If you were counting on the Summer of 2017 being a time you could relax, free from worry about the rough and tumble world of cybersecurity – you might want to invest in some travel cancellation insurance. Let’s use the news that a cyberattack could cripple the electric industry as a start to a discussion about three key issues that executives, lawmakers and security professionals need to keep top of mind:
- Despite the fear of cyberattacks, critical infrastructure, and operational technology (OT) in particular, has been neglected when it comes to addressing cyber threats. The Ponemon Institute's recent report and the new cybersecurity practice guide for electric utilities from NIST's National Cybersecurity Center of Excellence (NCCoE) both document as much.
- Web application attacks are successful because software flaws are ubiquitous and because most popular cybersecurity tools only protect part of an application’s code. It doesn’t take a particularly sophisticated hacker to find and exploit flaws – often traceable to an open source component – that can bring organizations to a grinding halt as we’ve seen with ransomware in healthcare and transportation.
- We continue to rely on outdated tools. Attackers are creative and persistent, while businesses and government still rely on decades-old approaches to protecting data and systems. Heuristics are the dominant approach to cybersecurity: the tool guesses whether an attack is real. A report this month from NSS Labs shows that 80% of the top firewalls tested miss attacks, at a time when criminal and state-sponsored hackers are building tools specifically to evade traditional defenses.
Just as code flaws are easy to find but hard to fix, it is easy to point out the flaws in the current approach to cybersecurity. There are, though, steps that can dramatically improve protection while reducing complexity, noise and resource requirements.
- Every vulnerability disclosure starts a race between attackers, armed with automated vulnerability scanners, and the security teams who must test and apply the update; most teams struggle to keep pace with routine and emergency patches alike. Virtual patching applies a code-equivalent protection for a newly disclosed vulnerability at runtime, without taking the application out of production or changing its code, which takes away the attacker's inherent time advantage. The vendor's binary patch can then be applied on a normal schedule once the protection is in place. A virtual patch is a compensating control, not a substitute for the fix: track it like any other exception, and retire it only after the real patch is deployed and verified.
- Don't stop with virtual patching. Microsoft, for the second time in a month, reopened the long-retired Windows XP to issue patches for newly discovered OS vulnerabilities. Old endpoint software is only one part of the problem; so are web applications running on out-of-support Java and .NET platforms. Virtual upgrades, like virtual patching, can bring an application on an older platform up to the protections of a current platform version without a long and expensive project to rewrite it.
- System hardening and attack-surface reduction should be the norm. System and application components that are not required should be disabled at every layer of the software stack, either manually or automatically with the help of tools. This includes firmware, operating systems, system drivers, services and applications, as well as the internals of managed runtimes such as the JVM and the .NET CLR. The practice dramatically reduces an organization's attack surface and with it the likelihood of a successful compromise.
- Treat all code that enters an operating system or managed runtime as untrusted. Compartmentalize the runtime environment, define trust boundaries and control the interaction between compartments. Untrusted code and third-party components need to run in isolated compartments. Industroyer and similar malware showcase the value of running any untrusted code inside restricted sandboxes, containers or other runtime compartmentalization solutions that isolate the environment and give fine-grained control over which operations are and are not allowed.
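To make the virtual-patching point concrete, here is an added example in plain Python; it is not code from the original post or from Waratek. A `ReportService` class stands in for a deployed component with a known path-traversal flaw that cannot be redeployed immediately. `apply_virtual_patch()` wraps the vulnerable method at runtime with a guard that rejects the exploit condition, and `remove_virtual_patch()` takes the guard back out once the real fix ships. The class, the guard, the helper names and the sample files are all constructed for this illustration; commercial runtime-protection agents do the same thing through bytecode instrumentation rather than Python attribute assignment.

```python
"""
Virtual patching: close a disclosed vulnerability at runtime by wrapping the
vulnerable call site, without editing or redeploying the application code.
Illustrative example only; names and sample data are constructed.
"""
import functools
import logging
import os
import tempfile

log = logging.getLogger("virtual_patch")


class BlockedRequest(Exception):
    """Raised by a virtual patch when a request matches the exploit condition."""


# ---- the deployed, unmodified (vulnerable) component -----------------------
class ReportService:
    def __init__(self, root: str) -> None:
        self.root = root

    def read_report(self, name: str) -> str:
        # Vulnerable: `name` is attacker-controlled and joined without
        # confinement, so "../secret.txt" escapes self.root.
        with open(os.path.join(self.root, name), encoding="utf-8") as fh:
            return fh.read()


# ---- the virtual-patch mechanism --------------------------------------------
_PATCHES = {}  # (class, attribute) -> original callable


def apply_virtual_patch(cls, attr, guard):
    """Wrap cls.attr so that guard(self, *args, **kwargs) runs before it.

    The guard raises BlockedRequest to stop the call; otherwise the original
    method runs unchanged.  The wrapper keeps the original name and docstring.
    """
    original = getattr(cls, attr)
    _PATCHES[(cls, attr)] = original

    @functools.wraps(original)
    def patched(self, *args, **kwargs):
        try:
            guard(self, *args, **kwargs)
        except BlockedRequest as exc:
            log.warning("virtual patch blocked %s.%s: %s", cls.__name__, attr, exc)
            raise
        return original(self, *args, **kwargs)

    setattr(cls, attr, patched)


def remove_virtual_patch(cls, attr):
    """Restore the original method, e.g. after the real code fix is deployed."""
    setattr(cls, attr, _PATCHES.pop((cls, attr)))


# ---- the guard for this particular vulnerability ----------------------------
def confine_report_path(service, name, *_args, **_kwargs):
    """Reject any report name whose resolved path leaves service.root."""
    root = os.path.realpath(service.root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise BlockedRequest(f"path traversal attempt: {name!r}")


def demo():
    """Run the service unpatched, patched, and with the patch removed against
    constructed sample files; return the outcome of each step."""
    with tempfile.TemporaryDirectory() as tmp:
        reports = os.path.join(tmp, "reports")
        os.mkdir(reports)
        with open(os.path.join(reports, "q1.txt"), "w", encoding="utf-8") as fh:
            fh.write("Q1 revenue: fine")
        with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("db_password=hunter2")

        svc = ReportService(reports)
        out = {"before": svc.read_report("../secret.txt")}  # exploit succeeds

        apply_virtual_patch(ReportService, "read_report", confine_report_path)
        out["legit"] = svc.read_report("q1.txt")             # normal use still works
        try:
            svc.read_report("../secret.txt")
            out["patched"] = "leaked"
        except BlockedRequest:
            out["patched"] = "blocked"

        # Removing the guard before the real fix lands reopens the hole.
        remove_virtual_patch(ReportService, "read_report")
        out["after_removal"] = svc.read_report("../secret.txt")
        return out


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for step, result in demo().items():
        print(f"{step:14s} -> {result}")
```

The guard runs inside the application's own process and sees the real arguments to the real call, which is what lets it enforce a code-equivalent rule (path must resolve under the report root) rather than a pattern match on the wire. The last step of `demo()` is the caveat in practice: the guard is an exception to be tracked, and pulling it before the vendor fix is deployed puts the flaw straight back into production.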
There are encouraging signs that we’re about to see a step-change in cybersecurity. The constant barrage of attacks and newly discovered vulnerabilities has the attention of executives, shareholders, government regulators and legislators – the four groups that can mandate action. Now it’s up to security professionals to take advantage of this environment to drive positive change.
Author:
James E. Lee is the Executive Vice President and Chief Marketing Officer for Waratek. Lee is the former CMO at data pioneer ChoicePoint and an expert in data privacy and security, having served nine years on the board of the San Diego-based Identity Theft Resource Center including three years as chair. Lee has served as a leader of two ANSI efforts to address issues of data privacy and identity management. Lee is also a former global leader at International Paper Company.