[BreachExchange] Cybersecurity Lessons Learned for 2017

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 5 18:56:12 EST 2017


https://www.thecipherbrief.com/column/agenda-setter/cybersecurity-lessons-learned-2017-1092

Pundits will pick over the lessons of 2016 for a long time, and as they do,
cyber experts are looking at the past year and finding lessons as well,
with far-reaching implications for our nation’s security.

For most Americans, the 2016 election was the year cybersecurity moved from
being an IT issue to one of great political significance. This was
evidenced by events ranging from the 20,000 hacked emails released by
WikiLeaks on the eve of the Democratic National Convention to the phishing
attack that gained access to Clinton Campaign Chairman John Podesta’s email.
No previous
election has highlighted for the American people how much we rely on the
cyber domain and how much is vulnerable to attack as a result.

With 2016 now behind us, it is worth looking at some of the lessons we
learned that will change the way we see cybersecurity and, as a result, our
national security.

Cyber is now pervasive

The public is beginning to understand that cybersecurity is no longer
solely about protecting computer networks but rather protecting how we
live. The convergence of business, national defense, and personal
activities on the same devices and networks creates opportunities for
adversaries to exploit the smallest details of our lives. The network we
must now protect includes so much more than computers; it includes things
like networked cars, connected appliances, and millions of sensors and
processors in addition to the phones, tablets, and devices on which we now
rely for information and connectivity to the rest of the world.

This became clear in the days leading up to the election when cyberattacks,
generated from millions of hacked home devices, targeted a company that
serves as a “switchboard” for the web. Slowing Internet connections on the
East Coast to a crawl, the Mirai distributed denial of service (DDoS)
attack, as it became known, shut down sites such as PayPal, Twitter, CNN,
and Netflix, and those hosted by Amazon. With tens of millions of attacks
coming at the targeted company from thousands of devices, the attack showed
how diverse the cyber ecosystem of devices has become, and how vulnerable
we are to losing the services it provides.

Cyber warfare is targeting commercial companies and private institutions

The cyber domain – the very same network where we communicate, work, bank,
and seek entertainment – is now the terrain over which nation-states are
playing out their battles. Cyber warfare is being waged across commercial
networks with companies and private institutions in its sights. We saw this
during the election, as the DNC and targeted Gmail accounts were the
targets of sophisticated nation-state hackers. With most of our critical
infrastructure and more than 85 percent of the known Internet in the
hands of the private sector, we can expect .com to be just as important
as .gov and .mil in the future, or more so.

A major concern is in protecting that commercial domain. When hackers enjoy
the resources of a nation-state, most companies and private organizations
without more sophisticated tools and intelligence don’t stand a chance.

Global supply chains increase our vulnerability to insider threats

The day after the election, news broke of Android phones in the U.S.
sending data back to a Chinese manufacturer that is owned by the state.
This event, while not connected to the election, revealed how easy it is
for actors across a global supply chain to compromise personal devices
without the awareness of customers or manufacturers. This kind of
compromise does not require a hacker to break into a network. Instead, it
was an insider threat—one with acknowledged access—siphoning mountains of
data. Without cybersecurity technologies that monitor how data is moving,
our networks and devices could be secretly working against us.

We are still vulnerable to the simplest of attacks

Today, the majority of initial attacks are still rather simple and easy to
execute. John Podesta’s email breach, for example, was caused by a basic
phishing attack: a disguised email, which even fooled the campaign’s IT
team, prompted Podesta to change his password via a malicious link.
Defending against this kind of attack requires basic training for those
entrusted with access to a network. It is still the case today that few
employees are told what suspicious signs to look out for. This
reinforces the notion that people are still the most important element in
effective cybersecurity.

Non-state actors are as dangerous in the cyber domain as nation-states

Director of National Intelligence Jim Clapper announced in October that the
massive Mirai attack was not the work of a nation-state but, instead, of
non-state actors. For cyber experts, the use of this term set off alarm
bells. Non-state actors in cyber are becoming more dangerous as the
international marketplace for cyber mercenaries grows. Nation-states hoping
to keep their actions in the cyber domain hidden have been known to
outsource this work—often overcoming a lack of expertise inside their own
borders. As a result, hacker networks can thrive and proliferate with
sponsorship, and they can move from country to country evading criminal
prosecution.

The non-state actors behind the Mirai DDoS attacks have no proven
connections to nation-state sponsorship, but they, along with those behind
other attacks on U.S. hospitals and police departments, have shown the
dangerous impact hacker mercenaries can have on our way of life while
nation-states may be restrained from such actions without a declaration of
war.

We do not have enough cyber experts

If the cyberattacks of 2016 have shown anything, it’s the dire need we have
for more cybersecurity professionals. While companies are finding more ways
to connect the products they make and the services they provide to the
Internet, the opportunities for attacks are growing exponentially. At the
same time, we are not training the workforce fast enough to help companies
and institutions navigate and defend their interests in this domain. The
realization is setting in that we will not out-hire the cyber threat.
Instead, we need investment in the technologies that can tip the balance
back in the favor of the defenders. The self-healing systems that DARPA
(Defense Advanced Research Projects Agency) is helping to create, the power
of quantum physics for encryption, and virtual security operations centers
for those companies not prepared to defend against sophisticated threats
all offer promise. At the end of the day, innovation brought us the
Internet, and it will require innovation to secure it.