Electricity, transportation, water, communications – these are just some of the systems and assets that keep the world functioning. Critical infrastructure, a complex interconnected ecosystem, is what props entire countries up and is vital for the functioning of society and the economy. This is why it is under attack. Threat actors, usually nation-state backed, know this very well. By taking down the poorly protected power grid of a city or even a country, cyber attackers can cause mass chaos; more broadly, any threat to the critical infrastructure sectors could have potentially debilitating national security, economic and public health or safety consequences.

It is evident that cyberattacks targeting critical infrastructure have become the new geopolitical weapon. Across the globe, countries are seeing these attacks rising rapidly. In fact, the North American Electric Reliability Corporation (NERC) reported in early 2024 that the number of vulnerable U.S. power grids is increasing at an approximate rate of 60 per day. Additionally, the U.S. Department of Energy found that grid security incidents reached an all-time high in 2023. 

But it is not just in the United States that critical infrastructure such as power grids, water supplies, or communications are being targeted. According to a November 2023 report from the International Energy Agency (IEA), weekly global cyberattacks against utilities more than doubled from 2020 to 2022 – in just two years.

So, why are we seeing this rise in critical infrastructure as a target? 

Unlike financially motivated threat actors, hackers targeting these critical systems are not seeking data they can hold for ransom. Instead, they are looking for access to the integral puzzle pieces of enemy nations' power, water and more, for the purposes of disruption, terrorism and/or espionage. The hackers conducting these attacks are typically backed by nation-states from one of the big four: China, Russia, Iran and North Korea.

There have been several of these attacks over the years, each with terrifying implications, but thankfully none has yet been overly successful. In 2021, the Colonial Oil pipeline was famously hit in a huge ransomware attack. Because the pipeline supplies a significant portion of gas and fuel to the East Coast of the United States, a state of emergency was declared in four different states when the pipeline was forced offline for 11 days. This attack was carried out by the Russian hacker group DarkSide and is just one example of note.

The serious reality is that critical infrastructure is almost constantly being attacked globally, even if it is not being talked about in the news. According to Forescout Research – Vedere Labs, from January 2023 to 2024, critical infrastructure was attacked more than 420 million times across 163 countries. While the U.S. has been the main target, many other countries like the UK, Germany and Japan, have also been highly impacted.

These rising attacks come in the context of the larger cybersecurity war in progress. In May 2023, the U.S. government determined that an intrusion impacting a U.S. port had come from a Chinese-backed government hacking group. Indeed, the inspectors tasked with looking into this intrusion found that several other networks had been hit, including some within the telecommunications sector in Guam. In Guam, there is a U.S. military base that would likely be a primary point of American response in the case of a Chinese invasion of Taiwan. The intrusion from the Chinese government had been a web shell allowing remote access to servers and, if successful, the intrusion likely would have aimed at electric grids, gas utilities, communications, maritime operations and transportation systems — all with the goal of crippling military operations. 

For organizations that supply even the smallest amount of support in the enormously interconnected global infrastructure network, it is high time to become serious about protecting society as we know it. So far, critical infrastructure attacks have yet to be truly catastrophic. However, at the rate these attacks are increasing, the next level of global disruption is inevitable. 

It is also important to note that it is not just major infrastructure organizations that need to be concerned, but also the smaller businesses that form part of the vast network of utilities, electricity, water, power and more. These businesses can be exploited as the entry point by sufficiently crafty and malicious nation-state backed cyber actors.

Governmentally and diplomatically, geopolitical cybersecurity risks must be understood. In addition, businesses and individuals must place a priority on comprehending what the risks of these attacks are and how they can prevent them because in the end, it is going to be the individuals who are impacted. 

Like in physical wars, it is going to be the citizens who pay the price. If one of these critical infrastructure attacks is successful enough to cause a catastrophe, it is going to be the people who will suffer from a lack of water, power loss or other resources. For this reason, it is the people who must spearhead a shift to global cybersecurity preparedness.

The post The New Geopolitical Weapon: The Impact of Cyberattacks Against Critical Infrastructure appeared first on Cybersecurity Insiders.

[By: Matt Lindley, COO and CISO at NINJIO]

Although the cyberthreat landscape is constantly shifting, several major cybercriminal tactics have stood the test of time. Phishing is one of them. Despite being among the best-known cyberthreats, the damage inflicted by phishing attacks keeps rising. This is because phishing exploits ingrained psychological vulnerabilities that are difficult for victims to overcome, and it has proven uniquely capable of adapting over time. 

Another reason for the devastating effectiveness of phishing is the fact that employees have different susceptibilities that can be leveraged by cybercriminals in many ways. This means there’s no one-size-fits-all solution to phishing – companies must be capable of offering personalized phish training that accounts for different personality traits, levels of knowledge, and learning styles. This is particularly important as cybercriminals increasingly use AI to launch highly targeted phishing attacks at scale. 

By personalizing cybersecurity awareness training, companies ensure that educational content is highly relevant to each individual, which improves engagement and information retention. Personalized phish training also generates invaluable data about security gaps, holds employees and security leaders accountable, and helps companies keep pace with new threats. These are just a few of the reasons why CISOs and their companies will prioritize personalized phish training in 2024. 

Meeting the individual needs of learners

Relevance is a core component of CSAT (cybersecurity awareness training) – training must cover real-world cyberattacks and provide actionable information to employees. At a time when human beings are involved in nearly three-quarters of successful breaches, it's vital to capture and hold employees' attention with hyper-relevant training content. There's one especially high-resolution form of relevance that CISOs and other security leaders must focus on: individual employee traits.

Employees should never be treated as if they’re interchangeable with one another. They have different skills, personalities, and learning styles, which means phish training must be designed to maximize the value of the educational experience on the basis of these variables. When phishing training is capable of identifying employees’ strengths and weaknesses, engaging them on a personal level, and tracking individual progress, the collective security of the entire organization will improve dramatically.

Employees have many psychological vulnerabilities – like fear, obedience, greed, opportunity, sociableness, urgency, and curiosity – and these vulnerabilities vary from person to person. If one employee has a propensity to click on malicious content sent by an authority figure (obedience and fear) while another is more inclined to fall for fake investment schemes (greed and opportunity), training content should be customized based on this information. Effective phish training should build adaptive behavioral profiles which account for different psychological risk factors, levels of knowledge and performance, and attack vectors. 

When companies create training programs around individual behavioral profiles, they won’t just address specific vulnerabilities – they will also keep employees engaged and improve retention of the most critical concepts. By personalizing phish training, security leaders will provide the information that is most relevant to individual employees while preserving the flexibility to change course as circumstances demand. 

Personalized training and the evolution of phishing

The average cost of a phishing breach hit $4.76 million in 2023, and phishing is the most common initial attack vector (along with stolen or compromised credentials, which are often obtained through phishing). This means phishing is by far the tactic of choice for cybercriminals when they want to gain access to secure accounts and networks – a long-term trend that’s likely to pick up momentum. 

One reason phishing attacks will become increasingly common and destructive is the growing role of AI in these attacks. Generative AI tools like large language models (LLMs) and deepfakes give cybercriminals the ability to launch highly sophisticated and targeted phishing attacks on a vast scale. The key to guarding against these attacks is training employees to identify malicious content that is becoming far more difficult to distinguish from legitimate content. This process begins with personalized phish training that teaches employees how cybercriminals can hack their minds and use their psychological weaknesses against them. 

Unlike traditional phishing schemes which rely on a high volume of messages to hook a handful of victims, AI allows hackers to collect large quantities of data on potential targets and create focused messages that exploit their unique psychological weaknesses. AI also drastically improves the quality of the messages themselves, fixing the spelling errors, strange syntax, and other mistakes that were once red flags (GPT-4 supports 26 languages, which gives many more hackers the ability to launch phishing attacks internationally). 

Phishing has been among the most significant cyberthreats for years, but companies still aren’t able to stop employees from clicking on dangerous content. With the advent of AI-enabled phishing, this problem is about to get a whole lot worse – which is yet another reason why personalized phish training is a must-have. 

Simulated phishing generates crucial data and engagement

According to Gartner, global end-user spending on security and risk management is projected to reach $215 billion this year – up 14.3 percent from 2023. This means CISOs must be capable of making a strong case to their boards for the cost-effectiveness of any cybersecurity initiative, and personalized phish training meets this standard in several ways. 

An essential element of personalized phish training is the consistent evaluation of employees to pinpoint their susceptibilities, reinforce what they’re learning, and assess the organization’s overall security posture. Simulated phishing confronts employees with tests that mirror the latest social engineering tactics, which gives companies an accurate idea of how they would behave in real-world scenarios. This allows CISOs and other security leaders to identify the most at-risk employees, as well as the exact psychological and behavioral traits that make them vulnerable to attack. The company can then use this data to measure performance over time, engage with employees about their progress or areas for improvement, and close security gaps. 

There are three central pillars of successful awareness training: relevance, engagement, and accountability. Because personalized phish content is tailored to each employee’s behavioral profile and learning style, it’s far more relevant than any one-size-fits-all solution and it provides much more actionable data. Individual attention will also keep employees engaged – especially at a time when large-scale skills disruption is imminent and employees are demanding professional development opportunities. Cybersecurity awareness is one of the most important skills employees can cultivate, which is why CISOs should present personalized phish training as a chance to prepare for the workplace and economy of the future. 

Simulated phishing helps CISOs demonstrate the value of personalized training programs in a rigorous and consistent way. By aggregating individual employee performance, security leaders will have a clear view of the company’s overall level of security. This allows them to proactively improve their cybersecurity posture by addressing vulnerabilities as they arise, implementing constructive and engaging educational interventions, and empowering each employee to defend the company from phishing attacks. 
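The two passages above describe turning simulated-phishing results into per-employee behavioral profiles, flagging the most at-risk people together with the psychological lever that catches them, and tracking the organization's failure and reporting rates across campaigns. The script below is an added example of that aggregation step; it is not NINJIO's or Cybersecurity Insiders' code. The record format, the lever names (urgency, authority, greed), the outcome labels and the 50 percent risk threshold are assumptions, and the result rows are constructed.

```python
"""Aggregate simulated-phishing outcomes into behavioral profiles (added example)."""
from collections import defaultdict

# Constructed sample data: one record per simulated lure delivered to an employee.
# "lever" is the psychological pressure the lure relied on (assumed vocabulary).
# "outcome": reported (forwarded to security), ignored, clicked (followed the link),
#            submitted (entered credentials on the simulated landing page).
SAMPLE_RESULTS = [
    # campaign 1
    {"campaign": 1, "employee": "alice", "lever": "urgency",   "outcome": "clicked"},
    {"campaign": 1, "employee": "alice", "lever": "authority", "outcome": "reported"},
    {"campaign": 1, "employee": "bob",   "lever": "authority", "outcome": "submitted"},
    {"campaign": 1, "employee": "bob",   "lever": "greed",     "outcome": "ignored"},
    {"campaign": 1, "employee": "carol", "lever": "greed",     "outcome": "clicked"},
    {"campaign": 1, "employee": "carol", "lever": "urgency",   "outcome": "reported"},
    # campaign 2
    {"campaign": 2, "employee": "alice", "lever": "urgency",   "outcome": "reported"},
    {"campaign": 2, "employee": "alice", "lever": "greed",     "outcome": "ignored"},
    {"campaign": 2, "employee": "bob",   "lever": "authority", "outcome": "clicked"},
    {"campaign": 2, "employee": "bob",   "lever": "urgency",   "outcome": "reported"},
    {"campaign": 2, "employee": "carol", "lever": "greed",     "outcome": "clicked"},
    {"campaign": 2, "employee": "carol", "lever": "authority", "outcome": "reported"},
    # campaign 3
    {"campaign": 3, "employee": "alice", "lever": "authority", "outcome": "reported"},
    {"campaign": 3, "employee": "alice", "lever": "urgency",   "outcome": "reported"},
    {"campaign": 3, "employee": "bob",   "lever": "authority", "outcome": "reported"},
    {"campaign": 3, "employee": "bob",   "lever": "greed",     "outcome": "ignored"},
    {"campaign": 3, "employee": "carol", "lever": "greed",     "outcome": "clicked"},
    {"campaign": 3, "employee": "carol", "lever": "urgency",   "outcome": "reported"},
]

# Outcomes that count as a failed test: both mean the lure worked.
FELL_FOR = {"clicked", "submitted"}


def employee_profiles(results):
    """Return {employee: {lever: {"sent": n, "failed": m}}} built from the records."""
    profiles = defaultdict(lambda: defaultdict(lambda: {"sent": 0, "failed": 0}))
    for r in results:
        cell = profiles[r["employee"]][r["lever"]]
        cell["sent"] += 1
        if r["outcome"] in FELL_FOR:
            cell["failed"] += 1
    return {emp: dict(levers) for emp, levers in profiles.items()}


def failure_rate(levers):
    """Overall share of lures one employee fell for, across all levers."""
    sent = sum(c["sent"] for c in levers.values())
    failed = sum(c["failed"] for c in levers.values())
    return failed / sent if sent else 0.0


def weakest_lever(levers):
    """The lever with the highest failure rate for one employee, or None if never fooled."""
    worst, worst_rate = None, 0.0
    for lever, c in levers.items():
        rate = c["failed"] / c["sent"]
        if rate > worst_rate:
            worst, worst_rate = lever, rate
    return worst


def at_risk_employees(results, threshold=0.5):
    """Employees at or above the failure threshold, worst first, with their weakest lever.

    The lever is what a personalized training module should target for that person.
    """
    flagged = []
    for emp, levers in employee_profiles(results).items():
        rate = failure_rate(levers)
        if rate >= threshold:
            flagged.append((emp, round(rate, 3), weakest_lever(levers)))
    return sorted(flagged, key=lambda t: -t[1])


def campaign_trend(results):
    """Per campaign in chronological order: (campaign, failure_rate, report_rate).

    A falling failure rate with a rising report rate is the signal that training works.
    """
    counts = defaultdict(lambda: {"sent": 0, "failed": 0, "reported": 0})
    for r in results:
        c = counts[r["campaign"]]
        c["sent"] += 1
        if r["outcome"] in FELL_FOR:
            c["failed"] += 1
        elif r["outcome"] == "reported":
            c["reported"] += 1
    return [(cid, round(v["failed"] / v["sent"], 3), round(v["reported"] / v["sent"], 3))
            for cid, v in sorted(counts.items())]


if __name__ == "__main__":
    for emp, rate, lever in at_risk_employees(SAMPLE_RESULTS, threshold=0.3):
        print(f"{emp}: failure rate {rate:.0%}, weakest lever: {lever}")
    for cid, fail, rep in campaign_trend(SAMPLE_RESULTS):
        print(f"campaign {cid}: failed {fail:.0%}, reported {rep:.0%}")
```

Two design points worth noting. Reporting is tracked separately from merely ignoring a lure, because an employee who forwards the message to security gives the team early warning of a real campaign, which is the behavior the training is meant to produce. The per-lever breakdown is what makes the training personal: in the constructed data, carol only fails greed-based lures and bob only authority-based ones, so the same generic module would be the wrong fit for both.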

The post How personalized phish training can thwart evolving cyberattacks appeared first on Cybersecurity Insiders.

What are the most important areas for a CISO to focus on? When speaking to Aman Sood, it becomes clear that the job of a CISO encompasses every aspect of a business. Aman is the Head of Cyber Security with Jimdo, a website building platform that helps small businesses start, grow, and ultimately thrive online. […]

The post CISO Interview Series: The thinking of a CISO at the front end of the cyber threat landscape. appeared first on The State of Security.