The Most Dangerous Thieves in the World
Protecting Yourself Against the Growing Threat of Cyberterrorism
A recent cyberattack that shut down the largest gasoline pipeline in the United States forced internet security experts around the world to sit up and take notice. The pipeline spans 5,500 miles and transports 2.5 million gallons of fuel per day; the company acted quickly and ceased operations to contain the threat and avoid what could have become a nationwide shortage. But this incident sheds light on the growing threat to operational technology, illustrates how cyberterrorists are finding their way in, and raises questions about how companies can protect their systems and data.
The most obvious and immediate question might be: With all the advances in cyber security, why is this still happening? Are the companies who fall prey to these hackers simply unprepared?
The first thing you have to understand is these aren’t “hackers” in the way most people think of them. They’re not a bunch of amateurs in metal band t-shirts trying to break into systems while they wolf down pizza. These are highly educated scientists and engineers who are part of large organizations, syndicates or foreign governments. They’re professional criminals who’ve chosen cyberterrorism as a lucrative career.
So, I don’t believe it’s a matter of companies being unprepared or failing to do their best. But new vulnerabilities are being released every minute of every day, and these terrorists are alerted to them at the same time your IT team is. Even if you inspect all your systems today, there will be new vulnerabilities tomorrow. And you may have to rely on the manufacturer to develop a software patch before a vulnerability can be fixed, so it’s a hard cycle to keep up with. These criminals are very well organized and well-funded. No matter how many people you employ in IT, they have twice as many ready to hack into your system and deploy ransomware.
Size Doesn’t Matter
Are large companies more attractive to cyberterrorists or more susceptible to system violation? No. There are all types of cybercriminals and they’re going after everyone. The smaller for-profit groups and solopreneurs are going after individuals like your mother because they’re low-hanging fruit. They don’t want to go after big companies because they know they’ll get caught. They’re getting their encryption off the internet.
Government-based entities go after things that could hurt other countries. When you force the shutdown of a 5,500-mile pipeline that ships 2.5 million barrels of fuel a day, that not only has the potential to raise gas prices but cripple whole segments of the economy that rely on the transportation industry. So, government sponsored terrorism usually targets major industry players – like oil, financial institutions and airline companies.
Syndicates live up to their name because they’re a lot like the old-world mafia. But instead of pushing drugs, they’re pushing data and holding it hostage. They focus on crimes of opportunity, but the target must be worth their money, because syndicates and governments pay some of the smartest people in the world to build their own encryption programs. These guys earn millions of dollars a year and drive Maseratis. They won’t use the same encryption tech twice, and the encryption algorithms are very complicated.
Put it all together and every external IP is being scanned for vulnerability an average of once every seven seconds. Every single IP in the world. Every seven seconds.
Most importantly, these sophisticated cybercriminals are attempting to steal more than just our data; they’re out to destroy our way of life. And that makes them the most dangerous thieves in the world.
If nobody is safe – if there’s a cybercriminal for everyone at all levels – it’s easy to presume that it’s just a matter of time before your number comes up. But while every system is being scanned, the reality is that breaking in still takes time. So, one solution is to ensure you’re not easy-to-pick, low-hanging fruit. You want to create multiple layers of security that require time and progressive learning for these criminals to penetrate.
Imagine you’ve got 26 different companies represented by the letters of the alphabet. These cyberterrorists don’t just hack away at the first company indefinitely until they make it all the way through. They start with Company A and go as far as they can until that company patches their vulnerability. Then they take what they’ve learned and move on to Company B to push through to its limitations. Then they repeat the process with Company C, Company D and so on.
Successful hackers may have been through 200 companies with specific vulnerabilities by the time they’re finally able to break all the way through a point where they can do real damage. It’s like a cybercriminal version of Grand Theft Auto or any other video game. You just keep trying to get to the next level by reapplying your learnings.
The Myth of Hacker-Proofing
With security software becoming increasingly effective, it’s comforting to believe there may come a day when our systems could become completely “hacker-proof.” But while that’s possible, it’s not likely, because as our solutions become more sophisticated, our adversaries do, too.
Sticking with the Grand Theft Auto theme, think about how criminals used to steal cars. They’d just walk around looking for unlocked vehicles and then hotwire that vehicle. When everyone started locking their cars, they started using wire coat hangers and Slim Jims. Then technology came along to make it easier to track, so they started learning how to disable those systems. We’re chasing after persistent cybercriminals who are constantly checking all the doors and bypassing all the security features. They’re perfecting their craft on very specific packages, so it’s critical that we keep developing increasingly complex solutions.
The Most Effective Solution
Given the progressive process the most sophisticated hackers employ, the most effective solution for preventing a breach is to consistently implement multiple layers of compatible security. If you live in a nice house and want to protect your family, a lock on the front door isn’t enough. You put two locks on all the doors and might also invest in a security system. If that’s not enough, you add motion-activated lighting or cameras, move into a gated community or pay for active patrolling.
The same thing goes for corporate security. If your company and mine both have the same tech, but I have two or three additional layers of protection, I’ve increased the odds that the thief will eventually hit something impenetrable and move on to the next “house.” Then I’m just one company in a long line of companies that will be abandoned through trial and error on the way to finding a more easily picked lock. It’s not just about replacing one firewall with another; it’s about instituting multiple layers of security.
And that protocol needs to be evaluated and repeated frequently. We can barely see 3-5 years down the road in terms of cyber-security. So, you should be evaluating your cyber security – hardware and software – at least every two years.
Develop Your Plan
Of course, with new vulnerabilities being released on a daily basis, there are measures your company should also be taking every day. Aside from the obvious imperatives of real-time monitoring and regular patching, I’d also recommend developing a strong, structured Vulnerability Management Program, one that includes your own scanning, your own patching, and your own risk ratings. You’ve got to perform a cost/benefit analysis, because risk ratings and rankings are going to be different for every company.
For example, on the NVD scale of CVSS scores from 1 to 10 – where 10 is Critical – a vulnerability that has actually been used to compromise a company could have a score of just 5. So, it wouldn’t qualify as “critical” to some companies. A lot of organizations look at the ratings and decide they’re only going to patch vulnerabilities with a rating of X or greater. So, a company can be on the right patch cycle, but if a vulnerability isn’t rated critical, they might not patch it, and cybercriminals may still be able to compromise it.
Having a vulnerability management program that also accounts for risk rankings sets expectations and allows your organization to make key decisions in moments of crisis. But layering security helps you avoid them.
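As an added illustration of the risk-ranking point above (example code, not from the article or any vendor), the following combines an NVD CVSS base score with context only the company knows, so a vulnerability NVD rates at 5.0 can still be the first thing patched. The weights, SLA bands, and sample findings are assumptions for illustration; the identifiers are placeholders, not real CVEs.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    """One scanner result plus the context only the company knows."""
    ident: str               # scanner identifier (placeholder values below)
    cvss: float              # NVD base score on the 0-10 scale
    internet_facing: bool    # reachable from the IPs being scanned constantly
    exploited_in_wild: bool  # a working exploit is known to be in use
    asset_criticality: int   # 1 (low) to 3 (business-critical), set by the business

# Assumed weights; every company tunes these from its own cost/benefit analysis.
EXPOSURE_BONUS = 2.0
EXPLOIT_BONUS = 2.5
CRITICALITY_STEP = 0.5

def internal_score(f: Finding) -> float:
    """Company-specific risk rating on the same 0-10 scale as CVSS."""
    score = f.cvss
    if f.internet_facing:
        score += EXPOSURE_BONUS
    if f.exploited_in_wild:
        score += EXPLOIT_BONUS
    score += CRITICALITY_STEP * (f.asset_criticality - 1)
    return min(10.0, round(score, 1))

def patch_sla_days(score: float) -> int:
    """Assumed patch deadline for each internal rating band."""
    if score >= 9.0:
        return 3
    if score >= 7.0:
        return 14
    if score >= 4.0:
        return 30
    return 90

def missed_by_cvss_threshold(findings: List[Finding], threshold: float) -> List[str]:
    """Findings a 'patch only CVSS >= threshold' policy skips although the
    internal rating puts them at or above that same threshold."""
    return [f.ident for f in findings
            if f.cvss < threshold and internal_score(f) >= threshold]

def prioritised(findings: List[Finding]) -> List[str]:
    """Patch order by internal rating, highest first."""
    return [f.ident for f in sorted(findings, key=internal_score, reverse=True)]

# Constructed sample findings (placeholder identifiers, not real CVEs).
SAMPLE = [
    Finding("VULN-A", 8.1, internet_facing=False, exploited_in_wild=False, asset_criticality=1),
    Finding("VULN-B", 5.0, internet_facing=True, exploited_in_wild=True, asset_criticality=3),
    Finding("VULN-C", 6.5, internet_facing=True, exploited_in_wild=False, asset_criticality=2),
]
```

With these inputs a "patch only CVSS 7 and above" rule would patch VULN-A alone, while the internal rating puts VULN-B (CVSS 5.0, exposed and actively exploited) at the top of the queue with a three-day deadline.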
Obviously, developing a formal vulnerability management plan takes a little time. But one thing you can do today is review your cyber liability insurance policy – and whatever you’ve agreed to. Every cyber liability policy includes terms, conditions and requirements; all of which you need to fulfill if you expect that insurance company to pay.
The problem is no one pays attention to what the insurance company says you need. If you said you’d patch every 10 days and you only patch every 30 days, your insurance company isn’t going to pay. Most companies call their cyber liability carrier first – before they call the FBI or anyone else – and one of the first things that carrier will do is have a forensics expert come in to ensure you did everything you were supposed to.
So, make sure you have enough coverage, make sure you’re doing what you need to and if you are the victim of cyberterrorism, make sure you do your own forensics before you call anyone else.
That said, instituting multiple layers of compatible security is still the best insurance money can buy.