By Bernard Montel, EMEA Technical Director and Cybersecurity Strategist, Tenable
Critical infrastructure attacks are about to get physical, according to Bernard Montel, EMEA Technical Director and Security Strategist at Tenable
The last year has been turbulent in more ways than one. When it comes to critical infrastructure that underpins the financial sector, in 2021, cybersecurity leaders saw a dramatic increase in bad actors not just looking to steal information, but actually causing physical disruption to our daily lives. The financial sector is critical to the country’s economy, and to citizens daily life, and any outages have a significant impact. Financial institutions are just one key sector that has faced a heightened onslaught of malicious activity that impacted services and proved costly to businesses and customers alike.
The basics are still tripping businesses up
This year, hacktivism and critical infrastructure attacks on financial institutions evolved. Rather than nation state attacks, we are seeing an increase in cyber criminality and the monetisation of attacks. Although most attacks are not that sophisticated, basic vulnerabilities leave organisations as easy targets for bad actors in this space. In 2022, adversary groups will continue to launch low-cost, high impact (LoCoHimp) attacks – especially ransomware, given its potential to cripple organisations.
To thwart their efforts, businesses must focus on their own internal systems and third-party vendors. It is essential to secure these external vendors, and potential points of weakness in particular, by implementing audited industry best practices. In addition, security teams need to utilise security solutions that provide appropriate visibility, security and control across the converged infrastructure.
Attacks are no longer isolated incidents
Attacks, like SolarWinds and Kaseya in early 2021, brought to the forefront of our minds the need to maintain the integrity of the software supply chain. Threat actors quickly realised that they can capitalise on the domino effect by compromising one system which in turn exposes many more victims. Furthermore, as organisations continue to accelerate innovation projects or migrate to the cloud to meet the demands of hybrid work models, businesses are rightly concerned that third-party interdependencies (e.g. software-as-a-service) will continue to expand and attacks increase. Therefore, organisations must critically analyse how their reliance on third parties, even those offering security-as-a-service, has the potential to increase risk.
Another worrying development at the end of 2021 was the discovery of Apache Log4j, a vulnerability that shines a bright light on the risky practice of relying on open-source code libraries to build enterprise-scale applications. Many organisations around the world rely on open-source libraries as a key element in their ability to bring applications to market quickly. Yet, these libraries often stop short of a security-first approach. This dependence on what is effectively a wild, wild west of code libraries will continue to leave organisations vulnerable until time and resources are invested to make them more secure.
With the financial sector heavily reliant on cloud and DevOps, it is perhaps one of the sectors where we’re seeing the largest rise of the Infrastructure as Code (IaC) movement, and to support this movement, cybersecurity needs to innovate with Security as Code.
As organizations move toward everything as code — including applications, cloud infrastructure, even integration and delivery processes for agile development — they have an opportunity to start securing systems earlier and more often than their existing processes. IaC fits into a class of technologies that enable “shifting left”, or moving traditionally late processes earlier. This “shift left” movement promises to improve velocity, resiliency, and security even as systems become more complex.
Treat cyber risk like financial risk
We are all now excruciatingly aware of the risks that hybrid and remote working can bring for organisations as their operations migrate to the cloud, often without enough thought to the security implications of this seismic shift. Businesses must truly understand their expanded attack surface, ensuring that they hold the same level of control, governance and transparency over the cloud as they would for security on-premises. It’s imperative we treat cyber risk as any other business risk and the financial impact incurred if the worst should happen.
Organisations must take time to analyse what operations they are delegating out – and perhaps more importantly, to whom these operations are being delegated – and what security precautions are in place to support these changes. As the world of work continues to evolve and hybrid working grows ever more powerful for business growth, businesses must begin to think about security as they develop applications, put them into production or upload them to the cloud.
The security community as a whole accepts that the state of things is unlikely to improve significantly next year, and that in fact attacks are likely to increase. Therefore, organisations must take a risk-focused approach, meaning that one key word should be on their mind: visibility. Businesses must have a clear understanding of asset criticality and where it is located, be it internally or introduced from reliance on third-party vendors. In this uncertain climate, a prepared business will be a successful business.