Nuclear site hackings, ransomware and wiper attacks, along with other cyberstories from 2017 such as the ongoing attacks against the power grid, carry some wider messages for all organizations regarding needed protective actions. What lessons can the public and private sectors learn from recent events, and how can they prepare for the future? Most experts believe that the worst is yet to come in cyberspace, so after providing a brief recap of top stories, I want to focus on seven actions that state and local governments need to be addressing right now.
1) Back to Basics — The government reports on recent cyberattacks described hackers writing targeted email messages containing fake resumes for control engineering jobs and sending them to senior industrial control engineers. The fake resumes were Microsoft Word documents laced with malicious code to steal credentials and gain access. The hackers also compromised legitimate websites that they knew their victims frequented and planted malware there — a watering hole attack. In other cases, they deployed what are known as man-in-the-middle attacks, in which they redirected their victims’ Internet traffic through their own machines. For many organizations, security needs to get back to the basics of “security blocking and tackling,” and that includes defending against traditional cyberthreats, the attacks that have been occurring for many years.
2) Do Your Homework — After understanding what threats are at work in high-profile online attacks like WannaCry and NotPetya, we should ask ourselves: What network alert tools do we have to tell us about ongoing attacks? What cybermetrics are we compiling? Do we have a dashboard? Also, do we have contacts with law enforcement and the Information Sharing & Analysis Centers (ISACs) in our industry?
3) Re-examine Whether Critical Infrastructure Is Protected — Many of the recent attacks are specifically going after critical infrastructure. Do we know what data is most critical? Are we working with private-sector partners in these areas? Many industrial control systems are vulnerable to targeted cyberattacks and cyberespionage campaigns, and because these systems were not designed with security in mind, they are largely unequipped to deal with such attacks. The first step is to review one of the available ICS cybersecurity frameworks, e.g., the ‘NIST Guide to Industrial Control Systems (ICS) Security’ or the ‘CPNI — Security for Industrial Control Systems Framework,’ to better understand the challenges, requirements and responsibilities with regard to governance, risk, managing the ICS life cycle, education and skills, etc.
4) Cyber Assessments and Audits — One good place to start is with current audit findings and known security vulnerabilities, especially in areas such as patching known cybervulnerabilities in critical systems. Instead of fighting the auditors to win points, focus on the National Institute of Standards and Technology (NIST) Cybersecurity Framework to make your case. The framework includes five core functions: identify, protect, detect, respond and recover.
5) Partnerships — Partnerships, especially for gaining actionable threat intelligence, are a constant theme, but they have never been more important than now, with foreign nation-state attacks and the need for help rising globally. One of the new priorities in 2017 is addressing vulnerabilities in voting machines and registration databases. We should ask: Who are our partners in the public and private sectors? Have we practiced responding to incidents together in cybertabletops? Who can we rely on in federal, state and local governments — including law enforcement? What vendors do we rely on?
6) Prepare for Ransomware or Not? — Addressing ransomware needs to be a priority, and the same cyberdefense tactics that are general best practices can help with ransomware. These actions include ensuring that backups are performed and tested, and that other good cyberhygiene is applied enterprisewide. You should ask: What is your incident management plan? Are you ready for ongoing attacks, with clear levels of response? Also, examine your current plans for cyberpriorities and potential federal funding.
7) Cybertraining — Health IT News highlighted the importance of end-user training again this week. New attacks keep popping up that use legacy apps. One of these exploits PowerShell or .LNK files to run malicious code and serve up ransomware, including Locky. Then there’s the newfound threat in PowerPoint that may run malicious code merely by hovering over a malicious URL with one’s mouse pointer. End users may not be thinking about background checks for detecting insider threats during the hiring process, or even about checking for resumes that are infected with malware, but updated training can help in these related areas. Keep in mind that phishing and other social media attacks are evolving, so improved end-user awareness training is a quick win — like in Missouri.
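Items 1 and 7 both come back to the same defensive question: can we spot a “resume” that is really a macro-laced Word document, or a .LNK file that launches PowerShell, before an end user opens it? The following is an added example written for this post, not code from the original article or from any vendor it mentions. It triages attachments by file content rather than by file name: it flags OOXML documents that contain a `vbaProject.bin` member (the macro container), treats legacy OLE2 binaries as macro-capable, and recognizes Windows Shell Link (.LNK) files by their header and looks inside them for script-host tokens in ASCII or UTF-16LE. The sample attachments, the finding strings, and the helper names (`triage_attachment`, `build_sample_docx`, `build_sample_lnk`) are all constructed for this example; the .LNK fixture carries a real header signature but is otherwise a stand-in, and the encoded-command argument is a placeholder, not a working payload.

```python
"""Content-based attachment triage (added example, not from the original post).

Assumptions: attachments are available as bytes; the rules below are
illustrative heuristics for a mail-gateway or SOC script, not a replacement
for a sandbox or EDR. All sample files are constructed inline.
"""
import io
import os
import zipfile

# OOXML zip members whose presence means the document carries VBA macros.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# OLE2 compound-file magic (legacy .doc/.xls/.ppt); these can embed macros too.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# Tokens that, in a link's target or arguments, indicate a script host is launched.
SCRIPT_HOST_TOKENS = ("powershell", "-encodedcommand", "-enc ", "cmd.exe /c", "mshta", "wscript", "cscript")

FINDING_MACRO = "macro-capable Office document"
FINDING_LNK = "shell link (.LNK) content"
FINDING_LNK_MISMATCH = "extension does not match LNK content"
FINDING_LNK_SCRIPT = "LNK invokes a script host"


def office_has_macros(data: bytes) -> bool:
    """True for a macro-enabled OOXML file or a legacy OLE2 binary document."""
    if data.startswith(OLE_MAGIC):
        return True  # legacy binary format: treat as macro-capable and sandbox it
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(member in names for member in MACRO_MEMBERS)


def lnk_invokes_script_host(data: bytes) -> bool:
    """Look for script-host tokens in ASCII or UTF-16LE anywhere in a .LNK.

    LNK string data is normally UTF-16LE, so each token is matched in both
    encodings. bytes.lower() only touches ASCII bytes, which keeps the
    interleaved NUL bytes of UTF-16LE intact.
    """
    lowered = data.lower()
    return any(
        token.encode("ascii") in lowered or token.encode("utf-16le") in lowered
        for token in SCRIPT_HOST_TOKENS
    )


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the list of findings for one attachment (empty list = nothing flagged)."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(LNK_MAGIC):
        findings.append(FINDING_LNK)
        if ext != ".lnk":
            findings.append(FINDING_LNK_MISMATCH)  # a link hiding behind another name
        if lnk_invokes_script_host(data):
            findings.append(FINDING_LNK_SCRIPT)
    elif office_has_macros(data):
        findings.append(FINDING_MACRO)
    return findings


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed OOXML stand-in: a zip holding only the members this check cares about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed .LNK stand-in: genuine header signature, then UTF-16LE argument text."""
    header = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    return header + arguments.encode("utf-16le")


# Constructed sample mailbox: the "fake resume" lure in a few of its possible forms.
SAMPLE_ATTACHMENTS = {
    "resume.docm": build_sample_docx(with_macros=True),
    "resume.docx": build_sample_docx(with_macros=False),
    "resume.pdf.lnk": build_sample_lnk("powershell.exe -EncodedCommand PLACEHOLDER"),
    "notes.txt": b"plain text, nothing to see here",
}


def triage_all(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Run the triage over a mapping of filename -> bytes and return findings per file."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

The point of checking content instead of extension is that the double-extension trick (`resume.pdf.lnk`) and a macro document renamed to `.docx` both fall to the same few bytes of header and zip-member inspection; files that are flagged go to a sandbox or are held for review, which is the operational counterpart of the awareness training the item recommends.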
Amid all of these ongoing cyberheadaches, I never cease to be amazed by companies and governments that still say, “It won’t happen to us,” or “We’re all set, we have a cyberprogram.” Yes, there have been many calls to government action on cybersecurity over the past decade, but the first half of 2017 shows that those calls were definitely needed. We all need to walk away saying that it is time to act now on cyber, whatever our role.