Right-of-Breach Mentality Leads to Cyberattacks on Critical Infrastructure

The dust is still settling from the latest in a series of highly publicized cyberattacks affecting critical infrastructure in the U.S. Two Fridays ago, Colonial Pipeline – the single largest provider of natural gas across the Eastern U.S. – experienced a ransomware attack and announced that it was shutting down all 5,500 miles of its main pipeline, running from Houston, TX to Linden, NJ.

The news prompted a fearful response from consumers. Because Colonial Pipeline supplies 45% of gas, jet fuel and diesel across the East Coast, prices soared above $3.00 a gallon in some places, and gas stations experienced shortages as customers piled up to buy as much as they could. Since then, the pipeline has resumed operations and the cost of gas has slowly gone back down.

In retrospect, things could have been much worse.

According to Colonial Pipeline, the cyberattack affected its business networks rather than the industrial control systems connected to its delivery infrastructure. And thanks to a reserve supply, wholesalers serving retail customers did not report any shortages before the pipeline resumed operation. Even so, this incident serves as a stark reminder of the cyber war that is unfolding all around us and the risk it poses to national security.

Ransomware Attacks on the Rise

In August of 2020, CISA warned of a rise in cyberattacks against critical infrastructure and advised operators to take immediate action. Since then, their predictions have materialized in at least two major security incidents, including the SolarWinds breach in December and the breach of a Florida water treatment facility in February. According to one source, ransomware attacks rose by 62% in 2020, with ransom demands rising 225%.

Why is this happening? For one thing, bad actors are becoming more sophisticated. According to analysts, the Colonial Pipeline attack was an instance of “ransomware-as-a-service”. DarkSide – the Russia-based hacking group who claimed responsibility for the incident – provides its code to lower-level hackers and helps with execution in exchange for a cut of the profit.

But more importantly, organizations are not applying CISA’s recommendations until it is too late. They aren’t taking inventory of their assets, implementing a robust cybersecurity plan or enforcing access rules that would prevent a majority of attacks from succeeding.

Right of Breach Mentality

While the cause of the Colonial Pipeline attack has not yet been disclosed, recent high-profile security breaches have stemmed from notoriously bad cybersecurity practices. For instance, a SolarWinds update server was protected by a weak password (Solarwinds123); meanwhile, the Florida water facility lacked any user authentication mechanism to prevent unauthorized remote access.

But this does not prove that organizations are incapable of better cybersecurity practices. According to a study from Ponemon Institute, companies that experience a security breach are 26% less likely to experience another breach in the future. This research proves what we already know: organizations react “right of breach,” waiting for the worst to happen before they act to prevent it.

Until then, they cheat regulations in dozens of tiny ways that add up to a weak overall cybersecurity position, from skipping double authentication to creating loopholes in their own remote access rules. Many assume they are too big and sophisticated to fail, while others assume they are too small to fall under an attacker’s radar. Both are mistaken.

Nobody is Safe

In 2020, 1,600 security breaches were reported to the North Carolina Department of Justice, and most of them were not large enough to make any headlines. During the SolarWinds attack, over 18,000 organizations were infiltrated, including 425 companies on the Fortune 500 list. Victims ranged from federal, state and local governments to critical infrastructure entities and small businesses.

Today, there is a bad actor for every organization, and all are looking for a niche. Some are motivated by geopolitics, and some are in it for the money. Others are simply agents of chaos looking for any opportunity to cause destruction. At the end of the day, every organization will eventually fall victim to a cyberattack: it is not a matter of “if,” but “when.”

These organizations should take the threat of a breach seriously for the good of their customers, shareholders and employees. Federal contractors and critical infrastructure entities have an additional burden: they must do it to protect national security and the American way of life.

Preparing for Ransomware Attacks: CISA’s Advice

Following the Colonial Pipeline breach, CISA has once again issued a warning to critical infrastructure operators in publication AA21-131A, titled: ‘Best Practices for Preventing Business Disruption from Ransomware Attacks’. In the following paragraphs, we summarize the most important recommendations:

Reducing the Risk of a Breach

Organizations can reduce the likelihood of a successful ransomware attack by applying security controls that protect against common attack vectors.

  • Prepare for phishing attacks – phishing and spearphishing are among the most common methods of hacker reconnaissance. Train your employees to recognize and avoid compromised emails through simulated attacks; enable strong SPAM filters to prevent phishing emails from reaching them.
  • Protect against bad connections – block traffic from known bad IP addresses, and protect against malicious entry attempts by restricting remote desktop protocol (RDP) access. Additionally, block traffic from TOR exit nodes and other anonymization services.
  • Prevent unauthorized execution – prevent unauthorized programs from running on organization computers by disabling macro scripts in Microsoft Office files (PDFs, documents, etc.); use allowlisting so only trusted apps and dependencies can operate.

Protecting Business Functions

Should a ransomware attack occur, the following protections and redundancies will ensure that critical business functions can continue.

  • Segment IT/OT networks – regulate communication between operational technology (OT) and information technology (IT); minimize network connectivity to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.
  • Prepare for manual control – ensure you can switch to manual operation if necessary. Find and disable IT dependencies in the event of a cyberattack; conduct exercises to test manual controls on a regular basis.
  • Conduct regular backups – regularly back up system data and store it separately from the rest of your network. Create backup images of critical systems so they can be rebuilt from scratch if necessary.
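One way to verify the RDP restriction from the previous list and the IT/OT segmentation above is to probe the firewall policy the way a first-match firewall would evaluate it. This is an added example, not CISA's or Securicon's code; the address plan, rule sets and probe list are constructed assumptions, and the rule format is a simplification.

```python
"""Probe an ordered firewall policy for RDP exposure and IT-to-OT reachability."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# Constructed address plan (assumption, not taken from the advisory).
MGMT = ip_network("10.10.50.0/28")  # jump hosts permitted to use RDP
IT = ip_network("10.10.0.0/16")     # business network
OT = ip_network("10.20.0.0/16")     # ICS/SCADA network
CONDUIT_SRC = ip_network("10.10.60.5/32")  # hypothetical data-collection host
CONDUIT_DST = ip_network("10.20.1.10/32")  # hypothetical OT historian

# Rules are (action, source, destination, port); port None means any port.
WEAK = [
    ("allow", ANY, IT, 3389),   # RDP reachable from anywhere
    ("allow", IT, OT, None),    # flat IT-to-OT access
    ("deny", ANY, OT, None),    # never reached for IT sources (shadowed)
]
HARDENED = [
    ("allow", MGMT, IT, 3389),  # RDP only from jump hosts, only into IT
    ("deny", ANY, ANY, 3389),
    ("allow", CONDUIT_SRC, CONDUIT_DST, 443),  # single approved conduit
    ("deny", ANY, OT, None),
]

# (label, source, destination, port, expected decision)
PROBES = [
    ("RDP from the internet to an IT host", "203.0.113.7", "10.10.4.20", 3389, "deny"),
    ("RDP from a jump host to an IT host", "10.10.50.3", "10.10.4.20", 3389, "allow"),
    ("IT workstation to PLC on Modbus/TCP", "10.10.4.20", "10.20.1.50", 502, "deny"),
    ("IT workstation RDP to an OT HMI", "10.10.4.20", "10.20.1.60", 3389, "deny"),
    ("Approved conduit to the OT historian", "10.10.60.5", "10.20.1.10", 443, "allow"),
]


def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    src, dst = ip_address(src), ip_address(dst)
    for action, rule_src, rule_dst, rule_port in rules:
        if src in rule_src and dst in rule_dst and rule_port in (None, port):
            return action
    return "deny"


def audit(rules):
    """Return the labels of probes whose decision differs from the expected one."""
    return [label for label, src, dst, port, expected in PROBES
            if decide(rules, src, dst, port) != expected]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", audit(rules) or "no findings")
```

The weak policy ends with a deny rule for OT, yet the broad allow above it matches first, which is why rule order has to be tested rather than read.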

Worst Case Scenario

If the worst should come to pass, have an emergency plan to protect the rest of your organization and mitigate damage from attackers.

  • Isolate infected system – immediately identify infected devices, power them down and remove them from your network.
  • Disable devices – power-off and segregate unaffected systems that are on the same network as infected devices. Do not allow them to communicate.
  • Secure your backups – your backups are your last line of defense. Make sure they are offline and secure; scan to ensure they have not been compromised by attackers.

In the hours after a data breach is discovered, an organization’s actions are critical. For more preparation and emergency response strategy, see our blog post: How to Survive a Data Breach: 14 Disaster Response Tips.

Harden Your Organization

While it appears that Colonial Pipeline made several mistakes leading up to the recent ransomware attack, the company did one thing right: it reacted quickly by taking critical systems offline and partnering with a third-party firm to investigate the incident and prevent future attacks.

Moving forward, critical infrastructure operators cannot afford to ignore the threat of ransomware. As cyber-actors advance, your organization is a target. With years of ICS expertise trusted by the U.S. security community – including DoD, DHS and the U.S. Cyber Command – Securicon can harden you against today’s risks and prepare you for tomorrow’s threats. Contact us to learn more.

 

How Local Governments Can Help Their Remotely Employed Cybersecurity Teams


When the COVID-19 lockdowns began many months ago, experts in the cybersecurity industry knew what was coming next. As we have established in past articles, hackers are opportunistic: eager for any chaos to exploit in pursuit of their goals. A society-wide shut down which left many online for much longer than usual was the perfect opening, especially for high-value targets like local governments, who experienced a 100% increase in site traffic immediately following the stay-at-home orders.

Now six months later – though restrictions have eased throughout the U.S. and malicious cyber-activity has reduced from the fever pitch it reached at that time – there are still threats to contend with. This time, cybersecurity teams are working away from the office, and they are facing complex and unprecedented situations. Remote employment is a complicated affair in general, but for cybersecurity teams and operations centers (SOCs) it presents a number of unique challenges.

While 98% of the population says it would “like to work remotely,” no less than 89% of cybersecurity professionals say they are facing increased job difficulty because of stay-at-home policies, according to a recent study. This shocking disparity suggests the obvious: it’s hard for cybersecurity teams to do their jobs properly outside their organizations.

In this article, we’ll look at several reasons why this is the case, and how local governments can help their vitally important cybersecurity personnel to succeed as remote employees.

Insecurity of Remote Endpoints

The first problem is that cybersecurity professionals aren’t the only ones working from home now: their coworkers are doing the same thing, shifting the perimeter that the former are obligated to monitor and protect. In June, only 26% of the U.S. workforce were still working in their physical business premises.

When targeting an organization, attackers seek any endpoint that may be attached to it. Those endpoints have expanded to include devices, systems and equipment across a large geographic region. Notoriously vulnerable IoT and mobile devices in employee homes provide the perfect bridge to their work computers, and enforcing security measures on them is tough.

Remote endpoints also offer an increased opportunity for credential theft, which is the main culprit behind 80% of hacking related breaches. While most of these are the consequence of phishing schemes (which have also increased under lockdown), they can easily result from an insecure or keylogged work computer as well. Attackers with stolen credentials are much harder to fend off, since they look like legitimate users.

Protecting Off-Premise Devices

Taking work-devices off-premise has always been a security concern, but it has never occurred at this scale before. Fortunately, there are ways to reduce their vulnerability:

  1. Increase monitoring for suspicious activity on business networks indicating an attempt by a “legitimate” user to elevate their own privileges (new privileged users on network hosts, requests to a domain controller, memory dumps from authentication processes, etc.)
  2. If feasible, recommend that off-premise employees segment the networks in their home office by using dual routers, one for work, and one for personal use. This provides a physical barrier against attacks propagating from vulnerable devices.
  3. Above all, enforce cybersecurity training for all personnel, specifically emphasizing recognition of phishing attacks and the danger of IoT and other non-essential connected devices.

While none of these measures can guarantee protection from attacks through remote employees, they will definitely diminish the opportunity.
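The monitoring in item 1 can be expressed as detection logic over Windows Security and Sysmon events. The following is an added example, not Securicon's code: it flags additions to privileged groups and memory-read access to the LSASS authentication process. The group list, approved admin account, EDR path and all sample events are constructed assumptions.

```python
"""Flag privilege-elevation signals in Windows events (constructed sample data)."""
from datetime import datetime, timedelta

SECURITY, SYSMON = "Security", "Microsoft-Windows-Sysmon/Operational"
ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # global, local, universal security group
PROCESS_ACCESS = 10                      # Sysmon: one process opened another
PROCESS_VM_READ = 0x0010                 # access right needed to read memory

# Assumptions for this example: adjust to the environment being monitored.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
APPROVED_ADMINS = {"svc-iam"}            # accounts allowed to grant privilege
LSASS_ALLOWED = {r"c:\program files\exampleedr\agent.exe"}  # hypothetical EDR


def detect(events, window=timedelta(minutes=30)):
    """Return (rule, host, subject) alerts in event-time order."""
    alerts, created = [], {}             # created: (host, account) -> time
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts, host = datetime.fromisoformat(e["time"]), e["host"]
        if e["channel"] == SECURITY and e["id"] == ACCOUNT_CREATED:
            created[(host, e["TargetUserName"].lower())] = ts
        elif e["channel"] == SECURITY and e["id"] in GROUP_MEMBER_ADDED:
            if e["TargetUserName"].lower() not in PRIVILEGED_GROUPS:
                continue                 # TargetUserName holds the group name
            member = e["MemberName"].lower()
            born = created.get((host, member))
            if born is not None and ts - born <= window:
                # Account created and promoted within the window on one host.
                alerts.append(("new_account_privileged", host, member))
            elif e["SubjectUserName"].lower() not in APPROVED_ADMINS:
                alerts.append(("privileged_group_add", host, member))
        elif e["channel"] == SYSMON and e["id"] == PROCESS_ACCESS:
            source = e["SourceImage"].lower()
            reads_memory = int(e["GrantedAccess"], 16) & PROCESS_VM_READ
            if (e["TargetImage"].lower().endswith(r"\lsass.exe")
                    and reads_memory and source not in LSASS_ALLOWED):
                alerts.append(("lsass_memory_access", host, source))
    return alerts


def ev(time, channel, eid, host, **fields):
    """Build one simplified event record."""
    return {"time": time, "channel": channel, "id": eid, "host": host, **fields}


LSASS = r"C:\Windows\System32\lsass.exe"
# Constructed events. Real 47xx records often give the member as a SID or DN,
# so resolve it to an account name before matching.
SAMPLE = [
    ev("2021-05-10T09:00:05", SECURITY, 4720, "WS-114",
       SubjectUserName="jdoe", TargetUserName="helpdesk2"),
    ev("2021-05-10T09:01:10", SECURITY, 4732, "WS-114", SubjectUserName="jdoe",
       TargetUserName="Administrators", MemberName="helpdesk2"),
    ev("2021-05-10T09:05:00", SYSMON, 10, "WS-114", TargetImage=LSASS,
       SourceImage=r"C:\Users\jdoe\Downloads\unknown.exe", GrantedAccess="0x1010"),
    ev("2021-05-10T09:06:00", SYSMON, 10, "WS-114", TargetImage=LSASS,
       SourceImage=r"C:\Program Files\ExampleEDR\agent.exe", GrantedAccess="0x1010"),
    ev("2021-05-10T09:07:00", SYSMON, 10, "WS-114", TargetImage=LSASS,
       SourceImage=r"C:\Windows\System32\svchost.exe", GrantedAccess="0x1000"),
    ev("2021-05-10T09:30:00", SECURITY, 4732, "WS-200", SubjectUserName="jdoe",
       TargetUserName="Remote Desktop Users", MemberName="jdoe"),
    ev("2021-05-10T10:00:00", SECURITY, 4728, "DC01", SubjectUserName="svc-iam",
       TargetUserName="Domain Admins", MemberName="asmith"),
    ev("2021-05-10T11:00:00", SECURITY, 4728, "DC01", SubjectUserName="bwayne",
       TargetUserName="Domain Admins", MemberName="bwayne"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert, sep=" | ")
```

The account-creation correlation is keyed per host, so a domain account created on one domain controller and promoted on another needs the events merged under a common key first.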

Strained Security Resources

During the lockdowns, local governments and other organizations have experienced a dramatic rise in IT support tickets to troubleshoot problems with business software and home office equipment. Accordingly, nearly half of cybersecurity professionals said they had been shifted to an IT role, leaving their colleagues with double the workload.

Little wonder, then, that in the middle of a cybersecurity talent gap, many have considered leaving their current jobs for calmer waters where they can practice the profession they trained for. This is a loss that local government agencies can ill afford – and fortunately, it’s mostly unnecessary.

Reducing Work Strain

To this day, upper management often considers cybersecurity a mere function of IT when they are actually distinct.

  • Avoid hemorrhaging your security resources by clearly defining the domain of IT and the domain of cybersecurity. Allow the former to handle implementation and troubleshooting made necessary by the transition and consider outsourcing or new hires if they are necessary.
  • Provide adequate resources for your cybersecurity team; maintain communication through HR and ensure that they are not overburdened during a time when they are needed most.

In the hectic and sometimes experimental transition to remote employment, it’s easy for any business to become disorganized and leave people behind in the shuffle. Preventing this is an utmost priority.

Communication Problems

Effective cybersecurity requires a constant stream of communication between different operatives, and often communication between departments, especially when problems need to be resolved in real time. But while it is possible to remain in communication while working remotely, that does not mean it is easy.

As vCISO at Dubai Expo 2020 Dr. Grigorios Fragkos notes:

“When you work with your team throughout the day, you can discuss, coordinate and brainstorm on-the-fly, but it takes way more time to have these micro-communications over virtual mediums, phone-calls and emails, compared to a brief face-to-face catchup.”

Therefore, remote employment brings delays to the communications process, and important communications may even be lost in the noise.

Ensure Communication

There are several ways to make sure your cybersecurity professionals can stay in touch:

  • Invest in collaboration software and lightweight communication channels that bring together your IT, cybersecurity, HR and business teams
  • Even if channels are provided, engagement with those tools may be low, simply because old habits die hard. Ensure regular team check-ins, and make those channels a fundamental part of the new work process.
  • Segment critical channels from more general ones so your cybersecurity team knows how to prioritize their response to incoming information.

Your security professionals are frequently inundated with data – especially in a SOC environment – that may require intense and focused attention. Ensuring they have the tools they need to quickly communicate and get back to work is essential to their success.

Conclusion

In our free infographic checklist, we step through all the ingredients of an effective remote cybersecurity team including:

  • Crucial security strategies for remote endpoints
  • Key points of effective cyber hygiene for your entire organization
  • What every remote cybersecurity professional needs to succeed


Remote employment is far from impossible, even in the domain of cybersecurity, but the process of establishing a balanced workload, communication and effective strategies for securing remote endpoints requires proactivity from everyone involved, especially those at the top.


Securicon provides information security solutions to public and private sector organizations. Our expert cyber security teams help our clients manage and secure their Information Technology (IT) and Operational Technology (OT) environments by providing vulnerability and penetration testing/assessments; governance, risk and compliance services (GRC) and security architecture review and design services.  Contact Us to learn more!

Why A Compliance-Based Approach to Cybersecurity is Not Enough


The RMS Titanic was carrying 2,224 passengers and crew when it sank one April night in 1912, killing over 1,500 people. Since then, many have wondered why the ship was not carrying enough lifeboats to save all the souls on board.

There’s a simple answer: the designers of Titanic had followed the British Board of Trade by equipping it with 20 lifeboats, and even threw in four more than the regulations required. Since then, the story of Titanic has served as a grim reminder that regulatory compliance does not guarantee safety or security.

Today government contractors and organizations working with the federal government are required to implement a host of regulatory security controls from National Institute of Standards and Technology (NIST) to Federal Information Security Management Act (FISMA) and Defense Federal Acquisition Regulation Supplement (DFARS). But not all organizations are equally secure: in 2019, 80% of companies were expecting to experience a data breach. But what set them apart from the 20% who were confident that their cybersecurity program would succeed?

The Problems with Compliance

At least part of the answer to that question lies in the difference between a compliance and a risk-based mindset. While government regulations provide a minimum standard of security to businesses, these truly only satisfy a lowest common denominator of security controls. The best security officers and IT administrators know that their organization needs more. When it comes to cyber risk, a compliance-based mindset can actually make organizations significantly less secure for the following reasons:

  • Regulations lag behind technical threats – today technology is advancing at a faster pace than ever, and as it does, threat actors find new ways to penetrate organizations and leverage their weaknesses. By the time regulations are updated, they may be weeks behind the latest attack vector, leaving compliant businesses vulnerable.
  • Compliance is NOT security – to ensure that security controls are followed, they must be meaningfully contextualized by a broader security strategy that is understood by everyone throughout an organization. Unfortunately, compliance often devolves into a list of boxes that must be checked off which obscure the reason behind each control.
  • Compliance is expensive – gone are the days when companies could conduct self-audits or track their IT infrastructure without the assistance of expensive products and solutions. The more a company struggles to comply with regulations, the more it will spend in that effort with no clear guidance to prioritize expense.
  • Compliance is siloed – a compliance strategy is usually carried out from a centralized position which assigns security controls to every department in an organization. Rather than helping them to work together and share data, compliance efforts are limited by silos that don’t communicate with one another.

But the number one problem with a compliance-based cybersecurity mindset is this: compliance is only a basic foundation – even most regulators will admit that the requirements imposed by security regulations are a bare minimum standard for organizational security. Although it may cite cost, capability or time as a reason for stopping at mere compliance, an organization that has not taken the steps to move beyond mere compliance by building on top of its unique needs and circumstances has not seriously considered the responsibility it bears to its clients and shareholders.

What is Risk-Based Cybersecurity?

Although the Titanic was built to the British government’s specifications, one prescient observer noticed its flaws. Civil safety officer Maurice Clarke advised that “the ship needs 50% more life-boats,” and that advice was ignored. While the Titanic’s owners were thinking from a compliance-based perspective, Clarke was thinking from the perspective of risk.

The basic contours of risk and risk-based approaches to security are spelled out in NIST SP 800-37, which lays out a Risk Management Framework (RMF) for government organizations and businesses to follow. This document provides a useful way to talk about risk. In short, risk is:

  1. The likelihood that a threat event will happen
  2. The impact if it does

Organizations that take a risk-based approach to security are looking at it with the goal of protecting their most valuable assets, the safety of their customers, and the security of their information. They proactively search for weaknesses in their IT architecture through risk assessments and seek to continually improve their position.

Benefits of a Risk-Based Mindset

At first glance, risk-based security might seem like a significant time investment: it requires preparation, strategy, and continuous monitoring. But while it is not as linear as compliance, those who adopt it will quickly find that it is not only less resource-intensive, but also provides many benefits:

  • Stay ahead of threats – when organizations pay attention to risk, they quickly discover new and developing threats long before they are reflected in legislation. This allows them to protect their organizations from attackers at their most powerful and gives them a competitive edge.
  • Prioritize security efforts – by revealing areas of high vulnerability, a risk-based strategy helps organizations to continually improve their cybersecurity position with time while effectively protecting their customers and most vital assets.
  • Cost-optimized – a risk-based mindset enables organizations to allocate resources more efficiently, spending the greatest amount of money and manpower on the areas which need it most. Greater overall security and reduced labor leads to lower costs.
  • Integrated cybersecurity strategy – by embedding cybersecurity goals within their overall enterprise risk management strategy, organizations connect cybersecurity concerns with business goals, bringing together all departments and personnel to protect its assets.

Ultimately, a risk-based mindset reduces “check-the-box” routines that obscure the real purpose of cybersecurity from an organization’s people. It helps executives and decision makers to reflect on cybersecurity with every choice they make and empowers everyone else to make a meaningful contribution to the reduction of risk.

Risk vs. Compliance: Better Together

While a risk-based approach to cybersecurity fills many of the gaps in a compliance-dominated organization, they are better together. Firstly, compliance offers a simple foundation that all organizations should be able to meet before they look for ways to improve. Secondly – due to the impact of a failed audit – lack of compliance is itself a risk which should be accounted for in any risk management strategy.

Today all federal contractors and an increasing number of businesses in the private sector are being asked to comply with federal security regulations. But newer standards like the Cybersecurity Model Maturity Certification (CMMC) recognize the limits in a traditional approach to compliance, and demand that businesses think about risk. Organizations who don’t start today won’t be prepared tomorrow. Contact us to learn more!

The Hacker’s Perspective: Risk as Opportunity

When the Cybersecurity Model Maturity Certification (CMMC) goes into effect this year, the defense department will be holding its contractors to a higher standard than ever before. But whether or not they’re ready for the change remains to be seen: in the past, DoD partners were required to comply with regulations like NIST 800-171. In reality, many fell behind due to the leeway they had in implementation.

With CMMC, the DoD hopes to foster a “culture of cybersecurity” throughout the federal government, and a big part of that involves an emphasis on risk. While the traditional mindset of compliance is based on a checklist of one-size-fits-all security controls, a risk-based mindset invites every business to find its weakest spots and prioritize them effectively.

Now, bidding contractors will be required to demonstrate adequate levels of security before a contract can even be awarded. But while the CMMC provides plenty of guidance, contractors will find its standards difficult to meet unless they take responsibility for their own unique risks. In this blog, we will examine what that effort entails, especially from the perspective of an organization’s worst enemies.

What is Risk?

According to the Risk Management Framework (RMF) published by the National Institute of Standards and Technology (NIST), “risk” is a combined measurement of two factors:

  1. The likelihood that a vulnerability will be exploited
  2. The impact of such an event

In some ways, this fits with a common sense notion of risk, and in other ways it does not. For instance, hackers are not counted as a risk by this definition, but “risk” does include everything which hackers and other adversaries may use to their advantage.

Incidentally, what proves advantageous to a hacker is also the most serious kind of risk. And while certain oversights in security may not seem like a big deal from the organization’s perspective, this mistake is less easy to make from the opposite side of an attack.

How Hackers See Risk

When conducting a cyber hunt, Securicon often uses red-teaming to find less obvious vulnerabilities in an organization’s network. While a “blue” team works to defend the network from attacks, the “red” team works to bypass them using a combination of techniques.

These two perspectives could not be more different: while the blue team takes a hierarchical and organized view of the technology they are defending, the red team is opportunistic. It works to find any trigger that allows it to cause chaos or otherwise subvert normal operating conditions.

For hackers, “risk” therefore translates into “opportunity”. And although individual hackers differ in their overarching goals, all of them look for three basic opportunities:

  • Access – establish an initial and persistent presence within the target organization for further activity
  • Concealment – hide activity by evading detection, which means bypassing normal safeguards, disguising malicious activity as legitimate or creating a diversion elsewhere in the network
  • Escalation – gain privileges and therefore greater control over a system

The greatest risks to an organization’s security center around these goals and should be prioritized accordingly. Common examples include:

Wide Area of Attack

In a past article, we talked about the importance of minimizing attack area in the context of industrial control systems (ICS). This principle applies more broadly: networks become increasingly less secure with every new access point such as routers and IoT devices. Partners up or downstream also represent potential targets which hackers can use to gain a foothold.

Useful Idiots

Despite how far technology has come, hackers still use social engineering during the reconnaissance phase of an attack. Untrained personnel may be persuaded to divulge sensitive information which can be used for access, concealment or escalation. They may also compromise their organization by clicking malicious links containing malware or phishing scams.

Blind Spots

Robbers do not come in through the front door: likewise, the most sophisticated hackers seek an entry-point that is not well-monitored or protected to conceal their presence. Thanks to the Internet of Things (IoT), organizations are now flooded with a host of devices – from printers to coffee machines – that may contain significant vulnerabilities and require protection.

Lack of Security Controls

Overlooked security controls – such as two-factor authentication (2FA), network passwords and encryption – represent one less obstacle for hackers to overcome during an attack, and they will use such oversights to their advantage. On the other hand, even controls that seem redundant can prevent an attack from succeeding at a crucial stage.

Using a Hacker’s Mindset

The best form of security is proactive security, and proactive security starts by finding risks and remediating them before they are ever exploited. As this risk-based approach becomes essential to meet federal standards for compliance, organizations will benefit from thinking about their systems like an outsider.

In 2020, consider investing in a professional risk assessment. With years of experience in a DoD context, our trained experts can offer something that automated solutions cannot rival: human intelligence, creativity and a deep understanding for the way real hackers think.


Securicon is poised to support industry partners in preparing for CMMC through Gap Analysis and Assessment of security practices and procedures. Contact us for more information.