It was just announced today that 9 Iranians were involved in hacking 144 universities. They targeted professors and research departments in order to gain access to vital intel. In today’s realm of cybersecurity this does not surprise me. Many small to even larger institutions do not adequately protect their networks; most do not even have a border firewall. These institutions fully trust their entire network, from the student side to the business side. This is the wrong way of protecting your institution from these types of attacks. Yes, a border firewall is needed in order to block unsolicited or malicious traffic coming into the network. However, it is not the Rosetta stone security professionals think of when protecting their business from cyber attacks. As our societies become borderless, with companies moving to the cloud in addition to a very mobile workforce, we must take other considerations into account. These primarily include identity and access management and the move away from role-based access control to attribute-based.
Attribute-based access control evaluates many different types of criteria, and if a person meets those criteria, then they are granted access to a given resource. For example, a user tries to gain access to a given company resource. In order to gain access to that resource, first we check whether the user is even authorized to access the resource; from there we check whether a company certificate was installed and whether we can validate it. We then check that the endpoint, whether a mobile device, laptop or desktop, is up to date and possibly running some type of anti-malware. We then check for a higher level of assurance of the identity through the use of multifactor authentication. If the user is able to meet all the criteria, then at that point they are allowed access; if not, the outcome is based entirely upon the level of risk the business is willing to accept. If the business states that you are required to authenticate with MFA but your web browser is a version out of date, that user may at that point be given limited access to the corporate network and to the resource the user was trying to access. Attribute-based authentication is becoming the new standard for how an organization identifies a given user, to ensure that even if a credential was compromised, it would be extremely difficult to almost impossible to gain access to the data on a given resource.
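The decision flow described above, written out as a small attribute-based policy evaluator. This is an added example, not code from the original post or from any product: the attribute names, the certificate issuer string, the 30-day patch window, the "limited access" outcome for a stale browser and the sample users and devices are all assumptions constructed to illustrate the checks, and the ordering (authorization, device certificate, MFA, then endpoint posture) follows the paragraph.

```python
"""Added example (not the author's code): an attribute-based access control
decision function modelling the checks described in the post. Attribute
names, policy thresholds and sample requests are constructed assumptions."""

from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical decisions the policy can return.
DENY = "deny"
LIMITED = "limited"   # risk-accepted, restricted access
FULL = "full"


@dataclass
class Subject:
    user_id: str
    groups: set = field(default_factory=set)
    mfa_passed: bool = False          # identity assurance from MFA


@dataclass
class Device:
    cert_valid: bool                  # company certificate present and validated
    cert_issuer: str
    last_patched: date
    antimalware_running: bool
    browser_current: bool


@dataclass
class Resource:
    name: str
    allowed_groups: set


# Business risk settings (assumed): how stale a device may be before it is
# considered out of date, and whether an out-of-date browser may still get
# limited access when every other check passes.
MAX_PATCH_AGE = timedelta(days=30)
TRUSTED_CA = "Example Corp Device CA"   # placeholder issuer name
ALLOW_LIMITED_ON_STALE_BROWSER = True


def evaluate(subject, device, resource, today):
    """Return (decision, reasons). Every failed check is recorded so the
    decision can be logged and audited, not just enforced."""
    reasons = []

    # 1. Authorization: is the user entitled to this resource at all?
    if not subject.groups & resource.allowed_groups:
        return DENY, ["user not authorized for resource"]

    # 2. Device identity: company certificate present and issued by our CA.
    if not (device.cert_valid and device.cert_issuer == TRUSTED_CA):
        return DENY, ["device certificate missing or not issued by corporate CA"]

    # 3. Identity assurance: MFA is mandatory; a stolen password alone fails here.
    if not subject.mfa_passed:
        return DENY, ["multifactor authentication not satisfied"]

    # 4. Endpoint posture: these checks are risk-tolerant rather than hard stops.
    if today - device.last_patched > MAX_PATCH_AGE:
        reasons.append("endpoint patches older than policy allows")
    if not device.antimalware_running:
        reasons.append("no anti-malware running on endpoint")
    if not device.browser_current:
        reasons.append("browser version out of date")

    if not reasons:
        return FULL, ["all attribute checks passed"]
    # The one posture failure the business has chosen to accept with reduced access.
    if ALLOW_LIMITED_ON_STALE_BROWSER and reasons == ["browser version out of date"]:
        return LIMITED, reasons
    return DENY, reasons


def sample_decisions(today=date(2018, 3, 23)):
    """Constructed sample requests covering the outcomes discussed in the post."""
    finance = Resource("finance-reports", {"finance"})
    alice = Subject("alice", {"finance"}, mfa_passed=True)
    alice_no_mfa = Subject("alice", {"finance"}, mfa_passed=False)  # stolen password only
    bob = Subject("bob", {"marketing"}, mfa_passed=True)
    healthy = Device(True, TRUSTED_CA, today - timedelta(days=3), True, True)
    stale_browser = Device(True, TRUSTED_CA, today - timedelta(days=3), True, False)
    unpatched = Device(True, TRUSTED_CA, today - timedelta(days=90), True, True)
    return {
        "alice/healthy": evaluate(alice, healthy, finance, today)[0],
        "alice/stale_browser": evaluate(alice, stale_browser, finance, today)[0],
        "alice/unpatched": evaluate(alice, unpatched, finance, today)[0],
        "alice/no_mfa": evaluate(alice_no_mfa, healthy, finance, today)[0],
        "bob/healthy": evaluate(bob, healthy, finance, today)[0],
    }


if __name__ == "__main__":
    for request, decision in sample_decisions().items():
        print(f"{request}: {decision}")
```

The point of returning the reasons alongside the decision is that an access-control system is only as useful as its audit trail: a denied request that logs "multifactor authentication not satisfied" for a user whose password was phished is exactly the signal a blue team needs to spot a compromised credential being tried.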
We must also not forget about vulnerability and web-based scans. A majority of organizations in the public and private sector do not have an adequate patching cadence, which leaves their systems vulnerable to attack. Another issue is that employees have the tools to run the scans, but they do not have the knowledge to understand the vulnerabilities revealed in the report, nor do they know how to fix them. This is a huge problem that must be addressed: the blue teams of the company are not given the necessary training to fulfill their job roles. As leaders, we must not only provide the tools but also provide training to best utilize those tools so that our IT resources are protected. Without training, we are only solving half of the overall problem.
As the days go by, I am sure we will hear more about how this type of attack occurred. As the details are released, we as a security community should pay attention to the way in which the hackers were able to gain access, and perform our own lessons learned to see how we can improve upon our cybersecurity. If we do not take the time to do this, then someday our own organization will end up in the news or on Brian Krebs’s website. That is a day I do not want to experience.
CNBC: Iranian hackers attacked college professors, US agencies and companies: Justice Department
MarketWatch: U.S. charges Iranians for hacking into universities, U.N. and Labor Department