Almost everything is connected to the internet, which will expand the number of attack surfaces.
Cybersecurity threats are looming everywhere. As the Internet of Things grows, so too does the attack surface that malicious actors can take advantage of.
With Russia’s recent invasion of Ukraine, cybersecurity experts are warning of sophisticated attacks against infrastructure. With the stakes getting higher and the avenues for attack becoming more plentiful, understanding how to prevent an attack is key.
“The consequences are no longer just loss of finances, loss of reputation; it’s now potentially loss of life, and really things playing out in our physical environment,” said Arielle Baine, a cybersecurity advisor at CISA, at a recent panel from the Advanced Technology Academic Research Center.
With the prominence of internet-connected devices, attack vectors are all around us, from the obvious, like smartphones, to the not-so-obvious, like internet-connected coffee mugs. Baine said that water treatment facilities, hospitals and even bridges are connected to the internet. Adversaries are targeting these pieces of critical infrastructure to devastating effect in other parts of the world.
Baine said that in 2015, there was a cyber-attack in Ukraine that left over 200,000 people without electricity.
“You may have like a power outage at home. But what about all those people that don’t have power and don’t have generators? People can be stuck in an elevator, right? That’s potential loss of life,” Baine said. “Hospital equipment relies on energy. The water sector, how do you think water is pumped out of ground? It’s also with electricity. And a lot of systems sometimes aren’t built with that resilience in mind.”
When it comes to defending against attacks that could result in catastrophe, William Welch, a senior advisor for cybersecurity at the Department of Energy, said being vigilant when checking email is important.
“Throughout my 12 years in IT security, I will say that the number one threat vector has not changed. It’s email,” Welch said. “We have put in filters and blocks, and we pay out the nose for different types of security. It doesn’t stop some random body just opening up their web browser and going to Gmail and clicking a link.”
Gaining unauthorized access to critical systems doesn’t solely require computer savvy; today malicious actors tap into their interpersonal skills to gain access. Social engineering can be practiced on anyone, and worse yet, it may not even require any interaction that the victim knows about.
“I go to your TikTok and see that you really like a certain kind of music. Next thing I know I’m sending you concert invites to go, ‘hey, free tickets or reduced price tickets,’” Welch said. “I can get you to click on anything if I know enough about you.”
Phishing attackers are becoming more sophisticated in their use of social media. Information a target posts about their location and the associations they belong to is valuable to attackers, especially if the target is a senior executive. Baine shared a story of a business executive sharing on Facebook that he coached his son’s football team. An attacker pretended to be a senior member of the football league and was able to convince the executive to send money. By establishing trust through a connection outside of the workspace that this executive thought was legitimate, a malicious actor walked away with his money.
Baine said that social media users should balance their need to share what they are doing with friends and family against the risks that sharing presents, and should not act on emotions when receiving emails and text messages.
Keeping attackers at bay is a full-time job, meaning that cybersecurity professionals use a variety of tools to reduce the attack surface.
Bruce Hembree, the field chief technology officer at Cortex, Palo Alto Networks, said automation is useful for finding problems quicker than a human, or team of humans, can. If an engineer works on something and in doing so exposes a server to the outside, automated systems can detect that much faster than the engineer. Working under the assumption that adversaries are also using automation underscores the importance of this.
“And by far, the biggest attack surface inside of the cloud is a misconfiguration. Almost every single time it is a misconfiguration,” Hembree said. “So when you’re scanning yourself and looking at what you look like from the outside, you can understand when one of your developers makes a change that exposes something to the outside that should not be exposed. Then when you become more mature with it, you can even start automation against it.”
The speakers also highlighted the need to institute the right culture. A culture of fear will lead to people working to hide mistakes, which is the last thing security experts want to happen in the secure cloud environment, Hembree said.
Chris Martin, the director of the financial management systems group at Centers for Medicare and Medicaid Services, said that leaders should not create fear, but rather encourage everyone to keep the information flowing freely.
“We want to make sure that the software vendors and our contractors are also transparent. Because if they’re hiding something, we’re not going to know about it,” Martin said. “And I don’t know if one of my monitoring tools will find it.”
Robert O’Shaughnessy is a digital editor of Federal News Network.