[HN Gopher] What does 2022 have in store for cybersecurity and c...
___________________________________________________________________
What does 2022 have in store for cybersecurity and cloud security
specialists?
Author : BlackPlot
Score : 53 points
Date : 2021-12-29 13:50 UTC (9 hours ago)
(HTM) web link (cast.ai)
| jabroni_salad wrote:
| On my end the growingest vector is audit remediation. Your cyber
| insurance providers have noticed that you constructed your
| environments out of swiss cheese and are now mandating actual
| pentesting and practical demonstrations of your fixes if you want
| to maintain your policy. Those self service checklists seem to be
| going away.
|
| gotta say, audit remediation is a pretty chill field to be in as
| well. The recent round of 'hackers don't sleep for the holidays'
| articles made me feel glad to get out of the incident response
| game.
| SandwichTeeth wrote:
| Doing incident response was the most stressful job I've ever
| had. I left it to do security engineering and don't miss it in
| the slightest. So many nights and weekends blown on calls with
| lawyers, executives, etc.
| ethbr0 wrote:
| It's insane they wrote policies without this as an expectation.
|
| I mean, you _could_ write a policy that's essentially
| LifeLock's "What are the odds someone will actually notice
| you?" priced, but I feel like market forces would have resulted
| in drastically under-pricing those premiums (to get sales).
| Mountain_Skies wrote:
| Self-certification has been a big thing over the past few
| years. It doesn't make much sense to me unless insurers are
| planning on rejecting claims when previous self-certification
| claims can't be verified.
| wilkommen wrote:
| What company do you work for (if you don't mind being asked)?
| I'm curious about audit remediation, it sounds like a field I
| might be interested in. I'm currently in an SRE role.
| deletriusotis wrote:
| 2022 seems to be really intense and interesting
| Syonyk wrote:
| They just so happen to see a lot of challenges that their
| software is well suited to resolve... no surprises there.
|
| My predictions for 2022: An awful lot of work to be had before
| you go insane.
|
| I'd expect the trends of "massive complexity causing problems
| solved by more complexity" to continue, because that's
| _literally_ the only thing the hardware and software industry
| seems capable of doing anymore. Stacks of complexity that then
| require more complex hardware to run, and the cycle continues.
| _Nobody_ understands the whole stack anymore, except perhaps the
| malware authors who freely move up and down the stack to
| accomplish their goals. Those writing the software and,
| theoretically, auditing the software don't seem capable of
| finding badness hidden in it - and decades of experience says,
| "Humans can't find suitably stealthy badness hidden in software,
| intentional or not." Look at how long some of the really nasty
| bugs have been floating around (exploited or not, we don't know)
| before someone finally got around to noticing them. I mean, _how
| long_ was Debian only generating one of 32k SSH keys?
|
| I don't see a good path forward for "connected, computer based,
| all the things." If we were willing to consider dumping, say, 80%
| of the features of modern computing, we could probably do a
| pretty good job securing the other 20% (the commonly used ones).
| But at too many places, payment and promotion is for features,
| not bugfixes, not security patches. So new features just keep
| getting released, old stuff gets abandoned, and the cycle of
| promotion goes on. The incentives are simply wrong to create
| anything faintly resembling secure software.
|
| And I expect a continuing wave of people who've been doing
| security for 20-30 years just... quietly retiring to a life of
| not much consumer tech. The joke in my circles is that we'll be
| goat or llama farmers, and I'm not sure it's too far from the
| truth. I expect a large collection, in decades to come, of "You
| clearly enjoy this farming thing, I don't think you care a bit
| about making money, and why is the most advanced bit of
| technology on this place a couple Arduinos?" You'll find them run
| by former low level security types.
|
| I don't know how much runway is left in the current trends of
| tech, consumer and enterprise, but we're clearly at a point where
| _nobody_ can reason about the stuff anymore, and even if you're
| using all the patches, all the best practices... you can still
| have your whole company shut down by ransomware and such. It's
| less likely, but still far from impossible, when we see things
| like former NSA 0days used to deploy ransomware. Pretty hard to
| defend against 0days.
|
| Were I to do a business these days, I'd probably take a serious
| look at doing things like "Training employees on Qubes" (and
| buying hardware that can run it). You may not be able to make
| things impossible for an attacker, but you can sure make them
| want to go somewhere else for easier pickings (if they're not
| targeting you, specifically - if they are, you're probably
| screwed). The whole "Giant Windows Domain" thing repeatedly
| proves impossible to secure in practice.
|
| Or maybe just go back to typewriters and a good secretary or two.
| mrweasel wrote:
| Thank you, I wouldn't say I enjoyed it, because that is a dark
| future you're painting. The point on complexity is spot on with
| the trends I'm seeing.
|
| Simple projects are increasingly solved by systems growing in
| layers and complexity, all in the name of making things easier
| to the developers who sit at the tips of the complexity and
| do see the horrors of the lower layers, and to pump out an
| ever growing bundle of features that shouldn't be. We write
| more and more code, to avoid changing broken procedures. A
| broken world is painted over with shiny code, which few truly
| understand, all because we don't want to fix the underlying
| problems.
| Syonyk wrote:
| > _... because that is a dark future you're painting._
|
| I'd argue, but I can't...
|
| When a basic "cross platform application" now has 1-1.5GB of
| build directory for all the 50,000 nested Node dependencies
| that allow you to not have to write your own left pad, you
| can't know what most of the code is. It's simply not
| possible.
|
| Windows 95 was about 50MB installed. A modern _chat client_
| is a couple hundred meg, because it's a web app, carrying
| its own browser around, running in Javascript, and... etc. A
| quad core 1.5GHz CPU will struggle with it (source: I run
| Rpi4s for desktops and Element really, really tends to lag on
| text input if you type fast).
|
| I don't see how it gets better when these are the trends. New
| frameworks, new libraries, new UI toolkits, more complexity,
| less understanding, and ever new and shiny security bugs.
|
| But those bugs aren't a problem, because nobody is punished
| for them. Whoopsie daisy, _giggle_, my logging function
| allows for remote code execution! I'm not saying that
| individuals should be jailed for bad code, but if you're a
| company and you ship a product, "Oh, well, that open source
| part we used was bad..." shouldn't be a good excuse for why
| someone with your product installed can be pwned from across
| the internet.
|
| Yes, that implies lower complexity of software, and, yes,
| that's my exact point.
|
| I use a computer in 2021 for a lot of the same stuff I used a
| computer for in 1997. Writing documents, writing code,
| chatting with people, visiting websites, sharing photos,
| editing photos, etc. The difference is that now I need a
| 6-core processor and 32GB of RAM to do it sanely, when I
| could do roughly the same stuff in 1997 on about 32MB of RAM
| and a single processor, running at sub-100MHz.
|
| I don't see a good path forward regarding computer security,
| which is part of why I've been starting to use computers less
| and less, and finding other ways to accomplish things that
| aren't internet-vulnerable-to-everything. I just don't see a
| way out when all the incentives are wrong.
| phyalow wrote:
| Very thoughtful comment thanks.
|
| > Or maybe just go back to typewriters and a good secretary or
| > two.
|
| https://www.theguardian.com/world/2013/jul/11/russia-reverts...
| 1cvmask wrote:
| The importance of the pervasive use of stronger multi-factor
| authentication and a good patching policy to mitigate against the
| vast majority of current and emerging risks.
| throwoutway wrote:
| This just seems like a rehash of old themes and a bit of
| blogspam. Is there an original idea in here?
| sys_64738 wrote:
| Ransomware is the biggest nightmare I'm seeing. Everything
| connected to a company network is having to be audited for
| patches and approved OS installs. IT needs to have root access to
| every system. Any system not approved to be networked will be
| isolated at the switch to knock off the network and that team's
| other IT systems will be knocked off too.
|
| Security just went least privilege for network access where I
| work.
|
| This is especially prevalent to VMs and containers. Anything with
| an IP address is being audited. Anything.
| legulere wrote:
| IT having root access to every system is how every system was
| infected at the company I'm currently working for. And they're
| not learning from it.
| antaviana wrote:
| Ransomware has found a business model greatly thanks to
| cryptocurrency which has removed a lot of friction in the
| payment process.
|
| You do not have to leave a paper bag full of cash in the
| park anymore to get your files unencrypted.
|
| A healthy business model helps to attract talent into the
| ransomware business, which improves the time-to-market of
| exploits.
|
| All this helps to increase the need for security and business
| continuity investments so for 2022 I anticipate healthy growth
| of that industry.
|
| IMHO, Bitcoin's role is not really a mere store of value with
| built-in inflation protection. Bitcoin is also an enabler for
| strong growth in the information security industry.
| TriNetra wrote:
| These things are part of the basic tenets [0] of the NIST's
| Zero Trust Architecture [1], which has become an important
| cybersecurity target for enterprises.
|
| 0: https://aspsecuritykit.net/blog/7-tenets-of-nist-zero-trust-...
| 1: https://csrc.nist.gov/publications/detail/sp/800-207/final
| blowski wrote:
| My experience is companies treating security as if it were a
| competition where having more "security points" than the
| hacker means you can't be hacked. Which leads to bizarrely
| wrong trade-offs like "we don't need passwords on the prod
| database because it's only accessible through the private
| network". Even worse is "we're on AWS so we have Amazon-level
| security".
| TriNetra wrote:
| That's actually anti-ZT practice, which clearly requires
| that you put the maximum security controls you can in place
| to protect every resource. Especially, do not assume trust
| based on network location/perimeter; that is the very first
| tenet. But yeah, security in many orgs (regardless of the
| size) is another item to be ticked, and thus a false sense
| of security prevails until an incident happens.
|
| Eventually, only those orgs that are able to defend their
| resources in the increasingly hostile online environment
| with state-backed attackers will survive and thrive.
|
| Whether this defense comes from individual organizations or
| their state, or a combination of both, that's something to
| be seen in the next 5 to 10 years.
| 3pt14159 wrote:
| Good. We're finally, FINALLY getting some pressure to fix all
| these broken systems. I was literally losing sleep over some of
| the crazy shit I saw. It's still a tire fire, but at the very
| least there is some movement to fix it.
| Zababa wrote:
| I don't know much about computer security. Is this a domain
| where you can fix something that was broken and be okay, or
| is this a constant race between attackers and defenders? If
| it's the first, more pressure is great. If it's the second,
| it's a bit depressing to spend even more time and energy on a
| zero sum game.
| aerostable_slug wrote:
| It is a constant arms race that the defender is nearly
| guaranteed to lose (for a variety of reasons). This is why
| resilience is incredibly important.
|
| Unfortunately, too often we see M&M security -- hard
| crunchy shell exterior, but once you're in it's delicious
| sweet chocolate that the business is unprepared for the
| attacker to start eating.
| unethical_ban wrote:
| I'll miss the good old days where our lab environment was
| never looked at by security or IT.
|
| I was a firewall admin at a F100 bank and we had some Linux
| servers we used to do automation against our production
| firewall systems. We did some of the best, most secure work
| we ever did because we had access to scripting systems and
| Python. We built a host of auditing, ops, and secure
| automation and cleanup tools. It took months if not literally
| a year or more to convince all the right "stakeholders" that
| we need a prod server for such a purpose. Same reason we used
| Bottle.py for our web GUI: We didn't have to install it; it
| ran on system Python install.
|
| I also remember standing up Dokuwiki because our company was
| two years away from deploying Confluence (puke), and remember
| setting up Gitlab in a lab environment two years before we
| got Gitlab, because we only had... some IBM version control,
| all the tooling and regs around it were built around
| enterprise product development, not backend.
|
| In other words, shadow IT led us to be a more secure
| organization. It seems IT in the 2020s is getting a clue when
| it comes to deployment, and now that _they_ have automated
| everything from deploy to scan, it isn't such a huge ask to
| get a Linux server with which to program. Maybe shadow IT
| won't be needed anymore.
|
| Then again, perfect enforcement of laws is a dangerous thing
| in society. Maybe too in cyber?
| mrweasel wrote:
| A lot of people don't understand how much cruft is in IT.
| While I doubt it, my hope for the new year is that business
| will slow down and shift focus. Rather than building ever
| more complex systems, for whatever reason, perhaps we can now
| focus on simpler and more secure solutions.
|
| The collective memory of our industry is shockingly short. If
| Log4J has taught me anything it is that the old meme: "LOL;
| It OPSs problem now" is very much still all too real.
| formerly_proven wrote:
| > Everything connected to a company network is having to be
| audited for patches and approved OS installs. IT needs to have
| root access to every system. Any system not approved to be
| networked will be isolated at the switch to knock off the
| network and that team's other IT systems will be knocked off
| too.
|
| It's not _wrong_ to do any of this (it seems to be the norm,
| actually) but doing NAC kinda implies you're thinking of your
| intranet as some kind of perimeter to secure which is
| ultimately not that helpful and makes people lazy and
| complacent because "our service is just on the secure network,
| amirite?".
| orev wrote:
| One can make an argument like this about anything, and it's
| just a defeatist attitude. Why bother to do anything then?
|
| The reality is that security should be done in layers, and
| this is an important layer. The handwavy "and then it causes
| everyone to become incompetent" type of argument is really
| just nonsense that needs to go away.
| legulere wrote:
| Not necessarily. Your security model should be that any
| computer on your network could be infected. It's very
| likely to happen and if there's any flaw that allows
| infection it's not your whole network that gets
| compromised.
___________________________________________________________________
(page generated 2021-12-29 23:01 UTC)