Healthy dose of skepticism and reality will carry companies through next cyberthreat

National Cybersecurity Awareness Month

Trick-o-treaters throw eggs at houses on Halloween. It's a fact of life, but the expectation of an egging greatly reduces the impact of the cleanup.

The same is true for cyberthreats. Acknowledging their possibility and the reality of their fruition is the first step in creating a plan that can mitigate impact.

However, unlike an egging, where protecting physical property is nearly impossible, protecting digital data is a bit more conceivable.

This year, cyberthreats took full advantage of the vulnerabilities within consumer and enterprise networks. Though breaches have recently dominated headlines, 2017 was a year of cyberthreat revolution. New tactics and autonomous deployment measures were taken which made quarantining a threat that much harder.

However, some cyberthreats only highlighted the work human error plays in a damaging attack. May's WannaCry impacted nearly 200,000 users across 150 countries. It propagated through a vulnerability in devices still running Windows 7 despite advisory warnings to update to Windows 10 months prior to the attack.

Patching is a redundancy measure often resisted for the fear that some operating systems are just too old to be patched. But research typically dispels such assumptions, said Ryan Kazanciyan, chief security architect for Tanium and a technical consultant for "Mr. Robot," in an interview with CIO Dive. The systems that were impacted by WannaCry were widely running versions of Windows that could have been patched or otherwise hardened to prevent its mass expansion.

If companies cannot patch a vulnerability, they need to "at least put in compensating controls for them if they can't patch quickly enough. To do this, they need to get a handle on their assets, both managed and unmanaged," Avivah Litan, VP distinguished analyst at Gartner, told CIO Dive in an email.

Patching is oftentimes referred to as a fundamental of cybersecurity, yet IT departments are more inclined to invest in "chasing security threats" rather than reexamining what is already available and fixable.

It is not uncommon for security teams to view a coverage of only 60% as enough to protect their network, said Kazanciyan. However, that unprotected 40% margin can be "catastrophic" for a self-spreading cyberthreat.

The case for Nyetya

Nyetya emerged as a variant of the Petya ransomware attack and spread not by means of the internet but through a commonly used Ukrainian accounting software called M.E.Doc.

An update through the software invited the malware onto the computers of M.E.Doc users. The uniqueness of the Nyetya attack was not only that the code disguised itself as a wiper, but that hackers were able to initiate the attack by first compromising a software company's product, according to Kazanciyan.

Nyetya used an automated technique that stole password credentials and then manipulated those passwords to continue gaining system access. In other words, Nyetya took a decade long technique traditionally performed manually by by hackers and made it automatic.

But weak passwords are one of the largest threats to network security, Chris Duvall, director at the Chertoff Group, told CIO Dive. Encryption, multi-factor authentication, fingerprinting and SMS code are all potential remedies for creating a stronger barrier between hackers and password manipulation.

Once again, reexamining the basics of cybersecurity is the key to acknowledging a threat and hardening a system enough to withstand its impact.

"It's a layered approach, combining prevention, detection, and deception with advanced analytics and orchestration, so that alerts are correlated and security events are prioritized in terms of which need critical attention," said Litan.

Part of this layered approach is reexamining the tools used in a network as a new hacker tactic is exploiting the trustworthiness of popular software. The hackers behind the CCleaner threat in September used a popular maintenance tool to obtain data from the 2.27 million users it hit.

The malware spread through a download available to consumers for almost a month prior to its discovery. It was later discovered that the attack was primarily targeting major tech companies including Microsoft, Sony, VMWare and Samsung for their intellectual property. Understanding risk is in part understanding who is most attracted to sensitive data, according to Duvall.

Who can you trust?

While the damage of the CCleaner threat is yet to be disclosed, attacks exploiting the supply chain are increasing. Such is the case with the current Kaspersky Lab software accusations and its related espionage. While this also only has speculated damage, Kazanciyan admits it may still be possible.

Exploiting vendor trust is becoming a new challenge for IT departments as they are now forced to ask "what software do we trust?" Once that question is answered, the follow-up question arises: "where is it in our system?"

It's commonplace for hackers to take advantage of the human side of tech, which is true for phishing threats.

Phishing schemes are also dependent on exploiting the end-users' trust. "So many phishing attacks are reliant on exploits and they are reliant on simple deception. But deception can still be prevented with technical safeguards," Kazanciyan said.

Some companies are looking to mitigate risks produced by human error by implementing AI and ML capabilities, but before adding new technologies to a system, the fundamentals need to be reassured as not to allow even "unauthorized machine-to-machine communication," said Duvall.

No matter the safeguard protocols used, if a company cannot withstand the impact of a phishing scam, it is "a failure of engineering," according to Kazanciyan. One employee's poor decision made under the false pretenses of disclosing information or clicking a malicious link is often inevitable but it should not be the reason an entire digital infrastructure is dismantled.