We have discussed various environmental factors that can lead to rather disastrous outcomes in the networked world when cybersecurity measures fail to protect systems. We have also discussed certain cybersecurity failures and subsequent attacks that can lead to a cascading or multiplying effect. A while ago, I also wrote about the enormous growth of IoT devices that can potentially lead to massive uncontrollable events comparable to a chain reaction.
The previous blogs led me to something that should be obvious: the absolute importance of prioritizing cybersecurity risks. Unfortunately, it is not always so obvious and is certainly not always dealt with in a befitting manner. A large volume of minor, seemingly innocuous cybersecurity risks can have a cumulative impact that exceeds the impact of the rarer risks that carry a sizeable net effect (payload), even though the high-payload risks are far less voluminous.
An analogy would be something like a nuclear attack. The impact of such an attack is quite massive, and it is essential to address such risks and create protections commensurate with the potential impact. However, while such risks are high on the list of threats to handle, it is at least equally important to address lower-impact risks with the potential for high-volume exploitation.
For example, it is critically important to ensure thousands of IoT devices entering a nuclear weapons facility do not bring in cybersecurity risks, which, when exploited, could potentially lead to a security breach. The good news is that many safeguards are in place in the world of nuclear weapons to prevent such outcomes. Part of the reason is that the impact is very well understood.
Clever attacks are not ones where the attacker goes forth boldly and raises red flags. A competent attacker will stealthily do things and exploit minor flaws over time to avoid detection, and this can still result in a big disaster in the end. The infamous Stuxnet attack of 2010 is a good example. It was a worm designed to destroy or hamper Iran’s nuclear refining capabilities, and it was quite effective. While the attack was executed in 2010, research indicates that the capability's development and testing began as early as 2005. Because of all the countermeasures, these attacks are challenging to perform.
Let’s pan to the enterprise world. Understanding the impact is often non-intuitive with enterprise systems and critical infrastructure. We are only marginally capable of assessing the impact and risk of cyber attacks that have yet to occur. We are even worse at paying attention to minor issues that can lead to such events. The daily news feeds are filled with our failures.
Why does this happen? We tend to focus on what appears to be a prominent attack scenario and not give adequate attention to minor points of ingress. The attention bias is more pronounced when the minor points of ingress seem innocuous. Small weaknesses can lead to big problems. In the real world, a major compromise is commonly a result of multiple small vulnerabilities exploited in sequence.
This concept is essential to internalize today. Services such as the Arctic EWS provided by Arctic Security are designed to enumerate these potential attack vectors. When you investigate the findings, there may be no blockbusters. Many may appear innocuous but could very well be the avenue a cybercriminal actor will exploit to deliver the big payload later. We have observed it in practice when a root cause analysis of a cyberattack comes back with a finding that had been present in the Arctic EWS notifications for months before the attack.
Now, there is also a question about managing the number of smaller vulnerabilities when our software footprint is increasingly expansive and reacting to everything is just not feasible. Let’s ponder this topic, and I will dig into it more in a later article.