Truvantis Blog

The Cyber-threat Landscape; Where are we now? August 2022

Written by John MacInnis | Aug 30, 2022 3:00:00 PM

Headlines: Experts agree remote workers and BYOD have permanently changed the threat landscape. Quantum computing is emerging as an encryption-breaking tool leading NIST to nurture post-quantum cryptography algorithms. Ransomware is peaking as a driver of revenue for cyber-criminals. Cyber-insurance adoption is vital as both a mitigator of risk and a driver for better cybersecurity practices. More organizations are pursuing compliance frameworks as a foundational layer for risk management.  

Post-Quantum Cryptography 

Encryption uses math to protect sensitive electronic information, including securing websites, protecting data, and authenticating identities. Widely used public-key encryption systems rely on math problems that the fastest conventional computers cannot crack. 

However, a capable quantum computer could solve these math problems quickly, defeating today's encryption systems. To counter this threat, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has chosen the first group of encryption tools designed to withstand the assault of future quantum computers.

The four new quantum-resistant algorithms rely on math problems that both conventional and quantum computers should have difficulty solving, thereby creating a future-resilient solution.

Source: NIST Announces First Four Quantum-Resistant Cryptographic Algorithms

 

The Twitter Whistleblower – The State of Privacy in Social Media 

You've probably heard the news about "Mudge" Zatko, the Twitter whistle-blower. As reported by the Washington Post, Mudge filed a complaint with the FTC alleging Twitter routinely ignored security vulnerabilities and knowingly violated consumer privacy policies. In addition, the report claims that Twitter hired agents of the Indian government and gave them unfiltered access to user data.

The WP notes: "Zatko's complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country." 

"A respected and well-known hacker, Zatko was hired by Twitter in 2020 after a spate of security incidents that saw high-profile users losing access to their accounts." – Washington Post 

In case there was any question as to whether consumer privacy exists on social media platforms, it doesn't. 

Ransomware-as-a-Service (RaaS) & Extortion Economics 

The Microsoft Security Team reports it has been tracking the trend of ransomware-as-a-service (RaaS) in the cybercriminal economy - a connected ecosystem of many players with different techniques, goals, and skill sets - which remains one of the most impactful threats to organizations.  

Ransomware attacks have become more impactful as RaaS ecosystems have adopted a double extortion monetization strategy. Attackers are not only encrypting data but also exfiltrating it, then threatening to post it publicly to pressure the targets into paying the ransom, and selling the data on the black market.

The team reports that in almost every incident where ransomware was deployed, attackers began the campaign using compromised weak credentials followed by lateral movement and privilege escalation. "In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment." – Microsoft Security 

Sophos Ransomware Report 2022 

The Sophos whitepaper 'The State of Ransomware 2022' claims ransomware attacks are increasing in complexity and impact. Of the 5,600 organizations polled, 66% admitted being hit by ransomware in the last year, and 65% of attacks resulted in data encryption.

The good news: organizations are getting better at restoring data after an attack. Backups are the #1 method used to restore data, used by 73% of organizations whose data was encrypted, and 99% of organizations reported getting at least some of their data back. Unfortunately, 46% of organizations paid the ransom.

Ransomware is driving the adoption of cyber insurance as a risk mitigation strategy: 83% of organizations have cyber insurance against ransomware. Reassuringly, there is a 98% pay-out rate on ransomware claims.

As expected, the broad adoption of cyber insurance is driving improvements in cybersecurity. 94% of organizations have found it more challenging to secure cyber insurance than the previous year, and 97% of organizations with cyber insurance have upgraded their cybersecurity posture to better their cyber-insurance position.

Cybersecurity and the Food Chain 

Cyber-attacks and ransomware are significant threats to food firms, according to speakers during a panel discussion about food fraud and defense organized by the World Health Organization. Tim Lang, professor of Food Policy at City University London Centre, said, "The cyber threat is due to investments we've made in super-efficient computer logistics. Cybersecurity issues are a new avenue for potential disruption where deliberate adulteration, extortion and fraud are tied together. The potential for food to be used as a weapon is ahead of our regulatory approaches." 

The Increased Need for Cybersecurity Compliance 

Compliance is now a fact of every business owner's life. According to the Packetlabs blog, Cyber-Threat Landscape: 2022, two concurrent trends are pushing an increased need for cybersecurity compliance: increased government regulation and risk management requirements. Most businesses are bound by compliance requirements such as HIPAA, GLBA, or PCI-DSS.

The EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have placed new demands on organizations to protect user data.

The trend towards compliance is not only propelled by new regulatory requirements. The need to manage risk drives an increased number of ISO 27001, SOC-2, CIS Controls, and NIST CSF-compliant vendors. In addition, the increased risk presented by the cyber-threat landscape is forcing more companies to become cybersecurity savvy and choose partners that can demonstrate similar behavior. 

How to Protect Your Organization from the Evolving Threat Landscape 

You've probably heard that 'security is a journey, not a destination.' You may have also heard the quote, "You don't have to run faster than the bear …" My point is that reasonable protection practices are well known. Yet, for most organizations, managing cybersecurity issues usually lands at the top of the list of 'least favorite things to do.' However, with some help, you can achieve a cybersecurity and privacy program that balances your budget and resources with your risk appetite.

The basics of cybersecurity and privacy protections have not changed much. For example, as reported in December 2020, while the U.S. Treasury Department was a target of the SolarWinds breach, IRS taxpayer information was not compromised.  

According to The Hill, "Media outlets have reported that several federal agencies were breached as part of a hack on IT company SolarWinds. The attack is widely believed to have been carried out by a Russian military group." 

Says the PCI Guru Jeff Hall, the IRS was not compromised because they have a solid defense-in-depth practice. "The IRS didn't have a problem because they regularly maintain restrictive network egress rules. And not only do they restrict egress, but they also monitor it." 

Cybersecurity & Privacy Best Practices 

The Microsoft Threat Intelligence Center (MSTIC) says these are the four biggest problems alongside the four best practices for a practical defense strategy. 

Problems

  1. Stolen passwords or easily compromised identities
  2. Missing, disabled or misconfigured security products (e.g., production network gear with default passwords)
  3. Misconfigured 'legacy' applications enabling attacker lateral movement and escalation of privilege
  4. Slow software patching – In 2022, MSTIC reports older vulnerabilities are still a primary attack vector

Practical Defenses

  1. Strong authentication – enforce multifactor authentication and enable passwordless authentication
  2. Perform a periodic attack surface analysis and test security tools, configurations and incident response
  3. Harden internet-facing assets (e.g., remote access to employee desktops)
  4. Keep systems updated – It can be a challenge to maintain, but still, the best way to harden software is to keep it updated

 

About Truvantis

At Truvantis, we also have a three-pronged approach to building and maintaining information systems for cybersecurity, privacy and compliance: 

  1. Conduct a formal risk assessment, including an attack surface analysis. Determine where you are positioned relative to the threat landscape, budget, and risk appetite.
  2. Implement policies and controls leveraging standards-based frameworks. (e.g., SOC 2, CIS Controls, ISO 27001, PCI-DSS, NIST CSF) 
  3. Pentest your security and response systems. 

Truvantis is a cybersecurity, privacy and compliance consulting organization. We specialize in helping our clients by implementing, operating, auditing and testing information security programs that work – balancing budget with organizational risk appetite. Contact us today to speak with a cybersecurity, privacy and compliance expert.