Why 2022 Can’t Come Soon Enough
Let’s talk about what has made 2021 so challenging. We’ll go first.
The past 12 months have amounted to one giant stress ball, knotted with historic cybersecurity exploits and attacks, a relentless pandemic, the proliferation of a hybrid workforce, and skyrocketing numbers of new CVEs. And these challenges took a serious toll on CISOs around the globe. According to a ClubCISO survey conducted earlier this year, 64% of CISOs reported heightened stress levels, with 21% reporting “significant stress.”
Who can blame them? It’s not as though it was smooth sailing for CISOs before this year. Leading up to 2021, environments had grown increasingly complex and threat actors had upped their game, leaving CISOs under mounting pressure to reduce more risk with fewer resources and keep their companies out of the headlines. But 2021 carried with it certain angst not felt in previous years. Perhaps it was all the hope the year started off with, as we bid 2020 adieu and looked to 2021 as the start of our post-pandemic lives. Or the heightened threat landscape that is quickly becoming the new normal.
Either way, this one stung.
Biggest pain points of 2021
We have some theories as to why. Here’s a blow-by-blow of the biggest (and riskiest) reasons the last 12 months may have been so stressful.
Ransomware running rampant
2021 was a banner year in ransomware attacks. Riding the wave of their success in 2020, hackers were ready to capitalize once more on fatigued companies who managed to make it through the first year of the pandemic. Just six hacker groups dominated the first quarter of 2021, squeezing more than $45 million from 292 organizations held hostage by ransomware.
Speaking of ransomware, we would be remiss if we didn’t mention the Colonial Pipeline attack, the memorable moment when 5,500 miles of the nation’s fuel pipeline shut down, causing panic among consumers, closing thousands of gas stations, and ushering in a new era of cybercrime. The attack also brought to light a long-running, heated debate in the security space about whether publishing exploit code has a positive or negative effect. Does it help or hinder those trying to defend their organization from infiltration? In Colonial Pipeline’s case, the answer is obvious.
Read Ed Bellis’ take on the historic incident and what new research reveals: How a Private Dust-Up Over Publicizing Exploits Became Very Public.
Nightmare vulns wreaked headaches and havoc
This year brought some truly dangerous vulnerabilities, a couple of which earned a top Kenna Risk Score of 100. One particularly memorable vulnerability was a nightmare for Microsoft users: a PrintNightmare, to be exact (you may recall it as CVE-2021-34527). This Remote Code Execution (RCE) vuln discovered in the Windows Print Spooler service had all the makings of a truly damaging vulnerability. As Microsoft rushed to issue emergency patches (some of which didn’t actually remediate the vuln), it recommended teams disable the Print Spooler utility in the meantime. And unfortunately for Microsoft, PrintNightmare was just the latest in a series of Windows Print Spooler vulns that emerged in 2021. Here’s the full rundown of the Windows Print Spooler nightmare (and a dream come true for bad actors).
Rounding out the year was another top offending vulnerability, which also earned a perfect Kenna Risk Score of 100. CVE-2021-42013, which targeted Apache HTTP Server (including version 2.4.50), was spawned from an earlier Apache vuln that wasn’t wholly addressed by its patch. This vuln was particularly painful because of the popularity of both Apache HTTP Server and running CGI scripts. Luckily, the Apache team acted fast so damage was minimal, but hackers were able to score a few wins in the wild beforehand.
Get all the details on this high-risk vuln (and learn how to predict the next big one) in our November Vuln of the Month installment.
The risks of a hybrid workforce
Security leaders knew they were in for it when waves of workers transitioned out of the office to a remote environment. Endpoint management jumped in priority as more users and their devices traveled outside the traditional perimeter and interacted with company networks. And more employees working from home on more devices means even more opportunities for mistakes. A recent survey revealed that 61% of workers who reported having received required cybersecurity training failed a simple 7-question threat awareness quiz. These results don’t bode well for the people tasked with securing their organization’s environment.
As hybrid workforces emerge, another more nuanced implication is unfolding: the threat of a two-tier workplace. Since an estimated 25% of full workdays will happen at home, Security and IT are under even more pressure to ensure not only that the level of fidelity remains the same for in-office and remote employees, but also that communication, collaboration, and productivity aren’t sacrificed. In the initial months following lockdown, teams scrambled to stand up video conference capabilities, messaging channels, and project collaboration tools. All of these new features added to the environment’s complexity, attack surface, and opportunity for employee error.
For more on locking down your environment and shoring up your cybersecurity hygiene, check out 1,200 US Workers Just Proved Cyber Training Alone Won’t Prevent Your Next Breach.
Cyber risk just keeps increasing
While the notion that cyber risk is increasing seems like a no-brainer, we’ve added it here because, frankly, it’s the new normal. The conditions are right for a heightened threat landscape: Attack surfaces continue to expand as networks become increasingly complex (and threat actors have even more attack vectors to leverage), companies were fatigued and vulnerable after a year of unprecedented turmoil, and hackers are upping the ante with more sophisticated and aggressive attacks.
At the start of 2021, there was a significant jump in threats with 2,700 CVEs published in Q1 alone (that’s a 380% increase from a decade ago). With an average of 31 new vulns appearing daily, security professionals soon realized they had their work cut out for them. And as billionaires began blasting themselves into the stratosphere with increasing regularity, nation-states began recognizing the future security implications of space-based activity.
Complex challenges call for security made simple
Will 2022 just be more of the same? Certainly, we will see more CVEs, exploits, and breaches. Thinking otherwise is just naïve.
But there’s hope on the horizon. Advanced security solutions are simplifying and democratizing cybersecurity, which traditionally has been the sole domain of Security and IT—and so extraordinarily complex that leadership and others in the organization have only the faintest understanding of how Security does its job. Using interactive dashboards and intuitive risk meters, these new solutions make it possible, for the first time, for more stakeholders to take an active role in protecting the enterprise and reducing risk to the business.
This year, Kenna Security became part of Cisco, and our risk-based vulnerability prioritization technology is becoming a core part of the Cisco Security portfolio. It’s Cisco’s mission to make security simple and available to everyone in the enterprise who can benefit from understanding where the risks lie and how to mitigate them.
Cybersecurity is bigger than just one company, or even one industry. It takes a partnership of everyone involved in managing our collective risk. We’re all in this together, and you can count on Kenna and Cisco to be here for you in 2022 and beyond. For now, though, let’s say goodbye to the year that was. And let’s realize there’s plenty of good reason to meet the coming year with confidence.