Welcome to Cyber Security Today. This is the Week in Review edition for Friday August 6th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes guest commentator Dinah Davis of Arctic Wolf will be here to talk about some of the things that happened in the past seven days. But first some of the headlines:
Supply chain attacks are a big worry to cybersecurity professionals. Instead of hitting one government or company at a time, by hacking popularly-used software an attacker can compromise hundreds, thousands or more organizations at a time. This week the keynote speaker at the annual Black Hat cybersecurity conference warned platform companies that make operating systems or widely-used applications to tighten their defences. If they don’t act fast, he predicted, a wide-spreading malware attack in his words “will make everything we’ve seen until now look like peanuts in comparison.”
Dinah and I will discuss a recent European Union Agency for Cybersecurity report on supply chain attacks and what IT departments and software companies can do about them.
A number of cybersecurity companies this week issued analysis of cyberattack trends for the first six months. One of them is Check Point Software. Looking at data from its customers around the world, it calculates there was a 29 per cent increase in cyberattacks compared to the same period last year. The number of ransomware attacks was up 93 per cent.
Another report, by a company called Risk Based Security, noted that hospitals, clinics and medical research centres are still a priority for cyber attackers.
Major vulnerabilities that have to be patched were found in a number of internet-connected industrial control systems. Forescout Research Labs and JFrog Security teamed up to find vulnerabilities in an internet stack called NicheStack. It’s been used in many industrial products for the last 20 years. Nearly all major industrial automation vendors incorporate NicheStack in their products and solutions. Hijacked devices can spread malware to wherever they communicate on the network. IT staff should watch for alerts from their product manufacturers.
And Nozomi Networks Labs has warned there are five vulnerabilities affecting Mitsubishi safety programmable logic controllers. Patches aren’t available yet for affected devices. Mitsubishi is issuing guidance.
Finally, a U.S. cyber education research group has created a set of cybersecurity learning standards for American schools from kindergarten to Grade 12. The group, called Cyber.org, says the standards help teachers introduce students to the foundational concepts of cybersecurity for personal protection, and provide them with the knowledge needed if they want to have a career in cybersecurity. Dinah and I will talk about this report.
(The following is an edited version of my discussion with Dinah Davis. To hear the full talk, play the podcast.)
Howard: I want to start the discussion with supply chain, or what some people call third party, cyber attacks. What is a supply chain attack?
Dinah: There are four key elements in a supply chain: The supplier, the entity that’s going to provide the supplies. The supplier itself has assets — computers, inventory. And a key component is the customer, the person buying either the service or the product from the supplier. And then the customer also has its own assets: Their own documents, lists of people, computers or networks. A supply chain attack is the combination of at least two attacks, the first attack going on against the supplier and the second attack going against the customer, where they use a supplier to get to the customer.
Howard: The keynote speaker at the Black Hat cybersecurity conference that I tuned into this week made the point that supply chain attacks greatly increase the reach of both nation-state attackers and criminals. So for example, one famous supply chain attack was a hack several years ago of Target, the big discount department store chain, through the IT system of its heating and ventilation supplier. That was just one corporate victim. But with recent hacks, for example, a hack of SolarWinds’ Orion software update mechanism, the nation-state attackers sent malicious updates to lots of organizations. So in the end nine U.S. federal agencies and over 100 firms were compromised. He also mentioned that, for example, ransomware gangs typically target one organization at a time. In the Kaseya incident of just a month ago, because malware was spread through the customers of managed service providers, over 800 organizations were hit. So the point he was making is supply chain attacks are a great way to launch mass attacks, and hackers are cottoning on to this idea.
Dinah: What I like about the European Union Agency for Cybersecurity report [on supply chain threats] is that it gives us a way to talk about it. Because are some of these attacks the same? Is the Kaseya attack the same as the SolarWinds? What this European Union report gives is a way to talk about them with a taxonomy. There are four things for each attack: The attack technique used to compromise the supply chain, the supplier assets that were targeted, how the customer was compromised, and what the customer’s asset was that was targeted.
If we go back to SolarWinds, its Orion software monitors and manages networks, which is one of the reasons why attackers would target it. The way that they attacked was to exploit a software vulnerability. They used brute force and social engineering to get in to exploit that vulnerability. And the asset that they were trying to attack was the [update] processes and code.
On the customer side, it has a trusted relationship with SolarWinds. So they’re not even going to think twice about [an update]. When the malware was in the customer’s environment it went after the data, because these were federal agencies.
In the Kaseya attack, they [a ransomware gang] used two zero-day vulnerabilities to get into the VSA IT management software. The attackers used the trust relationship with customers … The interesting thing about Kaseya is it was a double supplier attack, because some of the Kaseya customers were managed service providers who had their own customers.
I like this [European Union agency] framework. It starts to allow us to talk about all of these different supply chain attacks, compare them, and figure out how we’re going to protect ourselves.
Howard: You mentioned that a zero-day vulnerability was used in one of these attacks. The speaker at Black Hat argued that a number of the recent supply chain attacks made use of zero-day vulnerabilities or chains of vulnerabilities in their initial attacks. And he suspects that the attackers somehow got hold of them before software companies issued security patches. His point is if you’re a security researcher who hunts for zero-days, you need to keep your computer protected from being hacked because you’re a target.
Dinah: That’s absolutely true. So one, as a software company, you need to be careful about where you’re exposing your security issues. Can anyone from your company find out what all your security vulnerabilities are? Two, the researchers need to make sure that their systems are secure and not leaking anything.
Howard: One point the Black Hat speaker made was that reducing the risk of supply chain hacks is going to be up to platform operators. That means companies that make operating systems like Microsoft, Google, Apple and Linux distributors, as well as software companies and website administrators, have got to tighten their security. One big problem he argued is that too many applications give wide access permissions that allow malware to access sensitive parts of IT systems.
Dinah: This is an interesting train of thought … I would argue that in at least 80 per cent of the use cases where people need a computer, they don’t need to be able to download absolutely anything and run absolutely anything on it. And good examples of that are the Chrome computers by Google. They’re pretty locked down. You can’t do a lot of extra fun stuff there.
Maybe we should be looking at sending out two flavors of software and hardware: One for developers and the other for the masses, which are locked down much more.
Howard: Here’s one thing that is perhaps a lesson we can learn from mobile operating systems: Mobile applications very rarely have root access. So if someone hacks a mobile app, what they don’t get is the ability to take over the phone.
The report by the European cybersecurity agency made recommendations for companies to improve their security so that they’re not vulnerable to supply chain attacks. Can you go over some of them?
Dinah: Identify your suppliers, then define where your risks are with them. Then measure and monitor for those risks for every supplier. That includes finding out what the suppliers have access to. Can their tools access your system? If so, are you okay with that level of risk? If not, how do you mitigate that? You really want to define strong security requirements for anything you buy from suppliers.
Also, look at the contracts you have with the suppliers. If they are compromised and that leads to you being compromised, do you get compensation? Is there a recourse? The last piece is making sure you have defined processes to handle changes in supplier agreements and software updates.
Make sure your infrastructure and code are developed with best security practices in mind. Consider going for a SOC 2 or other security certification. While they aren’t bulletproof, as you go through the certification you have to look at different security issues and potential holes in your system. That will inevitably mean that you will have a stronger, more secure system.
Make sure you maintain accurate and up-to-date information on the origin of all the software and components that you are using because you are not only a supplier, but a consumer.
Finally, you and your suppliers should also implement good practices for vulnerability management. Keep all systems up to date to reduce the risk of compromise. And not only that, they should have a strong process for delivering security patches to customers for their tooling.
Howard: I want to turn to the Cyber.org recommended cybersecurity learning standards for public schools up to grade 12. This sounds like a great resource for school boards that want to add cybersecurity training to their curriculum.
Dinah: I was so excited about it I posted it on LinkedIn and tagged [Ontario education minister] Stephen Lecce saying, we need to do this. We need to do this now. If you followed all this curriculum you could be producing future cybersecurity students. There are three core themes: One is Computing Systems. That has everything you would imagine, like networking and hardware and operating systems and software and stuff. Another is Digital Citizens. How does cyberbullying work? The third is Security. And that’s all about information security and access control and data security. These are all things kids growing up today have to know. If we don’t teach them this stuff, we are remiss in preparing them for the real world.
Howard: It’s not just teaching personal cybersecurity. I noted, for example, that a suggested topic for high school discussion is ‘analyze the different types of cyberattacks that affect network security.’ Well, you wouldn’t bring that level of discussion up in a social studies course. That, I think, would only be in a high school computer science course.
Dinah: They talk initially about what’s your responsibility online? And then in grade six or seven they’re talking about network layers. These are things the kids need to know about how the world works. We teach them physics, we teach them biology. We teach them chemistry so that they know that all those things that are happening in the world are not magic. We need the same thing with cybersecurity and technology.