Authored by: Sareeka A. G., Product Consultant at ManageEngine
Digitisation and advancements in information and communication technology have revolutionised every aspect of modern life. While a connected digital ecosystem that intertwines critical infrastructure provides enormous potential for innovation and development, it also increases the attack surface. The way a country responds to the opportunities and risks that arise in cyberspace plays a crucial role in its growth and security.
Though we all acknowledge the imminent risks cyberattacks pose, are we aware of the scale of impact such attacks can have on a country and its people? Let's explore the impact as well as who the attackers are, and how they can be stopped.
Who are the attackers and what can they do to a nation?
Based on their motives and scale of attack, cyberattackers can be classified into four groups:
State-sponsored attackers are non-state individuals or organisations who are discreetly supported by a government entity. These attackers generally operate to fulfil the political, commercial or military interests of their country of origin.
In today's world of mutual distrust, where nations want to have the upper hand over others, state-sponsored cyberattacks have become commonplace. Attackers use a combination of techniques, ranging from spear phishing attempts backed by well-researched social engineering to sophisticated advanced persistent threat (APT) campaigns, in order to infiltrate networks and gain access to confidential information such as trade secrets, research findings, and war strategies, to name a few. Cyberespionage and insider attacks (where a trusted insider is paid for carrying out parts of the attack) are also not uncommon. State-sponsored attacks have the potential to cripple entire nation-states when the right data is compromised.
Hacktivists are individuals or groups of individuals who use cyberattacks as a way of expressing political or ideological extremism.
Numerous cyberattacks have been carried out in the past as a means of expressing resistance. Launching large scale distributed denial of service (DDoS) attacks to render government servers inaccessible and loading videos and images that criticise a state's policies on government websites are some of the most common methods hacktivists employ to make their voice heard. While hacktivism appears to be just a form of electronic civil disobedience without malicious intent, taking down networks of organisations that provide essential services such as hospitals can have devastating impact on citizens' lives.
Organised criminal networks are groups of malicious individuals who form centralised enterprises to carry out illegal activities for profits. Some of the criminal organisations have a political agenda and carry out attacks to induce terror.
Supervisory control and data acquisition (SCADA) system communication networks form the backbone of industries such as electricity distribution, aviation, manufacturing, waste and water control, oil and gas transportation, and others that are crucial components of a modern economy. The SCADA systems are employed to manage physical processes and sensitive functions. Attackers can compromise the communication networks either by gaining direct physical access to the plants or by establishing remote access. Once the attackers have control over the SCADA systems, they can manipulate crucial controls and cause physical harm or gather intel to use in an actual terror strike that creates a devastating impact.
Low-level individual criminals are hackers who compromise individual devices or organisational networks for monetary or personal gains. They usually launch small-scale attacks and do not have any hidden agenda.
This type of attacker might seem to be an implausible threat when you think of national security. But let's not forget that national security doesn't just involve protecting the borders, it also includes securing a nation from within.
Amid the COVID-19 pandemic, governments across the world are employing technology to contain and cure the disease. Imagine this scenario: You receive an SMS allegedly from the Ministry of Health, advising you to download a mobile application that will warn you when a COVID-19 affected person is in your vicinity. Sounds like a wonderful way to keep yourself from getting infected, doesn't it?
The problem is, the SMS could actually be a phishing message, and the app could be malicious and gather information from your mobile device. This information may then be relayed to attackers who can demand a ransom, take control of your device, and commit identity fraud and other crimes. Such an attack on a small scale might appear insignificant, but when thousands of unaware individuals fall prey and their identities are misused, it can lead to a massive security crisis.
Cyberthreats have become a continually evolving and complex security challenge. Implementing a complete, all-inclusive approach towards improving IT security in both physical and virtual realms is the need of the hour.
Fortify physical security
Government and private organisations that house sensitive information must protect their premises from physical attacks by carefully scrutinising visitors and permitting entry only to authorised individuals. A combination of identifiers such as passcodes, ID cards, and biometrics should be employed. Around-the-clock surveillance, as well as proper maintenance and physical isolation of sensitive servers and devices, is essential to prevent attackers from gaining hands-on access to the facilities and tampering with equipment.
Locate and fix vulnerabilities
Conducting risk assessment is one of the first steps towards creating a secure IT environment. List all the data assets, identify associated vulnerabilities and the likelihood of being compromised, and estimate the magnitude of impact. Using this information, classify each data asset as a high-, medium-, or low-risk entity and apply appropriate protection controls.
Once assets have been classified, scout the network for vulnerabilities and fix them. Continuously tracking all security information and events is essential to monitor the health of an organisation's IT network. Virtual private networks (VPNs) and multi-factor authentication (MFA) techniques can be used to secure connections over unreliable networks and to prevent credential misuse, respectively. Having up-to-date systems and applying timely software patches can also help protect network devices.
Prevent insider attacks
While perimeter defence mechanisms such as firewalls and proxy servers can help keep intruders out, tackling insider attacks requires a different strategy. Insiders already possess the permissions required to access the critical assets they want to compromise. An adversarial nation-state could compromise an insider's credentials or incentivise a trusted employee to work for it. With the help of machine learning (ML) and artificial intelligence (AI) techniques, baseline behaviour can be established for every user account and entity in a network. By comparing the current activities of a user or entity with that baseline, suspicious activities can be detected and IT admins can be alerted.
Automate threat response
Advanced SIEM tools can be customised to perform automated threat-response functions such as suspending malicious accounts or temporarily denying permission to perform certain activities. In the event of an attack, this enables IT administrators to limit damage, protect surviving assets, and support business continuity. Modern cybersecurity tools have the capability to correlate vast volumes of event logs, deduce imminent cyberattacks, and warn security experts. These tools also generate extensive reports that aid in forensic analysis of a cyberattack.
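The baselining and automated-response steps described under "Prevent insider attacks" and "Automate threat response", as an added worked example that is not code from the article or from any ManageEngine product. The log format, the account names, the three-standard-deviation threshold and the suspend-after-two-anomalies policy are all assumptions made for illustration.

```python
# Added example (not from the article): learn each account's normal hours and
# download volume from past logs, flag deviations, then apply a response policy.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample logs: "<ISO time> user=<name> action=<type> bytes=<n>"
BASELINE_LOGS = """2024-03-01T09:12:00 user=alice action=login bytes=0
2024-03-01T10:05:00 user=alice action=download bytes=110000
2024-03-02T11:20:00 user=alice action=download bytes=95000
2024-03-03T14:10:00 user=alice action=download bytes=130000"""
NEW_LOGS = """2024-03-10T10:00:00 user=alice action=download bytes=100000
2024-03-11T02:47:00 user=alice action=login bytes=0
2024-03-11T02:55:00 user=alice action=download bytes=4200000000
2024-03-11T03:01:00 user=mallory action=login bytes=0"""

def parse(log_text):
    """Each line becomes (user, hour of day, action, bytes transferred)."""
    events = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((kv["user"], int(ts[11:13]), kv["action"], int(kv["bytes"])))
    return events

def build_baseline(events):
    """Per user: hours of day seen, and mean/stdev of download volume."""
    hours, vols = defaultdict(set), defaultdict(list)
    for user, hour, action, nbytes in events:
        hours[user].add(hour)
        if action == "download":
            vols[user].append(nbytes)
    return {u: {"hours": hours[u], "mean": mean(vols[u]) if vols[u] else 0.0,
                "sd": pstdev(vols[u]) if len(vols[u]) > 1 else 0.0} for u in hours}

def detect(events, baseline):
    """Flag unknown accounts, off-hours activity, and downloads far above normal."""
    findings = []
    for user, hour, action, nbytes in events:
        b = baseline.get(user)
        if b is None:
            findings.append((user, "no baseline for this account"))
            continue
        if hour not in b["hours"]:
            findings.append((user, f"activity at {hour:02d}h outside baseline hours"))
        # Floor the spread at 10% of the mean so a tiny stdev cannot flag normal noise.
        if action == "download" and nbytes > b["mean"] + 3 * max(b["sd"], 0.1 * b["mean"]):
            findings.append((user, f"download of {nbytes} bytes far above baseline"))
    return findings

def respond(findings, suspend_after=2):
    """Response policy: one anomaly alerts an admin; repeated anomalies suspend the account."""
    counts = defaultdict(int)
    for user, _ in findings:
        counts[user] += 1
    return {u: "suspend_account" if n >= suspend_after else "alert_admin" for u, n in counts.items()}
```

In a real deployment the baseline would be rebuilt over a rolling window and the response actions would be issued through the SIEM's own playbooks rather than returned as strings.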
Apart from the possible ways to prevent cyberattacks from an IT security standpoint discussed above, protecting cyberspace requires the formulation and efficient deployment of strict cyberlaws and regulations. Well-defined rules that explicitly describe criminal activities and associated penalties and punishments will provide a systematic and legal approach to deal with cyberattacks and attackers.
Just like its geographic or physical boundaries, a country's cyberspace requires constant surveillance and security. As a first step, governments should acknowledge the danger that cybercrimes pose to society and act accordingly. Ensuring cybersafety is a combined effort. Without the active participation of individuals, cyberlaws would be mere statements on paper. Coordinating a multiagency response and executing preventive and counteractive measures against cyberthreats in judicious proportions is the way ahead.