Last year, we shared a number of cybersecurity predictions, most of which either played out as described or are trending that way, with results that remain to be seen. In one instance Ordr CEO Greg Murphy predicted that, “Someone in the U.S. will die as the result of a ransomware attack, resulting in increased push for cybersecurity regulations in healthcare and increased cybersecurity budgets.” Tragically, according to a lawsuit filed in September of last year, that prediction came true.

This year, we asked a number of Ordr cybersecurity experts what they saw unfolding for the next eleven months and are sharing nine of the more interesting responses.

1. Ransomware attacks will continue to increase (Pandian Gnanaprakasam)

The impacts of double extortion and crimeware-as-a-service will continue to plague businesses worldwide. The number of victims will triple, increasing from 20% to 50%, while the number of companies that pay a ransom to recover their data will increase from 10% to 30%.

Cybercriminals will drive these increases through more aggressive tactics, including data destruction, sensitive data leaks, DDoS campaigns, targeting and breaching high-profile organizations (including wealthy families), and disrupting business operations to force enterprises to pay. We will also see a concerning increase in the use of killware in attacks that once were used to sow only ransomware.

2. Organizations will adopt a more holistic security strategy to address a shift from traditional endpoints as IoT, IoMT, and OT devices converge in the enterprise network. (Bryan Gillson)

Recent attacks (i.e., Colonial Pipeline) show us that we are not thinking about cyber resilience and as a result, in the case of thousands of industrial and healthcare breaches, we see loss of services (patients diverted, pipelines shut down). This happened even though the IoT/OT infrastructure was not attacked nor compromised.

This will prompt organizations to recognize that what is needed is to embrace a whole-of-enterprise approach to security that encompasses cloud-to-ground visibility, and analysis and control of all connected assets (from traditional IT to vulnerable IoT, IoMT or OT) in order to enable true cyber resilience.

3. Third party/Supply chain attacks will continue to increase (Brad LaPorte)

2022 will be the Year of the Supply Chain Attack. Already up 430% since 2019, the growth of these types of attacks will increase exponentially and become the #1 global attack vector. As more enterprises adopt more mature cybersecurity practices, criminals will go upstream to weaker targets that can maximize their blast radius and give them an impactful one-to-many attack ratio. Historically, attacks have been spray-and-pray; now, they will become more surgical as supply chain attacks become weapons of mass disruption.

4. Attackers will begin using AI to infect multiple organizations at a massive scale (Srinivas Loke)

It has taken a few decades, but adoption of automation solutions such as AI, ML, and DL has gone mainstream and worldwide. This is great news for cyber defenders, as Gartner finds “33% of technology providers plan to invest $1 Million or more in AI within two years.” The cybersecurity industry is leading the way on this trend, but easy access to open-source AI tools is both a blessing and curse. Cybercriminals have access to the same resources, and the resulting threat is multiplied by strong ideological and financial incentives to use them. This will accelerate the ability of threat actors to conduct targeted, automated attacks at a massive scale. The war of the machines is on the horizon.

5. Attackers are going straight to recruiting insiders for advanced attacks (Danelle Au)

Organizations have focused (rightly so) on shoring up their identity and access management capabilities, and deploying multi-factor authentication within their networks. These solutions have made it harder for attackers to bypass defenses—and so attackers are going directly to insiders. With the promise of a cut of the haul in exchange for access, ransomware gangs are bypassing traditional methods and are instead working to recruit insiders to use their privileged access to install malware directly. The tactics being used by these attackers are similar to HUMINT espionage and recruitment programs. Unfortunately, this means that every security leader now needs to consider insider-originated malware as part of their ransomware protection strategy.

6. Laws or sanctions won’t make a big dent in stopping ransomware and cyberattacks (Greg Murphy)

Over the last several years, the urgency in dealing with ransomware and other advanced attacks at the legislative level has grown, as illustrated with bills like Warren-Ross, a 30-country meeting led by the Biden administration to address the threat of ransomware, and efforts by the FBI to crack down on ransomware gangs. However, political and legislative efforts won’t make a difference as long as cybercrime makes sense economically, and as long as Russia has no incentive to bring threat actors to justice. One possible—though controversial—way to reduce these advanced attacks is to eliminate the anonymity associated with cryptocurrency payments. Without an easy way to pay ransom, these attacks will decrease. Additionally, more scrutiny is needed on cyber insurance, as this practice facilitates easy payments for threat actors, and has the adverse effect of fueling more cyberattacks.

7. Security teams should expect significant Zero Day vulnerabilities (Pandian Gnanaprakasam)

Software development has roared forward for decades without enough thought given to security implications, and we’re suffering the consequences. That was evident to security teams in 2021 with the emergence of vulnerabilities like PrintNightmare in Q2/3, and Log4j in Q4. Similar revelations will continue throughout 2022 and beyond with the evolution and use of malicious, automated scanners leveraging tools like Cobalt Strike to find and exploit new vulnerabilities. In response, software developers should emphasize security best practices, especially when working with open-source software. Manufacturers should also disclose their software bill of materials (SBOM)–nested inventory for software, a list of ingredients that make up software components–to better inform customers and users of the possible security implications of using their products.

8. Telehealth and telemedicine are here to stay. And healthcare organizations need to keep those systems secure. (Darrell Kesti)

The COVID-19 pandemic brought telehealth and telemedicine into the mainstream, and they are not going away even after the threat of the virus abates. For most healthcare organizations, the popularity of telehealth visits versus physical visits will be dependent on insurance providers, and whether they will pay the same amount for virtual versus physical visits. In the UK, telehealth visits are gaining in popularity because of the reduced number of physicians and the long wait time when it comes to scheduling visits. From a cybersecurity perspective, a lot of telehealth/telemedicine environments connect directly from the patient to the specific telehealth vendor, and therefore there is a lack of security visibility into these visits. That needs to change for the sake of patient and organizational safety.

In the U.S., Mayo Clinic began offering hospital-at-home care for patients with non-life-threatening conditions during the pandemic, and saw success from the strategy; not just for patients but also for freeing up space in the hospital. With Omicron and future variants being inevitable, expect that these will also be included in telehealth and telemedicine at-home care, with corresponding medical devices that also need to be secured.

9. Cloud infrastructure will be one of the leading attack vectors in 2022. (Brad LaPorte)

Everything is moving to the cloud—including cybercriminals. According to Gartner, by 2023, 70% of all enterprise workloads will be deployed in cloud infrastructure and platform services, up from 40% in 2020. Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users. In addition, 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities. And 63% of third-party code templates used in building cloud infrastructure contained insecure configurations. Threat actors know this, and they are working hard to take advantage. To say that cloud security needs to be a top priority is the understatement of the year.

Those are our thoughts on what’s in store for the cybersecurity landscape in 2022. We’d love to hear yours.

Things move fast in tech. Enterprise infrastructure is growing larger, more complex, and more diverse; and the mix of hardware, software, and innovative new tools used to manage and secure those enterprises are pushing aside the legacy systems that have failed to keep up. The old saying, “You need a scorecard to keep track of the players” would apply but for the fact that the scorecard is probably out-of-date, too.

The CAASM is Growing

Just in case you weren’t paying attention, there’s a new market category—and associated acronym—that has emerged to describe a fast-evolving corner of the cybersecurity industry. Gartner, which coins terms faster than the Franklin Mint, saw activity reaching critical mass in addressing the need to track, secure, and manage the growing number of devices connecting to and comprising the modern enterprise, and defined a new category: cyber asset attack surface management, or CAASM (which you’ll probably want to pronounce like “chasm”).

Richard Stiennon, cybersecurity author and analyst, recently moderated a panel on CAASM as part of the Demo Forum, participated by Ordr’s VP Systems Engineering, Jeremy Haltom. Check it out here (once you register and login, it’s under the “live” section).

It’s good to see this space getting attention. Ordr’s mantra, “See. Know. Secure.” is a simple description of the CAASM approach needed to rein-in complexity to make it easier to secure. As enterprises get populated with devices, known and unknown, managed and unmanaged, the attack surface is also growing. That makes it harder for IT security and operations teams to do their jobs. You can’t protect what you can’t see, and it’s hard to know if the things you can see are compromised unless you have a clear understanding of what it is, what risks it brings, and how it is supposed to behave.

Without Visibility You’re Flying Blind

Absent a way to effect complete asset discovery, track the ephemeral nature of the attack surface in real-time, and manage those assets based on actual data that can tell indicators of compromise from a baseline of normal behavior, you are flying blind. And that’s not where a CTO, CISO, or CSO wants to be.

What’s interesting to us is that the Ordr System Control Engine was conceived as a solution to the challenges inherent with protecting connected systems and the networks they were connecting to. This was a big problem for healthcare organizations that rely on a mix of medical devices—the internet of medical things or IoMT—that defy traditional approaches to IT security and management. If a certain piece of equipment is operating with obsolete, unsupported software that makes it vulnerable to attack, there may be restrictions keeping IT from making any needed modifications. And if a device is in active use, it may be impossible to turn off.

Ordr SCE and the Power of Data

That was the challenge we set out to solve when Ordr was founded. But as Ordr gained traction in healthcare and other industries, our customers found that our platform was excellent at discovering and tracking assets wherever they were in the organization. We heard stories of hospitals that found equipment that had been missing for years, while others took the business intelligence they’d gathered from Ordr SCE to support asset requisition and allocation management decisions. That’s the power of data when it is complete, accurate, and in granular, contextual detail.

We know that the challenges associated with seeing, knowing, and securing cyber-assets are not going to diminish. At last count, devices were being acquired and attached to networks and the internet at more than 125 per second, with an expected 75 billion “things” connected by 2025. That’s a lot of devices, and for those organizations driving that growth through the adoption of IoT, IoMT, OT, and other connected devices, that’s a lot of attack surface to monitor, manage, and secure.

With Ordr You Aren’t Alone

So, whether you were aware of CAASM specifically or intuitively, you already know it has to be a part of an effective cybersecurity strategy. The good news is you don’t have to face the challenge alone. Get in touch with us and we’ll show you how you can see, know, and secure your cyber-asset attack surface with Ordr SCE.

Awareness and concern over security implications associated with the flood of connected devices hitting the market is growing worldwide, and governments are taking notice. Here in the U.S., it started after it was discovered that internet-connected security cameras made in China, and in common use at Department of Defense facilities, were sending data back to their manufacturers. That prompted Congress to take targeted action prohibiting the purchase of communications gear made in China. The Secure Equipment Act of 2021 was signed into law on November 11, 2021.

But unsecure IoT and Internet-connected devices aren’t a problem limited to products made overseas. The journal EE Times recently reported that the security of connected devices is a major concern, and that manufacturers of such products are not reporting known issues and vulnerabilities with their goods.

New UK Bill Aims to Protect Consumers

Now, a new law being considered in the UK seems intended to protect consumers from the threats associated with unsecure connected devices.  The Product Security and Telecommunications Infrastructure (PSTI) Bill is expected to become law sometime in 2022 and would establish new rules for Internet-connected devices made and marketed to consumers. PSTI would prohibit universal default passwords, ensure transparency related to known security flaws and what actions are being taken to mitigate them, and require the creation of better public reporting systems for discovered vulnerabilities.

Industry research, current events, and laws like PSTI show that personal and enterprise security have never been more vulnerable and intertwined. Vulnerabilities in Internet-connected devices don’t just put consumer data at risk, but also put corporate and government enterprise integrity in jeopardy. While PSTI is focused on the consumer-grade IoT market, we know many such devices make their way onto corporate and government networks.

Consumer Devices are Connecting to Commercial, Government Networks

Ordr’s own research (Rise of the Machines 2021: State of Connected devices — IT, IoT, IoMT and OT) has found devices like Pelotons, Sonos and Alexas, Kegerators, and many more unmanaged, consumer devices connected to corporate networks and healthcare environments—often for legitimate purposes and operations. Alexa devices, for instance, are being used as substitutes for the nurse call button, turning on lights and TVs with a voice command. Pelotons are being adopted for physical therapy. Imagine if those devices were to become compromised after connecting to a hospital’s IT infrastructure.

In Ordr’s view, legislation like PTSI should be expanded to cover an even broader array of devices, including those designed specifically for the enterprise as well as the consumer. Enterprise devices, and even medical devices, share many of the same vulnerabilities. Instead of merely requiring transparency, PTSI should mandate designing security into IoT products, ensuring secure protocols and technologies are used for key functions.

More Awareness, Security Needed

PTSI will help make consumer devices safer, but beyond safer passwords and vulnerability management, organizations still need to consider additional security best practices, such as:

• Maintaining a real-time inventory of devices: You can’t protect what you don’t know about. Security starts with real-time visibility of exactly what you have in your network and how those components are communicating in the network.
• Monitoring device behaviors for suspicious communications: Devices have deterministic functions. By using machine learning to baseline what behaviors are normal, you can then identify abnormal device behavior that may be an early indication of an attack.
• Tracking who is using your devices: By tracking and associating devices to users, you can identify compromised devices and also potential account misuse.
• Implementing Zero Trust segmentation for vulnerable devices that cannot be patched: Zero Trust segmentation policies can keep these devices in operations by allowing “normal communications” required for its function, while limiting exposure.

We believe PSTI is a good start, but much more remains to be done to make all internet-connected devices, and the people and organizations that use and rely on them, safe.