February 13, 2020//Tony Howlett
We’ve made it through one full month of the New Year and the outlook for terrorism-related cyber incidents is already pretty stormy. During the standoff with Iran, cyberattacks were listed as one of their top possible responses. The City of Las Vegas was hit with a sustained cyberattack attributed to Iranian-related groups and there have been a few other instances of attacks on small U.S. government sites hosted overseas after this event. In the wake of these incidents, the U.S. Department of Homeland Security warned private enterprises that support critical infrastructures such as banking, health care and public utilities to be braced for more possible reprisal attacks.
There are a lot of reasons that cyberattacks are attractive to nation-state actors. First of all, they can be done from anywhere to anywhere. They cross physical borders at the speed of light on high-speed data lines and take effect instantly. They are also hard to directly attribute if the actor wants some amount of plausible deniability. And if they fail, usually nobody knows, so there is less chance of an embarrassing failure. Finally, cyberattacks don’t risk valuable troops and military hardware—it’s just bits and bytes fired from keyboards, so it’s a very cost-effective response.
Cyber terrorists are different from other cybercriminals in that they are usually not seeking monetary gain. They are seeking to cause pain, either physically or emotionally, on the opposing country’s citizens through either denial or destruction of cyber-infrastructure and resources. They may also see to commandeer such resources to cause terror, such as tampering with dams or power utility infrastructure. And now with so much of our economy relying on technology that is connected to networks, it is a more attractive target space than ever.
Modern first-world economies, the United States included, are even more vulnerable since much of the critical infrastructure is in private hands. It is much more difficult to secure many disparate corporations or quasi-public entities such as local electric companies, hospitals, school districts, and small governments than it is to secure a unified attack surface. Many different technology platforms, staffs and general security awareness levels make security even more difficult.
When state actors seek to do harm or send a message, they want to affect as many people as possible. Affecting one hospital or one city government isn’t very impactful. Affecting dozens or hundreds of sites is much more powerful and newsworthy. We saw this effect when 22 cities in Texas were taken offline in August 2019 in simultaneous ransomware attacks. This “mass” ransomware event overwhelmed even state-level resources and caused the governor to declare a state of emergency. The same thing happened in Louisiana a few months later. The Texas attack was perpetrated by breaking into a third-party vendor that all the cities used to infiltrate and attack many targets at once. This methodology provides an attacker with a force multiplier for their efforts to spread digital destruction and mayhem to multiple sites at once.
How do you protect yourself from these types of mass attacks launched through third-party vendors? It starts with good third-party vendor hygiene, also known as third-party risk management. This means that if a vendor is going to have access to any part of your infrastructure, they should get special scrutiny before, during and after onboarding. If they are to have privileged access to systems, this assessment should be even more thorough. You want your third parties to be as secure as you are, at least when it comes to accessing your networks and systems.
Once you’ve vetted your vendors, you will want to manage and monitor them with good technical controls. Solutions such as Vendor Privileged Access Management (VPAM) can help you process vendor access efficiently and securely and be able to audit their activities for both security and compliance.
All these things are part of a vendor management program that any organization with more than a few vendors should have. Hopefully, your organization will never become the target of cyberterrorism. But, with the right vendor management tools, processes, and procedures such as third-party risk management, you can much more likely to withstand any attacks, as the City of Las Vegas was able to do in the attack mentioned above. Good luck out there!