Hackers may be the top adversary of the IT security professional, to be sure, but hackers can also be valuable teachers, said Keren Elazari, a cybersecurity analyst, author and researcher, speaking at CDW’s IT Leadership SummIT held Oct. 10–11 in Chicago.
“Hackers are not just digital natives,” she said. “We’re also early adopters. That means if you look at what hackers are doing now, you’ll have a good glimpse into the future as well.”
Elazari spoke on “What Every IT Leader Should Know About Cybersecurity: A Friendly Hacker’s Perspective.”
Lesson 1: More Than Protecting Information
“Cybersecurity these days is not just about protecting information,” Elazari said. “It really is about a way of life.”
Case in point: Ransomware attacks on the city of Baltimore that left some city services unavailable for days. According to CNN, she said, more than 140 organizations in state and local government, police departments and healthcare, among others, have been infected by ransomware this year.
These attacks not only prevent people from conducting their day-to-day business, but they also impair trust in public institutions, Elazari noted.
Yet ransomware attacks are likely to continue because, for criminals, they work. Only a few victims need to pay off for them to be lucrative.
The impacts, of course, go well beyond the effects on individuals and organizations, said Elazari. They have the potential to disrupt supply chains and even the financial markets.
“Cybersecurity is not about information,” she said. “It’s about the systems that run our healthcare, our aluminum production, our cities, the phones in our pockets or the chips that go into the phones in our pockets.”
MORE FROM BIZTECH: See some of the most common vulnerabilities revealed by penetration tests.
Lesson 2: Motivated Attackers
Elazari also emphasized that attackers’ motivations vary and may not always be clear. Yet they are worth thinking about.
Consider NotPetya, the malicious piece of code that masqueraded as ransomware but was actually a wiper, causing more than $10 billion in damages when it disrupted operations of global shipping company Maersk, according to an article in Wired. A White House statement attributed the cause to “the Kremlin’s ongoing effort to destabilize Ukraine.”
Incidents like these raise important questions about motivation, Elazari said, that IT leaders need to understand.
“When we see attacks that are destructive in their nature, and we’re going to see more of these attacks, what are the motivations of the attackers?” she said.
Elazari pointed to another case in which an attack was merely a smoke screen to divert attention while the hackers stole money from bank servers. Geopolitics, international conflicts, finance, ideology — hackers may have any number of motivations, and these may not be transparent, she said.
Lesson 3: Expanding Attack Surface
Something notable happened in 2018 that has big ramifications for IT professionals, according to the “Munich Security Report”: For the first time, it was estimated that connected devices on Earth outnumbered humans.
These devices aren’t just increasing, Elazari said, they’re also getting smarter and communicating with each other. What’s more, these devices are appearing in places where you might least expect them, she said: Think networked public toilets with remote-controlled locks and cleaning systems, or mountaintop transportation systems.
Networked cameras and printers have already been subject to attacks, and much of the Internet of Things is incredibly vulnerable from poor password protection, Elazari said.
One solution, she said, will be laws like that passed last year in California, the first state to establish an IoT cybersecurity law. The law makes it illegal to sell or market a device that has internet connectivity and a default username and password combination.
“This may seem like a small step, but this is actually landmark legislation,” Elazari said.
And it raises another important question, she said: “Who will bear the responsibility for protecting all those new technologies as we connect them into our lives?”
Lesson 4: Everything Has Value
Another challenge of cybersecurity is that criminals can find value in the most unexpected places, Elazari said.
Of note, she said, is that these types of attacks are often possible simply because someone made a mistake in a security configuration.
It’s just the type of weakness that makes up the OWASP Top 10 list, which compiles the most common application security risks — including issues such as broken access control and insufficient logging.
If audience members went back to their organizations and reviewed them against OWASP’s Top 10, Elazari said, “I’m absolutely certain … you will find some issues that correspond with this list.”
In addition to facing financial loss resulting from business impact, companies may be subject to regulatory fines, a trend that Elazari predicted is likely to continue.
“This is a new phenomenon,” she said. “When I say everything has value, security issues now have a new cost associated with them. Regulators are a lot more empowered to put on these incredibly big fines, so that is another type of value we have to think about when we think about data and how to protect it.”
California’s Consumer Privacy Act, for example, allows for statutory damages for consumers who are compromised as a result of a company’s “violation of the duty to implement and maintain reasonable security procedures and practices.”
Lesson 5: Automation and Innovation
Finally, said Elazari, IT leaders must be aware that hackers are just as focused on improving their game as companies are.
“Automation and innovation are not just big buzzwords,” she said. “They’re also the hackers’ best friends.”
With WannaMine, for example, a hacker repurposed existing ransomware to create a new cryptocurrency malware.
“That’s the type of innovation you can see in the criminal underground,” said Elazari.
Like every other industry, the hacking field finds new ways to use technology for its own ends, from more sophisticated social engineering scams to the use of deepfake voices to provide fraudulent verbal confirmation — turning an established security protocol on its head.
“If there is a clever app for a new technology, be assured a criminal will find it first,” said Elazari.
The race to fight these evolving threats is complicated by the limited pool of available talent with the necessary skill sets.
One antidote to these challenges is to empower staff at all levels to see themselves as the front lines of defense.
“We make hundreds of security decisions every day,” Elazari said: recycling a password, clicking a link, downloading an application or ignoring a security update. “The people who work for you make hundreds of security decisions every day … These decisions will shape our future.”
Read articles and check out videos from BizTech’s coverage of the CDW IT Leadership SummIT here.