Editor’s note: We had planned to publish our Hacky Holidays blog series throughout December 2021 – but then Log4Shell happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it’s 2022, we’re feeling in need of some holiday cheer, and we hope you’re still in the spirit of the season, too. Throughout January, we’ll be publishing Hacky Holidays content (with a few tweaks, of course) to give the new year a festive start. So, grab an eggnog latte, line up the carols on Spotify, and let’s pick up where we left off.
It's not just Santa who gets to have all the fun — we in the security community also love to make our lists and check them twice. That's why we asked some of our trusty cybersecurity go-to's who and what they'd place on their industry-specific naughty and nice lists, respectively, for 2021. Here's who the experts we talked to would like to give a super-stuffed stocking filled with tokens of gratitude — and who's getting a lump of coal.
The nice list
Call me boring, but I am pretty stoked about the Minimum Viable Security Product (MVSP), the vendor-neutral checklist for vetting third-party companies. It has questions like whether a vendor performs annual comprehensive penetration testing on systems, complies with local laws and regulations like GDPR, has implemented single sign-on, applies security patches on a frequent basis, maintains a list of sensitive data types that the application is expected to process, keeps an up-to-date data flow diagram indicating how sensitive data reaches the systems, and whether vendors have layered perimeter controls or entry and exit logs for physical security. Its success depends on people using it, and this industry tends to be allergic to checklists, but it strikes me as super important. - Fahmida Y. Rashid, award-winning infosec journalist
Editor's note: Check out our Security Nation podcast episode with Chris John Riley on his work helping develop MVSP.
All of the security researchers that have focused their research and efforts on identifying vulnerabilities and security issues within IoT technology over the last year. Their efforts have helped bring focus to these issues, which has led to improvements in products and processes in the IoT industry. - Deral Heiland, IoT Research Lead at Rapid7
Increased federal government focus on securing critical infrastructure. Examples: pipeline and rail cybersecurity directives, energy sector sprints, cybersecurity funding in the infrastructure package. - Harley Geiger, Senior Director of Public Policy at Rapid7
Huntress Labs and the Reddit r/msp board for their outstanding, tireless support for those responding to the Kaseya mass ransomware attack. While the attack was devastating, the community coalesced to help triage and recover, showing the power we have as defenders and protectors when we all work together. - Bob Rudis, Chief Security Data Scientist at Rapid7
The January 20th swearing-in of Biden is on the nice list, not because of who won but the fact that the election worked. We've talked an excessive amount about election security, but the reality is, there was no big deal. It was a largely unremarkable election even in the abnormal environments of the pandemic and the cyber. Election computers will continue to be wildly insecure, but since we've got paper trails, it won't really matter. - Rob Graham, CEO of Errata Security
The naughty list
The Colonial Pipeline and Kaseya attacks are far above any other "naughty" case. They affected millions of people around the world. However, like the big things from past years, I think it'll be solved by lots of small actions by individuals rather than some big Government or Corporation initiative. No big action was needed to solve NotPetya or Mirai; no big action will be needed here. Those threatened will steadily (albeit slowly) respond. - Rob Graham, CEO of Errata Security
Microsoft, bar none. They bungled the response to many in-year critical vulnerabilities, putting strain on already beaten-up teams of protectors and causing many organizations to suffer at the mercy of attackers. Everything from multiple, severe Exchange vulnerabilities, to unfixable print spooler flaws, to being the #1 cloud document service for hosting malicious content. - Bob Rudis, Chief Security Data Scientist at Rapid7
The whole Pegasus spyware saga from NSO Group is bad news start to finish, but the fact that the ruler of the United Arab Emirates used the spyware on his wife in a custody battle? That was just flabbergasting. We talk about stalkerware and other types of spyware — but when you have something like Pegasus just showing up on individual phones, that is downright frightening. - Fahmida Y. Rashid, award-winning infosec journalist
All manufacturers of IoT technology that have not heeded the warnings, taken advantage of the work done by IoT security researchers to improve their product security, or made efforts to build and improve their internal and external processes for reporting and remediating security vulnerabilities within their products. - Deral Heiland, IoT Research Lead at Rapid7
Apparent lack of urgency to provide support and phase in requirements for healthcare cybersecurity, despite ransomware proliferation during the pandemic. - Harley Geiger, Senior Director of Public Policy at Rapid7