

Pushing Back Against The Rising Tide Of Cybercrime

By News Creatives Authors, in Small Business, at July 19, 2021

James Legg, President, ThycoticCentrify.

No one is feeling wistful about it, but there was a time when extortion, blackmail and kidnapping for ransom were crimes committed against individuals, generally resulting from face-to-face encounters. Today, many of these same crimes are committed virtually, online and often against organizations instead of individuals. As a result, the volume of cybercrime has grown to industrial scale, alarming both public and private companies.

Ransomware attacks, which begin with unauthorized network access, have been surging in frequency, their victims have grown larger, and the payoffs to perpetrators have risen to hundreds of millions of dollars. This past year, the New York Times reported that there were approximately 2,400 ransomware attacks in the U.S., and many of them were ultimately resolved by the victim paying the ransom, often in cryptocurrency that is difficult to trace, to recover their files.

Until recently, however, most of the known hacks, attacks and data hostage-taking targeted smaller, poorly defended organizations including libraries, hospitals, schools and local governments. Now, the attacks have expanded to include targets like giant fuel delivery networks and the Massachusetts Steamship Authority. 

As bad as they are, most of the known attacks so far have mainly focused on data theft and intelligence gathering, not on the destruction of physical infrastructure or military assets. The astonishing compromise of SolarWinds' software update mechanism, a supply-chain attack that delivered malicious code to customers through trusted updates, is largely understood as an example of spycraft rather than obliteration.

That could change quickly, as the capabilities are already available. For example, a 2014 North Korean attack on Sony Pictures destroyed the company’s computer infrastructure. A 2015 Russian cyberattack on Ukraine’s power grid shut down 230,000 customers’ electric service for up to six hours. They were ominous signs of what a full-scale cyberattack could do to an adversary.

Understandably, the U.S. federal government has demonstrated a heightened level of concern. It has undertaken a series of initiatives in response, most recently on June 3. A bluntly worded letter from the Biden Administration urged the U.S. business community to implement security measures against ransomware attacks and to adopt many of the same defensive steps that it recently required of federal agencies and their contractors.

It followed an escalating series of related federal steps. On April 13, the U.S. Justice Department announced a court-authorized operation to remove web shells, the backdoors that attackers had planted on hundreds of vulnerable Microsoft Exchange servers, from both public and private networks.

On April 28, The Washington Post reported that a bipartisan group of lawmakers was planning to create a crack team of invited cybersecurity professionals to respond quickly in the event of an attack on federal networks. The Senate Intelligence Committee chairman has been hard at work on legislation that would require private sector organizations to provide notification of any breaches resulting from cyberattacks. 

On May 12, the President issued an executive order placing strict new security standards on any software purchased by the federal government. The incentive for private vendors to observe the tougher standards is that any companies whose products are found to be below the standard will be barred from federal contracts. The administration’s first federal budget proposal, announced later that month, included $9.8 billion in funds for cybersecurity. 

That does not include the $10.4 billion that the Department of Defense wants to spend on cybersecurity in fiscal year 2022. Other related expenses proposed include $2.1 billion for CISA, the Cybersecurity and Infrastructure Security Agency, $20 million for a new Cyber Response and Recovery Fund and $500 million for the government's Technology Modernization Fund.

While many are applauding the government’s growing interest in cybersecurity, there is also a bit of concern. Some of it is rooted in the declining level of confidence in government integrity. After all, if the government had largely unfettered access to a company’s private data, what if it did not like what it was seeing? And what about leaks of sensitive information? 

Beyond that, government rules often follow a one-size-fits-all formula. Regulations tend to be static, generating a culture of check-box compliance, or sometimes even vague certification requirements such as those found in the Cybersecurity Maturity Model Certification framework. Yet the adversaries against whom those rules are directed have been extremely agile. So even though there have been calls for government intervention to protect vital U.S. industries, and there are ways in which the government can be helpful, there is often a mismatch between private sector problems and public sector solutions. 

The good news is that there are decisive steps that private organizations — as well as government agencies — can take right now to better secure their data, regardless of the regulatory environment. For example, Forrester (gated) has reported that 80% of all hacking-related data breaches involved the abuse of privileged credentials. An appropriate response would be to implement “zero trust” principles when providing system access, leaving behind the outdated “trust but verify” posture and replacing it with a “never trust, always verify” mandate. 

Other steps to safeguard against intrusion could include the widespread use of multi-factor authentication, which blunts the value of stolen or reused passwords; just-in-time privilege elevation that grants administrators limited access rights once authenticated, and then only for specific tasks and windows of time; password vaults to discover, store and manage access to shared accounts and passwords; and securing remote access without the full network exposure usually associated with virtual private networks.

Implementing these and other security measures for identity and access management will require persistence, imagination, technology and investment from both the public and private sectors. It will also involve constant education. Ongoing employee training to minimize the success of social engineering and phishing scams will remain essential. 

Many of these steps can benefit immediately from solutions that are already available. And regardless of any new federal regulations, funds from the government, including the Technology Modernization Fund that was adopted as part of the American Rescue Plan, can play an important supporting role in accelerating security measures and combating the current scourge of cybercrime.



