Going beyond patch cycles and change control to keep cyber criminals away

Governments must work with industry to have a collaborative approach and response.

Running unpatched hardware and software in the current environment has proven disastrous for government and private organisations alike.

Last week's announcement by the Australian Government that it had been the victim of sustained cyber attacks by sophisticated actors showed the importance of having the right controls in place.

Fernando Serto, director of security technology and strategy Asia Pacific at Akamai Technologies, told CIO Tech Asia he had done some research to try to understand how long large enterprises in both the public and private sector take to patch vulnerabilities, depending on criticality.

“Perhaps instead of relying on patching cycles and change control, organisations should consider a different approach to protecting their assets,” he said. “The methodology used for this was to use Shodan’s APIs to track devices online and indexed by their engine.

“I [also] used a couple of tools available on GitHub to test a device for this particular vulnerability, and to ensure the data was as accurate as it could be, I worked with a friend to test against an unpatched device vs patched to make sure results would be accurate.”

Serto said that by the end of the exercise, having gathered enough data for a couple of engagements, he had results for Australia, Singapore, India, the USA and Brazil.

The percentages of devices still vulnerable at the time of my research were:

  • Australia at 7 per cent
  • USA at 12 per cent
  • Singapore at 18 per cent
  • India at 23 per cent
  • Brazil at 28 per cent

“While in some cases the percentage value may seem low, like in Australia, this still leaves around 140 organisations exposed, some in the public sector, which would be a high value target to a nation state,” he said. “In the USA, 12 per cent also equates to over a thousand organisations potentially exposed to this same attack vector.”

Serto said it really showed there “are no tools to fix the people and processes part of the equation”.

As another way of ensuring cybersecurity takes precedence in organisations both private and public, Joseph Carson, chief security scientist and advisory CISO for Thycotic, said it was time for “Australia to strongly consider a Cyber Defence League”.

“News of sophisticated nation-state cyberattacks targeting Australia should set alarms off around the world,” said Carson. “However, the lack of information released from the Australian Government also raises more questions than it answers. Using words such as ‘sophisticated’ without sufficient context or ‘nation-state actors’ without evidence of attribution reduces the confidence of the statements.”

He said it was critical to be clear on the cyberattacks:

  • On what stage they are at and what companies should know to detect and protect against such attacks.
  • If the attacks are indeed targeting both government and industry, then we need to know more about what techniques are being used so we can all work together to respond effectively.

“During such times, governments must work with industry to have a collaborative approach and response,” he said.

Carson said it was the right time for Australia to strongly consider a “Cyber Defence League such as the one that Estonia implemented after the cyberattack in 2007” so that cyber volunteers can bring their expertise to defend against cyber bullying.

According to Carson, when mercenaries or cybercriminals are involved they tend to be noisier and use more common, classic techniques.

“The government must share the exact techniques being used so companies and citizens can help defend against such attacks,” he said.
