Author: Derek Nugent, Vice President Sales, Marketing & Customer Success at Difenda
It’s been a strange year, to say the least.
Recently, a hacking group known as DarkSide managed to take down a major U.S. pipeline. That isn’t unusual — cyberattacks targeting critical infrastructure are frighteningly common these days.
What’s odd is the fact that the group apologized for doing so.
One might expect that given the damage caused by the attack, it would be complex or sophisticated. But it wasn’t.
The hackers used the same tried-and-true tactics we’ve seen time and time again.
How Did the Colonial Hack Happen?
The same way 99% of cyberattacks happen: DarkSide used social engineering to break into a single user’s desktop. Specifically, they used a phishing email laden with ransomware that shares the group’s name.
And despite this, it still happened.
Now, before blaming Colonial Pipeline, take a moment to consider: a business targeted by cybercriminals needs to prevent or mitigate every single hacking attempt. Meanwhile, cybercriminals only need to succeed once.
And they know this. They understand that when attacking an organization, they can take their time, study the environment, and find the ideal weakness to exploit. More often than not, even in otherwise secure organizations, that weakness is its people.
Here’s a simple example: In a company with 1,000+ employees, 7% of employees will open that phishing email, and only one needs to download it. That’s all it takes for a cybercriminal to establish a foothold within a company. And this is exactly what happened at Colonial Pipeline.
How Will This Latest Ransomware Attack Impact Canada?
Let me start by saying this recent attack speaks to several disconcerting trends in the cybersecurity space. Although this attack targeted U.S. infrastructure, Canada is just as vulnerable and could face similar attacks.
Here’s what you need to understand.
Critical national infrastructure is under threat. From electrical networks to water treatment to oil and gas pipelines, we are incorporating Internet access into more and more of our critical systems.
We live in an era of cyberwarfare. War now takes place in four dimensions — air, land, water, and cyber. The Colonial hack, like similar attacks, can be seen as a proof of concept to demonstrate that anyone, anywhere in the world, can gain direct access to a nation without regard for physical boundaries.
What we are doing isn’t working. This attack will lead to rapid adoption of the latest cybersecurity solutions. However, cybersecurity products aren’t enough when all it takes is one person, one email, and one phishing attempt to bring it all down.
The real problem is how we are implementing recognized frameworks. Frameworks only work if they are applied in their entirety and monitored by the businesses using them.
Cyber Hygiene Isn’t Optional Anymore—It’s Table Stakes
The path to better security posture is neither blind spending nor blind ignorance. It’s the enforcement of basic cybersecurity hygiene. Many businesses, governments included, likely already have the necessary components for this in their environments.
It’s time to accept the failures of both IT and OT. We need to reassess the foundations that cybersecurity programs are built on. And that means taking a deep look into the basics—the people, processes, and policies guiding these programs and the software they rely on.
And more importantly, it means that businesses and governments of all sizes need to accept that they could be targeted at any time.
But what does it take to implement an effective cyber hygiene program? It takes a proactive approach built upon a strong foundation.
It starts with understanding your threat landscape, modeling threats you face, understanding who may target you, and why.
Next, you need to define your assets and map out security controls for your asset categories. Accept that you can’t protect everything, and instead, focus on establishing security controls and organizing assets by priority. In most cases, you may already have these security controls in place and simply need to start enforcing them.
The final step is to focus on long-term sustainability. Cybersecurity is a continuous process, and hygiene is only the first step.
Build a Sustainable Cybersecurity Program Before It’s Too Late
Look at the last ten major security breaches and consider what all of those businesses had in common. Each and every one of them had best-in-breed cybersecurity products in place. And those products did nothing to prevent a breach from happening.
The lesson here is simple. Basic, properly implemented, hygienic security controls offer more protection than poorly implemented advanced security products. If you look at the Colonial breach as simply justification for going out and buying a shiny new piece of software, you’re taking away the wrong message.
Don’t go out and buy another product to add to your existing stack of poorly maintained tools.
Start by assessing your current situation and leverage what you already have in place first. If, at that point, you still need additional software, you can purchase it then.