Cyber-attack headlines in the last couple of months read like a summer blockbuster novel filled with espionage, international hackers and advanced weapons systems. In fact, cyber-attacks against financial organizations, government sites and critical infrastructure have escalated in the past six months.
In March and April alone, financial institutions like Wells Fargo, American Express, Bank of America and JP Morgan Chase were hit by cyber-attacks, costing these organizations millions of dollars. Another attack in March brought down South Korea’s banks and television networks.
These attacks have extended toward government agencies. According to a Pentagon report on Chinese espionage prepared by the Defense Science Board, Chinese attackers accessed designs for major weapons systems. Many of these weapons form the backbone of the Pentagon’s missile defense for Asia, Europe and the Persian Gulf. This level of compromise creates an operational edge in a conflict (severing communication links, crashing planes and satellites) and savings in development and time-to-market costs that benefit China’s emerging defense industry.
Last month, Homeland Security officials issued a warning from an agency called ICS-CERT to warn U.S. companies about attacks on critical infrastructure. The warning urged chemical and energy companies to take steps to protect their systems. Of course, this is not the first time cyber-attacks have occurred on business and control systems. Viruses were used in the Saudi Aramco (Saudi Arabia’s national oil company) and Qatar’s RasGas attacks last year. The RasGas computer network and website were down for days, while data was wiped clean from about 30,000 computers in the Saudi Aramco network. Both the Saudi Aramco and RasGas attacks were suspected to be the work of Iran’s new “cybercorps,” which formed after Stuxnet affected their nuclear facilities.
Cybersecurity is Now Our Responsibility
These cyber-attacks not only pose severe consequences for governments but also impact a number of private organizations that own electric utility grids and cellular networks. This means that cybersecurity now spans government agencies and private organizations. Worse, the trend for many of these attacks appears to be moving in the direction of destruction versus economic espionage.
There are new regulations under development meant to address cyber-attacks. For example, the chairman of the Joint Chiefs is on the brink of making changes to the U.S. military’s standing rules of engagement, which dictate when, how and with what tools America will respond to an attack. Under the new set of cyber rules, military commanders can counter direct cyberattacks without needing White House or National Security Council (NSC) approval.
In the face of increased cyber-espionage, we have a responsibility to implement a robust cybersecurity strategy that protects all critical systems, meets regulatory compliance and ensures national security. But, what are the fundamental considerations for developing such a strategy?
Building Blocks For A Robust Cybersecurity Strategy
The fundamentals are still reliant on the Forrester Research Zero Trust principles — trust no one, inspect and log all traffic, and ensure secure access to all-important assets in the data center.
Compartmentalization or network segmentation is a key component of Zero Trust and is important to limit the exposure of an attack. In the case of the targeted attack on Saudi Aramco, even though the Shamoon virus was believed to have deleted data from more than 30,000 computers, the oil production system was not impacted because it was in a different network segment.
One of the unique considerations for cyber-attacks is identifying the avenues of attack. While internal employees tend to be the weakest link when it comes to targeted attacks, cyber-attackers are also now looking at the extended ecosystem of partners, contractors and supply chains for alternative avenues of attack. Additional effort needs to be made to secure, control and safely enable application access for these extended users.
Inspection and logging of all traffic also needs to extend to targeted, modern malware. The term advanced persistent threat is an oversimplification of a more comprehensive, multi-stage, multi-vector attack strategy that is now being used by attackers. Yet again, the industry is moving toward piecemeal technologies that attempt to tackle this one attack component via virtual sandbox analysis. But, the reality is that a robust cybersecurity strategy requires a comprehensive approach to malware similar to an attacker’s lifecycle approach of infecting a network. This means identifying all traffic and how malware tends to hide (encryption, tunnels, evasive tactics), controlling risky applications and users, and managing the unknowns in addition to the virtual sandbox analysis. And of course, the last important piece is a robust monitoring, reporting and logging system that can provide visibility into the network, and enable proactive actions if something suspicious is found.
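To make the "identify all traffic and how malware tends to hide" point concrete, here is an added example that is not part of the original post: a small Python checker that runs over constructed flow records (modelled on the output of an inspection engine that identifies the application from the payload rather than the port) and flags encryption where it is not expected, unidentified protocols, and DNS labels that look like a tunnel. The field names, thresholds and sample records are all assumptions made for the illustration.

```python
import math
from collections import Counter

# Constructed flow records standing in for firewall/app-identification logs (not real data).
# "app" is the protocol the inspection engine identified from the payload, not from the port.
SAMPLE_FLOWS = [
    {"src": "10.1.5.20", "dst": "198.51.100.7", "dport": 443, "app": "ssl"},
    {"src": "10.1.5.21", "dst": "198.51.100.9", "dport": 443, "app": "unknown-tcp"},
    {"src": "10.1.5.22", "dst": "203.0.113.4", "dport": 8080, "app": "ssl"},
    {"src": "10.1.5.23", "dst": "10.1.0.53", "dport": 53, "app": "dns", "qname": "www.example.com"},
    {"src": "10.1.5.23", "dst": "10.1.0.53", "dport": 53, "app": "dns",
     "qname": "mzxw6ytboi4gu3dbnbxxk3dfojzhe3dbmzxwy3dpnu5tqmrrgezdgnbvgy3tqojy.x.example.net"},
]

TLS_PORTS = {443, 8443}
LABEL_LEN_LIMIT = 40      # hypothetical threshold for a single DNS label
ENTROPY_LIMIT = 3.5       # hypothetical threshold (bits per character) for encoded-looking labels

def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score far higher than ordinary words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def inspect_flow(flow):
    """Return the names of the rules a single flow trips; an empty list means nothing suspicious."""
    hits = []
    if flow["dport"] in TLS_PORTS and flow["app"] != "ssl":
        hits.append("non-tls-on-tls-port")          # something on 443 that never did a TLS handshake
    if flow["app"] == "ssl" and flow["dport"] not in TLS_PORTS:
        hits.append("tls-on-nonstandard-port")      # encryption used where it is not expected
    if flow["app"] == "unknown-tcp":
        hits.append("unidentified-protocol")        # the "unknowns" the strategy says to manage
    if flow["app"] == "dns":
        first_label = flow["qname"].split(".")[0]
        if len(first_label) > LABEL_LEN_LIMIT or shannon_entropy(first_label) > ENTROPY_LIMIT:
            hits.append("possible-dns-tunnel")      # long or random-looking labels can carry data out
    return hits

def inspect_all(flows):
    """Pair every flow with its findings so the result can be logged and reviewed."""
    return [(f["src"], f["dst"], f["dport"], inspect_flow(f)) for f in flows]

if __name__ == "__main__":
    for src, dst, dport, hits in inspect_all(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} {', '.join(hits) if hits else 'ok'}")
```

Each finding is a prompt for inspection and logging, not a verdict; the value of the approach is that every flow, including the ones that match no rule, ends up in the record.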
In summary, the building blocks for a robust cybersecurity strategy are not uniquely different from security requirements for a traditional enterprise. However, in most cases, the attackers are more sinister and, more importantly, where there is an attack, the stakes and impact are much higher for all of us.