Guest Blog: Simple Solutions for a Complex Threat

December 17, 2020

By Scott Algeier, IT-ISAC Executive Director

The IT-ISAC is happy to support National Cyber Security Awareness Month once again. For more than 15 years, National Cybersecurity Awareness Month (and before that, National Cybersecurity Awareness Week), has encouraged end users to take appropriate steps to secure their devices. Thanks to this consistent messaging, people have become more aware of basic cyber hygiene practices, even if these practices are not always implemented.

Much has changed during this time. The cyber threat is more complex and severe than ever. The risks to organizations of all sizes, and home users, has never been greater. One way to motivate people to action is to help them understand the gravity of the threat. In that spirit, as we close out the month, we want to bring more awareness to the cyber threat and by doing so enable users to be ‘cyber smart.’

Threat Landscape

Today’s threat landscape is shaped, in part, by the following:

Cyberattacks are cheap and have devastating consequences.

The economics of cybersecurity favor the bad guys. The amount of time and money it takes for an attacker to hack a network is vastly less than what it takes to defend a network or recover from an attack. For example, according to this Cisco report, 43 percent of midmarket organizations and 57 percent of enterprise organizations spend $250,000 to $999,999 on security. 50 percent of large enterprises (10,000+ employees) spend $1 million or more on security. In total, it is estimated the private sector alone spent more than $103 billion on cybersecurity in 2019. Granted, these numbers are estimates and hard to quantify. But the fact is defending against attacks is expensive.

Additionally, the “cost-benefit” analysis for the attacker heavily favors the “benefit.” In most attacks, the attackers do not face consequences for their actions. Despite the best attempts of law enforcement, identifying, charging, and prosecuting attackers is difficult. For example, the U.S. recently indicted six officers from Russian intelligence for a series of cyberattacks dating to 2015. Among the attacks they are accused of launching is the Not Petya Ransomware attack, which has been described as the most destructive ever, infecting over 200,000 computers across the globe. While this indictment is important and demonstrates impressive work by our law enforcement and intelligence services, there is little likelihood that these individuals will ever be handed over to U.S. officials for prosecution.

It is not just corporate information at risk. Unfortunately, your individual information is also valuable for attackers. The tools needed to launch an attack to gain your information are relatively cheap. According to Top10VPN, it only costs a cybercriminal just under $1200 to compromise your entire online identity. Hackers then sell access to your individual compromised accounts to others. The more accounts you have, the more the attacker makes. Top10VPN details this underground economy effectively in this graphic.

COVID-19 caused a mass transition to remote work, impacting the cyber threat.

We are more than seven months into the new COVID-19 “work from home” reality. As we continue to navigate these unparalleled times, cybersecurity professionals are grappling with new security challenges. To ensure business continuity, organizations have been forced to implement and deploy new technologies, with limited planning and end user training. The rapid, unplanned integration of work and home environments vastly expanded the attack surface.

The pandemic has pushed employees from corporate networks to less secure home networks. Employees’ home devices–including personal devices, school computers, and home routers, are now potential gateways into corporate networks. As a result, network administrators and IT teams have decreased network visibility. One result of this migration are increased attacks on cloud infrastructure and credentials associated with them.

While it is unclear how permanent work from home policies will become, securing devices at home and in the office will remain a high priority for the foreseeable future. Global Workplace Analytics predicts that the longer people are required to work from home, the more likely it is that they will adopt this practice for the long-term. They estimate that 25-30% of the workforce will be working-from-home multiple days a week by the end of 2021.”With this in mind, it is crucial to take every precaution to secure devices in the office and out.

Technology has evolved, and the bad guys have become more skillful.

In the same way that a car mechanic shares tips with co-workers in the shop, cyber criminals and other threat actors share their skill sets and tools with others. They are not only learning from each other, but they often sell their skill sets and work in teams. Cyber criminals also leverage leaked tools that are developed and utilized by nation-state actors.

This is demonstrated quite clearly in a 2019 report released by the Department of Homeland Security’s Public Private Analytic Exchange Program. The report notes, in part, that the tools made available to nation-states and non-state actors are enabling espionage and surveillance capabilities that have never been seen before. It states that the “proliferation of cyber tools” makes it easier for bad actors to attack, and will continue to pose threats to national security, the commercial sector, and civilians, especially vulnerable civilian groups. Capabilities that once only state actors had are now available to non-state actors, who are using them to attack a wide range of victims, including small businesses and home users.

Many companies get complacent thinking they do not have information that would be of interest to an attacker. These companies should reconsider this position. While some attacks are targeted to specific organizations, many are random, with the attacker recycling tactics that are known to work with the simple goal of finding new victims. Being a victim of such attacks can be a death knell for a business. It is reported that 60 percent of small businesses who suffer a cyber attack go out of business within six months. Even those that manage to recover, face significant financial challenges. In 2019, Security Intelligence reported the average cost of a data breach to be $3.92 million.

Type of Attacks

The techniques that attackers use are vast and multiplying. Anything that is connected to the internet is potentially vulnerable and should be secured. But it is important to note that most cyberattacks repeat techniques that are known to be successful. It is easier to deploy tools and repeat attacks that are known to work than to create something new that may not work. With that in mind, it is worth highlighting a couple of common attacks and methods being widely deployed by attackers.

Phishing

Phishing attacks are effective ways for an attacker to gain access to a computer or network. Phishing attacks are often used to get into a computer or network and deploy malware. They trick the victim into opening an email that contains a malicious link or attachment. Once the victim clicks on the bait, malware is installed on their machine. To entice the victim to open the document, the email header or text often contain information relating to current events or other topics of interest.

For example, when President Trump was diagnosed with COVID-19, we saw attackers try to capitalize on this. They launched email messages that appeared to be coming from legitimate sources that downloaded BazarLoader malware on unsuspecting victims. By using subject lines such as, “Recent materials about the president’s illness,” “Newest information about the president’s condition,” and “Newest info about President’s illness,” they enticed people to open these malware-laden messages.

Ransomware

One example of a widely used attack is Ransomware. Companies of all sizes, as well as individual users, should be aware of these attacks. In a ransomware attack, the attacker gains access to a victim’s machine, or network (often through Phishing) and locks the hard drive with encryption. The attacker provides the victim with instructions on how to pay a ransom, generally in bitcoins, in exchange for the key to unlock the encryption. These attacks are popular because they are effective.

Some recent examples of successful ransomware attacks include:

● A large healthcare company recently experienced an apparent ransomware attack that forced many hospitals to manually file paperwork with pen and paper, according to NBC News.

● A Virginia school district experienced a data breach in September. Hackers posted the information of students and employees on the DarkWeb.

● A French shipping giant suffered a ransomware attack, forcing the company to temporarily close their website and applications.

● A public university in Utah was hit with a massive ransomware attack which cost the university $450,000. The compromised data included student and employee information. In 2019, nearly 90 universities, colleges, and school communities were victims of ransomware attacks.

Be Cybersmart
Combating these threats requires a coordinated national effort. We can all contribute to the solution by taking some basic precautions. While cybersecurity is in part a technology problem, it is also one that people can help solve through their actions. While no defense is foolproof, there are actions you can take to secure your information. These include:

Ensure your software and applications are updated. Ensuring your devices are updated reduces the window an attacker may have to compromise unpatched systems. Most software and applications enable automatic security updates. It is important that automatic updates are enabled.

Create strong passwords. Passwords should be as complex and long as possible. Avoid using common dictionary words. Having separate passwords for individual accounts is an excellent security measure. Tools such as password managers can help manage passwords for each account.

Set up multi-factor authentication. Multi-factor authentication requires you to confirm your identity multiple times–once with a password and then with additional methods. As such, if a hacker were to gain access to your password, your account would still be protected. Multi-factor authentication typically relies on something you have (phone/hardware token) and something you know (password).

Keep an eye out for phishing attacks. Always check the email address of the sender and specifically look at the domain name of the sender. Often attackers spoof or typosquat a domain, by changing the name slightly to trick the victim into thinking it is from a legitimate domain. Do not click on links or attachments sent from people you don’t know. If the email or attachment looks strange, go with your instinct–don’t open it.

Secure your home network and use a VPN if working on a public network. Take steps to protect your home network such as setting up password protection and avoiding default passwords on routers. Some prefer to make their WiFi network name invisible to outsiders. VPNs encrypt your connection to the internet and at the very least, should be used when making payments online.

Treat USBs with caution. USB devices such as thumb drives can be a significant security threat. Such devices can spread malware among machines it connects to. It’s also easy to lose a thumb drive and the information on it. As such, USB devices should always be scanned for threats before they are opened, and it is best to encrypt the device with a third-party program. This way, the drive’s data cannot be read if lost or stolen.

Utilize encryption to safeguard your information. Make sure to use end-to-end encryption services when sending emails, especially from public networks. If using a laptop, encrypt its contents so that data cannot be read if it is lost or stolen.

Back up your data. Be sure you have copies of your files. This way, if you were to become a victim of ransomware or another attack that corrupts your data, you will still have access to your important personal and business data. You can backup your data to the cloud or on another device that is not connected to your network.

Conclusion

The cost of defense is increasing. The attack surface is larger than ever. Criminals have a near endless set of tools at their disposal. This is not a good combination for network defenders. Therefore, everyone who accesses a network should consider themselves a network defender. Please help secure your part of cyberspace.

Do your part. #BeCyberSmart!

Join the Rethink Cybersecurity Community click here