No End in Sight to Snowballing Hackers and Threats


Posted on by Robert Ackerman

If we have ultimately learned only one fundamental tenet about cybersecurity attacks over the years, it is this: They continually worsen, notwithstanding growing cybersecurity budgets, and it’s unclear if or when this will ever change.

Just one of the multiple examples harkens back to 2017. That was the year of the infamous data breach of credit bureau Equifax, which stole the assorted personal information of more than 146 million American consumers. At one point, World Privacy Forum Executive Director Pat Dixon called this cyberattack “about as bad as it gets.”

If this happened today, however, the claim would hold zero water. Data breaches impacting tens of millions of people, as harmful as they are, aren’t nearly as bad as breaches that can muck up people’s day-to-day lives in a meaningful way or, in some cases, put their lives in jeopardy.

Two such breaches have already occurred this year. In February, hackers accessed the water treatment plant of a small Florida city in an effort to poison the water supply. In minutes, the level of sodium hydroxide fed to Oldsmar water customers skyrocketed. Fortunately, an employee noticed the change and managed to prevent a catastrophe.

Then, in May, many Americans experienced first-hand the impact of a cyberattack that knocked offline an essential US gasoline pipeline, the Colonial Pipeline, serving nearly half of the people in much of the eastern half of the country. For several days, many gas stations had no gas to sell. If people had to go to work or a hospital or do something else important, many were out of luck.

Who is to say that criminals won’t follow in the footsteps of Colonial and hack, say, the communications systems of an air traffic control facility, closing an airport? Even worse, they might embrace the example at Oldsmar and hijack machinery at a pharmaceutical plant and undermine the contents of medication. At such so-called operational technology facilities, technology is often layered on top of decades-old legacy systems with vulnerable outdated hardware and unpatched software configurations.

Meanwhile, the number of ransomware attacks against the Colonial Pipeline and thousands of others has exploded to the point that the FBI now likens this threat to the deadly 9/11 terrorist attacks in New York. According to a report by Deep Instinct, ransomware attacks increased by 435 percent last year. “This is the worst period ever for these attacks, and the pain is not over by any means,” says Karim Hijazi, the CEO of cybersecurity company Prevailion.

Problematic, too, is the huge diversity of cyberattacks. In addition to malware, here are some other especially damaging types of cyberthreats over the past year:

+ Cloud computing vulnerabilities. The soaring growth of cloud computing, whose security has been undermined by mediocre cooperation between cloud purveyors and customers in executing security measures, is a perfect lure for hackers. They now orchestrate millions of attacks annually. Criminals scan for cloud servers with no password, exploit unpatched systems and perform brute-force attacks to access user accounts.

+ Social engineering. According to Data Breach Investigations Report 2020, almost a third of the breaches last year incorporated social engineering techniques, mostly phishing. Many workers have admitted phishing-based mistakes that have compromised cybersecurity. A year ago, Twitter fell victim to a phishing attack that penetrated the accounts of Microsoft founder Bill Gates, then-presidential hopeful Joe Biden and reality star Kim Kardashian West, among many others.

+ Third-party software. More than 80 percent of the top 30 e-commerce retailers in the United States have an ecosystem vulnerability that could lead to a breach, according to cybersecurity firm Cyberion. If one of the applications within this ecosystem is compromised, it opens a gateway to hackers to other domains.

+ DDoS attacks. According to Help Net Security, more than 4.8 million distributed denial-of-service attacks were attempted in the first half of 2020 alone. To form a botnet required for a coordinated DDoS attack, hackers employ devices previously compromised by malware or hacking, often making users unaware of criminal activity in their machine.

The good news, relatively speaking, is that organizations are not defenseless. Here are some security tips—first for cyberattacks in general and then expressly for attacks on operational technology entities.

+ Conduct a security risk assessment. The goal is to understand the most critical threats to your business, then determine the impact they may have on your company. Regular assessments should be routine because the cyber landscape chronically changes.

+ Keep software up to date. Unpatched or out-of-date software opens the door to breaches. According to various research reports, nearly a third of victimized organizations were aware of this vulnerability but did not patch it in a timely manner.

+ Use multiple layers of protection. Implement a password policy requiring strong passwords and require multi-factor authentication. Also deploy firewall, VPN and antivirus technologies, and make ongoing network monitoring a priority.

+ Control access to computers. Each access point poses an individual risk. So limit employee access to specific data they need for their jobs. Administrative privileges should be granted only sparingly.

+ Know where your data resides. The more places it exists, the more likely it is that unauthorized individuals will be able to access it. In addition, back up corporate data at a remote site.

As for security tips for operational technology entities, the most important is to implant a pro-safety culture or work to improve one if it already exists. This needs to include dedicated leadership and resources, written procedures and mechanisms to measure performance. Employees must know that a cyberattack can be just as lethal as a flouted safety regulation. Also, of course, fight technology with technology. You can’t defend against hackers of industrial infrastructure without multiple layers of protection.

Cyber breaches are now projected to cost well over $2 trillion worldwide. Nonetheless, nearly 80 percent of IT security leaders still believe their organizations lack sufficient protection against cyberattacks, according to an IDG survey. It goes without saying that entities must get more aggressive on the security front. Otherwise, much of what else they do could eventually be upended.

Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Hackers & Threats

hackers & threats cloud security social engineering access control

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs