2021-12-30 - 台灣二版有限公司

In recent years, the technological dependence of companies and society has only increased. Companies have increasingly invested in digitizing their processes and providing the best experience for customers, partners, suppliers, and employees.

The digital transformation process and new technologies such as Cloud, Big Data, Internet of Things, and 5G have brought an increase in cyber threats with them. And the migration to remote work models driven by the Covid-19 pandemic has made people and businesses even more vulnerable to malicious attacks. This makes the cybersecurity issue remain on the rise and the protection of this entire infrastructure is increasingly essential in organizations’ strategies.

Thus, as the end of the year approaches, security leaders are looking for the main information security market trends and the challenges that await them for 2022 to be prepared for this threat scenario. According to a Flexera study, cybersecurity will be the top IT initiative for half of the organizations surveyed.

Therefore, in times when data is considered the new oil, it is essential that organizations know the market trends and then outline their cybersecurity strategies to protect this very valuable asset and ensure the continuity of their business.

Next, we present 9 information security topics that will be highlighted in 2022, which should be considered by organizational leaders in their cybersecurity strategies.

1. Greater Coverage of Data Protection Laws

With the exponential growth of data volume, news on data leaks will become more and more frequent. Consequently, the demand for data security and privacy is sure to grow. To respond to this trend, governments tend to increase regulatory pressures through the publication of personal data protection laws. So much so that Gartner estimates the personal information of 75% of the world’s population will be covered by specific data protection laws by 2023. In 2021, China, Saudi Arabia, and Brazil were some of the countries that put specific data protection laws in force. Europe already regulated the transfer of personal data from European Union countries to non-member countries. On the other hand, the United States remains on the list of countries without a specific federal law to guarantee the protection of personal data, depending only on states like California, Colorado, and Virginia to legislate on the subject.

2. Remote Work Protection

Work environments have undergone the greatest transformation in recent decades. Dining rooms were adapted so that we could share workstations and accommodate a remote workforce. According to research by Tenable and Forrester, 74% of security leaders recognize that the remote work measures implemented as a result of the pandemic have left their infrastructure vulnerable to malicious attacks. And even with the end of the pandemic and the return to face-to-face work, the expectation is that there will be a hybrid work adoption. Also, according to the survey, 70% of organizations plan to have their employees work from home at least one day a week.

3. Cyber Awareness

It is jargon in the cybersecurity market that “it is impossible to invest in state-of-the-art security solutions without addressing the weakest link in this chain: people”. Furthermore, as security vendors develop new technologies to protect infrastructure, attackers devise methods to bypass them and carry out their malicious actions. According to Verizon’s Data Breach Investigations Report 2021, 85% of data leaks surveyed involved the human factor, with social engineering accounting for more than a third of those leaks. Phishing was present in 36% of data leaks surveyed by Verizon.

4. Talents Wanted

In recent years, we have seen an increase in the number of projects related to digital transformation and connected devices, as well as a migration to cloud-based environments. Additionally, the risk landscape includes cyberwars and attacks such as ransomware, which increasingly affect business continuity. However, security budgets have not kept up with this escalation. To adequately respond to these risks and ensure infrastructure protection, there is an increased demand for cybersecurity professionals. According to an Information Systems Security Association (ISSA) study, 57% of professionals surveyed said that the lack of cybersecurity talents had impacted their organizations in some way, while 10% recognized this impact as significant.

5. It is All About Connection

The development of 5G and the Internet of Things has led to a growth in the number of connected devices. These devices have enabled connectivity and have become increasingly essential in the daily lives of people and businesses. According to a Cisco report, the number of connected devices is expected to surpass 29 billion by 2023, resulting in a larger attack surface to be exploited by malicious attackers through vulnerabilities and malicious software. According to Gartner, by 2025, cyberattackers will turn Operational Technology (OT) environments into weapons to cause even human deaths. In this way, attacks on the so-called critical infrastructure, such as the generation and distribution of energy, water, and gas, can have serious impacts not only on organizations but also on governments and society.

6. Mobile Attacks

The spread of smartphones has made our personal and professional life easier, stimulating the development of a series of applications for communication, shopping, finance, and travel. In addition, the shift to remote work has led to increased use of mobile devices by employees, bringing benefits such as faster speed and productivity improvements. In 2020, the percentage of internet traffic through these devices surpassed that of desktop computers and laptops for the first time. Cybercriminals have taken advantage of these facts to increasingly use mobile devices as an attack vector.

7. (Even) More Ransomware

Each year, we have seen new records in ransomware-related numbers. And in 2021, that was no different. SonicWall recorded a 148% increase in attacks involving ransomware in 2021, reaching the number of 495 million attacks with this type of malicious software, which is expected to exceed 700 million by the end of the year. It is worth remembering that the techniques used in these pieces of software have also become more sophisticated, showing an evolution in cybercriminals’ planning and execution of this type of attack. Moreover, the Ransomware-as-a-Service models have allowed scaling the development of this type of malicious software, allowing criminals without programming knowledge to develop their own ransomware. In September 2021 alone, SonicWall’s malicious software detection tools discovered more than 370,000 new malware variants, with governments and critical infrastructure being a top target.

8. Social Freedom

In recent years, we have seen social media influencing important events in some way, such as Brexit and the Brazilian and American elections via the Cambridge Analytica scandal. And with new occurrences involving Facebook and its employees, we will continue to see increasing pressure on social media to perform proper controls on their users’ posts. These posts include the dissemination of fake news and crimes such as selling illegal items, financial scams, and child pornography. This will undoubtedly influence governments to regulate and establish better-defined controls on how content is published, including the verification of facts posted on social media and facilitating access by authorities to the respective sources.

9. Artificial Intelligence and Machine Learning for Cybersecurity

The elimination of the security perimeter and the migration to distributed work models, driven by the Covid-19 pandemic, made devices even more vulnerable to cyber threats. And with the increase in these threats, boosted by the lack of specialized security staff, it is essential to use tools based on Artificial Intelligence and Machine Learning to detect cybersecurity risks. Through the use of these technologies, one can analyze and recognize patterns for the prevention and adequate response to these threats. In this way, the cybersecurity process becomes much more proactive and effective.

You can see that 2022 will not be easy in terms of cybersecurity. With the trend of increasing attacks and scarce resources, security teams will have a tough mission to detect and adequately respond to the growing demands in the industry. Now, the question is not whether, but when organizations will suffer a cyberattack. Thus, adequately responding to cyber threats not only must be considered by the security teams but also be part of the business strategies.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Senhasegura
Senhasegura strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

Senhasegura 2021

Similar to how software bugs are triaged for a severity level, so too are security vulnerabilities as they need to be assessed for impact and risk, which aids in vulnerability management. The forum of Incident Response and Security Teams (FIRST) is an international organization of trusted security scientists and computer researchers that have received the task of creating best practices and tools for incident responses teams, as well as standardizing security methodologies and policies.
One of FIRST’s initiatives is the Special Interest Group (SIG) that is responsible for developing and maintaining the Common Vulnerability Scoring System (CVSS) specification to assist the security team to understand and prioritize the severity of a security vulnerability.

Scoring Vulnerabilities

CVSS is known as a standard measurement system for organizations, industries and governments that need consistent and accurate vulnerability impact scores. The quantitative model of CVSS ensures accurate and repeatable measurement while allowing users to see the core vulnerability features that were used to generate the scores. CVSS is normally used to prioritize vulnerability remediation activities and to calculate vulnerabilities discovered on one’s systems.

Challenges with CVSS

Missing Applicability Context

Vulnerability scores do not always count for the right context in which a vulnerable component is used by an organization. A Common Vulnerabilities and Exposures (CVE) system can factor in different variables when determining the score of an organization. However, in some cases others can affect the way in which a vulnerability is handled in spite of the score given to it by a CVE.

For instance, a high severity vulnerability that’s classified by the CVSS which was found in a component used for testing purposes, such as a test harness, might end up receiving little or no attention from security experts. One reason this can happen is that this component is used as a tool and is not in any way exposed in an interface accessible to the public.

Additionally, vulnerability scores do not extend their context to account for material consequences such as when a vulnerability applies to cars, utility grids and medical devices. Each firm would need to triage and account for specific implications based on relevance to the prevalence in the specific vulnerable components for their products.

Incorrect Scoring

A vulnerability score includes a wide range of major characteristics and without supporting information, proper guidance and experience, mistakes can easily be made. It’s not rare to find false positives in a CVE or inaccuracies in scores that are assigned to any of the metrics groups that introduces a risk of losing trust in a CVE or creating panic for organizations.

CVSS has a score range of 0-10 that ranks severity levels starting from low to high. Inaccuracies of variables may lead to a score that maps to an inaccurate CVSS level. CVSS v3.0 can be used for evaluating and communicating security vulnerability features and their impact. The security research team takes part in discovering new vulnerabilities across ecosystems. Additionally, they work to triage CVE scores to properly showcase severities to balance the scoring inaccuracy that’s made by other authorities that issue CVEs.

An organization database provides supporting metadata beyond the CVE details for each vulnerability. The security experts curate each vulnerability with information like details about the type of vulnerability or overview of the vulnerable components that are enriched with reference links and examples to commits, fixes or other matter related to vulnerability.

How CVSS Works

There are three versions in CVSS’s history, beginning from its first release in 2004 to the widespread adoption of CVSS v2.0 and to the present working specification of CVSS v3.0. The specification offers a structure that standardizes the way vulnerabilities are scored in a way that’s grouped to showcase individual areas of concerns.

The Metrics For A CVSS Score Are Allocated In Different Groups:

Base: Impact assessment and exploitability metrics that are not dependent on the times of a vulnerability or a user environment, such as the ease at which the vulnerability can be exploited. For instance, if a vulnerability component is denied total access because of a vulnerability, it will score a high availability impact.

CVSS base metrics are composed of exploitability and impact metric sub-groups and assess their applicability to a software component, which may impact other components (hardware, software or networking devices).

Temporal: This metric accounts for situations that affect a vulnerability score. For instance, if there is a known exploit for a vulnerability the score will increase. However, if there is a patch or fix available, the score will decrease.

The main purpose of the temporal score is to offer context according to the timing of a CVE severity. For example, if there are known public exploits for a security vulnerability, this raises the severity and criticality for the CVE because of the considerably easy access to resources for employing such attacks.

A complete CVSS score is calculated which includes the temporal score part based on the highest risk for a value and will only be included if there is temporal risk. Consequently, any temporal score values that are assigned will keep the overall CVSS score at the lease or lower than the overall score.

Environmental: This metric enables customizing the score to the impact for a user or company’s environment. For instance, if the organization values the availability that’s related to a vulnerable component, it may set a high level of availability requirement and increase the whole CVSS score.

In conclusion, the base metrics form the bases of a CVSS vector. If temporal or environmental metrics are available, they are incorporated into the whole CVSS score.

About vRx
vRx is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

2021 vRx