By Scott Manning
In the wake of the recent cyberattacks against the Colonial Pipeline and the meatpacking company JBS SA, Gerard Gagliano explains the nature of recent cyberattacks and what measures must be implemented in new security systems to keep governments and businesses safe. Gagliano is a cybersecurity expert and the founder of Prodentity, a Corrales company that specializes in developing security solutions. According to Gagliano, the current approach to cybersecurity in business and government emphasizes credentials, which determine and restrict access to sensitive information. This access-control model will be familiar to readers: to access an online account, one must present a username and password as identification. In a more sophisticated implementation, different users on a server are granted credentials based on their role in the organization. This means that an individual of authority in a business or organization may be granted extensive access to a variety of sensitive materials in the computer system. To access these materials, the user simply presents the correct credentials as proof of identity.
Gagliano explains that this current credential-based model of cybersecurity is 60 years old and seriously flawed. Consider, for example, what happens when a hacker obtains the correct credential information of a high-ranking official in an organization. This hacker can use the credential information to pose as the official and access highly sensitive information from the computer system. Or take the case where a hacker obtains a low-level credential which enables only limited access to a computer system. The hacker can remain inside the computer system and assess its security weaknesses from within. Over time, the hacker can gain higher access credentials or observe activities that take place in the organization’s computer system and server. In a ransomware attack, the criminal accesses highly sensitive information and encrypts the company or government data so that a key is required to access the information. The criminal then charges the organization a large amount of money and gives the organization the key in exchange.
The Colonial Pipeline and JBS SA suffered ransomware attacks in May. Ultimately, both Colonial Pipeline and JBS SA were forced to pay the criminals ransom in exchange for the keys to encrypted company data. These examples demonstrate that the credential-based model does not provide adequate security against sophisticated hacking and ransomware. Gagliano explains that a new security paradigm must be embraced that supplements credentials with a “trust and context” model of security. This new model of security, developed in the 1990s, defines a set of behaviors and patterns that a credentialed user must follow in order to be trusted in a computer system. To understand this approach, consider the situation where your car breaks down and you need repair services.
Most people would consult with their friends and family for a referral to a good repair service before consulting with the yellow pages because we trust our friends and family more than anonymous third parties. This model of trust can be mirrored in the cybersecurity setting: users in a computer network exhibit behaviors that constitute a spectrum of cyber trust. In practice, this trust model would translate to a variety of applications. For example, a sophisticated security model would consider not just the credentials of an individual but also the network that the individual is using to access the computer system. If the company is domestic with no international operations but a credentialed user attempts to access the computer system from a server outside of the country, then the security system would restrict this access. This kind of irregular server access yields lower trust than domestic server access.
Context also matters. Say that a cybersecurity network identifies that a certain credentialed user often accesses the computer system during a standard workday. Then an attempt is made to access or work in the computer system at 1 a.m. This behavior is also suspicious because it deviates from the normal work schedule. This kind of low-trust behavior can also be monitored and controlled. And to supplement access credentials, additional security questions and further proof of identity could be required of users as they operate a computer system. All these considerations would make the trust-based model of security far safer than the current credential model. Gagliano explains that this new security model aims to be proactive in security rather than reactive. The traditional security model is reactive, meaning that it works to identify and minimize damage done after a breach has already occurred. The new trust-based model would limit breaches from occurring at all by restricting broad access to credentialed individuals and only granting access to the parts of a computer system that specific operators regularly use. This change minimizes the risk that one compromised set of credentials would threaten vast amounts of data contained in a computer system.
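As an added illustration of the trust-and-context checks described above (example code, not from the article or from Prodentity), the following Python evaluates a login against a user's baseline: valid credentials merely open the evaluation, and out-of-country access, off-hours access and unfamiliar resources lower a trust score that decides between allowing, demanding further proof of identity, or refusing. The penalty weights, thresholds, the Baseline and AccessRequest fields and the sample requests are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Baseline:                # a user's observed normal behaviour (constructed for this example)
    home_country: str
    work_start: int            # first hour of the normal workday, 24-hour clock
    work_end: int              # hour the workday ends (exclusive)
    usual_resources: frozenset # parts of the system this operator regularly uses

@dataclass(frozen=True)
class AccessRequest:
    credentials_valid: bool    # username/password checked out
    source_country: str
    when: datetime
    resource: str

ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"
def evaluate(req, baseline):
    """Return (decision, trust score 0-100, reasons). Valid credentials only start the evaluation."""
    if not req.credentials_valid:
        return DENY, 0, ["invalid credentials"]
    score, reasons = 100, []
    if req.source_country != baseline.home_country:        # access from outside the country
        score -= 70
        reasons.append(f"source {req.source_country} outside {baseline.home_country}")
    if not baseline.work_start <= req.when.hour < baseline.work_end:  # e.g. a 1 a.m. login
        score -= 40
        reasons.append(f"access at {req.when:%H:%M} outside normal hours")
    if req.resource not in baseline.usual_resources:       # part of the system this user never touches
        score -= 40
        reasons.append(f"{req.resource!r} not among this user's usual resources")
    if score >= 70:
        return ALLOW, score, reasons
    if score >= 40:
        return STEP_UP, score, reasons                     # demand extra proof of identity first
    return DENY, score, reasons

# Constructed baseline and requests for a domestic-only company's finance operator.
FINANCE = Baseline("US", 8, 18, frozenset({"ledger", "payroll"}))
SAMPLE_REQUESTS = [
    AccessRequest(True, "US", datetime(2021, 6, 7, 10, 15), "ledger"),     # normal workday
    AccessRequest(True, "US", datetime(2021, 6, 8, 1, 0), "ledger"),       # 1 a.m.
    AccessRequest(True, "DE", datetime(2021, 6, 8, 10, 0), "ledger"),      # from abroad
    AccessRequest(True, "US", datetime(2021, 6, 8, 1, 30), "hr-records"),  # 1 a.m. and unusual resource
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.when, r.source_country, r.resource, evaluate(r, FINANCE))
```

The off-hours request alone triggers a step-up rather than a refusal, matching the article's suggestion of additional identity questions, while the foreign login is refused outright.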
Gagliano says that this new security framework must be adopted to fundamentally change cybersecurity. Other solutions may help to move away from the old model, but without this new framework the solutions are at best an incremental step forward. Both businesses and governments use the outdated, credential-based model of cybersecurity. Gagliano suggests that organizations have been hesitant to implement cybersecurity changes for a host of reasons. In his experience as an advisor for the government, government officials were afraid to make large decisions about cybersecurity. And Gagliano suggests that some businesses have been more focused on profit margin than on solving the cybersecurity problem. This inertia is only worsened by naiveté about the severity of cybersecurity threats and by procrastination.
According to Gagliano, the cybersecurity issue is made worse by a lack of transparency from companies and the government about cyberattacks. Experts speculate that fewer than half of ransomware attacks are made public in any way. Gagliano suggests that this is because companies and governments are embarrassed to reveal their vulnerabilities to their customers and citizens. The concern for citizens and consumers is further compounded by the fact that no laws require compensation for individuals who are associated with a hacked company or government service. If a company loses a customer’s credit card information in a cyberattack, the bank will often just issue the individual a new credit card without further compensation. Cybersecurity is also a concern for the ever-expanding internet of things (IoT), which encourages the model that devices of all kinds should be connected to the internet. These kinds of products include everything from smart home devices to kitchen appliances that are connected to the internet. Many of these consumer devices are designed with little to no consideration of cybersecurity. According to Gagliano, this kind of cybersecurity sloppiness exists all the way down to individual home routers, where people install Wi-Fi networks and leave the default password on the device. To combat this sloppiness, Gagliano calls for comprehensive security considerations for all internet devices.
The recent cyberattacks at the Colonial Pipeline and at JBS demonstrate that natural resources and food supplies are susceptible to cyberattacks. Gagliano calls for a new model of cybersecurity that considers all internet devices because any network is potentially at risk. Cyberattacks have evolved over the past few decades into sophisticated operations. In the infancy of cyberattacks, the goal of such attacks was simply malicious. These malicious attacks aimed to cause harm to computer networks. But cyberattacks have evolved into a commoditized industry. These days, ransomware services are offered to hackers who pay to use ransomware platforms to encrypt and ransom sensitive corporate and governmental data. The hacker keeps a portion of the money made and gives a percentage to the ransomware service that provided the hacking infrastructure. The next frontier of offensive cyber defense involves tracing these hacking infrastructures and shutting them down. Unlike most companies, the government has the resources and reach to trace internet interactions concerning this commoditized hacking industry. But these hacking groups are savvy about preserving their infrastructure. DarkSide, the criminal group behind the Colonial Pipeline attack in early May, announced that it was disbanding. This move was likely done to bury the evidence of the hack and to preserve its infrastructure for further use.
In addition to commoditized cyberattacks by lone wolves and criminal organizations, there is the question of foreign involvement. A major concern is hacking from rival nations such as China and Russia. Gagliano explains that hacking groups located in China or Russia are, if not officially state sponsored, then tolerated and accepted by the government. Gagliano advises that the trust-based security model be adopted by government and industry regardless of what political agreements are reached concerning cybersecurity. Gagliano admits that hackers are bright individuals and that someone will always figure out a workaround in any security system. Therefore, even after adopting the trust-based cybersecurity model, companies and governments must remain vigilant and open to further security solutions. Improvements to cybersecurity will be an ongoing process. A good first step would be to eliminate the outdated credential-based model.