Nation-state concerns can distract CSOs from enforcing basic security protections

Breathless reporting of overseas hacks can obscure the real danger from procedural security deficiencies

Media reports of high-profile nation-state hacks have many executives looking worriedly outward in anticipation of the next attack, but one security expert warns that many security practitioners are so focused outwards that they are forgetting to implement even basic protections that pose a more immediate threat.

Many companies “are not even getting the basic blocking and tackling of cyber hygiene right,” warned Tenable country manager Bede Hackney, who took over the local reins at the fast-growing security firm several months ago and has seen some consistent themes emerge during his dealings with customers so far.

Areas such as vulnerability management were often being run on best-guess efforts that proved inadequate. One company, he said, believed it had inventoried its exposure to the Microsoft EternalBlue vulnerability that enabled WannaCry and its path of destruction – but when a vulnerability-scanning tool was run it identified 1000 servers that weren’t even on the organisation’s patching list.

“In the Australian enterprise and mid markets, the majority of organisations don’t even have a complete view of their assets, let alone having a complete view of the vulnerabilities in their asset pools,” Hackney told CSO Australia.

Vulnerability management is a core element of the protections espoused by the Australian Signals Directorate’s Top 4 and Essential Eight protections, yet ongoing studies suggest that many companies continue to fall behind when it comes to comprehensive vulnerability management.

The issue is compounded when organisations regularly start and shut down virtual machines: a short-lived VM can expose vulnerabilities that are open to compromise while it runs, yet be shut down within minutes or hours – long before the next scheduled vulnerability scan runs – so the scanner never sees it.
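The two gaps described above (hosts the scanner finds but the patching list omits, and short-lived VMs that exist only between scheduled scans) as an added Python example that is not from the article or from Tenable; the hostnames, scan times and VM lifetimes are constructed sample data:

```python
"""Added example (not from the article or from Tenable): reconcile a
patching list against vulnerability-scan results, and detect virtual
machines whose lifetime fell entirely between scheduled scans.
All hostnames, times and lifetimes below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample: hosts the organisation believes it patches.
PATCH_LIST = {"web-01", "web-02", "db-01", "app-01"}

# Constructed sample: hosts a vulnerability scan actually found exposed.
SCAN_FINDINGS = {"web-01", "web-02", "db-01", "legacy-fs-07", "build-agent-3"}

# Constructed sample: scans run daily at 02:00 over three days.
SCAN_TIMES = [datetime(2017, 6, 13, 2) + timedelta(days=i) for i in range(3)]

# Constructed sample: (name, started, stopped) for ephemeral VMs.
VM_LIFETIMES = [
    ("ci-runner-a", datetime(2017, 6, 13, 9, 0), datetime(2017, 6, 13, 9, 45)),
    ("ci-runner-b", datetime(2017, 6, 13, 1, 30), datetime(2017, 6, 13, 2, 30)),
    ("batch-etl", datetime(2017, 6, 14, 22, 0), datetime(2017, 6, 15, 4, 0)),
]


def unmanaged_hosts(patch_list, scan_findings):
    """Hosts the scanner found that are absent from the patching list:
    the gap between believed and actual exposure."""
    return sorted(scan_findings - patch_list)


def never_scanned(vm_lifetimes, scan_times):
    """VMs whose entire lifetime fell between scheduled scans, so no scan
    ever observed them even though they were exposed while running."""
    missed = []
    for name, started, stopped in vm_lifetimes:
        if not any(started <= t < stopped for t in scan_times):
            missed.append(name)
    return missed


def max_blind_window(vm_lifetimes, scan_times):
    """Longest exposure (hours) of any never-scanned VM, for reporting."""
    missed = set(never_scanned(vm_lifetimes, scan_times))
    hours = [(stop - start).total_seconds() / 3600
             for name, start, stop in vm_lifetimes if name in missed]
    return max(hours, default=0.0)


if __name__ == "__main__":
    print("On scan, not on patch list:", unmanaged_hosts(PATCH_LIST, SCAN_FINDINGS))
    print("VMs never observed by a scan:", never_scanned(VM_LIFETIMES, SCAN_TIMES))
    print("Longest unscanned exposure (h):", max_blind_window(VM_LIFETIMES, SCAN_TIMES))
```

The same check can be fed from a CMDB export and scan logs; hosts in the first list, and any VM in the second, are exposure the scan schedule alone will never report.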

Conflating this type of exposure with the perceived threat of malicious state-backed outsiders, Hackney warned, can keep information-security practitioners chasing shadows while other malware walks in the front door.

“If we have an incomplete view of our cyber exposure,” he asked, “why are we as an industry focused on advanced persistent threats, and on looking for attacks from China and Russia? Bad actors will take the path of least resistance.”

Estimates of the prevalence of sophisticated nation-state attacks have varied widely, with a 2013 CyberArk survey finding that most executives believed nation-state attacks were a greater threat to their countries than physical attacks. And the Verizon Data Breach Investigations Report 2017 reported that 18 percent of analysed data breaches were conducted by state-affiliated actors.

Increasing reports of the targeting of strategic businesses by nation-state actors – particularly in the wake of the leak of National Security Agency tactics designed for nation-state infiltration – make it a strategic consideration, warned US Army veteran and security-risk analyst Reid Sawyer.

“When you think about it, there is no other monetisation that’s occurring from these attacks,” he recently told CSO Australia. “Nation-state actors are not only pursuing cyber as an asymmetric weapon, but also for the economic disruption of other states’ economic capacity. Corporations need to understand that they’re literally on the front lines of this risk – and that they should expect that activity will increase.”

Yet even as vendors have rushed to patch vulnerabilities in the wake of reports of nation-state activity – Microsoft, for example, executed a particularly extensive Patch Tuesday in June for this purpose – others are stepping up their call for companies to keep some perspective on their biggest exposure.

“At the end of the day, cybersecurity really does tie back to some basic things that all organisations should be focused on,” ISACA CEO Matt Loeb recently told CSO Australia. “This includes good governance of their information and technology. Information security, as a function, has existed long before the technology.”

“And while we do have mindshare around cybersecurity, a lot of that is based around the risk and the fact that organisations are using legacy equipment and software that wasn’t designed with resilience in mind. We really have to pay attention to this, because the nefarious actors in the space are really well resourced.”