Federal agencies were spared from the WannaCry ransomware attack that spread around the world last month. That was largely because of the cyber sprint that started after the Office of Personnel Management breaches, according to acting federal CIO Margie Graves. Agencies also applied a patch for vulnerable Microsoft systems that the software giant issued in March.
However, the attack made clear that malware is no longer the domain of nerdy kids in basements hacking systems just to prove they can. Cybercrime is big business and harder than ever to thwart, because the perpetrators, arsenals and targets are constantly changing.
The toolkits that cyberattackers use are now commodities, and anyone with a credit card can purchase these tools to become a hacker. These exploits are also continually evolving into different forms, enabling them to evade detection and maximize damage.
Malware Remains a Problem for Agencies
“I always say if I had a nickel for every time I said, ‘Boy, I never thought that would happen,’ I probably wouldn’t have to work anymore,” says Dan Schiappa, senior vice president and general manager of the end-user and network security groups at Sophos. “Hackers will find ways you can’t even imagine to get through.”
Adding to the challenge of defending against these threats is the emergence of mobility, which has transformed virtually every industry. Mobile devices have increased workplace flexibility and productivity, but they have also exposed agencies to unprecedented cyberthreats.
Many agencies regularly patch servers, desktops and notebooks while ignoring the mobile devices that access their networks. Even if agencies employ mobile device management software, they have a hard time ensuring that the personal devices employees bring into the office have the latest operating systems or application updates, says Karen Scarfone, principal of Scarfone Cybersecurity.
The emerging Internet of Things market makes their jobs even harder, Scarfone adds. Many agencies don’t even realize that devices such as heating, ventilation and air conditioning systems or IP-enabled warehouse equipment can expose their networks to attack.
As threats evolve, so must the defenses that agencies implement. In addition to deploying traditional security tools aimed at keeping hackers outside of networks, they need to rely on next-generation products that provide a breadth of coverage from each endpoint and throughout networks.
“There’s never been, in the history of cybersecurity, a protection that’s 100 percent perfect,” explains Schiappa. “So the idea is if a hacker finds a way around your machine learning, you’ll have some behavioral detection. If he finds a way around that, you have the ability to see if he’s using common exploit techniques. If you keep throwing all sorts of technologies at him, it becomes much more complicated for the attacker to circumvent them.”
Hackers Target Endpoints and Apps with New Exploits
Not long ago, most agencies focused their security efforts on network defense. But as the number of mobile endpoints grows and, in turn, the number of entry points, this approach becomes less effective, explains Sadik Al-Abdulla, director of security solutions at CDW. “Once hackers crack that outer shell, they have almost free rein.”
Their chances of success are growing, thanks to the commoditization of hacking tools. “There’s a complete business around the enablement of nontechnical people to be hackers,” says Schiappa.
A common strategy is for hackers to exploit vulnerabilities in websites and applications, then sell tools that enable others to take advantage of the same exploits. Ransomware is an example of malware that is often deployed via this model, says Schiappa.
Adding to the threat is the growing ecosystem of cyberattackers in search of zero-day vulnerabilities — weaknesses in applications that have gone undetected and therefore have not been addressed by software or security vendors. Once vendors discover vulnerabilities, they publish patches. Until then, however, hackers can take advantage of these holes.
Current threats are particularly challenging to deal with because they change as they move through systems, making them difficult to detect or stop. Schiappa says that 88 percent of the malware samples Sophos sees are unique to the organizations in which they’re found. “You need a broad set of technologies to protect against the unknown,” he adds.
This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.