In today’s interconnected world, securing our applications and digital assets has never been more important.

As hackers and cybercriminals become more sophisticated in their tactics, it is crucial that we take steps to protect our systems from potential attacks. As we enter 2023, it’s a good time to reflect back on 2022’s key security trends, events, and milestones:

  • What major events occurred?
  • What are the takeaways, key lessons, and best practices going forward?

Whether you are an engineer, architect, manager, director, VP, or simply curious about security, I hope this helps you in planning your security posture and approach this year.

As always, if you need help with your 2023 security planning, set up a discussion with one of our experts.

6 Notable Data Breaches

There are hundreds of breaches every year. Here are 6 that stood out in 2022:

Cash App

What happened? A terminated employee accessed customer financial reports as an act of revenge and downloaded report data without permission, stealing customer details like names and account numbers.

How did it happen? Employee access was not immediately blocked during/after termination.

What was the fallout?

  • Approximately 8.2 million current and former customers notified.
  • A class action lawsuit.
  • Reputational damage, lost customers, lost productivity, compliance costs, legal fees, and more.

What are the main takeaways?

  • Don’t overlook insider threats. Block access ASAP.
  • Terminate accounts immediately before or during employee terminations.
  • Ensure access management practices are effective and efficient.

Marriott

What happened? An unnamed hacking group used social engineering to steal passwords, access Marriott’s internal systems, and extract 20 GB of sensitive customer data, including personal information and credit card numbers.

How did it happen? Successful social engineering attack to capture Marriott employee passwords and access internal systems.

What was the fallout?

  • The hacking group extracted and sold 20 gigabytes of sensitive customer data.
  • Marriott refused to pay extortion request from the hacking group.
  • Reputational damage, lost customers, lost productivity, compliance costs, legal fees, and more.

What are the main takeaways?

  • Social engineering is and always will be effective. Tricking one employee is all it takes.
  • Zero trust principles, data loss prevention (DLP) tools, and multi-factor authentication (MFA) could have averted mass data extraction.

Twitter

What happened? An API vulnerability in Twitter’s systems allowed an attacker to link private email addresses and phone numbers to user accounts. This enabled the attacker to compile a list of 5.4 million Twitter user account profiles.

How did it happen? An attacker leveraged an API vulnerability (that Twitter was slow to patch) to scrape public and private Twitter data.

What was the fallout?

  • 5.4 million Twitter user account profiles compiled and sold.
  • Many anonymous/pseudonymous Twitter users revealed.
  • Reputational damage, lost customers, lost productivity, compliance costs, legal fees, and more.

What are the main takeaways?

  • Perform threat modeling to find design flaws and consider abuse/misuse cases.
  • Include APIs during security testing.
  • Act fast or risk breach with slow remediation.

LastPass

What happened? A threat actor gained access to the development environment using a developer’s compromised endpoint and took portions of source code and some proprietary LastPass technical information.

How did it happen? A single developer account was compromised after a successful multi-factor authentication, and the threat actor leveraged that access to impersonate the developer.

What was the fallout?

  • Stolen proprietary information and source code led to another breach just 3 months later.
  • Reputational damage, lost customers, lost productivity, compliance costs, legal fees, and more.

What are the main takeaways?

  • MFA is not a silver bullet. There are methods to circumvent MFA.
  • Protect non-production environments too. Threat actors see value in Dev/QA/staging environments.
  • Successful attacks often lead to more successful attacks.
  • If you have something of value (as most organizations do), be prepared for targeted attacks.

Uber

What happened? An attacker gained access to multiple services and internal tools used at Uber: AWS, GCP, Google Drive, Slack workspace, SentinelOne, HackerOne admin console, Uber’s internal employee dashboards, and a few code repositories.

How did it happen? The attacker used social engineering to get VPN access to the internal network, found some PowerShell scripts with hard-coded admin credentials, and used these to gain full admin access.

What was the fallout?

  • The attacker immediately disclosed the breach to security researchers and Uber personnel.
  • It appears no data was stolen, no malware was deployed, and no extortion took place. Uber got lucky!
  • Reputational damage, lost customers, lost productivity, compliance costs, legal fees, and more.

What are the main takeaways?

  • Social engineering is still effective. Tricking one employee is all it takes.
  • Store and reference credentials and secrets from a secure vault, especially admin.

Toyota

What happened? Nearly 300,000 customers had their personal data leaked due to a publicly-available access key on GitHub for almost five years.

How did it happen? A website development contractor mistakenly uploaded the source code with the access key to a public repository on GitHub.

What was the fallout?

  • Affected customers notified.
  • Reputational damage, lost customers, lost productivity, compliance costs, legal fees, and more.

What are the main takeaways?

  • Implement controls to detect and mitigate secrets in source code.
  • Ensure regular review of repositories, especially public ones.
  • Utilize GitHub Advanced Security (GHAS) to perform critical secret scanning and code scanning.
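The Uber and Toyota incidents above both trace back to credentials committed with source: a hard-coded admin password in a PowerShell script and a cloud access key pushed to a public repository. The following is an added example of the kind of pre-commit or CI secret check those takeaways call for; it is not Coveros’s or GitHub’s code, the rules and the sample repository contents are constructed for illustration, and reports are redacted so the scanner itself never re-leaks a secret.

```python
import re
from dataclasses import dataclass

# Detection rules, tried in order; the first rule that matches a line wins.
# Patterns are narrow on purpose: a noisy scanner gets disabled, not fixed.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("powershell-plaintext-password",
     re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText", re.I)),
    ("hardcoded-password-assignment",
     re.compile(r"(password|passwd|pwd|secret|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]", re.I)),
]

@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str  # offending line with the secret value masked, safe to log

def redact(line: str) -> str:
    """Mask quoted values of 8+ chars and access-key ids so reports never re-leak secrets."""
    line = re.sub(r"(['\"])[^'\"]{8,}\1", r"\1***\1", line)
    return re.sub(r"\bAKIA[0-9A-Z]{16}\b", "AKIA***", line)

def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, redact(line)))
                break
    return findings

def scan_files(files: dict) -> list:
    """Scan a mapping of path -> contents, e.g. the files staged in a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample repository contents (placeholder values, not real credentials).
SAMPLE_FILES = {
    "deploy/reset-admin.ps1": (
        "$user = 'svc-admin'\n"
        "$secure = ConvertTo-SecureString 'Sup3rS3cretAdminPw!' -AsPlainText -Force\n"
        "$cred = New-Object System.Management.Automation.PSCredential($user, $secure)\n"
    ),
    "web/config.js": "const ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE';\nconst region = 'us-east-1';\n",
    "README.md": "Set DB_PASSWORD in your environment; never commit it.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):  # any finding should fail the hook or CI job
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.excerpt}")
```

Wire `scan_files` into a pre-commit hook or a CI step and fail the build on any finding; the remediation is to move the value into a vault or the CI secret store and rotate it, since a key that has already been pushed must be treated as exposed.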

More Data Breach Resources:

  1. World’s Biggest Data Breaches & Hacks — Information is Beautiful
  2. Verizon 2022 Data Breach Investigations Report
  3. IBM Cost of a Data Breach 2022

5 Valuable Reports and Key Findings

Sonatype 8th Annual State of the Software Supply Chain

  • 742% average annual increase in Software Supply Chain attacks over the past 3 years.
  • 6 out of every 7 project vulnerabilities come from transitive dependencies.
  • More mature software supply chain management equates to more job satisfaction.
  • 1.2 billion vulnerable dependencies are downloaded each month.
  • 96% of known-vulnerable open source downloads are avoidable.

GitHub Octoverse 2022: The State of Open Source

  • 90% of companies use open source.
  • Infrastructure as code (IaC) practices are increasingly being adopted across projects on GitHub—including open source projects.
  • 30% of Fortune 100 companies have Open Source Program Offices.
  • First-time OSS contributors favor commercially backed projects.
  • Developers updated 50% more vulnerable packages than in 2021, helping to secure 18 million projects on GitHub.

Google Cloud 2022 State of DevOps Report

  • The biggest factor for good security practices is cultural, not technical.
  • Developers agree that security scanning as part of CI/CD is too late and too slow.
  • Better security practices not only decrease security risk, but also build trust and reduce burnout.

GitLab 2022 Global DevSecOps Survey

  • 70% of DevOps teams release code continuously, once a day, or every few days, up 11% from 2021.
  • 47% of teams report their testing is fully automated today, up from 25% last year.
  • Security professionals are seeing their roles change, particularly when it comes to getting “hands on” with dev teams to get things done.
  • 53% said everyone is responsible for security, a 25% increase from 2021.
  • Security scanning is increasing but the majority of dev teams still aren’t getting scan data in their workflows.
  • 90% of orgs implement security checkpoints and associated governance.
  • 82% use automated code review tools.
  • 56% increase in building a capability to combine application security testing results.
  • Nearly 35% year-over-year growth in “identify open source” and “control open source risk” activities.
  • 175% observed growth in fixing all occurrences of software bugs found in operations.

5 Key Themes and Lessons

So what lessons can we learn from these and other critical breaches? Here are key takeaways to consider as you work to improve your security posture in 2023.

1. Open source and software supply chain security is key. Know your assets and transitive dependencies. You can’t protect what you don’t know. Utilize tools to generate a software bill of materials (SBOM) to understand the full scope of your dependencies. If you’re stuck or not sure how or where to start, give us a call. We have a customizable solution and a team of experts ready to help you succeed. We are also partners with Sonatype and Tidelift – both leaders in application security.

2. Attack surface isn’t just production environments. Dev, QA, and staging environments are targets too. Much emphasis is rightfully placed on production environments, but often at the expense of other valuable targets. Be sure to account for risk in non-production environments and act accordingly. Also, whenever possible, don’t use production data in non-production environments.

3. Apply zero trust principles to reduce the blast radius. Verify access at every request to ensure authorization. Modern day digital work is distributed, not contained within a trusted network security perimeter. It is not safe to assume that prior access is valid the next day or across systems, so frequently challenge requests and ensure entitlements are appropriately set. Accomplish zero trust with effective and efficient IAM practices.

4. Social engineering remains prevalent and effective. Defeating humans is often easier than defeating systems, so provide security awareness training and advocate security as a shared responsibility. Utilize built-in email security controls to filter out known bad senders and suspicious messages. Consider products from KnowBe4 or Proofpoint to raise awareness and decrease successful social engineering attacks.

5. Multi-factor authentication (MFA) is a required security practice but is not foolproof. Many users choose poor MFA mechanisms and are fatigued or frustrated by MFA prompts. Also, users often don’t log out and their session remains open. Threat actors know how to use this to their advantage. Don’t rely solely on MFA to prevent 100% of fraud and identity attacks. Use phishing-resistant MFA and conditional access to mitigate risk.

6 Best Practices

How can you best position your organization to build security into everything you do? Here are some best practices to help.

Have an accurate and complete inventory, including data classification.

Unknown or inaccurate assets are a substantial risk as they are often under-protected or even completely unprotected. Ensure APIs and dependencies are included. Leverage scalable tools to automate asset discovery and verify correct and complete inventory.

Classifying data is important to determine protection needed for sensitivity levels. Mission-critical data needs significantly more security than public data. Without clear data classification, protections will be inconsistent and security resources misaligned with data sensitivity.

Perform regular security assessments, audits, and/or reviews

Measure maturity, compliance, and effectiveness. Conduct small but frequent in-house reviews on focus areas. Leverage independent experts for unbiased and thorough security assessments and audits. Discover key areas for improvement with each evaluation. Coveros delivers a clear strategy and improvement plan as a security assessment deliverable.

Promote “security is everyone’s responsibility” mentality

Consistently and persistently raise awareness about the need for security and the role of each person in maintaining a secure environment. It is vital that everyone understands what they should and should not do to be secure. Send regular reminders to reinforce this shared security responsibility mentality. Ensure this message is received and promoted by influential figures.

Enforce strong Identity and Access Management (IAM) policies

Implement conditional access and phishing-resistant MFA to decrease identity fraud.

Deploy a trustworthy password manager across your organization. Require all users to generate strong passwords for all sites and systems, and an especially strong master password. Change passwords at any notification of breach.

Follow the rule of least privilege access so users can access what they need to fulfill their responsibilities without additional privileges. Beware privilege creep, especially with promotions, role changes, and lateral moves.

Apply zero trust principles across and within architecture

This overlaps significantly with IAM, but a few actionable practices are:

  1. Request access credentials with every session on all systems. Don’t rely on a specific network or configuration to allow access.
  2. Restrict session time limits. For example, set a 30 minute time limit for access to critical data but allow an 8 hour time limit for less sensitive data. Set suitable time limits based on job responsibilities and data classification.
  3. Frequently sync access settings. Access changes should propagate in a timely manner. For example, account terminations should block access immediately.
  4. Configure IAM solution to challenge accounts multiple times per day to ensure validity.
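The four practices above amount to a per-request access decision. The following is an added example, not Coveros’s code or any vendor’s product, of that decision written out: the classification-based session limits use the 30 minute / 8 hour figures from item 2, termination is checked against the directory on every call so it takes effect immediately (the Cash App lesson), a periodic re-challenge covers item 4, and the network the request arrives from is deliberately never consulted. The tier names, the 4 hour challenge interval and the user data are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Maximum session age per data classification. Tier names are assumed; the
# 30 minute and 8 hour limits follow the post. Unknown tiers are denied.
MAX_SESSION_AGE = {
    "critical": timedelta(minutes=30),
    "internal": timedelta(hours=8),
}
CHALLENGE_INTERVAL = timedelta(hours=4)  # re-verify the user several times a day

@dataclass
class Session:
    user: str
    authenticated_at: datetime   # when the credentials were last fully verified
    last_challenge_at: datetime  # when the user last passed a re-challenge

@dataclass
class Directory:
    """Authoritative identity store; a termination here is visible on the next request."""
    terminated: set = field(default_factory=set)

def access_decision(session: Session, classification: str, directory: Directory, now: datetime):
    """Return (allowed, reason). Evaluated on every request; nothing here is cached."""
    if session.user in directory.terminated:
        return False, "account terminated"
    limit = MAX_SESSION_AGE.get(classification)
    if limit is None:
        return False, f"unknown classification {classification!r}"
    if now - session.authenticated_at > limit:
        return False, f"session older than {limit} for {classification} data"
    if now - session.last_challenge_at > CHALLENGE_INTERVAL:
        return False, "re-authentication challenge due"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed scenario: one user, one login at 09:00 UTC, requests through the day.
    t0 = datetime(2022, 12, 1, 9, 0, tzinfo=timezone.utc)
    s = Session("alice", authenticated_at=t0, last_challenge_at=t0)
    d = Directory()
    for hours, tier in [(1, "internal"), (1, "critical"), (5, "internal")]:
        print(tier, access_decision(s, tier, d, t0 + timedelta(hours=hours)))
    d.terminated.add("alice")  # HR terminates the account; no resync step needed
    print("after termination", access_decision(s, "internal", d, t0 + timedelta(hours=1)))
```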

Identify critical and high security risks. Prioritize and remediate ASAP.

Fix the worst stuff first. There is not enough time and resources to address everything, so focus on the highest risk issues. Triage the security issues and start with critical-risk first, high-risk second, medium-risk third, and so on. Remediate many issues at scale with well-architected secure design. Overwhelmed or not sure where to begin? Call us! Our experienced and qualified experts can help.

Wrap up

In 2022, we witnessed numerous data breaches, increasing cyberattacks, and many insightful findings from security research. It’s important to look back and learn from history or else suffer the same mistakes.

“Those who cannot remember the past are condemned to repeat it.” – George Santayana

Thoughtful readers like you know that learning from history and taking security seriously pays off in the long run. We at Coveros agree. But fixing everything isn’t realistic, so let’s focus on the important lessons so we don’t repeat the same mistakes in 2023.

Learn more about our AppSec and DevSecOps services here. Have questions about how best to ensure security in your SDLC? Set up a meeting with one of our experts.

Here’s to fresh starts, new beginnings, and making your security goals a reality. We look forward to serving you in 2023 and beyond.
