On her first day on the job as America’s first female White House CIO, Theresa Payton had a chilling conversation with Andy Card, then chief of staff to President George W. Bush.
“There was this chair, and you had to sit in it and talk to him — that was the rule,” Payton recalled, speaking during the keynote session of ISC West, the leading trade show for physical and converged security, which is running through March 31 in Las Vegas. “We get to the end and I’m so nervous, and Andy said, ‘I just want to say one thing. I know it’s not a matter of if but of when — I know that’s the thing in cybersecurity.’ And I was so relieved. And then he said, ‘But never here.’”
The White House did not experience a significant cyberattack (at least none that were made public) during Payton’s tenure as White House CIO from 2006 until 2008, a fact that Payton, who is now a speaker, adviser to corporate boards and author of Manipulated: Inside the Cyberwar to Hijack and Distort the Truth, considers one of her greatest achievements. “That’s always the best thing you can say, that nothing bad happened on your watch.”
Today’s security professionals, both in information security and physical security, are also trying to ensure nothing bad happens on their watch, but the job is tougher than ever. Technology is advancing rapidly, and threat actors are taking advantage. Industries are deploying billions of connected — and therefore hackable — devices inside their plants and factories. And increasingly, the technology used to operate and secure facilities is likewise connected and vulnerable.
That’s not going to change. Citing research by data platform provider DOMO, Payton said the world is completely digital, always on and thoroughly mobile. For example, each minute of every day, 5.9 million Google searches are conducted, 1.7 million pieces of content are shared on Facebook, and 66,000 photos are uploaded to Instagram. And that’s just a “snapshot,” she said, “an executive summary.”
“When I look at those statistics, I think, good golly, that’s a lot of data. Is it all encrypted? Is it all protected? Is it being kept private?”
Email Continues to Confound Businesses
For all the talk of threat actors’ growing sophistication, their favorite attack method remains remarkably prosaic: sending malicious emails to employees and hoping they open them and click on the link. It’s popular because it works.
That doesn’t mean people are necessarily foolish. “People always used to say to me ‘Why do people click on emails and open the links?’” Payton said. “And I would say, ‘Because it’s their job.’”
At the same time, hackers are getting more sophisticated in their social engineering tactics. To illustrate the point, Payton took her audience through a common methodology used by threat actors when targeting a victim.
The hacker starts by gathering publicly available data about, say, the CEO of a publicly traded business. Free tools available online can provide the hacker with a list of potential email addresses and office phone numbers and even potential cellphone numbers for that person. From there, the hacker looks for potential passwords that might have leaked. Other tools will provide access to the targeted CEO’s personal social media accounts and allow the hacker to examine the metadata of the photos the CEO has shared, providing clues to where the target spends time and perhaps even where he or she lives.
“You get a heat map of where the person has been,” she said. “I can get a pattern of their life and start to see what looks like a vacation spot and what looks like their residence.”
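The defensive counterpart to the photo-metadata step above, as an added example that is not part of the article: removing the Exif (APP1) segment from a JPEG before it is shared, so any embedded GPS tags never leave the device. It is pure Python over raw bytes; the sample JPEG is constructed, with a placeholder standing in for a GPS tag block, and the parser assumes no 0xFF fill bytes between segments.

```python
import struct

SOI, SOS, APP1 = 0xD8, 0xDA, 0xE1


def _segments(jpeg: bytes):
    """Yield (offset, marker, total_length) for each header segment up to SOS."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            yield pos, marker, len(jpeg) - pos   # scan data runs to the end
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # length includes itself
        yield pos, marker, 2 + length
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS marker")


def segment_markers(jpeg: bytes) -> list:
    """Marker codes of the header segments, in file order (ends with SOS)."""
    return [marker for _, marker, _ in _segments(jpeg)]


def strip_exif(jpeg: bytes) -> bytes:
    """Copy of `jpeg` with every APP1 segment removed.

    APP1 carries Exif (GPSInfo included) and XMP, both of which can hold
    location data; everything else, including the image data, is kept verbatim.
    """
    out = bytearray(jpeg[:2])
    for pos, marker, total in _segments(jpeg):
        if marker != APP1:
            out += jpeg[pos:pos + total]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample (not a real photo): JFIF header, an Exif block whose body is a
# placeholder for GPS tags, a quantisation table, a minimal scan header and EOI.
SAMPLE = (
    bytes([0xFF, SOI])
    + _segment(0xE0, b"JFIF\x00\x01\x02")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08GPS-PLACEHOLDER")
    + _segment(0xDB, b"\x00" + bytes(64))
    + bytes([0xFF, SOS]) + b"\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\x56"
    + b"\xff\xd9"
)
```

Running `strip_exif` on a real photo works the same way, since only the segment table is parsed and the compressed image data is copied through untouched.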
Another common tactic is to search LinkedIn for anyone who has posted a phrase such as “I’m looking forward to starting my new position.” Many people make statements like that on LinkedIn every day. The hacker can then craft a phishing email to that individual, posing as his or her new employer’s CISO and instructing the employee to visit a portal to take the company’s cybersecurity training.
The CISO tells the employee that it’s vital that this training is completed — and quickly. All they have to do is click the link.
“Why am I telling you this? It’s not so that you’ll never use LinkedIn again,” Payton said. “On the contrary, I’m telling you this to show that you are better than these guys. You can outsmart them.”
What Will Cybercriminals Think of Next?
Payton also made several predictions about new cyberthreats likely to emerge in the next two years:
- Deep-fake AI personas will enter the workforce. “This is the process of taking your real-life information, then appending it with fake information and creating an avatar,” Payton said. This creates risk not only for the person victimized but also for employers, who — in an age of digital work — may hire someone who is not even a real person. Employers need to ensure that their prospective employees are who they say they are; indeed, that they are anyone at all. Payton advises that they make sure all new employees present themselves physically somewhere, at least for a period of time.
- A smart facility will be hacked into lockdown, with hostages taken. If hackers become frustrated by businesses’ refusal to pay ransoms in exchange for the return of their data, they may turn to something even more dangerous: taking humans hostage. “They’re going to find something else,” she said. “And what is the something else? A smart building and the people who work there.” A hacker could take control of a facility’s access control technology and use it to lock down a building with people inside, refusing to free them until a payment is made. She said physical security professionals need to ensure such access control solutions have a kill switch that can’t be breached.
- Hackers use bots as internet pirates. “It’s never been easier to spin up a bot, give it instructions, use artificial intelligence and send it out into the internet to look for vulnerabilities, and then tell it that if it sees valuable data, to steal it, encrypt it and hide it,” Payton said. “And you do it all by just managing a botnet.”