Virtualization Technology News and Information
6 Lessons in IT Security So Far in 2017


Article Written by Matt Dircks, CEO of security provider Bomgar

In response to the numerous serious malware attacks and security breaches that have plagued 2017 so far, organizations must take the time to reevaluate the security landscape for the remainder of the year. Hackers at the Defcon conference this year were able to compromise voting machines in the "Voter Hacking Village" in about 90 minutes. A Windows XP exploit from 2003, one the machine was never patched for, was just one of the attack pathways used. "Attacks" such as this are part of a mix of prevailing threats that includes malicious insiders, insecure third parties, and hacking groups growing in sophistication and diversifying in motives. While organizations decipher what they can learn from cyberattacks and other IT developments, we also must determine what breaches tell us to anticipate as we enter the latter half of the year and beyond.

Let's review six lessons from 2017's tumultuous security environment:

1.     Privileged access hacks will continue: Data breaches as a result of compromised privileged access are widespread. It's all about privilege: attackers need high-level access, which they get by targeting privileged users like IT professionals, CEOs and vendors via phishing or malware to achieve their financial goals or other motivations. These users are targeted by the threat actor because they are likely to have access to other privileged credentials that the attacker can leverage to increase dwell time and compromise the targeted organization. We have seen this all too often in 2017, as in the leak of content from Netflix's Orange is the New Black as a result of a vendor attack. The most recent HBO breach further emphasizes the importance of network security and serves as a clear reminder that cyberattacks aren't just limited to financial, health or personal information. Businesses need to get serious about security around their most privileged users: identifying them, monitoring their access, and closing off access to what they don't need.

2.     Vendors, service providers, and other third parties continue to be initial points of compromise for breaches: Organizations in public and private sectors alike are increasingly working with vendors who either have access to or store sensitive data. This significantly increases the risk of that information being leaked or a breach occurring due to a contractor being compromised, as was the case with the historic OPM breach. As 2017 progresses, we'll continue to see organizations victimized in this way because they unsafely assume their contractors uphold the same security standards as they do. To mitigate this risk, organizations must set security policies for all external groups and enforce adherence to them as a prerequisite for doing business.

3.     The most at-risk industry for a cyber-attack in 2017 is manufacturing: The technology to run critical infrastructure systems like power, water, and oil refinement wasn't designed with information security in mind. Increasingly, we see that many of the players engaged in cyber warfare understand and seek to exploit this. In fact, 2017 turned out to be the year where we saw the first ever malware framework designed and deployed to attack electric grids, cleverly named CRASHOVERRIDE or Industroyer depending on the source of the analysis. The good news is that there is a push to rapidly modernize and harden these systems with adoption of industry standards such as the NIST Cybersecurity Framework and NERC CIP, developed to help reduce risks to critical infrastructure. The bad news is that securing vulnerable systems takes investment and commitment. While standards and increased awareness in closing security holes are an improvement, most critical infrastructure has significant exposure that leaves it vulnerable to an attack.

4.     The security blame game will heat up: The IoT and integrated relationships with security solution providers mean companies are not able to easily account for ownership or origin once a breach happens. Who is responsible for securing, maintaining and patching the various technologies? Worse yet, has a product been connected that can't even be patched? A number of IoT devices are often overlooked, because they fall outside of IT's traditional purview. Companies might even be unaware the security responsibility lies with them, leading to a scenario in which a connected device ends up on a vulnerability database and is quickly exploited. In other instances, security updates might be maintained by a vendor or another third party who has access to the company's system. A company is only as secure as its least secure device or relationship. When a breach occurs, even with layers of security, the question of who "owns" responsibility for it and who had power to do something about it will create intense reactions and finger-pointing.

5.     Healthcare will continue to lose to cyberattacks. Healthcare data breach costs are the highest among surveyed sectors for the seventh straight year, according to the IBM and Ponemon 2017 Cost of a Data Breach Study: Global Overview. As seen with the WannaCry attack and its paralyzing impact on major hospitals in the UK, healthcare will suffer another major security breach this year as the industry is particularly susceptible to ransomware attacks. Losing access to patient records can cripple the ability to provide services to patients, putting the health of consumers at risk. Attackers know this risk and aren't hesitating to target organizations with inadequate security controls in place. 

6.     Security overshadows M&A as companies begin investigating security hygiene in their own industry: We'll not only see more enterprises get serious about security around their most privileged users, but those of their acquisitions and takeovers as well. According to a survey by stock market operator NYSE, about 85 percent of executives said uncovering major vulnerabilities during the audit of an acquisition target's software assets would "likely" or "very likely" affect their final decision to move forward with the deal. Companies and investment funds will begin investigating the security hygiene within their own industry and evaluate not only the deal itself, but the entire security infrastructure of the acquisition. This may cause major deals to fall through in 2017 and beyond, and cause companies across the board to invest more seriously in modernizing their security. Companies are paying attention to the security issues they may be inheriting when striking a contract with another organization, and we will see this heightened awareness continue throughout the year.

Although IT security is moving at a dizzying pace, organizations can take incidents thus far and use them to adapt their security strategies, improving security from within and tightening how they interact with vendors and other partners. Leading organizations are mindful that every interaction can pose a security threat, and are learning how IT security decisions today will affect them tomorrow. At this time next year, we don't want to discover that we weren't thoughtful enough.


About the Author


Matt Dircks is chief executive officer of Bomgar, a leading provider of secure access solutions including remote support and privileged access management.

Published Monday, August 07, 2017 7:31 AM by David Marshall