16 cybersecurity solutions for protecting sensitive data in the cloud

On December 8, 2021, NetSPI Chief Technology Officer Travis Hoyt was featured in an article written by the Forbes Technology Council. Read the full article below or online here.

+ + +

A move to the cloud comes with multiple cost and productivity benefits for companies, including outsourcing hardware maintenance, the ability to quickly expand and easy access to the latest software. But while the cloud offers convenience, it can also add to a company’s cybersecurity risks. A significant cyberattack on a cloud provider can trickle down and affect all of that provider’s clients. 

It’s important that both cloud providers and the companies who purchase their services stay up to date on the latest and most effective cybersecurity solutions for protecting essential assets in the cloud. Below, 16 industry experts from Forbes Technology Council share new and trending cybersecurity paradigms that companies must consider to best protect their sensitive data in the cloud.

1. Quantum Computing

Ransomware extortion impacts every industry. There are a lot of solutions being used to thwart cybersecurity threats, but one of the most promising solutions is quantum computing. There are still questions about quantum’s viability—particularly around its deployment and high costs—but in the long term, it may prove to be the most effective way to combat cyberattacks and protect user data. – Jason Jantz, ReadyMode

2. A Focus On Access Management And Segmented Environments

Consider automated posture management and strong remediation requirements with a heavy focus on identity access management, including application programming interface keys. Segment your environments at the account/subscription level instead of just at the virtual private cloud level to create hard barriers between your assets, and use focused VPC-to-VPC connections to reduce the potential blast radius. – Travis Hoyt, NetSPI

3. Cloud-Based File Sharing

The debate about cloud security frequently overlooks a common surface of unauthorized data exposure: email. Emailing data, especially to a person outside of your organization, is typically less secure than using a cloud-based file-sharing app. Yet when cloud apps are blocked, an unintended consequence is that users default to email to share sensitive data, thereby creating greater security risks. – Edmund Zagorin, Bid Ops

4. Least-Privilege Policies

Identities are the foundation of cloud security, since the only perimeter between applications and data is a user login. Therefore, companies need to proactively manage identities, including permissions and entitlements. Enforcing least privilege, in which human and machine identities only have access to the resources they need to perform their business functions, is a must in the cloud. – Shai Morag, Ermetic

5. Reviews Of Vendor Cybersecurity Risk Management Protocols

Given the prevalence of supply chain hacks that impact multiple clients, companies implementing cloud services need to request and review their key communications providers’ and internet service providers’ cybersecurity risk management protocols to ensure potential vulnerabilities don’t turn into exposures. – Michael Gurau, Altman Solon

6. Added-Value Email Security Layers

If not done correctly, cloud migration can impart major risks to organizations. With over 90% of malware transmitted over the cloud via email, businesses need to start focusing more on dynamic and added-value email security layers. Only through building a comprehensive blend of new and old systems can you ensure some level of protection. – Oren Eytan, odix

7. Insurance To Cover Ransomware Costs

I was recently part of a meeting regarding a cloud storage company that was hacked. The company could not afford the ransom cost, and all its clients were impacted. The cloud company did not have enough insurance, so leadership determined it was best to just shut the doors. The company had six data centers and 42,000 users. Review your insurance policies to be ready for the worst-case scenario! – Nick Damoulakis, Orases

8. Identity Orchestration

With multiple clouds, data and account passwords have become distributed across many users, who access numerous apps that run across different clouds. This creates a massive attack surface. Passwords are the weak link in the security chain. The ideal solution is to authenticate users without the dependency on passwords. Use identity orchestration to roll out multifactor authentication for your apps without rewriting them. – Eric Olden, Strata Identity

9. Encrypted And Tokenized Data

First, protect data natively rather than relying on old-school (on-premises) perimeter/environment security paradigms, which are haphazardly adapted for the cloud. For sensitive or personal data, encrypt at rest and tokenize when the payload doesn’t need to be known for the process to work. The old behavioral issue of using copies of real data for systems testing must be replaced by the use of synthetic data. – Simone Steel, Nationwide Building Society

10. Multilayered User-Activity Monitoring

Most security risks associated with the cloud have to do with data and access breaches. A lot of cloud service providers have adequate security measures in place. However, it is ultimately up to client companies to install a multilayered method for monitoring user activity. This may include multifactor authentication, data-at-rest encryption and/or a perimeter firewall. – Ondrej Krehel, LIFARS LLC

11. Transformation Of Data To Ciphertext

In a word, the answer is “encryption.” Strong encryption transforms your data into ciphertext, ensuring that any lost data remains unreadable and meaningless to others. This protects you from unauthorized access, data breaches, data exposures, government legislative access provisions and, potentially, even the requirement to provide notifications under various privacy breach regulations such as GDPR. Only you hold the key. – Leonard Kleinman, Palo Alto Networks

12. A Focus On Internal Security

Experts position infrastructure as a service and platform as a service as more secure than any self-managed, organization-owned data center could be, but they fail to mention the shared security model that is inherent in these services. The provider owns some responsibility for security, but not all. You must consider how your internal security team will own and enforce security across applications, workloads and containers in the cloud. – Ian McShane, Arctic Wolf

13. Enhanced Identity Access Management

In eDiscovery, there is no new security paradigm; there are only best practices and proven tools. The approach to risk management changes in the cloud. The single-sign-on portal is the gateway to the data and resources bad actors want. This makes identity access management a top priority. Control your identities, and you can reduce your cybersecurity risks. – Jordan McQuown, George Jon

14. Behavior Monitoring Through Machine Learning

In some organizations, cloud credentials might be outside the scope of internal network security policies and controls. Using machine learning, security teams can distinguish between normal and abnormal behavior. They can easily and immediately discover who is using cloud resources to upload sensitive corporate information or illicitly access cloud applications and revoke their credentials. – Stephen Moore, Exabeam

15. Privacy-Enhancing Technologies

Tech companies should consider privacy-enhancing technologies, which deliver advanced cyber resilience and allow the sharing of data while protecting security and privacy. Given the increased shift to cloud storage, the relevance of PETs will grow in the future since they satisfy legal and regulatory mandates and prevent malicious attacks on sensitive data. – Roman Taranov, Ruby Labs

16. Zero Trust

Migrating to a cloud-based infrastructure means adopting a zero-trust cybersecurity policy. It requires more frequent testing, clearer segmentation and better transparency in a company’s infrastructure. The importance of ID authentication and authorized access to detailed data also increases, especially among company employees, and zero trust also considers the need to limit access to third parties. – Robert Strzelecki, TenderHut

NetSPI Adds IoT Penetration Testing to its Suite of Offensive Security Services

Led by IoT security expert Larry Trowell, the IoT pentesting services focus on securing ATMs, automotive, medical devices, operational technology, and other embedded systems.

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today announced the launch of its IoT penetration testing services, which will be added to its existing suite of penetration, adversary simulation, and attack surface management capabilities. With the stark growth of IoT adoption over the past few years, pentesting is now a critical asset for companies to understand and assess the overall strength and accountability of their internet-connected systems against sophisticated and targeted cyber attacks. 

NetSPI’s new IoT testing services encompass the following capabilities:  

  • ATM Penetration Testing: Identify the security issues and common vulnerabilities on relevant ATM systems and provide actionable recommendations for improving the overall security posture. Learn more about ATM pentesting.
  • Automotive Penetration Testing: Identify security issues on relevant vehicles and provide recommendations to improve the current systems – at any stage of automotive development. Learn more about automotive pentesting.
  • Medical Device Penetration Testing: Through a combination of threat modeling and penetration testing, determine possible medical device security risks and identify whether devices meet or exceed the current standards and recommendations by the FDA Premarket Cybersecurity Guidelines. Learn more about medical device pentesting.
  • Operational Technology (OT) Architecture and Security Review: Identify industrial control system (ICS) vulnerabilities with a focus on the OT processes in a Defense in Depth strategy. NetSPI will investigate the configuration and architecture of the systems and help address issues with asset inventory, network configuration, and segmentation. Learn more about OT architecture and security review.
  • Embedded Penetration Testing: Identify embedded system vulnerabilities in a multitiered penetration test across multiple disciplines. Look for security gaps at all stages of embedded development that may affect each layer of the device. Learn more about embedded pentesting.

“IoT has become part of our daily lives, but these devices and systems are often overlooked from a security perspective. Tapping into our innovation-driven culture and our best-in-class technologies, NetSPI’s IoT pentesting team is uniquely qualified to find and help fix the most critical security gaps in these systems,” said Aaron Shilts, President and CEO at NetSPI. “Our team is currently gearing up for game changing IoT pentesting projects in 2022. We were selected to test smart city technologies and ATM networks for some of the most transformative organizations in the world. NetSPI is thrilled to be a prominent player in future-proofing IoT security worldwide.” 

To keep up with the growth of IoT and assist with the complexity in this space, NetSPI has brought on one of the foremost IoT security experts, Larry Trowell, as Principal Consultant to provide additional leadership, guidance, and accountability within the IoT security practice.  

“IoT pentesting has become an important part of security strategy and business processes – especially given the increased connectedness in both personal and professional lives,” said Trowell. “There is currently a gap in the market to effectively monitor and assess the risks of these devices. NetSPI’s new offering allows our team to devote its resources and ensure the security of all embedded devices for our customers.” 

To learn more about NetSPI’s IoT security capabilities, visit the NetSPI website.  

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Tori Norris, NetSPI 
victoria.norris@netspi.com 
(630) 258-0277 

Amanda Echavarri, Inkhouse for NetSPI 
netspi@inkhouse.com 
(978) 201-2510

ITSP Magazine: The OWASP Top 10 2021 Edition: What Changed And What Must You Change In Application Development Given The Updated Top List Of Broken (AKA Weak Or Vulnerable) Things?

On December 7, 2021, NetSPI Managing Director Nabil Hannan was a featured guest on ITSPmagazine’s Redefining Security Podcast, where they discuss the new OWASP Top 10 2021. Listen below or view online here.

Episode Summary

Every few years, a group of individuals work together to deliver what has become a staple in application security practices: The Open Web Application Security Project (OWASP) Top 10. In the 2021 edition, the team took a fresh look at the data and what it means. Everything changed while staying the same.

Episode Notes

Every few years, a group of individuals work together to deliver what has become a staple in application security practices: The Open Web Application Security Project (OWASP) Top 10. In the 2021 edition, the team took a fresh look at the data and what it means. Everything changed while somehow stayed the same.

The real changes are in how organizations should look at this information and how to use it to make a difference in their application development and information security programs. While data analytics played a huge role in changing the game for the OWASP Top 10 for 2021, it’s the humans that will see the outcomes come to fruition. Or, at least we hope.

____________________________

Guests

Diana Kelley
On ITSPmagazine https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/diana-kelley

Andrew van der Stock
On LinkedIn | https://www.linkedin.com/in/vanderaj/
On Twitter | https://twitter.com/vanderaj

Nabil Hannan
On LinkedIn | https://www.linkedin.com/in/nhannan/
On Twitter | https://twitter.com/nabilhannan

@Hack: Cybersecurity Transformation in Saudi Arabia

Shortly after Thanksgiving, we packed our bags and ventured off to Riyadh, Saudi Arabia, for the inaugural @Hack cybersecurity event. We were invited to exhibit at the booth of SecureLink, with whom we recently partnered to expand NetSPI’s services to the Middle East and Africa (MEA).

Over the past two years, the Kingdom of Saudi Arabia has gone through accelerated digital transformation, driven heavily by its Vision 2030 reform plan. With this digital transformation come expanded attack surfaces and more exposure to cyber threats. This was a key theme and concern during the event – and a large part of why the event was organized in the first place.

It was exciting to see the energy and enthusiasm around technology and cybersecurity (almost as exciting as when we realized that @Hack was synonymous with “attack”). @Hack organizers estimated that more than 14,000 people from 70 countries were in attendance, many of whom we spoke to at the NetSPI stand about the state of security in Saudi Arabia, penetration testing, cybersecurity education, cybersecurity jobs, and more.

As we packed up to head to our next destinations, we took time to reflect on our conversations, the people we met, and the key themes we observed on the show floor.

Cybersecurity Maturity in the Kingdom of Saudi Arabia

The Kingdom of Saudi Arabia has only recently focused on transforming its technological infrastructure and has invested in becoming a technological powerhouse in the region. At the conference itself, we saw the use of QR codes, mobile payments, digital sharing of contact information, and more. Although its technology adoption is very high, there is an opportunity for the region to mature its understanding of and focus on cybersecurity challenges.

One of the younger attendees came from Egypt and participated in the “bug bounty” challenge. He came in 2nd place and mentioned how the challenge to him was simple compared to what he was used to in his home country. To us, this indicates that security is not necessarily at the forefront of Saudi Arabia’s considerations when acquiring or deploying technology, and there is some catching up it needs to do to ensure security keeps pace with its technological developments.

We also recognized that most of the cybersecurity work performed is based on what is mandated by the Kingdom of Saudi Arabia government. Penetration testing services are not a large part of that discussion today, but we anticipate security testing activities – pentesting, secure code review, threat modeling, red team, design reviews – will be part of the requirements very soon.

The State of Penetration Testing

At the event, we were surprised to hear that the concept of penetration testing is new to most people and organizations in the region. In many of our conversations, we heard that they were interested in purchasing products and software solutions that could take care of all security concerns. But, as we know, even the largest technology companies can make security mistakes (see: Microsoft Azure CVE-2021-4306).

There were a number of misconceptions about penetration testing that we helped to address at the show. Notably, the difference between penetration testing and simply running an automated scanner tool or a monitoring solution.

The explosion in technology adoption over the last few years has caused many companies to rapidly seek new and innovative security solutions; however, the adoption of pentesting services in the Middle East will be largely driven by regulation.

Youth and Women in Cybersecurity

@Hack brought a diverse group of people together. Students as young as 11 stopped by our booth and were eager to learn from us. It was incredible to see the younger generation’s interest in cybersecurity careers and education. Questions we were asked include, “how can we learn more?”, “where can I find more resources?”, “what resources should I look at to become a pentester?”, and “can you hire me and train me?”

A large portion of those coming into the industry are students who have learned from global online communities, including bug bounties, capture the flag, and online forums. For continued reading, this Arab News article highlights some of the young attendees involved at the event.

Across the globe, there are initiatives to get women more involved in cybersecurity. Cybersecurity Ventures and WiCyS predict that women will hold 25 percent of cybersecurity jobs globally by the end of 2021, up from 20 percent in 2019. This was evident @Hack.

Women were equally, if not more, involved at the conference than their male counterparts in terms of communication, interest, types of questions they were asking, etc. The transition to more progressive ideologies in the region has clearly resulted in a large influx of highly educated and motivated women wanting to break into the space.

Overall, the event was a great opportunity to connect and share information with security peers across the globe and we hope they will put on @Hack next year. With our new SecureLink partnership, we’re excited to continue educating the region on the benefits of penetration testing and the value it brings when done well. Want to connect with us at the next big cybersecurity event? We’re heading to RSA Conference in San Francisco, February 7-10, 2022. Schedule a meeting with us!

Explore our penetration testing, adversary simulation, and attack surface management services.
VMBlog.com: 15 Experts Share 2022 Security Predictions

On December 2, 2021, NetSPI Managing Director Florindo Gallicchio was featured in an article written by David Marshall for VMBlog.com. Read the full article below or online here.

Wondering where cybersecurity is headed as we enter 2022?  Read these predictions from 15 security industry experts as they weigh in and offer up their thoughts on the coming year.

++

Kevin Breen, Director of Cyber Threat Research, Immersive Labs

“We’ve seen an unfortunate increase in ransomware attacks, data leaks, and the sophistication of overall attack methods in the past year. While government-issued mandates have driven a positive increase in information sharing and disclosing rich technical details shortly after vulnerabilities are identified, we are still lacking critical workforce-wide cyber education. 

In 2022 there’s a lot more we can do to educate the entire workforce on how they can best identify and be prepared for cyber risks – and empower them to be defensive assets to their organizations. This now lies beyond security teams; it’s everyone’s responsibility and remit, from legal to sales to technical teams. Organizations need to ensure there is a fundamental understanding of security and cyber crisis preparedness workforce-wide, and I expect we’ll see businesses make more deliberate efforts and investments to address this gap.

Unfortunately, ransomware is likely not going anywhere in 2022, but we will see attackers evolve their strategies in light of heavy crackdowns and supply chain insecurities. The attack surface will likely reduce as larger groups dissolve, and in turn we’ll see affiliates move between RaaS operators as they rise and fall like REvil and BlackMatter. The attackers will always have the first-move advantage, but that’s why it’s crucial that we exercise the wider organization’s cyber crisis response to ensure everyone is prepared when the worst case scenario strikes.”

+++

James Christiansen, VP and CSO Cloud Strategy, Netskope

“In 2021 we’ve seen a rise of the “Great Resignation” and the utilization of gig workers. Specifically, with gig workers, the rapid churn of short-term projects and the widespread set of skills in demand means that background checks may be overlooked and the security of their own computers isn’t up to corporate standards. At the same time, in 2021 Netskope Threat Labs found that departing employees upload 3X more data to personal apps in their final month of employment. Taken together, both of these developments point to a need for corporations to rethink their insider threat strategy.”

Ray Canzanese, Director, Netskope Threat Labs

“By the end of 2022 malicious Office documents will account for more than 50% of all malware downloads as attackers continue to find new ways to abuse the file format and evade detection.  At the beginning of 2020, Office documents accounted for only 20% of all malware downloads and have increased to 40% in 2021. This trend will continue due to the pervasive nature of Office documents in the enterprise and the many different ways they can be abused, making them an ideal malware delivery vector.”

+++

Theresa Lanowitz, Head of Cybersecurity Evangelism, AT&T Business

Further acceleration to 5G networks 

“While 5G adoption accelerated in 2021, in 2022, we will see 5G go from a new technology to a business enabler. While the impact of 5G on new ecosystems, devices, applications, and use cases ranging from automatic mobile device charging to streaming, 5G will also benefit from the adoption of edge computing due to the convenience it brings. We’re moving away from the traditional infosecurity approach to securing edge computing. With this shift to the edge, we will see more data from more devices, which will lead to the need for stronger data security.  

Ransomware will be the most feared adversary 

The year 2021 was the year the adversary refined their business model. With the shift to hybrid work, we have witnessed an increase in security vulnerabilities leading to unique attacks on networks and applications. In 2022, ransomware will continue to be a significant threat. Ransomware attacks are more understood and more real as a result of the attacks executed in 2021. Ransomware gangs have refined their business models through the use of Ransomware-as-a-Service and are more aggressive in negotiations by doubling down with DDoS attacks. The further convergence of IT and OT may cause more security issues and lead to a rise in ransomware attacks if proper cybersecurity hygiene isn’t followed.

While many employees are bringing their cyber skills and learnings from the workplace into their home environment, in 2022, we will see more cyber hygiene education. This awareness and education will help instill good habits and generate further awareness of what people should and shouldn’t click on, download, or explore.” 

Bindu Sundaresan, Director at AT&T Cybersecurity

Zero Trust will be the security model of choice

“Traditional cybersecurity practices focus on a ‘castle and moat’ model, where security protocols concentrate on keeping threats out. This approach assumes that any user with the right credentials to access a network has done so legitimately and can be trusted to move freely through the system. However, as more organizations move their data and operations to the cloud more rapidly, the concept of a security perimeter as we know it is becoming obsolete. As a result, organizations will continue to focus on adopting a Zero Trust security model which restricts network access to only those individuals who need it.

Securing data with third-party vendors in mind will be critical 

Attacks via third parties are increasing every year as reliance on third-party vendors continues to grow. Organizations must prioritize the assessment of top-tier vendors, evaluating their network access, security procedures, and interactions with the business. Unfortunately, there are many operational obstacles that will make this assessment difficult, including a lack of resources, increased organizational costs, and insufficient processes. The lack of up-to-date risk visibility on current third-party ecosystems will lead to loss of productivity, monetary damages, and damage to brand reputation.”

+++

Jason Rebholz, CISO, Corvus Insurance

Ransomware + Impacts on Cyber Insurance

“Ransomware is the defining force in cyber risk in 2021 and will likely continue to be in 2022. While ransomware has gained traction over the years, it jumped to the forefront of the news this year with high profile attacks that had impacts on the day to day lives of millions of people. The increased visibility brought a positive shift in the security posture of businesses looking to avoid being the next news headline. We’re starting to see the proactive efforts of shoring up IT resilience and security defenses pay off, and my hope is that this positive trend will continue. When comparing Q3 2020 to Q3 2021, the ratio of ransoms demanded to ransoms paid is steadily declining, as payments shrank from 44% to 12% respectively, due to improved backup processes and greater preparedness. Decreasing the need to pay a ransom to restore data is the first step in disrupting the cash machine that is ransomware.

Although we cannot say for certain, in 2022 we can likely expect to see threat actors pivot their ransomware strategies. Attackers are nimble – and although they’ve had a “playbook” over the past couple years, thanks to widespread crackdowns on their current strategies, we expect things to shift. We have already seen the opening moves from threat actors. In a shift from a single group managing the full attack life cycle, specialized groups have formed to gain access into companies who then sell that access to ransomware operators. As threat actors specialize on access into environments, it opens the opportunity for other extortion based attacks such as data theft or account lockouts – all of which don’t require the encryption of data. The potential for these shifts will call for a great need in heavier investments in emerging tactics and trends to remove that volatility.”

+++

Brian Murphy, CEO and Founder, ReliaQuest

Tackling the skills transfer issue to finally make progress in addressing the gap

“If this past year taught us anything, it’s that cyber attacks are only increasing, so it’s paramount that organizations have the best talent to prevent and address these breaches when they occur. In 2022, the industry will need to make substantial progress in addressing the cybersecurity skills gap as efforts thus far haven’t shown the progress we need to properly address increasing threats. (ISC)2’s recent report made it clear – there aren’t yet enough cyber pros to build secure tech, implement protections or respond to breaches.

While it’s great to see the efforts of the private sector prioritize training in cyber skills, and making cyber awareness training accessible to everyone, I hope, and expect, the industry will direct more of its efforts into tackling the broader skills transfer issue. There are plenty of people ready to raise their hand and help with this ongoing problem, but we need to better equip them with the right skills. I hope to see more companies in the new year investing in meaningful skills initiatives, like Microsoft’s work with community colleges and ReliaQuest’s work with 3DE high schoolers. These education-based efforts aim to encourage the next generation of the workforce to take interest and gain critical skills to shape the future cyber workforce.”

Marcus Carey, Enterprise Architect, ReliaQuest

“2022 will be the year cryptocurrencies go mainstream. Already, big players are making moves into this space and NFTs are becoming increasingly popular among celebrities. We’ve unfortunately seen businesses use cryptocurrencies to make ransomware payments, but in 2022, they will become a more widely utilized method for companies to do things like compensate employees and take payments from customers. This will open up a whole new paradigm for security teams and CISOs, as there will be an increased emphasis on the security aspects of these new technologies.

CISOs and security teams will need to have an understanding of all of the facets of cryptocurrencies, including different blockchains like Ethereum and Solana, smart contracts, and hot and cold storage. Just as cybersecurity teams audit code now, they will have to audit smart contracts – which are automated agreements written in code and incorporated into the blockchain. Cybersecurity teams and IT teams will need to manage hot wallets, which are used for transactions, and cold wallets, which are used for long term storage. There are various aspects and implications that CISOs and their teams will need to understand in order to keep money secure. Cryptocurrency is the “Wild West” of the digital world today. Companies need to prepare now for the impact it will have in the year ahead.” 

+++

Tobi Knaup, CEO, D2iQ

Putting forth a DevSecOps approach from the start

“The pandemic pushed us further into the cloud, which has made us more reliant on microservices and containers. However, the rapid proliferation of microservices has outpaced the cyber security capabilities of most organizations. In an effort to improve cloud native cyber security practices, organizations will begin to embed security from the very beginning of the development process, ensuring microservices remain secure wherever they are deployed. As organizations become more agile, putting forth a DevSecOps approach from the start ensures microservices are adequately secured.”

+++

James Condon, Director of Research, Lacework

“Linux and cloud infrastructure are emerging targets of malware and ransomware attacks: Threat actors are looking for the path of least resistance – the easiest way to break through with the greatest return. The traditional methods of enterprise network intrusions to obtain data (or other valuable company information) are still resulting in success. However, cloud infrastructure is heavily Linux-based (80+ percent) and with cloud adoption increasing, especially as a result of the pandemic, threat actors are turning their focus to cloud-based targets. The Lacework team found that PYSA Ransomware Gang added Linux Support, which indicates that ransomware gangs and other attackers may be pivoting to cloud strategies. Furthermore, continued identification of new Linux malware families are growing increasingly complex, adding to the mounting concerns.”

Chris Hall, Cloud Security Researcher, Lacework

“Crimeware actors will continue leveraging initial access brokerage and crypto jacker techniques: Currently, we are seeing a lot of cloud environments being compromised by crypto jacker techniques. These aren’t generating a ton of noise within the larger cyber community currently; however, this is an area that attackers will continue to leverage and start to carry out on a larger scale in the coming year.”

+++

Eric O’Neill, National Security Strategist, VMware

If 2021 was the year of the Zero Day, 2022 will be the year of Zero Trust: 

“In 2021, defenders caught the highest number of Zero Days ever recorded. We saw a massive proliferation of hacking tools, vulnerabilities, and attack capabilities on the Dark Web. As a response, 2022 will be the year of Zero Trust where organizations “verify everything” vs. trusting it’s safe. We’ve seen the Biden administration mandate a Zero Trust approach for federal agencies, and this will influence other industries to adopt a similar mindset with the assumption that they will eventually be breached. A Zero Trust approach will be a key element to fending off attacks in 2022.”

Karen Worstell, Senior Cybersecurity Strategist, VMware

Accelerated delivery of the benefits of 5G infrastructure will highlight IoT security needs.

“The pandemic made it abundantly clear how important 5G infrastructure is for rural areas in the U.S. The rollout of 5G will enable better access to healthcare, educational innovations, and public services. The Biden administration’s infrastructure bill, which includes provisions for broadband delivery and access, provides the industry with another nudge in the right direction to roll it out. As 5G service delivery expands, there will be a growing demand for IoT security and engineering to ensure that network complexity does not become yet another security liability. We must also focus on securing the far edge much like we handle the data center edge today — this will put new demands on incident detection and response. Future-ready capabilities like EDR (endpoint detection and response) will need to evolve in order to keep an expanding service level and constituency safe.”

+++

Florindo Gallicchio, Managing Director, Head of Strategic Solutions, NetSPI

Cybersecurity budgets will rebound significantly from lower spend levels during the pandemic

“As we look to 2022, cybersecurity budgets will rebound significantly after a stark decrease in spending spurred by the pandemic. Ironically, while COVID-19 drove budget cuts initially, it also accelerated digital transformation efforts across industries – including automation and work-from-home infrastructure, which have both opened companies up to new security risks, leading to higher cybersecurity budget allocation in the new year. Decisions are being made in Fortune 500+ companies with CFOs on the ground, as these risk-focused enterprises understand the need for larger budgets, as well as thorough budgeted risk and compliance strategies. Smaller corporations that do not currently operate under this mindset should follow the lead of larger industry leaders to stay ahead of potential threats that emerge throughout the year.”

+++

Stephen Cavey, Co-founder of Ground Labs

Awareness and gamification will lead the future of data security plans

“As employees went remote, the amount of potential data exposure greatly increased. This increased risk highlighted the strongest security weakness that criminals were actively targeting: the organization’s people.

Traditional forms of mitigation of this risk in the form of physical training through classroom delivery have not been as effective as required to reduce the instances of data breaches caused by employees. In the coming year, CISOs and IT leaders will incorporate all parts of an organization into creating a well-rounded cybersecurity strategy that places employees at the center in order to mitigate risk. We’re going to see more next-generation job roles such as “head of remote.” These new roles will be tasked with improving the remote experience which can open up a strong opportunity to weave a culture of data security and good data hygiene and awareness practices that are driven through educating on the unique risks of working remotely in isolation for prolonged periods. Adding elements of gamification is also an excellent way to remind, engage and motivate employees to practice better cybersecurity habits.”
