4 Cybersecurity Lessons Learned the Hard Way
2
Jun

4 Cybersecurity Lessons Learned the Hard Way


The cybersecurity landscape is dynamic. The threats are constantly evolving and today’s cybersecurity measures may not stand up to pressure tomorrow. However, time and time again we’ve seen companies and organizations slip into complacency or ignore certain processes—such as training or vetting outside tools—and pay in terms of costly cyberattacks.

In this post, we look at four of those cases, discussed below:

1. Atlanta, GA (2018)

On March 22, 2018, the city of Atlanta in Georgia was hit by a SamSam ransomware attack [1].

The ransomware attack locked municipal workers from accessing their systems. The attackers then demanded US$51,000 in Bitcoin payments in exchange for restoring access.

As a result of the SamSam attack, Atlanta was unable to effectively deliver essential services—such as processing water and sewage bills, issuing business licenses, or scheduling traffic ticket hearings—for over a month following the actual attack.

In general, ransomware attacks occur through phishing attacks aimed at fooling the user into downloading a malicious file (or clicking to a malicious website). The attack then locks the end user out of their system and, typically, the attacker will demand a ransom payment.

However, the SamSam attack does not proliferate through phishing emails, but “by exploiting vulnerabilities or guessing weak passwords in a target’s public-facing systems” [2].

Though the direct cause of the attack was SamSam, the underlying reason for it was the fact that Atlanta’s IT systems suffered from “between 1,500 and 2,000 security vulnerabilities” [3]. In addition to inherent weaknesses, Atlanta was also ill-equipped to respond to the attack.

The lesson is that not only must you regularly conduct cybersecurity assessments or audits, but to regularly identify and resolve cybersecurity risks. This would involve phasing-out outdated or insecure platforms, such as the 100 servers running on Windows Server 2003 (which Microsoft ended support for in 2015). A solution would have been to expedite the move to the cloud and leverage the provider’s commitment to maintain the latest security standards [4].

It is a costly practice, but given how the city spent US$2.7 million in emergency contracts a month following the attack (with the total cost slated to reach as much as US$17 million), Atlanta was not spared from the expense either way. Instead, the Atlanta had found itself in the news for all the wrong reasons, which will not help the city or its government from a PR standpoint [3, 5].

2. British Airways (2018)

In September 2018, British Airways announced that it suffered from a breach that affected as many as 429,000 of its customers and their credit card numbers. The breach, which had gone unnoticed for two weeks, effectively required affected patrons to cancel their credit cards [6].

RiskIQ, a security vendor, assessed the situation and determined that the breach was a result of attackers injecting malicious code into British Airways’ online payments page [7]. RiskIQ concluded that the attack was specifically aimed at British Airways, making the airline a victim of a targeted and sophisticated attack. It is not clear how much the attack will cost to British Airways.

It appears that the attack exploited third-party code on British Airways’ website. This isn’t an easy issue to deal with considering how many businesses rely on the same third-party code to enable payments, show ads, and other user-centric services.

In fact, the challenge of this security breach was that you or your managed IT services provider(s) might have setup a solid cybersecurity system, but as cyber expert Dr Alan Woodward put it (via the BBC), “You can put the strongest lock you like on the front door, but if the builders have left a ladder up to a window, where do you think the burglars will go?” [8].

In this respect, the lesson for companies and organizations is to heavily vet and test any and all third-party codes (e.g., tools, scripts, plugins, etc.) they are bringing into their system. Moreover, it would also be good practice to regularly monitor or audit those for irregular activity.

3. eBay (2014)

In May 2014, eBay announced that it had suffered a major data breach affecting upwards of 145 million of its customers. Besides usernames, the breach was thought to have compromised user emails, real names, home addresses, phone numbers, and birthdates [9]. In effect, millions of eBay users were at risk of identity theft or fraud as a result of the breach.

The breach—which had forced eBay to lower its annual sales target by US$200 million and report lower revenue for that year—was likely initiated through a spear-phishing attack [10].

In spear-phishing attacks, hackers craft sophisticated emails that look as though they are from a trusted source, such as a colleague, manager, vendor, or customer. The goal is to manipulate or fool end users into an action they wouldn’t take if they knew the reality of that email.

For example, a hacker masquerading as a vendor could trick the user into sending money to the hacker in response to a fake invoice. Alternatively, someone posing as a manager could get the user to give password information or click on a malicious link/attachment.

Though technical measures, such as sandboxing affected PCs and filtering traffic from high-risk sources, help, the solution is to train and educate your staff. Your employees should have both the knowledge to recognize phishing attempts and report such issues, not fall for them. In fact, training is relatively a low-cost, quick way of getting high-impact cybersecurity gains.

4. RSA Security (2011)

In 2011, RSA, a multifactor authentication company, reported that it was struck by two spear-phishing attacks. Besides resulting in a cost of US$66 million, the attacks also pulled RSA into the focus of the US government because the company’s SecureID tokens—which were compromised—were in use by Lockheed Martin, a marquee defense vendor [11].

The spear-phishing attack posed as a company-wide email discussing that year’s recruitment roadmap. An employee not only took that email out of their Junk/Spam folder, but opened the attached Microsoft Excel file, which contained a zero-day exploit of a vulnerability in Adobe’s Flash platform and, in turn, released a variant of the Poison Ivy Trojan [12].

As with the eBay hack, there were combinations of issues at play, such as the failure of RSA’s threat identification and sandboxing as well as lack of cybersecurity training. In fact, the gap in this case was severe enough that the malicious email was already filtered out, but the employee did not understand why and opted to retrieve and open it anyways.

In each of these four cases, there are two major lessons.

First, the cost of recovering from a cyberattack—be it in fiscal terms or reputation—is higher than the cost of preparing for it in advance.

Second, the root cause for an attack could occur despite solid cybersecurity efforts due to the end user’s lack of knowledge or awareness.

Thus, businesses and organizations must address their cybersecurity issues from every angle—that is, regular auditing, vulnerability scanning, automated response systems (e.g., sandboxing high-risk or unrecognized software), training, and response processes (e.g., disaster recovery).

Final Thoughts

In this post, we looked at four notable cybersecurity attacks. Though the cybersecurity industry has made strides in countering threats, the threats themselves keep evolving. This back-and-
-forth will keep businesses of all sizes on edge, forcing them to invest in understanding these threats and the solutions emerging to stop them.

About the Author:

Jeremy Stevens has spent over half a decade working in the tech industry. Besides learning new things about software and IT, one of his passions is writing & teaching about technology. He is working with Power Consulting and helps produce and edit content related to IT, covering topics such as hardware & software solutions for businesses, cloud technology, digital transformation, and much more.

Disclaimer: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of EC-Council.

Sources

  1. https://www.symantec.com/security-center/writeup/2016-030211-4046-99
  2. https://www.wired.com/story/atlanta-ransomware-samsam-will-strike-again/
  3. https://statescoop.com/atlanta-was-not-prepared-to-respond-to-a-ransomware-attack/
  4. https://solutions.pcmcanada.com/advantages-of-cloud-computing-for-business
  5. https://www.cnbc.com/2018/11/28/doj-indicts-two-iranians-for-samsam-ransomware-that-hit-atlanta.html
  6. https://www.telegraph.co.uk/news/2018/09/07/british-airways-hacking-customers-cancel-credit-cards-airline/
  7. https://www.riskiq.com/blog/labs/magecart-british-airways-breach/
  8. https://www.bbc.com/news/technology-45446529
  9. https://www.bbc.com/news/technology-27539799
  10. https://www.usatoday.com/story/tech/2014/05/21/ebay-security-breach-passwords-spear-phishing-attack/9399235/
  11. https://www.theregister.co.uk/2011/07/27/rsa_security_breach/
  12. https://www.theregister.co.uk/2011/04/04/rsa_hack_howdunnit/
Editor's Note:
Reviewed by Kris Thomas, Cybersecurity Risk Advisor, Deloitte and Vince Peeler, Sr. Manager, Cyber Intelligence Services at UnitedHealth Group.
get certified from ec-council

1 Response

  1. Pingback : URL

Write for Us