On May 2, 2024, Avril Haines, Director of National Intelligence, briefed the Senate Armed Services Committee on the growing threat posed by nation states and other threat actors. The hearing was recorded and is available from the Senate Armed Services Committee web site (the hearing starts at 00:15:25 into the video). Not everyone will find a Senate hearing on cyber-security riveting, but rest assured, Black Kilt is on the job. We reviewed every word so we can relay the relevant facts to our clients and followers.
Facts At a Glance
The theme of the briefing was clear. The United States faces a growing threat on multiple fronts, including adversaries' cyber warfare capabilities. The committee placed significant emphasis on state-sponsored threats from China, Russia, Iran, and North Korea. Director Haines cited a 74% global increase in ransomware attacks, noting that US entities were the most heavily targeted, with significant increases in the healthcare sector.
Also noted were increases in attacks on industrial control systems (ICS) at US organizations. These attacks can target private industry as well as critical public infrastructure such as water, power, and other heavily automated public works.
Director Haines noted that the most common attacks unfortunately still rely on default or weak passwords, unpatched vulnerabilities, and poorly secured network connections. This was presumably based on an analysis of recent attacks against US entities.
Why This Matters
During the briefing, Director Haines acknowledged that the risk of any single cyber-attack causing a wide-scale problem for the United States is still relatively low. However, she also noted that the growing volume and intensity of attacks raises the odds that some single attack will be far more impactful.
More importantly, the numbers are in. The IBM Cost of a Data Breach Report, researched by the Ponemon Institute, shows the US leading the pack for the 13th year in a row with the dubious honor of the most expensive average data breach. For 2023 the figure reached $9.48 million, more than double the global average of $4.45 million.
The report goes on to state that the average time to identify a breach was a staggering 204 days, with another 73 days to contain it. Breaches with a lifecycle of more than 200 days cost 23% more on average, compounding the impact. These numbers span industry verticals, with healthcare topping the charts in 2023. The public sector also appears in the breakdown, suggesting that attackers' motives are no longer purely financial but increasingly disruptive.
Insurance companies are using this data to set rates for cyber policies, control their exposure, and limit their risk. Accounting firm Yeo and Yeo calls out this trend in a recent article. As breach costs continue to rise, expect insurers to pass the cost on to customers in the form of stricter requirements to obtain a policy, higher premiums, and a greater likelihood of denied claims for policy non-compliance.
4 Things You Can Do
Businesses and government entities should note the concerning fact cited by Director Haines that the majority of attacks were not sophisticated at all and took advantage of weaknesses that are relatively easy to eliminate. Specifically, organizations should shore up any gaps in the following areas:
- Change default passwords before connecting any devices to a network
- Force the use of complex passwords for both users and devices
- Patch software and hardware vulnerabilities in a timely manner as security patches are released
- Secure network connections and monitor for unauthorized access attempts
Commercial vulnerability scanners commonly include default-credential checks, which are the easiest way to find devices still running factory passwords. For those on a budget, open-source alternatives can be a passable substitute, though they are typically less convenient and harder to use than their paid counterparts.
To prevent weak passwords, Active Directory Group Policy Objects (GPOs), Lightweight Directory Access Protocol (LDAP) server policies, and other configuration management tools should be set to enforce minimum length and complexity rules. Keep in mind that complexity rules alone still admit predictable choices such as a season plus a year with a trailing symbol, so pair them with a banned-password list. Again, these weaknesses can be audited and discovered with a variety of commercial and open-source utilities, depending on the budget and skill level of your organization.
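The following is an added illustration of what a password policy check that goes beyond raw complexity looks like; it is not Black Kilt tooling or an Active Directory component. The minimum length, the class-count rule, the leet-substitution map, and the small blocklist are all assumptions constructed for the example; a real deployment would load a breach-derived list and enforce the policy in the directory itself rather than in a script.

```python
"""Password policy check: length and character classes plus a blocklist.

Added example (not Black Kilt's code). Demonstrates why complexity rules
alone are not enough: "Summer2024!!" and "P@ssw0rd2024!" satisfy four
character classes but normalize to blocklisted base words.
"""
import re
import unicodedata

MIN_LENGTH = 12          # assumption for this example
MIN_CLASSES = 3          # at least 3 of: lower, upper, digit, symbol

# Constructed blocklist: base words attackers try first. A real list is
# thousands of entries derived from breach corpora.
BLOCKLIST = {
    "password", "welcome", "letmein", "qwerty", "admin", "changeme",
    "summer", "winter", "spring", "autumn", "company",
}

# Common "leet" substitutions to undo before comparing against the blocklist.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lowercase, strip a trailing digit/symbol suffix (e.g. '2024!'), undo leet."""
    base = unicodedata.normalize("NFKC", pw).lower()
    base = re.sub(r"[^a-z]+$", "", base)   # "summer2024!!" -> "summer"
    return base.translate(LEET)            # "p@ssw0rd"     -> "password"


def check_password(pw: str, username: str = "") -> list[str]:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")

    # Mirrors the AD rule that rejects passwords containing the account name.
    if len(username) >= 3 and username.lower() in pw.lower():
        problems.append("contains the username")

    if normalize(pw) in BLOCKLIST:
        problems.append("blocklisted base word (after stripping suffix and undoing leet)")
    return problems


if __name__ == "__main__":
    for user, pw in [("jsmith", "Summer2024!!"), ("jsmith", "P@ssw0rd2024!"),
                     ("jsmith", "correct-horse-battery-staple-42"), ("jsmith", "jsmith2024!A")]:
        print(f"{pw!r}: {check_password(pw, user) or 'OK'}")
```

The blocklist match runs on the normalized form so that the usual evasions (capitalizing the first letter, swapping in digits, appending the year) do not slip past it.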
In today's world, patching should be a no-brainer. It is easy to automate, relatively low risk to perform, and, as outlined earlier, has a highly positive impact on stopping attacks. In the past, a common excuse for not patching was the fear that a bad patch might crash every machine in the company at the same time. That risk is easy to mitigate with a staged rollout: patch a small pilot group first, then progressively larger rings, so a bad patch is caught before it reaches everyone. Once again, both commercial and open-source tooling is highly effective at detecting and applying missing patches, leaving little excuse for not implementing patch scanning and reporting in organizations of any size.
Last but certainly not least is the need to secure and monitor network connections. This is probably the most complex of the four tasks, often requiring specialized skills and advanced tools. Again, both paid and open-source tools exist to help, but they are not designed for the novice admin. At a minimum, authentication logs from externally reachable hosts should be collected and watched for bursts of failed logins, and for a successful login from an address that was just failing repeatedly. It is highly advisable to partner with an external firm that specializes in network and penetration testing to regularly probe corporate networks and external-facing connections to ensure adequate security is in place.
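As an added example of the monitoring described above (not Black Kilt's tooling, and independent of any particular SIEM), the script below parses sshd authentication lines in the usual Linux auth.log format and raises two alerts: a burst of failed logins from one source address, and a successful login from an address that had been failing shortly before. The log lines are constructed for the example, and the thresholds and time windows are assumptions to be tuned per environment.

```python
"""Detect brute-force bursts and success-after-failure in sshd auth logs.

Added example, not part of the original post. Sample log lines are
constructed; thresholds (5 failures per minute, 10-minute lookback) are
assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one brute-force source (203.0.113.7) that eventually
# gets in as 'ops', and one legitimate user with a single typo.
SAMPLE_LOG = """\
Jun 03 02:14:01 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 03 02:14:03 bastion sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Jun 03 02:14:05 bastion sshd[4125]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jun 03 02:14:07 bastion sshd[4127]: Failed password for root from 203.0.113.7 port 51128 ssh2
Jun 03 02:14:09 bastion sshd[4129]: Failed password for ops from 203.0.113.7 port 51130 ssh2
Jun 03 02:14:11 bastion sshd[4131]: Failed password for ops from 203.0.113.7 port 51132 ssh2
Jun 03 02:15:40 bastion sshd[4140]: Accepted password for ops from 203.0.113.7 port 51140 ssh2
Jun 03 02:20:00 bastion sshd[4150]: Failed password for jsmith from 198.51.100.22 port 40010 ssh2
Jun 03 02:21:30 bastion sshd[4152]: Accepted publickey for jsmith from 198.51.100.22 port 40012 ssh2
"""

# Syslog-style prefix, then the sshd result line. 'invalid user' is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Return (timestamp, result, method, user, ip) tuples; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication result line
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=1), lookback=timedelta(minutes=10)):
    """Two detections, returned as (alert_type, ip, user, timestamp):
    - brute_force: >= threshold failures from one IP inside `window` (once per IP)
    - success_after_failures: an Accepted login from an IP with >= threshold
      failures inside `lookback`, which is the event that actually matters.
    """
    alerts = []
    fails = defaultdict(deque)   # ip -> failure timestamps within lookback, oldest first
    flagged = set()              # ips already reported for brute force
    for ts, result, _method, user, ip in sorted(events):
        q = fails[ip]
        while q and ts - q[0] > lookback:
            q.popleft()                      # expire old failures
        if result == "Failed":
            q.append(ts)
            in_window = sum(1 for t in q if ts - t <= window)
            if in_window >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, user, ts))
        elif len(q) >= threshold:            # Accepted after a run of failures
            alerts.append(("success_after_failures", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The second alert is the one worth paging on: a brute-force burst alone is background noise on any Internet-facing host, but a success from the same address minutes later means a credential was guessed and the account should be locked and the session investigated.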
How Black Kilt Can Help
Black Kilt Security hires only the most seasoned professionals when it comes to infosec staffing and advisory support for your organization. Averaging more than 10 years' experience, our consultants are guaranteed to have the specific expertise to meet your organization's needs. We have performed hygiene, operations, and network management tasks for some of the largest companies on the planet and are sure to have the expertise to meet your needs at an affordable rate. We also maintain our own network of trusted partners for areas where specialized expertise ensures the right level of detail and focus. We will gladly extend our partner network to clients directly, or manage partners for you through our own contracts, whichever you prefer.
Contact Black Kilt today for a free consultation and hygiene assessment.