Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, July 29th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by David Shipley, head of New Brunswick’s Beauceron Security for a discussion. But first a quick look back at some headlines:
Rogers Communications told a parliamentary committee and the federal telecommunications regulator that nothing it knew or did could have prevented the huge internet and wireless network outage its customers suffered on July 8th. Its key distribution routers reacted in an unpredictable way to a maintenance update. That left many people wondering if a national collapse could happen again. Unlikely, says Rogers: we’re separating the two networks and taking other action.
The average number of weekly attacks faced by organizations in the second quarter was up 32 per cent compared to the same period last year. According to research from Check Point Software, in part that’s due to threat actors trying to take advantage early in the year of the Log4j2 vulnerability and partly due to the cyber war coming from the Russian invasion of Ukraine. David and I will discuss what this report means.
We’ll also look at a report that phishing was believed to be the initial avenue of compromise in a study of breaches of security controls at 600 organizations in the past year. The second most likely cause was the exploitation of vulnerabilities.
And we’ll also discuss the seemingly never-ending demand for employees with cybersecurity training or experience.
The average cost of a data breach is still going up, according to the latest annual survey sponsored by IBM. Among 550 companies around the world that suffered a data breach in the 12-month period ending in March, the average cost of finding and fixing the intrusion, plus lost business, was $5.5 million. For Canadian companies the average cost was $7 million. One of the biggest common factors in data breaches: stolen or compromised user credentials.
More Canadian companies that use the WordFly marketing service are finding out their customers’ data was involved in a ransomware attack earlier this month. The latest to notify subscribers are the Toronto Symphony and Toronto’s CentreStage theatre company. They join the Smithsonian Institution in the U.S. and other arts institutes.
Finally, here’s an irony: the name of the Canadian Anti-Fraud Centre is being used in a fraud scam. A threat actor is putting out phishing emails purporting to be from the centre, hoping to get victims to click on an infected attachment. This is the latest in a long history of scams using brand names that include Microsoft, banks, courier companies and other organizations.
(The following transcript has been edited for clarity. To hear the entire discussion play the podcast)
Howard: Let’s start with a report that the number of cyber attacks is increasing. That’s right, there’s statistical evidence to back up that terrible pressure in your head that things are getting worse, not better. According to Check Point Software, some organizations in some countries faced an average of over 2,300 attempts a week in the second quarter of this year. In North America organizations studied faced an average of 854 attacks a week. That’s up 54 per cent from the previous year. David, are these numbers alarming or not significant to a CISO?
David: I think these are really good cyber weather forecasts that enable CISOs to know when to get the umbrella out. The interesting thing I found from this report was the variety of attacks in terms of the geographic regions. I have the greatest amount of sympathy for global CISOs because they just can’t catch a break. So I think this data is always useful. I do like the phrasing of ‘attempts’ versus ‘attacks.’ These numbers are like shots on goal, which are not necessarily how the pucks are landing. Usually as CISOs we only get insight in terms of ‘Oh crap, we got an incident now.’ But being able to better measure what the averages look like for organizations can tell you a little bit about how your program’s actually working. So I think there’s some use in understanding what the weather forecast is going to be, understanding what the shots on goal heading at your organization may be looking like — at least in terms of benchmarking and planning and preparation.
Howard: One way to look at the numbers is it seems most attacks are going to geographies outside North America. Does that suggest that attackers think that defenses are better here and so they’re directing most of their efforts elsewhere?
David: We do know from some industry reports and other research that North America is further ahead [in cyber defences] than other regions. Asia-Pacific is about a decade behind North America, particularly the United States. So I think that’s part of it. I think geopolitics might play another role as well. It wouldn’t surprise me that there’s a move away from North America, particularly by ransomware gangs and others as the Americans have recently flexed their muscle with their intelligence agencies. They are actually pulling money back from ransomware gangs, and criminal gangs from Russia and Eastern Europe. Recently they pulled back over $500,000 from a North Korean state-sponsored ransomware gang. Typically criminals try and go where the cops aren’t, and go to the areas where they’re going to get greater returns for their criminal investment. So it makes sense [attempts recently are lower in North America].
Howard: Something else in this report interested me. It says that many cyber security companies often claim that there’s no way to avoid cyber attacks and the best thing to do is to invest in technologies that detect attacks after they happen, and then mop up. Check Point Software says the majority of attacks can be prevented. Is this marketing bumf? What should the strategy of an IT security team be?
David: It’s like a hockey team: You don’t win just by having a goalie and defensive players, and you can’t win just with your offensive lines. You’ve got to have a balance between proactive preventative work, and your ability to deal with something after something bad happens. We talk about this to our clients. Take phishing: We acknowledge that any phishing education awareness program won’t get any of your staff clicking on phishes. You’re going to get it to a really manageable number. Under five per cent for example, is a really really good place to be. Then once you have a click rate and you understand the volume of attacks that get fired at your organization and the rough flow through of how effective your email filter controls or other things are, then you can arrive at a theoretical number of how many incidents you might have to handle in a given day, week, month or year. From that you can then build your incident response capacity so that you can handle it.
It’s like taking the lessons of the pandemic in terms of managing public health and saying, ‘What are the things we can do to reduce transmission, be preventative, keep the number of infections down so that we can manage the hospital capacity?’ That’s what we have to do in cyber. But I do think the cyber security industry does not do itself any favors with how we market … There’s way too much fear, uncertainty and doubt. There’s always this herd mentality, like ‘zero trust’ and other buzzwords that everyone follows. A number of years ago someone decided that there was more money to be made and a more interesting sell with a defeatist attitude that you can’t stop attacks so just deal with them after they come in. You can do both prevent and defend. A balanced program tries to do both.
Howard: One of the things I’ve heard from experts is if an adversary has the time and the money you’re going to be hacked.
David: So true, particularly if you’re up against a nation-state. But the environment in which a modern organization exists has hundreds of different threat actors. So if your preventative work can keep the script kiddie chuckleheads out so that you’re just dealing with a nation-state, that’s all that’s going to get in. But then you can get on top of when they do. That’s great. But if everybody and their dog can come party in your network you’ve got no hope. So it’s good to raise the bar and get the easy wins where you can, and then concentrate your efforts on the actual patient, persistent attacker. But don’t go into the game assuming, ‘Well, I can’t win at all so I’m not going to try.’
Howard: Topic Two – What’s behind successful cyber incidents? Palo Alto Networks did an in-depth study of 600 successful cyber attacks and found some interesting things. People falling for phishing and attackers leveraging software vulnerabilities were the number one and number two ways that attackers were believed to have gotten into victim firms. Combined, those two ways would account for 68 per cent of causes. Use of brute-forced credentials or previously compromised credentials brings the total up to 83 per cent of causes in the incidents studied. Aren’t all of those preventable?
David: If not preventable, there’s an opportunity to dramatically reduce the impact that they can have, as I mentioned, on the phishing side. We’ve seen you can drop phishing click rates from an average of 34 per cent without a robust [awareness training] program to less than five per cent. So if 36 per cent of successful attacks are phishing and you can take 31 per cent of that risk away, that would be amazing. Similarly, as far as software vulnerabilities go, it is easier to say on paper to patch than it is to actually deliver patches at scale in an organization with large numbers of devices. It’s easier to control things like OS patching to an extent than all the third-party software applications that you’re using. Needless to say, we have to do a better job managing that. In terms of combating brute-forcing credentials, there are things like multifactor authentication and password managers. So not only are they [compromised credentials] preventable, there are solutions and proven ways of implementing the solutions to address this risk. I think the focus on all of this detect and respond stuff over the last couple of years has sucked all the oxygen away from doing the preventative work. There’s a strong argument to be made that the gains in Ukraine, particularly over the last six months or so of the conflict, have to do with them going back to the cybersecurity fundamentals and doing more prevention work. You’re entirely right these are preventable. But there’s not enough focus on them because it takes expertise, planning and people to do things that we know are in critical demand.
This is a huge opportunity for us to do better to be proactive and preventative. But it isn’t sexy, cool, looking-at-the-threat-hunting kind of fun stuff where we feel like we’re foiling the bad guy. This is the good, solid foundational work that makes cybersecurity so valuable to organizations.
What also caught my eye in the report was that it now takes 15 minutes from a CV [critical vulnerability] being made public to it being scanned for by threat actors. The moment that researchers publish their disclosure and the vendor starts rolling out a patch should start the clock on your patching. That’s incredibly intense. Maybe we should think about the disclosure of CVs and the timing of their release. Google’s Project Zero gives vendors X amount of time [before disclosure]. Maybe there should also be broader constraints about when vulnerabilities get published, almost like the constraints about when certain financial information can be published so it won’t immediately impact the stock market. Maybe limit publishing CVs to Monday mornings at 9 a.m. Then we can rev up the IT team [to install patches].
Howard: I want to paraphrase something from the report, which says once the cyber security basics are covered organizations can move to implement additional capabilities and defenses to address the more advanced hackers and tactics. The goal is to make it as difficult and as costly as possible for attackers to succeed at any stage. It will take everyone in the organization being vigilant and working tirelessly to protect organizations from cyber attacks.
David: I love this for a couple of reasons … Attackers will go to the lowest hanging fruit. Criminals aren’t dumb. They can be incredibly intelligent, but generally they are lazy, because if they were hardworking they would create legitimate businesses and technologies. Instead they take the easy route of trying to be thieves and extortionists. When you make their life harder even incrementally harder you’re not as attractive to them. If they know it’s going to take six months full-time work to break into your organization because you’ve got MFA, you’ve done your phishing education program, you’ve patched your stuff … and then they see a company that’s not doing any of these things, guess where they’re going to spend their time?
Howard: What caught my eye was this number: Fifty per cent of targeted organizations lacked multifactor authentication on key internet-facing systems such as corporate email, virtual private network solutions and other remote access solutions.
David: And that’s the game right? We heard some anecdotal stories from intelligence vendors that if an attacker runs into an organization that has MFA right off the bat they think it’s so much work [to break into]. If you’re not doing multifactor authentication on these obvious areas for attack you’re gonna get hit. It’s almost guaranteed.
Howard: Topic Three — Cyber security talent shortage. Guests and I have talked before about the demand for people with cyber security training and expertise. A story in Fortune last week notes that a market research firm predicts the global cybersecurity market, which includes spending on cybersecurity products and services, will grow at a compound rate of 12.5 per cent a year to reach US$403 billion around the world. The thing is, governments and companies aren’t hiring at a 12.5 per cent rate. One solution apparently is the increasing use of artificial intelligence. Is that going to be enough?
David: There are still way too many lofty promises being made about what artificial intelligence can and can’t do. Those bragging cheques are bouncing more and more. I think there’s a great role for artificial intelligence to supplement a team to make someone more productive and efficient. But we have not yet reached the point where it can replace expertise. Organizations need a core group of talent, and then the question is how are you using technology to amplify the force impact of the team. That’s the right combination. We [Beauceron Security] work with global financial institutions and they were able to use the automation technologies and the insights that we helped them with to not necessarily eliminate a job but to enable people to do even more. They were able to close their future hiring needs. But it can’t replace an entire team. When I think about the preventative side of the [cybersecurity] house versus the incident response, detect kind of stuff, it’s more on people and expertise and less on that artificial intelligence side of things. There are lots of ways to automate and create insights when something weird’s happening in a network, and there’s some great vendors in that space using AI to various degrees. But someone doing the hard, dirty work of figuring out what your identity and access management strategy is going to be and what the process flow is going to be for the people who are going to manage it and the different systems and understanding risks around that, that’s a multi-year effort in large organizations. It’s a grind, but it requires people to do it. When we do assessments of organizations, large and small, it’s the unsexy cybersecurity proactive, preventative hygiene stuff that never gets done because there aren’t the people to do it. So I have yet to see products in the market that will solve the unsexy problems of cybersecurity. There’s lots of stuff being thrown at the cool stuff.
But as we’ve talked about today we’re in dire need of more preventative work.
Just to expand on that, we’ve realized that up to one in four of employee-reported phishing emails aren’t actually even remotely malicious. These are actually internal organization communications that look like phishes or do other things [that staff report as suspicious]. And the solution to that problem is educating people, helping them understand how their business actually works, teaching them, working on people and process. AI is not yet another tech silver bullet. That’s really important about cybersecurity, and it’s the part that always gets lost because we always get distracted by the latest cool zero-day vulnerability and the latest criminal gang and the cool chain of attacks they use or the massive disruption they caused. In some ways I feel the preventative/proactive part of cybersecurity is like the family medicine part of healthcare: It doesn’t get nearly enough credit and resourcing and love and attention. But you can stop so many people from ending up in an emergency room if you have better frontline family-based or primary healthcare.
Howard: There are two security-related people problems. One is educating people who are writing computer programs to write them securely and making sure that managers encourage that and make safe applications a priority. The other is finding people who are actually going to be working on cybersecurity IT teams. So first, what about encouraging people to design safe products?
David: We could have an entire podcast on this one topic. There should not be a computer science university or college graduate who isn’t taught secure coding and penetration testing. It should be mandatory. The other part of it is we actually need to have some professionalization of what it means to be a computer programmer. If we’re going to professionalize this we need to have an ethical body and accountability for this so when people rush and do jobs that they were taught not to do they know they have to raise their hand and say, ‘In order to maintain my professional accreditation here I have to call this out.’ I think part of the bad code problem we still live with today is people aren’t taught in schools enough about security.
The other part is the pressures of commercial software development to ship products. Some of the ways that project management, or even agile and other things, are done can create perverse incentives that result in security vulnerabilities. How do we create people that can think critically when they’re being put under pressures that can actually result in unsafe code? There are extreme examples in the nuclear safety industry of all the code reviewing they have — and rightfully so. But what other sectors and vendors that we rely on critically should be held to a high standard?
The other side is the talent shortage. Many times I think the cybersecurity industry and companies shoot themselves in the foot when looking to hire with ridiculous requirements for a kid coming out of school to already have certificates or X years experience or things they can’t even get because they haven’t had the time to get them. We need much more apprenticing and building up of people in this industry. Sometimes there are people you never even thought of within your company who can be excellent cybersecurity professionals. We have to build the talent. We can’t just go looking for theoretical unicorns.