Surviving the 2023 shockwaves

To slightly misquote a priceless line from a classic film and attribute it to the year that's rapidly approaching: 'Fasten your seatbelts, it's going to be a bumpy RIDE!'

You have only to look at the state of our economy and the political turmoil in the UK right now to realise 2023 is going to be a tough year to get through in sound health as a business. Never mind thriving, more a case of surviving.

Meanwhile, as far as computing security goes, the challenges remain as immense as ever, if not more so, with the number of cyber-attacks soaring and the methods of infiltration growing ever more pervasive and sophisticated. What can we expect, then, in the year ahead? Which will prove to be the 'killer' solutions to ward off the attackers? Will there be new ways to make ourselves safer - ie, where will the next breakthrough come from to bolster our resilience and safeguard the systems on which organisations depend? Computing Security has been asking those who spend their working days fighting against the 'darker forces'. Here is how they see the world, for better or worse, in the 12 months ahead.

"The rate of cyber security breaches is accelerating. There are many reasons for this, but we can really break it down to a few key things. First, it's a fact that the increasing complexity and requirements of IT systems create more opportunity for breaches. For example, with hybrid work, workers are more distributed than ever and IT teams are struggling to best manage this distributed workforce. Cloud deployments are becoming increasingly vast, with many third-party APIs and interconnected hooks into production systems.

"Every API in use, every 'one-off' connection, is another avenue for cyber criminals to exploit in an attempt to compromise critical business systems. Digital transformation is accelerating, not slowing down, so we're expecting this trend to continue until a critical mass of businesses realise that there needs to be a balance between fast digital adoption and sustainable security across the entire digital estate.

"Secondly, we've seen time and time again where massive security measures were sidestepped, simply because an end user fell prey to social engineering. For example, the recent Uber breach shows us that technologies like multi-factor authentication are still susceptible to social engineering techniques. In this case, a combination of MFA Prompt Fatigue and carefully crafted WhatsApp messages claiming to be from Uber support were enough to trick an external contractor into helping the attacker get past the MFA process. In this case, and many others like it, proper end-user security awareness training for all users will go a long way towards cultivating a sustainable security culture and help prevent future breaches.

"Finally, one key thing we've seen with Zero-Day threats throughout the year is the fact that the amount of time between the discovery of an exploit and when it begins seeing use in the wild is shrinking. System admins are increasingly under pressure to apply Zero-Day patches in a timely manner, in order to mitigate these risks. In the coming year, system admins need to be aware of this shift, and make sure they stay informed and up to date on their patching schedules, in order to reduce vulnerability."
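The prompt-fatigue pattern described above leaves a recognisable trail in authentication telemetry. The following is an added example, not Hornetsecurity's code and not a reconstruction of the Uber incident: it parses constructed log lines in an assumed `<time> user= ip= push=<outcome>` format and flags a user who approves a prompt after several denied or timed-out ones inside a ten-minute window, as well as any user receiving a burst of prompts regardless of outcome. The window and thresholds are assumptions to tune against your own data.

```python
"""Flag MFA prompt-fatigue ("push bombing") patterns in authentication logs.

Added example; the log line format, window and thresholds are assumptions
rather than any product's real schema, and the sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed format: "<UTC time> user=<name> ip=<addr> push=<denied|timeout|approved>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) push=(denied|timeout|approved)$")

WINDOW = timedelta(minutes=10)   # how far back to look for earlier prompts
FATIGUE_THRESHOLD = 3            # rejected prompts before an approval is suspicious
BURST_THRESHOLD = 5              # prompts in the window, whatever the outcome

# Constructed sample: one contractor bombed five times who then approves,
# one user who mis-taps once, one user with normal spaced-out logins, one junk line.
SAMPLE_LOG = """\
2022-09-15T22:01:10Z user=contractor01 ip=203.0.113.7 push=denied
2022-09-15T22:01:55Z user=contractor01 ip=203.0.113.7 push=timeout
2022-09-15T22:02:40Z user=contractor01 ip=203.0.113.7 push=denied
2022-09-15T22:03:20Z user=contractor01 ip=203.0.113.7 push=timeout
2022-09-15T22:04:05Z user=contractor01 ip=203.0.113.7 push=timeout
2022-09-15T22:09:30Z user=contractor01 ip=203.0.113.7 push=approved
2022-09-15T22:02:00Z user=alice ip=198.51.100.20 push=denied
2022-09-15T22:02:30Z user=alice ip=198.51.100.20 push=approved
2022-09-15T22:05:00Z user=bob ip=198.51.100.44 push=approved
2022-09-15T22:35:00Z user=bob ip=198.51.100.44 push=approved
this line is not a push event and is ignored
"""


def parse(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group(2), "ip": m.group(3), "result": m.group(4)}


def detect_push_fatigue(lines, window=WINDOW, fatigue=FATIGUE_THRESHOLD, burst=BURST_THRESHOLD):
    """Walk events in time order, keeping a per-user sliding window of prompts."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> prompts seen inside the window
    burst_alerted = set()
    findings = []
    for e in events:
        q = recent[e["user"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:   # q always holds e, so never empty
            q.popleft()
        rejected = sum(1 for p in q if p["result"] != "approved")
        ips = sorted({p["ip"] for p in q})
        if e["result"] == "approved" and rejected >= fatigue:
            # The dangerous case: the user finally said yes after a string of prompts.
            findings.append({"kind": "fatigue_approval", "user": e["user"], "ts": e["ts"],
                             "prior_rejections": rejected, "source_ips": ips})
        if len(q) >= burst and e["user"] not in burst_alerted:
            # Alert once per user while the bombing is still in progress.
            burst_alerted.add(e["user"])
            findings.append({"kind": "push_burst", "user": e["user"], "ts": e["ts"],
                             "prompts": len(q), "source_ips": ips})
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f)
```

On the constructed sample the detector raises a `push_burst` finding at the contractor's fifth prompt and a `fatigue_approval` finding when the sixth is accepted, while alice's single mis-tap and bob's ordinary logins produce nothing. The `source_ips` field is there because an approval that follows prompts from an address the user has never authenticated from is the version of this alert worth paging on.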

"Matter will become the household standard for the smart home. Interoperability is a problem that plagues home IoT. Many IoT home devices are proprietarily divided between vendors. In 2022, Matter - a new smart home standard - erupted into the space, with the intention of securing and enabling communication between devices, no matter which vendor they come from.

"In 2023, this ground-breaking new standard will likely be taken up with great enthusiasm, as users, vendors and manufacturers seize hold of its undeniable benefits. Uptake has already been rapid, with Google, Amazon, Apple and Samsung backing it from inception. The latest Apple iOS 16 is already supporting it and manufacturers will not be able to resist adopting it for long."

Code Signing will move to the cloud. "As Code-Signing becomes an ever-greater asset to supply chain security, industry regulators are stepping up. In November 2022, the CA/B Forum will demand that private keys for OV Code Signing certificates be stored on devices that meet a minimum security standard. In 2023, we predict that users will migrate - en masse - to cloud signing as a direct response to this new hardware requirement."

Mike Nelson, DigiCert: in 2023, users will migrate, en masse, to cloud signing.

Meanwhile, EU Digital Identity will become a model for global government Identities, states Stephen Davidson, senior manager in DigiCert's global Governance, Risk and Compliance team.

"The EU Digital Identity Wallet is a European Commission initiative under the eIDAS Regulation that will create a unified digital identification system across Europe. The EU Digital ID Wallet will allow European citizens to carry eID versions of their official government ID documents in a secure mobile wallet application for use in online authentication and electronic signatures. Also, the wallets will carry 'electronic attribute attestations' - supplemental aspects of identity like a professional qualification - that can be presented either with the personal identity or separately." The EU has significant cross-border projects lined up in financial services, education and healthcare, he points out.

"The spiralling series of DDoS records will continue to be set and broken. In the last few months, we've seen multiple broken records for DDoS attack sizes, in terms of packets per second. In July, a record was set when one unnamed actor launched an attack of 659.6 million packets-per-second. That record was broken shortly after in September, when another attack achieved a new record of 704.8 million packets per second.

"DDoS attacks have classically attempted to send fewer packets of larger sizes, which aim at paralysing the internet pipeline by exceeding available bandwidth. More recent record-breaking attacks, however, send more packets of smaller size, which target more transactional processing to overwhelm a target. In 2023, we'll see even more records broken as attackers deploy ever higher packets-per-second in their attacks."

More breach reports and possible personal executive blowback. "The last few years have seen an explosion of data protection regulation around the world. In 2023, that will mean we see more breach reports as more organisations become compelled to publicly disclose these cyber incidents.

Andy Syrewicze, Hornetsecurity: system admins are increasingly under pressure to apply Zero-Day patches in a timely manner.

"The legal responsibility for bad corporate behaviour when dealing with breaches may also redound to individual executives. Joe Sullivan, former head of security at Uber, was recently found guilty of hiding a 2016 breach at the ride-sharing giant. This example may set a precedent for other court cases in 2023 and make data protection decisions a matter of personal legal accountability for executives.

"DDoS attackers will continue to outwit legacy defences," Stephenson further comments, "and DDoS will still be a weapon in the Ukraine conflict.

"Cyberwarfare has always been an aspect of the conflict in Ukraine. DDoS attack numbers exploded after the Russian invasion in February and DDoS will continue to be an asymmetric weapon in the continuing struggle."

"Gartner named attack surface expansion as one of the top security threats of 2022 and we think this is going to continue in 2023. Most organisations start out by thinking of their external attack surface in terms of their known assets. As their security strategy matures, many progress to tackling shadow IT: assets and services that their IT and security teams are unaware of, but that are still owned by the organisation.

Camille Charaudeau, CybelAngel: enterprises will likely see increased attacks on extended attack surfaces.

"In 2023, enterprises will likely see increased attacks on their extended attack surfaces, which include their entire supply chain ecosystem of suppliers, distributors, partners, vendors, who in turn bring along their own supply chain with varying levels of maturity in security practices. With increased globalisation and decentralisation of operations, an extended attack surface quickly expands beyond an organisation's own controlled perimeter and robust security practices. Simply doing business with companies with less mature security practices will increase risks in your own systems and processes.

"Security leaders will need to supercharge their external attack surface management (EASM) programs to include digital risk protection solutions (DRPS), as these technologies strongly complement each other, to provide more comprehensive coverage than either alone. This means eliminating blind spots and achieving full visibility with a continuously updated asset inventory, and having a full suite of tools to handle business-critical risks, such as credentials leakage, typo-squatting threats or intellectual property exposure, to fully prevent multi-vector cyber-attacks.

Stephen Cavey, Ground Labs: global regulators are now putting stronger laws in place to protect their citizens' data.

"Organisations need to go beyond perimeter-centric defence and start thinking like attackers," says Charaudeau. "This means adopting a proactive posture and taking an outside-in approach, with vigilant monitoring of possible exposures in their extended external attack surface. Doing this will enable enterprises to fully maximise the value of their vulnerability management, and endpoint detection and response programs, and ensure issues can be remediated expediently before bad actors can take advantage of them."

"The twin forces of globalisation and the explosion of connected technology have made it easy for anyone to do business anywhere. Now, business owners can transact with people across the world from the comfort of their own living rooms. The ease with which businesses now interact with customers and partners anywhere in the world can betray a real concern of being involved in international business: data compliance.

"Over the last five years, global regulators have recognised this reality and are now putting stronger laws in place to protect their citizens' data. If you do business in a territory - however small the revenue or however quick the transaction - then you may be subject to their data protection regulations. In 2023, as international regulations settle into place, organisations will slowly begin to understand what they need to comply with and where they need to comply. Either they'll make appropriate changes or face the consequences from any number of regulatory regimes around the world.

"As cyber-attacks continue and cyber-criminals become ever more creative, cyber-insurance will become harder to attain in 2023. Premiums will increase, requirements will get tougher and more businesses will see rejections for cyber insurance coverage. Companies will begin to understand that they must invest in protecting and managing the data from the ground up and not merely buy a cyber-insurance policy to protect against potential losses.

"As international regulation ramps up around the world, organisations will be forced to question how much data they need to collect about individuals, in order to deliver their product or service. Previous years have been characterised by a hungry accumulation of data, with the hopes that it could be monetised or used to improve services later down the line. However, as international regulation locks into place around the world, organisations will be made to account for the individual types of data they collect and justify this on an ongoing basis."

From a major ride-sharing company to a well-known entertainment giant, breaches that expose sensitive data are becoming commonplace, points out Invicti Security’s distinguished architect Dan Murphy. "Neither of these attacks was a complex zero-day exploit. They both relied on the weakest links of any software process: people.

"Unfortunately, user error will dominate the next year of cybersecurity pitfalls. Because software is now an unknowable complexity where nobody understands every single line of code, it's difficult to predict what may happen in the event of a malicious hacker setting their sights on your organisation. For similar reasons, we'll continue seeing exploits of Log4Shell. While organisations aware of Log4Shell instances can remediate them relatively efficiently, the current concern is in those older, dustier systems without clear-cut owners.

Dan Murphy, Invicti Security: user error will dominate the next year of cybersecurity pitfalls.

"If there's confusion around how a system works and no robust DevSecOps team, it's easy for malicious hackers to slip under the radar and cause chaos. Persistent threat actors are exploiting this vulnerability, using it as one of the many lockpicks they reach for when trying to discover if a website is compromisable. That said, things have gotten incrementally better. Large-scale breaches and vulnerabilities serve as a wake-up call for the InfoSec community, even prompting government guidance on what organisations should do to protect themselves from bad actors.

"Communication at this level shows decision-makers that cybersecurity is worth prioritising. Organisations attempting to right the ship should look at the tactics of malicious hackers and use them for good. An example of this is DAST. DAST scanning uses those same techniques to deliver DevSecOps professionals an end-to-end view of security debt and direct-action items to best secure their web apps and prevent vulnerabilities from slipping through the cracks."

Following the rise of high-profile cyber-attacks this past year, we should expect to see the following three trends in 2023, Fourie predicts:

Enhanced disaster recovery. "The capacity to recover from attacks is often overlooked in favour of outright prevention, yet it is the businesses that adopt a 'when, not if' mindset that will escape the worst results of a cyber-attack. Therefore, the ability to successfully reduce the impact radii of threats is key to successfully rebuilding after an attack. Thus, businesses that understand the need to bolster cyber security will begin by moving to more resilient architectures that are secure by design, rather than relying on disaster recovery sites where threats are replicated live and compromised data is backed up because the backup platform is not security conscious."

Jacques Fourie, Kocho: it is the businesses that adopt a 'when, not if' mindset that will escape the worst results of a cyber-attack.

Deepened vendor scrutiny and consolidation. "Supply chain risk is impacting every industry. Uncertainty has businesses reflecting on what systems are already in place and whether they still meet demands. The drive for consolidation is being accelerated by maturing digital regulations, which places pressure on suppliers to prove they are compliant to remain competitive. Additionally, initiatives like Cyber Essentials - a government accreditation scheme for cyber security - are proving challenging for larger organisations to adhere to, despite being increasingly seen as fundamental to proving a basic secure strategy."

Securing modern digital assets. "Many organisations are opting for serverless architectures, like Platform as a Service (PaaS), to ease the overhead of cloud system management. Yet traditional security monitoring is struggling to keep up, and the risk of limited coverage and of failing to spot attacks is leading more organisations to consider re-platforming their security monitoring services. To aid visibility for the SOC post cloud migration, we are seeing more advanced XDR tooling that supports PaaS, such as containers. Next generation XDR can take telemetry from assets like containers into a more modern Security Orchestration, Automation and Response (SOAR) platform. Tools such as these are becoming an increasingly critical function to support, secure and ultimately keep up with digital transformation."

"2023 will be the year of API security. API traffic has increased 168% over the past year, with malicious traffic growing 117% in the same period. As business infrastructure increasingly moves towards digitalisation, API traffic, malicious and otherwise, will only continue to increase through 2023. If businesses are to protect themselves from the torrent of attacks coming their way, they must recognise the uniqueness of API security. Traditional security solutions, such as WAFs, API gateways and bot mitigation, simply aren't effective at protecting from most attacks aimed at APIs.

"Attacks on APIs are typically 'low and slow', with attackers searching for unique business logic flaws for weeks or even months before they succeed. As these attacks aren't as overt as more traditional methods, they cannot be detected by security tools that are not API-specific. What's more, basic security tools such as authentication, authorisation and encryption fail to meet the challenge of contemporary API security.

"Businesses require deep, detailed context to understand and protect their API ecosystems - that means being able to distinguish normal API activity from anomalies amidst millions of API calls. Basic security tools just don't provide that context, leaving businesses at risk.

"While it's not certain that businesses will wise up to the importance of API security, attacks on APIs will certainly increase. Just this year, Australian telco giant Optus suffered an API security incident with catastrophic results. The breach resulted directly from broken user authentication, the second biggest API vulnerability, according to the OWASP API Security Top 10.

"Attackers know that they can easily exfiltrate data from unauthenticated APIs. With an API security platform able to provide continuous visibility in runtime and show the normal behaviours of APIs versus anomalies, this threat could have been identified before the attacker accessed the user data. If organisations don't learn from Optus's mistakes, 2023 will be riddled with major API security failures. In short, 2023 is either going to be the year of API security or API security incidents. The end result will be determined by whether businesses wise up to the need for API-specific security or continue to rely on old security solutions for a very modern problem.
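The two failures named in the passage above, an endpoint that serves records to anyone who can guess an identifier, and a slow walk through identifiers that no per-request rule notices, can both be shown in a few lines. The following is an added example, not the quoted vendor's code and not a reconstruction of the Optus incident: a deliberately unauthenticated lookup beside a hardened version that authenticates the caller and then authorises the specific object, plus a detector that counts distinct identifiers per client over a sliding window. The customer store, the bearer-token table, the access records and the thresholds are all constructed for the demo.

```python
"""Broken user authentication beside its fix, plus an enumeration detector.

Added example. CUSTOMERS, TOKENS and the access records are constructed; the
window and distinct-id threshold are assumptions to tune for a real API.
"""
from collections import defaultdict

# Constructed customer store keyed by sequential integer ids (the easiest case to enumerate).
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.test"},
    1002: {"name": "B. Example", "email": "b@example.test"},
    1003: {"name": "C. Example", "email": "c@example.test"},
}
# Constructed bearer tokens -> the single customer id each token may read.
TOKENS = {"tok-a": 1001, "tok-b": 1002, "tok-c": 1003}


def lookup_vulnerable(customer_id, headers=None):
    """Deliberately broken: headers are ignored, so any caller who guesses an id gets the record."""
    rec = CUSTOMERS.get(customer_id)
    return (200, dict(rec)) if rec else (404, None)


def lookup_hardened(customer_id, headers):
    """Authenticate the caller, then authorise it against the object being requested."""
    auth = (headers or {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (401, None)
    principal = TOKENS.get(auth[len("Bearer "):])
    if principal is None:
        return (401, None)
    # 404 rather than 403 for someone else's record, so a valid token cannot
    # be used to confirm which ids exist.
    if principal != customer_id or customer_id not in CUSTOMERS:
        return (404, None)
    return (200, dict(CUSTOMERS[customer_id]))


def detect_enumeration(records, window_s=3600, distinct_threshold=20):
    """Flag clients that touch many distinct object ids inside a time window.

    records: iterable of (ts_seconds, client_ip, customer_id). One request every
    couple of minutes never trips a rate limit; counting *distinct ids* per client
    over an hour is what exposes the 'low and slow' walk.
    """
    by_client = defaultdict(list)
    for ts, ip, cid in sorted(records):
        by_client[ip].append((ts, cid))
    flagged = {}
    for ip, hits in by_client.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window_s:   # slide the window forward
                start += 1
            distinct = {cid for _, cid in hits[start:end + 1]}
            if len(distinct) >= distinct_threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def sample_access_log():
    """Constructed records: one scraper walking sequential ids at one request per
    two minutes, and two ordinary clients re-reading their own record a few times."""
    records = [(i * 120, "203.0.113.9", 1000 + i) for i in range(30)]   # 30 ids over 58 min
    records += [(t, "198.51.100.20", 1001) for t in (10, 600, 2400)]
    records += [(t, "198.51.100.21", 1002) for t in (300, 3000)]
    return records


if __name__ == "__main__":
    print("vulnerable, no credentials:", lookup_vulnerable(1002))
    print("hardened, no credentials:  ", lookup_hardened(1002, {}))
    print("hardened, wrong owner:     ", lookup_hardened(1002, {"Authorization": "Bearer tok-a"}))
    print("hardened, right owner:     ", lookup_hardened(1002, {"Authorization": "Bearer tok-b"}))
    print("enumeration suspects:      ", detect_enumeration(sample_access_log()))
```

The scraper in the constructed log never exceeds one request every two minutes, which is exactly why a bandwidth or rate threshold misses it; the detector flags it because it read thirty distinct identifiers in an hour while the legitimate clients read one each. In the hardened handler the order matters: authenticate first, then check that the authenticated principal owns the object, and answer an unowned or missing id the same way so the endpoint cannot be used as an existence oracle.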

"As we head into 2023, the financial impact of cybercrime is heading towards the $10 trillion mark, with no signs of slowing. As our world becomes ever more connected and dependent on technology, the traditional approach to cyber security of cleanliness and the rush to patch will continue to struggle to keep up. The doom-and-gloom headlines will continue to be written about data loss and a lack of resilience or trust from an ever-increasing breadth of cyber-attack across the digital world.

"IT teams and users alike are already stretched to the limit, many acknowledging that they do not have the skills or time to keep up with the almost weekly attempted attacks and zero-day patches. Simply monitoring for and patching vulnerabilities that are discovered at the user level is not a battle that can be won by the defenders, especially when attackers only need to be right once to exploit a vulnerability.

"The UK is seeking to do something about this to balance responsibility across the supply chain. Already in 2022, we have seen the Government's PSTI Bill looking to ensure that consumer products are shipped more securely by default, placing more responsibility on the product manufacturer.

"The UK Government is not stopping here, though. As part of the UK's National Cyber Strategy, there is now a focus on the underlying technology that our digital world is built upon, ensuring products are not only secured by default to help reduce the number of vulnerabilities, but also secured by design of the components and enabling technologies to help protect against the inevitable remaining vulnerabilities.

"UK Research and Innovation's Digital Security by Design Programme, part of the National Cyber Strategy, has been redesigning from the ground up the way software interacts with hardware, so it can block the exploitation of around 70% of the ongoing discovered vulnerabilities by design, while also giving software development new ways to maintain resilience and integrity. Working across government, industry and academia, the £300m programme has been distributing a prototype, with developers and researchers finding more ways to protect everything digital from cyber and operational incidents.

"As we move into 2023, we will really start to see early examples for sectors where this innovative technology can reduce threats and block exploitation of vulnerabilities. Developers and IT teams will become more vocal, pressing for the day they can benefit from new hardware that can actively block exploitation of vulnerabilities and their need to chase the ever-increasing number of patches."