10 preventative measures for cybersecurity risks in our critical infrastructure industries.
Is your company doing through a digital transformation?
The age of digital transformation is prompting businesses to examine their increased threat surfaces and cyber risk. Circadence provides tips for how to ride the cyber security wave of digital transformation while keeping practices and preparedness efforts strong.
From unifying security architecture to automating routine security tasks to building a culture of continuous cyber training for professionals, Circadence helps businesses of all sizes upskill cyber security teams to fortify the vulnerable human element of cyber security.
Targeted attacks against particular groups or entities are on the rise this year. Instead of a “spray and pray” approach, malicious hackers are getting particular about who and what they attack and how for maximum accuracy. Why? The right ransomware attack on the right data set to the right group of people can yield more monetary gain than an attack towards a general group of people at varying companies. To empower ourselves, we need to understand how cybercrime is “getting personal” and what we can do to prevent attacks like this.
Cybercriminals want to stay under the radar, so the more their attacks remain hidden from the public eye, the better chance they have to replicate that method on other vulnerable groups with lots to lose. Unauthorized adversaries target certain devices, computer systems, and groups of professionals most vulnerable to cybercrime.
Server hacking for faster monetary gain
Attacks on endpoint devices like computers and laptops are a thing of the past for evolving hackers who know that unsecured enterprise servers offer the best chances of staying undercover than device firewalls allow. Why get pennies and minimal personal information from a single laptop user when you can get millions from a few locked up servers that house incredibly sensitive data like billing information and credit cards?
The City of Baltimore experienced this firsthand with a ransomware attack that affected 14,000 customers with unverified sewer charges. Hackers demanded $76,000 in bitcoin to unlock city service computers, which impacted the delivery of water bills to local residents. While many residents might not mind skipping a payment, in the long run it’ll cause “surprise” bills when back-pay is requested.
Recently, Rivera Beach in Florida was one of the latest government entities to be crippled by a ransomware attack, and unfortunately, they paid almost $600,000 to hackers to regain access to their data.
But it’s more than a local city and state governments that are being attacked at this scale.
Multi-mass hacking for political disruption
Devices that are used by the masses are also at risk. Think about voting machines. Hacking into those machines has never been easier due to old devices and lack of security on them. To ensure the integrity of data, governments can consider using blockchain to maintain a more hardened security structure all the while, educating their election security professionals on the latest hacking methods so they can assess vulnerabilities on physical systems. The end result of voting machine hacking isn’t monetary per se—it’s much better—pure, unbridled political chaos and public distrust in election security and government operations.
Car-jacking to car hacking
Modern transportation system and vehicle attacks are on the rise too. Today’s cars are basically computers on wheels with the levels of code embedded within them. Hackers have been known to target cars to control key functions like brakes, steering and entertainment consoles to jeopardize the people in the car, as well as everyone around them on the road. In an interview with Ang Cui, CEO of Red Balloon Security, he notes “If you can disable a fleet of commercial trucks by infecting them with specialized vehicle ransomware or in some other way hijacking or crippling the key electronic control units in the vehicle, then the attacker could demand a hefty ransom.”
Cyber security professor Laura Lee notes, “The transportation sector is said to now be the third most vulnerable sector to cyber-attacks that may affect the seaport operations, air traffic control, and railways. The ubiquitous use of GPS information for positioning makes this sector especially concerned about resiliency.”
Preventing targeted cybercrime
In many of the incidences above and those not reported upon, humans are often the first and last line of defense for these companies and devices being attacked. Humans have the ability to detect vulnerabilities and gaps in security while also understanding what hackers are after when it comes to cybercrime tactics.
Our ability to handle both technical and analytical aspects of hacking means more can be done proactively to prevent targeted cybercrime like this. Specifically, in the field of training cyber security professionals, government and commercial entities should evaluate current training efforts to ensure their teams are 100% prepared for targeted attacks like these. How hackers attack changes every day so a persistent, enduring method of training would be critical to helping empower and enable defenders to anticipate, identify, and mitigate threats coming their way.
New cyber training approaches are using gamification to complement and enhance existing traditional, off-site courses. Currently, many traditional courses are passively taught with PowerPoint presentations and prescriptive video learning, often disengaging trainees who want to learn new cyber concepts and skill sets (in addition to staying “fresh” on the cyber fundamentals).
Government organizations and commercial enterprises would be smart to explore engaging ways to keep cyber team skills up to snuff while increasing skill retention rates during training.
You may have heard or read the term “bot” in the context of cyber security. Normally we hear this word in the wake of a cyberattack and relate it to breaches in computer or network security. While there are certainly bad bots, there are good bots too! So what exactly is a bot, how can you differentiate, and how do they work?
What are bots?
The term bot is short for robot and is a type of software application created by a user (or hacker) that performs automated tasks on command. There are so many variations, from chatbots to spider bots to imposter bots. Good bots are able to assist in automating day to day activities, such as providing up to the minute information on weather, traffic, and news. They can also perform tasks like searching the web for plagiarized content and illegal uploads, producing progressively intelligent query results by scouring the internet content, or helping find the best purchase deals online.
While we encounter bots like these in our everyday activities without really thinking about them, being aware of bad bots is important. Bad bots, used by adversaries, perform malicious tasks and allow an attacker to remotely take control over an infected computer. From there, hackers can infiltrate the network and create “zombie computers,” which can all be controlled at once to perform large-scale malicious acts. This is known as a “botnet”.
How do bots work?
Cybercriminals often use botnets to perform DoS and DDoS attacks (denial of service and distributed denial of service, respectively). These attacks flood target URLs with more requests than they can handle, making regular traffic on a web site almost impossible. Hackers use this as a way to extort money from companies that rely on their website’s accessibility for key business functions and can send out phishing e-mails to direct customers to a fake emergency site.
Protect yourself from bad bots
Don’t let this information scare you though! Awareness is a great first step to recognizing any potential harmful activity, whether on your own computer or on a site you visit online. Preventing bad bots from causing attacks before they start is easy with these tips:
- Ensure your antivirus software is up to date by setting it to automatically update.
- Routinely check the security options available to you for your iOS, web hosting platform, or internet service provider.
- Only click on links and open emails from trusted sources. Avoid accepting friend or connect requests, responding to messages, or clicking on links from unknown persons on social media.
Bots can be incredibly helpful, and we use them every day. Knowing how to differentiate the good from the bad while taking the necessary precautions to protect yourself against malicious bots will ensure that you only need to deal with bots when they are telling you about blue skies or saving you money on that great shirt you’ve been wanting!
Ransomware is gaining traction among hackers; emboldened by financial success and anonymity using cryptocurrencies. In fact, ransomware is now considered a tried and true cyberattack technique, with attacks spreading among small and medium-sized businesses, cities and county governments. Coveware’s recent 2019 Q1 Ransomware Report notes:
- Ransoms have increased by an average of 89% over Q1 in 2019 to $12,762 per ransom request
- Average downtime after a ransomware attack has increased to 7.3 days, up from 6.2 days in Q4 of 2018, with estimated downtime costs averaging $65,645
- Victim company size so far in 2019 is anywhere from 28 to 254 employees (small, medium, and large-sized businesses)
Let’s review how ransomware works and why it’s so effective. Ransomware is a type of cyberattack where an unauthorized user gains access to an organization’s files or systems and blocks user access, holding the company’s data hostage until the victim pays a ransom in exchange for a decryption key. As you can surmise, the goal of such an attack is to extort businesses for financial gain.
Ransomware can “get into” a system in different ways, one of the most common through phishing emails or social media where the human worker inadvertently opens a message, attachment, or link acting as a door to the network or system. Messages that are urgent and appear to come from a supervisor, accounts payable professional, or perceived “friends” on social media are all likely ransomware actors disguising themselves to manipulate or socially engineer the human.
Near and Far: Ransomware Has No Limits
Many types of ransomware have affected small and medium-sized businesses over the last two decades but it shows no limitations in geography, frequency, type, or company target size.
- Norwegian aluminum manufacturing company Norsk Hydro, a significant provider of hydroelectric power in the Nordic region, was shut down because of a ransomware infection. The company’s aluminum plants were forced into manual operations and the costs are already projected to reach $40 million (and growing). The ransomware name: LockerGoga. It has crippled industrial firms across the globe from French engineering firm Altran, and manufacturing companies Momentive, and Hexion, according to a report from Wired.
- What was perceived as an unplanned system reboot at Maersk, a Danish shipping conglomerate, turned out to be a corrupt attack that impacted one-fifth of the entire world’s shipping capacity. Deemed the “most devastating cyberattack in history,” NotPetya created More than $10 billion in damages. To add insult to injury, the cyber risk insurance company for Maersk denied their claim on the grounds that the NotPetya attack was a result of cyberwar (citing an act of war exclusionary clause). WannaCry was also released in 2017 and generated between $4 billion and $8 billion in damages but nothing (yet) has come close to NotPetya.
- On Black Friday 2016, the San Francisco Municipal Transportation Agency fell victim to a ransomware attack. The attacker demanded $73,000 for services to be restored. Fortunately, speedy response and backup processes helped the company restore systems in 2 days—avoiding having to pay the ransom. In March 2018, the City of Atlanta experienced a ransomware attack that cost upwards of $17 million in damages. The Colorado Department of Transportation fell victim, too, left with a bill totaling almost $2 million.
These headlines are stories of a digital war that has no geographical borders or structured logic. No one is truly immune to ransomware, and any company that thinks that way is likely not as prepared as they think they are. Beazley Breach Response (BBR) Services found a 105% increase in the number of ransomware attack notifications against clients in Q1 2019 compared to Q1 of 2018, as well as noting that attackers are shifting focus to targeting larger organizations and demanding higher ransom payments than ever before.
Immersive cyber ranges – Protect Yourself, Your Business, Your People
If your own security efforts, staff practices, and business infrastructure are continuously hardened every time a new breach headline makes the news, the things that matter most to you and your company will be better protected. One of the ways to consistently harden security practices is via immersive and persistent training on gamified cyber ranges. Some benefits of using cyber ranges like this include:
- Helping professionals of all skill levels learn and apply preventative measures such as: regular backups, multi-factor authentication, and incident response planning and analysis.
- Understanding what ransomware looks like and how it would “work” if it infected their company’s network.
- Cloud-based environments can scale to emulate any size digital system and help users “see” and respond to threats in safe spaces.
- Providing user assistance and immediate feedback in terms of rewards, badges, and progress indicators, allowing organizational leaders who want to upskill their cyber teams to see the skills gaps and strengths in their teams and identify ways to harden their defenses.
When ransomware does come knocking at your business door, will you be ready to recover from the costly and reputational damages? If there is any shred of doubt in your mind, then it’s time to re-evaluate your cyber readiness strategy. As we’ve learned, even the smallest vulnerability or level of uncertainty is enough for a cybercriminal to take hold.
While most of us recognize the inherent vulnerabilities of putting our personal information online, we may not think about how marginalized communities are at even greater risk of malicious attacks on the internet. The LGBTQIA (lesbian, gay, bi-sexual, transgender, queer, intersex, and asexual) community certainly understands the ramifications of sharing their lifestyles on the web, and it is of vital importance to consider how compromised online privacy can specifically impact these already vulnerable groups.
To understand the privacy risks for LGBTQIA individuals, consider how we all use the internet and create digital footprints. Here are some statistics from LGBT Tech, The Trevor Project, and a study released by GLSEN (the Gay, Lesbian, and Straight Education Network).
- 81% of LGBTQIA youth have searched for health information online, as compared to 46% of non-LGBTQIA youth.
- 62% of LGBTQIA youth have used the internet to connect with other members of the community in the last year.
- More than 1 in 10 said they had first disclosed their LGBTQIA identity to someone online.
- 1 in 4 youth said they are more out online than in person.
- 42% of youth in this community have been bullied online versus 15% of the general public.
- 27% of LGBTQIA members report not feeling safe online.
- LGBTQIA youth are almost 5 times as likely to attempt suicide from harassment and isolation compared to heterosexual youth.
The internet can be a scary place for members of the LGBTQIA community, but it is often also a lifeline. LGBT-identifying adults often need to find resources and places that will be welcoming and supportive, and mobile devices play a vital role in their day today. For many individuals who are not yet comfortable revealing their sexual identity at home or in their communities, the internet is often the first tentative step for seeking both information and community belonging.
However, when privacy is breached, intentionally or unintentionally, for vulnerable populations, consequences can be catastrophic including loss of employment, damaged familial relationships or friendships, and even threats of physical harm or death.
Back in 2013, the National Cyber Security Alliance (NCSA) launched a collaboration with the LGBT Technology Partnership to highlight safety issues and increase focus on vulnerable populations. They created a sheet of specific tips and tricks for the LGBTQIA community for staying safe online based on the slogan STOP. THINK. CONNECT. which can be found here. Many of these tips are helpful for everyone looking to stay safe online, but when reviewing them, you can see just how cautious members of this population need to be in order to feel safe.
Ensuring that every person has equal rights and access to online safety is of the utmost importance. While many walk through life taking precautions to ensure their data is protected, we must be aware of how certain communities are at more risk than others and strive to practice our own safe behavior online so as not to put anyone else’s lives at risk.
We wish members of the LGBTQIA community a cyber safe Pride Month and risk-free access to the resources they need.
To ensure everyone stays safe online, we’ve developed a few educational videos to keep everyone informed about hacking methods and how to avoid them.
Watch the video series here.
When your power goes out, you recognize just how many things you use every day rely on energy. From phones to WiFi to air conditioning and heat, our homes and offices almost entirely rest on this silo of critical infrastructure.
While we may not think of the energy sector as being a significant cyber vulnerability (we don’t read about a lot of breaches on this sector in the news media), it is not only of intrinsic importance to a functioning society but all other sectors that make up the nation’s critical infrastructure rely on electricity. According to the Council on Foreign Relations, the U.S power system has evolved into a highly complex enterprise with:
- 3,300 utilities that work together
- 200,000 miles of high-voltage transmission lines
- 55,000 substations
- 5 million miles of lines that bring power to millions of homes and businesses
There are not many documented cases of a successful power grid attack, but the first known instance occurred on December 23, 2015 in Ukraine. Hackers were able to compromise information systems of three energy distribution companies in Ukraine and temporarily disrupt electric supply to the end customers. A year later, Russian hackers targeted a transmission level substation, blacking out part of Kiev.
Although there may not be many examples of historical energy facility hacks, these kinds of attacks are no longer a theoretical concern. In 2014, Admiral Michael Rogers, director of the National Security Agency, testified before Congress that China and other countries likely had the capability to shut down the U.S. power grid. An adversary with the capability to exploit vulnerabilities within the electric utility silo may be motivated to carry out such an attack under a variety of circumstances, and it seems increasingly likely that the next war will be cyber.
Cyber Security Readiness for Electricity and Energy
So what can we do to prepare ourselves? Understanding that cyber security is the responsibility of everyone, not just CISOs or those in IT, helps ensure that everyone is participating in strengthening an organization’s cyber readiness.
Utilizing AI, persistent learning, and gamified training to upskill your team will ensure that you are prepared for any looming threat.
Electricity is of incredible importance to the country and the world, the remainder of our infrastructure would crumble without it. Building a culture of awareness and education around cyber security will help protect us from a domino effect of failing infrastructure. Continuously improving security posture is vital to defending ourselves against attacks that threaten our critical infrastructure.
The top cyber security myths CISOs and security professionals fall victim to. Empower yourself with persistent training and skill building instead.
Across the board there’s been a push from a policy perspective to get into secure cloud environments that provide organizations with the on-demand and protected availability that they need to improve business processes. Azure Government Secret is a cloud solution that delivers comprehensive and mission-enabling cloud services to US Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and US government partners working within Secret enclaves. It can also have global implications for how cyber defenders prepare for tomorrow’s threats.
The April 2019 announcement of Azure Government Secret enables Circadence to deliver Project Ares to similar defense industry partners in support of their cyber training and readiness missions. Having the power of the Azure Secret cloud infrastructure behind Circadence is necessary to deliver infinite cyber range scalability for gamified training and learning opportunities to defenders across the globe who need specialized security and scalability in training programs.
As cyber threats grow more frequent and more malicious, it is mission critical to government cyber protection teams to have the flexibility and accessibility to scale training to their needs, with limitless opportunity for enhanced cyber preparedness. The persistent, gamified training and frontier learning that occurs in Project Ares, coupled with this new level of secure cloud, enhances the protection of the nation’s most critical digital assets and will undoubtedly contribute to our overall national security.
VP of Global Partnerships Keenan Skelly tells us how it helps improve cyber training today.
“Our partnership with Microsoft Azure allows us to build infinitely scalable cyber ranges to do cyber exercises and trainings,” said Skelly.
With the help from Microsoft Azure Government Secret cloud, Circadence can continue to evolve cyber training solutions that help today’s elite, DoD cyber security professionals anticipate, prevent, and react to threats more efficiently and effectively. In doing so, we are proud to contribute to a world-class security culture that proactively protects our most critical assets and our people.