Cybersecurity is a flashy topic. Headlines about the potential for massive nation-state attacks that flip the switch on our electrical grid are commonplace. Lawmakers use congressional hearings to grill government officials about whether our most tightly-held secrets are safe from digital deviants. Defense wonks publish white paper after white paper about the capabilities of offensive cyber weapons.
As the line between the digital world and the real world continues to blur, it’s no wonder that companies, individuals and organizations of all kinds feel increasingly vulnerable to a sophisticated attack that they don’t see coming – a cyber “Pearl Harbor,” as the headlines call it.
But as much as we in the cybersecurity world like to fear what we can’t see, the reality is that the vast majority of damage from cyberattacks is incurred via the same old methods that exploit new, more innovative access points – and billions of them. Luckily, that means organizations can get in the fight before they take a punch.
Before we do, let’s take a look to see what’s out there…
Unfortunately, most cyberattacks succeed due to human negligence, not technical deficiency. According to HP’s 2015 Cyber Risk Report, seven in ten successful cyberattacks targeted vulnerabilities, or bugs, that were first discovered more than two years before the attack itself occurred. Disturbingly, a whopping 33 percent of all the attacks (or exploits) examined in the study used an infection vector first detected in the 2010 Stuxnet attack on Iran’s nuclear enrichment facilities, one that organizations still had not addressed more than four years later.
These stats may come as no surprise to those who remember hearing about the lingering fallout from high-profile zero-day vulnerabilities like Heartbleed, Shellshock and POODLE months and even years after the vulnerabilities were disclosed. Simply put, organizations need to get a lot better about applying readily available software patches.
When you combine the failure to remediate known vulnerabilities with an exponential increase in the number of devices, that’s when you have a real problem. Indeed, the increase in the sheer number of targets, driven by the growth of the Internet of Things, is what’s truly accelerated the amount of cyber risk in recent years. In fact, Gartner, Inc. forecasted last year that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and that number will rise to 20.8 billion by 2020. In what seems like a perfect storm, each of these elements is compounded by the reliance on legacy systems, which are themselves more difficult to maintain and more vulnerable to threats.
Such a large number of juicy and often vulnerable targets has prompted the continued use of spear phishing attacks and malware – highly targeted and persistent, but not overly sophisticated, types of attacks. The Verizon Data Breach Reports from the last three years show that these remain the most frequently employed methods by a wide margin. Making matters worse, when complemented by social engineering tactics, these attacks appear to be particularly effective. Just this week, a Snapchat employee was fooled by a phishing email designed to look like it came from the Snapchat CEO asking for information on other employees’ pay and personal data. Unfortunately, the employee complied.
What does this all mean for organizations seeking to prevent the fallout from an attack – financial, reputation and otherwise?
On the surface, stubborn vulnerabilities, a growing number of targets and the persistent use of tried and true attack vectors all coalesce to form what appears to be a very daunting challenge for any organization.
Believe it or not, however, the risk presented by each of these examined weaknesses can be significantly mitigated by proper strategy and planning.
Though the task may at times seem intimidating, protecting people, data and reputations can be made significantly easier with a mindset that focuses on safeguarding what you can control, not what you can’t.
For more on what you can do to prepare your organization in the face of mounting cybersecurity risks, you can check out my colleague Corey Ealons’ session at SXSW called “You’ve Been Hacked, Now What” on Saturday, March 12, at 5 PM CST.