February 17, 2017
Researchers at the SANS Institute detailed a range of cyber-threats enterprises are currently dealing with and ways to become a less inviting attack target.
SAN FRANCISCO—f you didn’t already believe we live in dangerous times, a session at the RSA Security Conference on Feb. 15 here might have convinced you.
Speakers connected with the SANS Institute, a security training organization, laid out what they believe are the top seven new attack techniques being used to compromise not only computer systems, but things that connect to computers like industrial process controllers and Internet of Things devices.
This is the 10th year speakers from SANS have made this presentation at the conference, which also included advise for prevention and dealing with cyber-attacks.
The rise in so-called Ransomware was the top threat cited by Ed Skoudis. He says the scheme, where malicious software is used to hold data or system access hostage, has moved beyond a threat to individuals to being a real concern for enterprises.
“We’ve seen this can bring down a whole network of file servers and we expect many more attacks,” said Skoudis. His advice is that companies practice network security “hygiene” and limit permission for network shares to only those jobs that require it.
“You also should consider in advance that you may be attacked and who in your organization will be prepared to pay if necessary,” he said. “You may have a business principle of not wanting to pay [Ransomware], but you may face a choice of losing data worth millions of dollars. That’s a business reality.”
Companies that increasingly rely on remote web services may also be at risk, said Johannes Uhlrich, Dean of Research at the SANS Institute.
He noted that when companies first moved to the cloud they moved their infrastructure, but rather than pay for services that aren’t always used companies are moving to individual web services.
“As a result you don’t own the server or the operating system or the framework, you just run the services as you need them, but those services can be at risk,” said Uhlrich. He suggested companies carefully authenticate these services and validate all data received when using them.
Another speaker, Michael Assante, is a director of training at SANS and Technical Director for the U.S. National IT team that helped the Ukraine after a high-profile attack on its power grid in 2015 caused widespread blackouts.
Ironically, he said the relatively primitive and distributed nature of the system allowed the utility to reestablish power via circuit breakers and manual means. “But what if there was an attack on a more advanced, automated system that was more centralized as in the U.S.? The outage is going be broader and harder to restore manually,” he warned.
Turning to IoT, Skoudis said the devices themselves aren’t much of a security risk because they have limited computing power, but the systems and networks that control and connect them, are.
“In the last six or seven months we’ve seen IoT evolve as a target to an attack platform that can infect tens of millions of systems across a terabit of traffic,” he said. “It’s a significant platform for denial of service attacks and perhaps other types of attacks in the future.”
Skoudis said everything from toilets to toothbrushes are being connected to the Internet and that it’s past time to consider the security implications. He suggested using a secure WPA-2 connection on a separate network for IoT devices and set up a separate cloud account to manage them.
“We need to drain the swamp of vulnerabilities and vigorously push vendors to help clean this up,” said Skoudis. “I think we’ll see more product recalls. We’ve already seen this with some cars and DVRs where they had to be recalled because they didn’t have foundational security.”
Referencing a potentially scary future threat, Skoudis asked, “What would you pay to get your car turned back on?”