Geopolitics and the Threat Landscape: A Webinar Recap
Any time we get together with our partners at CyberCX, the conversation is sure to be insightful, and our recent webinar, Geopolitics and the Threat Landscape, was no exception. During the webinar, Larry Letow, CEO US of CyberCX, facilitated a conversation between CyberCX advisor and former Director of the National Security Agency, Admiral Mike Rogers, and KirkpatrickPrice Founder and President, Joseph Kirkpatrick. The three experts discussed the current threat landscape and how it will affect us at an organizational and national level.
Note: The answers to the questions below have been summarized for the purposes of this blog. Listen to the full webinar for a more in-depth discussion.
With hostilities around the world continuing, we seem to be seeing a spike in attacker activity. Will it continue to get worse? What should companies and individuals focus on?
Unfortunately, it’s most likely going to get worse before it gets better, and this should act as a reminder that cyber exists in a broader context than many people realize. Many of the conflicts around the world have a cyber aspect to them. In fact, Admiral Rogers said he couldn’t think of a crisis in the last few years when there hadn’t been a cyber dimension. He brought up the example of Russia in the current war with Ukraine and how Russia went after supply chains. It’s important to remember that even if you or your organization isn’t a direct target of cyber hostility, you may still be affected, as many organizations were by the supply chain attacks. Admiral Rogers had these remarks:
“You need to think about the broader world around you. You can’t just have your head down. You have to have your head up, and you need situational awareness about what’s going on in the world because, oftentimes, it will be a precursor to cyber activity that you’re going to see clearly.”
This is why cyber-resilience is so important. The Admiral mentioned that if he had to choose between cyber defense and cyber resilience, he’d focus his money on cyber resilience. If we jump back to the Russia and Ukraine conflict, Ukraine has done a great job of building up a high level of cyber resilience. They are a good example for organizations that are trying to make sure they are ready in the event of penetration. The focus shouldn’t solely be on stopping attacks but rather assuming cyber-defense efforts fail and the adversary is able to gain access to an organization’s networks and figuring out how to keep going in a time of crisis.
When you are at peace time, how do different political ideologies and systems impact a nation’s approach to security and its view of global threats?
Different countries view cyber in different ways. Admiral Rogers pointed out that countries like Russia and China tend to argue that cyber is an extension of sovereignty. In other words, they believe cyber should be viewed similarly to the physical terrain or territory of a nation state. Just as they control the activities that go on within their territory, they believe that they should be able to control what is going on in cyber. However, other countries like the US argue that cyberspace should not be viewed as an extension of any particular nation state and should remain largely ungoverned.
The Admiral pointed out that there are competing models around the world regarding how cyber should be governed. Because of these differences, there has been very little success over the last twenty years in establishing broad, international cybersecurity standards.
Joseph voiced his concerns about complacency in times of peace. When there is conflict, organizations are more likely to stay vigilant, always looking for threats and vulnerabilities, but in times of peace, some organizations lose their sense of urgency. He reminds organizations to always be watching for what’s coming next.
We hear about zero trust everywhere nowadays. What does it mean to you, and how should organizations effectively implement it to enhance their security posture?
Joseph mentioned that it’s nice to hear people talking about and recognizing the importance of zero trust. He sometimes still calls the practice by its older name, “deny all.” The concept of deny all — restricting access to everything and only explicitly allowing people what they need — has been around in cybersecurity for decades. However, the difference between deny all and zero trust is that people are starting to acknowledge that we shouldn’t trust our privileged environments and our internal environment either.
Oftentimes, in an audit or penetration test, our clients will say, “We don’t care about the internal network because that’s where all the authorized people are.” These clients believe that the only threats come from outside of their environments. If no one unauthorized is allowed internally, why test it? There’s often a false sense of security when it comes to internal environments, but zero trust is causing people to realize that we shouldn’t trust internal environments either. We need to verify who has access to these sensitive parts of our networks.
Admiral Rogers added that identity is an increasingly tenuous concept, not just user identity but also the identity of hardware, software, and devices. We can’t assume that the only challenges are external.
Zero trust can take a lot of time and resources to do effectively, but it’s something that needs to be done in today’s threat landscape to keep an organization’s data as secure as possible. The effort will pay off in the end.
How do you think the US is performing on Public and Private collaboration and how can the two sectors collaborate more effectively to mitigate cyber threats and vulnerabilities on a national scale?
Admiral Rogers made the point that, in this context, collaboration has always meant that one party does their own thing and the other party does theirs. As they come across knowledge or insight that they think might be of concern to the other party, they share that information. Historically, this approach has been insufficient for the challenges that we’re dealing with.
A better solution is a more integrated model that gives the country greater speed, greater situational awareness, and a much more resilient and integrated approach to both cyber defense and the ability to create cyber resilience. The Admiral suggests shifting from a model of collaboration to integration.
It’s important to make those around you aware, and Joseph noted the importance of sharing the information at your disposal. When information is shared, we can better secure our organizations. We can’t discover all of the threats and vulnerabilities alone, so sharing information allows us to do better than if we were trying to do it all on our own.
With the landscape of cyber threats changing every day, how are the NIST and SOC frameworks keeping up with the demands?
Joseph stated that NIST has a cycle of updating their frameworks and providing resources and references that keep up with the threats, although they are always a little behind. The SOC frameworks remain woefully behind; however, at its core, the SOC framework preaches risk management, which is always relevant. Risk management is the portion of the SOC framework that Joseph thinks companies should be taking away. You can’t always rely on a document to tell you which controls your organization needs to put in place, but you can rely on solid risk management principles to help determine what controls your org needs.
Even if certain frameworks fall behind, you can always take what you know about risk management and go from there. Some companies do a risk analysis once a year, but for others, that’s not enough. It’s all about assessing the risk associated with your organization and working to manage and mitigate that risk to the best of your ability.
No framework will ever be the end-all, be-all for protecting your organization. It’s important to remember that frameworks are there to provide guidance, but every organization is different and has different needs when it comes to incident response planning.
Admiral Rogers mentioned that an important part of risk management is making sure everyone has a clear understanding of what to do if and when a security event occurs. Training, simulations, education, and self-assessment are all key steps to strengthening your organization’s security posture in this ever-changing threat landscape.
What is the comfort level with certificate-based authentication as a replacement for multifactor authentication (MFA)?
Joseph voiced his discomfort with certificate-based authentication, noting the various ways to spoof illegitimate certificates. Even though the number of issuing authorities has been cleaned up over the years, there are still ways to get around that authentication.
Admiral Rogers added that it’s important to realize that there is no one-size-fits-all solution for every organization. We shouldn’t necessarily be thinking that all we need to do is focus on one technology, like choosing between certificates and MFA. The Admiral believes in a multi-layered approach to cybersecurity, which seems to offer the greatest probability of success. There are ways for bad actors to get around both certificate-based authentication and MFA, so a combination of the two approaches is smart for many organizations.
We know financial institutions have been major targets of bad actors, but what other industries are being targeted more than they were, say, five years ago?
We’ve seen an increase in small- to medium-sized businesses being targeted in addition to the larger enterprise corporations that have been targets in past years. This seems to be the biggest change in the last five years that Joseph has noticed. Companies of just a handful of people have had issues with cyber attacks and are working on how to protect their organization and become more cyber resilient. Years ago, smaller businesses weren’t as big of a target as they are now.
There has also been an increase in attacks on the healthcare industry. Many organizations in the healthcare industry need penetration testing, cybersecurity audits, and compliance audits.
Admiral Rogers added that he’s seen an increase in threat activity in education as well, due to the amount of personal information institutions like universities are responsible for.
Not too long ago, there were a couple of ransomware attacks on popular casinos. One paid the ransom and one didn’t. What are your thoughts on ransoms? Is there a time when you have to say yes or no to the ransom?
Admiral Rogers acknowledged that, once again, there is no one-size-fits-all answer when it comes to ransomware attacks. Each attack is different. A question these organizations should be asking themselves is whether failure to pay the ransom will result in any injury or death. Is there a human dimension to the attack? What kind of financial loss will result from paying the ransom?
The Admiral suggests companies have a policy in place for these types of attacks that states that you will not pay the ransom unless certain criteria are triggered, like injury or death.
Joseph suggested that every board work through an exercise where they are faced with the decision of whether or not they will pay the ransom. The hope is that the board can work through this scenario and come to a conclusion on what they would need to do in a real-life situation. From there, it’s important that organizations use their experiences in these exercises to develop and invest in incident response and disaster recovery planning and testing.
AI is a hot topic on everyone’s mind lately. We don’t have national guardrails up to say what companies should or shouldn’t do with the technology. What are your thoughts on this topic?
Admiral Rogers started off by pointing out that AI, like most technology, is going to come with some pros and some cons. It can be a tool that will help us learn and adapt faster from a cybersecurity perspective. It will also help us anticipate adversary activity better than we could before. On the other hand, AI will allow threat actors to write more effective malware. It’s not all good or bad, but it is advisable to continue to learn about this new technology and see how we can use it to make organizations better.
With the speed at which new technology enters the scene, we don’t have the capacity to continuously evaluate every facet of the technology, Joseph added, so it’s important to go back to the principles we know. We know what our disclosure policies are with third parties, and that’s what AI is: another third party. We still need to understand where our data comes from and goes. We dealt with these topics and issues in our policies and procedures before ChatGPT and similar platforms, so whenever something new comes onto the scene, we need to apply the principles that we already know to this new technology.
What are one or two things that organizations can do to prioritize staying ahead of cyber adversaries?
Admiral Rogers suggested really focusing on training. It’s important for organizations to develop procedures and then actually practice them. He also advises going back to the basics. So much of cybersecurity revolves around the basics. Make sure you fundamentally understand the structure and the connectivity of your organization.
To end the session, Joseph agreed that going back to the basics, really understanding your risk and communicating that risk to your employees, is essential to staying ahead of cyber adversaries.
You Don’t Have to Face Today’s Threat Landscape Alone
As we learned from this conversation, there’s a lot to think about regarding today’s threat landscape. Organizations aren’t only being targeted by individual bad actors; global conflicts are also threatening the security of their data and systems. It can feel overwhelming to think about securing your business when the stakes are so high, but don’t worry; you don’t have to face the threats alone.
Here at KirkpatrickPrice, we are committed to helping you feel confident when it comes to your organization’s security and compliance. We offer risk assessment reviews, advisory services, penetration tests, and more to help you feel confident in your organization’s security practices. Make sure to check out our partners at CyberCX to further strengthen your org’s security program by managing cyber risk, building resilience, and growing with confidence. If you have questions about anything discussed in the webinar or are ready to strengthen your organization’s defenses against today’s threats, connect with one of our experts.