In this year’s Cybersecurity Predictions, the WatchGuard Threat Lab suits up at the news desk to update you on the top security-related headlines that we could see in 2022. Watch to learn how hackers might target space, what will happen with cyber insurance, Zero Trust, and more!
1. State-Sponsored Mobile Threats Trickle Down to the Cybercrime Underworld
Mobile malware certainly exists – especially on the Android platform – but hasn’t yet risen to the same scale of traditional desktop malware. In part, we believe this is due to mobile devices being designed with a secure mechanism (e.g., secure boot) from the start, making it much more difficult to create “zero-touch” threats that don’t require victim interaction. However, serious remote vulnerabilities have existed against these devices, though harder to find.
Meanwhile, mobile devices present a very enticing target to state-sponsored cyber teams due to both the devices’ capabilities and information contained in them. As a result, groups selling to state-sponsored organizations are mostly responsible for funding much of the sophisticated threats and vulnerabilities targeting mobile devices, such as the recent Pegasus mobile spyware. Unfortunately, like in the case of Stuxnet, when these more sophisticated threats leak, criminal organizations learn from them and copy the attack techniques.
Next year, we believe we will see an increase in sophisticated cybercriminal mobile attacks due to the state-sponsored mobile attacks that have started to come to light.
2. News of Hackers Targeting Space Hits the Headlines
With renewed government and private focus on the “Space Race” and recent cybersecurity research concentration on satellite vulnerabilities, we believe a “hack in space” will hit the headlines in 2022.
Recently, satellite hacking has gained investigative attention from the cybersecurity community among researchers and at conferences like DEF CON. While satellites might seem out of reach from most threats, researchers have found they can communicate with them using about $300 worth of gear. Furthermore, older satellites may not have focused on modern security controls, relying on distance and obscurity for defense.
Meanwhile, many private companies have begun their space race, which will greatly increase the attack surface in orbit. Companies like Starlink are launching satellites by the thousands. Between those two trends, plus the value of orbital systems to nation states, economies, and society, we suspect governments have quietly started their cyber defense campaigns in space already. Don’t be surprised if we see a space-related hack in the headlines one day soon.
3. Spear SMSishing Hammers Messenger Platforms
Text-based phishing, known as SMSishing, has increased steadily over the years. Like email social engineering, it started with untargeted lure messages being spammed to large groups of users, but lately has evolved into more targeted texts that masquerade as messages from someone you know, including perhaps your boss.
In parallel, the platforms we prefer for short text messages have evolved as well. Users, especially professionals, have realized the insecurity of cleartext SMS messages thanks to NIST, various carrier breaches, and knowledge of weaknesses in carrier standards like Signaling System 7 (SS7). This has caused many to move their business text messages to alternate apps like WhatsApp, Facebook Messenger, and even Teams or Slack.
Where legitimate users go, malicious cybercriminals follow. As a result, we are starting to see an increase in reports of malicious spear SMSishing-like messages to messenger platforms like WhatsApp. Have you received a WhatsApp message from your CEO asking you to help him set up an account for a project he’s working on? Maybe you should call or contact your boss through some other communication medium to verify it’s really that person!
In short, we expect to see targeted phishing messages over many messaging platforms to double in 2022.
4. Password-Less Authentication Fails Long Term Without MFA
It’s official. Windows has gone password-less! While we celebrate the move away from passwords alone for digital validation, we also believe the continued current focus of single-factor authentication for Windows logins simply repeats the mistakes from history. Windows 10 and 11 will now allow you to set up completely password-less authentication, using options like Hello (Microsoft’s biometrics), a Fido hardware token, or an email with a one-time password (OTP).
Though we commend Microsoft for making this bold move, we believe all single-factor authentication mechanisms are the wrong choice and repeat password mistakes of old. Biometrics are not a magic pill that’s impossible to defeat – in fact, researchers and attackers have repeatedly defeated various biometric mechanisms. Sure, the technology is getting better, but attack techniques evolve too (especially in a world of social media, photogrammetry and 3D printing). In general, hardware tokens are strong single factor option too, but the RSA breach proved that they are not undefeatable either. And frankly, clear text emails with an OTP are simply a bad idea.
The only strong solution to digital identify validation is multi-factor authentication (MFA). In our opinion, Microsoft (and others) could have truly solved this problem by making MFA mandatory and easy in Windows. You can still use Hello as one easy factor of authentication, but organizations should force users to pair it with another, like a push approval to your mobile phone that’s sent over an encrypted channel (no text or clear email).
Our prediction is that Windows password-less authentication will take off in 2022, but we expect hackers and researcher to find ways to bypass it, proving we didn’t learn from the lessons of the past.
5. Companies Increase Cyber Insurance Despite Soaring Costs
Since the astronomical success of ransomware starting back in 2013, cybersecurity insurers have realized that payout costs to cover clients against these threats have increased dramatically. In fact, according to a report from S&P Global, cyber insurers’ loss ratio increased for the third consecutive year in 2020 by 25 points, or more than 72%. This resulted in premiums for stand-alone cyber insurance policies to increase 28.6% in 2020 to $1.62 billion USD. As a result, they have greatly increased the cybersecurity requirements for customers. Not only has the price of insurance increased, but insurers now actively scan and audit the security of clients before providing cybersecurity-related coverage.
In 2022, if you don’t have the proper protections in place, including multi-factor authentication (MFA) for remote access, you may not get cyber insurance at the price you’d like, or at all. Like other regulations and compliance standards, this new insurer focus on security and auditing will drive a new focus by companies to improve defenses in 2022.
6. And We’ll Call It Zero Trust
Most security professionals have had the principle of least privilege grilled into them from the very beginning of their careers. Giving users the minimum level of access needed to perform their job functions is for the most part an uncontested best practice. Unfortunately, best practices don’t directly translate into wide adoption, and least to their full extent. Over the past few years, or decades really, we’ve seen the ease in which attackers can move laterally and elevate their level of access while exploiting organizations that haven’t followed basic security principles.
Recently, a “modern” information security architecture has grown in popularity under the name of Zero Trust. A Zero-Trust approach to security basically boils down to “assuming the breach.” In other words, assuming an attacker has already compromised one of your assets or users, and designing your network and security protections in a way that limits their ability to move laterally to more critical systems. You’ll see terms like “microsegmentation” and “asserted identity” thrown around in discussions on Zero Trust. But anyone that has been around for long enough will recognize this trending architecture is built on existing, long-standing security principles of strong identity verification and the idea of least privilege.
This isn’t to say Zero-Trust architecture is a buzz word or unnecessary. On the contrary, it is exactly what organizations should have been doing since the dawn of networking. We are predicting in 2022, the majority of organizations will finally enact some of the oldest security concepts all over their networks, and they will call it Zero Trust.
Follow the latest security insights powered by the WatchGuard Threat Lab at www.secplicity.org, which includes daily blogs, live Firebox Feed data, and Corey’s Daily Security Bytes.