Cyber 3-2-1: 12th November 2021
Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: How a social engineer beat £2m of security, why most critical vulnerabilities are not critical, and why you need to worry about disgruntled employees.
This week’s action: When someone leaves, disable their access.
>>>>> THREE ARTICLES <<<<<
1: £2m cannot defend against social engineering
We frequently hear how social engineering plays a key role in phishing emails and the majority of cyber-attacks.
But it’s just in the online world. In this short interview (4 minutes), hear how Jenny Radcliffe, one of the original social engineers, defeated £2m worth of physical defences with a pellet gun, a van and an A4 sheet of paper.
2: Insider Threat
“A Kansas man pleaded guilty to tampering with the computer system at a drinking water treatment facility”. The man had resigned from his employment at the plant in January 2019. Two months later, “[the] remote log in system was used [by the man] to shut down the plant and turn off one of its filters.”
We should worry about cyber attacks from outside the organisation. But if you have disgruntled staff, the insider threat is heightened. This is an extreme example of the insider threat. (Technically, he had resigned, so he was no longer an insider. But his access was still active, so the systems treated him as an insider)
I also recall a speaker at an IRISSCON conference talk about a disgruntled staff member deliberately storing pornographic material onto a co-worker’s computer, in an attempt to get them into trouble with their employer.
(Which gives me a reason to mention that IRISSCON 2021 takes place next week in the Aviva Stadium. If you are involved in cybersecurity, it’s well worth a day of your time + €50. More at https://www.iriss.ie/IRISSCON.html)
Read more: https://www.justice.gov/usao-ks/pr/kansas-man-pleads-guilty-water-facility-tampering via www.ncsc.gov.ie/news
3: Focus on the 4%
Security vulnerabilities (i.e. flaws) in software systems are identified every day. No system is perfect because every system is developed and maintained by amazing but imperfect humans.
The central catalog of common vulnerabilities (called the CVE catalog) provides information on each vulnerability, with a severity rating (critical / high / medium / low) based on the danger of the vulnerability to an organisation.
The Problem – The sheer volume of vulnerabilities in the catalog is overwhelming. For example, in 2020, there were over 18,000 new entries, with an average of 28 critical or high severity entries added each day.
The Insight – The US Cybersecurity and Infrastructure Security Agency (CISA) has looked at the data and identified that only 4% of known vulnerabilties are actually actively exploited by the bad guys. The other 96% are primarily theoretical risks. They have also identified that the bad guys may ‘chain’ a series of vulnerabilities, using a low / medium severity vulnerability to gain access and then other vulnerabilities to broaden their foothold. Organisations that focus on critical vulnerabilities may miss these chains, and therefore be exposed.
The Carrot – To help organisations to focus on the 4% of vulnerabilities that are actively exploited by the bad guys, CISA has developed a catalog of Known Exploited Vulnerabilities (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). The list includes 182 vulnerabilities from 2017-2020, and 108 from 2021 so far.
The Stick – To force US government agencies to do something with this information, CISA has issued a binding order that will force agencies to address these known exploited vulnerabilities within a specific and more aggressive timeframe. CISA recommends that private organisations do the same.
Read more: https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf via www.ncsc.gov.ie/news
>>>>> TWO STATISTICS <<<<<
1: 58%
58% of 100 large Irish companies have reported an attempted cyberattack in the last 12 months, according to a survey by Accenture.
2: 5%
Just 5% of the attempted attacks actually succeeded, according to the same survey of large Irish companies.
>>>>> ONE ACTION <<<<<
1: When someone leaves, turn off their access
When someone leaves the organisation, it is imperative to ensure there is a reliable (and preferably, automated) process in place that disables their IT access in a timely manner.
It’s a simple security measure. But an effective one.