What the Industry’s First Coleopteran Chief Vulnerability Officer Predicts for 2019
Let’s not beat around the bug – 2018 was not a good year for my kind. As of now, nearly one in three computers was hit with a malware attack this year, and ransomware attacks were up 43% over 2017, with nothing to signal that these trends will decrease any time soon.
Shortly after Thanksgiving, Marriott disclosed a breach of 500 million customers’ data, including passport numbers, as well as the fact that the unauthorized party had access for four years prior to the discovery. That’s equivalent to 450 more days than my projected lifespan. Quora, a question-and-answer website, also recently revealed a hack that exposed 100 million users’ information.
Unfortunately, these are not isolated incidents, but rather a weekly occurrence that should make organizations more vigilant about the magnitude and sophistication of cyber threats. Recently, I’ve spent a lot of time pondering what’s to come in the year ahead, and I’m not sure the news gets any better for my species. After conferring with my team at RunSafe Security, here are our projections for what we expect to see in 2019.
Internet-Connected Healthcare Devices Finally Merit Attention – The medical device supply chain will experience heightened scrutiny. Increases in vulnerabilities, accelerated by the integration of mobile devices, will propel cybersecurity as the top concern for manufacturers, healthcare providers, and regulatory bodies. Patient awareness will drive industry participants to adopt new approaches to mitigating the threats.
While aiming for the goal of improving patient outcomes, the increasing interconnectivity of medical devices introduces potential weaknesses for data security. One reason is that these implements for the diagnosis, prevention, monitoring, treatment or alleviation of disease were not built with security in mind. As such, they are an easy entry point for attackers, who can gain network access through the internet. From there they can move on to a server, which likely has rich patient data, or just cause mayhem by sabotaging a device’s intended use. Abbott and the Chertoff Group recently released a white paper that shares findings from their study of 300 physicians and 100 hospital administrators on cybersecurity challenges. They found that while the professionals interviewed view cybersecurity as a priority, the majority feel underprepared to combat cyber risks.
U.S. Government Gets Serious About Weapon Systems Security – With the publication of reports from the GAO and MITRE, as well as Secretary of Defense Jim Mattis’ launch of the Protecting Critical Technology Task Force, the Department of Defense will begin to address cyber vulnerabilities in legacy weapon systems.
The GAO report concluded that the Department of Defense weapon systems are “more software dependent and networked than ever before,” and therefore are susceptible to cyberattack from software vulnerabilities as well as the increased attack surface caused by their connectivity. Even more alarming is their assessment that between 2012 and 2017, nearly all major acquisition programs that were operationally tested had mission-critical cyber vulnerabilities that adversaries could compromise. The memorandum launching the task force stated that these vulnerabilities are “eroding the lethality and survivability of our forces.” It’s incumbent upon the Pentagon to rethink how to address cybersecurity at every stage of development, acquisition, and deployment. More specifically, the MITRE report recommends that “product integrity, data security, and supply chain assurance should become key contract award criteria.”
International Tensions Promote Cybercrime – As trade wars and tension between the U.S. and other countries escalate, international cybercriminals will utilize both ransomware and the injection of malware into embedded devices to disrupt the operation of critical infrastructure.
Stuxnet, WannaCry, NotPeyta, and Triton are just a few examples of the massive global damage that can be enacted to cripple healthcare, energy, manufacturing, and communications organizations. More than half of the world’s mobile phones, as well as almost all of the printed circuit boards are made in China. That country is suspected of embedding malicious microchips into server motherboards. The positive news is that on November 16, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. This landmark legislation elevates the mission of the former National Protection and Programs Directorate (NPPD) within DHS and establishes the Cybersecurity and Infrastructure Security Agency (CISA). CISA leads the national effort to defend critical infrastructure against the threats of today while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow. It is good to have additional focus on this issue, but more steps are required to proactively protect critical infrastructure.
The Need for Protection Overtakes Detection – Whether we’re considering threats to the medical supply chain, weapon systems, or critical infrastructure, traditional cybersecurity measures aren’t built to prevent malware from propagating, because they rely primarily on network and perimeter solutions like gateways, firewalls, intrusion monitoring, and anti-virus agents. In other words, these tools identify symptoms rather than address the underlying causes.
While established tools have worked for decades on known attack types, their effectiveness continues to diminish against motivated adversaries skilled in designing new types of exploits. Detection offers no protection in cases where the supply chain itself is compromised, such as in file-less attacks like memory corruption exploits, stack and heap attacks, zero-day attacks or return-oriented programming (ROP) chain attacks
One of the most effective means to reduce risk is to cyberharden systems using Runtime Application Self-Protection (RASP) technology. RunSafe Security’s Alkemist hardens software binaries by using RASP techniques such as binary stirring, control flow integrity, and stack frame randomization, processes that ensure that attackers can’t calculate in advance how to successfully execute their code. This can prevent an entire class of malware attacks from executing and spreading across multiple systems and devices. Remember, no matter what happens in cybersecurity in 2019, it’s not always the bug’s fault. So, before you blame us, ask yourself whether or not cyberhardening your ICS, embedded systems and devices would have helped you reduce the risk. And then contact us today to get the process of hardening your binaries started before we turn the page on 2018.
BugZ is RunSafe Security’s Chief Vulnerability Officer. He is committed to educating people that software bugs don’t have to result in damaging cyber attacks. Before he is eaten by a frog, BugZ is poised to make binary randomization, control flow integrity, and stack frame randomization the gold standard for critical infrastructure cybersecurity.