Sunday, February 26, 2023

Your Employees Are The Best Safeguard For Avoiding Critical Infrastructure Attacks

On Friday of this past week, many countries around the world marked the one-year anniversary of the invasion of Ukraine.  I certainly have my views on this entire matter, but that is a topic for a different kind of blog setting.

There have been many ramifications from this war, especially on the Cyber front.  There were huge fears of Ransomware attacks, Phishing attacks, and even an invasion of our own Critical Infrastructure.  While there have been some hacks here and there, to the best of my knowledge there has been no large-scale one, at least not yet.

But it is the latter threat, the one on Critical Infrastructure, that scares me the most.  Alarm bells have been going off from all parts of the Cyber front that we need to take this much more seriously than we do now as a society.  Heck, even our own Federal Government has been issuing alerts this year as well.  Unfortunately, as I have written about before, our Critical Infrastructure was designed back in the 1960s and the 1970s.

Back then, nobody even thought of Cybersecurity; rather, the main focus was Physical Security.  Because of this, many of the technologies are now outdated, and in fact are no longer even produced.  So we are stuck with a conundrum here:  We simply can’t rip out the legacy systems and put new ones in, and at the same time we cannot apply new patches and upgrades because the technology is so old.

So what is one to do?  Well, it all comes down to basics.  I came across an article this morning, which offered such tips.  Here is what the author proposed:

1) Employees are the greatest threat:

We have heard this who knows how many times.  Quite frankly, I don’t agree with it all.  Employees are actually one of your greatest assets.  They can literally be the eyes and ears you need in order to keep up with any threats, especially when it comes to Insider-based attacks.  Rather, it is the environment they are in that leads to their bad Cyber Hygiene habits.  What I mean by this is that it all comes from the top.  Heck, if the C-Suite doesn’t care, why should the employees?  You can rant and rave as much as you want about how important Cyber Hygiene is in your security awareness training programs, but that won’t mean a hill of beans unless upper management leads the effort.  So if you are the CISO at an oil supply company, you had better be darned sure that you are practicing good Cyber Hygiene yourself if you expect your employees to do the same.

2) Social Engineering is the next new normal:

Now, this is something that I fully agree with.  The Cyberattacker of today is ditching the older ways of encroaching upon your digital assets.  Instead, they will try to con your employees (and even other key stakeholders) into giving out information and data.  A typical attack here would be a phone call to an administrative assistant at a nuclear facility, trying to get them to give away some secrets.  Or it could be a Business Email Compromise (BEC) attack sent to your Accounting department, asking them to send millions of dollars to a phony overseas account.  This is where I believe a good security awareness training program should focus.  As a CISO, you need to teach your employees what to look out for so they can recognize when they are close to becoming a victim of one.  In fact, just in the last year, Social Engineering attacks cost Critical Infrastructure over $4.8 million per incident.  (SOURCE:  https://securityintelligence.com/posts/whats-new-2022-cost-of-a-data-breach-report/?_ga=2.36984227.2031350507.1674256954-834892342.1674256954).  But here is something else you need to keep in mind:  Just because an employee has fallen victim to a Social Engineering attack does not mean they are the weakest link in the proverbial security chain!!!

3) Beware of the IoT:

As you might already know, this acronym stands for the “Internet of Things”.  In a very general sense, it is where all of the objects we interact with on a daily basis, in both the physical and virtual worlds, are interconnected.  While this can bring many great benefits, it also has its own set of pitfalls.  Many companies in Corporate America have started to embrace this kind of technology and have in fact begun to deploy it.  But the gravest security risk here is that, as a CISO, if you follow suit, you are simply expanding the attack surface for the Cyberattacker.  So if you are leading the security initiatives for a Critical Infrastructure, be very careful about how you deploy any kind of IoT device.  Remember, the vendors who make these kinds of products do not factor security into them.  If they do, it is very minimal at best.  And always make sure that you change the default security settings to meet your own requirements.

My Thoughts On This:

As a CISO, trying to make your Critical Infrastructure as Cyber resilient as possible can be one of the most difficult things you will ever face, given the obstacles just described.  In fact, you may not know where to turn.  But the good news is that there is a starting point.  The Cybersecurity & Infrastructure Security Agency (also known as “CISA”) has come out with a new framework, which can be seen at the link below:

https://www.cisa.gov/topics/industrial-control-systems

This would be a good place to get started.  Another good place would be to stop thinking that your employees are to blame for every Cyber incident that happens.  We are all in this together!!!  It is very important not to cast blame until a complete forensics examination has been completed.
