Listen and subscribe to our new podcast! Tripwire’s cybersecurity podcast features 20-minute conversations with the people who protect people from cyber threats. Hosted by Tripwire’s VP of Product Management and Strategy, Tim Erlin, each episode brings on a new guest to explore the evolving threat landscape, technology trends, and cybersecurity best practices.
In this episode, Tripwire CTO David Meltzer breaks down the inside baseball terminology around cyber threats and what the modern attack surface looks like, how we got here, and where security professionals need to focus their attention. Episode excerpts:
Tim Erlin: Welcome everyone to the Tripwire podcast. I’m Tim Erlin, vice president of product management and strategy at Tripwire. Today I am joined by Dave Meltzer, CTO at Tripwire.
Dave Meltzer: Glad to join you, Tim.
TE: Thanks for being here. We’re going to talk a little bit about the attack surface today, but before we dig into some of the details, why don’t we start with just a little bit of conversation about what we mean when we say attack surface. I think this is a term that we tend to throw around inside of the information security bubble but one we still don’t necessarily talk about or understand that much. So Dave, from your perspective, what are we talking about?
DM: The first term that you often hear people talk about are just attack vectors. And attack vector really isn’t much more than, you know, some avenue that someone’s going to use to exploit your systems, your networks, your information and then the attack surface. I think of it as just the sum of all the attack vectors for your company and organization.
Overall, a lot of the more modern attack surfaces we’re now seeing have to do with the changing IT infrastructure. So, as people are rolling out new environments and new systems—whether that be cloud, IoT, or mobile—those are all creating new attack vectors which traditional solutions are not covering. How do we extend coverage into those systems to prevent those attacks?
TE: Well, so let’s talk about that a little bit. I mean, we’re not too far after the end of 2019 at this point. What did we really see change in terms of attack surface in 2019?
Attacks on the Rise in All Respects
DM: Looking back to 2019, I think we saw some incremental growth in terms of the size, scale and complexity of attacks. The scale of attack is something that just continues to grow over time.
Just to give you an example, there are over 200,000 different vulnerabilities that someone could exploit across today’s systems. You compare that back to when I started in cybersecurity back in the mid-90s. At that time, we had a vulnerability scanner I was working on that had about 150 vulnerabilities. That’s over a thousand orders of magnitude less than what we’re now seeing today.
At the same time, the number and scale of breaches are also more serious. In March 2019, The New York Times reported on a data breach that exposed 885 million mortgage documents going back 16 years. Not long thereafter, Symantec revealed that threat actors had compromised more than four billion records in the first six months of the year.
TE: Yeah, it’s, it’s almost unfathomable to think about that number of records and what it might mean to you as an individual.
DM: It’s understandable that people are starting to get this fatigue about how many times their information can be stolen. But the scale of these attacks is just continuing to increase over time. The proliferation of cloud isn’t helping. That’s because the cloud is helping to concentrate data records online. As the result of a single cloud configuration error, therefore, unauthored parties could potentially compromise hundreds of millions of records. Such was the case in Capital One data breach and the exposure of 275 million Indian citizens’ records.
Let’s Not Forget About Manufacturing
TE: I think that we also saw significant change in the last year in terms of the growing awareness of industrial organizations’ vulnerable attack, manufacturing being an example of that. I think utilities were probably the bigger example that we saw in the press. Do you agree?
DM: No doubt the sheer number of incidents suffered by manufacturing organizations played a part. According to Siemens and the Ponemon Institute’s report “Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?”, 56% of utilities suffered a digital attack between October 2018 and October 2019. The problem here is that manufacturing companies have been more conservative about overall IT investments. So, it’s not just security that they’re not spending as much of as a bank. It’s just anything in IT. That doesn’t mean the attacks aren’t coming at the same rate, however. And in some ways, attackers are going after the softest targets where it’s easier to get in. That trend places areas like manufacturing and healthcare in their cross hairs. Simply put, the soft targets generally are not large banks anymore.
TE: Well said. Now just to clarify for our audience, why does it matter if a manufacturing organization falls victim to a digital attack?
DM: A shutdown or data loss are particularly prevalent because as these attacks make their way into the OT or the industrial environments, they’re much more frequently hitting systems that might not have a million records that you want to go steal from a programmable logic controller or a robot line in a manufacturing plant. But those are systems that often are brittle and are very easy once you’re inside to just take down with some denial of service. And for manufacturing, the cost of downtime can be extraordinarily high.
Lessons for Organizations’ Digital Security Going Forward
TE: Let’s talk a little bit about what we expect in 2020 in terms of attack surface. What do you think is going to change in the coming year?
DM: Nowadays, I’m in the process of tracking cyber warfare. It’s feasible that digital attacks could ramp up from Iran and other nation-state actors. (That makes me particularly concerned about this cyber physical plane.) The other thing that we’re continuing to see is the growth of ransomware. This digital threat remains a prevalent way for attackers to monetize the exploitation that’s happening.
That being said, I think organizations can take some steps to protect themselves against these and other threats. One of the most important things they should do is have a firm idea of the security framework(s) they’re using.
You know, we’ve seen a lot of adoption of the NIST cybersecurity framework, so whether you’re using NIST, whether you’re using ISO for healthcare company or you’re adopting high trust, you need to understand that framework and how are you going to iterate and continuously improve security in 2020. So focus on the framework, focus on what’s the maturity of your different areas of security programs and do the basics well. If you do those three things, you’ll probably have a good process for improvement in 2020. And you’ll best position yourself to reduce your chances of being breached.
TE: All right. Well Dave, thanks for spending the time with us. I think it was an interesting conversation. To everyone who’s listening, thank you for listening, and we hope you tune in again.
DM: Thanks, Tim.