Symantec’s recent Internet Security Threat Report (ISTR), Volume 22, reveals that 2016 was a banner year for cyber criminals whom achieved extraordinary attacks against governments, cities, banks and other organizations.
“Cyber criminals caused unprecedented levels of disruption by focusing their exploits on relatively simple IT tools and cloud services,” said Kevin Haley, director of Symantec Security Response.
Government cybersecurity and cybersecurity in general are being discussed far, wide and often. All the third party reports are now recognizing cybersecurity as the number one threat, noted Jennifer Nowell, national director for state and local government business at Symantec. Nowell sat down with Gov1 to give municipal governments the backstory on the firm’s latest findings and to share advice on government cybersecurity.
Obstacles to Government Cybersecurity
Symantec boasts the world’s most comprehensive database, which has recorded 88,000 vulnerabilities over 78,900 products developed over two decades. The firm also monitors the security of 1/3 of the world’s email traffic, more than 2 billion messages.
On the government side, funding has been the number one challenge, Nowell said. Usually, cybersecurity costs fall under emergency management budgets. But, “it’s a bigger problem than we think it is,” she said.
New vulnerabilities presented by the Internet of Things and movement of data and operations to the cloud and software as a service (SaaS) are two areas that open up a multitude of pathways for hackers.
The 2016 ISTR report found that chief information officers have lost track of how many cloud applications are used inside their organizations. Most respondents said they have up to 40, “when in reality the number nears 1,000,” Nowell said, noting as an example, Sales Force might be counted as one IT application. But the SaaS actually has numerous interconnecting underlying applications, she said.
Also, when governments create proprietary apps for their citizens to use -- such as snow plow trackers or tools like Cincinnati’s Heroin Tracker -- they can also be used to breach cybersecurity, raising the need for ‘shadow IT’ in order to observe how the tool is being used.
“This has become trickier, there aren’t any perimeters anymore,” she said. “And that’s challenging.”
Who, Why & What’s Next?
Probably when you think of a hacker you think of the lone wolf sitting in an unsuspecting or seemingly abandoned location. But Nowell said Symantec’s 22 years of research has shown it’s more groups now. In tracking various groups, the last five years of activity has revealed different motivations.
In short, “There is income to be had,” she said.
Cybersecurity crimes are typically characterized as fraud, with with money being lost, or data breaches of personal information. Presumably the hacker is retrieving for a person or organization that wants to do something with the data it’s paying to get.
In 2016 ransomware continued to escalate. The ISTR identified more than 100 new malware families -- along with a 36 percent increase in ransomware attacks worldwide. The United States is a number-one target. Symantec found 64 percent of American ransomware victims are willing to pay a ransom, compared to 34 percent globally. Size of ransoms spiked 266 percent. A key defense is backing up data so there is no reason to pay the ransom, said Nowell.
But like any other crime, attackers employ methods that might go out of fashion, only to resurface later. For example, a particular Trojan virus recently reappeared attacking cyber resources in Saudi Arabia after five years of not being used, Nowell said.
Cybersecurity needs to be baked into an organization’s processes, she said.
It’s Too Easy to Get In
“Email is the weapon of choice,” Nowell said. Symantec found that 1 in 141 emails in the public sector, and 1 in 131 emails in the business sector, contain a malicious link or attachment. It’s the highest rate the cybersecurity company has seen in five years.
Also Business Email Compromise schemes, which rely on little more than carefully composed spear-phishing emails, scammed more than three billion dollars from businesses over the last three years, targeting over 400 businesses every day, according to Symantec.
A third point of entry is when a user accepts Microsoft document macros -- they easily enable a cyber attacker’s entrance without being noticed.
Thus, vigilance over messaging gateways is critically important, because once they are in,
They are living off the land,” Nowell said.
Hackers no longer have to build their own access tools -- command line tools like Powershell -- are installed on most PCs. Once they are in , they can use the computer’s tools to facilitate the cyber attack.
How to Get CyberStrong
#1 Be Careful - Cautious - Thoughtful
“We forget how much social engineering plays into these threats,” said Nowell. People naturally want to be helpful when presented with a query, so when it comes to “pushing back, it’s not in our DNA.”
That’s been especially true for phishing scams. An employee of Janesville, Wisc., received a falsely branded letter from a legal vendor containing ransomware, and unaware, forwarded it on to colleagues.
Training leads to greater fitness to be cyberstrong, Nowell advised.
What kinds of training have worked?
Nowell suggested a ‘click bait’ tactic that automatically enters workers that fall for it into a brief training module, like Anti-Phishing Phyllis by Wombat Security Technologies. Symantec also offers government cybersecurity training solutions.
The 6 Cybersecurity Questions City Managers Should Ask Before a Hack
#2 Follow Nowell’s ISTR 2016 Government Cybersecurity Actions Checklist
Finding: Targeted attacks shifted from economic espionage to politically-motivated sabotage and subversion. Actions:
- Set up alerts for new vulnerabilities and threats across vendor platforms and patch known vulnerabilities
- Implement and enforce a security policy where all sensitive data is encrypted at rest and in transit – the same should be done for customer and constituent data. This can help mitigate the damage of potential data leaks from within an organization
- Attackers frequently use stolen or default credentials to traverse a network. Ensure passwords are strong. Important passwords, such as those with high privileges, should be at least 8-10 characters long (and preferably longer) and include a mixture of letters and numbers
Finding: The frequency of ransomware attacks is up by 36 percent, and the average ransom has gone up from $294 to $1,077. Actions:
- Always keep your security software and operating system up to date to protect against ransomware. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers
- Backing up important data is the single most effective way to combat a ransomware infection. Attackers gain leverage over their victims by encrypting valuable files and leaving them inaccessible. Backing up files regularly allows victims to restore their files once the infection is cleared
- Cloud services help mitigate ransomware infection, since many retain previous versions of files, allowing users to “roll back” to the unencrypted form
Finding: Attackers are using the same tools already installed on users’ systems to covertly hack data. Actions:
- Educate employees on the dangers posed by spear phishing emails, including exercising caution around emails from unfamiliar sources and opening attachments that haven’t been solicited
- Also educate employees to be wary of any Microsoft Office email attachment that advises them to enable macros to view content
- Be picky about your plugins. The software you use to manage your website may come with vulnerabilities too. The more third-party software you use, the greater your attack surface, so only deploy what’s absolutely necessary
Finding: Cloud and IoT hacks are on the rise, with IoT devices being compromised within two minutes of connecting to the Internet. Actions:
- Research the capabilities and security features of an IoT device before purchase
- Perform an audit of IoT devices used on your network
- Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks. Don’t use common or easily guessable passwords such as “123456” or “password”
- Many devices come with a variety of services enabled by default. Disable features and services that are not required
- Disable or protect remote access to IoT devices when not needed
- Use wired connections instead of wireless where possible
- Regularly check the manufacturer’s website for firmware updates
Access a webinar on the 2016 ISTR results.
Learn more about setting up an onion strategy for government cybersecurity.