Last week there was a joint advisory issued by multiple National Security Agencies in response to the ongoing rise in cyber-attacks globally. The document:
It’s not the first time a joint announcement like this has been made, and it’s becoming more common. These collaborative advisories are in part as a result of respective governments’ agencies working collectively to combat common adversaries. From a practicality point of view, too, they assist the many organisations that are seeking to protect their operations across the multiple jurisdictions with an enterprise-wide security strategy.
As a result, on April 28th a document agreed between the security agencies of the United States, Australia, Canada, New Zealand, and the United Kingdom was published. Specifically:
Clearly the content provides vital cyber security threat intelligence and extensive advice; see links and highlights below.
But what can we deduce from it more broadly?
There was a similar publication (US-only) in January 2022 (see here) and a more recent one focussed on the increasing cyber security tensions around the conflict in Ukraine and Russian-sponsored and criminal cyber threats against US and other Critical Infrastructure sectors (on 20 April 2022, here).
Government agency security advice, and even guidance to critical infrastructure providers and other specific sectors, has tended to operate within jurisdictional silos. These more recent advisories are certainly much more joined up than in the past and potentially better suited to the organised nature of what are, after all, becoming common adversaries.
For defence supply chain cyber resilience, the US has its CMMC programme, the UK has DEFSTAN 05-138, and Australia has the DISP; these closely relate to compliance/assurance schemes like the Essential 8 in Australia and Cyber Essentials in the UK.
The unification of these advisories might be a longer-term, or even a utopian, dream; but as anyone who has come from any other sector will attest, international standards authorities generally resist any interpretation other than their own when it comes to a particular requirement. The fact remains, however, that these standards, while differing in organisation, structure and origin, are often indistinguishably similar.
This convergence or overlap is not really surprising. Each agency is working to defeat increasingly common adversaries, and so the publication of joint threat announcements and advisories is to be encouraged. Confirmation of this growing harmonisation of security standards and assurance is the fact that the NCSC Cyber Essentials and ACSC Essential Eight frameworks are both acknowledged as meeting the good cyber hygiene requirements for Levels 1-3 compliance of the latest CMMC framework.
On ransomware specifically, there is very little divergence between the recommended mitigation strategies contained in the NIST IR 8374 guidance, the NCSC mitigation guidelines and the ACSC Essential 8 framework.
In a world where organisations are seeking to coordinate their cyber resilience efforts across all geographies, the fact that security recommendations across various jurisdictions are aligned is helpful. It makes for standardised processes across the organisation which assist in the overall management of cyber security and the cost effectiveness of the IT governance efforts.
Lastly, it is worth noting that when you look at the content of the current advisory, the vulnerabilities are carefully categorised – they start with the most frequently used in attacks. The message is clear, if they are that common and presumably damaging, it’s a good idea to take pre-emptive measures to mitigate them before they impact your business.
A review of the mitigations and recommendations in the advisory makes it clear that they all fall under the heading of “cyber hygiene” – foundational, universally accepted security controls that should be ubiquitous and are, simply, good practice. So, an ability to measure and manage the security hygiene of your enterprise using one framework is likely to reflect very similar cyber posture levels when using a similar framework from another jurisdiction.
Paraphrasing the recommendations slightly, the list is as follows:
It’s no coincidence, then, that the recommendations above overlap absolutely with other sources of information on how to mitigate ransomware and malware, for example from NIST, NCSC and ACSC. So, while detailed requirements can vary across security standards and frameworks, the effectiveness of security controls can be measured by the adequacy of good cyber hygiene or posture in any language.
This advice, although not new, is particularly important. In the context of the most common attack types it is brought into renewed focus through the advice of the various agencies, which can be found here: the ACSC Essential 8 framework, the NCSC ransomware risk mitigation guidance and NIST’s advice on ransomware defence in IR 8374.
The advisory itself can be found at: https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
Huntsman Security’s Essential Eight Auditor and SmartCheck for Ransomware solutions are assessment tools that enable organisations worried about the state of their security controls and ransomware risk to obtain visibility of their situation. They automatically assess the organisation’s cyber security posture and maturity levels, reporting the state of security control effectiveness for both operational and senior executive oversight.
In late November 2021 an APRA Insight report noted that it expected boards to have the same level of confidence and capability in reviewing IT cyber security issues as any other business issue. It also noted that during the preceding period, described by the Australian Cyber Security Centre (ACSC) in their Cyber Threat Report 2020-21 as having seen heightened complexity and sophistication in cyber attacks, an APRA survey had confirmed a definite need for boards to improve their oversight of cyber resilience.
The APRA survey sought to assess the availability and understanding by boards of the cyber security information and controls necessary to improve cyber resilience. Banks, superannuation and insurance organisations were included in the pilot survey. The observations were that boards need to play a more active role in:
APRA found that there was little evidence of boards actively reviewing and challenging cyber information provided by management. Sometimes the information was not fit-for-purpose or easily accessible. On other occasions, key information about the operation and effectiveness of security controls was not available at all.
To improve board performance APRA suggested a set of questions for boards to review and better challenge the security information provided to them, including:
These questions are undoubtedly instructive but, in an environment where the cyber threat landscape can change overnight, the effective communication and interpretation of cyber security information needs to be clear, accurate and timely. A cyber security report prepared for the board some weeks ago is a report about another time; and results of an annual audit conducted months or more ago are largely irrelevant.
In the mid-90s, Kaplan and Norton’s Balanced Scorecard (see summary) enabled business strategy to be transformed into a management process with the use of performance measurement and reporting dashboards. KPIs were established and changes in those measures were used to support systematic management review and decision making. Today, with evidence-based decision-making a part of everyday business activities, it is time that organisations used similar-style scorecards to quantitatively measure and inform the management of cyber security, with the empirical measurement of KPIs, gaps in security controls and mitigation efforts, trends over time and a summary of residual risk for risk management and resilience efforts.
The ACSC Essential 8 cyber security framework can help here. The Essential 8 is an easily accessible and acknowledged international security standard that incorporates answers to many of the key technical questions that directors need to ask about the effectiveness of their cyber security strategy and their security controls.
Figure 1.0 The ACSC Essential 8 Cyber Security Framework
Equally important is that information about these technical controls can be automatically measured and reported in a scorecard format to visualise the state of each security KPI and so drive evidence-based cyber security risk management decision making and board oversight. A standardised scorecard format quickly informs the key cyber security KPI scores, provides traffic-light metaphors for performance and informs trending for the timely management of cyber resilience. It also highlights to executives and boards matters of concern or weakness that might require urgent clarification or intervention.
ACSC in their Cyber Threat Report 2020-21, made the important observation that “the increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations”. This highlights the increasingly dynamic nature of the cyber threat environment and the increasing need for more timely risk measurement, reporting and board decision making.
It’s true that dialogue with management to challenge and review cyber security information is an important task of director oversight but increasingly the success of resilience efforts depends firstly, on the accuracy, timeliness and relevance of the available security information and secondly, the rigour of decision-making. Reflective of the fact that cyber security circumstances can change overnight, there is a growing demand in some sectors for near real-time cyber security reporting and decision-making. The Securities and Exchange Commission (SEC) in the US, for example, is currently considering mandated on-going cyber security disclosures for public companies.
There is an unquestionable need for increased frequency of information updates on cyber security controls and levels of resilience. As any security engineer will tell you, the day after “patch Tuesday” is “exploit Wednesday” when a new set of vulnerabilities is revealed to the very real concern of security and risk teams. All stakeholders need to understand that reality – there is no such thing as set and forget in cyber. Additional questions and rigour in the collection and analysis of the information provided to boards is important but the accuracy and currency of that information are key determinants of the effectiveness of a cyber resilience program.
The APRA survey revealed that not only was key cyber security information not available for some boards to adequately interpret and understand, but information on “measures” of controls like testing of data backup and incident response programs, was limited. More than 1/3 of respondents (a term which still suggests a degree of subjectivity in the survey) admitted to not testing data backups for more than 12 months. Again, APRA suggests that: Boards should enquire as to the status of back-up and recovery testing and their adequacy.
As with technical security controls, metrics about the extent and frequency of staff cyber security training, and the data back-up and incident recovery programs, can easily be added to a cyber security type scorecard and provided as part of a broader report verifying the effectiveness of each security control. Scorecards that include both technical and non-technical cyber security controls and their effectiveness are already available for senior managers and directors to assess their preparedness for a ransomware attack.
Figure 2.0 A scorecard measuring the effectiveness of 12 key security controls for resilience against ransomware
The final concern raised in the APRA survey was that organisations should ensure that information about security controls is effectively communicated across supply chains. The interdependence between organisations in the finance sector is already significant and will only grow as increasing numbers of customers access the greater innovation, competition and productivity offered, for example, by Open Banking. The security implications for the financial sector are significant: increased attack surfaces, securing APIs that enable access between systems and ongoing protection of sensitive data, will challenge 3rd party service providers and the overall resilience of the sector.
Financial institutions and their downstream 3rd party service providers need assurance that trust between parties and cyber security maturity levels are being maintained. It’s now, however, just as important that your high priority 3rd party suppliers undertake similar quantitative security assessments and share those results between supply chain participants. Any lack of rigour in the measurement of the effectiveness of cyber security controls of 3rd party providers puts the resilience of all stakeholders at risk. APRA noted that the heavy reliance by many organisations on self-assessments and questionnaires by their service providers limits the ability of organisations to verify the adequacy of their cyber security posture.
Again, the use of the ACSC Essential 8 security framework and regular measurement and scorecard reporting, as part of the broader communication of security information and resilience, will alert the board of any matters needing attention.
In their November 2021 Insight, APRA recommended that boards review and challenge security information on cyber resilience. It encouraged entities to test the effectiveness of their data backups and business recovery plans, and to ensure verifiable security information is available to participants across the supply chain.
These are the ambitions of regulators everywhere. The question, however, is how this is best achieved by professional boards very familiar with the assessment and management of risk, but often not with the persistent nature of cyber security risk. Risk committees and advisors can always assist, but it’s paramount that cyber security risk and resilience management information is timely and couched clearly and accurately in the familiar lexicon of risk. Familiar graphical reporting, key performance indicators and trends against internationally acknowledged markers can inform on the quantitative status of resilience efforts. They can also prompt enquiry and investigative rigour by boards as they guide the management and oversight of an, as yet, unfamiliar but significant risk to the digital enterprise.
Cyber security insurance used to be like any other risk management tool. Manage it by building internal expertise, outsource it to a specialist provider; or lay it off to an underwriter or insurer. Cyber insurance has been seen as an effective risk management option to protect against loosely defined operational risks for many years.
Things are changing. Right now, cyber insurance is becoming increasingly difficult and costly to procure. It’s at the point where you need to verify your ability to manage the security risks in order to be eligible to insure them.
Pricing cyber risk is proving to be an imperfect science for insurers. Cyber risks emerging from some digital transformation initiatives, the explosion of ransomware claims and the massive increase in loss ratios for insurers has fundamentally changed the market. Insurers now want evidence that cyber security controls are in place and that the effectiveness of cyber risk management efforts can be substantiated.
They want to know that there is:
They also need a high level of confidence that technical risks, too, are being managed in line with a recognised security risk management framework – for example, ACSC Essential Eight, ISO 27001 or NIST.
Cyber security has shown itself to be one of those risky areas where things can go wrong, and it’s too late after the event. An insurance proposal can now take months to prepare, with involved questionnaires and supplementary queries after that. Even then, when the specific technical requirements of the insurer are met, you may still find significant premium increases, coverage limits, exclusions and retentions. Improved quality of cyber security risk data is now a priority for all stakeholders in the insurance process – with insurers seeking assurance of a stated posture and those seeking insurance needing to be able to verify just that.
Those seeking cyber insurance in 2022 can expect more of what occurred in 2021:
Insurers are now effectively setting the table stakes for security controls as international security agencies confirm the importance of those very same prevention, containment and recovery mitigation strategies. There is now some real clarity around the security steps organisations need to improve their cyber resilience. Putting in place a system that measures the effectiveness of each of these safeguards is a foundational step in the success of any cyber risk management process.
Whether it’s to meet the pre-conditions of an insurer, to improve your cyber resilience or to comply with tightening cyber regulatory requirements, organisations should adopt a security framework and maintain compliance processes against the relevant cyber security controls: a set of safeguards that can be regularly measured, with any variance reported for risk management purposes. Those controls should include both technical and “softer” cultural controls, for example staff cyber security training and awareness programs. These KPIs need to reflect the adoption of a cyber security culture within the organisation from the top down, at both technical and business levels.
With appropriate cyber risk management systems in place, poor performance of any one of your controls can be quickly identified and the security gap closed. With the increasing volatility of security operating environments, time is of the essence, so the more responsive the security risk management process the more cyber resilient the enterprise.
In fact, supported by systematic empirical measurement the security and risk teams, as well as senior executives, can promptly make evidence-based decisions about the state of their cyber security preparedness.
The latest joint ACSC, NCSC, FBI, NSA and CISA cyber security advisory, reminds organisations that it is vital to maintain an active awareness of their cyber posture in the current hostile risk environment. Organisations should ensure that they have effective measures in place, to inform their security and risk, as well as their executive, teams of the security posture of the enterprise. Cyber security is no longer a set and forget activity – so having regular visibility of the state of your security controls is now a base-line security requirement.
As noted above, the controls recommended in the latest joint advisory are closely aligned with the “mandatory” mitigation efforts being sought by cyber insurance underwriters everywhere.
The good news is that cyber insurance policies are still being written; it’s just their terms have tightened. The successful management of adequate security controls across your organisation will deliver two important outcomes:
Neither of these can be ignored, if as forecast, cyber insurance is to become an increasingly important part of managing the risks associated with digitalisation.
From the perspective of both insurers and international security agencies, organisations are not as well protected as they should be. This low level of protection makes the risk of attack higher, and given the nature of the threats, the impacts more severe. That also affects insurance premiums.
So, if you’re starting out, it’s a good idea to focus attention on improving low-cost but high-value controls. Often some of these are built into your IT systems and yet may not be appropriately configured. The improvement of high-value security controls can significantly improve your insurability, and the costs of some of these efforts need not be prohibitive.
For example, prompt and rigorous patching of systems and fully testing backups are fundamental steps in a good cyber hygiene regime.
Human error has been blamed for as much as 90+% of cyber security breaches so again it provides good scope for high value security controls.
The first and most cost-effective initiative is to improve staff training and cyber awareness. Reducing the risk of someone clicking a malware attachment or installing unauthorised third-party applications can pay big dividends.
Second, managing the way privileged accounts are assigned and used. Minimising who has access, for how long and for what purpose can be a significant risk mitigation strategy.
Thirdly, when it comes to building or configuring systems, IT and security team members need to be aware of the key role they play in secure code development and application security. Proactive security practices and cultural awareness can impact significantly on improving your overall cyber posture.
You can also do a lot to ensure that if an incident occurs you have sound processes and plans, and an available expert service in place.
It may not reduce your actual premium but it will almost certainly reduce the overall cost of an incident.
This is part of the process – the last line of defence: defining a plan, testing it and having the tools and mechanisms at your disposal if and when you need them. In the case of ransomware, for example, backups are a major part of any recovery plan. Backups that have been tested as suitable to reinstate business operations are a significant fallback, in that they provide more options for resolving your situation.
Where once a back-to-base alarm or deadlocks would earn an insurance premium rebate, in the cyber insurance market equivalent security controls are merely the cost of entry. While the improvement of some controls can provide greater benefits than others, ultimately good cyber posture with verifiable assessment artefacts is now a condition precedent for cyber cover.
As insurers challenge your answers to mandatory questionnaires and insurance proposals and interrogate your security team for evidence, it’s important to be prepared. Tightening your controls, managing your staff awareness and incident plans will confirm your intent. Having an easy-to-understand report on the state of each of your security controls for all stakeholders, their effectiveness and ultimately your cyber maturity level will also help. It will provide the audit artefacts that insurers and regulators are increasingly seeking.
Trying to “game the system” is no longer an option. If you want to participate in one of the increasing number of industries that require minimum levels of cyber security compliance, you need a security risk management system that easily and quickly reports your cyber security posture and any vulnerabilities requiring your attention.
Keen campers, scouts and even the Swiss Army know – that a good penknife is indispensable.
This simple device has mitigated many a disaster at one point in time or another. Whether it’s to cut through a bit of string, tighten a screw or simply to solve the problem of no bottle opener in the mini-bar – this is a multi-purpose tool that can fix just about anything.
The advantage of a penknife, aside from the fact that it folds up for safe storage, is that it’s like having a small “tool box” in your pocket. You can reach for one device to very effectively solve a multiplicity of problems.
The main benefits are that it is easy to use and highly adaptable with each blade designed to control and quickly mitigate a particular issue – whether it’s manicuring a nail or removing a fish-hook. Farmers, adventurers and even international frequent flyers won’t leave home without one.
These wistful reflections on outdoor and even urban survival with a penknife remind me that Huntsman Security’s SmartCheck for Ransomware technology, too, as a multi-purpose security tool, can assist with a surprising number of cyber security issues: from the consultancy community seeking to provide relevant mitigation advice, to enterprise executives worried about their readiness for a ransomware attack (which right now is every executive).
Just the term “Swiss Army knife” conjures up thoughts of reliability, versatility, practicality and function. SmartCheck for Ransomware, delivers the same multi-purpose authenticity and dependability when it comes to staying on top of your cyber security controls. One tool, multiple uses.
SmartCheck for Ransomware verifies 12 different controls spread across the ransomware/cyber-attack kill chain (prevention, containment and recovery) – giving detailed status reports and clear visibility of any weaknesses of a control, plus clear performance measures of each of the three phases and an overall aggregate KPI display.
If you want to whittle a tent peg, remove a splinter and then have a beer (these activities could be linked) you need a penknife. If you want to check OS and application patching, verify Active Directory policy settings for application and macro controls, and then verify administrative account settings you need SmartCheck for Ransomware. Better than the penknife, it can perform each task in parallel!
The penknife is the ultimate portable tool or gadget.
The “go-anywhere” security assessment tool
SmartCheck for Ransomware is a compact, user-driven application, too, that can be installed on a laptop and taken to site by a consultant or installed on an enterprise system by an in-house security manager. It can even be used to gather information about the security status of a third-party supplier. The data collected can be analysed for reporting locally or sent back for central analysis from anywhere in the world.
In short, it can be easily taken to where the data is, where the user is, or where the report needs to be. Whichever is easiest; it’s absolutely portable.
A penknife is a useful gadget whatever you are doing and wherever – it is a highly versatile solution to many everyday problems. SmartCheck for Ransomware is similarly versatile with its ability to identify potential security vulnerabilities and inform their mitigation.
SmartCheck for Ransomware provides similar flexibility.
Let’s look at some examples of where SmartCheck for Ransomware’s versatility is so important:
Lastly, the “Swiss Army knife” name and brand carry a lot of weight. Yes, there are other brands of penknives, but none are as prestigious as a Swiss Army knife – it embodies trust, reliability and quality.
SmartCheck for Ransomware has defence pedigree
Likewise, Huntsman Security has been providing customer security monitoring, automation, analytic and risk/control measurement solutions to defence, government, criminal justice, enterprises and managed security service providers for over 20 years. These are organisations where security really matters, where knowing the state of your defences is important because the consequences of a security failure can be serious. For these types of organisations, quality and reliability matter.
In addition, the controls that SmartCheck for Ransomware measures and reports against are drawn from the ACSC Essential 8 framework, the NCSC ransomware risk mitigation guidance and NIST’s advice on ransomware defence in IR 8374.
So, with a trusty Swiss Army knife or Huntsman Security’s SmartCheck for Ransomware, you can be sure you are well prepared to mitigate almost every risk.
In light of recent world events, many governments are strongly advising organisations to monitor for cyber-threats and take steps to enhance their cyber security posture. In Australia, this advice has come in the form of the latest ACSC advisory dated March 4th 2022. It outlines the increasingly hostile malware attacks, ransomware environment and the state-sponsored targeted attacks on network devices.
Links are also provided to CISA and NSA publications for guidance on securing networks, other ACSC and Partner reports as well as a comprehensive Appendix that details common cyber attack and mitigation techniques in a handy threat taxonomy aligned to the MITRE ATT&CK® matrix.
The advice is intended for entities to take the appropriate action to protect their systems and networks. It is drawn from observations in the field and the approaches and techniques currently being used by attackers. In summary the Tactics are:
The advisory reminds readers to review their detection, mitigation and response measures in the current threat environment.
Helpfully, it also contains a lengthy Appendix that identifies particularly concerning MITRE ATT&CK® Tactics and their corresponding Techniques categorised by industry sector and malware type. Readers will note that this is a significant and lengthy list of considerations, particularly as each technique may have several alternate or complementary mitigation procedures, that a defender might institute.
An important consideration is, irrespective of the level of defence in place, how do you incorporate the monitoring of these threats and visualise attacks, as they are happening, as part of your Security Operations?
Some SIEM technologies have moved to quickly integrate the significant benefits of the MITRE ATT&CK® knowledge base into their detection, mitigation and response capabilities. For example, in the latest Huntsman Enterprise SIEM (V7) the associated detections of events and alerts are automatically visualised on MITRE ATT&CK® heatmap displays to show the tactics and techniques currently detected across the monitored environment and their progress towards their malicious objective.
Huntsman MITRE ATT&CK® Heatmap
Each cell is colour coded to highlight the scale, number or volume of observations. With this sort of information at hand, it can quickly be used to gain an understanding of what attacks are being experienced, how far along the “kill chain” they are and, importantly, the relative importance of a specific response.
Of course, monitoring alone isn’t enough. Controls need to be in place and operating effectively to defend systems against attacks too. This means configuring in-built security settings as well as deploying prevention, containment and recovery controls to enhance your cyber security posture.
The ACSC advisory also reminds organisations to remain vigilant against ransomware attacks and the importance of good cyber hygiene in those efforts. Again, this has been a major focus of the new Huntsman Security SmartCheck for Ransomware solution which measures and reports on the effectiveness of 12 key security controls to enhance your cyber posture and combat ransomware, one of today’s most prevalent threats.
SmartCheck for Ransomware control report screen
The ransomware scourge of 2021 hasn’t abated in 2022. At a state level, there are numerous reports of renewed attacks against government systems in Ukraine. In business, memories of JBS Foods were sparked when UK snack food producer KP found itself victim to disruptions to supplies and deliveries following a ransomware outbreak.
Governments and national security agencies have published standards and guidance in the past, such as the Australian Essential 8 Framework and the UK’s ransomware mitigation guidance. The problem persists, and so last week a joint advisory was issued by the security agencies from Australia, UK and the US. It raises the latest observations about ransomware threats, and what to do about them. It particularly talks to “sophisticated, high-impact ransomware incidents against critical infrastructure organizations”.
The advisory observes the following attacker behaviours from recent ransomware cases:
Those familiar with the mechanics of a ransomware attack will not be surprised, although the persistence of attacks shows that organisations still have more work to do in putting security controls in place and ensuring their effective operation.
The advisory is not a short document, it contains a good deal of detail and explanation. The key steps to take, however, echo previous publications and research. We published a series of blogs on ransomware prevention, containment and recovery in response to attacks last year. They remain relevant.
The advice in this advisory includes:
Mitigations to reduce the likelihood and impact of ransomware incidents:
More specific steps to limit an attacker’s ability to learn about your enterprise and move within it:
While this might seem to be a significant list, the majority of these mitigation steps should be familiar to you. The first set of mitigations is not new; they are foundational controls that constitute “cyber hygiene”, and they are broadly accepted as good security practice.
The challenge for businesses, in many cases at least, is not knowing “what” to do. This latest advisory is useful in putting the importance of controls in context, and it’s hard to ignore, especially when it is issued by multiple international agencies.
The problem still lies in “doing” the right things, “making” the necessary changes and “managing” the key controls. This is where oversight and governance come in. To have a robust control environment it is important to understand what the status of controls is – the cyber security posture – and to be able to monitor for any shift over time to track improvements or identify and mitigate weaknesses before they put the organisation at risk.
The status of controls, and of overall ransomware defences, is increasingly being scrutinised by regulators, managers, third parties, customers and cyber-insurers; and it is bound to happen more often. It is vital to get a clear picture of the operating effectiveness of your defences so you can know your weaknesses and hence improve your ransomware readiness.
With the recent past focussed on COVID-19, and lockdowns now starting to end around the world (certainly in the UK, Australia and the US), for many it’s time to turn their attention to one of the biggest retail events on the calendar. This year, in fact, it may even determine whether you get that Christmas gift for someone special or end up emailing an apology because it’s still clearing customs!
Traditionally, “Black Friday” and “Cyber Monday” are the focus of as much retail activity as shops can generate and shoppers can bear. In 2020 for example, despite COVID-19, there were an estimated 100 million on-line shoppers searching for bargains. In only a few short years it has become a pre-Christmas phenomenon, globally. Friday and Monday span the US Thanksgiving weekend, and with it being close to the last pay period before Christmas, they are now as important to traditional stores as they are to online retailers.
Despite the disruption (and frustration) from the pandemic, this year Black Friday could become the touch paper that sets consumer driven economies back up and running. The only possible cloud on the horizon is the ongoing and significant supply chain issue which is creating shortages in just about everything, everywhere.
Hopes are certainly high that Black Friday and Cyber Monday will meet expectations. There’s already a buzz. People want to be able to shop for deals, and they want bargains. After two years of disruptions, you can’t blame them for wanting to get their Christmas shopping done early – like shopping for gifts and even starting to get hold of the other things they plan to celebrate with – alcohol, food, treats, Christmas jumpers etc.
What we’ve also seen this year, however, is an increase in high profile ransomware attacks. Colonial Pipeline was forced to shut down its pipeline systems, which resulted in petrol shortages on the US east coast. JBS Foods suffered processing disruptions that led to food deliveries being delayed.
Ransomware has shown its ability to seriously disrupt businesses and the services they provide; increasingly, vulnerable organisations are now being targeted for maximum impact. We have seen DDoS attacks used to impact companies at critical times, such as major sporting events and peak shopping periods. A cyber disruption to the finance sector in two weeks’ time would not be helpful – impacting retail momentum and reinforcing the anxiety that has emerged during an unprecedented year of ransomware attacks.
For this reason, all parts of the supply chain need to maintain a level of diligence during the Black Friday/Cyber Monday season. Many retailers have already hedged against fulfilment concerns but with hopes of a bumper sales season, all supply chain participants should assess their risks and make a contingency plan where necessary.
Ahead of any peak trading period or highly critical time window, organisations take steps to ensure everything goes well: DDoS protection, the ability to scale bandwidth, extra delivery slots, warehouse space, additional inventory for sale products and staff overtime rosters.
Ransomware is a business risk – it can affect your business at any time, but especially at times when a disruption to activities would be most damaging. So, if the Black Friday/Cyber Monday sales are important to you or your business, it’s important from a cyber perspective to assess any potential risks ahead of time, and put safeguards in place as part of your risk management plan. The time is now!
The challenge of 2021 for security professionals is undoubtedly ransomware. It has, of course, been around for some years – but it really gained notoriety when the WannaCry and NotPetya attacks affected the NHS in the UK and the global shipping giant Maersk.
More recent attacks have cemented this malware genre at the high end of the risk spectrum; with recent examples being the Colonial Pipeline attack in May that led to fuel shortages and impacted US gas prices, the subsequent JBS Foods outbreak that caused food supply chain disruption, the continued attacks on healthcare in Ireland and New Zealand and even an attack on the insurance giant AXA SA.
The problem with ransomware is the level of disruption it causes. When you’re faced with encrypted and inaccessible data it doesn’t just mean that you can’t open files; on some systems the loss of that data stops many more important things from working. If, for example, it’s a domain controller or database the IT team will try to contain the spread of the infection by turning systems off, quarantining systems or even disconnecting the Internet.
This means that parts of the business that are otherwise unaffected can also lose the ability to operate. We saw this with Colonial. The billing system was affected by ransomware, but the pipeline systems were impacted (and deliberately isolated) by the response to it.
Additionally, the recovery process itself might not go entirely to plan. Colonial paid the ransom but found the decryption tool was too slow, so they had to revert to backups anyway. In the case of a food distribution business, getting data back and systems running again may not be quite as time dependent, but the concentration of food producers could quickly create a single point of failure. In healthcare the stakes are even higher, where interruption to IT medical systems can have immediate and fatal implications. Sadly, it’s for this reason that cynical ransomware attacks on healthcare systems are so prevalent. The implications of ignoring the threat are too high; and criminal groups know that.
Everyone is concerned about ransomware and they are right to be; but in the critical infrastructure sector the problem of loss of data and availability of systems is acutely felt, and not just by the company. Depending on the victim it can affect every one of us.
The problems come when the services and supply chains affected are time critical or they have the potential to impact our wellbeing. Petrol supplies can run low or be rerouted before there are major issues, food supply chains likewise, but in sectors like healthcare substitution is more difficult. Yes, you can postpone operations or treatment but that may lead to life threatening consequences.
If water supplies are disrupted, the power goes out, gas supplies are cut, or telecoms are down, the effects are much more immediate and widespread. If people can’t heat their homes, cook food, or access clean water – these things impact our wellbeing and quickly take their toll. The threat of ransomware attacks on these types of business is of most concern because of their potential to have major ramifications for our society, much more severe than even the worst scenarios we have seen so far in 2021.
Initially the threat models that were contemplated and planned for in these sectors were intrusion by skilled and malicious hackers intent on disrupting service delivery – someone who would gain access and subvert systems to disable pumps, alter flows, disable control systems or destroy machinery.
The concerns were that the attacks would be focussed on the industrial control systems (ICS) themselves or SCADA equipment. Defending against ransomware in the wider IT environment as it spread across the more traditional (and less important) platforms, and progressively turned systems into an encrypted logjam, was a priority.
It was these more sector focussed attacks on ICS/OT/SCADA that were front of mind when initiatives like the NIS Directive were instituted by the EU back in 2016 and when the US National Protection and Programs Directorate (NPPD) was set up in 2007 (and its successor CISA in 2018).
More recently, the NCSC in the UK has published guidance on mitigating ransomware, ACSC in Australia likewise, and the White House issued a “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems” on 28 July 2021 (read it here), which followed hot on the heels of the “Executive Order on Improving the Nation’s Cybersecurity” in May (read that here).
In Australia things are moving quickly. A new Critical Infrastructure Bill (CIB) seeks to (i) expand the sector beyond traditional utilities and, (ii) in consultation with participants, agree a regime of enhanced cyber security safeguards for the sector. Following the Colonial and JBS attacks, Australia has seen the risks of cyber attack on infrastructure targets as so urgent that it has sought to accelerate legislation by splitting the CIB. Part 1 of the CIB, currently before Parliament, seeks to quickly give the government last resort powers to “step in” to assist an organisation during a cyber attack. Part 2 of the Bill, which includes the definition of protective risk management programs yet to be agreed to by each industry, will then follow.
As its variants continue to yield worsening consequences for victims, ransomware sits menacingly between specialist SCADA and OT controls systems and the wider IT network security environment. The implications of an attack, therefore, can be highly disruptive either in the IT or OT environments and even worse if it impacts the provision of critical services to customers.
The recent events confirm, absolutely, that critical infrastructure providers need to avoid ransomware at all costs. This means that while they can contemplate specific detection systems and malware controls, they also need to focus on the basics of cyber security protection across both the OT and IT environments. Defending risk vectors with acknowledged security controls that can measure and report effectiveness levels to cyber risk management teams is vital.
The aforementioned guidance from Australia’s ACSC sums up the best approach concisely:
“Investing in preventative cyber security measures, such as keeping regular offline backups of business-critical data and patching known security vulnerabilities, is more cost effective than the comparative costs incurred when attempting to recover from a ransomware incident.”
Ransomware Readiness means having controls to:
Prevention is obviously vital, but Containment is especially critical for CI organisations where the knock-on effects, regulatory pressures, and affected parties can quickly become overwhelming.
A commercial business might have no qualms about closing off parts of its systems and slowing its ability to take orders for a few days. A power company, however, cannot shut off electricity supplies in the same way.
From what we’ve discussed, the logic is simply:
For boards and senior managers of CI organisations it is important to have confidence that security controls are in place and operating effectively.
There are numerous Information Security Management Systems standards and frameworks that operate effectively across the sector. What is most important in the CI sector, however, is that operations and senior management teams can quickly gain visibility of the state of their security control effectiveness, on-demand, from a baseline set of quantitative KPIs. If shortcomings are identified in any of the controls they can then be quickly mitigated and the risk of a security breach effectively managed.
If the best policy is to prevent impacts – through stopping initial infection, containing the spread and recovering data – these controls must be managed just like safety critical systems are in OT environments. This is where risk management comes in: you might have controls, but you can’t wait until they fail to be alerted to their potential for failure. If there are vulnerability gaps, they need to be quickly identified and mitigated, and corrective actions taken. Accurate reports need to clearly evidence the state of security maturity.
Lack of understanding and adequate oversight are arguably two of the biggest challenges when it comes to effective security management. The presence of basic security controls, like patching, must be confirmed and their effectiveness measured so that any deficiencies can be quickly identified and fixed. Weaknesses left unmitigated are the gaps that attackers search for; and so systematic risk assessments can improve your intel and reduce the risk of ransomware attack.
There has recently been a prominent example of how damaging a serious IT outage can be. The hours-long interruption in service that Facebook (and its other platforms Instagram and WhatsApp) suffered recently, made news around the world. It cut off social networks, friends, relatives, lovers and businesses. Only Twitter saw the funny side.
The root cause is still the subject of some speculation and we have no information on that, beyond what’s been published on the Internet. What was clear, however, is how disruptive and damaging an outage can be, howsoever it was caused. Facebook became the news as its share price fell almost 6%, leaving Mark Zuckerberg an estimated $7 billion out of pocket. Now that’s a sizeable amount, but already the price has partly rebounded; so, he’s unlikely to starve!
The prevailing theory is that the outage was caused by a remote administrator updating the BGP routing configuration. The change meant that routing was disabled as the old configuration was removed – but the new configuration couldn’t be applied because the change was being made remotely, over a connection that the removal had just broken. As a result, Facebook’s application servers and DNS hosts became unreachable and, being remote, the administrators couldn’t connect in to fix it. Reportedly someone who knew what they were doing had to physically get to site and reconfigure the settings on the routers to bring the environment back up.
Ignoring the frailty of IT systems to human error, and the difficulties and vulnerabilities of routing configurations and DNS, what can the rest of us learn from the disruption caused by the outage of such critical social infrastructure?
A worst case scenario for many businesses, not just Facebook, is a complete loss of service. Facebook’s business model is totally reliant on online access and the Internet. Many other businesses don’t consider themselves to be as exposed to that kind of failure, but the reality is that in a digital world even a small outage can have a hugely disruptive effect.
This can be caused by misconfiguration or human error (as was perhaps the case for Facebook), an oversight, a physical failure or a deliberate act. The cause, as always, is much easier to pinpoint after the fact.
We have seen similar implications in non-IT businesses too – oil pipeline operators, food manufacturers and healthcare providers whose businesses have suffered major outages as a result of ransomware attacks. Their reliance on IT, even though they trade in the physical world, meant that services and their delivery were similarly affected. This shows that no company can afford an IT outage – no matter how it is caused. Network misconfiguration is just one cause of failure; ransomware is another, which has over recent times become more common than the calamitous events we saw in the social media world last week.
What the Facebook event shows is not how to avoid downtime, outages and blackouts – instead, it shows how small episodes that can seem almost trivial can give rise to such enormous consequences.
You can’t avoid all risks. Whether it’s a network administrator changing routes or a user with a malicious email attachment, people make mistakes. If, as the mathematician Lorenz proposes, a butterfly flapping its wings can result in a tornado, it’s important that early signs of risk are acknowledged as part of your risk management process.
We can learn about the risks of changing BGP configurations from Facebook; or when it comes to ransomware, learn how to reduce the risk of becoming infected. In both instances, however, effective mitigation strategies that prevent a risk or contain its impact are key to lessening the potential effect across an entire enterprise.
Maybe a backup router configuration strategy might’ve helped Facebook (if they had been easily accessible). Although, to be fair, massive on-line businesses like Facebook typically have huge backup data centres available to provide resilience and mitigation against catastrophic events.
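The failure pattern described above (old routes withdrawn over a remote session before the new ones were in place, leaving nobody able to reach the routers) has a well-known defensive counterpart: install the candidate configuration atomically, keep the last known-good one, and roll back automatically unless the change is confirmed over a still-working management path. The simulation below is an added example, not Facebook’s or Huntsman Security’s code; the router model, prefixes and management hosts are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed management hosts (documentation-range addresses, not real ones).
DNS_HOST = ipaddress.ip_address("203.0.113.10")
ADMIN_HOST = ipaddress.ip_address("203.0.113.20")


@dataclass(frozen=True)
class RouterConfig:
    """The slice of router state that matters here: prefixes announced via BGP."""
    advertised: frozenset  # of ipaddress.IPv4Network

    def reaches(self, host) -> bool:
        """A host is reachable only if some announced prefix covers it."""
        return any(host in net for net in self.advertised)


@dataclass
class Router:
    running: RouterConfig
    last_good: Optional[RouterConfig] = None
    history: List[str] = field(default_factory=list)

    def management_reachable(self, host) -> bool:
        """Out-of-band probe: can the management plane still be reached?"""
        return self.running.reaches(host)

    def apply_unguarded_remote(self, candidate: RouterConfig, admin_host) -> bool:
        """The failure pattern: withdraw the old config first, then push the new
        one over the same remote session. If withdrawing drops the prefix the
        admin's own session depends on, the push never happens."""
        self.running = RouterConfig(frozenset())  # everything withdrawn
        self.history.append("cleared")
        if not self.management_reachable(admin_host):
            self.history.append("remote session lost; new config not pushed")
            return False
        self.running = candidate
        self.history.append("applied")
        return True

    def apply_commit_confirmed(self, candidate: RouterConfig, admin_host,
                               confirm: Callable[[], bool]) -> bool:
        """Safer pattern (the 'commit confirmed' idiom): swap the candidate in
        atomically, keep the previous config, and roll back unless the admin
        can still reach the box and explicitly confirms the change."""
        self.last_good = self.running
        self.running = candidate
        self.history.append("candidate installed")
        if self.management_reachable(admin_host) and confirm():
            self.last_good = None
            self.history.append("confirmed")
            return True
        self.running = self.last_good  # automatic rollback
        self.history.append("rolled back")
        return False


# Constructed scenarios: a known-good config, a correct change that adds a
# prefix, and a mistaken change that silently drops the management prefix.
GOOD = RouterConfig(frozenset({ipaddress.ip_network("203.0.113.0/24")}))
OK_CHANGE = RouterConfig(GOOD.advertised | {ipaddress.ip_network("198.51.100.0/24")})
BAD_CHANGE = RouterConfig(frozenset({ipaddress.ip_network("198.51.100.0/24")}))


def run_unguarded(candidate: RouterConfig):
    """Returns (change succeeded, DNS still reachable, event history)."""
    router = Router(running=GOOD)
    ok = router.apply_unguarded_remote(candidate, ADMIN_HOST)
    return ok, router.management_reachable(DNS_HOST), router.history


def run_guarded(candidate: RouterConfig, confirm: Callable[[], bool] = lambda: True):
    """Same change under commit-confirmed; a bad change is rolled back."""
    router = Router(running=GOOD)
    ok = router.apply_commit_confirmed(candidate, ADMIN_HOST, confirm)
    return ok, router.management_reachable(DNS_HOST), router.history


if __name__ == "__main__":
    print("unguarded, correct change:", run_unguarded(OK_CHANGE))
    print("guarded, bad change:      ", run_guarded(BAD_CHANGE))
    print("guarded, correct change:  ", run_guarded(OK_CHANGE))
```

Note that the unguarded path strands the operator even when the candidate configuration is correct, because the remote session is cut before the new routes are pushed; the guarded path never leaves the router without a confirmed or restored configuration.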
For many other failure scenarios, however, backups are an important part of a Plan B. Loss or corruption of data can render even a fully working, internet connected server inoperative. In the event of hardware failures, ransomware, theft, deliberate misuse or vandalism – it’s often the presence or absence of backups that makes the biggest difference.
In some ransomware attacks, where the decryption process has been absent, unworkable or too slow, backups have provided the road to recovery. Colonial Pipeline found that; and so did Maersk when they were hit by NotPetya. They only managed to get their systems back because of a single domain controller, located in a remote Nigerian office and unaffected by the broader network outage. Incredibly, it was this only copy of the user and system Active Directory (which was ultimately flown back to head office) that enabled the recreation of the Maersk Windows domain.
We’ve seen lots of significant systems outages in the past, resulting from numerous causes, and Facebook is just the most recent high profile “victim”. We also know that such disruptive events can stem from something as small as a butterfly flapping its wings.
Effective risk management means dealing with these, and where they can be foreseen, having controls in place. Every company can learn something about network support and administration from the Facebook experience, and in the same way every company can learn something about ransomware from Colonial Pipeline and about the importance of backups from Maersk.
You do have to sweat the small stuff!
After the ransomware attack on the Waikato District Health Board (DHB) in May 2021, the New Zealand Privacy Commissioner John Edwards warned all 20 NZ DHBs that if any DHB was found to not have adequate security (to protect patients’ information), compliance notices may be issued under the Privacy Act 2020; and if necessary, prosecutions would follow.
Clearly the time has come for boards and executive teams in New Zealand’s DHBs to be ransomware ready. Concerns were raised in Australia too, when the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breach Report for Jan-Jun 2021 confirmed that the health care sector was most vulnerable to ransomware attack. 
Meanwhile, in this climate of growing attacks globally, PwC observed that less than 50% of health sector CISOs were likely to increase their cyber budgets in 2021. Almost 75% of those executives surveyed believed they would still be able to improve their levels of cyber posture through cost containment and judicious spending.
According to the OAIC, in Australia, ransomware was up 24% since the last reporting period. Recent local health care attacks in both Australia and New Zealand are a wakeup call for boards and executive teams. It’s time to take cyber security and resilience very seriously. Despite the optimism of those surveyed by PwC, in an industry notorious for systems vulnerabilities and cyber security under-investment, it is imperative that health care organisations embrace a stronger cyber culture and seek expert advice to tighten their cyber security controls.
The recent IBM Cost of Data Breach Report 2021 confirmed that, for the 11th year in a row, the healthcare sector had the highest average cost of a data breach. This year it was US$9.23m per breach, and that excludes the lives potentially put at risk as a consequence of an attack.
In Brisbane, a ransomware attack on UnitingCare’s internal IT systems forced its hospitals and nursing homes to resort to manual backup processes. While in Waikato, the ransomware outage affected all clinical services across all 5 regional hospitals. Patient appointments and surgeries were severely impacted, causing large backlogs for these important services.
The loss of modern diagnostic capability, and the speed of computer communication, meant it took twice as long to treat urgent patients. Having to resort to manual back-up systems caused major stresses for both patients and staff. The loss of radiology services severely impacted a number of seriously ill cancer patients who had to be transferred to other North Island hospitals. The then medical director of the Cancer Society of New Zealand stated that “it’s hard to understate how disruptive the loss of an IT system is on a hospital”.
In NZ, the government’s refusal to pay the ransom resulted in sensitive patient data being released to the media with some patient data permanently lost. IT systems took more than 4 weeks to fully recover.
The impacts of a ransomware attack on health care facilities cannot be underestimated. They include financial losses, reputational damage, loss of productivity and business continuity, and the risk of potential legal liabilities emerging as a result of interrupted patient health care. The disruption and loss of technology in a clinical setting can impact patient outcomes and potentially cost lives.
As if the loss of medical services isn’t enough for healthcare victims of cyber attacks, the potential theft of patients’ sensitive medical information and accompanying personally identifiable information adds insult to injury. Stolen information can include research data, patient records, billing information, insurance claims and social security numbers (a full set of identity records); all of which is highly prized on the dark web.
These costs to healthcare victims can be overwhelming, particularly at a time in their lives when many are at their most vulnerable. It’s for this reason that we need to identify and resolve some of the factors that make the sector so attractive to attackers:
Fortunately, these drivers of cyber attack in the healthcare sector point to some possible solutions to this scourge. There are, for example, a number of cost-effective mitigation strategies or controls that can be relatively simply initiated across healthcare organisations to improve their cyber security maturity and as a result, reduce their risk of cyber attack.
As noted above, accountabilities are strengthening so boards and senior executives need a clear picture of their cyber security posture. Active security risk management processes that regularly measure and inform management of the state of their cyber controls are increasingly being expected by regulators everywhere.
Being able to monitor and assess your cyber risk against a simple set of cyber security KPIs, like the Australian Cyber Security Centre Essential Eight framework, need not be costly, but it can ensure that your organisation stays on top of its cyber security to maintain effective oversight.
The good news is that highly effective automated technologies are now available to instantly measure and enable you to manage the health of your key security controls. Huntsman Security’s Essential Eight solutions can quickly measure and clearly report cyber security posture to relevant stakeholders.
With a clear picture of the state of its prevention, containment and recovery strategies the board can regularly assess and address any shortcomings that may expose the organisation or its patients to poor cyber security outcomes.
https://www.privacy.org.nz/publications/statements-media-releases/privacy-commissioner-calls-on-dhbs-to-address-it-vulnerabilities/ ; 26 May 2021