Vulnerabilities are unavoidable, breaches are not – interview
The threat of a damaging cyberattack from Russia got authorities hunting for vulnerabilities. However, the biggest flaw is that human creations such as software are not infallible.
Russia's war in Ukraine has taken cybersecurity to the forefront. Experts fear that Moscow might try to compensate for what it lacks in military power with cyberattacks on critical infrastructure in the US and allied countries.
Recently, The Five Eyes, an intelligence-sharing alliance consisting of the US, UK, Australia, Canada, and New Zealand, issued a joint warning, claiming Russian state-sponsored actors, together with cyber gangs, might strike critical infrastructure in the West.
US authorities, for example, discovered a new strain of malware that targets industrial control systems (ICSs). Dubbed INCONTROLLER, the malware abuses known vulnerabilities and is capable of inflicting severe damage on the infrastructure it's unleashed upon.
"Human beings write software, and human beings are inevitably flawed. The more pieces of software you have, the more likely it is that you will get breached." – Paul Martini, cybersecurity expert and the CEO of a cloud security company, iboss
Paul Martini, cybersecurity expert and the CEO of a cloud security company, iboss, says that elevated focus on vulnerabilities distracts security researchers from the more acute problem of access to critical systems.
"Human beings write software, and human beings are inevitably flawed. The more pieces of software you have, the more likely it is that you will get breached. It takes any one of these applications, any one of these ICSs, to have a vulnerability," Martini told Cybernews.
We discussed how nations guard against financially motivated as well as state-sponsored attacks. Martini explained that instead of figuring out who's going to pull the trigger, we ought to take note of industries that have already faced major physical security threats in the past.
Recently, there's been a lot of focus on a potential Russian cyberattack against the US and Western allies. Where do you think Moscow would hit first?
Critical infrastructure is a very vulnerable area because there's a lot of legacy software and technology. With all the sanctions and everything else going on with Russia, I think they'd attack wherever there could be the biggest impact. Obviously, the United States, UK, and Europe. I think that any largely populated western country could become a target for any type of attack.
Last week, the US authorities warned of a novel malware targeting industrial control systems (ICS). Do you think it's even remotely possible all businesses have managed to mitigate this risk by now?
I don't think that every business has mitigated that particular risk. The issue with ICS is that software will become vulnerable at one point or another. Especially with industrial controls that are very old, since a lot of these are not patched. Actually, a lot of industrial controls can't be patched that easily: they're not connected, and the software itself needs to be installed in a certain way.
But the core issue here is access. The recent discovery of malware only adds to a trove of vulnerabilities. CISA had found 95 vulnerabilities on a single day on March 3rd. They are coming daily. If I were a Russian hacker, I'd look at those vulnerabilities as a roadmap to create the attack.
We need to put the equivalent of an airport security checkpoint in front of these systems to prevent these attacks. If we do this in software, there's no way Russia or any other attacker can get to that control system or software because they can't get past the checkpoint. Zero trust can do that.
Even though the system is vulnerable, there's no access to it. Vulnerabilities are inevitable, and they are going to come week after week. There's no way all these ICSs have been patched to be secure from all vulnerabilities because the sheer volume of all vulnerabilities is staggering.
"Instead of figuring out which one of the millions of people of Russia might want to attack the system, you deny everybody and allow just the one person who actually might need to do some administrative work on that system. Everyone else is denied by default." – Paul Martini, cybersecurity expert and the CEO of a cloud security company, iboss
Employing zero trust en masse sounds like a long-term solution. However, governments warn of a possible attack in the short term.
I would recommend it as something you can implement short-term. Organizations can start with the highest impact on resources first. You don't have to put everything behind a zero trust checkpoint. Look at the most critical applications and resources you have, like industrial control systems, and put those behind zero trust first. Maybe there are a thousand different applications that are scattered throughout an organization. But if you can get the four or five key ones behind a checkpoint, you basically cut off access.
Russia is not going to come with soldiers in-person to create these attacks. They're going to do this on the internet. By just doing the several vital resources, whether it's an industrial control system, an OT system, or a very critical piece of software application, you're basically making those applications invisible. I think it can be implemented for high-impact, high-priority resources.
Human beings write software, and human beings are inevitably flawed. The more pieces of software you have, the more likely it is that you will get breached. It takes any one of these applications, any one of these ICSs, to be vulnerable. The goal is to mitigate this access.
Why do you think zero trust is not as widely employed if it's that useful?
The US government is moving its entire apparatus to zero trust, with the 800-207 guidelines, within the next two years. They realized that if the root cause is unauthorized access, whether something like Snowden or a breach, they need to control that part. The old way of doing things was putting things within a data center, keeping people in the office, and ensuring that there was no physical access. But what happened with COVID in the last 24 months was that everybody left the office.
And all of the applications that we use every day left the office, too. That's why we see many breaches and ransomware attacks. They're no longer in the data center. So, the government is moving very quickly. When the US government says they're going to move in 24 months, all agencies are mandated to move to zero trust under the executive order. It's for a reason.
This move also changes the approach to the problem. Let me give you an example. If I gave you a job to prevent an airplane from being attacked, there are two ways you could approach that problem. One solution is to figure out which one of the 8 billion people on the planet might blow the plane up.
The zero trust model inverts the solution. It says 8 billion people are not boarding that plane, there are only 500. What we're going to do is we'll only look at the 500 that should be boarding the plane. And that's why you put a checkpoint. That's why you see an airport's security checkpoint. If you don't have a boarding ticket and you don't have your ID, you're not stepping on that plane.
Zero trust does the same thing. For example, you have an industrial control system. How many people need to have access to it? Probably a few. It's the people that actually run the system. There shouldn't be hundreds or thousands of people that have access to it.
Instead of figuring out which one of the millions of people of Russia might want to attack the system, you deny everybody and allow just the one person who actually might need to do some administrative work on that system. Everyone else is denied by default.
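As an added illustration (not code from the interview or from iboss), a minimal deny-by-default checkpoint of the kind Martini describes: each critical resource carries a short allowlist of the identities that genuinely need it, and a request passes only when the identity is on that list, is verified, and comes from a compliant device. Everything else, including any resource with no policy at all, is denied and logged. Resource and user names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    identity_verified: bool   # the "ID": strongly authenticated (e.g. MFA)
    device_compliant: bool    # the "boarding ticket": managed, healthy device


@dataclass
class Checkpoint:
    """Deny-by-default gate placed in front of a few critical resources."""
    allowlist: dict[str, frozenset[str]]   # resource -> the handful of admins who need it
    audit: list[str] = field(default_factory=list)

    def decide(self, req: AccessRequest) -> bool:
        allowed = self.allowlist.get(req.resource)
        if allowed is None:
            reason = "resource has no allowlist (default deny)"
        elif req.user not in allowed:
            reason = "identity not on allowlist"
        elif not req.identity_verified:
            reason = "identity not verified"
        elif not req.device_compliant:
            reason = "device not compliant"
        else:
            self.audit.append(f"ALLOW {req.user} -> {req.resource}")
            return True
        self.audit.append(f"DENY {req.user} -> {req.resource}: {reason}")
        return False


# Constructed sample policy: one ICS resource, two operators who actually run it.
PLC_ALLOWLIST = {"plc-pump-station-7": frozenset({"ot-admin-1", "ot-admin-2"})}


def run_demo() -> tuple[list[bool], list[str]]:
    cp = Checkpoint(allowlist=PLC_ALLOWLIST)
    requests = [
        AccessRequest("ot-admin-1", "plc-pump-station-7", True, True),    # the one person who needs it
        AccessRequest("ot-admin-2", "plc-pump-station-7", True, False),   # right person, untrusted device
        AccessRequest("contractor-9", "plc-pump-station-7", True, True),  # not on the list
        AccessRequest("ot-admin-1", "hmi-legacy-unlisted", True, True),   # resource with no policy
    ]
    return [cp.decide(r) for r in requests], cp.audit
```

The point of the inversion is visible in the audit trail: the policy never has to name an attacker, only the few identities that should be there.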
There's been a flood of ransomware attacks on critical infrastructure in the West in 2020 and 2021. Interestingly, many of the most notorious ransomware groups are based in Russia. Some, like Conti, even pledged allegiance to Putin himself. Do you think some of those attacks were made on behalf of the Russian government?
It's a possibility. Cyberwarfare between nation-states happens every single day. However, the simple answer is that many of these attacks are financial crimes, a modern version of bank robbery. And if you can commit bank robbery in a country that doesn't enforce the laws, you will commit the crimes there.
Countries like Russia allow threat actors to do these things without legal repercussions. I think this is why we see a lot of ransomware attacks coming from Russia. But it's also a great way for the government to masquerade if they're making a state-sponsored attack. To blame the hackers that are getting the money, but maybe they're attacking with the blessing of the Russian government.
Do you think Russia could employ ransomware groups to further disrupt systems in the West? After all, financially motivated groups serve as a rather convenient smokescreen.
Why wouldn't they, right? They have sanctions against them. The government could sponsor that. Definitely. We wouldn't know. We know that there are no repercussions when they commit those crimes. In my opinion, this behavior is also a form of support by the government because they're not punishing the crime.
You just don't see as much of that coming from the US, UK, or Germany because if you did that there, authorities would hunt you down, and there would be repercussions for the crime. Whether they sponsor the initial attack or choose not to enforce the punishment for the crime, it's the same thing. It is state-sponsored regardless. They're condoning this type of behavior.