
A
You're listening to the Cyberwire Network powered by N2K. We don't want to arm the future county hackers by telling them what to look for when they scan those networks, because hackers are doing the exact same things that we're doing as researchers, but they have, you know, a malicious intent and we have to be very careful. That's why in the paper, if you saw, we only published masked maps of the things we found in order for it to be something that's not just calling for hackers to try and exploit.
B
Hello and welcome to Data Security Decoded, where we deliver actionable insights to reduce data security risk and improve cyber resilience outcomes. I'm your host, Caleb Tolan, and in this episode I had the pleasure of sitting down with Dr. Ido Sivan Sevilla, Assistant Professor at both the University of Maryland's College of Information and the Hebrew University of Jerusalem. He's also the founder of the Tech Policy Hub. Ido's work includes investigating cybersecurity vulnerabilities in county governments across the United States, shedding light on critical attack surfaces in local government infrastructure, and how these vulnerabilities impact national security. Let's get into it. Ido, I'm really excited to speak with you about some of the work that you and your team have done on county-level attack surfaces, and the study that you and the team worked on revealed significant vulnerabilities in local government cybersecurity. Why did your team choose to focus on county governments for their digital infrastructure? Why was that the focus of your research?
A
Absolutely. So governments are kind of a neglected space for cybersecurity. Right. So the industry of cybersecurity products is a very wealthy industry. Right. That needs wealthy clients. So we're talking about, you know, banks and highly capable financial institutions. They are very much able to protect themselves. And we were looking to kind of study and help those who cannot. So county governments is one case study. We also apply the same approach to the health sector in Zambia through the World Bank, through their sponsorship. So we're trying basically to develop something that each and every organization, regardless of its resources, can use continuously, or just once, to be able to improve their security posture. That's kind of the vision. Right. So think about it: you have various economic indexes for nations, right. Can we create cyber indexes based on public methodology and public data to help organizations understand their security posture and hopefully create a race to the top when it comes to cybersecurity?
B
Right, absolutely. And what were some of the most surprising findings as you kind of started to comb through the data in terms of finding attack vectors and the severity of these vulnerabilities, do you have any indication what's happening to these targets?
A
Yes. So we were very surprised to find vulnerabilities and potential exploits that can exist in networks that, you know, those are not zero-day vulnerabilities. It's not something that we as a community are not familiar with. It's not something that was, you know, very hard to discover. And we still see those, you know, open attack vectors just waiting for hackers to get in. And it wasn't enough for us just to map the attack surface. We wanted to know what is the probability of exploitation of the different vectors that we find, and those are well ranked by various other databases that we cross-referenced in this study. And surprisingly, we found 23 counties, if I'm not mistaken, with more than 95% likelihood of getting exploited. Right. So we're talking about vulnerabilities where CISA already saw exploits of this in the wild. It's just a matter of time until hackers find it as well and will try to attack and take advantage of that open infrastructure.
B
Right. And you know, to get really timely with it all. How do you imagine that emerging technologies like Anthropic Mythos, their new model that is kind of under review right now, what does this mean for vulnerability management for these kinds of organizations? And what does it mean for the attackers who can use a tool like this to identify those vulnerabilities even faster?
A
Right, so you're referring to the Mythos model that was not published by Anthropic. So first and foremost it means that open source software is now even more vulnerable. Right, because we know that those LLMs are very good at identifying problems in those open source packages. So if you're a county or any other organization running an open source infrastructure, you're more at risk because of this model. Now it's not a coincidence, of course, that this model has not become public, but the fact that it can really help attackers doesn't mean it cannot help defenders. My concern is that because those counties, some of them at least, are very slow to respond because they have organizational constraints, because of organizational processes, and because it's hard to constantly patch cybersecurity vulnerabilities. My concern is that such tools will make counties more exposed because they don't have the capacity to turn them into defensive insights that can actually upgrade their defense. And I think one of, you know, one of the things we're trying to do is to be as accurate as possible for those counties or for these small and medium organizations who cannot afford, you know, joining this wealthy cybersecurity industry as a client. We're trying to be as precise as possible and not ask them to patch everything because we know it's impossible. Right. According to the statistics, less than 3% of the vulnerabilities are actually getting exploited. So we're trying to be as accurate as we can. So, you know, making sure they do the bare minimum to keep them safe at a high enough level, given all that's going on. And that's difficult. But that's also the kind of scientific challenge we are constantly involved in. We're trying to assess counties' or organizations' security posture from the outside. Right. So no contracts, we need nothing from you. We come from the outside based on public data. In this case, passive reconnaissance, conducted ethically.
As researchers, we're not attacking you. And how can we be as accurate as possible from the outside to get the best picture we can of your infrastructure from the inside? That's the challenge. And since that paper was published, we keep improving that, and that's where kind of, you know, our efforts are now pointed towards, and hopefully if we're successful in that, again, what's going to happen? We believe a real change in the security landscape, where each and every organization can either subscribe or use our methodology, which is a public methodology. Right. We're publishing papers, we are researchers, to better understand their security posture without paying tens of thousands of dollars to those companies. And I think it will overall increase the resilience and the security of organizations, given they can act based on the findings.
B
Right, right. Because so often the county governments are the ones who are most responsible for critical infrastructure, but they don't necessarily have the funding that large organizations do to invest in these sophisticated technologies. So I'm kind of curious too. As you were doing the research, it was very interesting that you point out that only about 3% of the vulnerabilities were of high risk of exploitation. So kind of in parallel to that, what specific types of vulnerable services were most frequently identified? Because we know that county governments are operating all sorts of different services, in terms of water, in terms of energy, in terms of transportation. What were the most vulnerable services that you kind of identified?
A
Right, right. So first of all, we have to be cautious here. Right. We don't want to arm the future county hackers by telling them what to look for when they scan those networks, because hackers are doing the exact same things that we're doing as researchers. But they have, you know, a malicious intent. And we have to be very careful. That's why in the paper, if you saw, we only published masked maps of the things we found in order for it to be something that's not just calling for hackers to try and exploit. But I can say this. We realize that there is no conventional wisdom in the scientific community on how you even measure an attack surface. It's kind of a fuzzy concept. What is more important than the other components? How do you even go about this? So we came up with kind of two ways to look at an attack surface. One is how diverse the attack surface is, meaning how many opportunities hackers have once they discover a potential service opened up on the public web. It doesn't mean that the service has to be vulnerable, it means that it might be misconfigured. And if you have remote access open with a weak password, I can take advantage of that. For the diversity of the attack surface, we look for open DNS services in the wild, open SQL servers, remote access and file sharing. These are all protocols that we don't want to be publicly available. And if they are publicly available to hackers, we want them to be properly configured with two-factor authentication and other layers of defense so they cannot get exploited. Right? And unsurprisingly, the diversity of the attack surface is high for counties that are highly populated. So there was a clear correlation between population and diversity of attack surface. And it makes sense, right? If you're a larger county, you're providing more services, you're more exposed, there are more opportunities to get into your networks. A second measure is a measure of severity, right?
So instead of diversity, severity, and in this case we are looking at specific CVEs, common vulnerabilities and exposures. And we want to see, A, what's the severity: if someone actually takes advantage of that, has the exploit and the right status to take advantage of that, what is the severity of what can happen to that network? What's the harm and potential damage? And secondly, what's the probability that someone already has an exploit that can take advantage of that? So CISA has this, what we call the KEV catalog. KEV stands for known exploitable vulnerabilities. These are vulnerabilities that CISA tells you, again, it's not a question of if, it's a question of when. Because we saw exploits, patch them tomorrow morning, ASAP. Right? So we highlight those KEV vulnerabilities for counties as well. We found six unique KEVs across 19 counties. You shouldn't find those at all. And back to your previous question. With LLMs, not only Anthropic but any other model, they're very good at writing exploits, right? They're very good at getting a vulnerability and writing the code to take advantage of that, which is a very difficult task that states and criminals spend a lot of resources to get done. LLMs can do it much faster than we used to think about this challenge. So all in all, we were very surprised to see those KEV vulnerabilities. But going back to what we saw, we saw two equally important measures of the attack surface: diversity and severity. No one is more important than the other, depending how you configure your network, and both require careful attention from those county IT managers.
B
If you like what you're hearing so far and are interested in learning more about the forensics behind an attack targeting critical infrastructure, check out our episode with Daniel DeSantos from Forescout about a honeypot his team set up mimicking a water treatment plant. Now back to the interview. And we've talked a lot about, obviously, like, patching is the first step here. If you find these known vulnerabilities and you can do something about them beforehand, that is obviously the ideal scenario. Right? But what did your analysis reveal about post-cyberattack recovery and resilience? How prepared are counties to protect data and restore services after an incident?
A
Great question. So one of the things we can do once we have this methodology is we can map it not only once, but over time. Right. So in our current studies, what we do is we take a snapshot every month and we want to see how counties respond to problems we saw in the previous month. But you can do it on a weekly basis, on a daily basis, on an hourly basis. Hourly basis. Imagine CISA putting an alert up there. Everyone who has a certain software has to patch it immediately. With this methodology, we can actually verify and check which counties responded and how quickly they responded to those CISA alerts. So we can actually measure the effectiveness of those alerts once we see the attack surface in front of us on a constant and consistent basis. So, interestingly, you see CVEs that get a lot of attention from counties and get patched immediately. You see CVEs that get no attention at all. So even the CVE as a unit of analysis is an interesting subject of research, because they get different levels of attention from different counties across the nation at the same time. You see counties that constantly do well and respond, and counties that constantly do badly and do not respond. And this is something we're still trying to figure out. Right. And for state-level policymakers, for federal policymakers, this first-of-its-kind visibility is super helpful because finally they can see what the attack surface looks like at the local government level and they can maybe distribute resources accordingly. They can maybe organize teams to help them in specific incidents. And this is a visibility that is greatly appreciated by policymakers. One of the things we're doing now is, after we published the papers, many counties reached out and said we want the data, we want to work with you.
And it draws enough attention for state and federal policymakers to notice. We're trying to make this something that is being used across levels of policymaking, because it's an important visibility that can really help facilitate better cybersecurity.
B
So looking at those organizations that, as you say, don't adopt or don't patch these vulnerabilities as quickly as some of the other more ready counties, what are three steps that you would recommend these organizations, especially those with limited resources, start doing to address those vulnerabilities?
A
Yeah, wonderful question. Right. So how do you manage with very few resources in this space? I would say I'm hoping to see more collaboration, at least between neighboring counties. Right. The capabilities of counties vary. Once you have this visibility, you're hoping to create incentives and bring it to the top. Maybe at the state level you can see which counties are doing better than others. Let's see what's working for them. The common cybersecurity problem of information sharing is very relevant here. But here I don't want to know if you got attacked. I just want your expertise. So I want to see some expertise sharing under the umbrella of the state between counties. I want state policymakers to pay attention to areas that need more attention than others, to be able to differentiate between the cybersecurity strength of each county. Once you have that visibility, you can mobilize resources accordingly. And that's what I'm hoping to see, because at the end of the day, you are right. This is an organizational challenge. No matter, you know, how well you map and explain things technically, you need your organizational process in place to get things done, and many counties unfortunately lack in that. And it's something that resources would help, and it's also something that, you know, life is not a zero-sum game. I'm hoping to see counties helping one another to achieve better security. Because once you have a weak link in your state, that's what hackers are looking for, that's their entry point. And then it's much easier for hackers to conduct some sort of movement or just stay near the network for a while. So everyone will be better off if all counties are more secure. And I'm hoping that that incentive structure will help them actually help one another.
B
Right. Information sharing is huge. And to your point, if one county ends up being targeted and a vulnerability is exploited, let's say it affects their transportation or their energy grid, then the likelihood of that affecting the next county over is probably quite high because just of proximity. So it's in everyone's best interest to help each other across county borders and ensure that information sharing is taken advantage of. So I'd also like to ask you a little bit about public policy as well. And so I'd love to know what are two inconvenient truths that you believe governments need to come to terms with in terms of securing critical infrastructure at the county level.
A
So let me just close the circle on your previous note. I think it's absolutely accurate, because one of the surprising things we currently see in the research, it's not in the paper yet, it's in an upcoming paper, is this notion of risk clusters. We suddenly saw counties, many, many counties sharing the same IP addresses, right? So instead of each county managing its own infrastructure, we suddenly see, you know, two or three IPs work across hundreds of counties, the same IPs. Right. So if those IPs are vulnerable, many, many counties are affected at the same time. This is a new finding that we were not aware of before. And we dig deeper and we see things like, you know, PowerSchool or educational services used by school boards across counties that became kind of the go-to educational infrastructure that many, many counties are using. And these are the ones I want to protect as much as I can. Right? If I have to prioritize, and I have to prioritize, that's how this works. I want to protect those that can impact many, many counties at the same time. So by mapping those risk clusters, I think we're doing a great favor, I hope, to policymakers to better understand, again, how to distribute their resources. And it brings me back to your second question. One of the things we're missing in tech policy is measurement of compliance, right. It's very hard to understand how companies, government entities like counties or other organizations, or even big tech, how they comply with the various security, privacy, accountability requirements. And one of the things I'm trying to do in my research, in my lab, is to be able to develop those computational tools, like we did here, to measure compliance across those popular user-facing large-scale technologies. Because lack of compliance there is a disaster.
And the fact that we're able to measure security and in other instances measure privacy breaches or privacy postures, this will all help us better improve those tech policy cycles, make them more meaningful instead of just, you know, legislate once, forget about it. We're hoping to create what we call adaptive regulation. So regulatory models that are learning, adapting, changing, based on compliance rates. Currently we have no measurement of compliance rates, unfortunately. Right, we have to create those. We have to have policymakers and regulators engage in tools that actually measure compliance levels of security, of privacy. And these are fuzzy concepts. It's hard to measure them. That's why we need good research on how you measure them and then come with those insights to develop indexes, improve enforcement and better close tech policy cycles. That can actually mean something after you legislate. Because after you legislate, everything just started, right? It's not the end, it's the beginning of the process. So you have to improve your visibility on how the market behaves in order to know what you need to do in order to improve and ensure the resiliency of the digital infrastructures we're so much dependent on, right?
B
And to the defender who's listening today, what is the single most important takeaway that you want these listeners to walk away with?
A
I think LLMs are an opportunity for the defender. I think if you're not capable, but you have access to LLMs as a defender, you can do a lot. And even, you know, even though the government does not provide you with, you know, computational tools to map your space, you can do it yourself. It's not too complicated. We detail in our paper exactly what we do. The paper was written before the LLM era. Now it's even easier, right? So you use large language models to your advantage. They are really a game changer for attackers, but also for defenders, right? If you struggle, and most of you are struggling with resources when it comes to cybersecurity governance, try to use LLMs as kind of leverage, capitalize on them to better at least understand your security posture and know where things might go wrong. Another piece of advice I would give is use honeypots. So honeypots are fake infrastructures that look absolutely real but hold no sensitive information, that you install in your domain and in your IP subnet. And try to see, okay, who is trying to attack, right? So those are infrastructures that are designed to be attacked. And this provides another monitoring tool to understand how targeted you are and what you need to look for when you're trying to defend your networks. So use LLMs to kind of map your security posture. Use honeypots to understand the threat, and try to combine the two to provide meaningful insights for your defense posture.
B
Wonderful, wonderful. What a great sentiment to end on and what great advice to end on as well. Ido, thank you so much for your time today. Thank you for your research, and I really look forward to seeing how it evolves over the coming years.
A
My pleasure. Thank you so much.
B
That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your feedback really helps me understand what you want to hear more about. If you want to reach out to me about the show, email me directly at data-security decoded2k.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes producer Liz Stokes and executive producer Jennifer Ibin. Content strategy by Mayan Plout. Sound design by Elliot Peltzman. Audio mixing by Elliot Peltzman and Trey Hester. Video production support by Bridget Krikey Wilde and Sorel Joppi. Until next time, stay resilient.
Host: Caleb Tolan (Rubrik)
Guest: Dr. Ido Sivan Sevilla, Assistant Professor (University of Maryland & Hebrew University of Jerusalem), Founder, Tech Policy Hub
Date: May 19, 2026
This episode dives deep into the cybersecurity challenges faced by U.S. county governments, a frequently overlooked yet critically important sector tasked with maintaining vital infrastructure. Dr. Ido Sivan Sevilla discusses his team’s research into county-level vulnerabilities, the creation of actionable cyber risk indexes, the impact of emerging technologies like LLMs (Large Language Models), and practical steps for resource-limited local governments to improve their security and resilience. The discussion also covers post-incident recovery, public policy gaps, and the importance of inter-county collaboration.
On attack surface diversity:
"The diversity of the attack surface is high for counties that are highly populated. So there was a clear correlation between population and diversity of attack surface." — Dr. Sivan Sevilla [10:10]
On the opportunity of LLMs for defense:
"LLMs are an opportunity for the defender... Even though the government does not provide you with computational tools to map your space, you can do it yourself. It's not too complicated." — Dr. Sivan Sevilla [21:37]
On honeypots as a practical tool:
"Use honeypots...designed to be attacked...provides another monitoring tool to understand how targeted you are and what you need to do to look for when you're trying to defend your networks." — Dr. Sivan Sevilla [22:37]
Dr. Ido Sivan Sevilla underscores that even resource-constrained county governments can make significant gains in cybersecurity by embracing modern tools, collaboration, and continuous measurement. While attackers—especially empowered by LLMs—are moving faster, researchers and policymakers now have public, scalable methodologies to assess risk, prioritize resources, and foster resilience.
Quote to remember:
"Once you have a weak link in your state, that's what hackers are looking for—that's their entry point. ... Everyone will be better off if all counties are more secure." — Dr. Sivan Sevilla [16:45]