Cybersecurity
from IdaHome--October
It’s not just TECH
BY HAILEY MINTON
The majority of cyber attacks come from criminal organizations; however, cyber attacks on the U.S. backed by nation states have become one of the largest challenges facing the country. Nation states have resources beyond most criminal organizations’ capabilities. “Our adversaries are willing to spend unlimited amounts of money creating a team environment, giving them all the technology they could possibly consume and as much time as that team wants… to embed itself into our infrastructure and to potentially impact us kinetically through a cyber attack,” says Edward Vasko, Director of the Institute for Pervasive Cybersecurity at Boise State University.
The hacker group known as Cozy Bear is an example of a nation state-backed group. According to The Washington Post, it is part of the Russian foreign intelligence service. The group is believed to be responsible for the SolarWinds incident, which gave it access to the networks of 30,000 public and private organizations in the U.S. The Russian government denies involvement.
The SolarWinds incident highlighted the importance of software supply chain security. Most people think that technology is the biggest defense in cybersecurity, but this incident occurred because of a faulty business process. SolarWinds sells IT management software that, in effect, acts as an administrator of the systems it manages. According to businessinsider.com, in early 2020 hackers inserted malicious code into SolarWinds’ software. The tampering went undetected, and the company shipped the code to its clients in a routine software update. That update carried a backdoor into every company and organization that installed it, giving the attackers administrative power in each system they entered, explains Vasko. SolarWinds has many high-profile clients, including government agencies such as the U.S. Departments of the Treasury and Commerce and even the U.S. cybersecurity firm FireEye.
“We’ve known for a time that the source code supply chain could be compromised,” says Vasko. Twenty or thirty years ago, companies built the source code for their technology platforms in-house. For example, Microsoft had a team of people dedicated to building Word. The world has since shifted to distributed code. Say a person builds a great piece of code that would take anyone else a long time to write. Instead of building it from scratch again, others can license that code from its creator. “You can reduce your cost to build out a new platform and increase the speed you can get to market,” Vasko explains. That code is then embedded into a platform and product. Anyone can build and sell modules of code in different marketplaces. The problem lies in verifying where distributed code came from and identifying who is responsible for it.
Sometimes code is built maliciously to contain a backdoor. That code can then be pulled in by someone who is trying to build a good module. With bad code embedded inside the good code, you have a cuckoo’s egg: the more the module gets used, the further the bad code spreads. “Unfortunately, as with any major event, there’s a reaction,” says Vasko. “As much as we would love people to be proactive, the majority of industries respond after an event occurs. Now that the SolarWinds intrusion occurred, you’re seeing the federal government issuing mandates that demand source code supply chain controls in understanding who your source code partners are. You’re keeping track and making sure that person isn’t using someone else’s code. If they are, they disclose where that code came from. You can move down the chain to see if there is a weak link and weed out any potential cuckoo’s eggs.”
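The chain-walking Vasko describes can be automated once a product carries a record of its components (a software bill of materials, or SBOM). The following Python is an added example, not code from the article, from SolarWinds or from Boise State: the SBOM, the product name “it-monitor”, the suppliers and the hashes are all constructed for illustration. It walks every transitive dependency from the product down and reports each component that cannot be tied to a known supplier, a source location and an artifact hash, together with the path by which it was pulled in.

```python
"""Walk a software bill of materials (SBOM) transitively and flag components
whose origin cannot be verified.  Constructed example data, not a real SBOM."""

from collections import deque

# Constructed SBOM for a hypothetical product "it-monitor".  Each component
# records who supplied it, where the source came from, the hash of the
# artifact that was actually built in, and what it depends on.
SBOM = {
    "it-monitor@4.2": {
        "supplier": "Example Corp", "source": "https://git.example.com/it-monitor",
        "sha256": "a1" * 32, "depends_on": ["netlib@2.0", "report-gen@1.3"],
    },
    "netlib@2.0": {
        "supplier": "Example Corp", "source": "https://git.example.com/netlib",
        "sha256": "b2" * 32, "depends_on": ["tls-wrap@0.9"],
    },
    "tls-wrap@0.9": {
        "supplier": "TLS Wrap Project", "source": "https://github.com/tlswrap/tls-wrap",
        "sha256": "c3" * 32, "depends_on": [],
    },
    "report-gen@1.3": {
        "supplier": "Acme Widgets", "source": "https://marketplace.example/report-gen",
        "sha256": "d4" * 32, "depends_on": ["pretty-tables@0.1"],
    },
    # The cuckoo's egg: pulled in two levels down, with no supplier, no source
    # and no recorded hash.  Nobody at the top of the chain chose it directly.
    "pretty-tables@0.1": {
        "supplier": "", "source": "", "sha256": "", "depends_on": [],
    },
}

# Hypothetical allowlist of suppliers the organization has vetted.
TRUSTED_SUPPLIERS = {"Example Corp", "TLS Wrap Project", "Acme Widgets"}


def audit_chain(sbom, root, trusted=TRUSTED_SUPPLIERS):
    """Breadth-first walk from `root` through every declared dependency.

    Returns a list of (path, reasons) for each component that cannot be tied
    to a verifiable origin.  `path` is the dependency chain from the root, so a
    reviewer sees how the code got in, not just that it is there."""
    findings = []
    seen = set()                      # guards against cycles and diamonds
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        comp = sbom.get(name)
        if comp is None:
            # Declared as a dependency but absent from the SBOM: nothing to verify.
            findings.append((path, ["not in SBOM"]))
            continue
        reasons = []
        if comp["supplier"] not in trusted:
            reasons.append("unknown supplier %r" % comp["supplier"])
        if not comp["source"]:
            reasons.append("no source location")
        if len(comp["sha256"]) != 64:
            reasons.append("no artifact hash")
        if reasons:
            findings.append((path, reasons))
        for dep in comp["depends_on"]:
            queue.append((dep, path + [dep]))
    return findings


if __name__ == "__main__":
    for path, reasons in audit_chain(SBOM, "it-monitor@4.2"):
        print(" -> ".join(path))
        for reason in reasons:
            print("    ", reason)
```

Run stand-alone, it prints the one offending chain, it-monitor -> report-gen -> pretty-tables, with all three reasons. A real SBOM (CycloneDX or SPDX) holds the same fields under different names; the walk and the three checks are the part that carries over.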
The SolarWinds incident is an example of hackers exploiting a business process that let bad code slip through. “Someone at SolarWinds simply ‘approved’ the code for inclusion and released it, bad code and all,” says Vasko. Good cyber defenses must therefore address people and processes as well as technology.
One common attack, called spear phishing, targets a specific person in a company and tries to exploit the relationships that person has with coworkers. Say attackers profile a CEO. They learn from a social media post that he is on vacation. An attacker then creates a fake email address that looks very similar to the CEO’s. Posing as the CEO on vacation, they email employees asking them to initiate a wire transfer to a new client. Chances are, if the CEO is on vacation, he won’t be answering his phone when someone tries to verify the transaction. An “ö” instead of an “o” can be the only visible difference between a genuine and a fraudulent sender address. Vasko says this tactic is as prevalent as ransomware and has existed for well over a decade, but people still fall for it. Technology can help here by filtering email and tagging messages that come from outside the network.
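As an added illustration of the filtering described above (example code, not anything from the article or from Boise State), the following Python checks whether a sender’s domain merely looks like the company’s own. The company domain example.com and the From: headers are constructed for the example, and the confusables table is a small hand-picked subset of the look-alike characters attackers use, not the full Unicode list. Each sender is classified as internal, a look-alike of the internal domain (the “ö” for “o” case), or plain external.

```python
"""Flag e-mail senders whose domain impersonates the company's own domain.
Added example with constructed messages; the company domain is hypothetical."""

import unicodedata

COMPANY_DOMAIN = "example.com"     # hypothetical

# Minimal map of look-alike sequences to the ASCII they imitate.  Unicode's
# confusables list is far larger; this covers the cases in the sample below.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",                       # digits for letters
    "rn": "m", "vv": "w", "cl": "d",                              # letter pairs
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0456": "i",                  # Cyrillic с х і
}


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form: strip accents (ö -> o), lower-case,
    then collapse known look-alikes onto the ASCII they imitate."""
    # NFKD splits 'ö' into 'o' + a combining diaeresis; drop the combining marks.
    base = "".join(ch for ch in unicodedata.normalize("NFKD", domain)
                   if not unicodedata.combining(ch)).lower()
    # Longest sequences first so "rn" is handled before any single character.
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        base = base.replace(fake, real)
    return base


def sender_domain(address: str) -> str:
    """Domain part of 'Display Name <user@host>' or a bare 'user@host'."""
    addr = address.rsplit("<", 1)[-1].rstrip(">").strip()
    dom = addr.rpartition("@")[2].lower()
    # On the wire an internationalized domain is punycode (xn--...); decode it
    # so the look-alike check sees the glyphs the recipient would see.
    if any(label.startswith("xn--") for label in dom.split(".")):
        try:
            dom = dom.encode("ascii").decode("idna")
        except UnicodeError:
            pass                      # malformed label: leave it, it won't match
    return dom


def classify(from_header: str, company: str = COMPANY_DOMAIN) -> str:
    """'internal'  : genuinely from the company domain
       'lookalike' : external, but visually near-identical to the company domain
       'external'  : any other sender (tag as out-of-network)"""
    dom = sender_domain(from_header)
    if dom == company:
        return "internal"
    if skeleton(dom) == skeleton(company):
        return "lookalike"
    return "external"


# Constructed sample of From: headers, as a mail filter would see them.
SAMPLE = [
    "CEO <ceo@example.com>",
    "CEO <ceo@exämple.com>",         # accented vowel, the ö-for-o trick
    "CEO <ceo@\u0435xample.com>",    # Cyrillic 'е' in place of Latin 'e'
    "CEO <ceo@examp1e.com>",         # digit one for 'l'
    "CEO <ceo@exarnple.com>",        # 'rn' for 'm'
    "Vendor <billing@supplier.net>",
]

if __name__ == "__main__":
    for hdr in SAMPLE:
        print(f"{classify(hdr):10} {hdr}")
```

The point of comparing skeletons rather than raw strings is that the check is symmetric: a look-alike is anything that collapses to the same form as the real domain, whichever side carries the odd character. In production this sits behind the usual checks (SPF, DKIM, DMARC) and feeds a warning banner or quarantine rule rather than replacing them.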
With each passing moment, cyber attacks and the criminals who design them become more sophisticated. BSU’s cybersecurity curriculum is particularly innovative because it takes an all-encompassing technology, people, and process approach to student education. The university collaborated closely with the Idaho National Laboratory to create the curriculum. Student interns can explore INL’s Cybercore Integration Center, which hosts a University Lab dedicated to collaboration between INL experts and students. Cyber attackers are working at this very moment to illegally infiltrate systems for profit and power. Clearly, our national and personal safety depends on cybersecurity systems evolving faster than these intruders. BSU is already at the forefront of that future.