The fourth and final blog in our series as part of National Cybersecurity Awareness Month (NCSAM) focuses on the theme of protecting critical infrastructure. Most of the time, we don’t notice critical infrastructure until a disruption happens. The recent hurricanes have highlighted the frustrations that occur when cell phone service, roads, electricity, and water service are unavailable, even in small portions of the country. While these disruptions are localized, their impact is magnified because of the effect on life and property.
The disruptions caused by natural disasters are usually fixed quickly by using the business continuity plans already in place to limit the impact on the community and the environment. Those same plans are just as important for every organization when the threat comes from the cyber security domain: the effects can be the same, only without the news coverage that generally surrounds a natural disaster. Business continuity plans are necessary and focus on ensuring the core business function is restored. Cyber security incident response plans are specialized instances of those plans, but too often they focus narrowly on the technology and leave out the core business function.
Regardless of whether a disruption is caused by rising water or ransomware, the focus needs to be on restoring service. The public is not interested in the details, just an estimated restoration time. Exercising these incident response plans (which is a control under NIST SP 800-53r4 and other control frameworks) allows the players to understand the threats facing the critical infrastructure at an appropriate level and bring them together to assess the plans, make improvements, add or remove participants, develop checklists, and improve response.
We mentioned above that cyber security issues don’t typically make the news cycle like natural disasters. One recent exception was the ransomware attacks on local governments, with the March attack on the city of Atlanta being the highest profile. Ransomware has been especially problematic of late. The most recent Verizon Data Breach Investigation Report (DBIR) noted that ransomware was the top malware variant, accounting for 39 percent of malware incidents reported in 2017.
Multiple lines of defense are necessary to counter an intrusion, whether it involves ransomware or any other malware. The first line of defense is user training, with the largest focus on recognizing phishing email. Reporting suspicious emails and not clicking on unknown links reduces the impact of phishing on an organization. However, without additional technical controls in place, it only takes one click to affect an entire network (and we all know that one person who will click on an email no matter how much training they get).
When looking at additional technical controls, antivirus is the first stop. Although antivirus only catches known signatures, it is effective, low-cost and easily maintained. The next step is to remove local administrator access from machines. Taking away the ability to run malware with elevated privileges makes an attacker’s job more difficult and is a simple administrative step to take. The last technical control is vulnerability patching. This is one of the most overlooked issues, a problem that has plagued networks since the beginning of networking, and one I will go into more deeply because of its importance to protecting the networks that support critical infrastructure.
Vulnerability scanning and patching must be performed as a regular process, because new vulnerabilities are discovered and fixed continually. Most have minimal impact, but some require immediate attention, such as EternalBlue. Even though it was revealed in March 2017, EternalBlue has been present on every penetration test I have participated in over the past year and has provided a vector to compromise our target. Additionally, it was the vulnerability exploited by the “WannaCry” and “Petya” ransomware attacks earlier in 2018. Microsoft even released patches for EternalBlue that covered the unsupported Windows XP and Windows Server 2003 operating systems. The reason for those special patches was that, despite being past their end-of-life date, many of those systems are still in use. While the EternalBlue vulnerability affects Windows platforms, vulnerabilities also need to be patched on critical infrastructure systems.
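As an added illustration (not code from the original post), the following PowerShell snippet checks a single Windows host for the two technical controls just discussed: whether SMBv1, the protocol EternalBlue targets, is still enabled and whether the MS17-010 update is installed, and whether the local Administrators group contains anything beyond the expected accounts. The MS17-010 KB number varies by OS build and is an assumption the caller supplies (`KB-PLACEHOLDER` is a placeholder), as is the list of expected admin accounts.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on Windows 8.1 / Server 2012 R2 or newer. Reports, does not change.
param(
    # KB article for the MS17-010 update that applies to this OS build
    # (assumption: the caller looks it up; 'KB-PLACEHOLDER' must be replaced)
    [string]$Ms17010Kb = 'KB-PLACEHOLDER',
    # Accounts expected to hold local admin rights; everything else is flagged
    [string[]]$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator")
)

$findings = @()

# 1. Is the SMBv1 server-side protocol still enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 is enabled; disable it with Set-SmbServerConfiguration -EnableSMB1Protocol $false'
}

# 2. Is the MS17-010 update present? Get-HotFix errors when the KB is absent,
#    so -ErrorAction Stop turns that into a catchable exception.
try {
    $null = Get-HotFix -Id $Ms17010Kb -ErrorAction Stop
} catch {
    $findings += "Update $Ms17010Kb (MS17-010) is not installed"
}

# 3. Who is in the local Administrators group beyond the expected accounts?
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
$unexpected = $admins | Where-Object { $ExpectedAdmins -notcontains $_ }
foreach ($member in $unexpected) {
    $findings += "Unexpected member of local Administrators: $member"
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No findings: SMBv1 disabled, update present, admin membership as expected'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Later cumulative updates supersede the original MS17-010 KB, so a missing KB is a prompt to verify the host's update history rather than proof of exposure.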
Stuxnet was major news in 2010 when it was revealed to be malware targeted specifically at the Iranian uranium enrichment program and carrying four Windows zero-day exploits. While the zero-day exploits gained the attention, the malware also attacked an unpatched Siemens vulnerability, using weaknesses in Siemens equipment to gain access to the systems and exploit them. In the aftermath, it took Siemens almost two years to issue patches for the exposed vulnerabilities. While this was a high-profile case, it highlights the importance of knowing your systems (hardware and software, CIS Top 20 Controls 1 and 2) and performing regular vulnerability patching on all your networked systems.
As the 2018 NCSAM comes to a close, make sure you’re practicing good cyber hygiene and looking critically at your security practices. Delta Risk offers a range of assessment services including penetration testing, controls assessments, phishing assessments and table-top exercises to assess your ability to protect your infrastructure, detect and respond to malicious activity and recover from an incident.