In the past few years, hackers have repeatedly demonstrated just how fragile many system architectures are. Ransomware attacks, phishing waves, and supply-chain attacks have become increasingly common. In addition to the attacks on the Colonial Pipeline and the University Hospital in Düsseldorf, the most significant examples include the recently discovered zero-day vulnerability Log4Shell in the Java logging framework Log4J – whose true extent will only become apparent in several years. But one thing is already clear: Five industries are particularly attractive to hackers, and should protect themselves accordingly. The Center of Internet Security (CIS) offers a robust framework for this. They help your company to compare its own network security with best practices and to identify optimization potential in IT security.
Which five industries are hackers focusing on? Quite simply: Those storing valuable, particularly sensitive, or other strictly-regulated data – this is where the highest profit beckons in the event of a successful attack. In addition to the financial and healthcare sectors, these include (perhaps a little surprisingly) the construction industry, the ICT sector, and small and mid-sized enterprises (SMEs). Of course, the latter is not an industry in the strict sense, but – as will be shown – it rightly belongs in the top five targets.
Finance
The financial sector has been a traditional focus of cybercriminal activities. As a rule, the attacks are financially motivated. In the worst case, attackers gain direct access to the capital of bank customers and investors. In addition, financial institutions also manage vast amounts of sensitive data that is highly lucrative for attackers: personal financial data, confidential and business-critical information, and data sets for data analytics.
To further complicate matters, the financial sector is currently undergoing a dynamic, if not disruptive, transformation in the course of digitalization: An agile swarm of aggressive young “fintech’s”, the so-called challenger banks, are increasingly attracting new customers by offering innovative digital services, thus forcing the established providers to digitize at full speed, as well. This increases the dependence on technology and data throughout the industry, and the larger attack surfaces also increase the risk of a breach.
Healthcare
For many years now, the healthcare industry has been another top target of cybercriminals. After all, the most sensitive and strictly-regulated data in the world is stored on the servers of healthcare providers – and this data, of course, has enormous value.
According to NTT’s Global Threat Intelligence Report 20215, the healthcare sector saw a 200percent increase in cyberattacks in the first year of the pandemic alone. Web application and application-specific attacks accounted for the lion’s share of malicious activity, at 97 percent. This is probably due to the more frequent use of remote access: To enable telemedicine, both staff and patients are increasingly connected to central resources. This improves patient care, but also creates additional points of attack.
In addition to identity theft and ransomware extortion, such as at University Hospital Düsseldorf1, cyber espionage also plays a growing role in healthcare and health research. This is illustrated, for example, by the attack on the European Medicines Agency (EMA), where unknown persons illegally accessed vaccine documents. Besides regulatory authorities, espionage also affects universities and pharmaceutical companies, as documented by attacks on the vaccine supply chain.
Construction
According to recent studies, e.g., Hiscox Cyber Readiness Report 20202, more than half the companies in Germany’s construction industry have already been victim of a cyber-attack. A closer look at the figures reveals the above-average proportion of phishing attacks. This could be an indicator for insufficiently-trained employees and a lack of security awareness.
Even if the construction industry has been very reluctant to digitize so far, according to many experts, more and more business processes are now shifting to the IT world. As always, caution is advised: Anyone working with construction plans, project bids, evaluations, trade secrets, and infrastructure plans must exercise due diligence to avoid damage and financial losses.
The potential for damage in this industry is enormous, as shown by the French construction company Ingérop: In 2018, around 65 gigabytes of data were stolen from the company via a German server, including many documents from critical infrastructure facilities such as nuclear power plants and nuclear waste repositories, high-security prisons and tram networks, not to mention the personal data of over 1,200 employees.
Information & communications technology (ICT)
The cloud and digitalization boom of the last few years has made the ICT industry much more powerful, but also more complex. In the survey Digital Trust Insights 20223 by PwC Germany, 82 percent of German executives described the complexity in their companies as too high. 60 percent assume that cybercrime will increase in 2022 – especially via the mobile, IoT, and cloud vectors.
Numerous studies support this assessment: With the rapid increase in mobile endpoints, smart IoT devices, and open APIs, the amount and value of data processed worldwide will increase many times over, and companies’ attack surface will also continue to grow. ICT companies must ensure that they not only continue to develop their products and infrastructures, but also continuously optimize their security stack.
Small and mid-sized businesses
The digitalization push of the past few years has not bypassed SMEs. To maintain business operations during the pandemic, they needed to make extensive investments in new digital equipment – keyword: teleworking. These changes could not be postponed, and were often flanked by government digitization programs. However, digitization projects rarely went hand-in-hand with similarly ambitious security investments. As a result, most SMEs face a huge security deficit.
While most large companies today employ dedicated staff – sometimes entire departments – to maintain cyber security, SMEs are often inadequately protected: Only about half employ in-house security experts. For attackers, unprotected SMEs naturally represent an attractive target as the “path of least resistance”.
Even without a budget for large-scale security initiatives, SMEs are well-advised to minimize their entry gates as much as possible. To be prepared for the worst-case scenario – a successful attack – it is also important to inhibit lateral movements through the network.
PAM provides a higher level of security
As different as these five industries are, most cyber-attacks follow the same pattern. First, the attackers gain access to the network with stolen or socially engineered credentials. Next, they move laterally from system to system, escalating their access rights, until they find the company’s most valuable data. This is then stolen, encrypted, or destroyed – depending on what promises the highest profit.
The best protection against such attacks is a consistent strategy that focuses on protecting privileged accounts: PAM, or privileged access management. A core component is the “least privilege principle”: Authenticated users receive only the minimum number of privileges – those needed to complete their current task – for a limited period. A robust PAM solution also includes multi-factor authentication (MFA) as well as a consistent password management strategy, for example automatic password updates for network accounts, and storage in secure vaults. This way, critical data such as infrastructure accounts, DevOps access, or SSH key pairs remain reliably protected. For optimum protection, “red team” exercises, advanced audits, and dedicated employee training sessions make companies resistant to social engineering.
CIS Controls as guideline for consistent PAM
Many companies already use some PAM components, but they often lack a comprehensive strategy that addresses the issue holistically and offers full protection. It is precisely this holistic approach that the non-profit Center for Internet Security (CIS) now provides with its CIS Controls (formerly known as Critical Security Controls) 4 – an 18-point framework that companies can use to test every aspect of their cyber security. Particularly relevant for CRITIS-regulated companies: In the current eighth version, the topics “Access Control Management” and “Privileged Access Management” come into much sharper focus. Many of the recommendations for action refer either explicitly or implicitly to PAM and underline the high importance of protecting privileged accounts. With the CIS Controls, companies in all affected sectors receive a clear guideline for reviewing and continuously optimizing their own IT security.
We at iC Consult are happy to support you in planning and implementing a customized PAM solution that meets the CIS recommendations and ensures end-to-end protection for your systems. We invite you to take advantage of our free pre-workshop. Simply reach out to our contact form or visit ic-consult.com/en/solutions/privileged-access-management-solutions/ for more information.
We also invite you to browse our series of articles on the PAM Journey.
References
1 IT-Ausfall an der Uniklinik Düsseldorf, Universitätsklinikum Düsseldorf, 17.09.2020, https://www.uniklinik-duesseldorf.de/ueber-uns/pressemitteilungen/detail/it-ausfall-an-der-uniklinik-duesseldorf (accessed 2022-02-16, only available in German)
2 Hiscox Cyber Readiness Report 2020, Hiscox Ltd, 2020, https://www.hiscox.co.uk/sites/uk/files/documents/2020-06/Hiscox_Cyber_Readiness_Report_2020_UK.PDF (accessed 2022-02-16). For the most recent report, please see https://www.hiscox.co.uk/cyberreadiness-report
3 Digital Trust Insights 2022, PwC Germany, https://www.pwc.de/de/im-fokus/cyber-security/digital-trust-insights.html (accessed 2022-02-16, only available in German)
4 CIS Controls, Version 8, Center for Internet Security, https://www.cisecurity.org/controls/cis-controls-list (accessed 2022-02-16)
5 Global Threat Intelligence Report 2021, https://services.global.ntt/en-us/insights/2021-global-threat-intelligence-report