By Heather L. Meadows
It is a common misconception that cyberattacks are instant, that if you have been attacked, it happened in that moment. It is violating enough to imagine someone breaking into your home, but I want you to imagine it. This time the criminal is not in your home for seconds, minutes, or hours. This time the criminal is in your home for days, weeks, or months, stealing what is yours, stealing what is your family’s, stealing what your friends and neighbors left behind and trusted you with, items for which you feel responsible. These criminals are in your home accumulating all the belongings they can, and the only way you find out they have been in your home is because they have now locked you out. They have not only locked you out, but they are forcing you to pay to get back in. This is the reality of many cybercrimes today.
Cybercrime is on the rise. The FBI Cyber Division has seen a 400 percent increase in complaints since Covid-19 began. There are numerous reasons for the increase, but most of them involve cyber criminals capitalizing on our human nature and the additional stress Covid-19 has placed on us. We want things fast. We want things easy. Good grief, we just want to remember what our password is! Colonial Pipeline’s attack this past summer is an excellent example of cyber criminals capitalizing on just that – our human nature and the cyber security pain points on which this pandemic has put additional pressure. The world has been forced even further into the digital age, and that requires organizations to reflect on whether they have taken the actions needed to protect themselves.
Cybercrime: Colonial Pipeline
It was 5:00 a.m. on May 7, 2021 when a ransom note demanding cryptocurrency appeared on a control room computer at Colonial Pipeline. It was immediately reported to the operations supervisor, and the company prepared for the next critical steps. By 6:10 a.m. that morning, just one hour and 10 minutes after this discovery, the entire pipeline was shut down. In its nearly 60-year history, Colonial Pipeline had never shut down the entirety of its gasoline pipeline. While steps to mitigate the attack were being taken after the fact, what that supervisor and Colonial Pipeline did not know at the time was that the criminals had been in the system for more than a month. The criminals got access to Colonial Pipeline’s network on April 29, 2021, and they had done so with a single compromised password for an inactive remote employee’s account. That’s right – the largest fuel pipeline in America, the one that caused fuel shortages throughout the East Coast, was shut down due to one compromised password.
The account the attackers accessed with that single compromised password was a remote network account, one that should have been disabled before the attack because the employee was no longer with the company. Consider what policies and procedures you have in place for when an employee leaves, especially for deactivating and monitoring their accounts on your network. Overlooking such simple security policies cost Colonial Pipeline millions of dollars.
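The offboarding check described above can be run as a routine job against a directory export. The following is an added example, not code from Colonial Pipeline or from any directory product: the Account fields, the sample records, the run date and the 90-day dormancy threshold are assumptions standing in for a real export (for instance from Active Directory) and the organization’s own policy. It flags every enabled account whose owner has left or that has gone unused, and separately lists the ones that can reach the network from outside, since those are the ones a leaked password turns into a way in.

```python
"""Offboarding and dormant-account check over a constructed directory export.

Added example, not Colonial Pipeline's code or any vendor's.  The Account
fields, sample records, run date and 90-day threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DORMANT_AFTER_DAYS = 90          # assumed policy: no logon for 90 days means "dormant"
SAMPLE_RUN_DATE = date(2021, 5, 7)  # constructed "today" for the sample data


@dataclass
class Account:
    username: str
    enabled: bool
    remote_access: bool               # can the account reach the network from outside?
    last_logon: Optional[date]        # None means the account has never logged on
    termination_date: Optional[date]  # set by HR when the employee leaves, else None


# Constructed sample export; every name and date here is made up.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("a.current", True, True, date(2021, 5, 6), None),
    Account("b.departed", True, True, date(2021, 1, 15), date(2021, 2, 1)),   # left, still enabled
    Account("c.dormant", True, True, date(2020, 11, 2), None),                # no logon for months
    Account("d.disabled", False, True, date(2020, 3, 3), date(2020, 3, 31)),  # already disabled
    Account("e.neverused", True, False, None, None),                          # provisioned, never used
]


def accounts_to_disable(accounts: List[Account], today: date,
                        dormant_after: int = DORMANT_AFTER_DAYS) -> List[Tuple[str, str]]:
    """Return (username, reason) for each enabled account that should be disabled.

    Two rules: the employee has left (termination_date on or before today), or the
    account has not been used within the dormancy window.  Departure is reported
    first when both apply, because it is the more urgent finding.
    """
    cutoff = today - timedelta(days=dormant_after)
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing to do
        if acct.termination_date is not None and acct.termination_date <= today:
            findings.append((acct.username, "employee departed on %s" % acct.termination_date))
        elif acct.last_logon is None or acct.last_logon < cutoff:
            findings.append((acct.username, "no logon in the last %d days" % dormant_after))
    return findings


def remote_access_exposure(accounts: List[Account], today: date,
                           dormant_after: int = DORMANT_AFTER_DAYS) -> List[str]:
    """Usernames from accounts_to_disable() that can also reach the network remotely.

    These are the highest-priority findings: a leaked password for any of them is
    enough to get in from outside, which is exactly the Colonial Pipeline scenario.
    """
    flagged = {name for name, _ in accounts_to_disable(accounts, today, dormant_after)}
    return sorted(a.username for a in accounts if a.username in flagged and a.remote_access)


if __name__ == "__main__":
    for name, reason in accounts_to_disable(SAMPLE_ACCOUNTS, SAMPLE_RUN_DATE):
        print("DISABLE %-12s %s" % (name, reason))
    print("remote-access exposure:", remote_access_exposure(SAMPLE_ACCOUNTS, SAMPLE_RUN_DATE))
```

The departure rule only works if HR’s termination date actually reaches the directory, which is why the dormancy rule is kept as a second, independent net: it catches the accounts nobody remembered to report.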
Security Solutions Should Be Proactive
Luckily, there are steps companies can take to be more proactive in their security posture, steps that even small companies can employ now to close gaps in their current networks. As most sports fans know, a good defense can be the best offense. Taking proactive measures now can save your company significantly in risk, frequency, and severity. Fighting the battle after the fact can have a critical impact on your company’s finances and reputation. While nothing is foolproof, we now live in an age of not if but when you are cyberattacked. The goal should be to be as proactive as possible in planning for an attack.
One of the biggest errors in Colonial Pipeline’s IT security, beyond not deactivating the unused employee account, was the lack of two-factor authentication on their accounts. Two-factor authentication works by adding an additional layer of security to your accounts, whether that is your email, financial, vendor, or social media accounts. Two-factor authentication requires additional login credentials beyond just the username and password to gain account access. Getting that second credential requires access to another device (most commonly a cell phone) or another account (such as a different email account). If two-factor authentication had been employed at Colonial Pipeline, it would have made it almost impossible for the cyber criminals to gain access that day because they would have needed access to the additional device or account. It is also important to note that most cyber security insurance policies now require two-factor authentication to be implemented on your network.
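To make the mechanism concrete, here is an added example of a login check that requires both the password and a time-based one-time code of the kind an authenticator app on a phone produces. It is not Colonial Pipeline’s code or any vendor’s product. The code arithmetic follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits); the user-record layout, the PBKDF2 parameters and the sample username and password are assumptions, and the sample secret is the published RFC 6238 test key so the generated codes can be checked against the RFC’s own values.

```python
"""Login that requires a password plus a time-based one-time code (TOTP).

Added example, not Colonial Pipeline's code or a vendor's.  TOTP per RFC 6238;
user record layout, PBKDF2 settings and sample credentials are assumptions.
"""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30
DIGITS = 6
PBKDF2_ROUNDS = 200_000
RFC6238_TEST_SECRET = b"12345678901234567890"  # the RFC's published test key, used as sample data


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, candidate: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift).

    Every candidate step is compared in constant time and none short-circuits, so a
    wrong code does not leak how close it was.
    """
    counter = int(at_time) // STEP_SECONDS
    matched = False
    for drift in range(-window, window + 1):
        matched |= hmac.compare_digest(hotp(secret, counter + drift), candidate)
    return matched


def make_user(username: str, password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the enrolled TOTP secret."""
    salt = secrets.token_bytes(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }


def login(user: dict, password: str, code: str, at_time: int) -> bool:
    """Both factors are always evaluated; a correct password alone is not enough."""
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(attempt, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    import time
    user = make_user("remote.user", "Leaked-Pa55word", RFC6238_TEST_SECRET)
    now = int(time.time())
    print("leaked password alone:", login(user, "Leaked-Pa55word", "000000", now))
    print("password plus phone code:", login(user, "Leaked-Pa55word", totp(RFC6238_TEST_SECRET, now), now))
```

The point of the example is the last two lines: with the password known but the phone absent, the login fails, which is the situation the article says would have stopped the Colonial Pipeline intrusion. In a real deployment the secret is generated per user at enrollment (never a published test key) and stored with the same care as the password hash.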
Dark Web Monitoring
Another preventative measure Colonial Pipeline should have taken is dark web monitoring. Dark web monitoring is the process of searching for and keeping track of personal information that has been leaked or put up for sale on illegal online marketplaces. In the wake of the Colonial Pipeline attack, it was discovered that the former employee whose account was attacked had their information exposed on the dark web. This is all too common; it is estimated that compromised passwords are responsible for 81 percent of hacking-related breaches, with 48 percent of workers using the same passwords for dozens of their personal and work accounts.
The dark web is most likely how Colonial Pipeline’s former employee’s credentials were obtained. While no company can 100 percent guarantee the ability to monitor the dark web, this is a great tool to strengthen your company’s security posture and receive notifications if you or someone at your company has had their credentials shared on the dark web. Think of this invaluable service as your canary in a coal mine, letting you know there is trouble ahead and that it is time to take proper steps to protect your company.
Password Best Practices
Password complexity, policy, and education are also vitally important. Employees often use the same passwords for multiple accounts, and it is important to be aware of the dangers in doing so. Enforcing password standards within your network through Active Directory can also save you in the long run. Active Directory, commonly referred to as AD, is a database and set of services that connect users with the network resources they need to do their job. The directory contains critical information about the work environment: which users and computers there are, and who is allowed to do what. It also allows network administrators to set rules about complexity, length, and expiration for user passwords. While no one likes having to remember a new password, it is important that simple policies like these are applied across the entire company. As evidenced by Colonial Pipeline, a single unprotected password was all that was needed to shut down the whole company.
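The rules a directory enforces centrally are straightforward to state in code, and doing so shows what each one actually catches. This is an added example, not Active Directory’s code or a vendor tool: the policy values, the small breached-password list, the sample usernames and passwords and the sample dates are assumptions chosen to illustrate the checks; a real deployment takes the values from the domain password policy and a breach feed. It goes slightly beyond the paragraph by also rejecting passwords that contain the username or appear in a known breach list, which is the reuse problem the article describes.

```python
"""Password policy checks of the kind a directory can enforce centrally.

Added example, not Active Directory's code or a vendor tool.  Policy values,
the breached list and all sample inputs are assumptions.
"""
import string
from datetime import date, timedelta
from typing import Dict, List, Set

# Assumed policy values (a real domain sets these in its password policy).
POLICY: Dict[str, int] = {
    "min_length": 14,    # length does more work than cleverness
    "min_classes": 3,    # out of: uppercase, lowercase, digit, punctuation
    "max_age_days": 90,  # expiration, as the AD description above allows
}

# Constructed stand-in for a breached-credential feed; entries are lower-case.
BREACHED_SAMPLE: Set[str] = {"password123", "welcome1", "summer2021", "colonial2021"}

# Constructed dates for the expiration check.
SAMPLE_LAST_SET = date(2021, 1, 1)
SAMPLE_TODAY = date(2021, 5, 7)

CLASS_TESTS = (
    ("uppercase", str.isupper),
    ("lowercase", str.islower),
    ("digit", str.isdigit),
    ("punctuation", lambda c: c in string.punctuation),
)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum(1 for _, test in CLASS_TESTS if any(test(c) for c in password))


def check_password(password: str, username: str,
                   policy: Dict[str, int] = POLICY,
                   breached: Set[str] = BREACHED_SAMPLE) -> List[str]:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("shorter than %d characters" % policy["min_length"])
    if character_classes(password) < policy["min_classes"]:
        problems.append("uses fewer than %d character classes" % policy["min_classes"])
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in breached:
        problems.append("appears in a known breach list")
    return problems


def password_expired(last_set: date, today: date, policy: Dict[str, int] = POLICY) -> bool:
    """True when the password is older than the policy's maximum age."""
    return today - last_set > timedelta(days=policy["max_age_days"])


if __name__ == "__main__":
    for user, pw in (("jsmith", "password123"),
                     ("jsmith", "Jsmith-Welcome2021!"),
                     ("jsmith", "Correct-Horse-Battery-9")):
        print("%-25s %s" % (pw, check_password(pw, user) or ["ok"]))
    print("expired since %s:" % SAMPLE_LAST_SET, password_expired(SAMPLE_LAST_SET, SAMPLE_TODAY))
```

The breach-list check is the one that addresses the article’s 81 percent figure directly: a password can satisfy every complexity rule and still be the one already circulating from someone’s personal account.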
Social Media Vigilance
Security Awareness Training
It is also important to note that phishing attacks can occur over various mediums (email, text, social media, etc.) and that these criminals do not hesitate to impersonate people or brands in doing so. The most impersonated brands today are Microsoft, Netflix, Facebook, FedEx, and Google, brands everyone uses. Therefore, proactive training is another requirement being added to cyber security insurance policies. It is directly related to the fact that 91 percent of the breaches today are facilitated via well-meaning employees just trying to do their jobs. Knowledge and education are the foremost tools in the frontline defense, and we need to be more cognizant of the information we are giving away freely.
I have seen firsthand how proactive training has saved companies and employees from falling victim to phishing campaigns. Phishing attacks are the most common method that cybercriminals use to gain access to an organization’s network. Phishing is the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers. Scammers take advantage of human nature to trick their target into falling for the scam by offering some incentive (free stuff, a business opportunity, threats, etc.) or creating a sense of urgency or fear. Some key steps in avoiding becoming prey are:
- Do not trust unsolicited emails.
- Do not send any funds to people who request them by email, especially not before checking with leadership.
- Do not click on unknown links in email messages – If the email has a link, stop and think!
- Configure your email client properly.
- Install firewalls, and keep them up to date.
- Beware of email attachments. Verify any unsolicited attachment with the alleged sender (via phone or another medium) before opening it.
Prior to being ransomed for $4.4 million, Colonial Pipeline had been looking to assess their risk. A risk assessment is an excellent resource for verifying your security posture, and one that, had they completed it sooner, would have cost them significantly less than their ransom. Risk assessments should be done regularly and proactively. Most risk assessments will give you prioritized steps and outlines to better protect your company and remediate risk. A good risk assessment should include the following:
- Assets – Data Type, Critical Components, and Impact
- Vulnerabilities – Third-Party Access, Likelihood of Exploit, Attack Vectors
- Remediation – In-Place Controls and Governance
- Risk Levels – Calculated Exposure, Current State, and Future State
IT Governance Policies
While it has become unavoidable, working from home can prove to be a risk to the company network. Keeping good policies and governance for such work is critical. Here are some things to keep in mind when considering guidelines:
- Remote workers must have up-to-date company-mandated security solutions on cell phones, tablets, and laptops.
- Work devices are only for the authorized user and for authorized uses. This means family use and unrelated work cannot be done on company-provided devices.
- Remote workers should have strong security on their home networks and/or use a VPN (Virtual Private Network).
- If using video-teleconferencing, you should use a platform that ensures meetings are private, either with passwords or controlling access from a waiting room. The platform should also provide end-to-end encryption.
- Consider having the ability to remotely wipe devices in case they are lost or stolen. Mobile device management platforms can perform most or all of these services, allowing remote workers to continue to use their own devices while ensuring the safety of company data.
Additional measures to take to layer your defense against attacks include:
- Anti-virus – Designed to detect and destroy computer viruses
- Anti-malware – A type of software program created to protect information technology systems and individual computers from malicious software, known as malware. Anti-malware programs scan a computer system to prevent, detect, and remove malware.
- Spam Filtering – Detects unsolicited, unwanted, and virus-infected email, and stops it from getting into email inboxes
- DNS Filtering – Blocking access to certain sites for a specific purpose, often content-based filtering
- Backing Up Data – Making a copy of computer data taken and stored elsewhere so that it may be used to restore the original
We now live in a world where the threat of cyber war is ever-present and a world that contains overseas businesses dedicated to perpetrating cybercrimes. These businesses have developed Ransomware as a Service, which is now a viable option to criminals that do not even have the technical savvy to infiltrate a company’s network on their own. Ransomware as a Service is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Hackers develop these products and then split the profits of the ransom with the laymen executing these attacks. These laymen do not need to know how to write a single line of code in these pre-packaged solutions and can encrypt some networks in as little as five minutes.
Ransomware as a Service is an adaptation of the Software as a Service (SaaS) business model. Cybercrime has become a very profitable business. The development of Ransomware as a Service has created an explosion in the exploitation of personal and business networks, and some overseas countries have become safe havens for cybercrime. These crimes have become so pervasive and underhanded that even if you back up your data and have a good recovery plan in place, these criminals threaten to leak it unless you pay. This leaves you very little option but to comply when attacked. Taking even the smallest steps, such as two-factor authentication or proactively training your staff on the dangers of cybercrime, can save you from financial and reputational ruin.