Last updated at Tue, 27 Dec 2022 18:49:16 GMT

It's the holiday season when children all over the world cross their fingers in the hope that they don't end up on a certain red-clad big man's naughty list. Turns out, we at Rapid7 have a similar tradition, only we're the ones making the list and there's a whole lotta naughty going on (not like that, get your heads out of the gutter).

We've asked a few of our experts to share what in cybersecurity deserves to be on the naughty list, and what needs to be on the nice list. Some of these represent personal gripes, others are industry-wide, and still others are specific to certain aspects of what we do all day.

Obviously, we all lived through the many levels of Shell this year so we are taking that as the quintessential 2022 naughty entry. These are a few others that you may or may not have been tracking, but are worth thinking about as we put this year to bed.

Here, without further fan fare, is our non-exhaustive, thoroughly delightful, slightly deranged, 2022 Cybersecurity Naughty and Nice List. Enjoy.

The Naughty List

Virtual Private Nopes: I try, really hard, to take a charitable read on people's motivations. So, normally, it takes a lot to get on my bad side. That said: I nominate the entire consumer VPN industry for this year's Naughty List. This is based on a paper published by the University of Maryland titled, Investigating Influencer VPN Ads on YouTube, by Omer Akgul, Richard Roberts, Moses Namara, Dave Levin, and Michelle L. Mazurek.

Not to spoil the surprise, but the study shows that many consumer VPN influencer ads contain potentially misleading claims, including overpromises and exaggerations that could negatively influence viewers’ understanding of Internet safety. It also found that the ads’ presentation of information on complicated subjects of cryptography, networking, and cybersecurity in general is likely counterproductive and may make viewers resistant to learning true facts about these topics.

Naughty, naughty indeed. You can hear more about this on Security Nation, or if you're feeling particularly ironic, on YouTube. – Tod Beardsley, Director of Research

When IoT Products Attack: There is a never ending flood of cheap white labeled IoT goods available for consumers to purchase online. Many of these devices have little or no security. Worse, most of these products don’t even have vendors backing them when vulnerabilities are found. As a result, many of the issues will never be fixed.

As this pile of garbage continues to grow, it seems we are just forced to wait and anticipate another Mirai-style botnet (or worse) to emerge and create havoc. – Deral Heiland, Principal Security Researcher, IoT

Ambulance Chasing in the Wake of the Uber breach: It is critical for cybersecurity vendors to react to cybersecurity events as quickly as possible and often in as close to real-time as we can get. From a marketing standpoint, this can be an opportunity to impart a timely, relevant message that showcases a security product in a positive light.

There's nothing inherently wrong with that, but when vendors use it as an opportunity to tsk-tsk those who didn't use their product they come off as unhelpful at best, and dangerously boastful at worst.

The Uber breach that hit headlines earlier this year is a good example of this where some of the most vocal vendors were also shown to be unable to stop the breach. Everyone should be proud of their products and their capabilities, but let's stick to being helpful to the community rather than resorting to ambulance chasing and Monday morning quarterbacking. – Ryan Blanchard, Product Marketing Manager, InsightCloudSec

The Nice List

U.S. Government Agencies Pass New Cybersecurity Legislation: During 2022, the U.S. took some significant steps—in the form of regulation and legislation—to ensure proper disclosure of major cybersecurity incidents.

In March, President Biden signed new cybersecurity legislation mandating critical infrastructure operators report hacks to the Department of Homeland Security within 72 hours and within 24 hours of ransomware payments.

Additionally, the SEC voted to propose two new cybersecurity rules for publicly-traded companies. The first mandates reporting of material cybersecurity incidents in an 8-K form within four business days of the incident. The second requires companies disclose their policies for managing cybersecurity risks, including updates on previously reported material cybersecurity incidents.

In July, the House of Representatives passed two cybersecurity bills. The first requires the Federal Trade Commission to report cross-border complaints involving ransomware and other cybersecurity incidents. The second directs the Department of Energy to establish an energy cybersecurity university leadership program. – Ryan Blanchard, Product Marketing Manager, InsightCloudSec

Consumer Protections for IoT Devices: In October, the White House hosted a meeting with IoT industry leaders to start the process of developing an IoT Labeling system for consumers to help them identify products that meet a standard level of security.

Although this project will take time to complete, and the use of the labels will be voluntary for vendors, I do expect many vendors will embrace this labeling solution to help promote their products above their competitors. This project will be a major step forward for consumers, which will help them to make sound security decisions on what products to deploy in their homes. – Deral Heiland, Principal Security Researcher, IoT

Adventures in TOTP Token Extraction: I let backups for my phone lapse … for the entire pandemic. Oops. So, when my phone gave up the ghost, I lost the primary authentication device for 2FA (in addition to countless photos of my wife and I playing board games during lockdown). Oh no!

I was using a cloud-based TOTP token manager and was still authenticated and logged in on my desktop. So, “no problem,” says I, “I can just use the web UI to export these tokens to the new phone!” Well, not so fast—it turns out that it is super hard to grab these tokens and port them around. Which is infuriating.

Thankfully, Guillaume Boudreau published a completely hacky method to extract those TOTP tokens, which is totally nuts and also totally works. Yay! – Tod Beardsley, Director of Research, Rapid7

In Conclusion, We've Concluded

So, there you have it. A bit of naughty, a touch of nice, something about TOTP tokens, this blog post has it all. Thank you from the entire Rapid7 team for being with us throughout this wild year!