How do you protect yourselves from cybercriminals that plan to hold your organization for ransom? These criminals are intelligent, extremely computer literate, and know that production facilities, the utility sector, and mainly the power sector are ripe for ransom threats.
The criminal hack organization known as DarkSide created a malicious computer code that resulted in the recent Colonial Pipeline shutdown. Hackers gained entry into Colonial’s network through a Virtual Private Network (VPN) account by using compromised credentials obtained on the dark web, and once in the network, hackers installed ransomware. DarkSide operates what’s known as a “ransomware as a service” business model. The hackers develop and market ransomware tools and share them with other criminals, who then carry out the attack. The ransomware encrypts files on a device or network that results in the system becoming inoperable, and the hackers demand a ransom payment—typically cryptocurrency—in return for restoring access.
For years, the Federal Bureau of Investigation (FBI) has advised companies not to pay when hit with ransomware. Doing so, officials have said, would support a booming criminal marketplace. So how do we protect ourselves and our sector from being targeted in this way in the first place? As cybersecurity experts, we need to start sharing our knowledge to get ahead of hackers.
President Joe Biden signed an executive order in mid-May to strengthen U.S. cybersecurity defenses, a welcome move that follows a growing series of sweeping cyber-attacks on private companies and federal government networks over the past year.
Traditional security measures tend to focus on external threats (and rightly so). However, not as much attention is given to internal threats. One reason is that organizations are not always capable of identifying threats emanating from inside the organization. If we unpack what happened to Colonial Pipeline Co., we can identify two distinct attacks: credential stuffing (leaked VPN credentials) and ransomware.
The second attack would not happen without the success of the first one. The first attack is very much connected to internal threats. There is no doubt that internal threats are of significant benefit to the hackers, making their life easier to gain access to organizations. But how do we identify internal threats?
Let’s start with another question: How much do you know about your employees?
Types of Internal Threats
There are three distinct types of internal vulnerabilities, and all are related to your employees’ behavior: malicious, clueless, and careless. The line between them can be blurry because any malicious attempt can be dismissed as clueless or careless. Let’s examine them:
Malicious: A “malicious” vulnerability involves an employee who maliciously and intentionally abuses legitimate credentials, typically to steal information for financial or personal incentives. Examples include an individual who holds a grudge against a former employer or an opportunistic employee who sells secret information to a competitor. “Malicious” insiders have an advantage over other attackers because they are familiar with the security policies and procedures of an organization, as well as its vulnerabilities.
Clueless: A “clueless” vulnerability typically involves an employee without knowledge or understanding of cybersecurity hygiene or the organization’s cybersecurity policies. The clueless employee doesn’t take the cautionary measures dictated by security policies; for example, they fail to change passwords in accordance with simple security processes.
Careless: “Careless” vulnerabilities involve employees who do not pay sufficient attention to avoid harm or error and are not worried about it. Careless employees do things they are not supposed to do; for example, clicking on an insecure link and infecting the system with malware.
Malicious, Clueless, Careless Vulnerabilities Benefit External Threat Actors
When protecting your organization and implementing best practices, start by performing a risk assessment of your organization’s business processes to pinpoint weak links associated with people, policies, and procedures in relation to IT/OT systems. You need to know where to focus and prioritize your resources and budgets to mitigate internal and external threats.
By implementing these simple basic best practices, you will be well on your way to securing your organization against malicious cyberattacks.
Training. Train all staff who use computers in your organization on what to do and not to do, and on how to use the malware protection tools put in place.
Cyber Hygiene. Insist on periodic password changes and work backups, and install preventive software.
Solid Backups. Regularly scheduled offsite backups of the organization’s hard drives may make reinstalls easier after an attack.
Policies. Create and regularly review cybersecurity policies for the organization.
Preventative Software. Install cybersecurity software on all computers and review it regularly.
Least Privilege Access. Set up “The Principle of Least Privilege” (PoLP). Give users minimum levels of access—or permissions—needed to perform their job functions.
Network Segmentation. Set up network segmentation within your organization. Splitting a computer network into subnetworks, each a network segment, boosts performance and improves security.
Continuous Monitoring. Continuous security monitoring (CSM) will automate monitoring of information security controls, vulnerabilities, and other cyber threats and support organizational risk management decisions.
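As an added illustration of the continuous-monitoring and credential-stuffing points above (example code written for this article, not the authors’ or any vendor’s tooling), the following Python flags a successful VPN login that follows a burst of failed attempts against many different usernames from the same source address, the pattern a stuffing run of leaked credentials leaves behind. The log format and sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not from any real system).
# Each line: ISO-8601 timestamp, username, source IP, result.
SAMPLE_LOG = """\
2021-05-06T02:14:01Z alice 203.0.113.7 FAIL
2021-05-06T02:14:03Z bob 203.0.113.7 FAIL
2021-05-06T02:14:05Z carol 203.0.113.7 FAIL
2021-05-06T02:14:06Z dave 203.0.113.7 FAIL
2021-05-06T02:14:08Z erin 203.0.113.7 FAIL
2021-05-06T02:14:10Z frank 203.0.113.7 SUCCESS
2021-05-06T08:00:00Z alice 198.51.100.20 SUCCESS
2021-05-06T08:05:00Z alice 198.51.100.20 FAIL
2021-05-06T08:05:30Z alice 198.51.100.20 SUCCESS
"""


def parse(log_text):
    """Turn the constructed log text into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Alert on a SUCCESS from an IP that, within the preceding window, failed
    against at least min_users distinct usernames. A legitimate user who
    mistypes a password fails against one username; a stuffing run tries many
    leaked username/password pairs from one source before one of them works."""
    recent_fails = defaultdict(list)  # ip -> [(timestamp, username)]
    alerts = []
    for ts, user, ip, result in sorted(events):
        # Keep only failures from this IP that are still inside the window.
        fails = [(t, u) for t, u in recent_fails[ip] if ts - t <= window]
        recent_fails[ip] = fails
        if result == "FAIL":
            fails.append((ts, user))
            continue
        failed_users = sorted({u for _, u in fails})
        if len(failed_users) >= min_users:
            alerts.append({"ip": ip, "user": user, "time": ts.isoformat(),
                           "failed_users": failed_users})
    return alerts
```

Tune the window and the distinct-username threshold to your own VPN's traffic; the second block of sample lines (one user retrying a password) shows the rule staying quiet on ordinary mistakes.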
Not only is it important to implement these simple best practices to protect your organization, but it is vital to remember to do the following: perform a risk assessment, identify external and internal threats, and set up policies and procedures.
—Steven Seiden is the president of Acquired Data Solutions, a company that has more than 20 years of experience providing technology solutions for the engineering life cycle to government agencies and the commercial sector. Leighton Johnson, CISSP, CISM, CMMC-AB Provisional Assessor L-3, is a senior cybersecurity engineer at Acquired Data Solutions and has over 40 years of experience in computer security, IT, and cybersecurity. Dr. Tony Barber, CSEP, RMP, is a system engineering executive at Acquired Data Solutions and has over 20 years of experience in system engineering, cybersecurity, and IT. Djenana Campara is president of KDM Analytics. She has more than 30 years of experience in software and security.