A recently released strategy document from the White House called for stronger defenses against hackers working for criminal enterprises and nations such as Iran, North Korea, China, and Russia. In this document, the White House stated that threats targeting cybersecurity pose a risk to the stability of the United States. Countries such as Iran are boosting their offensive cybercapabilities and spreading their cyberterror around the world. Along with Iran, the U.S. has now also tagged other countries which are targeting U.S. infrastructures. In this day and age, regardless of whether it belongs to a governmental agency, corporation, or a private person, networks are constantly bombarded by cybercrooks who are trying to breach it.
For some time now, authorities have been worried that their critical infrastructure will be shut down or severely compromised. Some institutions experience thousands of attempted attacks on a daily basis by hackers, cybercriminals, and rival nations. According to the U.S. Department of Homeland Security, the following critical infrastructure sectors are especially at risk: chemicals, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waste, transformation systems, and water and waste systems.
As an example, the latest attack in January 2018 on the control systems of an industrial plant in the Middle East could signal the beginning of a new cybercrime and cyberwarfare wave systematically targeting critical infrastructure. In this documented attack, the attackers made use of Triton or Trisis malware, which exploits vulnerabilities and fail-safe mechanisms of industrial plants. The hackers were able gain access to some of the plant’s stations and safety control network by exploiting vulnerabilities in Schneider Electric’s Triconex Tricon safety system firmware. The hackers deployed a remote access Trojan to target the industrial control systems. The complex malware infection scenario was directed at breaching the plant’s Triconex Tricon safety shutdown system. If the breach had been successful, the hackers would have been able to sabotage the system in countless ways. Since the actual payload was not delivered, the true intent of the attack remains a mystery. However, the hackers went to a lot of trouble, getting in-depth knowledge of both Schneider products and their target industrial plant. They must have invested considerable time and resources in reverse-engineering Schneider code to find the vulnerabilities in the older 10.3 version of the Triconex firmware.
In its “Global Risks Report 2018,” the World Economic Forum pointed out that the use of cyberattacks to target critical infrastructure and strategic industrial sectors is a growing trend. This, of course, raises fears that in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning. To illustrate, the report mentioned that the WannaCry attack, which disrupted critical and strategic infrastructure across the world, including government ministries, railways, banks, telecommunications providers, energy companies, car manufacturers, and hospitals.
In the case of organizations dealing with critical infrastructure and systems, as well as governmental agencies and operators, there are several solutions that can assist chief information security officers (CISOs) with their IT networks security. They can deploy appropriate security technology and controls that would be aligned with standard requirements to keep information and infrastructure safe. For more than a decade, those methods included vulnerability scans and penetration tests. Later on, targeted simulated attacks performed by red teams manually were added to the security arsenal. Recently, a new method of security testing known as “breach and attack simulation” has been introduced.
Vulnerability scans are performed by an application (proprietary or open source) and check for vulnerabilities that are already known to vendors, integrators, security experts, or that have already been exploited by cyberattackers. The application scans for thousands of different security vulnerabilities in networks or host systems, such as software bugs, missing operating system patches, vulnerable services, insecure default configurations, and web application vulnerabilities. This is used to assist automating the security auditing process of an organization’s IT. Vulnerability scans can automate security auditing and can be a crucial part in the organization’s IT security, scanning networks and websites for thousands of different security risks. The resulting list of vulnerabilities to patch can be used to remediate them.
Manual penetration testing (or pen-testing) is conducted by human testers (in-house or outsourced to a third party) who try to evaluate the security of an organization’s infrastructure by safely exploiting vulnerabilities. Those vulnerabilities can be present in operating systems, services, or applications, as well as faulty configurations or risky end user behavior. In other words, the corporate network, applications, devices, and/or people are attacked to check if a hacker would be able to penetrate the organization. The tests also reveal how deep an attacker could penetrate and how much data could be stolen or exploited.
Targeted simulated attacks (also known as red teaming or attacker simulation) are gaining in popularity—and for good reason. Apart from identifying weakness in the organization’s security posture, it can also provide valuable insights about your organization’s capability to identify attacks in progress and remove them from the environment to take a proactive approach. The approach uses attacks for distinct adversary types and leverages this knowledge to identify promising combinations of information security controls through simulation optimization.
Breach and attack simulations (BAS) have presented a new option for targeted attack simulations that use a multi-vector approach. This particular platform for simulating targeted attacks is an effective way to measure an organization’s true preparedness to handle cybersecurity threats effectively. Using an offensive approach and defensive actions, BAS exposes critical vulnerabilities by simulating multi-vector cyberattacks from an attacker’s perspective. The key advantage of BAS technologies is the ability to run simulations on-demand or at regularly scheduled intervals which do not cause any business interruption. It immediately alerts IT and business stakeholders about existing gaps in the security posture or to validate that security infrastructure, configuration settings, and prevention technologies are operating as intended.
Even with the availability of these solutions, a worrying trend persists—a lack of skilled security professionals to make them work. There is a global shortage of security professionals that will reach 2 million by 2019 according to ISACA, a nonprofit information security advocacy group. Now you see organizations scramble to hire staff as quickly as possible, usually in desperation, often, compromising on quality. But when employees don’t have enough experience or even the right skills to perform tasks, the organization will remain vulnerable. This is on top of the pressures CISOs are under to comply with the rising tide of rules and regulations. There are a couple of ways for CISOs to go to find cybersecurity professionals to help them out.
- Look for professionals with skill sets other than the traditional tech background. By changing two key hiring requirements (tech background and previous experience in cybersecurity), a whole new talent pool opens up. As the ISACA report points out, 30% of cybersecurity professionals worldwide launched their cybersecurity career after holding a non-technical role such as in business, accounting, or marketing. Some organizations, such as IBM, opt for hiring and training professionals hailing from retail, education, entertainment, and law. However, this approach takes time—a luxury that organizations just don’t have considering the rising tide of cyberattacks using innovative and damaging attack strategies. Cybercriminals use botnets to launch attacks quickly and without the need for human intervention. Furthermore, there is plenty of research showing that cybersecurity professionals don’t have the time to continuously learn on the job although they know that it’s essential for mitigating cyberattacks.
- You can also opt for a managed security service provider (MSSP). Partnering with an external cybersecurity company is a win-win, especially in light of limited IT resources and staff. It allows organizations to use automated tools in lieu of cybersecurity staff. Large enterprises are looking for advanced managed security services, ranging from threat management, vulnerability management, and anti-malware, to scanning and testing. They want to have the most sophisticated solutions in place to boost their posture against the constant barrage of cyberattacks. Distributed organizations, such as hotel and restaurant chains, are prime targets. To protect each of their locations, they turn to advanced managed cybersecurity to protect their data, especially customer details and financial information. Small and medium-sized businesses (SMBs) such as law and accounting firms turn to managed security services since they have limited resources (both budget and HR wise) to protect themselves from cyberattacks while complying with the various regulations.
Over the last year, we saw many new cyber campaigns targeting millions of victims worldwide—from common households to huge organizations such as Equifax, FedEx, and Maersk. These attacks were performed by individual hackers, seasoned cybercriminals, and even nations such North Korea, Iran, and Russia. There is every reason to believe we will experience more of the same throughout the rest of 2018.
However, in contrast to just a few years ago, the awareness of such threats is much, much higher, and the U.S. government is boosting cybersecurity resilience. Various agencies are taking charge of the country’s cyberdefense and are launching offensive actions against the cyberthreats that are out there. Information on how to prepare and better protect is widely available; any household, company, or industry can simply visit the U.S. CERT website to be updated about a wide range of attack methods. The website also offers excellent detailed procedures and tips on a variety of topics, including how to secure your assets, and how to be aware of phishing attacks and malware proliferation. Reviewing and implementing the measures described on that website will not only be useful but also assist in improving cybersecurity resilience to be at par with current and future threats.