MORRISVILLE – American businesses of all sizes must prepare for foreign and domestic threat actors when it comes to their cybersecurity, Erkang Zheng, the founder and CEO of JupiterOne, told WRAL TechWire in an exclusive interview about whether, how, and why there may now exist an elevated level of cybersecurity risk due to the ongoing conflict in the Ukraine.
Zheng, who was named the 2021 cybersecurity CEO of the year, discussed what current risk factors are at play, how companies can prepare, and the importance of collaboration within the field of cybersecurity to enable access to the best possible defenses against attacks.
A lightly edited Q&A follows.
The latest
WRAL TechWire (TW): Based on your understanding of the latest U.S.-Russia and NATO-Russia relationship(s), what are the risk factors present with regard to cybersecurity?
Erkang Zheng, the founder and CEO of JupiterOne (Zheng): U.S. businesses should be prepared for both foreign and domestic threat actors at all times, and having the proper protocols in place is paramount. The cybersecurity arm of the Department of Homeland Security, CISA, has advised all U.S. businesses to take a “Shields Up” approach to prepare for potential cyber intrusions. CISA guidance is highly prescriptive on how to prepare for resiliency in the event of damaging cyber attacks from either foreign or domestic threat actors. Organizations should be aware of hidden attack surfaces that they may not be tracking and a marked increase in phishing and malware attacks.
TW: What sectors, industries, businesses might be at risk from cyberattacks? How do we know?
Zheng: The most targeted U.S. industries last year were financial services, healthcare, public administration, and retail due to large-scale exchanges of highly valuable health, payment, and personal data, according to the 2021 Data Breach Investigations Report.
In the past, Russian threat actors have opportunistically attacked critical infrastructure, finance, and technology companies. However, when these attacks are targeted for strategic purposes, the effect can be significant and highly disruptive. Examples include a successful breach of the Ukrainian power grid in 2015, the 2017 NotPetya malware which was deployed via Ukrainian accounting software, and January 2022 attacks of the Ukrainian government and banking websites.
Organizations from all industries are at risk for opportunistic attacks, but organizations that carry symbolic or strategic value should be at the forefront of cyber preparedness. Small businesses, especially tech companies, are not immune to attacks, and many are part of the critical software supply chain that enable attacks to gain access to more symbolic or strategic targets.
Cyber warning: NC businesses will be target of cyber attacks, exec warns
How do we prepare?
TW: How can organizations prepare – where do they start?
Zheng: CISA is a good starting point for the latest guidance, resources, and recommendations advising organizations on preparing themselves for cyber attacks. Recent CISA guidance includes recommendations on how to mitigate operations that target critical infrastructure, as well as newly-released incident and vulnerability playbooks.
No two organizations are the same, and another important way for businesses to prepare is to assess their own cyber readiness and maturity. Creating a cyber asset inventory and understanding the attack surface is a critical first step since businesses must know what they have before they can protect themselves. Organizations should further focus on understanding how asset relationships, findings, and policy create vulnerabilities and prioritize a list of actions to improve their security posture.
TW: What about individuals?
Zheng: Individuals have a lot of fear and uncertainty about their personal cybersecurity risks, which is understandable given current events. I would advise individuals to use this as an opportunity to improve their personal cybersecurity hygiene:
- Make sure that your smartphone and laptop are running the latest version of the operating system by applying any updates from the device manufacturer. Update your browser, too.
- Make sure you know how to spot a phishing email (U.S. Federal Trade Commission) and how to check the URL you’re being sent to without clicking on it.
- Beware of slightly modified domain names or addresses, and consider typing in the address of the site you want to visit yourself.
- Finally, take a few minutes to update your passwords to any key personal accounts such as your primary email address, bank account, and social media accounts, especially if your passwords are easy to guess.
Updated passwords are particularly important if you’ve been in the habit of recycling the same password among multiple accounts. A password manager would make it easy to do this right. Additionally, Multi-Factor Authentication (MFA) is one of the most effective ways to reduce account takeover and unauthorized access, so enable it wherever you can.
New cybersecurity jobs coming to Triangle: European firm opens office in Raleigh
Lessons from prior attacks
TW: What have we learned from prior cybersecurity attacks originating from Russia or from within Russia?
Zheng: Russian threat actors have historically focused on impact, which can take several forms. Sources such as HBR note that Ukraine has been a cyberwarfare testing ground for Russian state-sponsored threat actors since 2015. Attacks attributed to Russian threat actors have targeted critical infrastructure such as power grids (2015), longstanding and widespread vulnerabilities (NotPetya, 2017), and recently, particularly destructive malware that had the potential to wipe data.
One important way for any organization to improve preparedness is to consider the impact of vulnerabilities in the software supply chain. In addition, incident simulations such as tabletop exercises and business continuity testing can help organizations ensure they are prepared for an actual event.
Cyber security firm JupiterOne closes on $30M in new funding, to open new HQ in Morrisville
Now what?
TW: What happens next – or what would occur that would suggest ramping up defenses or for moving down an alert level?
Zheng: The U.S. government has committed significant resources to intelligence and monitoring in light of current events. I am confident that some extremely smart people are keeping a close eye on the threat vector and will communicate need-to-know information to U.S. businesses if there is an appropriate reason to increase our defenses further.
Without having a crystal ball, it is difficult to say what will happen next and whether we can anticipate additional cyberwarfare directed toward US infrastructure or organizations. The one thing we can count on is that vigilance and continuous security improvements are necessary for organizations both today and in the future, regardless of ongoing conflicts. While I sincerely hope that the Russia-Ukraine conflict de-escalates rapidly, I think cyber vigilance will remain essential for U.S. organizations indefinitely.
TW: What else is important to note?
Zheng: I envision a world where decisions are made on facts, not fear; teams are fulfilled, not frustrated; breaches are improbable, not inevitable. Security is a basic right. We take concrete steps towards making security a basic human right by empowering every organization to protect itself, regardless of size or budget.
To win cybersecurity battles, I believe we must work together openly as a community to make products accessible to organizations of all sizes, not just the well-funded enterprises that can afford them.
Asset inventory is the first step towards a culture of cyber wellness and overcoming the expensive cycle of cybersecurity technical debt that plagues many organizations. Toward that end, JupiterOne has worked to democratize cloud-native asset inventories and a graph-based approach to security through creating open-source graph data models and a free version of our cyber asset and attack surface management solution.
Cybersecurity as a ‘basic right’: Q&A with JupiterOne’s Erkang Zheng
