[BreachExchange] To defend cities from cyberattack, think like a hacker

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 9 21:00:44 EDT 2018


https://www.msn.com/en-us/news/technology/to-defend-cities-from-cyberattack-think-like-a-hacker/ar-AAvCTds

Our cities are under attack. In the past two months, two major cyberattacks
have targeted urban critical infrastructure and services. In February,
Colorado’s Department of Transportation had to shut down 2,000 employee
workstations after an attack. The department website reported issues for
more than a week after the attack. In late March, 8,000 city employees in
Atlanta resorted to using pen and paper for work after a cyberattack
compromised their computers. Both attacks caused havoc.

Public agencies are perfect targets for hackers. Why? Hackers are known for
taking the path of least resistance when staging a major attack. Some
companies spend millions of dollars a year on security technologies and on
hiring difficult-to-find talent in cybersecurity to help defend their
networks. Our public systems do not have the financial means to procure
such security software or talent. Thus, public agencies become the
low-hanging fruit for hackers to target and disrupt. That’s why the
Defensive Social Engineering Team at the Massachusetts Institute of
Technology is working on developing a toolbox of nontechnical defenses
against cyberattacks for cities.

The most prevalent form of attack against public agencies is social
engineering. This involves tricking a civil servant into clicking on a link
or email attachment that installs malware. Because public agencies do not
have the budget to invest in expensive technical security solutions, they
should look to the hackers for inspiration and complement technical tools
with less expensive social defense tools. My team suggests using defenses
called Defensive Social Engineering.

Here’s what happens in a cyberattack.

Ransomware is the malware of choice for hackers against public agencies.
Many public agencies post email addresses of department personnel online so
the public can contact them. It is not difficult for attackers to quickly
collect addresses and disseminate emails containing the malicious software
that, when activated, encrypts all the files in the computer and demands a
ransom. Until the ransom is paid, the infected system is unusable.

When the Police Department in Swansea, Mass., was hit in 2013 with a
ransomware attack, the city decided to pay the $750 ransom so that it would
not lose valuable records.

When the Cockrell Hill Police Department in Texas was hit in 2016 with a
ransomware attack, the department refused to pay the ransom — and lost
eight years’ worth of police evidence that was important for pending court
cases.

How do we protect our public agencies from these attacks?

Some organizations focus any and all funding they have on developing a
strong backup program. This way, if hackers try to blackmail a city,
services can be restored without having to pay the ransom. While backups
are essential in these scenarios, it still takes time to reboot all the
systems. For example, in 2016, the San Francisco Municipal Transportation
Agency was hit with ransomware, and the hackers demanded 100 bitcoin, or about
$70,000 at the time. Because of the attack, the agency took the
precautionary measure of shutting down all fare payment systems. In doing
so, passengers were allowed to use the SFMTA system for free during the
downtime, which cost the SFMTA $50,000 in lost fares. The systems were shut
down when the ransomware was detected, and three days later, the backups
were installed. This was a terrific case of cyberresilience by a public
agency; however, it clearly takes time for backups to be deployed.

In addition to using backups as technical defenses, one cyberdefense is
conducting a misinformation campaign. For example, if a hacker steals your
passwords, your organization should issue a press release indicating that
the hackers actually stole a decoy data set. This action can devalue the
stolen data set. Further, your organization can leak fake passwords that
can further confuse hackers about which passwords are valid. These actions
will make the stolen information considerably less valuable because buyers
of the information on the Dark Web will not know which passwords are
authentic.

Another defensive social engineering tool is proactive defensive signaling.
A public agency can use this by announcing its policy for dealing with
hackers and specific repercussions for potential attacks. For example, a
public organization can proactively announce it will not pay ransoms. This
could potentially deter a hacker, leaving agencies that do not have a clear
payment policy for ransoms as a more inviting target.

Many once thought the only social strategy to defend against cyberattacks
was to develop an employee cybersecurity awareness campaign that could help
reduce the effectiveness of social engineering attacks. These are useful,
but public agencies need to start taking a page out of the hacker playbook
and seek less expensive, high-impact strategies to defend their computer
networks and systems.