Comparison study of 10 leading pharma companies coming out in October

The goal of the data and cybersecurity exposure assessment, to be published in October 2022 by Cyber Intel Matrix, is to give an objective picture of currently detected vulnerabilities and, through it, a sectoral overview of typical vulnerabilities, weaknesses, and possible future threats. The study examines eight main perspectives of each company’s infrastructure:

  • Account Takeover analysis
  • Domain name analysis
  • Surface analysis
  • Dark Web / Pastebins / Hacking forums exposure
  • Adversary activity
  • Federated search evaluation
  • File exploration
  • Operational Technology risk assessment

A score has been assigned to each category, displayed alongside a final referential score for the particular category.

The standard for quantification is the CIM IVSS (Cyber Intel Matrix Industrial Vulnerability Scoring System), based on the cyber-industry standard CVSS (Common Vulnerability Scoring System) and IBM’s 2022 Global Cost of a Data Breach report.

The damage caused by ransomware attacks barely exceeds that caused by data breaches, which apparently pose a (slightly) lesser threat but are still the second-largest liability-related threat: “The average total cost of a ransomware breach is $4.62 million, slightly higher than the average data breach of $4.24 million”.

Based on data breach numbers (the average per-record (per capita) cost of a data breach increased by 10.3 percent from 2020 to 2021), there are no signs that these numbers will decrease in the near future, so data breaches as such are still the most harmful and costly source of danger, especially in sectors related to healthcare.

The pharma sector is in the crosshairs of cyber warfare for the 10th consecutive year now; this sector suffers the highest ransomware costs and the highest numbers of cyberattacks.

Every point can be an entry point for an adversary, therefore every surface, website and sharing point must be unhackable. Yet, every network we examined is filled with vulnerable points.

We have found a complex and vertically large network infrastructure in each pharma company, a large portion of which contains unmaintained legacy services.

All pharmaceutical companies hold valuable and sensitive data, making them a prime target for adversary activities.

The network infrastructure of pharma companies relies on a large number of third-party maintainers, contractors, developers and software. The potential exposure increases menacingly with the size of this infrastructure.

Pharma companies are seemingly trying to adopt state-of-the-art and secure cloud-based solutions and data management, while in many cases forgetting their parallel legacy frameworks, which run on outdated and vulnerable software (and firmware).

Critical IoT and IIoT devices remain vulnerable and exposed in many cases. One of the most astonishing IoT scan discoveries was a network of industrial printers that could be accessed on a public IP address. The printing queue of documents and their titles were made public. The printers’ incoming IP connections and AD (Microsoft Active Directory) usernames were also visible. What is more, the devices could be shut down and documents could be added to the printing queue from a single browser anywhere in the world.

We recommend that IoT vendors and pharma companies recruit a Development and Data Integrity Official, a full-stack programmer who assesses documentation to be published and oversees the corporate online presence in case it contains sensitive network or technical information that can be used by cybercriminals. Many publicly available technical manuals, for example, provide too much information, as is reflected by numerous professional forum discussions by third-party or corporate developers.

The problems of legacy systems are generally underemphasized in most sector analyses, and this proves to be a blind spot for cybersecurity specialists as well.

Be sure to receive the full report when it comes out in October.