The pandemic, the economic upheaval that came with it, the war between Russia and Ukraine, and other events of 2021-2022 have accelerated technological change, including large-scale shifts towards cloud and edge systems. Long-established companies are reshaping their business models into completely contactless online services. According to Radware's "The State of Web Application and API Protection" report, 70% of production web applications now run in the cloud. Moving workloads to the cloud and the edge at scale creates new opportunities for attackers. In this article, we will talk about the most common vulnerabilities of 2022.
Annual losses from cybercrime worldwide already amount to trillions of dollars. The pandemic accelerated digital transformation and exacerbated the problem by exposing the weaknesses of IT systems. As a result, cybersecurity has become an economic factor that directly affects a company's profit. The scale of the problem keeps growing, and no organization can afford to leave cybersecurity risks unattended. Work in this direction, however, requires investment, process restructuring, and adaptation to new threats.
According to data from Cyber Polygon, classic attacks dominated in 2021: coronavirus-themed phishing sites, sales of supposedly genuine vaccination documents, fraudulent transactions with services, and advertising of schemes promising instant income. Such attacks accounted for more than 85% of the total. Approximately 10% of the attacks recorded in 2021 were ransomware targeting corporations; the best-known example is the attack on Colonial Pipeline, which shut down the largest fuel pipeline in the United States. The remaining attacks, no more than 5%, were targeted, extremely well organized, and aimed at government structures in different countries. They have not yet been fully investigated.
No one expected the cybersecurity industry to experience such chaos in 2021: record-breaking ransomware attacks, multiple supply chain compromises, data privacy battles, and endless leaks. A year earlier, all of this would have seemed too bold a scenario to be true. What awaits us next?
Government interest and influence in cybersecurity will grow. SolarWinds, the Colonial Pipeline attack, spyware, and privacy concerns have drawn the attention of governments worldwide to the industry. Experts agree that the coming year will be full of new rules and investments.
The US election drew attention to the spread of disinformation intended to influence its outcome, but after massive cyberattacks on critical infrastructure the focus has shifted to a new national security urgency. Researchers predict that these immediate cyber threats will remain the focus of government attention throughout 2022.
According to Jonathan Reiber, senior director of cybersecurity strategy and policy at AttackIQ, the US government is already actively working to strengthen the nation's cybersecurity. Zero Trust Architecture guidance will be rolled out and operational across all important government entities in the first half of 2022.
''As the federal government implements this practice, more private entities will follow suit by building higher walls around high-value assets,'' Reiber said.
According to Trevor Hughes, President and CEO of the International Association of Privacy Professionals (IAPP), both state and national laws protecting consumer privacy are expected in 2022. He believes private companies will continue to use privacy to build trust and attract customers, but will also use it as a weapon against competitors that lag behind on privacy.
Nothing will change here: in 2022 people will still be people, which means they will keep making mistakes regardless of the consequences for their organizations' security. Cybercriminals will continue to rely on them to make social engineering scams work.
Mike Wiacek of Stairwell says that social engineering will not give up its position in the new year. It is one of the hardest security problems because no security control can change the fact that people are imperfect and can be deceived. During the workday, otherwise serious people can be remarkably careless, and that is unlikely to change anytime soon. Did Mike really pick up the flash drive in the parking lot and plug it into his corporate laptop? Did Alan really believe he could get a free Rolex by clicking the link? Cybersecurity is everyone's responsibility, but only a few understand the damage their individual actions can cause.
In addition to the widely recommended user education, Wiacek suggests that cybersecurity professionals change their approach to internal communication in 2022. In his opinion, security teams should interact directly with their colleagues and be easily accessible. We need to stop carrying the image of strict colleagues who always say ''no.'' Building a strong security culture requires working on trust and good relationships. Winning employees over is the main task, even if it's Joe from accounting whom you don't really like.
The presentation of information should also be simplified. Instead of ''gamifying,'' try talking to people in their own language and presenting everything in a format they are used to, such as humorous videos. Whatever the cybersecurity professional wants to convey to employees should look and feel like the content they choose to consume on apps like Facebook, TikTok, Instagram, and YouTube.
Ian McShane, CTO of Arctic Wolf, believes that this year the industry will begin to change its view of ransomware and understand that the problem is not the ransomware itself but the entry point. The focus will shift to predicting and protecting the first line of attack, using data science to model scenarios that can reveal potential weaknesses in the supply chain.
Supply chain ransomware is of particular concern because a single attack can affect hundreds or thousands of companies. According to Deepen Desai, CISO and VP of Security Research and Operations at Zscaler, the number of ransomware attacks on the supply chain will not decrease in the next 12 months either. According to Desai, attacks on technology companies increased by 2,300% in 2021. What 2022 will bring is scary to imagine.
Experts even suggest introducing small rewards for users who follow good security practice. Rewards can encourage them to pay more attention to detail and avoid the mistakes that cost companies dearly. These ordinary users are the ones who most often come into contact with common supply chain attack vectors.
According to Troy Gill, Senior Threat Intelligence Manager at Zix | App River, in 2022 email will increasingly be the target of well-crafted spear-phishing attempts, which requires a change in security tactics. Spear-phishing attacks are attacks in which cybercriminals personalize their emails for a specific recipient. In 2022, organizations will respond by prioritizing more specific email protections.
Ransomware-as-a-service (RaaS) has helped turn digital ransomware into a thriving business, and 2022 is likely to be another big year for hackers.
Alas, the RaaS model will remain popular, as it has proven an incredibly effective way to maximize profits. An increased government presence in protecting critical infrastructure will push hacker groups to use ransomware against small and medium-sized enterprises, which attract less attention while still meeting their goals. Insufficient funding and staff indifference in small and medium-sized companies only fuel hackers' interest.
As the evolution of malware-as-a-service and phishing-as-a-service shows, hackers are ready to join forces for mutual gain. In 2022, we will see cybercriminals form even stronger working relationships that strengthen the criminal market.
According to Ian McShane, as far as the cybersecurity community is concerned, there is a lot of work to be done to strengthen the entire ecosystem. This means that large companies must share tools and talent with small and medium-sized enterprises that do not have the resources to protect themselves.
In his view, the industry must work to democratize security, especially as talent shortages and staff retention continue to drain teams. Digital transformation and the expansion of technology have created great opportunities for attackers, and securing the entire supply chain is the only way to protect us all.
This classification is somewhat arbitrary, but it reflects the levels at which cybercriminals operate.
The first level includes hackers with basic training. They often work alone or in small groups. They mainly target companies with weak protection, encrypt data, demand a ransom, and sell information on the dark web. Their financial resources are limited.
The second level prefers to work to order, looking for an opportunity to break in. They carry out thorough preliminary reconnaissance, including searching for company employees willing to hand over data for a fee. They are very well equipped technically, with exclusive toolkits developed covertly. Their main goals are to halt the company's operations, conduct industrial espionage, steal the confidential data of top managers, and damage reputations. They have the financial resources to carry out attacks.
The third level's qualifications are practically on par with state intelligence services. They work very secretly, use the most advanced anonymity technologies, and develop highly sophisticated data theft tools that bypass standard monitoring systems. Their goal is to destroy corporate infrastructure, gain control over critical information infrastructure (CII), and obtain strategically important information. Their level is so high that only intelligence services working together can cope with them.
Some of these groups are supported by states (PRC, DPRK, RF) that provide appropriate cover. Sometimes intelligence services themselves hire them to attack government sites and infrastructure. In effect, such groups have become corporations with all the tools and financial resources for large-scale attacks on any company or country.
During the discussions, the SOS forum and Cyber Polygon participants noted several critical issues that companies and government authorities have not yet resolved. Several of them map directly onto the OWASP Top 10 2021 categories discussed below.
Access control enforces policy so that users cannot act outside their intended permissions. Failures typically lead to unauthorized disclosure of information, modification or destruction of data, or performing a business function outside the user's limits. Common access control vulnerabilities include violating the principle of least privilege or deny by default, bypassing checks by modifying the URL or a request parameter, and viewing or editing another user's record by supplying its identifier (insecure direct object reference).
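As an added example, not taken from the article or from OWASP, here is a minimal order-lookup function in Python in its vulnerable form (the record is fetched by whatever id the client supplies, an insecure direct object reference) beside a hardened version that denies by default, authorizes on the server side, and logs refusals. The orders, user names and roles are constructed sample data for the example.

```python
import logging
from dataclasses import dataclass
from typing import List, Optional, Tuple

logging.basicConfig(level=logging.WARNING)


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float


# Constructed sample data for the example; not from a real system.
ORDERS = {
    1001: Order(1001, "alice", 42.50),
    1002: Order(1002, "bob", 17.00),
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "support"}

DENIALS: List[Tuple[str, int]] = []   # audit trail of refused requests


def get_order_insecure(requester: str, order_id: int) -> Optional[Order]:
    """Vulnerable: the requester is authenticated, but nothing checks that the
    order belongs to them, so any logged-in user can read any order simply by
    changing the id in the URL (insecure direct object reference)."""
    return ORDERS.get(order_id)


def get_order_secure(requester: str, order_id: int) -> Optional[Order]:
    """Hardened: deny by default, decide on the server, record every denial."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    role = ROLES.get(requester)            # unknown users get no role at all
    if order.owner == requester or role == "support":
        return order
    # Same response as "not found", so the endpoint cannot be used to
    # enumerate which order ids exist.
    DENIALS.append((requester, order_id))
    logging.warning("access denied: user=%s order=%s", requester, order_id)
    return None


def list_orders(requester: str) -> List[Order]:
    """Listings are filtered by owner on the server, never by a client flag."""
    if ROLES.get(requester) == "support":
        return list(ORDERS.values())
    return [o for o in ORDERS.values() if o.owner == requester]


if __name__ == "__main__":
    print("insecure:", get_order_insecure("bob", 1001))   # bob reads alice's order
    print("secure:  ", get_order_secure("bob", 1001))     # None, and the denial is logged
```

The denial log is the detection side of the same control: a burst of denials from one account walking through sequential ids is exactly the enumeration pattern an IDOR hunter produces.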
Cryptographic Failures was called Sensitive Data Exposure in the 2017 OWASP Top 10. If you look closely, ''Sensitive Data Exposure'' is actually a symptom, not the root cause.
Sensitive data can be exposed in many ways, but the description of this category makes it clear that the underlying problem is cryptography implemented incorrectly, or not used at all. OWASP did a good job here by naming the root cause instead of the symptom, a step in the right direction; the old name was at best confusing.
Some of the problems that fall under this category are transmitting data in clear text, using weak or deprecated algorithms such as MD5 or SHA-1, hard-coded or default keys, password hashes stored without a salt or with a fast hash, and insufficient randomness where unpredictability is required.
But I hope you get the basic idea: if you mess up the cryptography, or don't use it at all, you've left an open door leading to this vulnerability!
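To make the password-storage case concrete, here is an added example in Python (not code from the article): the weak form is a fast, unsalted MD5 digest, which gives identical output for identical passwords and is trivially attacked with precomputed tables; the hardened form is salted PBKDF2-HMAC-SHA256 from the standard library with a constant-time comparison and a self-describing stored format so the cost can be raised later. The storage string layout and the `needs_rehash` policy are this example's own conventions, not a standard.

```python
import hashlib
import hmac
import os

# OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password_weak(password: str) -> str:
    """Cryptographic failure: fast, unsalted MD5. Two users with the same
    password get the same digest, so one precomputed table cracks them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256. The stored string carries
    its own parameters, so they can be raised later without a migration."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)            # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False                              # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not stop at the first differing byte, so the
    # comparison time leaks nothing about how much of the hash matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str) -> bool:
    """True if the record uses fewer iterations than current policy. Call it
    after a successful login, while the plaintext is available, and re-hash."""
    parts = stored.split("$")
    return (len(parts) != 4 or parts[0] != "pbkdf2_sha256"
            or int(parts[1]) < PBKDF2_ITERATIONS)


if __name__ == "__main__":
    print("weak, same for everyone:", hash_password_weak("hunter2") == hash_password_weak("hunter2"))
    record = hash_password("hunter2")
    print("salted record:", record)
    print("verify:", verify_password("hunter2", record), verify_password("wrong", record))
```

If your platform's OpenSSL exposes `hashlib.scrypt`, or a library such as argon2-cffi is available, prefer those memory-hard functions; the verify-and-rehash flow stays the same.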
SQL injection is currently not only a widespread vulnerability but also one of the most dangerous, according to the OWASP Top 10 Application Security Risks 2021, where it falls under the Injection category.
The essence of the vulnerability is that an attacker can make your application execute an arbitrary query against the database. The query can do anything: read, write, modify, or delete any records. Sounds catastrophic, doesn't it? But it is not limited to that, since under certain circumstances the attacker can read or write local files or even execute code. It all depends on the attacker's goals, the database in use, and how it is configured.
There are several types of SQL injection: in-band injection, where the result comes back in the application's own response (error-based and UNION-based); blind injection, where the attacker infers data from the application's behavior (boolean-based and time-based); and out-of-band injection, where the database is made to send data over a separate channel such as DNS or HTTP.
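As an added example (not from the article), the following Python code builds an in-memory SQLite database with constructed rows and shows a login query in its injectable form, built by string formatting, next to the parameterized form. It also covers the case parameters cannot fix: a column name used in ORDER BY, which must be validated against an allow-list instead. Passwords are stored in clear text here only to keep the example short.

```python
import sqlite3
from typing import List, Tuple

ALLOWED_SORT_COLUMNS = {"username", "role"}


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Vulnerable: user input is pasted into the SQL text, so a quote or a
    comment marker in the input changes the structure of the query."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Hardened: placeholders send the values separately from the SQL text,
    so they are only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def list_users(conn: sqlite3.Connection, sort_by: str) -> List[str]:
    """Identifiers (column and table names) cannot be bound as parameters.
    Validate them against an allow-list before interpolating into the SQL."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_by}").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    # Tautology in the password field: ... AND password = '' OR '1'='1'
    print(login_vulnerable(db, "", "' OR '1'='1"))        # every row comes back
    # Comment marker in the username: the password check is commented out
    print(login_vulnerable(db, "alice'--", "wrong"))      # alice without her password
    print(login_parameterized(db, "", "' OR '1'='1"))     # []
    print(login_parameterized(db, "alice", "s3cret"))     # only a real login succeeds
```

Note that `sqlite3.Connection.execute` refuses to run more than one statement, so stacked-query payloads such as `'; DROP TABLE users--` fail here; many other drivers accept them, so never rely on that behaviour as a defense.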
Insecure Design is a new category for 2021 that focuses on risks related to design flaws. It is a broad category representing various weaknesses, expressed as ''missing or ineffective control design.'' Insecure design is not the source of all the other Top 10 risk categories.
There is a difference between an insecure design and an insecure implementation. We distinguish between design flaws and implementation defects for a specific reason; they have different root causes and solutions. A secure design can still have implementation flaws leading to exploitable vulnerabilities. An insecure design cannot be fixed by a perfect implementation because, by definition, the necessary security controls were never designed to protect against specific attacks. One factor that contributes to insecure design is the lack of profiling of the business risks inherent in the software or system being developed and, therefore, the inability to determine what level of security is required.
Security misconfiguration occurs when security settings are left at their defaults, or are defined, implemented, and maintained incorrectly. Good security requires a secure configuration to be defined and deployed for the application, web server, database server, and platform. It is equally important to keep the software up to date.
A related category, Vulnerable and Outdated Components, is ranked sixth in the 2021 Top 10; it ranked highly in the 2021 community survey and also has enough data to make the list on its own. It is a known issue that developers have difficulty testing and assessing for risk. It is the only category that has no Common Vulnerabilities and Exposures (CVEs) mapped to its included CWEs, so a default exploit and impact weight of 5.0 is factored into its score. Notable CWEs include CWE-1104: Use of Unmaintained Third-Party Components and the two CWEs carried over from the Top 10 of 2013 and 2017.
You are likely vulnerable if you do not know the versions of all the components you use, including nested dependencies, if the software is unsupported or out of date, or if you do not scan for vulnerabilities regularly and patch in a timely fashion.
The threat landscape is changing rapidly, with state-sponsored groups and professional criminals working in tandem to break systems apart. The 2021 rethinking of the threat model is a good step towards an equally evolving security practice, where the focus shifts from finding (and then mitigating) flaws to preventing them proactively through robust, secure product design, with equal attention to application security and to aligning secure design with software development.