CONVERGE17: Three Things We Learned On Day 2

Posted on 10.19.17 by Scott Rubin

We heard the latest on the global breach landscape and discussed the challenges presented by state-sponsored hacking, among many other topics. Throughout the day, we saw three key themes emerge.


Denise Zheng (left), Suzanne Spaulding (center), and Fran Townsend discussed state-sponsored hacking at CONVERGE17.

Critical infrastructure, state-sponsored hacking, and the importance of cybersecurity basics were top-of-mind for speakers during the Day 2 general sessions at CONVERGE17. Throughout the day, we saw three key themes emerge:

  • State-sponsored hackers favor critical infrastructure;
  • Humans are our most vulnerable “endpoints”; and
  • Organizations still struggle to get the cybersecurity basics right.

State-sponsored hackers favor critical infrastructure

While state-sponsored hacking is an issue for every organization, critical infrastructure owners and operators face the biggest threat, according to Denise Zheng, VP of The Business Roundtable, who moderated a panel discussion on the topic.

“Cyberthreats to critical infrastructure are no longer theoretical events,” she said. “They are real, and they target the private sector and the government.” The question then becomes: what is the role for government in securing those entities? “If they are facing nation-state-sponsored cyber actors who are well resourced, sophisticated, and have legal protection of their government,” said Zheng, “should we pursue an Israel-like model in which government plays some role monitoring for threats?”

Describing the relationship between the tech community and the U.S. government as “scratchy”, panelist Frances Townsend, EVP MacAndrews & Forbes, said, “I’m skeptical you can accomplish it. Deploying an Israeli model where you have government actors inside a private sector company is unlikely and, frankly, uncomfortable. Public companies have to assess their reputational risk by virtue of their relationship with the government. It raises privacy and civil liberties issues, and it might not be feasible in the U.S.”

A more comfortable framework, said Townsend, would be a third-party organization through which threat information could be shared on an anonymous basis. The organization could serve as “a watchdog between the private sector and the government,” she said.

As governments and businesses grapple with these and other challenges, the nature of state-sponsored attacks is changing. “In 2011, when I started at DHS, we’d think about nation-state actors in terms of capability and intent,” said Suzanne Spaulding, Former Under Secretary, Department of Homeland Security. “We would talk about the fact that we had a couple key state actors — China and Russia — with significant capability but low destructive intent and [countries such as] North Korea and Iran with less capability but higher intent.”

Since then, Spaulding said, “we’ve seen increasing sophistication in the capabilities of those who would like to do us harm, and increasing tension with those who have significant capabilities.”

Meanwhile, the line between criminal activity for financial gain and nation-state activity for espionage is blurring. “You see that most clearly with North Korea, where they are trying to finance their regime in part through cyber-enabled threat,” said Spaulding. “We’re seeing nation-states use non-state actors as contractors. The lines are definitely blurring.”

Lines are also blurring between the worlds of physical and cybersecurity, particularly for organizations involved in our critical infrastructure. It’s essential for people responsible for the physical security of an organization and those responsible for cybersecurity to think of themselves as one team, according to Spaulding.

In fact, bringing a broad cross-section of stakeholders into your cybersecurity conversations is key to understanding the full business implications of a breach. “Your IT expert can no more tell you about the cascading consequences to your business of a cyberattack than your electrician can tell you about the cascading consequences to your business if the electricity goes out,” said Spaulding. “You’ve got to think outside the IT box to the broader team.”

Humans are our most vulnerable “endpoints”

Equally important is having a clear-eyed view of how your employees are likely to behave. “When there’s not a vulnerable system, there’s always a vulnerable person,” said Chris Novak, co-founder/global director of the Verizon Threat Research Advisory Center, during his presentation “A View Into the Cyber Threat Landscape.”

He noted that one in 14 users falls for some form of social engineering or phishing attack, and a quarter of them fall for it more than once. As an example, Novak said, one organization he worked with recently told him that, when they did quarterly cybersecurity awareness training for employees and then conducted practice phishing, their victimization rate was 3%-4%. But, when they stopped the training for a few months, the victimization rate jumped to 38%. “Some organizations tell me it’s closer to 60%-70%,” he said.

Given the number of attacks coming into an organization through phishing, Spaulding noted that organizations need to continue to invest in training the workforce and implementing basic tools such as multifactor authentication, segmentation, and application whitelisting.

“It’s all about the basics,” said Novak. “Organizations are so focused on the advanced and sophisticated, and we’re leaving the doors and windows open. If you’re not doing some of the basic elements, things are going to fly out the window.”

Getting the cyber hygiene basics right seems to elude many organizations. “I don’t think you can assume the basic hygiene,” said Townsend. “Companies have done a lot, but I continue to be mystified they haven’t done some of the basics.”

Organizations still struggle to get the cybersecurity basics right

Getting the basics right isn’t easy, especially for enterprise-scale organizations. For example, moving from single-factor to multifactor authentication can introduce a host of challenges for an organization, not least of which is pushback from users who chafe at the idea. “But, the reality is most of these things could be thwarted or slowed down dramatically if you only had multifactor authentication,” said Novak. “And you have to have it in multiple places. Everybody tells us, ‘yes we have it.’ But when we start digging, we discover they didn’t have it everywhere in the organization. They didn’t have it for admins, for example, so you create these pockets of vulnerable populations who are going to be targeted.”

Patching is an oft-cited and critical cyber hygiene basic, but Novak said “more important than just being able to patch is knowing what you have. Patching has to go hand-in-hand with asset inventory. If you get 99% of everything patched, what’s the ‘everything’? Every organization has a hacker’s playground inside it. It’s those parts of the organization that the organization doesn’t even realize it has.”

At the start of a breach investigation, one of the first steps for Novak and his team is to request an asset inventory. “We went into one breach investigation where they produced three different asset inventories for us, and none of them were true,” he said.

In another investigation, in Japan, he said “we went in and we started following what the threat actors were doing, and we noticed all of a sudden they vanished from the radar, but we could see data was still being exfiltrated. We discovered assets in the environment nobody could account for. We found 30,000 assets they had no record of. When we asked them, they told us ‘we acquire two to three companies a month.’ So, there’s a margin of error about what they understand they own.”

As organizations struggle to get the basics right, the business of hacking continues to mature. Most groups trading on the Dark Web operate like a business, according to Novak. “We’re all here because our companies are out there to do well, make money, and make our customers happy,” he said. “These guys are doing the exact same thing. They want to make money and make their customers happy. You can go to these sites and submit an RFP for malware. You’ll have folks basically tripping over themselves to try to provide you with the malware. You can buy botnets, anything and everything you could possibly need in these sites. It’s important for folks to realize the ease with which the underground community has access to this kind of data and information.”

While nation-state attacks provide fodder for media headlines and our collective anxiety, “it’s usually not that interesting,” said Tanium CEO Orion Hindawi in his Day 1 fireside chat with Fortune’s Robert Hackett. In many cases, he said, “It’s someone exploiting a known vulnerability” that should have been patched months ago.

The good news is that no one in this industry is working on these challenges in a vacuum. We can share information and key learnings with one another at events like CONVERGE and through discussions in the Tanium Community. We can continue to refine employee training to equip humans — our most vulnerable “endpoints” — with the knowledge they need to stay safe. And we can find new ways to communicate with our senior executives and our boards about the need to invest in cybersecurity. Because when you’re in a business that has no finish line, the best you can do is learn to enjoy the race.
