An Interview with Mitchelle Schanbaum
A recent cyberattack that shut down the largest fuel pipeline in the United States caused internet security experts around the world to take notice and take stock of their own practices. We sat down with Mitchelle Schanbaum, Chairman & CEO of Specialized Security Services (S3 Security), to gather insights on the growing threat to operational technology, how cyberterrorists are breaching even the most sophisticated systems, and what you can do to protect your company.
The most obvious question might be: With all the advances in cyber security, why is this still happening?
Are the companies who fall pray to these hackers simply unprepared?
Well, first off, it helps to understand these aren’t “hackers” like most people imagine. They’re not a random collection of individuals trying to break into systems in between episodes of their favorite Hulu series. These are highly educated scientists and engineers who are part of large organizations, syndicates or foreign governments. They’re professional criminals who’ve chosen cyberterrorism as their career.
So, it’s not that companies are unprepared or failing to do their very best. But new vulnerabilities are released every day, and these terrorists are notified at the same time you are. Even if you inspect your systems today, there will be new vulnerabilities tomorrow. You may have to rely on manufacturers to develop a patch before it can be fixed, so it’s a hard to keep up with. These criminals are very well organized and well-funded. No matter how many IT people you employ, they have twice as many trying to hack into your system and deploy ransomware.
Does the size of the organization matter? Are large companies more attractive to cyberterrorists or more susceptible to system violation?
Size doesn’t matter. There are all types of cybercriminals and they’re going after everyone. Smaller for-profit groups and solopreneurs go after individuals (like you) because it’s low-hanging fruit. They don’t go after big companies because they know they’ll get caught.
On the other hand, government-based teams go after things that could hurt other countries. The shutdown of a 5,500-mile pipeline that ships 2.5 million barrels of fuel a day not only has the potential to raise gas prices – which was most people’s concern – but cripple whole segments of the economy that rely on transportation. So, government-sponsored terrorism usually targets major industry players like financial institutions, airline companies and government agencies.
As the name implies, syndicates are a lot like the old-world mafia. But instead of trafficking drugs, they’re trafficking data and holding it hostage. They focus on crimes of opportunity, but it has to be worth their investment. Syndicates pay some of the smartest people in the world to build their own encryption programs. There people earn millions of dollars a year and don’t use the same encryption tech twice. Their encryption algorithms are very complicated.
When you put it all together, every external IP is being scanned for vulnerability an average of once every seven seconds.
If nobody is safe – if there’s a cyber-criminal for everyone at all levels – is it just a roll of the dice? Just a matter of time before your number comes up?
Yes and no. Everyone is being scanned, but that still takes time. But you don’t want to be that low-hanging fruit. You want to build multiple layers of security that require a lot of time and evolving expertise to penetrate.
Here’s what I mean: Let’s say there are 10 different companies represented by the first 10 letters of the alphabet. Cyberterrorists don’t just hack away at Company A forever until they make it all the way through. They start with Company A and go as far as they can until they hit a wall. Then they take what they learned and move on to Company B to push through to its limitations. Then they repeat the process with Company C, Company D, until they succeed.
Successful hackers might go through 200 companies with specific vulnerabilities by the time they’re finally able to break through to a point where they can do some damage. It’s like a cybercriminal version of Grand Theft Auto or another video game. You keep trying to get to the next level by reapplying what you learned.
So, how do I reduce the likelihood that my company’s system will be the one these thieves break into?
The most successful solutions are those that consistently implement multiple layers of compatible security. If you live in a nice house and want to protect it, a lock on the front door won’t do. Put two locks on all the doors and think about a security system. If that’s not enough, you can add motion-activated lights or maybe move into a gated community.
The same thing goes for corporate security. If your company and mine both have the same tech, but I have two or three additional layers of protection, I’ve increased the chances of frustrating a thief and forcing him to move along to the next “house.” It makes me just one company in a long list of companies that will be abandoned through trial and error. It’s not about building a better firewall; it’s about building multiple layers of security.
That practice also needs to be re-evaluated and repeated frequently. We can barely see 3-5 years down the road, so you should evaluate your cyber security – hardware and software – every two years.
If new vulnerabilities are released every day are there measures my company needs to take every day?
Aside from real-time monitoring and regular patching, I’d also recommend development of a more structured Vulnerability Management Program; one that includes your own scanning, your own patching, and your own risk ratings. But you need to run a cost/benefit analysis because risk rankings are different for every company.
On the NVD scale of CVSS Scores from 1 to 10 – where 10 is Critical – a certain vulnerability might have a score of just 5. So, some companies won’t consider it critical. Many organizations look at their ratings and decide they’ll only patch critical vulnerabilities with a rating of X or more. So, a company can be on the right patch cycle, but if it’s not a critical vulnerability, they might not patch it and cyber criminals may still be able to get in.
All things considered, what’s the one thing I need to do today?
Review your cyber liability insurance policy and whatever you’ve agreed to. Your cyber liability policy includes terms, conditions and requirements you need to fulfill if you expect them to pay.
Too many companies fail review what the insurance company says you need. If you said you’d patch every 10 days and you only patch every 30 days, your insurance company isn’t going to pay. Once their systems are breached, most companies call their cyber liability carrier first – before they call the FBI or anyone else – and the first thing that carrier will do is have a forensics expert ensure you did everything you were supposed to.
So, make sure you have enough coverage, make sure you’re doing what you’re supposed to, and if you are the victim of cyberterrorism, do your own forensics before you call anyone else.
But, that said, developing multiple layers of compatible security is still the best insurance money can buy.