As 2018 begins, a top risk consulting firm reflects on how the cyber landscape has transformed over the last year.
As 2018 begins, it’s worth taking a moment to consider how the cyber landscape has transformed over the last year. The risk associated with the internet of things came into focus with the Mirai botnet attack on IoT devices as part of a large-scale network attack. And breaches of large public companies like Equifax and Uber proved that no one is immune to bad actors.
GCN spoke with Adam Isles, a principal at the risk consulting firm The Chertoff Group, about the top six risks in the current threat environment.
The reason for this list, Isles explained, is the lack of macro-level analysis coming from many threat information sharing institutions. It attempts to move beyond issues like how specific malware is forming and instead find ways “to fundamentally modify our security strategy,” he said.
Chertoff's top six risks for 2018 include:
1. Internet of things. When it comes to IoT, organizations should be able to answer some basic questions, Isles said. What IoT devices are resident in the network environment? How much control do IT staff have over how they’re configured?
IoT networks should use segmentation and application whitelisting, but that doesn’t encompass a full strategy. A growing number of IoT devices are not properly configured, enabling them to create “some level of havoc,” Isles said. Organizations could lose access to their service suppliers as the result of an IoT attack, so they should have redundancies in place.
2. Nation-state actors. A 2015 spear phishing campaign mounted by a third party working on behalf of the Russian government resulted in millions of compromised Yahoo accounts. This type of outsourcing of cyberattacks could continue, making attribution difficult. Additionally, nation states could limit their use of traceable zero-day attacks and use attacks that leave behind fewer signatures to tie back to the nation state, he suggested.
“So when you’re thinking, ‘Well, am I being attacked by a nation state?’ The answer may be less clear,” Isles said.
3. Software subversion. Security programs are already focused on network- and endpoint-level defense, but software is proving to be another vector for attack, Isles said. This was seen in the MeDoc and CCleaner incidents last year when hackers were able to embed malware into software updates, so customers who downloaded the updates ended up with malware. Users should start thinking about software lifecycles, consider the reputation of third-party providers and test the software before it’s brought into a network.
4. Identity subversion. According to the 2017 Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches were the result of a weak or stolen password, highlighting the vulnerability of passwords as identity protection devices.
“You have millions and millions of compromised username and password pairs, and adversaries are not only leveraging that, they’re automating the process,” Isles said. Anything an organization can do to move beyond single-factor authentication is a great risk reduction, he added.
Two-factor authentication won’t be an immediate fix, however. The research community will find vulnerabilities in two-factor systems, and bad actors will start leveraging those findings. And if hackers are stymied by two-factor protection, they will move back to fraud and social engineering schemes to “subvert the identity proofing process that underlies multifactor authentication,” he said.
5. The cloud. The cloud isn’t necessarily a security problem -- it’s the management of cloud services that can create vulnerabilities. Developers and program owners can spin up cloud resources on their own, without IT department input. “Users (not cloud service providers) have significant responsibilities for securing the cloud services they use, and yet cloud services operate outside the traditional boundaries of an IT environment,” Isles explained in an email. This means IT managers must pay attention to the configurations, authentication and third-party software used in the cloud environment, he said.
6. Industrial control systems. Attacks on industrial control systems -- like the Stuxnet worm that infected and disabled Iranian centrifuges and the phishing campaign that opened a backdoor for hackers who brought down Ukrainian electric utilities in 2015 -- are expected to continue. Internet connections in industrial control systems could make safety mechanisms a larger target, Isles said. Security analysts have seen a significant amount of reconnaissance of critical infrastructure, he added.