If one thing has become clear in the world of cybersecurity over recent months, it’s that too many of the solutions organisations rely upon for protection are no longer fit for purpose. Playing a game of catch-up is never going to allow IT professionals to gain the upper hand in the evolving battle against financially motivated hackers and state-sponsored cyber-gangs. Whether it’s dependency upon pre-disclosed threats for anti-malware protection, or reliance on an endless cycle of patching for systems’ security, something has to change.
Governments and legislators have an important role to play in framing the next generation of cybersecurity standards. As the world becomes increasingly connected, there is a requirement for clearly defined statutes and a move towards a zero-tolerance architecture. Stricter data protection rules and harsher penalties for non-compliance (like those inherent in the GDPR) are a start, but cybersecurity needs to be addressed from the roots up.
Better late than never
The recent Executive Order (EO) issued by the Biden Administration recognises the clear and present danger to national infrastructure posed by cyberattacks. It calls, not for incremental improvement, but for “bold changes and significant investment” to secure its infrastructure. It states: “the prevention, detection, assessment and remediation of cyber incidents is a top priority”.
In addition to recognizing the importance of intelligence gathering and sharing, the EO acknowledges the need to modernize the government’s approach to cybersecurity. In recognition of the recent SolarWinds attack, it highlights the importance of software supply chain security and calls for improvements to the way vulnerabilities are detected and remediated.
The US is not alone in its renewed focus on cybersecurity. In a May 2021 statement, the Australian Home Affairs spokesperson acknowledged that Australian national infrastructure faces “immediate, realistic and credible threats”. This recognition is welcome, especially in light of the evolving threat landscape:
- The advanced, persistent nature of today’s cyberattacks threatens more than just data loss: these attacks carry with them a significant financial burden, the ability to disrupt national infrastructure, an existential threat, or even the potential to destabilise a government.
- Cyberattacks are not the exclusive domain of lone hackers working from dimly lit basements. Many are the product of sophisticated and well-funded cyber-gangs, driven by both financial reward and political motivation. Less idealistic revolutionaries, more state-funded mercenaries.
- Increasingly, the most effective malware and ransomware attacks are those that leverage signatureless, undisclosed, or zero-day exploits to inflict as much chaos as possible in as little time as possible. Get in, get paid and get out.
- Despite an almost universal recognition (91% in a recent TechTarget survey for Thales) that organisations’ cybersecurity strategies do not effectively address the evolving landscape, there is still a pervasive sense of apathy amongst enterprise and government stakeholders.
State-sponsored attacks on critical national infrastructure are becoming increasingly common, redefining what constitutes an act of cyberterrorism. The increase in activity specifically targeting critical infrastructure prompted President Biden at his first face-to-face with President Putin to provide a list of 16 critical infrastructure sectors that should be “off-limits” and not targets of cyberattack (again).
Financial services and healthcare organisations remain perennial targets, not so much because of the potential to cause harm, but because of the sensitive and detailed nature of data held on customers. This represents rich pickings for cybercriminals targeting account access or identity theft.
IP-intensive sectors such as pharmaceuticals, IT, aerospace and high-tech manufacturing are also targets for data theft. However, these organisations are less likely to reveal successful breaches of their unencrypted data (for obvious reasons) unless, of course, they are mandated to do so by strong cybersecurity regulations.
Trust nothing, encrypt everything
It’s one thing for governments to warn their agencies and business sectors of imminent, realistic and credible threats – things that are otherwise obvious to all. It’s quite another to mandate forensically responsible behaviour through tougher regulations.
One of the tenets of the Biden Executive Order is the creation of a zero-tolerance architecture. Perhaps a more accurate name should be zero-trust. If organisations start from the perspective of “trust nothing and encrypt everything” they would be in a stronger position.
Anti-malware solutions should just assume everything coming onto the network needs analysing and sanitising. Eliminating any content that doesn’t belong, whether it contains a tell-tale signature or not, minimizes the risk of exposure to zero-day exploits and undisclosed attacks.
Encrypting data in motion not only protects the potentially sensitive or valuable data from being exploited in the event of a breach, but also secures the network itself. End-to-end, authenticated encryption also protects from rogue data injection, mitigating one of the primary risks to critical infrastructure services.
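The property described above, that authenticated encryption rejects injected or altered data rather than quietly decrypting it, is shown here as an added example; it is not code from the original article or from any product it alludes to. It uses only the Go standard library's AES-256-GCM: a message is sealed together with a plaintext header (the associated data), and the receiver gets an error, and no plaintext at all, if any byte on the wire or the header it was bound to has changed. The key, header and message values are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext with AES-256-GCM under key and returns
// nonce || ciphertext || tag. The associated data (aad) is authenticated
// but sent in the clear, so a header such as a device id or sequence
// number can be bound to the payload without being hidden.
func Seal(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so one buffer carries everything.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It returns an error, and no plaintext at all, if the
// nonce, ciphertext, tag or associated data were altered in transit.
func Open(key, aad, envelope []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(envelope) < ns+gcm.Overhead() {
		return nil, errors.New("envelope too short to contain nonce and tag")
	}
	nonce, ct := envelope[:ns], envelope[ns:]
	return gcm.Open(nil, nonce, ct, aad)
}

// newGCM builds the AEAD; the key must be 16, 24 or 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// FlipBit returns a copy of envelope with the low bit of byte i inverted,
// simulating a single-bit modification of the message on the wire.
func FlipBit(envelope []byte, i int) []byte {
	out := append([]byte(nil), envelope...)
	out[i] ^= 0x01
	return out
}

func main() {
	key := make([]byte, 32) // constructed demo key; derive or fetch real keys from a KDF/KMS
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aad := []byte("plc-07|seq=1042")  // constructed header: authenticated, not encrypted
	msg := []byte("valve_setpoint=42") // constructed control message

	env, err := Seal(key, aad, msg)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, aad, env)
	fmt.Printf("genuine message: %q err=%v\n", pt, err)

	// A modified ciphertext byte or a payload presented under a different
	// header is rejected outright; the receiver never sees corrupted data.
	_, err = Open(key, aad, FlipBit(env, len(env)-1))
	fmt.Println("bit-flipped tag: err =", err)
	_, err = Open(key, []byte("plc-07|seq=1043"), env)
	fmt.Println("header mismatch: err =", err)
}
```

Binding the sequence number into the associated data is what turns the cipher into a defence against injection and replay for the receiver: a stale or cross-wired payload fails authentication even though its bytes were genuinely produced under the same key.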