Even as organizations strengthen protections against cyberthreats and take pride in workforces trained to recognize and report possible intrusions, the next attack will probably be one they won’t expect — and today’s tools won’t work.
Threats, said John Rutter, vice president of applications and development at Connecticut-based Bob’s Discount Furniture, “are constantly changing. What you’re doing today you won’t be doing tomorrow.”
These include password-spray attacks, which go after many logins at once and are less detectable than the usual brute-force attempts at getting into one profile, and attempts by hackers to leverage a worker’s personal email rather than a work address.
The notorious and debunked Pizzagate story, for example, evolved from a Russian phishing attack on the personal email account of a high-ranking Hillary Clinton campaign official.
“Back when the Chinese were hacking us [in 2008], we figured they were using the information for internal purposes. [In 2016], it was used to create disinformation,” said Shane Hable, Clinton’s campaign CIO, a top IT official on President Barack Obama’s campaigns and director of information technology for the Obama Foundation. “We didn’t really imagine that this was how they would use the information.”
Attacks come from the expected sources, like nation-state-sponsored intruders or overseas hackers who are in it for the money. But the newest hackers seem to be “very privileged teenagers with lots of opportunities, who have been raised by the internet,” said security expert Brian Krebs, author of the noted Krebs on Security blog. “One of our fastest growing exports is cybercrime.”
Business, Healthcare Prove Most at Risk for Cyberattacks
The business and financial sectors remain top targets for attackers, followed closely by the healthcare industry, then entertainment and media, according to the M-Trends 2018 cybersecurity trends report, issued in April by Mandiant.
The average length of time an intruder was able to stay in an organization’s system without being discovered was 101 days, up slightly from 99 days in 2016. That’s the first time the number has risen since Mandiant began tracking it in 2011, when dwell time averaged 416 days.
“The trend of it going down year over year is indicative of the fact that companies have put a lot more time and resources and energy into their protection capabilities,” said Nick Bennett, director of professional services for Mandiant. “This leveling off is something we need to watch as an industry, thinking about what we need to do to up our game.”
IT professionals should think beyond the basic solutions. Consider automatic patches, for example, which may not apply to all devices on their networks. “We’ve gotten good at patching Microsoft; we haven’t seen a vulnerability in the wild in several years,” said Sadik Al-Abdulla, director of security solutions for CDW.
But smart appliances or sensors can create unexpected vulnerabilities. They may be seen as peripheral and may not be updated frequently, if at all, he said.
Tips to Protect Your Enterprise from Cyberthreats
Basic precautions that organizations can take include adding multifactor authentication, segmenting the network, better managing network privileges and getting upgrade alerts to notify the IT department of additional forms of attack, Bennett said.
Many companies still don’t have these protections, “not because the security team is terrible,” he said, “but because they didn’t have the political power, staff or resources to fix them.”
The scope of cyberattacks is so broad — Krebs said that he is more surprised to find a network that hasn’t been touched by a nation-state actor, for example — that the thought of beefing up security can be daunting. Think local rather than global, the experts suggested.
“Truly solving the problem is difficult,” Al-Abdulla said. “But solving for your environment? That’s not so bad.”