Newsletter

01.04.2022 | 7 min read

Some not-so-dire 2022 cybersecurity predictions

by Ryan Naraine

* The most clicked link from the last issue was Yael Grauer’s Consumer Reports review of the security and privacy of consumer VPN products. Many of you also read VPNs and targeted espionage concerns.

Note.

Monday blues.

Calling attention to an odd thing that flew under the radar this week: CrowdStrike officially moved its “principal executive office” from Silicon Valley (Sunnyvale, California) to Austin, Texas. The company gave no reason for the switch and used a simple statement to point out that official corporate addresses will soon be obsolete in a remote-first world.

CrowdStrike says: “While the traditional notion of a singular headquarters is not required and may become obsolete altogether in today’s transforming world, the Securities and Exchange Commission requires us to designate a principal executive office. Today, CrowdStrike Holdings is designating Austin, Texas as our principal executive office.”

I’m reliably told these moves (more of these announcements are likely) are closely linked to Assembly Bill No. 979, a California law that requires publicly traded California companies to diversify their boards with the addition of directors from “underrepresented communities” by December 31, 2021.

The law requires (see coverage): “No later than the close of the 2021 calendar year, a publicly held domestic or foreign corporation whose principal executive offices, according to the corporation’s SEC 10-K form, are located in California shall have a minimum of one director from an underrepresented community on its board.”

According to AB-979, “Director from an underrepresented community” means an individual who self-identifies as Black, African American, Hispanic, Latino, Asian, Pacific Islander, Native American, Native Hawaiian, or Alaska Native, or who self-identifies as gay, lesbian, bisexual, or transgender.

Interestingly, CrowdStrike appears to be in compliance, at least until the end of this year when the law will become even stricter on diversity mandates. CrowdStrike’s nine-person board of directors currently includes two women and at least one director who fits the definition of being from an underrepresented community.

Here’s a related gem of a find: Coinbase says it has no corporate address at all: “[W]e [are] a remote-first company. Accordingly, we do not maintain a headquarters.”

I wish you all a pleasant new year and I hope you’re as happy as me about RSA Conference being pushed back to June.

Cheers,

_ryan

On to the newsletter…


Sponsored: Symmetry DataGuard
Installed as a read-only service into your sealed environment, Symmetry DataGuard learns data objects from SQL, NoSQL, and object stores and constructs a large access control graph of all principals and objects in the system. DataGuard provides a risk assessment of all data stores down to unique objects and alerts with evidence-based notifications during operations. Schedule a demo.

New podcasts.

Two new episodes of the show have been pushed to your podcast software thingies:

Coming up next: An interview with Egress CEO Tony Pepper on the email security market and running a global business during an extended pandemic.

My cybersecurity predictions for 2022.

It won’t be a new year’s edition without the good old cybersecurity predictions. I actually put some thought into what I think will be the big stories this year. They include:

  1. Ransomware is mostly solved (politicians will make deals) but APT actors will continue to blur the line between cyberespionage and financially motivated crime.
  2. Supply chain mega-hacks will explode as cybercriminals will join the nation-state APT operators in the supply chain malware free-for-all. It will be a long, painful slog with no clear solution in sight.
  3. The exposé of the ugly hacker-for-hire industry will snare a few surprising U.S. companies and will lead to robust debates over blacklisting certain researchers.
  4. China will use hacking competitions like the Tianfu Cup as a kind of military display of Chinese hacking capabilities.
  5. By the end of this year, every major APT toolkit will include UEFI/firmware implantation capabilities, forcing a major revamp of anti-malware defenses. The firmware security problem will explode alongside impossible-to-detect supply chain hacks.

Read more of my thinking into these predictions and some additional ones from the SecurityWeek editorial team.

The Log4j urgency is very real.

One month in, here’s Microsoft on the current status of the Log4j crisis. It’s not very good :(. I’ve underlined the main takeaways.

Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities.

Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations may not realize their environments may already be compromised. At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.

The urgency is real. I recommend the use of this CISA scanner to help find vulnerable Log4j installations.

Vox populi.
  • Google Cloud security chief Phil Venables on the concept of obviousness and CISOs overlooking the simple.
  • Netflix technical engineers document SNARE, a Detection, Enrichment, and Response platform for handling cloud security related findings at Netflix.
  • A telling interview with Palo Alto founder Nir Zuk on the crazy valuations for cybersecurity startups. The money quote: “I don’t believe that a company that sells for $20 million is worth $6 billion. I don’t know how it happens. If there are investors who are willing to do it, please. The world is a little crazy right now. You don’t even need a business plan. A big dream and hope are enough. That is why the end will be the same as it was in the 1990s.”

Research deep-dives.

Hardware/firmware security.

Hall-of-famer Dan Kaminsky

Tangentially.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.