t cht lk
TECH TALK
PremiSys technology allows customers to
grant and restrict access to doors, lockdown
facilities and view integrated video. Once
exploited, the most severe flaw would
give cybercriminals administrator access
to the entire badge system database via
the PremiSys Windows Communication
Foundation (WCF) service endpoint. Using
the administrator privileges, attackers can
perform a variety of actions like downloading
the full contents of the system database,
modifying its contents or deleting users.
“The digital era has brought the cyber and
physical worlds together thanks, in part,
to the adoption of IoT. An organisation’s
security purview is no longer confined by
a firewall, subnets, or physical perimeter
– it’s now boundaryless. This makes it
critically important for security teams to
have complete visibility into where they are
exposed and to what extent,” said Renaud
Deraison, Co-founder and Chief Technology
Officer, Tenable. “Many manufacturers
in the new world of IoT don’t always
understand the risks of unpatched software,
leaving consumers and enterprises
vulnerable to a cyberattack.”
Intelligent CIO Europe caught up with
Gavin Millard, Vice President of Intelligence,
Tenable to hear his views on the risks posed to
businesses as a result of poor cyberhygiene:
Current cybersecurity risks facing
enterprises and how these are
being tackled
“
WE SHOULD
BE MAKING IT
DIFFICULT FOR
CYBERCRIMINALS
TO MONETISE
AND UNTIL WE
DO, THEY’LL JUST
KEEP BREEDING.
The evolving threat landscape
There are two main themes resulting from
developments over time, one being the
number of assets we’re trying to manage
is ever increasing and the amount of these
assets is expanding exponentially. The
problem with those assets is that they’re
also changing type. If you look back a few
years ago, people were dealing with static
and accessible physical assets. Nowadays,
we’re moving to ephemeral and immutable
assets. Everyone is going through the Digital
Transformation process and pushing things
into the cloud – which is a good thing – but
One of the biggest problems that
organisations have is basic cyberhygiene.
If you consider some of the big breaches,
they’re always said to be sophisticated
threat actors, nation-state and really
advanced. I think that’s a get-out. A lot
of the issues organisations are facing are
simple foundational things that they’re
not doing well such as patching. If you
think about the way that an attacker gets
in, they’re taking advantage of known
vulnerabilities to deploy code.
Of all the big breaches, they are very rarely
nation-state, they are very rarely advanced,
they’re just persistent. Any network that
is broken into is done by finding the right
flaw to take advantage of and this isn’t
done by a complex attack, it’s usually a
lack of a patch.
78
INTELLIGENTCIO
it also means that their attack surface is
increasing and the amount of available
assets to target is increasing. Irrelevant of
type, the amount of vulnerabilities that
are being disclosed every day is increasing.
This year, the amount of vulnerabilities
is expected to grow to around 52% in
comparison to last year.
Another thing to consider is that many
organisations are utilising Machine Learning
(ML) and Artificial Intelligence (AI) and
doing some really clever things with it. If
cybercrime is a multi-billion-dollar industry,
we must believe that they are making
those same investments. So, they are also
leveraging ML and AI to automate flaws in
people’s environments. Attackers are going
to get smarter, but so are defenders. As an
example – we are building ML models to
predict the vulnerabilities that attackers are
going to use. We’ve got PhD Data Scientists
working on this right now, allowing them
to predict which vulnerabilities attackers
use. If we can predict this, irrelevant of their
method, we can close that attack surface
down. Defence and attack are going to
increase in speed and volume.
Prioritising patching vulnerabilities
Not every vulnerability is the same and the
ones that get noticed are the ones that have
a catchy name and logo. They’re not always
the scariest vulnerabilities out there. The
vulnerabilities that need to be patched are
those that attackers are actually using. We
need to take a more threat-centric approach
to vulnerabilities. I don’t care about the
15,000 vulnerabilities that were disclosed
last year, I care about the 7% that actually
had exploits available for them. I care
about the assets of the 7% of those 15,000
vulnerabilities that are Internet-facing.
They’re the things we need to be patching.
You can’t patch everything, let’s make sure
we patch the right things.
Greatest emerging threats
Gavin Millard, Vice President of
Intelligence, Tenable
I think the greatest threat is the money. The
biggest issue that faces cybersecurity today
isn’t the latest vulnerability, it’s the fact that
cybercriminals can monetise. Compared to
20 years ago, cybercriminals of today can
make millions from cyberattacks. Criminals
are involved in attacking organisations
through IT because it’s massively profitable.
www.intelligentcio.com