A range of pressing cybersecurity issues was discussed by members of the RSA Conference advisory board during a virtual session this week.
The panelists began by highlighting the elevated profile of cybersecurity during the COVID-19 pandemic, which is increasingly coming to the attention of business leaders. Caroline Wong, chief strategy officer at Cobalt, noted that “when I began my career, I really had trouble explaining to folks what it was that I did.” Now though, “everyone understands data breaches and that they happen.”
Despite the industry’s enhanced status, Wong believes there has been very little change in the main security risks facing organizations. For example, she pointed out that the OWASP Top Ten Web Application Security Risks listed in 2003 and 2021 “are frighteningly similar,” despite an enhanced understanding of how to find and fix vulnerabilities. As a result, she said the cybersecurity industry needs to focus on getting back to basics and getting the fundamentals right.
Dmitri Alperovitch, executive chairman of Silverado Policy Accelerator, has observed security teams and CISOs gaining more exposure to boards and c-suites during COVID-19. Organizations that enable CISOs to have such exposure have the best security because it “sometimes involves saying no to the business” when boardroom ideas are too risky. “They need to be there when critical decisions are made about product strategy, business strategy and market strategy,” he commented.
Dawn Cappelli, vice president, global security, and CISO at Rockwell Automation, said that increased executive involvement in cybersecurity has led to the development of cloud environments with built-in security, which is very positive. However, organizations mustn’t lose sight of the fact that there are still many on-premises legacy applications that are business-critical. “I find that the asset management and vulnerability management can slip because you’re so enamored with the new stuff,” she said.
Ransomware
Attention then turned to trends in ransomware attacks, with Alperovitch observing an interesting change in approach by cyber-criminals. “We’ve not seen any attacks like Colonial Pipeline, Kaseya or JBS in recent months,” he noted. “But we’ve seen numerous attacks on smaller organizations, hospitals, school districts and many companies in critical infrastructure.”
He highlighted the recent arrest of members of the notorious REvil ransomware group by Russian authorities as a positive development. If Russia does continue to crack down on these groups operating in its country, there will be significantly fewer attacks.
Nevertheless, Cappelli said it is important to recognize that ransomware attacks are still “happening all the time,” with many not reaching public knowledge. “It’s just too easy; why would ransomware attacks stop when it’s easy and low risk?” she asked.
She also expressed surprise that so far, there has not been a repeat of the Kaseya incident last year, in which a supply chain breach was used to spread ransomware to hundreds of organizations.
Wong discussed the growth of ransomware-as-a-service (RaaS), which she believes is making this vector more specialized. For example, “the folks who are making the malware are distinct from the folks who are using the malware.” Ultimately, this trend “can make it even more difficult for potential victims” to repel attacks.
Log4j Vulnerability
First and foremost, organizations must understand that the Log4j vulnerability, first exploited in December 2021, is not over, according to Alperovitch. In fact, it’s “going to be the gift that keeps on giving for many years.” While there is no universal way to exploit the vulnerability, there will continue to be “downstream effects” that impact organizations further down the line.
While organizations reacted quickly to initially deal with the vulnerability, “many enterprises are not ready for the continuous battle with this vulnerability,” he added.
Cappelli pointed out that her company, Rockwell Automation, quickly sent out disclosures to customers regarding the vulnerability. This was due to having in-built processes pushing out security practices across its supply chain, meaning it was well prepared to deal with the issue. This included requiring third parties to have a software development life cycle (SDLC) and following the executive order on cybersecurity regarding supply chain requirements issued by President Biden last May.
Wong concurred, noting that Log4j was not a big deal for some organizations, but for others, it was a “nightmare.” This showed the difference between organizations with security fundamentals already in place, such as efficient asset inventory and tested backups, and those that did not, who had to subsequently rush to mitigate the problem. “It’s a fascinating study in risk management,” she said.
Supply Chain Security
The panelists then pondered the issue of supply chains further and highlighted their continued expansion, which is creating more opportunities for threat actors to strike. For example, Cappelli said that at Rockwell Automation, supply chain risk management initially focused on software companies before extending to software suppliers and manufacturers. Therefore, organizations must remain flexible and continuously adapt their supply chain security strategy. “Every year we have to expand the supply chain again, we need to add a new part of that ecosystem,” she commented.
While the supply chain is becoming an increasingly major security issue, Wong believes it is solvable. “We’ve just not figured it out yet for software.” This may require the creation of more regulation in this area. This has to answer the practical questions: “How do we prove to our customers that we’re managing risk sufficiently and we’re sufficiently secure, and how do we evaluate our suppliers?”