Cybersecurity News - February 2022

The focus on protecting the “crown jewels” is no longer enough. Today, the parts of complex systems that are interconnected within an organization and outside with third parties are now targeted by hackers.

Addressing systemic risks begins with understanding the systems end-to-end—including the parts within them and the third-parties that are interconnected. This includes mapping and understanding the impact if a critical part of a system fails or is corrupted on the larger system. Then it’s a matter of mitigating systemic risk through steps like network segmentation and the isolation of credentials.

Systemic failures and cyberinsurance
Organizations need to recognize that cyberinsurance generally only covers a small part of cyber risk, particularly in cases of a large-scale systemic failure. Learn more about systemic risk by visiting our Insights page at: https://www.mufgamericas.com/insights-and-experience/trending-topics/some-vital-lessons-in-how-systemic-risk-changing-in-cybersecurity.

Source: Zukis, Bob. Some Vital Lessons In How Systemic Risk Is Changing Cybersecurity. Originally published by Forbes. September 2, 2021. https://www.mufgamericas.com/insights-and-experience/trending-topics/some-vital-lessons-in-how-systemic-risk-changing-in-cybersecurity.

Cyberattackers actively exploit environments reliant on third-party support. This means CIOs and CISOs need to account for the third-party elements of their own IT environments. Consider the following measures and actions to reduce third-party cyber risk:

• Establish role-based access controls to applications, databases, and infrastructures aligning with zero-trust controls as much as possible and removing single-user accounts on highly privileged systems. Require multifactor authentication (MFA) for all privileged role-based access.
• Build suspicious third-party use cases (e.g., single-user logins made in a short time period from several geographically distant IP addresses) in order to identify them. • Develop incident guides for third-party supply-chain attack scenarios and conduct tabletop exercises with key software vendors. Ensure all staff members know procedures for handling incidents.
• Require escalation protocols, service level agreements, and security training and certifications in contracts.
• Implement a third-party cyber risk framework that provides risk rating of suppliers. Routine supplier evaluation on relative risk can assist in informing strategic decisions on procurement, risk management, and resource allocation. Reciprocally, third-party providers can take the following actions to support client security.
• Perform security reviews across products and transparently report the findings—including vulnerabilities—to clients.
• Identify and patch product vulnerabilities and communicate these actions to clients.
• Implement threat modeling for product development and share the results with clients.
• Expand code testing to include stress testing on code tampering, degradation of data integrity, and corporate integration suitability.
• Perform red-team exercises on the software supply chain to assess infrastructure security.

Source: Al Issa, Ayman; Bailey, Tucker; Boehm, Jim; and Weinstein, David. Enterprise cybersecurity: Aligning third parties and supply chains. McKinsey & Company. May 12, 2021. https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/enterprise-cybersecurity-aligning-third-parties-and-supply-chains.

The author of the Some Vital Lessons In How Systemic Risk Is Changing Cybersecurity article, Bob Zukis, explains systemic risk:

“Systemic risk in cybersecurity is the inherent risk that exists within complex digital business systems. It’s the threat of risk spreading into a business from connected third-parties or out of your business into others. It’s also the threat of one part of a digital business system going down, which then cascades and has a much larger negative impact on the extended system.”

Source: Zukis, Bob. Some Vital Lessons In How Systemic Risk Is Changing Cybersecurity. Originally published by Forbes. September 2, 2021. https://www.mufgamericas.com/insights-and-experience/trending-topics/some-vital-lessons-in-how-systemic-risk-changing-in-cybersecurity.

Virtual private networks (VPNs) enable remote users access to internal services with the protections offered to onsite users. These remote access VPN servers are entry points into protected networks, so they are targets for cyber attacks.

Nation-state Advanced Persistent Threat (APT) actors exploit public Common Vulnerabilities and Exposures (CVEs) to compromise vulnerable VPN devices. Some exploit code is freely available online, which enables malicious actors to perform: credential harvesting, remote code execution of arbitrary code on the VPN device, cryptographic weakening of encrypted traffic sessions, hijacking of encrypted traffic sessions, and arbitrary reads of sensitive data (e.g., configurations, credentials, keys). These actions typically lead to further malicious access through the VPN, resulting in large-scale compromise of the corporate network or identity infrastructure and sometimes of separate services.

To help organizations select and harden VPNs, the U.S. National Security Agency (NSA) and U.S. Cybersecurity and Infrastructure Security Agency (CISA) developed the Selecting and Hardening Remote Access VPN Solutions information sheet. Highlights:

• Select standards-based VPNs from reputable vendors that have proven track records of quickly remediating known vulnerabilities and following best practices for using strong authentication credentials. Avoid non-standard VPN solutions because using custom or non-standard features creates additional risk exposure, even when the Transport Layer Security (TLS) parameters used by the products are secure.
• Harden the VPN against compromise by reducing the VPN server’s attack surface with strong cryptography and authentication, running only strictly necessary features, and protecting and monitoring access to and from the VPN.

Source: National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA). Selecting and Hardening Remote Access VPN Solutions. NSA and CISA. September 2021. https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF.

Defining the acronyms

Virtual Private Network (VPN)
Allows users to remotely connect to a corporate network via a secure tunnel.

Advanced Persistent Threat (APT)
An adversary with sophisticated levels of expertise and significant resources that uses multiple attack vectors (e.g., cyber, physical, and deception).

Common Vulnerabilities and Exposures (CVE)
A list of publicly disclosed computer security flaws, each of which is assigned a CVE ID number. Security advisories typically mention at least one CVE ID.

The CIO and CISO both have cybersecurity responsibilities within most organizations. The CISO looks at security and is protecting the enterprise from cyber threats. Meanwhile, the CIO builds security into the broader technologies and ongoing digital transformation projects. These roles can be closely aligned and interconnected, despite the fact that the roles have different objectives.

These roles will further evolve alongside cybersecurity and in managing third-party connectivity as well as mergers and acquisitions. Learn more from various industry professionals about the CISO/CIO dynamic by visiting our Insights page at: https://www.mufgamericas.com/insights-and-experience/trending-topics/how-cisos-and-cios-should-share-cybersecurity-ownership.

Source: Hill, Michael. How CISOs and CIOs Should Share Cybersecurity Ownership. Originally published by CSO Magazine. September 16, 2021. https://www.mufgamericas.com/insights-and-experience/trending-topics/how-cisos-and-cios-should-share-cybersecurity-ownership.