Originally published by the Journal of Commerce in January 2017
The Senate Armed Services Committee hearing on January 5, 2017 was an opportunity to learn what the intelligence community determined regarding cyber-attacks related to the 2016 Presidential election. For those of us having to deal with the potential consequences to our businesses, however, it is the 13-page unclassified report jointly published by the Department of Homeland Security and the Federal Bureau of Investigation that provides the most relevant information.
It has long been understood that there are three primary reasons hackers seek access to a system: criminal intent, corporate espionage, or state-sponsored activity. In the case of the Presidential election hacking, as has been widely reported in the mainstream press, the intelligence community is sure it was state actors, the Russian intelligence services (two distinct programs run by different parts of the Russian government), which conducted the hacking, directed especially at one political party, and did so to influence the outcome of the election. What makes the topic timely for businesses is the tips and recommendations contained in the Joint Analysis Report (JAR).
The JAR begins by explaining how the hacking occurred, and in that sense the only news is the identity of the hackers. The methods and means disclosed are all widely used! The JAR also reiterated that government organizations, critical infrastructure entities, think tanks, universities, political organizations and corporations are constantly under threat of having information stolen. In this case, the hackers took on third-party identities and hid behind false online personas so as to cause the victim to incorrectly attribute the source of the attack, and those efforts continued even after the election!
The information which starts on page 6 of the JAR is of most interest to the private sector. DHS and the FBI have put together a recommended list of mitigation steps: “A commitment to good cybersecurity and best practices is critical to protecting networks and systems”.
The JAR goes on to list questions companies should ask about their cybersecurity programs:
- Backups: Do we back up all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
- Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
- Staff Training: Have we trained staff on cybersecurity best practices?
- Vulnerability Scanning and Patching: Have we implemented regular scans of our networks and systems? Do we appropriately patch known system vulnerabilities?
- Application Whitelisting: Do we allow only approved programs to run on our networks?
- Incident Response: Do we have an incident response plan? Have we practiced it?
- Business Continuity: Are we able to sustain business operations without access to certain systems? For how long?
- Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks?
These questions are followed by a list of “Top Seven Mitigation Strategies”, supposedly able to prevent up to 85% of cyber-attacks. For most companies the list is all too familiar, but according to DHS, these basic measures are not being followed by an alarmingly large number of companies, even today!
- Patch applications and operating systems – Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Use best practices when updating software and patches by only downloading updates from authenticated vendor sites.
- Application whitelisting – Whitelisting is one of the best security strategies because it allows only specified programs to run while blocking all others, including malicious software.
- Restrict administrative privileges – Threat actors are increasingly focused on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Reduce privileges to only those needed for a user’s duties. Separate administrators into privilege tiers with limited access to other tiers.
- Network Segmentation and Segregation into Security Zones – Segment networks into logical enclaves and restrict host-to-host communications paths. This helps protect sensitive information and critical services and limits damage from network perimeter breaches.
- Input validation – Input validation is a method of checking and sanitizing untrusted input supplied by users of a web application, and may prevent many types of web application security flaws, such as SQL injection (SQLi), cross-site scripting (XSS), and command injection.
- File Reputation – Tune Anti-Virus file reputation systems to the most aggressive setting possible; some products can limit execution to only the highest reputation files, stopping a wide range of untrustworthy code from gaining control.
- Understanding firewalls – When anyone or anything can access your network at any time, your network is more susceptible to being attacked. Firewalls can be configured to block data from certain locations (IP whitelisting) or applications while allowing relevant and necessary data through.
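The input validation strategy above is the one item on the list that is easiest to show rather than describe. The following is an added example, not text or code from the JAR or from the Journal of Commerce column: it places the weak pattern (pasting user input into SQL text) beside two defensive patterns, allow-list validation of the input and parameter binding, so the difference in behaviour on a crafted input is visible. The database, table, usernames and the crafted string are all constructed for the example.

```python
"""Input validation and parameterized queries: added example, not from the JAR.
Uses an in-memory SQLite database seeded with constructed sample rows."""
import re
import sqlite3

# Constructed sample data (not real accounts).
SEED_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_unsafe(conn, username):
    """The weak pattern: untrusted input is spliced into the SQL text,
    so the input can change the meaning of the query."""
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_param_only(conn, username):
    """Parameter binding alone: the database receives the value separately
    from the SQL text and never interprets it as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,))]


# Allow-list: a username may contain only lower-case letters, digits and
# underscore, 1 to 32 characters. (Policy chosen for this example.)
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    """Allow-list validation: reject anything outside the expected alphabet."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_safe(conn, username):
    """Hardened pattern: validate first, then bind as a parameter."""
    return lookup_param_only(conn, validate_username(username))


def demo():
    """Run the three lookups against the same crafted input and return the results."""
    conn = make_db()
    # Constructed input that closes the quoted literal in the unsafe query.
    crafted = "x' OR '1'='1"
    results = {
        # The WHERE clause becomes always-true: every e-mail address leaks.
        "unsafe": lookup_unsafe(conn, crafted),
        # Bound as data, the string simply matches no username.
        "param_only": lookup_param_only(conn, crafted),
        "normal": lookup_safe(conn, "alice"),
    }
    try:
        results["validated"] = lookup_safe(conn, crafted)
    except ValueError:
        # Validation rejects the input before any query is built.
        results["validated"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-10s %s" % (name, value))
```

The two defences are complementary: parameter binding guarantees the database cannot be tricked by the value, while the allow-list check rejects malformed input early and gives a clean point at which to log it. The same pattern (validate against an expected shape, then pass the value through an API that treats it as data) is what neutralises XSS and command injection as well, with HTML escaping or argument-array process execution in place of parameter binding.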
The JAR can be found here: https://www.documentcloud.org/documents/3248532-DHS-FBI-JAR-16-20296-Grizzly-Steppe-Russian.html. Every IT administrator in every company should review this report in order to apply the indicators of compromise it lists to his or her company’s computer systems. Those interested in cybersecurity should also reach out to their local Secret Service office and become a member of the Service’s Electronic Crimes Task Force, which provides a good deal of information to its private sector members, including hash data and IP addresses that have been associated with compromises.
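Applying published indicators of compromise to a company's own systems, as the paragraph above recommends, comes down to matching two kinds of values, network addresses and file hashes, against local records. The following is an added example, not the JAR's own material: it checks constructed proxy-log lines and a constructed file-hash listing against placeholder indicator sets. The IP addresses are from the reserved documentation ranges and the hashes are obviously fake, standing in for the values a JAR or task-force bulletin would supply.

```python
"""Matching indicators of compromise (IoCs) against local logs: added example,
not from the JAR. Every indicator and log line below is a constructed placeholder."""
import re

# Placeholder indicators in the place of a bulletin's IP and hash lists.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}   # TEST-NET documentation ranges
FAKE_HASH = "a" * 64                          # obviously fake SHA-256 placeholder
IOC_SHA256 = {FAKE_HASH, "b" * 64}

# Constructed proxy log: timestamp, client, destination IP, method, URL.
PROXY_LOG = """\
2017-01-06T09:12:01Z 10.0.0.15 -> 93.184.216.34 GET http://example.com/
2017-01-06T09:13:44Z 10.0.0.22 -> 203.0.113.45 POST http://203.0.113.45/upload
2017-01-06T09:15:09Z 10.0.0.15 -> 198.51.100.7 GET http://198.51.100.7/x
2017-01-06T09:16:30Z 10.0.0.31 -> 93.184.216.34 GET http://example.com/news
"""

# Constructed output of a file-hashing run, "<sha256>  <path>" per line.
HASH_LOG = f"""\
{FAKE_HASH}  /tmp/update.exe
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  /usr/bin/ls
"""

# Destination address as written in the constructed proxy format above.
DEST_RE = re.compile(r"-> (\d{1,3}(?:\.\d{1,3}){3})")


def match_ips(log_text, ioc_ips):
    """Return the log lines whose destination address is a listed indicator."""
    hits = []
    for line in log_text.splitlines():
        m = DEST_RE.search(line)
        if m and m.group(1) in ioc_ips:
            hits.append(line)
    return hits


def match_hashes(hash_text, ioc_hashes):
    """Return the file paths whose SHA-256 digest is a listed indicator."""
    hits = []
    for line in hash_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ioc_hashes:
            hits.append(parts[1])
    return hits


def scan(proxy_log=PROXY_LOG, hash_log=HASH_LOG):
    """Run both matchers and return a summary suitable for an incident ticket."""
    ip_hits = match_ips(proxy_log, IOC_IPS)
    hash_hits = match_hashes(hash_log, IOC_SHA256)
    return {
        "ip_hits": ip_hits,
        "hash_hits": hash_hits,
        "hosts_to_review": sorted({line.split()[1] for line in ip_hits}),
    }


if __name__ == "__main__":
    summary = scan()
    for key, value in summary.items():
        print(key, value)
```

A file-hash match is strong evidence that a listed artefact is present. An IP match is a lead rather than a verdict, because address lists often include shared hosting or proxy infrastructure that legitimate traffic also uses, so the hosts returned in `hosts_to_review` are the starting point for an investigation, not a list of confirmed compromises.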
If you think your system has been infiltrated or you otherwise want assistance, the JAR provides contact information where you can get assistance: “DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), the FBI through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937) to report an intrusion and to request incident response resources or technical assistance”.
It is not difficult to quickly come up with ways in which every company’s computer system could be used to provide valuable and compelling information to those wanting to benefit from corporate espionage, especially since so much of American critical infrastructure is in private hands. Of course, we should not forget about the Internet of Things, and how little cybersecurity is actually installed on medical devices, smart watches and similar devices!