The news has been swirling with reports of ransomware attacks. Of course, ransomware did not begin with the Colonial Pipeline attack, which shut down oil and gas delivery to the East Coast. Colonial Pipeline, part of the critical national infrastructure, delivers about 45 percent of the fuel the East Coast uses, including gasoline, diesel, heating oil, and aviation fuel, roughly 100 million gallons of fuel a day.
The after-action report (AAR) will no doubt identify the cause or entry point of the ransomware attack. The expectation is that the impending AAR will describe how the attackers took advantage of the company's poor cyber-hygiene, meaning systems that were out of date and poorly configured, weak passwords, a lack of segmentation, and so on.
Recall that the SolarWinds hack in 2020 was mainly due to poor password control. The password "solarwinds123" had been in use since 2017; that was not the work of an out-of-control intern but the result of a lack of standards and oversight.
In 2012, Congress struggled to pass legislation directing the Secretary of Homeland Security, owners and operators of critical infrastructure, the Critical Infrastructure Partnership Advisory Council, federal agencies, and the private sector to assess cybersecurity risks; designate critical infrastructure; develop risk-based cyber performance requirements; and implement cyber response and restoration plans. Even this was a watered-down version of the original bill. The bill was attacked by the U.S. Chamber of Commerce, the operators of critical infrastructure, and some private-sector companies. The stated reasons for the pushback were that it would cost too much, that it was over-regulation, and that it was burdensome for entities already following industry best practices.
This brings to mind the great automobile seat-belt battles of the 1970s and 1980s. Today, getting into your car and putting on a seat belt is almost a subconscious act; seat belts and airbags are standard, like a car radio and air conditioning. Though seat belts were first developed in the 1890s, it took until 1968, when the Federal Motor Vehicle Safety Standards (FMVSS) went into effect, for all vehicles to be required to be fitted with a lap belt. The subsequent enforcement battles at both the state and federal levels pitted automobile manufacturers, business organizations, and legislatures against the FMVSS as over-regulation: costly, intrusive, burdensome, and un-American. Today, someone not using the standard three-point seat belt is considered irresponsible; you cannot buy a new car without seat belts and airbags; and, measured by miles driven, driving a car has never been safer.
Hardly a week now goes by without a report of a cyber-attack against a business or government agency. The Colonial Pipeline attack is not unusual; government agencies are attacked too. A medium-sized police department was attacked twice in the last few years; the second was a ransomware attack initiated when an employee downloaded a malware-infected email. The result was the exfiltration of police records and other personally identifiable information, as well as the encryption of other department data. When the police department did not pay the ransom, the exfiltrated data was released on the dark web for all to see. The release of the data then sets off another cascade of problems and issues.
Despite the efforts of industry associations, business organizations, and individuals, cybersecurity requirements are going to be the rule, not the exception. These regulations will also bring requirements for certification, meaning someone will check your work; the self-attestation model has proven to be less than successful. For the most part, cyber-hygiene, the basic level of requirement, is like putting on your seat belt: simple things that most people can do without a high degree of skill.
The baseline for good cyber-hygiene consists of things like keeping your system software up to date, which you can do by turning on the automatic update function; having antivirus software that is turned on, updated automatically, and scans your system periodically; and using long, complex passwords, meaning ten or more characters that mix letters, numbers, and other characters. Data access should be separated or segmented; no one should have universal access to everything. Another is multifactor authentication (MFA); like putting on a seat belt, it is an extra step. The adage is to prepare for the worst, and that means keeping a backup of your system that is air-gapped, meaning the backup is not connected to your system; it is disconnected. In this way, if there is an attack, you may lose all of the data on your live system, but you will recover from the air-gapped backup and lose only the data that had not yet been copied to the backup drive.
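The baseline above is a checklist, and a checklist is only useful if someone actually runs it. The script below is an added example written for this page (it is not the column's own material or a 171Comply tool): it audits a constructed inventory of hosts against the stated controls (automatic updates, antivirus with periodic scans, MFA, no universal data access, an air-gapped and recent backup) and validates new passwords against the "ten or more characters with letters and numbers" rule. The scan-age and backup-age limits, the inventory, and the audit date are assumptions made up for the example. The optional blocklist in the password check goes one step beyond the column: it shows that "solarwinds123" passes the length-and-mix rule alone, so a defender should also reject passwords built from the company or product name.

```python
"""Audit a small host inventory against the cyber-hygiene baseline described above.

Added example: the inventory, dates and staleness limits are constructed
assumptions, not figures from the column.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

MIN_PASSWORD_LEN = 10       # column: "ten or more" characters
MAX_SCAN_AGE_DAYS = 7       # assumption: a periodic antivirus scan should run at least weekly
MAX_BACKUP_AGE_DAYS = 1     # assumption: nightly backups; anything older means more data at risk


def password_meets_policy(pw: str, forbidden: tuple[str, ...] = ()) -> bool:
    """Length and character-mix rule from the column, plus an optional blocklist.

    The blocklist goes beyond the column: "solarwinds123" satisfies "ten or
    more characters with letters and numbers" yet is guessable, so callers can
    reject passwords that contain the company or product name.
    """
    if len(pw) < MIN_PASSWORD_LEN:
        return False
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        return False
    lowered = pw.lower()
    return not any(word.lower() in lowered for word in forbidden)


@dataclass
class Host:
    name: str
    auto_update: bool
    antivirus_on: bool
    last_av_scan: date | None
    mfa_enabled: bool
    universal_access: bool      # True when every account can reach all data (no segmentation)
    backup_offline: bool        # True when the backup drive is disconnected (air-gapped)
    last_backup: date | None


def audit_host(host: Host, today: date) -> list[str]:
    """Return one finding per baseline control the host fails (empty list means clean)."""
    findings: list[str] = []
    if not host.auto_update:
        findings.append("automatic updates are off")
    if not host.antivirus_on:
        findings.append("antivirus is off")
    elif host.last_av_scan is None:
        findings.append("antivirus has never scanned")
    elif (scan_age := (today - host.last_av_scan).days) > MAX_SCAN_AGE_DAYS:
        findings.append(f"antivirus scan is {scan_age} days old (limit {MAX_SCAN_AGE_DAYS})")
    if not host.mfa_enabled:
        findings.append("multifactor authentication is not enabled")
    if host.universal_access:
        findings.append("data access is universal (no segmentation)")
    if host.last_backup is None:
        findings.append("no backup exists")
    else:
        if not host.backup_offline:
            findings.append("backup drive stays connected (not air-gapped)")
        backup_age = (today - host.last_backup).days
        if backup_age > MAX_BACKUP_AGE_DAYS:
            # Data added since the last copy is what an attack would cost you.
            findings.append(f"backup is {backup_age} days old: up to {backup_age} days of data could be lost")
    return findings


def audit_inventory(hosts: list[Host], today: date) -> dict[str, list[str]]:
    """Map each host name to its list of findings."""
    return {h.name: audit_host(h, today) for h in hosts}


# Constructed sample inventory and audit date (not real systems).
TODAY = date(2021, 6, 1)
INVENTORY = [
    Host("fileserver", auto_update=False, antivirus_on=True, last_av_scan=date(2021, 5, 10),
         mfa_enabled=False, universal_access=True, backup_offline=False, last_backup=date(2021, 5, 31)),
    Host("laptop-07", auto_update=True, antivirus_on=True, last_av_scan=date(2021, 5, 30),
         mfa_enabled=True, universal_access=False, backup_offline=True, last_backup=date(2021, 5, 25)),
    Host("kiosk", auto_update=True, antivirus_on=False, last_av_scan=None,
         mfa_enabled=True, universal_access=False, backup_offline=True, last_backup=None),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, TODAY).items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script, it prints a finding list per host; the file server fails five of the six controls, the laptop only has a week-old backup, and the kiosk has no antivirus and no backup at all. In practice the `Host` records would be filled from whatever inventory or endpoint-management export the organization already has, and the two age limits tuned to the backup and scan schedule actually in use.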
As we all know, people resist change or anything new, even when it is in their best interest; think of seat belts. The cost of adding layers of cybersecurity and system security protections has been the main reason for pushback. After these attacks and their massive recovery costs, prevention has been shown to cost less than recovery. The advice, then, is to begin putting the basics of good cyber-hygiene into place.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at firstname.lastname@example.org.