Security Goes On the Offensive
The world broke a new record in 2021. In September, just a week before GSX 2021, the 66th zero-day was discovered—nearly double the number found in 2020, setting a new record for the most zero-days discovered in one year.
“But while the record-setting number grabs attention, it can be hard to know what it tells us,” according to MIT Technology Review’s coverage of the milestone. “Does it mean there are more zero-days being used than ever? Or are defenders better at catching the hackers they would have previously missed?”
The answer could be a bit of both. And it highlights how the security profession is changing to take a more proactive approach to identifying and mitigating threats, rather than the more traditional reactive one. With the rise of threat hunting, red teaming, and more, security professionals are increasingly being asked to go on the offensive with their strategies and protection measures—not just stay on the defensive.
This approach is also creating more opportunities for physical and IT security teams to work together to manage risk, especially when it comes to cyberattacks that target physical systems.
High-profile incidents from the past year include the Colonial Pipeline ransomware attack, where hackers were able to infect the company’s corporate network with ransomware—causing it to take the unprecedented step of shutting down its operational technology network to ensure it also did not become infected.
“Companies are beginning to understand that both OT and IT systems need to be managed holistically under the umbrella of risk management,” said Coleman Wolf, CPP, senior security consultant at ESD Global, Inc, and chair of the ASIS International IT Security Community, in an interview with the GSX Blog.
On Monday at GSX 2021, Wolf presented “Hacking Building Controls for Fun and Profit: Security Risks to Cyber-Physical Systems” to explore and demonstrate the vulnerabilities that can be exploited in building control systems and the measures that can be used for defense. His session is one of 11 in the Offensive Strategies: Preparing for an Attack Learning Theater, which are presented in person and livestreamed to a virtual audience across the globe.
Part of Coleman’s session was devoted to a demonstration that shows how easy it is to identify, locate, and access some building control systems and what people will need to do to address these vulnerabilities.
For instance, he showed how to use Shodan—a search engine that finds things connected to the Internet, from smart refrigerators to wind farm management systems. While Wolf said he would not attempt to go beyond identifying systems on Shodan, he said others might then use that identification to look up default passwords and attempt to gain unauthorized access to those systems.
“Everyone in the session will leave with a good understanding of the differences between operational technology and systems and information technology and systems,” Wolf explained.
Other sessions in the learning theater will focus on extending zero trust, the process in which implicit trust is removed from the infrastructure.
“Zero trust is a way of thinking, not a specific technology or architecture,” according to Gartner Distinguished VP Analyst Neil MacDonald. “It’s really about zero implicit trust, as that’s what we want to get rid of.”
More organizations are embracing zero trust to more proactively manage their attack surface, which changed drastically in 2020 with the major shift to remote work. Recent analysis from IBM Security found that the average cost of a data breach in 2020 in the United States was $1.07 million more when remote work was a factor in causing the breach.
Along with cybersecurity, the Offensive Strategies theater will feature sessions on red teaming, domestic violence threats, business continuity in the age of COVID-19, and drones and securing your airspace as the technology becomes increasingly available. All of these topics highlight areas where security professionals are taking proactive approaches to get ahead and mitigate the actions of threat actors.
Digital attendees will be able to livestream sessions in the Offensive Strategies Learning Theater. Recordings will also be available within two weeks for all-access and virtual attendees to watch on demand.
For more information on the sessions in the “Offensive Strategies: Preparing for an Attack” Learning Theater, visit gsx.org.
Monday
- 10:00 a.m. – 11:00 a.m.: “Hacking Building Controls for Fun and Profit: Security Risks to Cyber-Physical Systems”
- 11:30 a.m. – 12:30 p.m.: “Red Teaming: The Key to Effective Security”
- 2:00 p.m. – 3:00 p.m.: “Risk Assessment vs. Risk Analysis: The Digital Transformation into Dynamic Risk Analysis Data”
- 3:30 p.m. – 4:30 p.m.: “Controlling Your Airspace from Drone Threats”
Tuesday
- 10:00 a.m. – 11:00 a.m.: “Become Stealth Online: Secure Your Online Identity, Activity, and Information While Minimizing Your Vulnerabilities”
- 11:30 a.m. – 12:30 p.m.: “Extending Zero Trust to the Modern Enterprise”
- 2:00 p.m. – 3:00 p.m.: “A Guide to Protecting Physical Security Systems from Cyber Attacks”
- 3:30 p.m. – 4:30 p.m.: “Post-COVID Pandemic Business Continuity Challenges and Opportunities”
Wednesday
- 10:00 a.m. – 11:00 a.m.: “Hidden Threats: Domestic Violence and its Impact on the Workplace”
- 11:30 a.m. – 12:30 p.m.: “Achieving Complete Airspace Security Amid Loosening Drone Usage Regulations and Emerging Threats”
- 2:00 p.m. – 3:00 p.m.: “Cybercrime Investigations: A Comprehensive Overview”