What Went Wrong: Recent Successful Cybersecurity Attacks and How to Prevent Them
DETROIT–The unfortunate reality is, most companies will eventually experience some kind of security incident. And most will not be prepared. Knowing what to do when such an attack happens could mean the difference between staying in business…and not.
An emerging cybersecurity threat is ransomware, in which an attacker locks up or encrypts the files on a victim’s computer, then demands payment to restore access. In the past several years, more than 100 U.S. companies experienced ransomware attacks; recently, a massive ransomware attack focused on the City of Atlanta, a situation that was not resolved for days and involved reportedly tens of millions in dollars.
“Ransomware is extortion, plain and simple,” said Thomas Dryden, chief information officer with Berkadia, Horsham, Pa., here at the Mortgage Bankers Association’s Technology Solutions Conference & Expo. “Chances are you unintentionally installed it yourself because you were a victim of ‘phishing’ or ‘spoofing’ and thought you were clicking on a valid link.”
And, “it’s getting nastier and nastier,” Dryden said. “It used to be that if you paid up, you got your data back,” he noted. “Because ransomware frequently takes advantage of vulnerabilities and compromises a lot of systems, there isn’t a lot of ethical behavior involved.”
Ransomware examples such as WannaCry are particularly troublesome. “Once on your system, it searches for other vulnerable systems,” Dryden said. “Typically, if there’s one un-patched device on the network, there’s plenty more to infect.”
To protect against ransomware attacks, Dryden encouraged companies to back up data frequently–“at least daily,” he said–and invest in endpoint/malware protection that is frequently updated. “The other thing you need to prepare for is that it is going to happen. You need to decide if you are going to pay; how much you are going to pay; and have in place a cybersecurity insurance that aligns with your cost tolerance.”
Phishing is the gateway to ransomware, Dryden said; recently, Berkadia experienced an “onslaught” of phishing attempts, including an alleged email that came from the company CEO. “You need to educate your employees so that they are the first line of defense, instead of the last,” he said.
John-Thomas Gaietto, executive director of cybersecurity services with Richey May Technology Solutions, Englewood, Colo., outlined a case study in which a regional commercial and residential real estate company began experiencing a growing series of wire transfer fraud attacks, with emails that appeared to originate from the accounts of key members of the executive leadership team, including the CEO and CFO. The attack had actually started earlier, when the attacker discovered, and began using, a password that had been compromised from another website the victim used personally and that the victim also used for business purposes.
Over time the attacker monitored the victim’s email account and identified a number of potential deals and transactions. The attacker then used that information to send targeted emails from the victim’s email account to a number of different parties requesting that money be wired to an account controlled by the attacker. The victim company was eventually notified of the suspicious activity by one of the recipients of those targeted emails.
Gaietto said many such attacks can be thwarted with tools such as Multi-Factor Authentication (MFA) and Domain-based Message Authentication, Reporting and Conformance (DMARC). “It’s also a good idea to keep your domain name as simple as possible,” he said. “The longer your domain name, the easier it is to compromise it, by simply adding or subtracting a letter.”
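To make Gaietto’s lookalike-domain point concrete, here is an added Python check (not code from the article or from Richey May) that holds inbound mail whose sender domain is within one edit (a letter added, removed or swapped) of the company’s own domain; the trusted domain and the sample From: headers are constructed for the example.

```python
import re

TRUSTED_DOMAINS = {"example-lender.com"}  # assumption: the company's own domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def sender_domain(header_from: str) -> str:
    """Domain part of a From: header value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_from)
    return m.group(1).lower().rstrip(".") if m else ""

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 1):
    """Trusted domain that `domain` imitates, or None if exact or unrelated."""
    if domain in trusted:
        return None  # the real domain; DMARC and MFA cover this case
    for t in trusted:
        if edit_distance(domain, t) <= max_edits:
            return t
    return None

def flag_suspicious(headers):
    """[(from_value, imitated_domain)] for messages worth holding for review."""
    hits = []
    for h in headers:
        imitated = lookalike_of(sender_domain(h))
        if imitated:
            hits.append((h, imitated))
    return hits

# Constructed sample From: header values, not real mail.
SAMPLE_FROM = [
    "CEO <ceo@example-lender.com>",         # legitimate
    "CEO <ceo@example-lenders.com>",        # one letter added
    "CFO <cfo@exampl-lender.com>",          # one letter removed
    "Vendor <billing@examp1e-lender.com>",  # l -> 1 substitution
    "Bank <ops@otherbank.com>",             # unrelated domain
]
```

`flag_suspicious(SAMPLE_FROM)` returns the three lookalike entries and leaves the genuine and unrelated senders alone; a real deployment would feed it the From: and Reply-To: values from the mail gateway.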
With wire fraud, “more and more companies are simply eliminating wire transfers,” Gaietto said. “They are establishing specific business processes for wire transfers that exclude use of email.” He also recommended that, prior to an incident, companies get to know local and federal law enforcement teams and learn how to report wire fraud and other suspicious activity.
At a high level, the defining characteristics of a cyber-prevention model include Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity.
“What we see is a lot of lack of preparation,” said Tom Clerici, cyber security practice director with Arraya Solutions, Plymouth Meeting, Pa. “What we also see are a lot of companies in a reactive mode, because they didn’t prepare for an attack they didn’t think was going to happen.”
There’s compliance, Clerici added, and then there’s security. “You still have to perform the regulatory compliance tasks, but you also have to prepare the security procedures that make compliance possible,” he said.
“One of the things we’ve done badly is develop a means to determine if we’ve been breached,” said William Klumper, consultant with FirstStep Software Systems, Dallas. “Mortgage companies have a lot of static data, which makes detection difficult.”
In another case study, a document management company with 150 employees had not invested substantially in IT, despite having many customers. The incident started when a user in accounting received an undeliverable-mail notice for an email the employee had not sent. An IT person in the company examined the email logs and found that the message had come from an attacker in a foreign country, who had sent the company’s clients a phishing email asking them to change their billing information. Financials in the user’s email were compromised, and more than $500,000 was wired to the bad guys.
“The first thing they should have done was find the source of the email,” said Bob Orkis, principal with RKO Technical Services, Dallas.
“In the response stage, there are several things taking place at the same time,” said Colin Richard, associate with Jones Day, Washington, D.C. “You have to find out what is implicated–customers, employees, etc. The advantage of having an advance playbook is that you can mobilize a response team that can contain the situation and formulate a response.”
“It becomes very important to know exactly how your systems are put together,” Klumper said. “If you know the data flow, you can determine whether your breach involves just one or two systems, or if your entire system is compromised. In many cases, you’re not going to discover how bad things are until 90 or more days have passed.”
In this particular case, Clerici said, the company panicked, holding several high-level meetings, before engaging Clerici’s third-party security company, which initiated a recovery plan that included password changes, multi-factor authentication for all email accounts and other security measures.
“The learning phase is an important consideration after an incident,” Richard said. “Putting new plans in place; evaluating those plans; revising employee training and implementing policies and procedures–it’s important to learn from successful and unsuccessful events.”
“You need to have someone take charge of this process,” Klumper said. “Security is an iterative process. Just because you’ve taken certain steps now doesn’t mean you’re finished. Security is really data safety; you have to have confidence that if you are putting your data in a hostile environment–the internet–you have to make sure people are adequately trained so that you are building a security program, which will enable you to be effective and protect your operations.”
In another case study, a company received the “Blue Screen of Death.” A financial systems software company with 100 employees started experiencing attacks in which servers and PCs got an unexpected blue screen and had to be physically rebooted. Work came to a standstill; the company’s data center was rendered virtually useless.
“Speed is essential in this case,” Orkis said. “You need to isolate the attack, establish areas that are immune to attack and formulate an action plan.”
A third-party security company was brought in to break the company’s online structure into dozens of different pieces. Complicating the process was that the malware mutated as it was detected, launching new attacks. The security company installed advanced malware protection across all the company’s machines, rebuilt directories and upgraded the company’s firewall. All in, the process took more than a week and cost more than $700,000.
“If they had just put multi-factor authentication in place, they could have avoided this,” Clerici said.