One of the most chilling developments in IT security this past year was the series of cyber attacks reported on energy utilities and manufacturing plants, which exploited critical infrastructure vulnerabilities introduced by the convergence of IT and Operational Technology (OT). Yet they were barely noticed by the broader public, not nearly as much as Hillary Clinton pulling rank on her IT staff to use a private email server.
Time for a reality check? For our InfoSec Luminary Lineup blog discussion series, we asked cybersecurity leaders and experts: “What is the most underestimated IT security threat, and why?”
In their responses, they don’t dabble in technicalities of the vulnerability-du-jour variety. Instead, all of our contributors paint the bigger picture.
It isn’t pretty. The most underestimated IT security threat is “all of us,” as Frederick Scholl (Monarch Information Networks) writes. His fellow contributors seem to agree. It’s the “‘people aspect’ of cybersecurity,” Law & Forensic LLC’s Daniel Garrie points out, that deserves more of our attention.
While criminal and nation-state hackers may dominate the headlines, serious threats that originate from within the organization remain unaddressed, such as insider negligence or insider accidents.
“CISOs who limit their thinking to malicious insiders,” warns Information Security Forum’s Steve Durbin, “may be miscalculating the risk.” Prevendra's Christopher Burgess urges organizations to address the "carelessness factor." And Jake Olcott of BitSight Technologies reminds us that “many of the most damaging data breaches have originated on the networks of a key vendor, contractor, or supplier.” Tip: Check out our recent post 5 Vendor Risk Reports Every IT Leader Should Read on this blog.
Even the Internet of Things (IoT), Pete Kofod’s pick for “most underestimated IT threat,” fits the “It’s-all-of-us” theme. Like the other picks of our InfoSec Luminaries, IoT vulnerabilities would be less commonplace and critical if it weren’t for cost and convenience considerations, complacency and users’ capitulation - or, as Frederick Scholl puts it, “learned helplessness.”
The resulting threat scenario is laid out in the recent report The Rise of the Machines - The Dyn Attack was Just a Practice Run [PDF] - a must-read for cybersecurity leaders. The author of the report, James Scott, Senior Fellow at the Institute for Critical Infrastructure Technology (ICIT), rounds out this InfoSec Luminary Lineup discussion.
In his contribution, the ICIT Co-founder identifies “stagnation and complacency” as the most underestimated threats to America’s cybersecurity. James Scott calls for efforts to “revitalize national cybersecurity with innovative thought.”
What better New Year’s resolution for 2017? On that note, we would like to thank our InfoSec Luminary Lineup contributors, and you, our blog readers, with the best wishes for the holidays and a safe, secure and successful New Year!
“Insider negligence and accidents” (Steve Durbin)
As we enter 2017, the pace and scale of information security threats will continue to accelerate, endangering the integrity and reputation of trusted organizations.
Cyberspace is the land of opportunity for hacktivists, terrorists, and criminals motivated to wreak havoc, commit fraud, steal information, or take down corporations and governments.
Perhaps one of the most underestimated threats, or certainly one of the most difficult to counter, is presented by the insider.
The insider threat has intensified as people have become increasingly mobile and hyper-connected. Almost every worker has multiple devices that can compromise information instantly and at scale: impact is no longer limited by the amount of paper someone can carry.
CISOs should take a broader view of insider risk
Simultaneously, social norms are shifting, eroding loyalty between employers and employees. A job for life is being replaced by a portfolio of careers. Most research on the insider threat focuses on malicious behavior; however, the threat is considerably broader.
Insider negligence and insider accidents comprise a greater and growing proportion of information security incidents. CISOs who limit their thinking to malicious insiders may be miscalculating the risk. Managing risk posed by the insider threat should extend across all three types of risky behavior: malicious, negligent and accidental.
In the coming year, organizations need to place a focus on shifting from promoting awareness of the problem to creating solutions and embedding information security behaviors that affect risk positively.
People should be the organization’s strongest control
The risks are real because people remain a “wild card.” Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control.
Instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior becoming a habit and part of an organization’s information security culture.
While many organizations have compliance activities which fall under the general heading of “security awareness,” the real commercial driver should be risk, and how new behaviors can reduce that risk.
Leading organizations can combat the insider threat in three ways:
- Start by assessing insider risk. For immediate results, implement technical and management controls, and align roles, responsibilities and privileges throughout the employment life cycle.
- Recognise that technical and management controls have limitations. Organizations need to trust their insiders to protect the information they handle – and will always face some risk of that trust not being upheld.
- Embrace a deeper understanding of trust. Organizations must understand where and how they are trusting their insiders – and must augment technical and management controls by helping people to become more worthy of the trust placed in them. Equally, organizations should foster a culture that makes the organisation worthy of trust in return.
The bottom line is that in 2017, leaders who ignore or encourage inappropriate insider behavior can expect to face significant financial, reputational or legal impact.
Steve Durbin (on Twitter: @SteveDurbin) is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Steve has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner.
“Third party risk threatens IT security” (Jake Olcott)
The most underestimated IT security threat is the risk posed by third parties and business associates.
Over the last few years, many of the most damaging data breaches have originated on the networks of a key vendor, contractor, or supplier that a business works with.
These include the high-profile data breaches suffered by Target, T-Mobile, and the Office of Personnel Management (OPM).
Cyber attacks against third parties have become commonplace mainly for three reasons:
- First, organizations rely on more third parties for key business functions that used to be performed in-house. With payroll, HR, legal, sales, PR, and even product development functions being outsourced, more third parties have access to more sensitive business information, which presents a great challenge to protect data.
- Second, business environments have become more interconnected, which means that more third parties have been granted direct access to the corporate network to perform essential job functions. This privileged access is great to achieve business objectives, but it also poses significant risk.
- Third, as first party organizations improve their cyber defenses, attackers are increasingly searching for the weakest links. Smaller businesses often have fewer resources to protect their environments and represent easier attack vectors for cyber criminals.
Given their access to sensitive data or even the broader network itself, third parties represent great targets. More mature organizations are now using tools to continuously monitor the security risk of their third parties.
A recent BitSight and IDG survey of IT security professionals showed that 10 percent of organizations are now measuring third party cyber risk on an ongoing basis.
Although third party risk increasingly threatens IT security, most organizations do not have programs and tools in place to properly address the critical security risk posed by third parties.
Jacob Olcott is VP of Business Development at BitSight Technologies. He served as cybersecurity attorney to the Senate Commerce Committee and House Homeland Security Committee. He previously managed a cybersecurity consulting practice at Good Harbor Security Risk Management. Jake is an adjunct professor at Georgetown University. He holds degrees from the University of Texas at Austin and the University of Virginia School of Law.
“The ‘people aspect’ of cybersecurity” (Daniel Garrie)
Be they malicious inside employees or habitual clickers on spam links, the most underestimated IT security threat is people.
In the cyber security industry, the focus is often on the technical side of the attacks, without looking at the human side. This must change.
According to the IBM 2016 Cyber Security Intelligence Index, in 2014, 55% of cyber attacks on a company were perpetrated by insiders. In 2015, that percentage grew to 60%.
Malicious insiders have various motivations, including dissatisfaction with the employer/job, social activism/civil disobedience, and financial crime. In addition to purposeful attacks by insiders, there is human error.
Many employees still fall prey to an email from “TrackingUpdates@fedex.ru” or “email@example.com” or other malicious addresses. Notably, these errors may not be covered by a company’s cyber insurance policy.
To address the “people aspect” of cybersecurity, the culture of a company needs to address security at four different spheres: the board and senior management, within the security organization, within the broader IT organization, and across all staff.
As a Neutral with alternative dispute resolution provider JAMS, Daniel Garrie serves as an E-Discovery Special Master, Forensic Neutral, and Mediator/Arbitrator with a focus on complex software and business litigation, e-discovery disputes, privacy and data breach matters, trade secret theft, and intellectual property litigation. Garrie is the Senior Partner & Co-Founder of Law & Forensics LLC, a technology consulting firm that specializes in e-discovery, software, computer forensics, and cybersecurity. Garrie also is a Cybersecurity Partner at the law firm Zeichner Ellman & Krause LLP.
“A state of learned helplessness” (Dr. Frederick Scholl)
The most underestimated threat is… us. All of us. Whether security expert or not.
Consider this remark from General Michael Hayden: “You’re going to have to be responsible for your safety [in the cyber domain] in a way in which you have not been required to be responsible for your safety [in the physical domain] since the closing of the American frontier in 1890.” (Source: Wall Street Journal)
I believe that the “you” in this statement is really everyone.
Security professionals have been too reliant on compliance, behaving as though audit standards will guarantee that their organizations would be safe. Those same professionals have focused on new security technology to mitigate risks, even after many gurus have pointed out that this approach does not work.
Finally, business is thinking (hoping?) that government will solve the security problem, so they don’t have to invest. It’s pretty obvious from the headcount of FBI and Secret Service agents that the government does not have enough resources to stop cybercrime.
Many home users are in a state of learned helplessness regarding information security. They read about security breaches and think they cannot do anything.
They don’t realize that good security is simply discipline and sustained, continuous improvement over time. They also haven’t realized the scope of the threat (worldwide) and the fairly simple and effective mitigations for the typical user.
“Invest in Employees’ Well-Being” (Christopher Burgess)
The number one and most difficult threat to mitigate is the insider threat. Insiders have privileged access, which translates into access to the information necessary to execute against their role.
Clearly, some positions are more sensitive than others, and thus the information, if compromised, would be more damaging. If the insider does not exceed their privileged access, then it is near impossible to detect that they have broken trust with their employer.
It is only when the employee exceeds their brief or the entity to which they shared their information reveals the information (accidentally or on purpose) that they are more likely to be detected.
It is for this reason that the three prime vectors of attack against any company's intellectual property or other data stores are
- the insider,
- the unscrupulous competitor, or
- the nation state.
Employee security awareness training helps with reducing the carelessness factor in rendering information insecure.
Investing in employees' well-being, with health and wellness, financial counseling, legal assistance programs as part of the overall employee engagement, reduces the likelihood of an individual breaking trust due to personal circumstances. This allows the security teams to focus on those breaking trust for the more nefarious purposes.
Christopher Burgess (Twitter: @BurgessCT) is CEO of Prevendra, Inc. He is also an author, speaker, advisor, consultant and advocate for effective security strategies, be they at the office or home for you and your family.
“IoT will become another ‘shadow IT’ headache” (Pete Kofod)
IoT and firmware exploits will prove to be highly effective against both consumers and organizations.
DDoS attacks such as the Mirai-powered attack on Dyn and Krebs will continue to plague organizations, but the attacks will become more intelligent and focused, successfully executing data theft and escalation of privilege of enterprise systems.
IoT systems lack many of the protections that are commonly found in data center and Commercial Off-the-Shelf (COTS) systems. The systems are often low powered, meaning that advanced encryption and data integrity functions are not available.
IoT systems are often designed by small teams that understand the physical problems being solved (cameras, thermostats, solar panels). They, however, often lack the expertise and resources to conduct the requisite security hardening of these systems.
The systems are headless and remotely managed which often requires a "back door" account for system recovery. Software upgrades are subject to malicious code injection, as the IoT systems often lack the capability to cryptographically validate an update.
IoT will become another ‘shadow IT’ headache, as IoT-based devices increasingly pop up across enterprise departments. Facilities departments in particular will need to become more integrated with enterprise security as they deploy countless sensors and controllers.
This relationship will be especially important in organizations that maintain critical infrastructure (energy, utilities and transportation) as IoT and SCADA merge.
Peter Kofod, Co-founder of The Sixth Flag, (Twitter: @TheSixthFlag) has over twenty years of technical and leadership experience in Information Technology, including the development of secure hosted services for the transportation industry as well as designing and managing networks in the utility and defense sectors. Peter is also the Founder and Principal of Raleigh-based Datasages Consulting Group LLC, a firm dedicated to providing enterprise management services to industrial and transportation customers. In this role, Pete is often called upon to lend expertise to large-scale transportation projects. He has been a material contributor to the implementation of Positive Train Control in the United States, particularly as it applies to security and availability in a hosted environment and has patents under way related to this work.
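The point above about IoT systems that cannot cryptographically validate an update, seen from the defender's side. This is an added example, not code from the original post or from any vendor: the `Manifest` layout, function names, and all-zero demo seed are assumptions made for illustration. The device accepts an image only if a vendor-signed manifest verifies, the image hash matches the signed digest, and the version is newer than what is installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed update header: firmware version plus
// the SHA-256 digest of the image it describes.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// encode gives the exact bytes that are signed and verified.
func (m Manifest) encode() []byte {
	b := make([]byte, 4, 4+len(m.Digest))
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.Digest[:]...)
}

var (
	ErrSignature = errors.New("manifest not signed by vendor key")
	ErrDigest    = errors.New("image does not match signed digest")
	ErrRollback  = errors.New("version is not newer than installed firmware")
)

// SignUpdate is the vendor-side build step.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.encode())
}

// VerifyUpdate is the device-side check, run before anything is flashed.
func VerifyUpdate(vendor ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(vendor, m.encode(), sig) {
		return ErrSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// demoKeys derives a key pair from a constructed all-zero seed (demo only).
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKeys()
	image := []byte("constructed firmware image, version 2")
	m, sig := SignUpdate(priv, 2, image)
	fmt.Println("genuine update:  ", VerifyUpdate(pub, 1, m, sig, image))

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff // code modified in transit
	fmt.Println("tampered image:  ", VerifyUpdate(pub, 1, m, sig, tampered))

	forged := m
	forged.Version = 9 // manifest edited without the vendor's private key
	fmt.Println("forged manifest: ", VerifyUpdate(pub, 1, forged, sig, image))
	fmt.Println("replayed old one:", VerifyUpdate(pub, 2, m, sig, image))
}
```

Only the public key has to live on the device, so extracting it from one unit does not let anyone sign updates for the rest of the fleet.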
“American Cybersecurity is Plagued by Stagnation and Complacency” (James Scott)
The cybersecurity of America’s critical infrastructure is incessantly threatened in an asymmetric threat landscape by script kiddies, cybercriminals, lone-wolf threat actors, cyberterrorists, nation-state Advanced Persistent Threats (APTs), and other threats.
That’s because a severe lack of resources and a lack of cultural awareness of cyber-hygiene and cybersecurity best practices restrict public sector cybersecurity incident response to antiquated defense paradigms of crumbling critical infrastructure systems.
Cyber capabilities are the great equalizer; now, even basic script kiddies (as demonstrated in the recent series of Mirai attacks that threatened to take portions of the Internet offline) can pose serious threats to global superpowers, such as the United States.
Archaic defenses for “Frankensteined” legacy systems
The archaic methodologies, such as defense-in-depth, that are relied upon to defend the nation’s “Frankensteined” legacy systems are an insufficient response to threat actors who are relatively unburdened by the bureaucracy and high resource demands that hinder critical infrastructure incident responders.
In short, the relentless expansion and evolution of the threat landscape, combined with America’s aging systems and cybersecurity workforce, has resulted in systemic problems in the nation’s cybersecurity posture and ideology.
In response, the nation combats the symptoms of the cybersecurity epidemic without addressing the cause. Over time, as malware evolves, new threats develop, and defenses continue to dilapidate, America may be severely unequipped to defend its cyber-posture and critical infrastructure.
New variants of cyber adversaries continue to develop from the cyber-criminals, cyber-terrorists, nation state threat actors, and others, that already threaten the nation’s critical systems. The asymmetric cyber-battlefield affords threat actors the advantage of agility, the power afforded by sophisticated malware, relatively anonymous activity, and constant innovation.
Within days of release on a public forum or Deep Web market, each new malware has dozens of variants which cybersecurity professionals must detect, monitor, and defend against. To some professionals, the maintenance and security of systems is just a job; but the majority of threat actors are motivated by personal agendas, such as nationalism or greed.
Threat actors innovate more and respond faster
As a result, threat actors innovate more, respond faster, and drastically outpace security initiatives. Deep Web threat actors collaborate and communicate, while many incident sectors are configured to operate as a lone silo.
Each new malware and tool becomes more accessible and easier to use for threat actors at every level of sophistication. Worse, adversaries persistently expand the reach of their malware into the latest technology and into developing areas, such as the Internet of Things, which lack security-by-design and basic cyber-hygiene.
Meanwhile, security professionals are bogged down by an overload of inadequate silver-bullet solutions offered by faux experts and by cyber attack vectors such as insider threat, social engineering, and others, for which no actionable response has been developed in nearly two decades of research.
Critical infrastructure depends on dilapidated legacy IT
The progression of time is an unavoidable, constant, and merciless march. Many of the United States’ critical infrastructure sectors, such as Energy, Healthcare, or Finance, still depend on dilapidated legacy systems, which pre-date or outlive many of the employees charged with their maintenance and defense.
These systems are inefficient and costly in the short-term, and indefensible and dangerous in the long-term. New systems are not installed because in many cases, organizations lack the knowledge to transition vital information and operation, as well as the immediate funds to replace the system.
Resources are not allocated to replace the systems because America’s cybersecurity culture has grown stagnant and complacent in its belief that systems and paradigms that are already implemented do not need to evolve with the ever-shifting threat landscape.
Decades of unmatched threats and a drought of innovation
Similarly, the public and private sector alike remain plagued by many of the same attack vectors and adversaries as they were, over a decade (or two) ago. A drought of innovation and affordable bleeding-edge cybersecurity solutions has widely reduced cybersecurity to a game of defense, incident response, and impact mitigation.
Aside from allocating funds to transition away from legacy systems, and from researching and developing innovative technologies, the nation can elevate its cybersecurity posture by allocating resources to address the talent crisis.
Many of the cyber-professionals are nearing retirement or are no longer adequately educated in their fields. In response, organizations need to acquire fresh, well-educated talent, or they need to offer programs to build upon the education of existing personnel.
It’s time to revitalize national cybersecurity
At the moment, most well qualified cybersecurity graduates seek employment in the private sector due to higher salaries, less bureaucracy, and increased benefits. Critical Infrastructure organizations require the resources and the willingness to strategically allocate those resources, to compete with private sector employers for the most qualified personnel.
The deployment of a young and agile cybersecurity workforce may revitalize national cybersecurity with innovative thought and modern security paradigms, such as layered defense and security-by-design.
The cybersecurity community of America’s critical infrastructure is plagued by a bout of stagnation and complacency that is disproportionately at odds with the innovation and evolution of the cyber-threats incessantly attacking critical systems.
Resources are greatly needed to phase out legacy systems and to hire the cybersecurity professionals capable of combating the ever-evolving threat landscape.