The Home of the Security Bloggers Network
The meaning of “cybersecurity awareness” changed in some significant ways in 2021.
Comprehensive employee security awareness training helps organizations reduce risky behaviors, build a security-first internal culture and prevent cyberattacks. But what does “security awareness” actually cover? In 2021, the answer changed in several significant ways.
Cyberattacks are no longer an esoteric concept that Americans heard about but rarely experienced firsthand. In September, the Pearson Institute and the Associated Press-NORC Center for Public Affairs Research conducted a survey that found nine in 10 Americans were at least somewhat concerned about cyberattacks and about two-thirds stated they were “very” or “extremely” concerned. Significantly, these concerns cross political party lines.
From the ransomware attack on the Colonial Pipeline that disrupted fuel deliveries in 12 states for several days to a similar attack on meat supplier JBS that caused grocery bills to spike, consumers were made starkly aware of the domino effect of cyberattacks on the companies they do business with.
Early in the year, an employee of the city of Oldsmar, Florida, reported a watering-hole attack that planted malware on the employee’s computer. This opened the door for a threat actor to compromise the water treatment plant’s network and attempt to poison the city’s water by raising the level of lye (sodium hydroxide). Thankfully, the intrusion was discovered in time to stop it, but the threat of similar attacks remains. In October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to water and wastewater utilities warning of ongoing attempts by malicious actors to compromise both their IT and operational technology (OT) networks, systems and devices.
Water utilities aren’t the only critical infrastructure at risk. The year 2021 saw a spate of ransomware attacks against hospitals, state and local governments and municipal emergency services. These attacks don’t just cost organizations money; they put human health and lives at risk.
Throughout 2021, cybercriminals who found their way blocked by improved technical controls increasingly turned to zero-day exploits on the one hand and to human error on the other: misconfigurations and other mistakes made by end users or IT personnel.
In August, dozens of organizations using Microsoft Power Apps, including multinational corporations and government agencies, inadvertently exposed 38 million records. Many of these records included personally identifiable information (PII) such as COVID-19 contact tracing data and job applicants’ Social Security numbers. The root cause was a default setting in the Power Apps API, which until quite recently exposed records for display unless IT personnel explicitly disabled it. A vendor changing an insecure default does not retroactively fix deployments configured under the old one; existing portals still have to be audited.
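The check a practitioner wants after an incident like this is simple to state: send unauthenticated requests to the APIs behind a portal and flag any that answer with records instead of 401/403. The Python script below is an added example, not from the original post and not Microsoft’s or UpGuard’s tooling. The hostnames, the `/_odata/` path, the PII field-name hints and the response bodies are constructed for the example; the fetcher is injectable so the classification logic runs offline against those constructed responses.

```python
"""Audit API endpoints for anonymous data exposure.

Added example, not vendor tooling. It issues an unauthenticated GET to each
URL and flags any endpoint that answers 200 with a collection of records
rather than 401/403. The fetcher is injectable so the logic can be exercised
offline against the constructed responses at the bottom of the block.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Field-name fragments that suggest PII. Hypothetical, non-exhaustive list.
SENSITIVE_HINTS = ("ssn", "social", "dob", "birth", "passport", "email", "phone")


@dataclass
class Finding:
    url: str
    status: int
    exposed: bool
    record_count: int = 0
    fields: list = field(default_factory=list)

    @property
    def sensitive_fields(self):
        """Subset of the exposed field names that look like PII."""
        return [f for f in self.fields if any(h in f.lower() for h in SENSITIVE_HINTS)]


def http_fetch(url, timeout=10):
    """Unauthenticated GET: no cookies, no tokens. Returns (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def classify(url, status, body):
    """Decide whether an unauthenticated response leaked records."""
    if status != 200:
        # 401/403 is the desired answer; any non-200 is not a data leak.
        return Finding(url, status, exposed=False)
    try:
        data = json.loads(body)
    except ValueError:
        return Finding(url, status, exposed=False)
    # OData feeds wrap the collection in "value"; plain REST may return a bare list.
    records = data.get("value") if isinstance(data, dict) else data
    if isinstance(records, list) and records and isinstance(records[0], dict):
        return Finding(url, status, exposed=True,
                       record_count=len(records),
                       fields=sorted(records[0].keys()))
    return Finding(url, status, exposed=False)


def audit(urls, fetch=http_fetch):
    """Run the check over a list of URLs; pass fetch= to run offline."""
    return [classify(u, *fetch(u)) for u in urls]


# Constructed offline responses standing in for a portal's OData feeds
# (hypothetical hostname and path; the data is made up).
FAKE_RESPONSES = {
    "https://portal.example/_odata/applicants": (200, json.dumps({"value": [
        {"fullname": "A. Example", "ssn": "000-00-0000", "email": "a@example.test"},
        {"fullname": "B. Example", "ssn": "000-00-0001", "email": "b@example.test"},
    ]})),
    "https://portal.example/_odata/contacts": (401, '{"error": "unauthorized"}'),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch."""
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for f in audit(list(FAKE_RESPONSES), fetch=fake_fetch):
        flag = "EXPOSED" if f.exposed else "ok"
        print(f"{flag:8} {f.status} {f.url} records={f.record_count} pii={f.sensitive_fields}")
```

Against real systems, call `audit(urls)` with the default fetcher, and only against portals you own or are authorized to test. The point of the `sensitive_fields` property is triage: an endpoint that anonymously serves a public product catalogue is a finding, but one that serves a column named `ssn` is an incident.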
More recently, a server misconfiguration combined with a lack of network segmentation enabled cybercriminals to compromise streaming platform Twitch and leak 125GB of company data.
Another method by which cybercriminals get around rigorous security controls at large organizations is to compromise a softer target further down the supply chain, then use this access as a backdoor into their ultimate target. This is an unfortunate side effect of modern, highly distributed data environments where even mid-sized companies typically have hundreds, sometimes thousands of third-party applications, systems and hardware in their IT ecosystems.
Recently, the FBI issued an official warning to U.S. food and agricultural businesses about ransomware attacks within their supply chains, and Microsoft notified resellers and technology service providers of its Azure cloud service to be on the lookout for “highly targeted attacks” by the same threat actor responsible for last year’s SolarWinds breach.
Considering that managed service providers, SaaS developers and other IT service providers have the same distributed data environments as their customers, supply chain attacks have a potentially massive scope.
Customer and employee PII aren’t the only digital assets cybercriminals are interested in compromising. Digital intellectual property (IP) and other confidential business information are just as valuable as Social Security numbers, and in many cases even more so.
While creators’ login credentials and financial information weren’t exposed in the Twitch breach, their earnings on the platform dating back to 2019 were. However, Twitch arguably suffered far greater harm than its creators. Cybercriminals got away with a treasure trove of digital intellectual property, including the entirety of Twitch’s source code with full commit history, internal red-teaming tools, proprietary SDKs, internal AWS services and more.
While some aspects of security awareness are evergreen—such as the dangers of clicking on links in unsolicited email—the threat environment is continually in flux, as is employees’ perception of cybersecurity issues. Security awareness training must be an ongoing process to remain effective.
Darren Guccione is the CEO and co-founder of Keeper Security, Inc. Prior to Keeper, Darren served as an advisor to NinthDecimal (f/k/a JiWire), the leading media and technology service provider for the Wi-Fi industry. Prior to that, Darren was the CFO and Co-founder of Apollo Solutions, Inc., which was acquired by CNET Networks (now CBS Interactive). Darren is an engineer and a CPA. He holds a Master of Science in Accountancy with Distinction from the Kellstadt School of Business at DePaul University and a Bachelor of Science in Mechanical and Industrial Engineering from the University of Illinois at Urbana-Champaign. Darren is an Evans Scholar and received the Distinguished Alumnus Award presented by The Department of Industrial & Enterprise Systems Engineering. Darren is a community board member of the Chicago Entrepreneurial Center (1871), which fosters the development of early stage companies, and an advisor to TechStars, a Chicago-based technology incubator for innovative startups. Formerly, Darren served on the Committee of Technology Infrastructure under Mayor Richard Daley. Darren has been named Cutting Edge CEO of the Year in 2019 and Publisher’s Choice Executive of the Year in 2020 by Cyber Defense Magazine’s InfoSec Awards. He is regularly featured on local and national news programs to report on cybersecurity events and topics. He serves as a panelist and keynote speaker in various technology events around the world.