File photo: A person at a workplace. — SignVideo, London, U.K. (CC BY-SA 4.0)
To gain an insight into some of the challenges that business may face early into 2022, Digital Journal caught up with Matt Sanders, Director of Security at the consultants LogRhythm.
The main concern that Sanders’s expresses relates to open source software. This refers to computer software that is released under a license. Under terms, the copyright holder grants users the rights to use, study, change, and distribute the software and its source code to organizations for whichever purpose they choose. While this creates a flexible working model, it means that such software is more prone to having weaknesses and more open to different forms of attack.
This means that each component selected by a firm to work with must offer both functionality and it needs to be secure. A further risk arises through the companies that produce the software having business models focused on delivering new updates with new features for end users. Whilst extra functionality is invariably of interest, each update throws up the possibility of a new threat.
However, this is not to say all open source software is bad and there are security advantages too. Open source projects are often more flexible and can fix vulnerabilities and release patches and new versions much faster than with larger-scale or bespoke commercial software.
Indeed, Sanders says we can expect something on a bug scale, predicting: “There will be a successful large-scale attack delivered through open-source software.”
Open source vulnerabilities include weak or vulnerable code that enables attackers to conduct malicious attacks or to perform unintended actions that are not authorized. One common tactic is to use vulnerabilities in order to launch denial of service operations against businesses.
As to why this is likely to be the case, Sanders explores the context that the business world faces, noting: “Malicious actors have repeatedly demonstrated their technological aptitude at infiltrating and compromising organizations. Those same skills will be increasingly applied to the open-source software ecosystem (which welcomes all contributors), where attackers can intentionally introduce vulnerable code to widely used open-source software components.”
The vulnerability creates a situation that increases the risk that business need to contend with, as Sanders points out: “This would allow cybercriminals to exploit vulnerabilities on a massive scale, targeting companies that have built products using open-source technology without reviewing the code before copying and pasting it into their platforms.”
More concerningly is the likely success of these malicious activities. Sanders points out: “Such attacks can be extremely difficult to detect. It is likely that several instances of such attacks are already present in widely used open-source software today, which may be found in the year to come.”