Following reports this morning of international intelligence agency, Five Eyes, warning of Russian cyber attacks, please find below a comment from cybersecurity expert on the ways to shore up corporate cybersecurity in a climate of tension and raised threat levels.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
The Five Eyes advisory is a show of solidarity, and it says very clearly that these five countries\’ resources are in alignment. It also says that information might come from any number of networks, and all of these countries are highly competent at cyber offence and defence. Finally, it says that this is no one state\’s propaganda. It is, in effect, attested to by allied but mutually exclusive defence and government structures. Overall, the advisory will have a positive effect, as anything that gets uptick and coverage increases the likelihood that people who need to know, will know. It also means that more countries, and more of the private sector than just one country, will get the alert. And in reality you can\’t sound the alarms too many times, because the majority of critical infrastructure has public safety implications but remains private sector owned and operated.
Luckily for Cisco, this vulnerability was discovered by a researcher and not an attacker, or this would have been a very serious zero day – and potentially a great pay day for a threat actor able to develop an exploit. The fact this vulnerability enables admin-level compromise – the holy grail for attackers – makes it particularly concerning. This kind of access really gives and actor the keys to the kingdom, able to escalate privileges, create backdoors into systems, exfiltrate large datasets undetected and to basically come and go on any device and system no questions asked.
This is the second time that Cisco has had issues with its SSH keys, so it really needs to take a closer look at how it manages these critical machine identities – otherwise, they might not be so lucky next time. However, Cisco is not alone. SSH keys are incredibly powerful machine identities and are used everywhere, but they are also poorly understood and managed, making them a prime target for attackers.
Compounding the issue is their longevity. Unlike other machine identities like TLS, they don’t expire. This means that a compromised identity could be abused for months if not years without an organisation knowing. Given the high level of privilege they are afforded, this is a very serious gap in organisational security.
Yet we are seeing organisations waking up to the issue. We are witnessing a trend towards companies replacing SSH keys with SSH certificates, which do include an expiry. Beyond this, companies must have visibility over all their machine identities, enabling them to set and enforce policies that automate the rotation of machine identities that might leave them exposed. With so many machine identities now present in organisations, automation is an absolute must for any company taking machine identity seriously.
Russian cyber-attacks are always opportunistic. The teams of attackers find times of geopolitical unrest to leverage baseline attacks while focus is directed elsewhere. However, Russian attacks never stop especially against what they see as their largest competition for influence within the world. As such the United States is constantly under attack from Russian state sponsored groups even if it is not apparent, they are specifically directed by the Russian government.
All of these attacks are focused to be as efficient as possible and so providing the recommendations for all organizations, especially those which identify as critical infrastructure, to follow basic cybersecurity hygiene guidelines is highly effective. Organizations should always focus on those basic foundations of cybersecurity, vulnerability, and patch management, multi factor authentication methods, and reduced or significantly controlled device access methods. Organizations should also make sure they are reviewing their supply chains as well, due to the ability of attackers to pivot from a downstream vendor into a more robust target.
Shockingly, despite the fact the UK has been working remotely for over two years, one in five home workers have received no training on cyber security. At the same time, cybercriminals have been actively exploiting people’s concerns around COVID-19. Indeed, there have been a wealth of phishing scams where attackers have posed as the World Health Organization (WHO), pretending to give advice or circulating fake medical updates in order to get victims to click on bogus links. Education is key.
Business leaders should engage with employees and project a safety-first mindset across the whole company – driven by c-level executives and filtering down to everyone. There are a number of ways to go about this, but whether it’s online training sessions with a CSO, weekly team meetings or external courses, education can be the difference that makes an employee stop for that split second before they click on a phishing link.
As well as cyber security training for employees, business leaders need to adopt genuinely robust, but flexible, security measures such as SASE – secure access service edge. In the new era of hybrid working, security needs to span on-premises and the cloud, protecting every corner of the decentralised network.
Companies who do not invest in quality cybersecurity precautions could be leaving themselves exposed to cybercriminals, risking reputation and serious financial consequences. Businesses only need to look at the massive, recent ransomware attacks on JBS and the Colonial Pipeline to see that no company is too big to be hit and face devastating consequences. In fact, the boss of the Colonial Pipeline admitted to paying a staggering $5 million ransom. No matter how prepared a company thinks they are, cybercriminals will get the upper hand by taking advantage of weak spots.
If the past two years have taught businesses leaders anything, it’s that cybersecurity must be flexible to allow for a suddenly remote workforce, without restricting employees from doing their jobs, and education is crucial.
With the latest Five Eyes warning to UK critical infrastructure organisations about the danger of Russian state-sponsored cyber attacks, it’s important that leaders keep their workforces well-informed and aware of the way threats can infiltrate a company.
Threat actors will be keen to capitalise on the anxiety and fear in this uncertain climate, so prompt and clear communication is a key first step to navigating through these situations safely. To combat a potential salvo of cyber attacks, basic digital hygiene can go a long way in defending against potential Russian threats.
When using tech, being wary of phishing attempts operating through fake emails and messages is vital. Alongside scam awareness, one of the best methods of protection is regularly updating passwords and ensuring they are unique and long, and Multi-Factor Authentication (MFA) can also add an extra layer of defence here. Keeping devices and apps updated also helps patch over new vulnerabilities that cyber criminals might be looking to exploit.
Sharing knowledge and expertise has never been more important. As Russian threat actors look for chinks in the armour, it’s crucial that businesses keep staff educated and well-equipped to keep their devices clean and safe, so that sensitive corporate information doesn’t fall into the wrong hands.