Seven Cyberactions for States

With nuclear site hackings, ransomware and wiper attacks, along with other cyberstories from 2017 like the ongoing attacks against the power grid, there are definitely some wider messages for all organizations regarding needed protective actions. What lessons can the public and private sectors learn from recent events in order to prepare for the future? Most experts believe that the worst is yet to come in cyberspace, so after providing a brief recap of the top stories, I want to focus on seven actions that state and local governments need to be addressing right now.

1) Back to Basics — The government reports on recent cyberattacks described hackers writing targeted email messages containing fake resumes for control engineering jobs and sending them to senior industrial control engineers. The fake resumes were Microsoft Word documents laced with malicious code to steal credentials and gain access. The hackers also compromised legitimate websites that they knew their victims frequented and planted malware on them — a so-called watering hole attack. In other cases, they deployed what are known as man-in-the-middle attacks, redirecting their victims’ Internet traffic through their own machines. For many organizations, security needs to get back to the basics of “security blocking and tackling,” and that includes taking even traditional cyberthreats seriously: attacks that have been occurring for many years.

2) Do Your Homework — After understanding what threats are at work in high-profile online attacks like WannaCry and NotPetya, we should ask ourselves: what network alerting tools do we have to tell us about ongoing attacks? What cybermetrics are we compiling? Do we have a dashboard? Also, do we have contacts with law enforcement and with the Information Sharing & Analysis Centers (ISACs) in our industry?

3) Re-examine Whether Critical Infrastructure Is Protected — Many of the recent attacks are specifically going after critical infrastructure. Do we know what data is most critical? Are we working with private-sector partners in these areas? Many industrial control systems are vulnerable to targeted cyberattacks and cyberespionage campaigns. Because these systems were not designed with security in mind, they are largely unequipped to deal with such attacks. The first step we need to take is to review one of the available ICS cybersecurity frameworks, e.g. the ‘NIST Guide to Industrial Control Systems (ICS) Security’ or the ‘CPNI — Security for Industrial Control Systems Framework,’ to better understand the challenges, requirements and responsibilities with regard to governance, risk, managing the ICS life cycle, education and skills, etc.

4) Cyber Assessments and Audits — One good place to start is with current audit findings and known security vulnerabilities, especially in areas such as patching known cybervulnerabilities in critical systems. Instead of fighting the auditors to win points, focus on the National Institute of Standards and Technology (NIST) Cybersecurity Framework to make your case. The framework includes five core functions: identify, protect, detect, respond and recover.

5) Partnerships — The theme of partnerships, especially in gaining actionable threat intelligence, is a constant one, but it has never been more important than now, with foreign nation-state attacks and the need for help rising globally. One of the new priorities in 2017 is addressing vulnerabilities in voting machines and registration databases. We should ask: who are our partners in the public and private sectors? Have we practiced responding to incidents together in cybertabletop exercises? Who can we rely on in federal, state and local governments — including law enforcement? What vendors do we rely on?

6) Prepare for Ransomware — or Not? — Addressing ransomware needs to be a priority, and the same cyberdefense tactics that are general best practices can help against ransomware. These actions include ensuring that backups are performed and tested and that other good cyberhygiene is applied enterprisewide. You should ask: What is our incident management plan? Are we ready for ongoing attacks, with clear levels of response? Also, examine your current plans for cyberpriorities and potential federal funding.

7) Cybertraining — Health IT News highlighted the importance of end-user training again this week. New attacks keep popping up that use legacy apps. One of these exploits PowerShell or .LNK files to run malicious code and serve up ransomware, including Locky. Then there’s the newfound threat inherent to PowerPoint, which may run malicious code merely when one hovers over a malicious URL with the mouse pointer. End users may not be thinking about background checks for detecting insider threats during the hiring process, or even about checking for resumes that are infected with malware. However, updated training can help in these related areas. Keep in mind that phishing and other social media attacks are evolving, so improved end-user awareness training is a quick win — like in Missouri.

Amid all of these ongoing cyberheadaches, I never cease to be amazed by companies and governments that still say, “It won’t happen to us,” or “We’re all set, we have a cyberprogram.” Yes, there have been many calls to government action on cybersecurity over the past decade, but the first half of 2017 shows that those calls were definitely needed. We all need to walk away saying that it is time to act now on cyber, whatever our role.

The Encryption Debate

A seminal 2015 paper argues that if you leave a key under the doormat, a burglar eventually finds it. When law enforcement argues that it needs a “backdoor” into encryption services, we need to ask whether we should entrust a key to someone who gets robbed, perhaps frequently.

In March, WikiLeaks released nearly 9,000 documents exposing the CIA’s hacking arsenal. More so-called Vault 7 secrets trickled out as recently as this week. And then there’s the mysterious group or individual known as the Shadow Brokers, which began sharing purported NSA secrets last fall. April 14 marked its biggest drop yet, a suite of hacking tools that target Windows PCs and servers to devastating effect.

The fallout from the Shadow Brokers has proven more concrete than that of Vault 7; one of its leaked exploits, EternalBlue, facilitated last month’s WannaCry ransomware meltdown. A few weeks later, EternalBlue and two other pilfered NSA tools helped advance the spread of Petya, a ransomware outbreak that looks more and more like an act of cyberwar against Ukraine.

“If a hacker were to compromise a significant encryption platform, we could see something much worse than the WannaCry ransomware attack,” says Mitnick. WannaCry froze up hundreds of thousands of computers; WhatsApp, which uses Open Whisper Systems’ Signal Protocol, has well over a billion users with default, end-to-end encrypted chat. The implications come into even sharper relief when you consider countries where access to encrypted chat provides the best defense against oppressive regimes.

More information: https://www.wired.com/story/encryption-backdoors-shadow-brokers-vault-7-wannacry/