Transcript
Because hackers are doing the exact same things that we're doing as researchers, but they have malicious intent and we have to be very careful. That's why in the paper, if you saw, we only published masked maps of the things we found in order for it to be something that's not just calling for hackers to try and exploit. Hello and welcome to Data Security Decoded, where we deliver actionable insights to reduce data security risk and improve cyber resilience outcomes. I'm your host, Caleb Tolan. And in this episode, I had the pleasure of sitting down with Dr. Ito Sivan-Sivilia, Assistant Professor at both the University of Maryland's College of Information and the Hebrew University of Jerusalem. He's also the founder of the Tech Policy Hub. Ito's work includes investigating cybersecurity vulnerabilities in county governments across the United States, shedding light on critical attack surfaces and local government infrastructure and how these vulnerabilities impact national security. Let's get into it. Ito, I'm really excited to speak with you about some of the work that you and your team have done on county level attack services. And the study that you and the team worked on revealed significant vulnerabilities in local government cybersecurity. Why did your team choose to focus on county governments for their digital infrastructure? Why was that the focus of your research? Absolutely. So, county governments are kind of a neglected space for cybersecurity. The industry of cybersecurity products is a very wealthy industry that needs wealthy clients. So we're talking about banks and highly capable financial institutions. They are very much able to protect themselves and we were looking to kind of study and help those who cannot. So county governments is one case study. We also apply the same approach to the health sector in Zambia through the World Bank, and also through their sponsorship. So we're trying basically to develop something that each and every organization, regardless of its resources, can use continuously and just once to be able to improve their security posture. That's kind of the vision. And then we create cyber indexes based on public methodology and public data to help organizations understand their security posture and hopefully create a race to the top when it comes to cybersecurity. Right, absolutely. And what were some of the most surprising findings as you kind of started to comb through the data in terms of finding attack vectors and the severity of these vulnerabilities? Is that an indication of what's happening to these targets? Yes, so we were very surprised to find vulnerabilities and potential exploits that can exist in networks. Those are not zero-day exploits, sorry, those are not zero-day vulnerabilities. It's not something that we as a community are not familiar with. It was very hard to discover. And we still see those open attack vectors just waiting for hackers to get in. And it wasn't enough for us just to map the attack surface. We wanted to know what is the probability of exploitation of the different vectors that we find. By various other databases that we crossed in this study. And surprisingly, you find we found 23 counties, if I'm not mistaken, with more than 95% likelihood of getting exploited. So we're talking about vulnerabilities where CISA already saw exploits of this in the wild. It's just a matter of time until hackers find it as well and will try to attack and take advantage of that open infrastructure. Right, and to get really timely with it all, how do you imagine that emerging technologies like Anthropic Mythos, their new model that is under review right now, what does this mean for vulnerability management for these kinds of organizations? So you see me referring to the Mythos model that was not published by Anthropic. So first and foremost, it means that open source software is now even more vulnerable. Because we know that those LLMs are very good at identifying problems in those open source packages. So if you're a county or any other organization running an open source infrastructure, you're more at risk because of this model. Now, it's not a coincidence, of course, that this model has not become public, but the fact that it can really help attackers doesn't mean it cannot help defenders. My concern is that because those counties, some of them at least, are very slow to respond to constantly patch cybersecurity vulnerabilities. My concern is that such tools will count these more exposed because they don't have the capacity to turn them into defensive insights that can actually upgrade their defense. And I think one of the things we're trying to do is to be as accurate as possible for these small, medium organizations who cannot afford joining this wealthy cybersecurity industry as a client, we're trying to be as precise as possible and not ask them to patch everything because we know it's impossible. According to the statistics, less than 3% of the vulnerabilities are actually getting exploited. So we're trying to be as accurate as we can, so that they do the bare minimum to keep them safe at a high enough level, given all that's going on. And that's difficult, but that's also the kind of scientific challenge we are constantly involved in. We're trying to assess counties or organizations' security posture from the outside. So no contracts, we need nothing from you, we come from the outside based on public data, in this case, passive reconnaissance, we have to do that ethically as researchers, right? We're not attacking you. And how can we be as accurate as possible from the outside to get the best picture we can on your infrastructure from the inside? That's the challenge. And since that paper was published, we keep improving that. Our efforts are now pointed towards, and hopefully if we're successful in that, again, what's going to happen, we believe a real change in the security landscape where each and every organization can either subscribe or use our methodology, which is a public methodology, where we're publishing papers, we're researchers, without paying tens of thousands of dollars to those companies. And I think it will overall increase the resilience and the security of organizations, given they can act based on the sightings. Right, right. Because so often the county governments are the ones who are most responsible for critical infrastructure, but they don't necessarily have the funding that large organizations do to invest in these sophisticated technologies. When you were doing the research, it was very interesting that you point out that about only 3% of the vulnerabilities were of high risk of exploitation. So kind of in parallel to that, what specific types of vulnerable services were most frequently identified? Because we know that county governments are operating all sorts of different services in terms of water, in terms of energy, in terms of transportation. What were the most vulnerable services that you kind of identified? Right, right. So first of all, we have to be cautious here. We don't want to arm the future county hackers and telling them what to look for when they scan those networks. Because hackers are doing the exact same things that we're doing as researchers, but they have malicious intent. In the paper, as you saw, we only published masked maps of the things we found in order for it to be something that's not just calling for hackers to try and exploit. But I can say this, we realized that there is no conventional wisdom in the scientific community on how you even measure an attack surface. It's kind of a fuzzy concept. What is more important than the other components? How do you even go about this? So we came up with kind of two ways to look at an attack surface. One is how diverse the attack surface is, meaning how many opportunities hackers have once they discover a potential service open up in the public web. And if you have remote access open with a weak password, I can take advantage of that. So the diversity of the attack surface, we look for open DNS services in the wild, open SQL servers, remote access and file sharing. These are all protocols. We don't want to be publicly available. And if they are publicly available to hackers, we want them to be properly configured with two-factor authentication and other layers of defense so they cannot get exploited. And unsurprisingly, the diversity of the attack surface is high for counties that are highly populated. So there was a clear correlation between population and diversity of attack surface. It makes sense, right? If you're a larger county, you're providing more services, you're more exposed, there are more opportunities to get into your networks. A second measure is a measure of severity, right? So instead of diversity, severity. And in this case, we are looking at specific CVEs, common vulnerabilities and exposures. And we want to see, A, what's the severity of if someone actually takes advantage of that and has the exploit and wants to take advantage of that. What is the severity that can happen to that network? What's the harm and potential damage? And secondly, what's the probability that someone already has an exploit that can take advantage of that, right? So CISA has this, what we call the KEV catalog. KEV stands for known exploitable vulnerabilities. These are vulnerabilities that CISA tells you. Again, it's not a question of if, it's a question of when, because we saw exploits, patch them tomorrow morning ASAP, right? So we highlight those KEV vulnerabilities for counties as well. We found six unique KEVs across 19 counties. You shouldn't find those at all. And back to your previous question with LLMs, not only Entropic, but any other model, they're very good at writing exploits, right? They're very good at getting a vulnerability and writing the code to take advantage of that, which is a very difficult task that states and criminals spend, you know, a lot of resources to get done. LLMs can do it much faster than we used to think about this challenge. So all in all, we were very surprised to see those KEV vulnerabilities. But going back to what we saw, we saw two equally important measures of the attack surface, diversity and severity. No one is more important than the other, depending how you configure your network, but careful attention from those county IT managers. Right, absolutely. And we've talked a lot about, obviously, like patching is the first step here. If you find these known vulnerabilities and you can do something about them beforehand, that is obviously the ideal scenario, right? But what about your analysis revealed about post-cyber attack recovery and resilience? How prepared are counties to protect data and restore services after an incident? Great question. So one of the things we can do once we have this methodology is we can map it not only once, but over time, right? So in our current studies, what we do is we take a snapshot of every month and we want to see how counties respond to problems we saw in the previous month. But you can do it on a weekly basis, on a daily basis, on an hourly basis, hourly basis. CISA, putting an alert up there, everyone who has a certain software has to patch it immediately. With this methodology, we can actually verify and check which county responded and how quickly they responded to those CISA alerts. So we can actually measure the effectiveness of those alerts once we see the attack surface in front of us on a constant and consistent basis. So you see, interestingly, you see CVEs that get a lot of attention from counties and getting patched immediately. You see CVEs that get no attention at all. So even, you know, CVE as a unit of analysis is an interesting subject of research because they get different levels of attentions from different counties across the nation. At the same time, you see counties that constantly do well and respond and counties that constantly do bad and do not respond. And this is something we're still trying to figure out. And for state-level policymakers, for federal policymakers, this first-of-its-kind visibility is super helpful because finally they can see how the attack surface looks like at the local government level. And they can maybe distribute resources accordingly. They can maybe organize teams to help them in specific incidents. And this is a visibility that is greatly appreciated by policymakers. One of the things we're doing now is after we published the papers, many counties reached out and said, you know, we want the data. We want to work with you. And it draws enough attention for state and federal policymakers to notice. We're trying to make this something that is being used across levels of policymaking because it's an important visibility that can really help facilitate better cybersecurity. Right, absolutely, absolutely. So looking at those organizations that you say that don't adopt or don't patch these vulnerabilities as quickly as some of the other more ready counties, what are three steps that you would recommend these organizations, especially those with limited resources, start doing to address those vulnerabilities? Yeah, wonderful question, right? So how do you manage with very few resources in this space? I would say I'm hoping to see more collaboration, at least between neighboring counties, right? The capabilities of counties vary. Once you have this visibility, you're hoping to create incentives and reach to the top, maybe at the state level, and see which counties are doing better than others. Let's see what's working for them. The common cybersecurity problem of information sharing is very relevant here. But here, I don't want to know if you got attacked. I just want your expertise. So I want to see some expertise sharing under the umbrella of the state between counties. I want state policymakers to kind of pay attention to areas that need more attention than usual, than others, to be able to differentiate between the cybersecurity strength of a county. Once you have that visibility, you can mobilize resources accordingly. And that's what I'm hoping to see. Because at the end of the day, you are right. This is an organizational challenge. No matter how well you map and explain things technically, you need an organizational process in place to get things done. And many counties, unfortunately, lack in that. And it's something that resources would help. And it's also something that life is not a zero-sum game. I'm hoping to see counties helping one another to achieve better security. Because once you have a weak link in your state, that's what hackers are looking for. That's their entry point. And then it's much easier for hackers to conduct some sort of a better movement or just stay in your network for a while. So everyone will be better off if all counties are more secure. And I'm hoping that that incentive structure will help them actually help one another. Right. Information sharing is huge. And to your point, if one county ends up being targeted and a vulnerability is exploited, let's say it affects their transportation or their energy grid, then the likelihood of that affecting the next county over is probably quite high because just of proximity. So it's in everyone's best interest to help each other across county borders and ensure that information sharing is taken advantage of. So I'd also like to ask you a little bit about public policy as well. And so I'd love to know, what are two inconvenient truths that you believe governments need to come to terms with in terms of securing critical infrastructure at the county level? So let me just close the circle on your previous note. I think it's absolutely accurate because one of the surprising things we currently see in the research, it's not in the paper yet, it's in an upcoming paper, is this notion of risk clusters. We suddenly saw counties, many, many counties sharing the same IP addresses. So instead of each county managing its own infrastructure, we suddenly see two or three IPs work across hundreds of counties, the same IPs. So if those IPs are vulnerable, many, many counties are affected at the same time. This is a new finding that we were not aware of before. We dig deeper and we see things like power school or educational services used by school boards across counties that became kind of the go-to educational infrastructure that many, many counties are using. And these are the ones I want to protect as much as I can. If I have to prioritize, then I have to prioritize. That's how this work works. I want to protect those that can impact many, many counties at the same time. So by mapping those risk clusters, I think we're doing a great favor, I hope, to policymakers to better understand, again, how to distribute their resources. And it brings me back to your second question. One of the things we're missing in tech policy is measurement of compliance, right? It's very hard to understand how companies, government entities like counties or other organizations or even big tech, how they comply with the various security, privacy, accountability requirements. And one of the things I'm trying to do in my research, in my lab, is to be able to develop those computational tools like we did here to measure compliance across those popular user-facing large-scale technologies. Because lack of compliance there is a disaster. And the fact that we're able to measure security in other instances, measure privacy breaches or privacy postures, this will all help us better improve those tech policy cycles, make them more meaningful. Instead of just legislate once, forget about it, we're hoping to create what we call adaptive regulations. So regulatory models that are learning, adapting, changing based on compliance rates. Currently, we have no measurement of compliance rates, unfortunately, right? We have to create those, we have to have policymakers and regulators engage in tools that actually measure compliance levels of security, of privacy. And these are fuzzy concepts, it's hard to measure them. That's why we need good research on how you measure them and then come with those insights to develop indexes, improve enforcement, and better close the policy cycles that can actually mean something after you legislate. Because after you legislate, everything just started, right? It's not the end, it's the beginning of the process. So you have to improve your visibility on how the market behaves in order to know what you need to do in order to improve and ensure the resiliency of digital infrastructures we're so much dependent on. And to the defender who's listening today, what is the single most important takeaway that you want these listeners to walk away with? I think LLMs are an opportunity for the defender. I think if you're not capable but you have access to LLMs as a defender, you can do a lot. You can do it yourself, it's not too complicated. We detail in our paper exactly what we do. The paper was written before the LLM era, now it's even easier. So use large language models for your advantage. They are really a game changer for attackers but also for defenders. Try to use LLMs as leverage of them and capitalize on them. The better at least understand your security posture and know where things might go wrong. Another advice I would say is use honeypots. So honeypots is something that organizations are not so keen of using. Honeypots are fake infrastructures who look absolutely real that you install in your domain and in your IP subnet and try to see who is trying to attack. So those are infrastructures that are designed to be attacked. And this provides another monitoring tool to understand how targeted you are and what you need to look for when you're trying to defend your networks. So use LLMs to map your security posture, and try to combine the two to provide meaningful insights for your defense posture. Wonderful. Ido, thank you so much for your time today. Thank you for your research and really look forward to seeing how it evolves over the coming years. My pleasure. Thank you so much. Your feedback really helps me understand what you want to hear more about. Thank you.
