Teresa Shea, Vice President of Cyber Offense and Defense at Raytheon Intelligence and Space, talks to Security about her journey through security and how to stay on top of security threats. She discusses the overlap between national and enterprise threats and offers ways to avoid cyberattacks.
Security magazine: As VP of cyber offense and defense, identifying emerging security threats is key. Tell me about how to identify these threats early on?
Shea: The thing that I think we all need to acknowledge is that we all have bad actors in our network, so you have to assume you’ve been hacked. Understanding both the threat actors, their intentions, what their motivations are — because there’s a numerous suite of motivations and it’s good to understand whether they’re there for espionage, criminal activity, to make money, to have some sort of political influence. All of these are intentions and understanding that intention really helps you to better protect against those kinds of attacks or, assuming you’ve been attacked or you have a bad actor in there, trying to contain that attack. Raising the bar on the bad guys [and] making it harder for them, that’s really what you want to set out to do.
[Also], keeping up with this ever-increasing attack surface. As you know, with the emergence of the high-speed 5G/6G networks and the interconnectivity of just about every device you can imagine, you are going to have so many attack vectors available to cyber actors and it is just too easy for them to find a vulnerability because software is inherently vulnerable. The President had issued an executive order to try and address some of these things at their core, and that’s moving in the right direction, but as we’ve seen this year in particular, we’ve had a very bad year with attacks on our supply chain. Supply chain attack vectors in particular provide access to multiple other vectors. It’s like a front door into [a] multitude of other vectors. So protecting against supply chain attacks in our commercial software that we use every day? That’s really hard for us as users to be able to do. We really are relying a lot on the commercial industry to step up their game and do more in protecting against those attacks.
The other one I wanted to mention, with the Colonial Pipeline attack and what’s happening in that space in terms of the ratcheted up attacks against our critical infrastructures. What you’ve seen from that is that can spill over into everyday life for individuals and cause a nationwide response in terms of concern and panic. Sometimes I think we forget where that originated from — we all need to be constantly vigilant and always be reminding everyone, “Don't click on that link.”
Security magazine: Let’s talk about the difference between national threats and enterprise threats? Are there different methods when dealing with each type?
Shea: That’s an interesting question because there is this overlap between the two. I think when you say national threats, you may be talking about nation-state attacks for a variety of reasons — we’ve seen nation-state attacks with disinformation, we saw that in our presidential elections, we’ve seen that work successfully for the adversary. Those are national attacks that then have an effect on us as a nation and are very concerning, but spilling over into these enterprise threats.
As we get more and more interconnected, it’s going to be hard to distinguish between the two in the future… Because those attack vectors, once they’re out there, become more and more publicly available for every individual that’s got access to the internet.
Security magazine: When do national security threats become enterprise security risks and vice versa? What kind of implications are we talking about at the enterprise level?
Shea: Serious implications. If you think about how we just take our critical infrastructures for granted — turn on your water, you expect water to come out, right? You turn your lights on, you expect your lights to come on. We were just talking about our aviation supply chain and how vulnerable that is. Hopefully soon, we’ll all be getting in planes again without much of a worry about the pandemic, but then you still always have this concern about, “How secure is this?” There’s an overlap between the physical and cyber space here, because cyber can have an effect on the physical outcome. You can’t really have safety without security and that security, what is now becoming fundamental, is the cybersecurity. Everything not connected today, soon will be in some way, shape, or form.
…[Then] it’s much broader and the attack vectors continue to grow.
Security magazine: What are some ways to avoid or defend against emerging threats?
Shea: Assume that you have been attacked. Just behave like you’ve got a bad actor in your network and constantly be vigilant about trying to know who’s accessing your data and what devices [you’re] connected to. Do you care and is there something you need to be doing about that? Is there some action you need to be taking?
What we constantly are pushing is this idea of, “You must have resiliency.” Yes, it’s good to have that awareness of understanding the threat landscape at a high level, but in terms of getting down to all multitude of possibilities of how you could be attacked, you need to do some basic things to protect yourself: use two-factor or multi-factor authentication; always make sure you’re installing the latest operating system; make sure that your supply chain [and] commercial vendors that you’re using are patching when the known vulnerabilities come out; keep yourself trained up on what the latest attacks are with these phishing schemes and how they’re even taken advantage of.
The above transcript has been edited for clarity.
To hear much more from this conversation, listen to The Security Podcast with Teresa Shea here.