Microsoft warned months ago that Nobelium would strike again, and it did.
This time, the group responsible for last year’s high-profile attacks on SolarWinds targeted 140 organizations in the global IT supply chain, compromising at least 14. While organizations like Nobelium are becoming more sophisticated and have the scale to continue being disruptive, what’s most concerning is that the group’s latest exploits were met with some fleeting headlines and barely a shrug. Too many companies still don’t take cybersecurity seriously enough.
Instead of waiting for the next attack from Nobelium or another group, we need to be asking ourselves why these attacks continue to happen and what we can do to prevent them.
Here are four things to think about:
1. Let’s stop using passwords
iPhones long ago encouraged users to replace passcodes with biometrics – first their thumbprint, then their face. We would all be wise to make the same moves away from passwords.
Nobelium used “phishing emails and a technique known as password spray, which involves trying commonly used passwords such as Password1 or 1234 against multiple accounts before moving on to try a second password,” CNBC reported.
Hackers would be a lot less successful if they needed a face or fingerprint (and another method of authentication) instead of a password that’s easily guessed or cracked. Biometrics like facial recognition and fingerprints in conjunction with multi-factor authentication offer a path away from passwords.
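As an added illustration (not part of the original article), the password-spray pattern quoted above can be spotted in sign-in logs: one source failing against many accounts with only a try or two per account. The log format, thresholds and function names below are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): time, result, source IP, account.
SAMPLE_LOG = """\
2021-10-25T09:00:01 FAIL 203.0.113.7 alice
2021-10-25T09:00:03 FAIL 203.0.113.7 bob
2021-10-25T09:00:05 FAIL 203.0.113.7 carol
2021-10-25T09:00:07 FAIL 203.0.113.7 dave
2021-10-25T09:00:09 OK 203.0.113.7 erin
2021-10-25T09:01:00 FAIL 198.51.100.4 frank
2021-10-25T09:01:05 FAIL 198.51.100.4 frank
2021-10-25T09:01:09 FAIL 198.51.100.4 frank
2021-10-25T09:01:14 FAIL 198.51.100.4 frank
2021-10-25T09:02:00 FAIL 192.0.2.10 grace
2021-10-25T09:02:30 OK 192.0.2.10 grace
"""

def parse(log):
    """Yield (time, ok, source, account) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("OK", "FAIL"):
            continue  # skip malformed lines rather than crash
        yield datetime.fromisoformat(parts[0]), parts[1] == "OK", parts[2], parts[3]

def detect_spray(log, window=timedelta(minutes=10), min_accounts=4, max_per_account=2):
    """Flag sources that fail against many accounts with few tries per account.
    Thresholds are assumed defaults; tune them to your own sign-in volume."""
    failures = defaultdict(list)   # source -> [(time, account)]
    successes = defaultdict(list)  # source -> [(time, account)]
    for when, ok, src, account in parse(log):
        (successes if ok else failures)[src].append((when, account))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            tries = defaultdict(int)
            for when, account in events[i:]:
                if when - start > window:
                    break
                tries[account] += 1
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                # A success from the same source after the spray began is the urgent case.
                hit = sorted({a for t, a in successes[src] if t >= start})
                alerts[src] = {"accounts": sorted(tries), "succeeded": hit}
                break
    return alerts
```

Repeated failures against a single account (the second source in the sample) are deliberately not flagged here; that pattern is ordinary brute force and is usually caught by per-account lockout instead.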
2. Remove the human element
It’s not just a software problem and it’s not just a password problem. It’s a people problem.
Human error is always going to be a factor in security.
Remember when a con man impersonated Richard Branson in the aftermath of Hurricane Irma and stole $2 million? The person sounded like Branson, the billionaire entrepreneur, and duped one of his friends.
Technology is continuing to improve, and deep fake videos and voice mimicry will only grow more common. Already you might think you’re having a phone conversation with a friend or your boss when really you’re talking to a computer that’s gathering sensitive information.
Deep fakes aren’t the only way bad actors are putting human error to the test. Phishing scams are getting smarter and harder to detect, and all it takes to put your company at risk is one person catching up on emails between meetings and not paying close attention to the link they’re clicking.
Security awareness training can help reduce human errors, but see where you can eliminate humans from the equation entirely or ensure any slip-ups are contained so they don’t affect your entire network.
3. Proactively hunt down your vulnerabilities
Many infrastructure companies with malware on their systems have no idea it’s there. That malware is just sitting and waiting for the right time.
Every company needs to be proactive in seeking out malware and other vulnerabilities waiting on their systems. Use scripts and applications to better police your systems and uncover threats before they’re exploited. Bring in managed detection and response (MDR) to stay ahead of attackers.
Spending money on MDR, threat detection, and backup and recovery can feel like spending money on insurance. That’s the point. You don’t need to use your insurance until you need to use it. Spending on security is no different, and spending up front can save you a lot of trouble (read: money) down the line.
4. Don’t be afraid of the cloud
The latest Nobelium attack centered on software and cloud service resellers, which prompted the classic question about cloud security: Is it safe to store so much data in the cloud?
The answer to that question is yes, as long as you’re taking the right steps. Encryption in transit and at rest, strict access controls using the concept of least privilege, and endpoint protection all keep your critical data safe.
In fact, cloud backups are one way businesses stay up and running through ransomware attacks. They simply fail over and continue operations in the cloud. Immutable cloud backup should be standard for any organization.
The bottom line
As the latest Nobelium attack has shown, a lot of people are numb to the countless attacks occurring daily. Unless we start to take security more seriously and invest in the proper controls and tools to prevent, mitigate, and recover from attacks, no one should be surprised when an even more widespread and damaging attack arrives.