Some of the best software coders in the world are criminals, and industry security experts know they are getting even smarter.

One of the most potent ransomware programs seen to date is GandCrab, not just because it has been remarkably effective in targeting Windows-based systems with popular infection vectors, but its malicious programmers have shown great agility in fixing code bugs and responding to blocking attempts.

At the RSA Conference in San Francisco this month, McAfee Chief Scientist Raj Samani described how he was traveling by car to a meeting one morning in February when a client called him seeking the latest GandCrab protection kit, which had been released earlier that day. By the time he got back in his car, the criminals had already issued a bypass of the new protections, according to Samani.

This example highlights the arms race that security professionals are engaged in as they must deal with a world where the bad actors are as nimble and advanced as they are. It is an increasingly greater challenge, because software coding is just one of the many threats confronting the tech community today. Of perhaps even greater concern is the rapid growth of internet-connected devices, which are designed to communicate with networks, despite having little or no security.

“All of these systems that were conceived to be standalone are now starting to communicate,” said Elisa Costante (pictured), senior director of industrial and operational technology innovation at Forescout Technologies Inc. “We’re looking at threats this can bring and what we can do to defend the customer.”

Costante spoke with Jeff Frick (@JeffFrick), host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the RSA Conference in San Francisco. They discussed how Forescout manages security vulnerabilities across a wide range of technologies, the challenges of protecting legacy systems, and the importance of having visibility throughout the connected enterprise. (* Disclosure below.)

This week, theCUBE features Elisa Costante as its Guest of the Week.

Threats move to the edge

Forescout is focused on device visibility and control, an increasingly important area as the cybersecurity threat “perimeter” has moved to data in edge internet of things devices. The company’s technology addresses the marriage of information technology with operational technology while guarding the connected services that support both.

An example of this can be found in the application of IP camera security solutions. For several years, the Insecam project has provided a directory of 73,000 unsecured IP cameras in 256 countries. Reolink Digital Technology Co. Ltd. has published a breakdown of the cameras available in the directory by country and manufacturer, including a list of usernames and default passwords. (Hint: “admin” and “1234” are very popular.)

With this kind of unsecured vulnerability for only one device, it’s no wonder that companies need technology for access management whenever an IP camera is connected to a network. When a camera is attached, Forescout creates rules to manage the camera’s internet access and ensures that the customer’s operations team is properly alerted.

“IP cameras should do one thing — record stuff,” Costante said. “There could be leverage to turn the camera against the owner. We enter into a network and give full visibility of all the IP devices that are there.”

Vulnerable legacy systems

The many layers of IT and OT infrastructure can get messy, especially in large organizations. This is particularly true in the presence of legacy systems, where outdated technologies that have not been correctly patched with the latest software could result in significant security vulnerability down the line.

Legacy system weakness can often be an open door for hackers. WinRAR, a popular Windows archiving tool, was recently found to have a vulnerability that existed for 19 years. The flaw, which was discovered by Check Point Software Technologies Ltd. and has since been corrected, allowed attackers to extract malicious files and gain access to Windows-based personal computers.

Legacy flaws can have even broader implications, such as an impact on national defense. A report issued last year found that U.S. missile defense data centers had numerous cybersecurity issues, including an unpatched vulnerability initially identified in 1990.

“On top of these legacy systems that have been developed without security in mind, you [allow] the IT systems … to have remote access and remote control,” Costante explained. “This is where things can go wrong.”

Bypassing IT security

A recent SANS Institute study found that a third of surveyed OT devices were now directly connected to the internet, essentially bypassing any security measures on the IT side. This kind of vulnerability is a growing concern for many security experts. A prime example of how an OT flaw can be successfully exploited is playing out in the spread of Triton, sophisticated and dangerous malware designed to shut down industrial plant safety systems.

The malware was discovered in a Saudi Arabia petrochemical plant. Security researchers believe that Triton was initially installed on a workstation that communicated with the plant’s industrial safety systems.

This lack of visibility or understanding inside an organization’s operational infrastructure is the kind of situation where Forescout’s executives believe the company’s technology is most needed. “We basically bring light to the dark side of the network,” Costante said.

Costante recently concluded a Forescout-led 18-month research project designed to test building automation security. The company built a lab with temperature and lighting control systems made by various vendors and then analyzed performance from a security standpoint after attacking the technology with malware.

Results found significant misconfigurations on one workstation that managed building automation systems that would allow an attacker to have administrator privileges. Another finding was that malware could open user credentials based on a flaw in a programmable logic controller. Forescout’s team found nearly 8,000 devices that were vulnerable to this kind of attack.

The research team’s budget was a mere $11,000, pocket change for most nation-states. “The main message is that this is something that can be done easily and is not even that expensive,” said Costante in an interview at the time of the study’s release.

The other message is that cybercrime pays and return-on-investment appears to be on the rise.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of the RSA Conference. (* Disclosure: Forescout Technologies Inc. sponsors theCUBE’s coverage of the RSA Conference. Neither Forescout nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE