Cyber-attacks have increased in recent years, so much so that even countries cannot be expected to go it alone to defend themselves effectively. Recently, the European Commission proposed new rules to introduce greater consistency in “cyber and information security measures across EU institutions, bodies, offices and agencies.” The goal is to shore up the bloc’s public administration, given increasing threats originating from opportunities afforded by increased digitization and connectivity, continued pandemic challenges, heightened geopolitical tensions and beyond.
The proposed rules for the EU follow on the heels of recent compelling research. For instance, the European Union Agency for Cybersecurity (ENISA) report ENISA Threat Landscape 2021 notes that one of the prime threats facing legitimate entities is the integrity and availability of internet-facing applications, frequently executed through web and Denial of Service (DoS) attacks, which were noted as among the “most critical threats to IT systems.”
Research conducted by Neustar International Security Council (NISC) similarly underscores the persistent headache associated with cyber-attacks and the desire to hold perpetrators and targeted organizations to account. Last December’s Log4j vulnerability caught many information security professionals off guard, to the extent that some were surprised by even having exposure. NISC surveyed global IT professionals in January and found that more than six in 10 fielded some sort of attack targeting the Log4j vulnerability, and nearly nine out of 10 (or 87%) agreed that regulatory bodies should take legal action against organizations that fail to patch known flaws.
Neustar Security Services’ recent threat report identified new attack vectors and increased attack vector complexity, as seen in Neustar’s security operations center (SOC) throughout 2021. Indeed, carpet bombing attacks made up nearly half the attacks seen during all of 2021. A ‘carpet bomb attack’ aims at a range of the target organization’s IP addresses rather than focusing on a single address, so it makes it much more complex to detect and defend. It also revealed an increase in critical vulnerabilities documented in NIST’s most recent common vulnerability scoring system (CVSS) data. This combination of increasingly complex DDoS attacks and a larger attack surface for threats presents a daunting challenge for companies.
Clearly, the threat landscape has evolved significantly, and international governments acknowledge the risks this poses to vital public information and the disruption this can cause to critical services. This policy statement will hold organizations accountable for security breaches, whether preventable or patchable.
" A 'carpet bomb attack' aims at a range of the target organization's IP addresses rather than focusing on a single address, so it makes it much more complex to detect and defend"
The Log4j issue sent many enterprises scrambling for quick patching solutions as they addressed their potential exposures, but it also sent them scrambling to re-evaluate what systems they had in place to reduce exposure. The vulnerability has served as a wake-up call for many institutions. In its January survey, NISC found that nearly half (45%) of IT professionals were moved to re-evaluate their software supply chain security practices, and nearly as many (44%) were re-evaluating their software purchasing decisions. More than a third (35%) were re-evaluating their existing vendor relationships.
Such re-evaluation is a critical best practice, and it would be edifying to see more IT professionals taking steps to reassess their security protocols as a regular course of business.
As systems evolve, are upgraded, and become more interconnected, the attack surface also expands. No single product or service can respond to every existing or potential threat, so organizations rely on a patchwork of systems supplied by various vendors, each with its own standards of security and service. Care should be taken to understand the evolving attack surface and how all these tools and services combine to provide the necessary coverage of protection.
Regulatory rules, such as those being proposed for the EU, can provide organizations with guidelines for selecting appropriate solutions. While waiting for consensus to be reached, entities can take meaningful steps to achieve the level of security their stakeholders expect, and re-evaluation is key. Regular review of assets at stake is essential; IT professionals must have an ongoing awareness of the most valuable assets to the enterprise as well as to cyber-attackers, and they must maintain an understanding of potential exposures and commensurate risk mitigation measures.
IT professionals should be assessing their security partners regularly. Such an exercise helps ensure enterprises remain well informed about the security features and developments readily available to address evolving needs and emerging threats. Likewise, keeping abreast of news and analysis in the cybersecurity space can give IT professionals some notice for setting strategies in motion to thwart novel attack schemes.
Cyber-attacks are rarely isolated, and success on one front will only spur assaults on many more. In today’s global, connected environment, maintaining security requires that all organizations are committed to taking an active role in the security ecosystem — it truly takes the entire village.