Caroline Wong is the Chief Strategy Officer at Cobalt, a cybersecurity firm with a focus on Pentest as a Service (PtaaS).
It’s 2021, a year that has been plagued by a seemingly endless cycle of high-profile cybersecurity breaches. Security teams are struggling with the same well-known vulnerabilities that have troubled the industry for decades. Yes, you read that right. From my perspective, the high-profile cyberattacks that occurred over the past few years (think Colonial Pipeline, JBS and the hack involving SolarWinds) are not necessarily different from the kinds of attacks we’ve observed again and again for the last 20 years.
It turns out cybercriminals haven’t needed to reinvent the wheel when choosing how they’ll exploit companies.
It’s an alarming reality: Ransomware threats are everywhere. Critical infrastructure is vulnerable. In fact, the flurry of cyberattacks on critical infrastructure and government computer systems has been unprecedented. And, for companies, ransomware attacks have become a huge expense. So, what can we do about it?
As you can imagine, getting to the bottom of a global cybersecurity crisis isn’t a problem that can be solved in a day. However, there’s one thing that we can do now to move the needle forward: Double down on cybersecurity regulations and compliance to keep critical infrastructure safe. Here’s how:
Critical infrastructure should be required to fix bugs linked to well-known attacks.
According to the Cybersecurity and Infrastructure Security Agency, critical infrastructure “describes the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” So, clearly, we should be doing the bare minimum (at least) to keep that infrastructure safe from well-known vulnerabilities by patching bugs for commonly known threats.
Asset inventory and management are critical for all organizations, but even more so for institutions with older systems and technologies, especially if they’re connected to the internet. Running vulnerability scans and pentesting on a routine basis can help us better understand what malicious attackers might choose to attack. Knowing what vulnerabilities exist is only the start; having a remediation plan and following up in a timely fashion is where the real defense takes place. Software and infrastructure don’t get safer until vulnerabilities are mitigated and addressed.
Critical infrastructure should have security controls in place to reduce the chances of attackers targeting critical infrastructure.
The cyberattack on Colonial Pipeline sent waves across the U.S. economy, spotlighting cybersecurity vulnerabilities in the nation’s aging energy infrastructure. According to Bloomberg, Colonial Pipeline made the move “to shut down the largest fuel pipeline in the U.S. after ransomware group DarkSide’s technology infiltrated their network.” The effects were stark: A public frenzy, limited fuel availability and higher gas prices in some areas. We must ensure we have the necessary controls in place to prevent the next Colonial Pipeline-level attack before it happens. These include software updates, patch installations and testing data backups regularly to ensure they’re available.
Critical infrastructure should have security controls in place to prevent the same types of attacks from repeatedly occurring.
This is where mandatory testing and reporting are vital. Proactive, preventative security controls like pentesting can identify holes in organizations’ security postures so they can address recurring issues before it’s too late. Security misconfiguration is a common pentest finding and can be a game-changer if identified and addressed.
Companies, governments and individuals need to prioritize proper security measures and hack post-mortems to avoid similar attacks from occurring in the future. Knowing without doing won’t get us any further than we are today.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.