While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
Hackers now have a pretty wide attack surface available to them, with the ever-growing Internet of Things and wearables such as smartwatches coming on the market every day. And while we know that hackers are busy identifying all of the attack vectors those new technologies open up, it doesn’t mean they’re spending any less time on their old tried-and-true methods.
Cybersecurity experts say federal agencies should focus more attention than ever on old hacks, which are still widely used for one simple reason: They work.
“There actually isn’t really anything in particular that’s novel,” says Monzy Merza, director of cyber research and chief security evangelist for Splunk. “There are sophisticated attackers, and they’re doing interesting things, but that’s very, very rare.”
Case in point: the decade-old tactic of ransomware, which encrypts PC and server data. Virtually impossible to break because it uses the same high levels of encryption as the best enterprise-grade security tools, the tactic’s effectiveness is lucrative for those willing to take advantage of it.
“Hackers are selling encryption keys in bulk,” says Cisco’s Gavin Reid, director of business development in cybersecurity for the U.S. public sector. “They give you a discount. They’re targeting entire organizations.”
For years, email represented the primary means to spread ransomware. More recently, hackers have supplemented the method with malvertising, or website ads whose provocative copy lures people into clicking on them, triggering ransomware downloads.
Malvertising represents a particularly effective strategy for hackers, in part because it’s new and therefore unfamiliar to its victims, but primarily thanks to its distribution network — mainstream news websites.
“People who visit illicit sites sort of expect that there might be some bad stuff out there,” says Rob Roy, Hewlett Packard Enterprise public sector CTO for security. “But when they go to a legitimate news site or a search site, they expect a clean experience, and they can’t always get that these days.”
To combat the threat, employee education will go far to minimize malvertising ransomware’s reach and effectiveness. Agencies should also consider performing more frequent backups.
“If you’ve got a backup, you can recover pretty easily from ransomware,” Roy advises.
Malvertising is only the latest example of how hackers adjust their tactics and targets to find new opportunities as old ones dry up.
“When IT groups improved data center protection, hackers switched to going directly to the end users through social engineering, fooling them into running malicious software,” Reid says. “The ability to compromise PCs in those ways is pretty much saturated, so hackers are turning back to server-based applications and can compromise even more endpoints, or even infiltrate entire organizations.”
IoT technologies, indeed, represent new opportunities to improve government efficiencies and service delivery. But they also are an emerging opportunity for hackers looking to launch mass attacks, in any direction.
For example, when the ultimate target is server data, a hacker could use a compromised IoT-connected device as a back door entry point for an agency’s network. Or an attack could originate instead from an agency’s compromised server, then spread out to thousands or millions of IoT-connected devices. One scenario: remotely causing an agency’s entire fleet of vehicles to slam on its brakes or hit the gas — attacks that hackers have already demonstrated on a small scale.
Thwarting IoT-related hacks won’t be cheap or easy, mostly due to what enables mass attacks in the first place: scale. IoT-connected devices by design need to be inexpensive in order for agencies to deploy them as widely as they should (such as within every vehicle in an agency’s fleet). Lower costs mean limited processing power and memory, which in turn provide limited ability to support traditional cybersecurity tools such as encryption and anti-malware.
When developing an IoT-related security strategy, agencies should understand and prepare for the reality that the security tools and methods traditionally used for notebooks, smartphones and tablets very well may not apply to IoT devices. And going with inexpensive IoT devices might not prove to be cost-effective in the long run if their limited security capabilities result in expensive — not to mention embarrassing — breaches. Instead, it might make more sense to pay a premium for IoT-connected devices that can also support end-to-end encryption and sophisticated anti-malware tools and software.
Adding nodes to the network’s edge, where they can scrutinize IoT traffic as it comes and goes, represents a potential alternative. Those nodes may also serve to tackle a second challenge: the deluge of data IoT devices are capable of unleashing. Edge nodes serve to make all of that data manageable by using policies and analytics to determine what’s worth passing on to an organization’s core users and devices.
Security might be treated similarly, with those same edge nodes able to decide when to alert humans or when to respond on their own to combat threats, such as by blocking access to a particular device. That approach also helps when facing a shortage of cybersecurity personnel, and it can help to avoid the fatigue that comes with responding to alert after alert, day after day or even hour after hour. Many organizations and agencies already take that approach for non-IoT tasks.
“They might not even have a human in the loop to handle those kinds of things, whether blocking something in the firewall or reducing someone’s access on the fly,” Merza says. “That level of involvement is reserved for a very small number of things.