Navigating the Cyber Sea & Tips to Protect You
Lindsey Fiske Thompson, Director of Strategy & Resources, Partner | Sally Eisenberg, Operations Associate | July 29, 2021
Cyberattacks continue to evolve in sophistication, pervasiveness, and impact. Back in 2018, our team blog scratched the surface of big data, analytics, and their implications for information sharing and data compromise. Each cyberattack, targeted or indiscriminate, has created not only serious disruption and headaches but real opportunities for professionals and individuals to keep information security front of mind in all daily activities. Changes since the 1988 Morris Worm include the rise of cyberwarfare, government espionage, corporate espionage, ransomware, and hacktivism. Breaches of email addresses and credentials at companies including Adobe, Yahoo, and Sony affected millions of people, and large-scale financial and payment card breaches hit Equifax, Target, and Mastercard. With COVID-19 came a shift to remote work and more online commerce, which only widened the attack surface of both businesses and individuals.
In 2021, the focus of cybercrime has shifted to supply chains. Security executives note that the fallout from the SolarWinds intrusion, a highly sophisticated data-exfiltration campaign disclosed in late 2020 and still being unravelled in early 2021, may take months or years to be fully understood (Gately, 2021). This breach of national security exposed vulnerabilities in global software supply chains, affecting government as well as private systems.
Got gas?
In early May 2021, the ransomware attack on Colonial Pipeline showed how a single compromised password, however complex, when not protected by multifactor authentication, could lead to the compromise of a critical infrastructure network operated by a private company. Fuel shortages at airports and filling stations, coupled with panic buying, brought rapid national attention and raised eyebrows about other critical infrastructure (water, electric grids). Russia-based criminal groups such as DarkSide aim to profit from such weaknesses, and they demand payment in cryptocurrency because it is harder to trace and easier to keep off the radar.
National Security, trust me.
In mid-May 2021, as the Colonial Pipeline attack unfolded, US President Biden made cybersecurity a priority at the federal level (White House, 2021). His Executive Order on Improving the Nation’s Cybersecurity covers removing barriers to sharing threat information, modernizing federal government cybersecurity, enhancing software supply chain security, establishing a Cyber Safety Review Board, standardizing the federal government’s playbook for cyber vulnerabilities and incident response, improving threat detection on federal networks, improving the federal government’s investigative and remediation capabilities, and national security systems. Zero trust architecture** (the model described in NIST Special Publication 800-207) serves as a fundamental pillar of the security strategy outlined in the executive order.
Where’s the Beef?
Another ransomware attack, on JBS Foods in late May and early June 2021, threatened prolonged food supply chain disruption across 100 countries. As with Colonial Pipeline, cybercriminals are preying not only on operations and wallets, but on the psyche of the nation’s individuals: our trust in economic players to protect information, resources, and infrastructure, and ultimately our safety.
3rd Party 4th of July Party
Over the July 4th weekend, the US saw how the point of compromise for businesses (and individuals!) is often the trust between a vendor (software provider) and a client (you and me). The Kaseya ransomware attack was yet another zero-day attack: the attackers exploited a newly discovered software vulnerability before the developer had released a patch. Because this attack targeted managed service providers (MSPs), it is the stuff small-business nightmares are made of. Small, mid-size, and large businesses often contract their managed services (i.e. IT, network management, etc.) to third parties, so it makes complete sense that attackers would go after this large vector: one compromised provider reaches every client it manages.
Geopolitical efforts to collaborate on defensive and proactive strategies against the growing threat landscape are constantly adapting. This whitepaper from 2020 (Ruhl et al., 2020) details global efforts and entities working toward holistic threat defenses. While some nations adopt data privacy regulations, the borderless nature of internet traffic and information sharing makes collaborative approaches especially challenging.
Understandably, when the world sees an outage that pulls down websites like FedEx, UPS, and Delta, we first think of a DDoS (distributed denial of service) attack and a bad actor behind it. In the recent Akamai Edge DNS outage, however, the company stated that the disruption was caused by one of its own software configuration updates rather than an attack, and it was resolved by rolling the update back within about an hour. Until the cause is confirmed, an outage is just an outage; not every one is an attack.
Impacts on Businesses, Families
Supply chain cyberattacks have immediate and long-term economic impacts on companies’ and individuals’ bottom lines. In general, we see a shift toward security-focused investment by businesses. That investment can carry a high up-front price tag, leading small businesses and individuals to take a calculated risk by not updating their systems and devices. Businesses sometimes purchase data-breach or cyber insurance, but it often affords just enough to cover the cost of forensics and remediation after an actual event.
Families as well as businesses are having the cyber conversation more than ever. The 2018 hack of San Diego Unified School District’s systems showed how underfunded municipal services are especially at risk. With the shift to remote learning during the pandemic, our vulnerabilities as families widen, as information sharing in public education now includes children aged 5 and up in our county. Gamers, students, moms, and dads alike have to think like businesses; likewise, businesses need to think like families. With information sharing comes great responsibility.
Navigating the Cyber Sea
Current events make it an unfortunate truth that cybercrime is an ongoing threat that continues to evolve and affect our lives. As much as we want to prevent it entirely, cybersecurity is not absolute: you are neither completely insecure nor totally secure. There is a gradient, and it pays to keep moving toward the “most secure” end of it. Below are seven tips to help you sail the cyber sea smoothly.
- Second-check before you click, and slow down before you share. It may sound a bit extreme, but trust NO ONE online by default. Phishing emails often appear to come from a legitimate organization or from someone who knows the end target (you), to entice clicks on malicious links or attachments. Hover over a link to see where it really goes before clicking, and if you are ever unsure, pick up the phone and verify the email with the sender, using a number you already have rather than one printed in the message.
- Do not reuse passwords across accounts. Using the same password for multiple accounts opens you up to a cyberattack known as credential stuffing: all an attacker needs is your login information from one poorly defended site, and suddenly they can access every other account where you use the same email and password (“Are Your Passwords,” 2020). Length is the primary strengthener of a robust password. We suggest a minimum of 10 characters, and we have found that a sentence or passphrase is a great way to create a long password you will not forget! A password manager makes unique passwords practical, since you then only have to remember one.
- Keep your software updated. Running outdated software is an open invitation for cybercriminals to exploit known flaws and gain access to your system. Software vendors regularly release updates to patch identified flaws, making them (and you) a less likely target. The easiest way to stay current is to enable automatic updates on your systems, and to reboot when an update asks you to, since many patches do not take effect until then.
- Back up your data. Perform frequent backups of your system and important files, and verify your backups regularly by actually restoring a file from them. If a ransomware infection occurs, you can restore your system to its previous state (sans ransomware) from a recent backup. Store backups on a separate device or service, such as the cloud or an external hard drive, and keep at least one copy disconnected or versioned: a backup drive that stays plugged in, or a continuously synced folder, can be encrypted by the same ransomware. Secure the backups with the utmost protection, such as MFA (#5).
  - Encrypted/protected external hard drive: these allow fast data transfers and large storage capacities. Look for one that is encrypted and requires a password or PIN to unlock.
  - Cloud: iCloud, Google Drive, and Dropbox are some of the best-known cloud-based services. Many come with limited free storage and a paid option for additional space if needed.
  - When choosing cloud storage, ask: Do they have privacy and security settings I can adjust? Do they use encryption to protect my data? Do they keep earlier versions of my files, so an encrypted copy does not silently replace the good one?
- Enable multifactor authentication (MFA) whenever it is available. MFA adds an additional layer of protection to the sign-in process and is offered for most of your sensitive logins. When accessing your data, you will be required to provide additional proof of identity beyond your password, such as scanning a fingerprint, entering a code from an authenticator app, or entering a code sent to your phone. Anything beyond a password significantly increases the work an attacker must do to reach your data, lowering the risk of being hacked at the authentication step! Authenticator apps and hardware security keys are stronger than codes sent by SMS, which can be intercepted or redirected by SIM swapping, and no legitimate support representative will ever ask you to read a code back to them.
- Insist on information security (infosec). Whenever you work with anyone who holds your personal information (SSN, date of birth, account numbers, etc.), make sure they will not misuse it or disclose it to outside parties. Be certain that these professionals can and will safeguard your personally identifiable information (PII) to the best of their ability. Take the initiative and ask what secure method(s) they use for exchanging information in both directions. Common examples include encrypted email, secure portals (Weatherly’s preferred method), or password-protected documents (with the password sent through a separate channel, never in the same email as the document).
- Upgrade your upgrade process. Your devices (laptops, tablets, cell phones) hold more information than you may think! Whether it is financial or personal, before disposing of an old device, remove your information from its storage so it does not end up in the wrong hands. Simply deleting files, or even formatting the drive, leaves the data recoverable; use the operating system’s factory reset or secure-erase function, which on modern phones and encrypted laptops works by discarding the encryption key. Before letting go of your old devices:
  - Back up your information (#4).
  - Sign out of accounts, disconnect devices, and erase your hard drive. After you have saved your personal information (cloud, external hard drive, etc.), sign out of all your online accounts and, for phones and tablets, remove the device from your Apple or Google account so its activation lock does not block the next owner. It is also best to un-pair your computer from Bluetooth devices (mouse, keyboard, wireless display, etc.). Then erase the hard drive and reset the device to factory settings.
  - Safely dispose of your device. Most devices contain hazardous materials that do not belong in a landfill. Instead, keep it green by recycling or donating your old electronics. Check out the Environmental Protection Agency’s Electronics Donation and Recycling page to learn about recycling or donating your computer.
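For tip 1 above, here is what “hover over the link and look where it really goes” amounts to when done by a program. This is an added example written for this page, not Weatherly’s code or any vendor tool; the email body and the domain bank.example are constructed for the demonstration, and the registrable-domain helper is a deliberate simplification (a real implementation would consult the Public Suffix List). It pulls every link out of an HTML message and lists the reasons each one deserves a second look: a destination outside the expected domain, an http rather than https link, a user name before an @ that hides the real host, a non-ASCII lookalike host, and visible text that shows one address while the link points somewhere else.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample message, not a real phishing email. bank.example stands in for
# the organisation the message claims to come from.
SAMPLE_EMAIL_HTML = """
<p>Your account is locked. Reset it now:
<a href="http://bank.example.com.login-verify.example/reset">https://bank.example/reset</a></p>
<p>Or visit our <a href="https://bank.example/help">help center</a>.</p>
<p><a href="https://bank.example@203.0.113.9/login">Sign in</a></p>
<p><a href="https://b\u0430nk.example/">bank.example</a></p>
"""

# Visible link text that itself looks like an address (with or without a scheme).
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplifying assumption: real code would use the
    Public Suffix List so that names such as example.co.uk are handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess_link(href: str, text: str, expected_domain: str) -> List[str]:
    """Return the reasons a link deserves a second look before clicking (empty list = none found)."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    reasons: List[str] = []
    if parts.scheme != "https":
        reasons.append(f"not https (scheme is {parts.scheme or 'missing'})")
    if parts.username is not None:
        reasons.append(f"credentials before '@' hide the real host ({host})")
    if registrable_domain(host) != expected_domain:
        reasons.append(f"destination {host!r} is not under {expected_domain}")
    if not host.isascii():
        try:
            puny = host.encode("idna").decode("ascii")
        except UnicodeError:
            puny = "?"
        reasons.append(f"host contains non-ASCII characters (lookalike? punycode {puny})")
    elif host.startswith("xn--") or ".xn--" in host:
        reasons.append("host is punycode-encoded (internationalized, possibly a lookalike)")
    if _URLISH.match(text):
        shown = urlsplit(text if "://" in text else "https://" + text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"visible text says {shown!r} but the link goes to {host!r}")
    return reasons


def assess_email(html_body: str, expected_domain: str) -> List[Tuple[str, str, List[str]]]:
    """(href, visible text, reasons) for every link in the message."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, text, assess_link(href, text, expected_domain)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in assess_email(SAMPLE_EMAIL_HTML, "bank.example"):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print(f"    ! {reason}")
```

Only the “help center” link comes back clean; the other three each carry at least two warnings. None of these checks proves a link is safe, which is why the tip ends with a phone call to a number you already trust.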
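Tip 4 above says to verify your backups regularly. One concrete way to do that, as an added example for this page rather than anything from Weatherly or a backup product, is to record a SHA-256 fingerprint of every file at backup time and later compare the backup copy against that record. The document tree, the backup drive and the simulated ransomware damage below are all constructed inside a temporary directory so the script runs offline; a modified fingerprint with the file name unchanged is exactly what a backup that stayed mounted during an infection looks like.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root, POSIX separators) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_backup(manifest: Dict[str, str], backup_root: Path) -> Dict[str, List[str]]:
    """Compare a backup copy against the manifest recorded when the backup was taken.
    'modified' is the tell-tale of ransomware: same file names, different contents."""
    found = build_manifest(backup_root)
    return {
        "missing": sorted(name for name in manifest if name not in found),
        "modified": sorted(name for name, h in manifest.items() if name in found and found[name] != h),
        "extra": sorted(name for name in found if name not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through: back up a tiny document tree, then simulate what a
    ransomware infection does to a backup drive that stayed plugged in, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        documents = Path(tmp, "documents")
        (documents / "photos").mkdir(parents=True)
        (documents / "taxes-2020.txt").write_text("constructed sample return\n")
        (documents / "photos" / "beach.jpg").write_bytes(b"\xff\xd8\xff constructed jpeg bytes")

        # Record the manifest at backup time and keep it apart from the backup media
        # (printed out, or on a second device), so an attacker cannot rewrite it too.
        manifest_record = json.dumps(build_manifest(documents), indent=2, sort_keys=True)

        backup = Path(tmp, "backup-drive", "documents")
        shutil.copytree(documents, backup)
        clean = verify_backup(json.loads(manifest_record), backup)
        assert clean == {"missing": [], "modified": [], "extra": []}

        # Simulated infection of the still-mounted backup drive
        (backup / "taxes-2020.txt").write_bytes(b"\x00\x11 encrypted blob \x22\x33")
        (backup / "photos" / "beach.jpg").unlink()
        (backup / "RESTORE_FILES.txt").write_text("constructed ransom note\n")
        return verify_backup(json.loads(manifest_record), backup)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same two functions work on a real backup: run build_manifest against your documents folder when you make the backup, store the JSON somewhere the backup drive cannot reach, and run verify_backup against the drive before you rely on it.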
When it comes to cybercrime, the most harmful thought you can have is, “it won’t happen to me.” Cybercriminals don’t discriminate, so in a way, fighting cybercrime is everybody’s responsibility. At Weatherly we consider it our obligation not only to uphold our own best practices, but to be a resource for those joining the fight against cybercrime. Please do not hesitate to reach out to our team with any questions.
Sources:
Gately, E. (2021, July). Kaseya VSA Ransomware Attack, SolarWinds Hack Share Many Similarities. Channel Futures, Security. Retrieved from https://www.channelfutures.com/security/kaseya-vsa-ransomware-attack-solarwinds-hack-share-many-similarities
Ruhl, C. et al. (2020, February). Cyberspace and Geopolitics: Assessing Global Cybersecurity Norm Processes at a Crossroads. Carnegie Endowment for International Peace. Retrieved from https://carnegieendowment.org/files/Cyberspace_and_Geopolitics.pdf
The White House (2021, May 12). Executive Order on Improving the Nation’s Cybersecurity. Briefing Room, Presidential Actions. Retrieved from https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Are Your Passwords Putting You at Risk for a Cyber Attack? (2020). Retrieved from https://www.atsg.net/blog/passwords-risk-cyber-attack/
Vocab/Acronyms
CIS – Center for Internet Security
APT – Advanced persistent threat
DDoS – Distributed denial of service attack
IOC – Indicators of compromise
RAT – remote access trojan
MFA – Multi Factor Authentication
PII (Personally identifiable information) – defined as any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means
**Zero Trust Architecture
A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture gives users access only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever