In January of 2022, the FBI issued a warning about a well-known international cybercrime group, FIN7, that was mailing Universal Serial Bus (USB) thumb drive sticks secretly loaded with malware to companies. The packages containing the USB sticks were made to look like they were mailed from a trusted source. This was not a new tactic, as USB sticks have been dropped to look like premiums at trade shows and certainly used as tools for insider threats. However, this and other external device incidents highlighted that anything connected to a network implicitly cannot be trusted.
The process of identifying what may be connected to your network, known and unknown, fits perfectly in the risk management approach of Zero Trust. Earlier this year, the US federal government, via executive order, required that its agencies adhere to a Zero Trust approach and architecture. The order requires authentication and authorization of all hardware and software connected under the mantra of “never trust and always verify”. According to The Department of Defense’s Zero Trust Reference Architecture, “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access.”
Zero Trust Risk Management Approach
Zero Trust is rooted deeply in principles of access and identity management and the demand for visibility of everything in the inventory, including physical layer threats. The USB stick incident demonstrated how hackers will often choose the path of least resistance to drop malicious code and instigate a breach. That is why visibility is so important to be able to know what may have been planted to exfiltrate data or corrupt your business network. Visibility certainly needs to be a fundamental part of any company or organization’s Zero Trust risk management approach.
The tools that hackers can use are not only USB sticks, but can be other rogue devices, such as Raspberry Pis, phone chargers, cables, small computers such as a BeagleBone Board, or other devices that will not be visible on a cursory scan of inventory. The rogue devices need to be considered along with software, firmware, hardware, and data threats posing risks to both IT and OT operating systems.
Rogue devices are often used to spy, but their purpose can be more nefarious. Through rogue devices, hackers can download and infect networks and endpoints with ransomware that exfiltrates and encrypts data to extort payments in cryptocurrencies. In 2021, 37% of all businesses and organizations were hit by ransomware. Ransomware attacks are continuing at unprecedented levels and hackers will continue to use rogue devices to spy and/or employ ransomware.
Physical Layer Threats
The reality is that in today’s connected landscape, physical layer threats have already merged with digital threats and adversaries are taking advantage. Knowing the tactics and tools used for both physical and digital security need to be prioritized from a risk management perspective.
A device that maliciously operates in your enterprise may even be part of Internet of Things (IoT) innocuously installed; it may be part of the office system; or connected via an employee. Often, IoT hardware can be more accessible to hackers or insider threats than standard PCs. By 2025, it is expected that there will be more than 30 billion IoT connections, almost 4 IoT devices per person on average and that also amounts to trillions of sensors connecting and interacting on these devices. State of the IoT 2020: 12 billion IoT connections (iot-analytics.com). According to The McKinsey Global Institute, 127 new devices connect to the internet every second. That is a lot of devices to keep track of in a network and each device connected starts with identifying it with implicit risk to be verified.
In 2022 we will be facing a new and more sophisticated array of physical security challenges, and cybersecurity threats pose significant risk to people, places, government, and commercial networks. According to the Allianz Risk Barometer, cyber perils are the biggest concern for companies globally in 2022. Companies worry over the threat of ransomware attacks, data breaches or major IT outages even more than business and supply chain disruption, natural disasters or the COVID-19 pandemic. Cyber risks top worldwide business concerns in 2022 – Help Net Security
In today’s digital landscape, everyone and anything connected is a target. The global threat actors targeting your company might be state actors, organized criminal gangs, hacktivists, or a former disgruntled employee seeking to cause damage.
HAC-1 Simply Visibility
There are remedies to rogue device threats. Sepio is the leader in Layer 1 (Physical Layer) visibility and a first stop for planning and implementing risk management. Sepio’s HAC-1 is the only security solution that can provide security teams with complete visibility into their hardware assets and their behavior in real-time. Sepio does this by leveraging a combination of physical fingerprinting technology together with device behavior analytics that continuously monitor and protect infrastructure and networks. Through complete asset visibility, Sepio equips companies with Hardware Access Control by enhancing policy enforcement.
Addressing the 2022 cyber-threat landscape requires incorporating a better and more calculated risk awareness and management security strategy by both the public and private sectors. Additionally, the HAC-1’s Layer 1 visibility enables a Zero Trust Hardware Access approach – a logical pathway to discover gaps and employ a compilation of tools and tech to remedy them, including the hidden threats of rogue devices.