Edward Gately

Puerto Rico’s power utility recently was hacked, serving as a reminder that entities that run critical infrastructure across the United States and globally are not prepared to defend against cyberattacks.

Puerto Rico Electric Power Authority (PREPA)’s customer-service system wasn’t affected and customer data was not at risk. The cybercriminals responsible have yet to be identified.

The attack came just after President Trump blamed Russia for targeting the U.S. power grid.

So what makes critical-infrastructure organizations so vulnerable to cyberattacks? We asked Craig Hinkley, CEO of WhiteHat Security. His company’s research shows: on average, utility companies have 2.2 critical cybersecurity vulnerabilities per site; 64 percent of applications in the utility sector remain vulnerable on a daily basis; and 81 percent of hacking-related breaches in the United States leverage weak or stolen passwords.

WhiteHat Security’s Craig Hinkley

“Most of us grew up in a world where we didn’t think about the fact that these critical infrastructures – power and utility grids, gas service lines – now in essence are online,” he said. “And the same way we read about companies being hacked and breached, I don’t think people have made the leap to that same hackable breach now occurring with the power utilities, gas utilities, etc., or the intelligent transport systems around the world.”

The age and long-term life cycle of critical infrastructure add to its vulnerability, Hinkley said.

“You could be being serviced by a power plant that was built 20-30 years ago, so the technology around that power plant was very basic, was very analog,” he said. “So now folks have tried to modernize and digitize them, so in essence they’re sticking internet network adapters … Internet of Things (IoT) converter boxes to help take these plants from analog to digital, to internet-native, and in doing so these systems weren’t built to be exposed to the internet and therefore a lot of what would be built into companies today, from controls and protection mechanisms, didn’t exist back then.”

For some time, U.S. security officials have been warning that the country’s energy and utility infrastructure is vulnerable to cyberattacks, and application security is now a mandatory requirement for critical infrastructure protection (CIP), Hinkley said.

“So part of what companies can do, if they have not, is they should have a standard security vulnerability assessment process in place that goes across their entire environment,” he said. “That should be providing continuous scanning and verification of security vulnerabilities. The companies need to be continuously looking for points of entry into the critical infrastructure because every time they do a release of a new application, a release of a new operating system or upgrade any of the infrastructure that then faces the internet, they need to be continuously scanning that environment to make sure no new security vulnerabilities were also introduced.”

Critical infrastructure presents a big opportunity for the channel, as one of the biggest challenges in the security market today is …

… the lack of security talent and expertise, Hinkley said.

“So from a channel perspective, if it’s hard for Fortune 500 and Fortune 1000 companies to attract security talent, it’s going to be (much) harder for a Pacific Gas and Electric (PG&E), for example, to attract potentially the security talent they need to be able to build out all of the capabilities they need internally,” he said. “So from a channel-partner perspective, there’s an opportunity to find solutions that can help secure that critical infrastructure that’s out there, or the industrial control systems, and therefore sell some turnkey security solutions to help detect and protect the industrial control systems that are now coming online.”

Christina Richmond, IDC’s program vice president of worldwide security services, said partners just starting out in managed security services should steer clear of utilities and critical infrastructure because it is extremely difficult.

IDC’s Christina Richmond

“It takes a very particular set of capabilities and tools,” she said. “There are some security service providers, whether they’re MSSPs or just consulting companies, who can handle that utility or critical-infrastructure environment, but it’s still really the wild west for advanced service providers. It’s really difficult to monitor and very difficult to find challenges in.”

In the meantime, awareness of critical-infrastructure vulnerability is going to help drive understanding, and understanding is going to drive action, Hinkley said.

“Similarly, if you look at any other key sectors, whether it’s health care or financial services, you’re now seeing those industries have always been on the leading edge of thinking about security, but even more so now because you’re seeing the results of breaches in the digital economy resulting in CEO turnover,” he said. “So it isn’t being contained to just the information security officer or even the CIO when you now have officers of the companies that are being held accountable for breaches, like Equifax and others. It’s that awareness that in this digital economy it is really the responsibility of everyone in the company, up to and including the officers of the company, to understand and have an appreciation of what the risks are to the business in the event of a software attack or a cyberbreach.”

Identity Guard + IBM Watson = Channel Opportunity

Identity Guard, an identity theft protection service provided by Intersections, has been paired with IBM Watson. Identity Guard uses Watson’s cognitive computing to personalize and customize its protection against identity theft and misuse of personal information.

Barry Kessel, Identity Guard’s chief marketing officer, tells us that businesses and organizations are providing the service to their employees as an employee benefit.

“Because the Identity Guard-with-Watson solution taps into many, many data sources – from the dark web, to public records, to social media and credit bureau data – we can more quickly and thoroughly identify patterns that pose threats by …

… harnessing the power of artificial intelligence (AI),” he said. “Those potential threats could be to employees, customers or the businesses themselves.”

Identity Guard’s Barry Kessel

Intersections sees a real opportunity to have channel partners participate in its distribution of Identity Guard with Watson, Kessel said.

“Our experience in data breaches has shown us that smaller companies that do not have a dedicated IT staff are unprepared for a data breach and have been without a solution up until now,” he said. “They often don’t know if their data has been breached or what steps to take to minimize the possibility of a breach. We recently completed an agreement with a respected national solutions provider in a specialized vertical market to make this solution available to their clients and hope to engage other partners.”

Partners can think of Identity Guard with Watson as a “powerful early warning system whose state-of-the-art AI capabilities continuously scour billions of data points to discover vulnerabilities and alert individuals when their identity may be at risk,” Kessel said.

Deceptive Networks Increasingly Part of Managed Detection and Response

The global deception-technology market is expected to exceed $2 billion by 2021, accelerating at a compound annual growth rate (CAGR) of 15 percent, according to a report by Market Research Engine. Deception technology can discover, analyze and defend against zero-day and progressive attacks, often in actual time.

Alton Kizziah, vice president of global managed services at Kudelski Security, tells us that within the channel, the opportunities to leverage deception technology can be multifaceted. Kudelski offers deception networks as part of its managed security services (MSS), and managed detection and response (MDR) offerings.

Kudelski Security’s Alton Kizziah

“Certainly, the channel can help clients solve tough problems by reselling deception to their clients,” he said. “Those channel providers and VARs who can really make a difference can use deception technology a couple of ways. They can provide managed services around the technology to give their clients peace of mind [around the clock] and the channel can provide professional services around the technology, including integrations, forensics and incident response.”

Deception systems deceive the intruder who is attempting to command and control, or other attacks on the endpoint, Kizziah said. With deceptions deployed throughout an environment, an attacker must get every step of their “kill chain” correct, and the analyst only needs one alert anywhere in the chain of events, he said.

“You don’t hear much about the successful defense of a cyberattack, only the failures,” he said. “As deception is adopted more broadly, I think companies will have a capability to detect stealthy movements [more quickly] and have a better understanding of the attack methodology. Word of mouth at conferences and peer groups will be one of the ways that the deception market will grow. I also believe that there are many research firms currently looking at deception and the marketplace. These factors combined will most likely lead to …

… rapid adoption in the coming years.”

Malicious Mobile Apps Down, But Other Threats Emerge

Malicious mobile apps were on the decline in the fourth quarter of 2017, mostly due to a decrease in the inventory of AndroidAPKDescargar, the most prolific dealer of blacklisted or unsafe apps, according to RiskIQ‘s fourth-quarter mobile threat landscape report, which analyzed 120 mobile app stores and more than 2 billion daily scanned resources.

The report documents the return of familiar threats such as brand imitation, phishing and malware — as well as the discovery of a bankbot network preying on cryptocurrency customers.

The Google Play store again led the way with the most blacklisted apps, but the analysis confirmed that feral apps – apps available for download outside of a store on the web – fell in popularity for the first time in several quarters.

“Securing the mobile app ecosystem continues to be a challenge for app stores of all sizes, but efforts to improve version control, monitor for abuse, employ verification techniques, and offer security education can help,” said Mike Wyatt, RiskIQ’s director of product operations. “Tracking the use of brand names and likeness is an equally daunting challenge for corporations. Brands should evaluate and implement solutions that constantly monitor their digital footprint online and in mobile app stores.”

RiskIQ researchers found a mobile app that was trying to pass itself off as a cryptocurrency market price app. This app was found to be part of the bankbot family of mobile trojans and would monitor the device that installed it for a list of target apps. If the app was launched while the trojan was installed, the trojan would put an overlay over the legitimate app and collect sensitive information, such as login credentials from the banking customer.