You may have seen news reports on the Colonial Pipeline malware attack. The main questions I’ve heard from family and friends are “How did something like that happen?” and “Why couldn’t they stop it?” In my opinion, there are many reputable news agencies and other organizations that have weighed in and done very good work at explaining the intricacies of what happened. I would encourage the technically curious to do a little research for a deep dive, which I won’t be providing here. My goal is to give a high level summary of what happened and try to provide some suggestions to any reader that may be looking for takeaways.
Most likely, a “phishing attack” was successful with someone checking email from the pipeline network. In my world, the term phishing is ubiquitous, I read or hear the term daily, but just in case you’re reading this and you don’t run in the same circles I do, I’ll try to explain: a phishing attack is basically someone trying to get you to click on a link in an email that could do bad things to you. Some of the most common attacks that I’m aware of are links that:
- Take you to a copy of a login website you’re familiar with, and when you put your credentials in, that web page sends your name and password to someone, then forwards you along to the real web page and passes in that name and password, and you are none the wiser.
- Download a file that you’re convinced you need to read, but in actuality is a program that infects your machine when you open it.
Once someone on the pipeline network fell victim to the phishing attack, the attackers either had credentials to access the network or had a program running on the network that would give them access. With that access, they could have run software inside the network that probed the network for security flaws that they could take advantage of, installed “key loggers” or other programs to collect more usernames and passwords, and any number of other techniques to gain further access to sensitive data that they could then send to themselves.
As soon as they had enough data, they could start their extortion tactics.
Step 1 – Run Ransomware - with the access they obtained, they were able to encrypt all the files they had access to (encryption is a means of scrambling data so that it requires a password to unscramble, or decrypt, before it is usable again) and charge a ransom for that password.
Step 2 – Threaten Publication – with the sensitive files they now had a copy of, they were able to threaten to publish that information to any number of dangerous entities (other countries, terrorist groups, etc.) unless the victim pays that ransom.
How would that impact the flow of oil in a pipeline? In this day and age of automation and computer dependency, Colonial Pipeline’s computers run pressure sensors, thermostats, valves, pumps, and even inspection robots from a single centralized system. Once that system was compromised, employee and public safety would require stopping all operations until they were able to ensure there was no outside influence before turning it back on.
And…why couldn’t they stop it?
Although technology provides a vast selection of security products, at the end of the day, it is we fallible humans who are using that technology. We are often the weakest link in a well-protected network.
I remember a company I used to work for that would hire a security firm to occasionally (without any notice) test the security. They would walk in, act like they belonged there and try to get access to a computer. It worked not once, but multiple times. I think as a society we all tend to believe in the good of the average person around us, but we shouldn’t forget to be wary of those that would take advantage of that good faith. After the employees were told what they unknowingly allowed to happen, only then did they start asking people they didn’t recognize for more information or who they were there to see.
From spam phone calls, to messages from a prince from a foreign land, to an email that looks like it’s coming from your boss (but doesn’t seem quite right): more than ever, we need to be on guard for people trying to take advantage of us to get access to our company’s networks.
Here’s what I think we can take from this:
- Hackers use multi-layered and multi-faceted attacks, so our security must follow a similar approach. We should definitely keep up with our technical protections like firewalls, network access control lists, and other security, but we can’t ignore our processes, procedures, and user training.
- Make some time to think like a hacker and imagine how you could get into the network from the outside. Seriously, make an appointment on your calendar for yourself or a group & try to think about where you might be exposed. Maybe turn the lights off, get some energy drinks and play some bad techno to get in the mood!
- Commit to creating (and updating) disaster recovery plans in case you lose your data.
- Commit to creating (and updating) incident response plans in case you find evidence of a security breach.
- Consider the cost of losing access to all your data against the cost of getting a security assessment and having a professional team that does this every day make some recommendations.
- I think it’s a good idea to have a security assessment vendor be separate from your security remediation vendor to avoid a conflict of interest – this is extremely common, and don’t let anyone try to convince you otherwise. You can always switch off each year between two vendors to make the most of the vendor relationships and let them both try to out-do the other in what they find or fix.
- Assess – address – assess again – don’t do it once, see if you can get a discount for a regularly scheduled assessment, and after following any recommendations, get another assessment to validate everything was taken care of.
- Every user with a company email is on guard duty. Every user should use caution with every click. Easier said than done when you’re just trying to get through the day, but here are some recommendations I can make. Although it might add an extra step or two, if they become habits, you’ll never be the person that got taken advantage of.
- Try to be skeptical when reading email. If you get a daily report with a link that comes at the same time every day, that should be safe. If you get a report from a co-worker or customer that doesn’t usually send reports to you, be cautious!
- When being cautious, try just putting the mouse over the link (without clicking) and looking at the bottom of the screen. In many email clients, the REAL website that you’re about to be taken to will be displayed there, even if the text in the email shows something else.
- Another method is to type in the website you want to go to manually instead of clicking on a link (or use a bookmark/favorite that you already have saved).
- Look at the ACTUAL email address that the email came from, not just the display name. You might see something like From: Peter Parker (email@example.com). If the address doesn’t look right, that is a big clue that it’s not from who you’re expecting. If your mail client doesn’t show you the email address, try to google how to change your settings.
- Training & testing should be more common
- There are numerous service offerings to send out safe phishing “tests” to employees to see how many people click on the link and get an idea of how vulnerable you are.
- These can be a wonderful opportunity to inform users about some of the things to look for in a real-world example.
- What makes someone good at something? Practice! The more of these test phishing emails are put in front of people, the more cautious users will be, and the more likely they’ll be to catch the real thing.
- Keep up with updates
- Each piece of your technology is likely supported by a vendor that is regularly releasing updated software or firmware to remediate security vulnerabilities.
- Make sure you have a plan to regularly check and update (or hire a managed service provider to do it for you 😊 ).
- If you have devices or software that are old enough to not get security updates, seriously consider replacing them.
- Use DNS Protection
- Without going too deep into what DNS is, it’s essentially the internet’s phone book, so when you type in “google.com” your computer knows you want to talk to the IP address “18.104.22.168”.
- OpenDNS will protect home and small business users from going to the bad sites they know about (and they’re constantly updating what’s bad) by displaying a warning instead of going directly to the dangerous site, and all you have to do is point your external DNS to them at 22.214.171.124 and/or 126.96.36.199. Believe it or not, as one of the world’s leading DNS service providers, it could even speed up your internet experience.
- Cisco Umbrella helps larger organizations provide DNS protection to all of their organization’s devices whether they’re in the office or in a coffee shop.
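The two email checks recommended above (compare the visible link text with the real link target, and compare the display name with the actual sender address) can be automated. The script below is an added example, not code from the original post or from LookingPoint; the message it inspects is constructed for illustration, and the trusted domain name it checks against is an assumed parameter.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): the display name looks like a
# co-worker, but the actual sender address and the link target do not match.
SAMPLE_EMAIL = """From: Peter Parker <peter.parker@example.net>
To: me@example.com
Subject: Daily report
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your report is ready:
<a href="http://login-portal.example.net/report">https://reports.example.com/daily</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Hostname of a URL (or of a bare string that looks like one), lowercased."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def phishing_warnings(raw, trusted_domain):
    """Return the red flags a cautious reader should notice in this message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    name, addr = parseaddr(str(msg["From"]))          # display name vs real address
    if addr.rsplit("@", 1)[-1].lower() != trusted_domain:
        warnings.append(f"sender '{name}' is actually {addr}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:               # shown URL vs real target
        if "." in text and host_of(text) != host_of(href):
            warnings.append(f"link text '{text}' goes to {host_of(href)}")
    return warnings
```

Run `phishing_warnings(SAMPLE_EMAIL, "example.com")` to see both flags; the same checks apply to any raw message you can export from a mail client.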
The whole idea here is to lessen the attack vectors available to malicious jerks. There are many more security products and services available. We must accept the fact that cyber criminals are making money, so they will continue to push the boundaries and find new ways to take advantage. With today’s technology, it’s easier than ever for those with ill intent to write a script to automate various attacks. They then play a waiting game while flooding their would-be victims with a plethora of attempts until a small percentage of them work. Finally, they swoop in and punish individuals and companies for not being prepared enough. Let’s fight back!
It just so happens that LookingPoint offers multiple security services if you’re interested. We can configure the monitoring and alerting for you and work with you on security assessments. If you’re interested or want more information, give us a call! Please reach out to us at firstname.lastname@example.org and we’ll be happy to help!
Ryan Alibrando, Managed Services Team Lead