In the latest edition of FICPA CEO Conversations, FICPA President & CEO Shelly Weir sits down with Christophe Reglat, the CEO of Coaxis. Shelly and Christophe discuss the importance of cybersecurity, the threats faced by CPAs, and the value of penetration testing, otherwise known as "ethical" or "white-hat" hacking. Click on the player above to enjoy the conversation, and scroll down to read more about the value of ethical hacking from our Strategic Partners at Coaxis.
The best defense is a good offense. Whether on the battlefield or football field, successful leaders from George Washington to Bill Belichick have deployed this combat principle to gain a strategic advantage. And, make no mistake, organizations today are under attack by cybercriminals like never before.
State of the industry
A deep dive into cybersecurity data and trends impacting the digital landscape reveals we are losing the battle against the growing number of cyber-threats targeting both industry and government, according to Forbes. Consider this alarming statistic: In 93 percent of cases, cybercriminals can breach an organization's network perimeter and gain access to local network resources. The finding is based on a penetration testing project conducted among financial organizations, fuel and energy organizations, government bodies, industrial businesses, IT companies and other sectors.
In the past few months alone, active threats have ranged from attacks aimed at the U.S. healthcare system to legal and financial organizations. They include:
- The U.S. Department of Health and Human Services (HHS) cautioned against ongoing Royal ransomware attacks targeting healthcare entities. The group relies on social engineering to trigger the infection by deploying a variety of methods to obtain access to a targeted environment. They range from malicious ads and fake forum pages to phishing emails that lead to rogue installer files for legitimate apps like Microsoft Teams or Zoom. To-date, payment demands have ranged from $250,000 to $2 million.
- A hack-for-hire group called Evilnum is responsible for a broad campaign targeting legal and financial investment institutions. The attacks involve malware that leverages legitimate services like WordPress and YouTube as “dead drop resolvers” to host a target’s command and control infrastructure. This approach gives the bad actors greater resiliency since they can dynamically update and switch between a list of servers when the original one is taken down.
Conventional cybersecurity protections
Defending against the threat of cyber-attacks requires a multi-pronged approach.
1. Network security – Organizations must secure their IT infrastructures against both physical and cyber threats. This typically includes protecting both hardware and software assets such as end-user devices, data center resources, networking systems and cloud resources.
2. Employee training, policies and procedures – With employees considered the weakest link when it comes to cybersecurity, staff training and technology must go hand in hand. An organization can have the gold standard in IT infrastructure protections but still be vulnerable if an employee falls victim to social engineering and inadvertently clicks on a malicious link or responds to a fraudulent email.
3. Annual cybersecurity audits – These are designed to provide an in-depth assessment of an organization’s posture to defend against cyberattacks – from policies and procedures to security controls and action plans – and detect vulnerabilities that can pose a threat.
4. Business continuity and IT recovery plan – Whether it’s a ransomware attack or natural disaster, once catastrophe strikes, it’s too late to start planning. A proactive business continuity plan ensures an organization’s critical services can be delivered and essential operations continue to function.
5. Cybersecurity insurance – Also called cyber liability insurance, this is a policy that protects against a wide range of losses an organization may suffer directly, or cause to others, due to a cyber incident. It can include costs arising from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud and privacy violations.
“Unfortunately, all these layers of protection and responsive measures fall short if you are not validating their effectiveness,” warns Christophe Reglat, co-vice chair of the Florida Technology Council and CEO of Coaxis Hosting. “The only way to know if your cybersecurity practices and policies are working is to validate them through penetration testing.”
Ethical hacking: A proactive layer of protection
Today’s hackers can remain undetected in an organization's network for more than 200 days, on average, according to SXIPHER, a leading ethical hacking company that helps organizations shift from a defensive cybersecurity posture to an offensive one. “Given this unsettling statistic, it is impossible for organizations to know if their network is compromised,” explains Gabriel Reglat, SXIPHER’s managing partner. “As hackers become more brazen and lay dormant in networks, organizations must make a fundamental shift in how they ensure their network security.”
Penetration testing, commonly known as ethical hacking, involves an authorized attempt to gain unauthorized access to a computer system, application or data. The goal of these “white hat hackers” is to duplicate the strategies and actions of malicious attackers to expose and remedy weaknesses in an organization’s IT infrastructure.
Monthly penetration testing provides a proactive element that complements annual security audits. It typically encompasses four types of environments:
1. Network Penetration Testing – The most common method of penetration testing involves intelligence gathering, threat modeling and completing a series of network tests. Once a threat actor obtains access to a network, 90% of the obstacles are removed. A pentester will conduct internal and external network exploitations that mimic a successful hacker penetrating a network’s defenses. This enables them to explore all facets of an organization's security posture.
2. Cloud Penetration Testing – Public cloud services have become increasingly popular for computing, networking and data storage, making it a prime target for hackers. But the ease of cloud deployments comes with complexities such as handling security and legal obstacles. Many public cloud providers take a hands-off or shared responsibility approach to security, forcing organizations to take responsibility for their own cloud security.
3. Application Penetration Testing – In this testing, the simulated attack is designed to expose the deficiencies of an application’s security controls by identifying vulnerabilities and risk. While firewalls and other monitoring systems are used to protect an infrastructure’s security, this testing focuses on situations when traffic is allowed to pass through the firewall.
4. Physical Penetration Testing – Social engineering is one of the most prevalent ways threat actors use to infiltrate an organization’s IT environment. This penetration testing often involves the pentester deceiving or manipulating employees in order to obtain physical access to the facility.
Conclusion
A 2022 benchmarking study “Cybersecurity Solutions for a Riskier World” reveals that cybersecurity has reached a critical inflection point with 40% of chief security officers acknowledging their organizations are unprepared for a rapidly changing threat landscape. The highest percentages of unprepared organizations were in critical infrastructure industries: healthcare (35%), the public sector (34%), telecoms (31%), and aerospace and defense (31%).
Over the next two years, security executives expect an increase in attacks as nation-states and cybercriminals become more prolific. They anticipate the attacks will target weak spots caused primarily by software misconfigurations, human error, poor maintenance and unknown assets.
As cyberattacks grow in both number and sophistication, organizations are increasingly under the gun to protect themselves from compromise. Identifying in advance the network and security vulnerabilities that can enable an attack is an important weapon to block or limit these cyber threats.
Christophe Reglat is CEO of Coaxis Hosting, Inc., a managed data hosting services provider delivering network solutions designed to curb the demands of information technology infrastructures, remove the complexities of federal and industry compliances, and greatly minimize the threat of cybercrime.
Gabriel Reglat is the managing partner of SXIPHER, a leading ethical hacking company that supports clients in shifting from a defensive to an offensive posture by going beyond the annual security audit and providing in-house penetration tests. The testing deploys current methods and tactics used by bad actors and are highly effective in determining if an organization’s IT infrastructure can withstand a similar attack in real life.
Topics
