Creating protection from cyber attacks in a virtual world
Research by McAfee discovered that 81% of global organisations experienced increased cyber threats during the Covid-19 pandemic. This threat has also extended to the public sector and has become a significant enough concern to prompt the UK government to launch the nation’s first-ever cybersecurity strategy to help protect public sector bodies from bad actors. A Cyber Coordination Centre is also being set up, with the aim of transforming the sharing of data and cyber intelligence.
Following major incidents such as the cyberattacks on SolarWinds and Microsoft Exchange Servers, the UK government is going further by taking steps to introduce new measures to enhance British business cybersecurity. Additionally, ransomware threats have affected critical national infrastructure, with a major example being the Colonial Pipeline attack in the United States.
With the immediate need to work virtually due to the pandemic, cybersecurity posture among organisations was truly tested and prompted businesses to step up their cyber strategies, such as code-level software security. Measurable security awareness and the adoption of a preventative mindset are now crucial, and there are several emerging technology areas that cybercriminals are now starting to target.
The metaverse threat
The metaverse may well be the exciting future evolution of the internet, based in persistent, shared virtual worlds in which people interact as 3D avatars. However, a similar transformation is yet to materialise in the way most industries approach securing software and digital environments.
Infrastructure and devices around these new immersive virtual worlds will need to be made secure. Virtual reality (VR) headsets are the new gateway to huge mountains of user data. Complex embedded systems security is required to make Internet of Things (IoT) gadgets safe, and the brave new world of mainstream VR and augmented reality (AR) is no exception. As with the Log4Shell exploit, simple errors at the code level can bloom into a backstage pass for cybercriminals, and in a simulated reality, every movement creates data that can be stolen.
With the metaverse in its early stages, its success will hinge on the practical adoption of cryptocurrency. Non-fungible tokens, known as NFTs, mean our real-life wealth, identity, data, and livelihoods are potentially opened up to a new “Wild West” that can put people at risk. Minimising this new, vast attack surface from the ground up should be a priority.
The Log4j attack
The zero-day attack on the Log4j logging tool was reported to be among the worst on record, with comparisons made to the devastating Heartbleed OpenSSL vulnerability that is still being exploited over six years later. The aftermath of Log4Shell is also likely to last for a long time. The lesson is that many organisations just don’t act swiftly enough to protect themselves. Depending on their size, patching can be incredibly difficult and bureaucratic, requiring cross-department documentation and implementation. Quite often, IT departments and developers don’t have an encyclopaedic knowledge of all libraries, components, and tools in use, and are hamstrung by strict deployment schedules to minimise disruption and application downtime.
While there are already patch management mandates and recommendations in some critical industries, widespread legislation is another story. Preventative software security will always be the best chance to avoid urgent security patching altogether, but best practices dictate that patching is non-negotiable and should be a priority measure. This will be a hot topic, and lead to not-so-subtle recommendations to patch quickly and often.
Focus needs to be placed on architectural security
The recent Open Web Application Security Project (OWASP) Top 10 report included significant changes: new categories were added, and injection vulnerabilities fell from first to third place. The new additions reflect a new stage of a developer’s journey in secure coding and security best practices, but most developers unfortunately remain unequipped to reduce risk due to a lack of appropriate training.
Developers need to be fully skilled in security to battle against common code security bugs. More businesses are taking this challenge on with developer-driven prevention. Despite this, Insecure Design, otherwise expressed as “missing or ineffective control design,” is in the OWASP Top 10 and is characterised by architectural security issues rather than a specific security bug. Developers will need to be encouraged to go beyond the basics once they’ve mastered them.
It’s vital that developers are informed about threat modelling, and the security team should also be supporting them, which will help to take the pressure off once developers are skilled in this area. As it stands, however, it’s still a knowledge gap for software engineers. The onus is on the rest of the organisation to help create a positive security culture for developers.