Thursday, April 25, 2024

PERSPECTIVE: Report Shows Glimmers of Light in Eye of the Cybersecurity Storm

Government information systems are of considerable concern to the welfare of the country. With significant breaches over the past decade, including the U.S. Voter Database, the National Archives and Records Administration, and the Office of Personnel Management (OPM), not to mention many breaches at the state and local level, I think it is safe to say that the public has moved beyond surprise when a new attack hits the news.

I, along with so many people I know, was intimately affected by the OPM breach, and it goes without saying how a compromise of voting records and voting technology could affect the nation. Because of these concerns, I tend to read cybersecurity research with a keen interest in how the government stacks up against other industries. While our 2018 Nuix Black Report research carried several reasons for concern, I think it also shows cause for cautious optimism, even though we still have a long way to go.

Gone in 15 Hours

According to our respondents (hackers, penetration testers, and incident responders, all of whom answered our questions anonymously), more often than not they are capable of breaching their target, locating critical value data, and exfiltrating it in under 15 hours.

You read that correctly, but I’ll reiterate. If a determined attacker decides at 7 a.m. that they want your critical value data (whatever that term means to your organization), they will most likely have it by 10 p.m. the same day. As many industry-standard reports tell us, breached organizations normally do not detect a breach for anywhere between 200 and 300 days. That is an awfully long time for an intruder to operate unnoticed, especially when the nation’s security is potentially at stake.

Bad, But Not All Bad

In short, this situation is unacceptable, yet it persists. The reasons for this are manifold and require a complete shift in the way we defend our critical systems and data. As I read through the results, however, I began to wonder how our respondents felt about attacking the government compared with, for example, retail organizations. A breakdown of responses by target industry was one of the differences between our 2018 research and our inaugural report, which did not separate targets by industry.

What we found was encouraging. Consider the responses to the following questions:

  • How long does it take to breach the perimeter, identify critical value data, and exfiltrate that data? Percent who said they could do so against the specified target in under 15 hours:
    • Federal government: 53 percent
    • State/municipal government: 54 percent
    • Retail: 63 percent
    • Food and beverage: 66 percent
  • How long on average does it take you to breach the perimeter of your target? Percent who said they could breach the specified target in under 10 hours:
    • Federal government: 62 percent
    • State/municipal government: 70 percent
    • Retail: 85 percent
    • Hospitals/healthcare: 78 percent

The second question is really a subset of the first (breaching the perimeter is the first step of the full intrusion chain), but in both cases government targets fare well compared with other industries: a lower percentage means fewer respondents believed they could compromise that kind of target within the stated time. The report has a full breakdown of the results across 16 different target categories, which yield further insights.

These numbers bear scrutiny. Why are government targets more difficult to breach and steal information from? Are they “doing security” better than the other industries? That might be the case, and there is evidence in the form of the 2017 Personal Data Notification and Protection Act proposal that the federal government, at least, is starting to take a more serious view of cybersecurity. It is worth remembering, though, that these figures are self-reported estimates from anonymous respondents, so they tell us how attackers rate the difficulty of a target rather than how long a measured intrusion actually took.

Hoping for a Brighter Day

Until we start seeing a sustained, positive trend in which breaches get harder for criminals to pull off and the gap between a successful attack and its detection shrinks, I would hesitate to say that we are completely on the right path. There is still too much evidence to the contrary, but at least we see a faint glimmer of hope in the numbers.

Unfortunately, there is no silver bullet to make that change a reality. It will take work, dedication, technology, and money combined to realize the necessary changes and break through the storm clouds that cover the cybersecurity horizon. I believe listening to the people on the front lines, the hackers and incident responders who work on both sides of the fence, is an important step forward. Their input, combined with traditional industry research, gives us a better chance of focusing our attention on the right areas.

Hopefully someday we will be writing another article about how attackers need days and weeks to break into our systems, and how detection is happening before they make off with our critical data. It will not happen overnight, but it could become reality if we truly listen and dedicate ourselves to making it happen.

Chris Pogue
Chris Pogue is head of services, security and partner integration at Nuix. He has more than 15 years’ experience and 2,000 breach investigations under his belt. Over his career, Chris has led multiple professional security services organizations and corporate security initiatives to investigate thousands of security breaches worldwide. His extensive experience is drawn from careers as a cybercrimes investigator, ethical hacker, military officer, and law enforcement and military instructor. In 2010, Chris was named a SANS Thought Leader, ran an award-winning security blog (The Digital Standard), and has contributed to multiple security publications. Chris holds a Master's Degree in Information Security and is also an adjunct cybersecurity professor at Southern Utah University.