On 24 October, we at Metacompliance wrapped up European Cyber Security Month (ECSM) 2016 with a discussion of how users can defend against mobile malware. ECSM 2016 might be over, but that doesn't mean users can't learn more about how to strengthen their digital security. Not if another user awareness campaign has anything to say about it.
As October gives way to November, we cast our gaze to the United States and to the closure of National Cyber Security Awareness Month (NCSAM) 2016. The fifth and final week of the U.S. initiative emphasizes the need to build resilience in critical and national infrastructure. Towards that goal, it's important that we understand how digital attacks pose a serious threat to our national infrastructure.
Here are five incidents to help give us an idea.
On 23 December 2015, a group of actors targets the Western Ukraine power company Prykarpattyaoblenergo. Their attack leverages a malicious Excel document to drop BlackEnergy malware onto the power company's computer network. The malware comes equipped with "KillDisk," a component which allows the malware to delete or overwrite data files. It's KillDisk that provides enough interference at the plant to allow the attackers to turn off power for the region.
In early February, staff members at the Hollywood Presbyterian Medical Center in southern California identify suspicious behavior on the IT system. The hospital subsequently decides to temporarily suspend its computer system, which causes several departments to shut down. Without the ability to treat all of its patients, Hollywood Presbyterian diverts some of its in-patients to other hospitals for treatment. In the meantime, it processes all remaining registrations/log-ins via paper and fax. The shutdown ends once the hospital agrees to a $17,000 ransom payment to resolve a ransomware infection.
In March 2016, Verizon confirms it worked with the Kemuri Water Company (KWC) following a digital attack against the water utility. The campaign began when hackers exploited a vulnerability in the payment application web server. The actors then obtained the internal IP address and admin login credentials for a dated IBM AS/400 system used to monitor the water utility's OT devices. With access to that system, the attackers gained the ability to control water flow and the amount of each chemical dumped into the water. They tried to manipulate the systems on four separate occasions, but systems at the utility detected and eliminated those suspicious changes.
Hackers infiltrate the Democratic National Convention’s computer network and steal opposition research on Republican presidential candidate Donald Trump. After monitoring the network for suspicious activity, security firm CrowdStrike determines in an investigation that two hacker groups closely aligned with the Russian government perpetrated the hack. Many analysts believe the Russian government subsequently handed over those documents to WikiLeaks after it hacked into one of the mainstays of the United States' election infrastructure.
Yukiya Amano, director of the International Atomic Energy Agency (IAEA), confirms a digital attack affected a nuclear power plant. By no means was the attack a worst-case scenario. It wasn't destructive to the point that it destroyed data, prevented employees from accessing certain parts of the computer network, or potentially caused physical damage to the plant itself, and it didn't have anything to do with hacking a nation's nuclear command and control centers. Instead, it just caused some disruption without affecting the plant's operations.
As we all know, many organizations today act as suppliers to governments for the creation and maintenance of both national and critical infrastructures. That means a digital attack against those organizations could potentially allow bad actors to gain unauthorized access to infrastructure upon which hundreds of millions of citizens rely.
To help protect our nation's infrastructure, it's imperative that all government suppliers and contractors emphasize information security staff awareness training at the workplace. They can do so cheaply and easily by investing in off-the-shelf third-party awareness training software.
Does this arrangement sound of interest to you?