Budgets May Be the Biggest Obstacle to Comprehensive Cyber-Risk Management — EEWeb
Over the past few weeks, the state of cyber-risk management has not been good. Foreign actors have stepped up disinformation campaigns in the U.S. elections and phishing attacks associated with ransomware are rising dramatically. In September, IT Governance Ltd., a British cybersecurity firm, reported 267 million data breaches around the world. One-fifth was targeted at students returning to school via remote learning.
The cost of cybercrime is a fraction of the cost of protecting a network. A criminal can purchase a ransomware kit from rogue organizations for $50. A single hacker can cause millions of dollars of damage and even endanger patients’ lives in the health sector.
Microsoft has said that they spend $1 billion annually on cybersecurity and will continue that budget into the foreseeable future. But, according to IDC, companies should be spending a minimum of 0.2% of total revenue on security. Microsoft has some way to go to meet these spend levels.
However, according to Matthew Rosenquist, CISO at Eclipz.io Inc., “It takes a proper risk-management program to understand what it takes to reach and sustain the right residual risk levels. There is no equitable scale for investments as it relates to risk reduction. Nothing is a fixed ratio like $ X dollars = $ Y in risk. It just does not work that way.”
Today’s networks have a high level of complexity with hundreds of technologies and services that sometimes do very specific jobs while overlapping and contradicting protections from other technologies. Regardless of what technology or service you purchase to protect your enterprise, none can provide ubiquitous coverage.
IoT devices have become a popular attack vector and they can take almost any form, from an old cellphone to a kitchen appliance. In an Ars Technica report on a Wi-Fi-controlled coffee maker, the iKettle from Smarter., researchers found they could recover a Wi-Fi encryption key from the device going back to all versions since 2015. A hacker could replace the factory firmware with malicious code and control all aspects of the device remotely. The researchers were able to install ransomware into the device that in turn propagated throughout the network, including the router and modem. Literally, the only way to stop it was to unplug the device.
Companies offering solutions
There are many companies focused on securing IoT systems within industrial settings, such as Intrinsic ID and Sectigo. This can make sense financially, as the vulnerability of connected household appliances is very real.
Another company of interest is Tosibox, a Finnish company selling hardware and software systems to address the problem.
According to Jarno Limnell, CEO of Tosibox, their goal is to eliminate the complexity of securing IoT in enterprise while, at the same time, making it affordably scalable and authenticating both ends of digital communication. The process is relatively simple. Anything that connects to the internet — server, desktop/laptop computer, digital device, etc. — is connected to a Tosibox hardware appliance or software application, which, in turn, communicates with any other protected system within the network. Tosibox validates the sender of the communication and then the return communications. Costs for a starter kit range from $800 to $1,400, according to configurations.
This approach would have protected the IT team at Tyler Technologies and its customers. The technicians could do updates from anywhere, and even an iKettle in that network would be safe from intrusions. The difficulty arises when someone outside of the protective net tries to connect to the network. They just would not be allowed in. That is not necessarily a problem for an industrial setting where outside communication is not necessary. This could impact enterprises doing business outside of their network (banking, retail, and other service industries).
Tosibox, Ayla Networks, and Secomea offer similar benefits and downsides, but a new stealth company is slowly removing the wraps on their all-software, AI approach.
Airgap Networks is already releasing its solution to select customers, but when widely available, it can be deployed across the largest enterprises and even small networks, according to CEO Ritesh Agrawal.
Agrawal identified complexity, legacy systems, and the growth of the cloud as the three factors affecting enterprise security. To paraphrase him, shared VLANS designed in the 1990s worked well for a time but are not relevant these days and create excessive, uncontrolled access between the devices. “There is no reason a coffee machine should be communicating in any form to another computer?” he said. “But this a classic IoT threat vector that hackers are exploiting. That’s what should be fixed.”
Airgap uses zero-trust isolation to block unauthorized lateral traffic within an enterprise. This approach is the inverse of the shared VLAN legacy designs that have now been identified by Airgap as an unnecessary vulnerability.
Ransomware Kill Switch
Agrawal said he talked to hundreds of CIOs during product development. He found that they generally start yanking cables and shutting down systems when they learn of a ransomware attack. “Clearly, this isn’t a great idea if you are managing mission-critical systems such as health care or manufacturing,” he said. That led the company to the development of a particular feature, the Airgap Ransomware Kill Switch (RKS). This appears as a “one-click” button on the CIO’s computer and stops all unauthorized lateral communication, ensuring that the ransomware doesn’t propagate across the entire network. User access to popular applications are not affected, so business can go on while removing the malware from the enterprise.
The incident response team can now investigate, secure in the knowledge that an infected device is totally isolated. Once the ransomware attack is sourced and eliminated, the “one click” can be used in reverse to instantly normalize the network.
What’s more, Agrawal explained, a device in the network doesn’t have to be subscribed to the service. If someone logs into the network with an infected, unsubscribed device, the system will isolate the infected device and the user will barely notice. It will never be permitted to upload data onto the network.
Airgap offers the technology on an annual SaaS subscription basis, per device, and is installed on any enterprise network in just a few minutes without system upgrades or software agents for devices. Deployment can be staggered based on the IT organization’s schedule and budget. While the subscription costs are not free, they are well within the budgets of the smallest organizations, according to Agrawal.
If Airgap Networks’ complete solution works as claimed, this could be the holy grail of digital security.
The full interview with Agrawal is on Crucial Tech. Comments and questions are always appreciated.