Читать книгу Digital transformation for chiefs and owners. Volume 3. Cybersecurity - Джимшер Челидзе - Страница 5

The main trend in the field of IS – professional managers come to the industry. Those who used to be engaged in “technology”, but now have grown up to managers. They think about the technical side of the issue, as well as about money, the processes in the organization, about the responsibility that they take on themselves. Additionally, this is a serious challenge for IS companies. After all, they need to communicate not just with experts who are in the topic, but find a common language with managers. That is to explain primarily in the language of money and guarantees.

The second trend – the transition from smeared protection throughout the organization, promotion of maturity levels and the use of best practices to a model of guaranteed protection against unacceptable scenarios: disruption of technological cycles, theft of money, confidential information, data encryption. That is, the transition from IS 1.0 to IS 2.0.

This is because everyone is already aware of the impossibility of protection from everything. First, the growth of digitalization and automation has led to an increase in the number of software used. Which means there’s an exponential increase in the number of attacks. Secondly, as we have said before, all IT solution developers try to reduce costs. For example, even the world IT giant IBM transfers its production to India, because there is cheaper labor programmers. At the same time, the quality of the code from most Indian developers leaves much to be desired. It’s like Chinese replicas of original products. All this leads to a decline in software quality and an increase in the number and criticality of vulnerabilities.

Additionally, even published “holes” developers do not hurry to eliminate quickly. Here are indicative statistics from PT. Of all vulnerabilities in industrial IT systems identified and sent to developers in 2021, less than half – 47%. In this case, they become known to the world quite quickly – within a few hours.

In total, about 25,000 new vulnerabilities discovered by security researchers were identified and confirmed in 2022.

The increase in the number of startups and their programs, as well as the failure to comply with the principles of safe development, can lead to this number being only increased.

As a result, it turns out that in more than half of the attacks, hackers quietly use these vulnerabilities and get the necessary access in a few minutes. PT specialists themselves, using known vulnerabilities, were able to access the internal network of companies in 60% of their projects. Additionally, now add the fact that there aren’t many white hackers and researchers, and the developers just don’t know about all the holes. Hackers do not seek to publish found vulnerabilities in the public domain. At the same time, the shadow market of hackers itself is on the rise.

Dynamics of the shadow market

Third, attacks become targeted rather than mass attacks. As mentioned earlier, it was 43 per cent, now it is 70 per cent.

Fourth, no matter how advanced the technology, the bottleneck is still people. Therefore, since 2017, the number of people caught on phishing letters, not only has not decreased, but, on the contrary, has increased multiple. Additionally, in the top most used and effective ways to penetrate the company is still phishing via email. In this case, the topics that people open most often remain unchanged from year to year: salary, bonuses, social programs, DMS, resume. In addition, the best mailing lists dedicated to events in a particular company or division. That is, the growing role of social engineering.

The statistics of attacks against ordinary people are interesting. After all, the endless leaks of personal data make it easier for hackers to choose the right people when planning an attack on the organization. So, in 2021 in 58% of attacks hackers infected users’ devices with malicious software: these were applications for remote control (34%), spyware (32%) and bank trojans (32%). By the end of 2022, spyware was already used in 49% of successful attacks.

At the end of 2022, phishing sites (42% of successful attacks) and emails (20%) were the most common source of infection. Hackers also combined people’s personal devices and organized so-called ddos attacks, that is, simply overloaded the IT infrastructure of the victim organization. Additionally, in massive phishing attacks hackers used the current news agenda: purchase of fake certificates of vaccination, creation of fraudulent sites before the European Football Championship, premiere of a new episode of the series “Friends” or other “delicious” event.

Additionally, fifthly, managers are pragmatic people who want guarantees. As a result, we came to the second trend – the formulation of simple and understandable for top managers queries, so that the unacceptable could not be implemented.

In my opinion, this is quite a normal situation. It is impossible to build up armor indefinitely and close. If you like to drive tanks, remember the example of the Mouse tank, which eventually became sluggish and in life could not move at all, becoming only a museum exhibit. At the same time, the development of technology still made it pierced. In the struggle of armor and projectile always in the end wins the projectile.

Returning to the language of business, I will share an observation. Increasing the armor sometimes leads to the growth of useless bureaucracy. I’ve seen companies close so that business processes stop, and people just go outside the company, start working communication and document exchange in open messengers and personal mail. After all, they have KPI and they require results. And waiting for a week or two until the technical support solves another problem, they cannot. In the end, we want to defend ourselves, but only by multiplying the risks.

The third trend is the development of cyber-polygons and cyber-battles, which provide an opportunity for cyberbes professionals to try their hand at detecting and suppressing malefactors, testing infrastructure and obtaining information for analysis and development. Additionally, since the beginning of 2023, there is active creation of programs to search for vulnerabilities for reward. Such programs are called Bug bounty. This allows “white” hackers and researchers to apply their knowledge for the good and get a reward for it. This applies mainly to the financial sphere (vulnerability search programs) and large corporations (participation in cyber battles).