users, especially professionals, have become aware of the insecurity of clear text SMS messages thanks to NIST, various carrier breaches, and knowledge of weaknesses in carrier standards such as Signaling System 7 (SS7). This has caused many to move their business text messages to alternative apps like WhatsApp, Facebook Messenger, and even Teams or Slack.

Where legitimate users go, malicious cybercriminals follow. As a result, we are starting to see an increase in reports of malicious spear SMSishing-type messages on messaging platforms like WhatsApp. Have you received a WhatsApp message from your CEO asking you to help set up an account for a project you're working on? Maybe you should call or contact your boss through some other means of communication to verify that it really is that person!


In short, we expect targeted phishing messages on many messaging platforms to double by 2022.

4. Passwordless authentication fails in the long run without MFA
It's official. Windows has become passwordless! While we welcome the move away from passwords alone for digital validation, we also believe that the current approach of single-factor authentication for Windows logins simply repeats the mistakes of history. Windows 10 and 11 will now allow you to set up completely passwordless authentication, using options like Hello (Microsoft biometrics), a FIDO hardware token, or an email with a one-time password (OTP).

While we commend Microsoft for making this bold move, we believe that all single-factor authentication mechanisms are the wrong choice and repeat the password mistakes of yesteryear. Biometrics is not a magic pill that is impossible to beat; in fact, researchers and attackers have repeatedly defeated several biometric mechanisms. Sure, the technology is improving, but attack techniques are also evolving (especially in a world of social media, photogrammetry, and 3D printing). In general, hardware tokens are also a strong single-factor option, but the RSA breach proved that they are also not invincible. And frankly, unencrypted text emails with an OTP are simply a bad idea.

The only robust solution for digital identity validation is multi-factor authentication (MFA). In our opinion, Microsoft (and others) could really have solved this problem by making MFA mandatory and easy on Windows. You can still use Hello as an easy authentication factor, but organizations must force users to pair it with another, such as a push approval to their mobile phone that is sent over an encrypted channel (no clear text or email).

Our prediction is that Windows passwordless authentication will take off in 2022, but we expect hackers and researchers to find ways around it, proving that we didn't learn from the lessons of the past.

5. Businesses Increase Cyber Insurance Despite High Costs
Since the astronomical success of ransomware starting in 2013, cybersecurity insurers have realized that payout costs to cover customers against these threats have increased dramatically. In fact, according to a report by S&P Global, the claims rate of cyber insurers increased for the third consecutive year in 2020 by 25 points, or more than 72%. This resulted in premiums for standalone cyber insurance policies increasing by 28.6% in 2020 to $1.62 billion. As a result, cybersecurity requirements for customers have increased considerably. Not only has the price of insurance increased, but insurers now actively scan and audit customers' security before providing cybersecurity-related coverage.


In 2022, if you don't have the right protections in place, including multi-factor authentication (MFA) for remote access, you may not get cyber insurance at the price you'd like, or at all. Like other regulations and compliance standards, this new approach by insurers to security and auditing will drive a new focus by companies on improving defenses in 2022.

6. And we'll call it Zero Trust
Most security professionals have been instilled with the principle of least privilege from the beginning of their careers. Providing users with the minimum level of access necessary to perform their job functions is for the most part an indisputable best practice. Unfortunately, best practices don't translate directly into widespread adoption, let alone its full extent. Over the past few years, or decades in reality, we've seen the ease with which attackers can move laterally and raise their level of access while exploiting organizations that haven't followed basic security principles.

Recently, a "modern" information security architecture has gained popularity under the name Zero Trust. A Zero Trust approach to security basically boils down to "assuming the breach." In other words, assume that an attacker has already compromised one of your assets or users, and design your network and security protections in a way that limits their ability to move laterally to more critical systems. You'll see terms like "micro-segmentation" and "asserted identity" in discussions about Zero Trust. But anyone who has been around long enough will recognize that this trending architecture is based on existing and long-standing security principles of strong identity verification and the idea of least privilege.

This is not to say that Zero-Trust architecture is a buzzword or unnecessary. On the contrary, it's exactly what organizations should have been doing since the dawn of networking.

We forecast that by 2022, most organizations will finally enact some of the oldest security concepts across their networks, and call it Zero Trust.

Author: Duván Chaverra Agudelo
Editor-in-Chief at Latin Press, Inc.
Social communicator and journalist with more than 16 years of experience in the media. Passionate about technology and about this industry.
