Back to basics: Some data breaches: Questions, Consequences and Learnings
“War is inevitable, so be prepared for it.” Idea from Sun Tzu.
IMHO, applying the above idea from the Art of War to security is apt. Sun Tzu heavily emphasizes the importance of being prepared for conflict and advocates thorough planning, understanding your enemy, and achieving victory with minimal bloodshed – all suggesting a world where war is a constant possibility. Applied to cyber, planning for the inevitable is a duty for all of us practitioners.
I have been following many data breaches with a lot of curiosity. I will mention a few below, together with their lesser-known consequences.
1. In May 2021, a ransomware attack forced the Colonial Pipeline, the largest fuel pipeline in the US, to shut down. This caused fuel shortages and panic buying on the East Coast, highlighting the vulnerability of critical infrastructure to cyberattacks.
“Although the investigation is on-going, we believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use.” - Charles Carmakal, SVP and CTO of Mandiant, during the congressional hearing. A Colonial Pipeline employee, who was not publicly identified during the hearing, likely used the same password for the VPN in another location.
Fearing gas shortage, people even filled plastic bags with gasoline. This triggered a U.S Consumer Product Safety Commission alert, warning consumers to only use containers meant for fuel.
2. Hackers infiltrated Caesars Rewards, stealing millions of customers' Social Security numbers and driver's licenses. To make matters worse, Caesars allegedly paid $15 million to stop the data leak and regain control of their systems.
3. Younger hackers (Scattered Spider) target casinos like MGM. Their trick? Social engineering. A single phone call, impersonating an employee, bypassed MGM's defenses and handed them access. Attackers often target human vulnerabilities, not just computer systems. Even casinos like MGM and Caesars, with top-notch security (think advanced malware detection, email scanners, and dedicated vulnerability hunters), fell victim.
4. Change Healthcare touches approximately 33% of patients in the U.S. Attackers may have gained initial access through vulnerabilities in Remote Desktop Protocol (RDP), a common way for unauthorized access. They were in the Change Healthcare network for a week.[3] This story is continuously changing, with another ransomware group, RansomHub, claiming that it has 4TB of data including medical and dental records, payment and claims information, patient personal identifiable information (PII) – including social security numbers – and PII of active U.S. military personnel. The group also claims to have more than 3,000 source code files for Change Healthcare’s software solutions. According to an American Hospital Association survey, ninety-four percent of hospitals were experiencing a financial impact from the Change Healthcare cyberattack.[4] "A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure," a company spokesman said. A BlackCat hacker ("Notchy") claimed the group kept the ransom money from Change Healthcare ($22 million) without providing decryption keys or deleting stolen data. Wow, it looks like cybercriminals can't even trust each other.
5. Now to the small Texas county which thwarted the ransomware. “…IT department gets calls about strange behavior on Lubbock County’s 1,300 computers all the time. But this time, it was different. The file icons on a county employee’s computer were changing before their eyes…”
“…he rushed to unplug the ethernet cable from the computer that operates the water system…”
The above two statements capture the attack on Lubbock County, where an admin’s alertness prevented a potentially devastating ransomware attack, highlighting the importance of human intervention in cybersecurity.
The WSJ article by Larry Ellison and Seema Verma, titled "It's Time to Hand Cybersecurity Over to the Computers," has a catchy headline, but it is likely an oversimplification. A truly effective approach requires a comprehensive strategy that includes people, security products, and well-defined processes, as seen in the Texas county incident above.
My Opinions
The ethical and strategic implications of paying ransoms are a complex issue. Though paying a ransom is a business decision, every organization that pays creates a breeding ground for future attacks.
How did regulators allow Change Control to become a monopoly in payment processing?
Traditional warfare often involves physical destruction. However, cyberattacks can achieve similar disruption by targeting critical infrastructure like healthcare systems (Change Healthcare) or power grids.
These attacks can cripple economies, sow panic, and erode public trust in essential services.
Data Breach Defense 101: Essential Practices to Safeguard Your Information
The cybersecurity landscape is undergoing a seismic shift. CXOs are at the forefront of securing organizations in a world of quantum computing, hybrid cloud, and evolving AI threats. I'm a big believer in keeping things simple! IMHO, by focusing on the following basics of cybersecurity, we can tackle most threats without overcomplicating things.
Prioritize Backups and Implement a Recovery Plan:
Regularly back up critical data to a secure, offsite location, completely isolated from your main network. This ensures you have a clean copy to restore from in case of an attack; test the recovery regularly so you know the restore actually works.
Develop and test a comprehensive incident response plan that outlines clear steps for detection, containment, eradication, and recovery in the event of a ransomware attack.
During the MGM cyberattack, the perpetrators exploited weaknesses in the organization's security posture. Comments made by the attackers point to deficiencies in both monitoring and incident response protocols, which could have significantly limited the impact of the attack.
While mock exercises are essential for preparedness, most of the victims from data breaches say, no simulation can fully capture the grueling reality. To bridge this gap, we need someone who excels at worst-case scenario planning, who can design mock exercises that deliberately inject fatigue and stress. Think long hours, relentless pressure, lack of sleep, and unexpected hurdles - these simulated conditions can push our team to their limits and expose areas where our incident response protocols might need additional reinforcement.
Patch Systems and Update Software Regularly:
Hackers often exploit known vulnerabilities in software to gain access to systems. By promptly applying security patches and software updates, you significantly reduce the attack surface for vulnerabilities.
Enforce Strong Passwords and Multi-Factor Authentication (MFA):
Implement strong password policies that require complex passwords and regular changes. Multi-factor authentication is a must and adds an extra layer of security, requiring a second verification step beyond just a password to access systems.
Educate Employees on Cybersecurity Awareness:
Train employees to identify suspicious emails, phishing attempts, and social engineering tactics. Educate them on best practices for secure browsing habits, password management, and reporting any suspicious activity.
Implement Zero Trust Security, segment your network and implement Access Controls:
Shift from a perimeter-based security model to a zero-trust approach. This assumes all users and devices are potentially compromised and require verification before granting access to resources.
Combine this with granular access controls (like least privilege) to restrict access to data and systems based on job functions and user roles.
Divide your network into segments to limit the potential damage if a breach occurs.
Utilize Security Tools and Monitoring:
Use antivirus, anti-malware software, and endpoint detection and response (EDR) tools to proactively identify and contain threats, and do not forget vulnerability scanning and penetration testing. Continuously monitor network activity for suspicious behavior that might indicate a potential attack.
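As an added example that is not part of the original article, the behaviour the Lubbock County admin noticed by eye (file icons changing as extensions are rewritten) is the kind of thing the continuous monitoring above can catch automatically: a per-process sliding-window heuristic over file-rename events. The event tuples, process names and thresholds below are constructed for illustration.

```python
"""Flag processes that rewrite many file extensions in a short window.

Ordinary editing renames a file or two and usually keeps the suffix;
an encryption sweep renames dozens of files with a new suffix in seconds.
"""
from collections import defaultdict, deque
from pathlib import PurePath

# Constructed sample feed: (timestamp_sec, process, old_path, new_path)
SAMPLE_EVENTS = [
    (0.0, "explorer.exe", r"C:\Users\a\Desktop\q1.xlsx", r"C:\Users\a\Desktop\q1-final.xlsx"),
    (1.0, "winword.exe", r"C:\Users\a\Docs\memo.docx", r"C:\Users\a\Docs\memo-v2.docx"),
] + [
    # 40 renames in under two seconds, each appending a new suffix (constructed)
    (2.0 + i * 0.05, "unknown-proc.exe",
     rf"C:\Shares\Finance\report{i}.xlsx",
     rf"C:\Shares\Finance\report{i}.xlsx.locked")
    for i in range(40)
]


def extension_changed(old_path, new_path):
    """True when a rename changes the file suffix (e.g. .xlsx -> .locked)."""
    return PurePath(old_path).suffix.lower() != PurePath(new_path).suffix.lower()


def detect_mass_rename(events, window_sec=10.0, threshold=20):
    """Return the set of processes with >= threshold suffix-changing renames
    inside any window_sec-wide sliding window."""
    recent = defaultdict(deque)   # process -> timestamps of suffix-changing renames
    flagged = set()
    for ts, proc, old, new in sorted(events):
        if not extension_changed(old, new):
            continue                # plain renames are normal user activity
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window_sec:
            q.popleft()             # drop events that fell out of the window
        if len(q) >= threshold:
            flagged.add(proc)
    return flagged


if __name__ == "__main__":
    print("suspicious processes:", detect_mass_rename(SAMPLE_EVENTS))
```

A real deployment would feed this from EDR or file-audit telemetry and pair the alert with an automatic isolation action, the equivalent of the admin pulling the ethernet cable.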
As technology advances, attack vectors increase. Even the most sophisticated prevention measures cannot cover every single ingress, as new methods consistently pop up and groups such as Scattered Spider take advantage of social engineering.
Hackers now operate like (evil) businesses, with experts and R&D. Businesses cannot chase and implement every tool; balance is the key. Stop attacks early rather than just buying tools. Invest in people, processes, and the basics for real security.
In a dynamic cybersecurity landscape, mastering the basics is essential. The above core principles provide a robust foundation that organizations can build upon to address both current and future threats.
References:
1. “CYBER THREATS IN THE PIPELINE: USING LESSONS FROM THE COLONIAL RANSOMWARE ATTACK TO DEFEND CRITICAL INFRASTRUCTURE” - Congressional hearing, https://www.govinfo.gov/content/pkg/CHRG-117hhrg45085/html/CHRG-117hhrg45085.htm
2. https://getnametag.com/newsroom/hacking-mgm-took-10-minutes-and-your-business-is-vulnerable
Director - Kyndryl Enterprise Architect
6 months: Srini's article is more relevant than you may think. I've been in Corporate America for some 50 years now and have worked with Srini for the past 3 years. He's a very intelligent architect and engineer. A very long time ago, a very intelligent and wise engineer told me how to approach security - treat every entity as though it was your home. In other words, apply the same common sense you would use to protect your home, family, pets, and peace of mind. If you just sit back and think about that for a couple of minutes, you will see the relevance of Srini's article and exactly what that means. In a world of infinite choices to protect just about any environment, it all comes down to some of the most simple things that you should lock down. Never forget the common sense approach and apply the simplest, yet most effective, methods of protection. Over-protection can, and will, become a very expensive quicksand devouring precious time, resources, and money, and most likely will not protect you any better than the most basic solutions.