Cybersecurity hygiene, the necessary maintenance to protect the health and security of users, devices, networks, and data, needs to evolve significantly to combat increasingly sophisticated cyber threats, security experts say. The statement was made at the Billington State and Local Cybersecurity Summit held in Washington, DC. on wednesday.
“A system cannot be said to be secure if it is not trusted, and it cannot be trusted if it is not secure,” said Colin Ahern, New York's chief cyber officer.
“There were large, sophisticated nation-states that were trying to gain strategic access to certain systems. [with] Introduced less sophisticated intent-based attacks and cybercriminals. And they were after one thing: money,” he said of what cybercrime security experts once worried about.
However, nation-state attackers are now using hacking techniques to achieve more destructive objectives, including proactive espionage tactics against critical infrastructure.
“So the idea that we were able to take the same threat posture, the same set of activities as an organization probably 10 years ago when these systems were purchased and installed and contracts were written is clearly a sustainable reality. Not,” he said.
bad cyber hygiene
“Cyber hygiene practices must evolve with the cyber threat landscape and regulatory requirements,” Wisconsin Chief Information Security Officer Troy Steerwalt said at the conference.
Poor cybersecurity hygiene can have a devastating impact on the public sector. Last year, the city water department in Aliquippa, Pennsylvania, suffered a cyberattack on one of its water facilities when an Iranian-backed hacker group disabled monitors used to regulate water pressure. Plant managers continued to operate the system manually, so service was not interrupted and drinking water quality was not affected.
The Department of Homeland Security sent investigators to Aliquippa on Nov. 26, the day after the attack, and discovered a glaring oversight. At the time of the cyberattack, the water department was still using the software's default password of 1111.
“With poor cyber hygiene, configurations such as administrative passwords are not changed in the first place and something is taken away. Someone can do some reconnaissance and find out that this is the model they are building and the defaults are still there. ,” Steerwalt said. “The fact that we're still dealing with SQL injection 20 years later and one input validation could fix the problem. That's bad cyber hygiene.”
The Cybersecurity and Infrastructure Security Agency considers the use of strong passwords, regular software updates, and multi-factor authentication to be basic cyber hygiene.
Steerwalt said Wisconsin practices “quick attack, quick response” when it comes to cybersecurity preparedness, which is an important part of good cyber hygiene.
“We constantly evaluate cyber threat intelligence to see industry trends and then evaluate controls to determine how resilient or resistant they are,” Steerwalt said. says Mr. “How do we limit the negative impact on our systems so that our organizations can absorb the blow, maintain operations, and provide services?”
shared responsibility
Steerwalt said many states and local governments in the U.S. have not adopted a shared responsibility model for cloud management, without understanding the basic services provided by cybersecurity and IT professionals and how to implement them. He criticized the practice of blind reliance.
Increasing understanding of cybersecurity is leading many state technology officials to adopt a statewide approach to cybersecurity, in which all public sector organizations in the state combine resources to strengthen defenses against ransomware and denial of service. This is one of the reasons for proposing the model. attacks and other cybersecurity threats.
“Cyber officers play an important role in providing what I think of as 'translation services,'” Stearwalt said. “But we need to increase everyone's cyber awareness and help everyone understand what their role is from a cyber-ready and intelligent perspective.”
