The IT Nerd

The UK’s National Cyber Security Centre has joined US calls to be wary of Russian state interference in critical infrastructure IT systems including telecoms networks, energy and utility suppliers, transport operations and logistics and distribution specialists. This comes shortly after a joint advisory published by CISA and the FBI urged CNI operators to “adopt a heightened state of awareness and to conduct proactive threat hunting”. 

I have a total of three comments on this. The first is from Sam Jones, VP of Product Management, Stellar Cyber: 

“The current security state of complex infrastructure systems is unfortunately one of massive opportunity for attackers. The attack surface of these systems is so large, and oftentimes very outdated, that it is incredibly difficult to defend everything. This is why mentally assuming a breach is so important and focusing on defending only what matters most is the only realistic approach to staying secure.”

The next comment is from Bryson Bort, Founder & CEO, SCYTHE:

We don’t have a cyber problem. In this case, we have a Russia problem, and the worldwide, private industry continues to suffer because of it. As with all persistent adversaries, they will get in. Companies should assume they are a target. As part of that, they should use an assumed breach mindset, that they’ve already been compromised. After mitigating the specific vulnerabilities mentioned by these agencies, they should focus their limited time and resources to get the highest return on investment for their security programs which is why yesterday was the best time to implement MFA.

The final comment is from Sanjay Raja, VP of Product Marketing and Solutions, Gurucul:

“The NCSC and CISA are absolutely missing the mark. Preventive measures are certainly an important layer of defense, but antivirus is fairly useless against most advanced attacks. Vulnerabilities are no longer the primary entry point (aka initial compromise) for most attacks. While a vulnerability is often exploited as a step in an overall attack campaign, the primary mechanism being more actively used by many adversarial nation states is a combination of phishing and social engineering. This means that initial compromise is dependent on human behaviors and impossible to prevent 100% of the time. All it takes is one successful compromise to circumvent most preventive controls and certainly antivirus, especially as variations in attack strategies are implemented to circumvent signatures, pattern matching and rule-based machine-learning detection analytics. What is required is a stronger detection program that also monitors for and identifies risky access controls, entitlements and user behaviors and associated abnormal or deviant activity. This includes potential threats from the inside, not just outside threats. More advanced and adaptable technologies that use machine learning and artificial intelligence to compensate for threat actor activity and human behavior have proven to be more effective at stopping successful attacks. “

Russia being a bad actor has to be a top of mind issue for companies regardless of industry. The warnings are out there. It’s time to act on those warnings and take the right measures to ensure that bad actors of any sort can do their evil.

UPDATE: Ayal Yogev, CEO and Cofounder, Anjuna Security provided me with this comment:

“Great advice. But most organizations have literally millions of vulnerabilities that originate from open computing and networking. Patching them individually is as useful as swatting a swarm of mosquitos. Organizations must focus on mitigations that have the broadest effect on overall risk. Moving to zero-trust infrastructure, such as confidential cloud computing can be relatively simple mitigation that, in most organizations will put them in a fundamentally stronger security posture against these threats.”