Colonial Pipeline hack — what your business needs to know


About two weeks ago, one of the largest physical infrastructure cyberattacks perpetrated against the United States hit the Colonial Pipeline. That pipeline, responsible for nearly 50% of the East Coast’s fuel, had to be shut down for a significant period of time before the company capitulated and paid the ransom demand to regain access to their critical files. It was a stunning breach of a critical infrastructure system and highlighted a host of issues at both the macro level as well as the micro. Here’s what you need to know:

Ransomware comes for us all

Ransomware is a large and growing threat for, well, basically everyone. The most common version of a ransomware attack occurs when a hacker / hacking group gains access to a company’s or government agency’s IT systems, encrypts all the files within that company or governmental organization’s system, and then demands monetary payment in order to decrypt the files so the company or governmental agency can regain control of their systems (usually paid in Bitcoin or some other cryptocurrency).

This is the course that the Colonial Pipeline ended up taking — a ransomware group some suspect to be ‘Darkside’ encrypted all of Colonial’s files, and as has been reported, Colonial ended up paying ~$5MM in order to regain control of their system:

Reuters reports that incident responders from security firm FireEye are assisting the company, and that investigators suspect that a ransomware group known as Darkside may be responsible.

Ransomware is a particularly malicious form of cyberattack because A) it can completely incapacitate your systems, B) can be very costly to undo and C) there’s no true guarantee that you’ll regain control of your system even if you do pay the ransom. And it’s proliferating, according to Wired:

The Colonial Pipeline shutdown comes in the midst of an escalating ransomware epidemic: Hackers have digitally crippled and extorted hospitals, hacked law enforcement databases and threatened to publicly out police informants, and paralyzed municipal systems in Baltimore and Atlanta.

The problem in the U.S. cybersecurity defense apparatus

One of the huge takeaways from the Colonial Pipeline hack is that the U.S. cyberdefense apparatus is woefully inadequate for the threats it's facing today. The primary problem? Jurisdiction.

According to NBC News, there is no one true federal agency with power and responsibility for our cyberdefenses:

Against this largely foreign threat, the U.S. government leaves it to the private sector to protect itself. The National Security Agency collects intelligence about cyberattacks, the FBI investigates them after they happen and the Department of Homeland Security tries to protect government computers. But no federal agency is in charge of defending the American public against hackers, be they criminals or intelligence operatives.

…The secondary role of federal agencies was on stark display Tuesday, when the acting head of the Cybersecurity and Infrastructure Security Agency, a unit of DHS known as CISA, acknowledged that five days after the attack on the company was first reported, Colonial Pipeline had yet to share with his agency the technical details of the hack. Colonial never notified CISA of the breach — the FBI did that, acting Director Brandon Wales said.

So even when massive hacks occur, private companies — who run much/most of our critical energy infrastructure — don’t have to report the details of any attack to any federal agency if they don’t want to. Likewise, there’s no federal agency really protecting our companies from this large and growing foreign threat.

What it means for the future (and for you)

To combat some of these problems so readily highlighted by the Colonial Pipeline hack, President Biden signed a new Executive Order seeking to plug some of these holes. You can read the full text here, but the bullet points are:

  • Remove Barriers to Threat Information Sharing Between Government and the Private Sector
  • Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
  • Improve Software Supply Chain Security
  • Establish a Cybersecurity Safety Review Board
  • Create a Standard Playbook for Responding to Cyber Incidents
  • Improve Detection of Cybersecurity Incidents on Federal Government Networks
  • Improve Investigative and Remediation Capabilities

While these improvements at the federal level, and ostensibly at the nexus between public and private entities, might do wonders for our country’s cyberdefense, the truth of the matter is that lasting change will require bipartisan, congressional action (which, as you’re probably aware, may be a liiiittle tricky to come by in our current political climate). That said, there are some important things you can do to help keep your own business safe.

When it comes to keeping your business safe, the Small Business Administration has a 14-point plan for warding off ransomware:

  1. Implement an awareness and training program. Because end users are targets, employees should be aware of the threat of ransomware and how it is delivered.
  2. Enable strong spam filters to prevent phishing emails (an attempt to obtain sensitive information electronically) from reaching employees and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
  3. Scan all incoming and outgoing emails to detect threats and filter executable files (used to perform computer functions) from reaching employees.
  4. Configure firewalls to block access to known malicious IP addresses.
  5. Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
  6. Set anti-virus and anti-malware programs to conduct regular scans automatically.
  7. Manage the use of privileged accounts based on the principle of least privilege: no employees should be assigned administrative access unless absolutely needed and those with a need for administrator accounts should only use them when necessary.
  8. Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If an employee only needs to read specific files, the employee should not have write access to those files, directories, or shares.
  9. Disable macro scripts (tool bar buttons and keyboard shortcut) from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.
  10. Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
  11. Consider disabling Remote Desktop protocol (RDP) if it is not being used.
  12. Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
  13. Execute operating system environments or specific programs in a virtualized environment.
  14. Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.
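Point 2 above is easy to get half right: a domain can publish SPF and DMARC records that exist but still let spoofed mail through (a `~all` or `+all` SPF qualifier, or a DMARC policy of `p=none` that only reports). The script below is an added example, not code from the SBA or this article; it assesses two constructed sample records offline, with no DNS lookups, and flags the weak settings a defender should tighten.

```python
"""Assess SPF and DMARC TXT records for settings that let spoofed mail
through. Sample records are constructed; nothing is looked up in DNS."""
import re

# Constructed records standing in for the TXT lookups of example.com
# and _dmarc.example.com respectively.
SAMPLE_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

# Mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per check.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def assess_spf(record):
    """Return a list of findings for an SPF record (empty = acceptable)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # The final 'all' term decides what happens to senders that match nothing.
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unmatched senders are treated as neutral")
    elif all_term.startswith("+") or all_term.lower() == "all":
        findings.append("'+all' authorises every sender")
    elif all_term.startswith("?"):
        findings.append("'?all' is neutral: spoofed mail is not rejected")
    elif all_term.startswith("~"):
        findings.append("'~all' is softfail; '-all' is the hard-fail setting")
    # Count lookup-causing mechanisms (strip qualifier, keep the mechanism name).
    lookups = sum(
        1 for t in terms[1:]
        if re.match(r"[+\-~?]?([a-z]+)", t.lower()).group(1) in LOOKUP_MECHS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(record):
    """Return findings for a DMARC record; p=none is monitoring only."""
    parts = (p.partition("=") for p in record.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy.lower() == "none":
        findings.append("p=none only reports; use quarantine or reject to block spoofing")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    return findings
```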

But what if you’re not in a position or don’t possess the technical acumen to put all of these into play yourself? That’s where we come in. Managed IT service providers handle all 14 points for you so that you don’t have to worry about what happens in the case of a ransomware attack. We’re the experts in ensuring uninterrupted uptime for our clients; you focus on your work, we focus on your technology.

If you’d like to learn how we can help you manage your cybersecurity risk, give us a call today!