Take a look in the cybersecurity rearview before you look ahead

Taylor Armerding
Published in Nerd For Tech
Dec 19, 2022

It’s good to gaze into the cybersecurity crystal ball, as happens at this time of year when our cup overfloweth with predictions for 2023.

But it’s also good to look in the rearview at a year that will be over in less than two weeks, both for what happened and for what it all might mean and what we can learn from it.

With that as a goal, you could say (or sing) along with the late Frank Sinatra that “it was a very good year.” Not all good news, but plenty to learn. Even when it’s painful, it’s useful.

So here, in no particular order of significance or chronology, are a few of the events of the past year that varied from encouraging to disturbing to alarming, but were all instructive.

Ounces of prevention, pounds of cure

Most of the headlines about cybersecurity would make you think the news in the industry is always bad, much the way carnage and crime always lead the evening news. And there is plenty of bad news, as we will note.

But there was good news as well, and some of the best of the year you were unlikely to have noticed, which is why we’re calling it to your attention. In fact, it’s good news specifically because it resulted in things you didn’t notice — some unknown number of disaster headlines that didn’t have to be written.

In a couple of major areas, software got safer in 2022. That means while bad things will still happen, they won’t happen as much.

One way is the increased use of the programming language Rust in the Linux kernel, the main component of the free and open source Linux operating system. The Linux OS, developed starting in 1991, had previously been written mainly in C, a so-called “low-level” language that makes it easier and faster to write code and handle high-performance demands, but that is also notorious for security bugs.

Rust delivers the performance pleasure without nearly as much pain. Travis Biehn, technical strategist with the Synopsys Software Integrity Group, said Rust “is suitable as a high-performance systems programming language, and it also provides safety. Its introduction to operating system components like the Linux kernel means developers can start writing new projects in a safe, modern language. It’s the first step toward better security in Linux kernels. Hopefully Linux isn’t the last project to pursue them.”

Indeed, fewer errors, fewer vulnerabilities, yielding a smaller attack surface. Very good news.

Something similar is happening on the browser front, with Mozilla’s Firefox. Web browsers have traditionally been written in low-level languages like C to yield high performance but they suffered from the resulting plague of vulnerabilities.

“One really error-prone area of programming is writing parsers, video, and audio codecs,” Biehn said. “But Mozilla pioneered an approach with the community so that Firefox can wrap these routines in a special sandbox that prevents software bugs from compromising users’ machines. That’s a huge win, and a new way to use sandboxes to protect users.”

Ransomware still rising

By now, ransomware qualifies as old news — according to security firm CrowdStrike, the first attack was 33 years ago — at least six generations in information technology. The victims had to send all of $189 to a post office box in Panama.

But ransomware keeps evolving and is now a global plague that sucks at least $20 billion from its victims annually, easily making it one of the top cybersecurity (or lack of cybersecurity) stories of every year for more than a decade.

According to Statista, there will likely be more than 472 million ransomware attacks worldwide by the end of the year. That’s about 15 every second — way more than enough to keep Bleeping Computer’s long-running feature “The week in ransomware” supplied with material.

And, as was painfully demonstrated this past year, attackers can create chaos and crisis in critical infrastructure, from food to fuel, transportation, utilities, healthcare, education, and more.

Indeed, the U.S. Department of Health and Human Services issued a warning earlier this month about Royal, a ransomware group that is specifically targeting the healthcare sector. Rebecca Herold, CEO of Privacy & Security Brainiacs, said that in her home state of Iowa, “the CommonSpirit ransomware attack that started in October not only shut down the MercyOne system of hospitals’ networks for several weeks, but it also resulted in a 3-year-old boy being accidentally given a huge overdose of opioids, patients with cancer having their surgeries and treatments delayed, and ambulances being diverted from hospitals. Ransomware is not just a digital problem. It is a health and critical infrastructure problem as well, that continues to expand.”

Ironically, the best ways to minimize the risks of falling victim to ransomware are old news as well. There is unlikely ever to be a silver bullet, but the primary reasons those attacks succeed are a lack of security in software and systems, plus a lack of awareness about how to resist social engineering.

Herold said too many organizations, instead of building more secure software, using end-to-end encryption of data, creating more effective backup and recovery procedures, and teaching employees how to spot phishing attempts, decided “either to take the chance that they wouldn’t be targeted or purchased cyber liability insurance and assumed — usually incorrectly — that the insurance would cover all the costs of a ransomware attack.”

“Cyber criminals love this,” she said.

SBOM: Acronym of the year

If you don’t know the meaning of the acronym for software Bill of Materials, you are part of a vanishing minority. Which is some of the best security news of the year. Yes, its profile got off the ground nationally in 2021 as a key component of President Joe Biden’s “Executive Order on Improving the Nation’s Cybersecurity,” but it gained some serious critical mass within the cybersecurity industry during the past year.

It’s good news because one of the realities of software security is that, as many experts have said, improving it means doing more fundamental things than transformational things. And an SBOM is, or ought to be, a fundamental. It’s an inventory of everything in the supply chain of a software product, including where a component came from, who made it, who is maintaining it (or not), and whether it contains any known vulnerabilities or licensing conflicts.

In short, it helps organizations know what’s in the software they’re using, and if it needs to be patched.
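As an added illustration (not code from the original article), here is how the inventory role of an SBOM becomes an automated “does this need patching?” check: a constructed CycloneDX-style SBOM is matched against a constructed advisory list, and any component whose version is below the fixed version is flagged. The advisory IDs, versions and the widget-lib component are placeholders, not real CVE data.

```python
"""Check a constructed CycloneDX-style SBOM against a constructed advisory list."""
import json

# Constructed sample SBOM in CycloneDX 1.4 JSON layout; not a real product's inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "group": "com.example", "name": "widget-lib", "version": "1.0.3"}
  ]
}
"""

# Constructed advisories with placeholder IDs (not real CVE numbers).
# "fixed_in" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "fixed_in": "2.17.1", "note": "placeholder for a logging-library advisory"},
]


def parse_version(v: str) -> tuple:
    """Split a dotted version into a tuple of ints so 2.14.1 < 2.17.1 compares correctly."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def load_components(sbom_json: str) -> list:
    """Parse the SBOM document and return its component list."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom.get("components", [])


def find_unpatched(sbom_json: str, advisories: list) -> list:
    """Return (component coordinate, advisory id) pairs for components below the fixed version."""
    findings = []
    for c in load_components(sbom_json):
        for adv in advisories:
            if (c.get("group"), c.get("name")) != (adv["group"], adv["name"]):
                continue
            if parse_version(c["version"]) < parse_version(adv["fixed_in"]):
                findings.append((f"{c['group']}:{c['name']}@{c['version']}", adv["id"]))
    return findings


if __name__ == "__main__":
    for coord, adv_id in find_unpatched(SBOM_JSON, ADVISORIES):
        print(f"PATCH NEEDED: {coord} ({adv_id})")
```

The same comparison is what a vulnerability scanner does at scale; without the SBOM there is no component list to compare against.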

The less good news is that the road to making SBOMs mainstream could be bumpy. A few weeks ago the Information Technology Industry Council (ITIC), a lobbying organization with a membership that includes tech giants like Amazon, Apple, Microsoft, Intel, IBM, Cisco, Samsung, and Zoom, wrote to the federal Office of Management and Budget (OMB), urging it to “discourage” federal agencies from requiring an SBOM for software products they would buy because SBOMs aren’t yet “scalable and consumable.”

“We believe that SBOMs are not suitable contract requirements yet […] At this time, it is premature and of limited utility for software producers to provide an SBOM,” the ITIC wrote.

No public response yet from OMB, but the reality of the security cliché remains: You can’t protect what you don’t know you have.

Worst of the worst

Every year there is more software written — lots more. We were up to 2.8 trillion lines of code two years ago. And since it is written by imperfect humans, it is imperfect as well, which means every year there are more software vulnerabilities.

According to Statista, with a couple of weeks to go before the books close on 2022, there have been more than 22,500 of them added to the Common Vulnerabilities and Exposures (CVE) list — a new record.

But obviously some are worse than others. And 2022 was bracketed by a couple of the worst. The Log4Shell group of vulnerabilities in the Apache Software Foundation’s immensely popular logging library Log4j were actually discovered at the end of 2021, but they bled into 2022 and remain a major threat to organizations, many of which have failed to install updates, perhaps because they don’t even know that Log4j is buried somewhere in their software supply chain.

Then, in late October, came word of a vulnerability in the widely used OpenSSL cryptographic library. It turned out not to be Heartbleed 2.0 — generating sighs of relief after a week of frantic speculation — but it was another warning that open source software, while it offers multiple advantages to developers and users alike, is no more or less secure than any other software. And since everybody everywhere is using open source, a good New Year’s resolution would be to keep track of it (with the help of an SBOM) and keep it up-to-date.

A weaponized IoT

The Internet of Things (IoT), with a global “population” of about 13.1 billion devices — closing in on double the world’s human population of 7.8 billion — is increasingly labeled the Internet of Everything.

And because both vendors and buyers of those things still care more about features than security, it’s been the biggest attack surface in the world for years.

But a more ominous IoT trend has gained traction in the past year. The risk is not just that hackers can compromise your “smart” device to steal your money or your identity.

Herold noted that IoT products are increasingly being used by criminals to “track and hunt down targeted victims.” According to Vice, eight police departments in the U.S. reported 50 cases of women saying they had received notifications that they were being tracked by a device they didn’t own.

Two women filed a class action lawsuit earlier this month against Apple alleging negligence after their ex-partner or husband used AirTags to track their movements and locations. The complaint alleges that AirTags, which have been promoted as a way to track items like luggage, “are one of the most dangerous and frightening technologies employed by stalkers.”

And Congress responded to the threat with a bill titled the “Tech Safety for Victims of Domestic Violence, Dating Violence, Sexual Assault and Stalking Act.” Its sponsors, Sen. Ron Wyden, D-Ore., and U.S. Reps. Anna G. Eshoo, D-Calif., and Debbie Lesko, R-Arizona, say it “would provid[e] new grant funding to clinics and other partnerships focused on addressing domestic violence and technology-enabled abuse.”

“It’s not just Apple — all other types of GPS trackers could also be used for such purposes,” Herold said. “There have been more and more of these types of situations reported throughout 2022, and [these devices] will increasingly be used for malicious purposes while they lack cybersecurity controls and privacy protections.”

The skills gap widens

Multiple headlines at the end of the year about the tech economy were about layoffs. Crunchbase reported 90,000 jobs cut by more than 370 companies going into mid December, with names as big as Netflix, Adobe, Facebook parent Meta, Cisco, Amazon, and Salesforce on the list.

But for the most part, those didn’t hit the cybersecurity sector, which has the opposite problem — an ongoing skills gap.

It was bad last year. Most experts predicted it would get worse this year. It did. It will likely be worse next year. According to the (ISC)2 2022 Cybersecurity Workforce Study, the gap increased 26.2% from 2021, to 3.4 million.

While the study found some encouraging trends — a large majority (72%) of organizations expect to increase their cybersecurity staffing during the coming year — the shortage is expected to continue, and not just because of a lack of skilled applicants.

A lack of talent was cited as the biggest cause for the shortage of cybersecurity staff, but the research showed that there were numerous other internal factors: struggling to keep up with turnover/attrition (33%), not paying a competitive wage (31%), not having the budget (28%), not offering opportunities for growth/promotion for security staff (24%) and not putting enough resources into training nonsecurity IT staff to become security staff (23%).

While it wouldn’t eliminate the problem, organizations could start with one of the mantras of security experts: Security is everybody’s responsibility.


I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.