The day following the news of the ransomware attack, New River Computing’s service manager Mark Phillips had the presence of mind to see what was up over at Colonial Pipeline’s website. Mark stumbled upon this darkly humorous job posting:
Colonial Pipeline was clearly trying to hire an experienced cyber security manager for at least thirty days before the breach. Cyber security hires have a literal negative unemployment rate - There are vacant seats in desperately needed cyber security positions across business, government, NGOs and nonprofits. That leads us to Takeaway #1: Our educational system is not producing enough cyber security experts. This is also followed close on the heels by Takeaway #2: Colonial Pipeline was not offering a generous enough compensation package to attract talent that could have prevented this attack. Could they have hired? Almost certainly, and I bet the leadership team is kicking themselves for not getting the position hired at a premium cost. I’ll also bet that the Board of Directors is kicking the leadership team, too.
Even if Colonial Pipeline had promptly filled this position, would it have made a difference for this attack? I think the answer is a firm "maybe." Let's dive a little into the attack to find out why the answer is "maybe." Originally, speculation about the attack surrounded an unpatched server. According to more recent reports, the attack was conducted via a malicious email, so the breach was caused by a successful phishing attempt. An email came through whatever email filtering package was in play (if any) and a user did something they should not have, and their computer was under control of a bad actor. Once a single machine was compromised, the entire business unit was compromised by lateral movement of the threat actor. That means there were at least two opportunities to prevent this attack. First, a single user in the finance department clicked on a link that set off the chain of events that led to the shutdown of the pipeline. How do we prevent users from clicking on a malicious email? Consistent, constant training. Anti-phishing training is a must for all organizations that use email. What does this phishing training look like? One of the best ways is to phish your own users, and if someone clicks on the bait, redirect that user to a website with some materials describing why they should not have clicked on the bait as well as tips for identifying questionable emails. Takeaway #3: Periodic phishing tests and security training are an essential part of every company’s security posture.
So, training will never be perfect. What is the next line of defense? Preventing lateral movement of a threat actor. Let me explain: A properly set up network will have safeguards in place that will keep the bad actor from moving from device to device, computer to server, and server to server. By all appearances, Colonial Pipeline did not have these commonsense precautions in place, probably because the company lacked the talent or management buy-in to institute reasonable security measures. Takeaway #4: Commonsense technological controls must be in place to prevent a compromised computer from bringing the whole network down.
Let’s take a quick look at why Colonial Pipeline shut down shipment of fuel. The attacker did not, as some supposed, take control of the pumps, valves and systems that control the pipeline. Rather, they took away the ability of the company to bill their customers for the fuel they were consuming. Accordingly, Takeaway #5: Had this been a true emergency, fuel could have kept flowing, Colonial Pipeline could have taken a huge financial hit, but the gas shortage could have been averted. But they chose not to for financial reasons. I cannot fault that decision too heavily but just wanted to emphasize that the distribution system was capable of delivering supply and this attack was not on the physical infrastructure but rather the company’s back office.
Finally, we should note the fallout from this attack: Through a concerted law enforcement and political pressure on nations harboring the villains, the bad actor’s operations apparently have been rolled up. Further, the bad actors had to decrypt other organizations undergoing similar attacks and basically are out of a job, at least for now. Considering what happens to Russians who draw unwanted attention to their government, I reckon the perpetrators are fleeing the country and watching their backs. The final, and most important takeaway I have is Takeaway #6: Government can punish the perpetrators of these attacks but lacks the will (and perhaps budget) to punish all but the most visible attacks. And that must change.
If you are interested in having your organization phish tested, preventing lateral movement of bad actors, or just having a talk about security please reach out to us.
On May 12th, President Biden signed an Executive Order to improve the nation’s cybersecurity and protect federal government networks. Recent cybersecurity incidents such as SolarWinds and the Colonial Pipeline incidents are sobering reminders that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals. These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.
This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States' ability to respond to incidents when they occur. It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses.
Specifically, the Executive Order the President signed will:
Did you that the Firefox web-browser was originally named after a red panda, whose nickname is firefox? This has caused some confusion about whether the animal on the Firefox logo is a fox or a red panda. Thankfully, Firefox put an end to the Internet debate by confirming the logo is a fox hugging the globe, via their Twitter account.