Editor’s Note: The digital world can be a scary place. Whether lurking in the shadows of the dark web or hiding in plain sight, cyber spooks are out to trick and terrify you, with no treats in sight. It’s no coincidence that National Cybersecurity Awareness Month and Halloween share a spot on the calendar.
In the spirit of the season, we sat down with Bryan Murphy, director of consulting services at CyberArk, and leader of our remediation services team. With more than 20 years of cybersecurity experience*, Bryan has seen or read about nearly every ghoulish threat and dastardly data breach imaginable. Here, he describes some of the stories, trends and risky practices that keep him up at night. Read on… if you dare.
I once worked on a large-scale server build project. The team was using a default password, which I guessed – without even meaning to – while describing an example login scenario. Beware, a company-related acronym or stock symbol plus “123” does not make for a strong password. If you think adding a simple exclamation point at the end will save your administrative accounts and servers from impending doom, think again. And remember, resurrecting the ghosts of passwords past for reuse, or using the same ones across multiple systems will surely come back to haunt you.
A Perfect Storm Is Brewing
Last spring, many people thought that cutting out commutes and working from home would give them more time to focus on other endeavors – like family, friends, hobbies, even exercise. Reality quickly sank in as schools closed, responsibilities shifted or increased, and in many ways, life got even more hectic than before. As the FBI reported a 400% spike in cyber attacks, including targeted hits on remote access tools, corporate security boundaries relaxed and employees adopted risky habits in the name of efficiency and productivity. Today, workers are multi-tasking like never before – they can shop online, homeschool their kids and do domain administrative work on corporate systems – all from the same device. It’s like watching every scary movie cliché at once. What could possibly go wrong?
The Masked Insider Threat
It’s hard to spot a malicious insider in your midst, and even harder when it’s an outsider masquerading as a legitimate employee. Consider the recent Twitter attack, where a motivated external attacker used compromised insider access to gain powerful levels of system access to execute a financially motivated social engineering scheme. Incidents like this remind us that trust is not a security policy and that devils often hide behind angel costumes. Strong privileged access controls cannot be an afterthought. Embed them into your design process from the start – be sure to actively monitor access – and stop spending your days looking over your shoulder.
When Nightmares Become Reality
Increasing attacks on critical infrastructure have the potential to paralyze entire cities or weaponize connected systems. Crippling ransomware attacks are forcing healthcare organizations to make impossible life-or-death decisions. This fall, a German hospital was hit by a ransomware attack. The resulting outage forced a woman with a life-threatening condition to travel to an alternate facility about 20 miles away. She died after a significant delay in treatment. I’ve been asked, “What do we do first? Bring back our servers or get the lights on in surgery?” Just this week, several federal agencies warned hospitals about “credible” information “of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers” while COVID-19 cases and hospitalizations surge around the country.
No organization today can outrun the bogeyman. There is no silver bullet. Fortunately, many of the risks we face can be vanquished by staying vigilant and following fundamental security best practices like patching software, securing privileged credentials and identities, enforcing the principle of least privilege and backing up data. Remember, cybersecurity is a journey, not a final destination, and you don’t need to go it alone.
Stay safe out there and keep fighting the good fight. Happy Halloween.
*Note that these experiences are personal anecdotes and reflective of examples gathered throughout Bryan’s career and are not limited to his work at CyberArk.