The Key to Good Cybersecurity: You


Did you know that your organization and you can be a cyber criminal’s target even if you do not have much valuable information?  Imagine that it is the morning of February 3rd, 2020.  Frigid temperatures extend as far south as Texas and are expected to stay in place for at least the next 6-8 days.  As you are getting ready for work you hear the local fire company’s siren begin to wail.  A few seconds later your whole house goes dark.  You pull out your phone to turn on the flashlight app and it starts wildly chirping and buzzing.  There is an alert from the Federal Emergency Management Agency (“FEMA”) advising everyone of a nearly nation-wide blackout and recommending that everyone stay off the streets and at home while emergency crews work to assess and address the situation. 

Your Wi-Fi is out, so you try connecting your laptop to the Internet via your phone, but the phone has trouble keeping you online.  So, you E-mail your office that you will try again in a bit when the power comes back on, then change into warmer clothes and settle in on your couch armed with a heavy blanket, a book, and the old AM/FM radio that you found buried at the back of your closet.

By noon the news begins reporting that the blackout was the result of a coordinated attack.  The attackers created malicious software (malware) that overwhelmed the protective switches, called relays, which are used by power companies to keep their electrical distribution equipment from being damaged.  The malware kept the relays from working properly, causing transformers and other equipment to overheat and, in some cases, to catch fire.  Officials are still assessing the damage, but they are warning that although there is some inventory of spare parts and equipment, much of the equipment will need to be newly manufactured which could take months.

As the day progresses you accept the fact that the power will be out a while and that the fire-and-blanket approach is not a long-term strategy.  You are about to hop in the car to buy a generator when your phone rings.  It is the CEO of your company.  The FBI called her moments ago and told her that they traced the problem back to an individual E-mail account at your company: your account.  Foreign agents gained access to your E-mail account and used it to send infected E-mails to select customers of your company.  These infected E-mails allowed the foreign agents to gain control of other systems, and to eventually work their way up to a company that has access to the electrical grid.  From there, they were able to infect the grid and cause the nation-wide blackout.  The FBI assured the CEO that they will not publicly name your company, but cautioned that given the scope of the damage and the number of agencies involved it may not be long before the company’s name, your name, and your collective role in the blackout are leaked.  You hang up and collapse onto your couch, your head spinning at the thought that your world has forever changed.

Could This Really Happen?

While this scenario may sound far-fetched, cyber criminals target victims for a variety of reasons, and most aspects of this scenario have already occurred.  For example, according to the Wall Street Journal, agents of the Russian government gained access to an excavating company’s E-mail systems in 2018 [1].  They exploited the excavating company’s trusted relationship with its customers and moved up to larger, more sophisticated companies, eventually gaining access to the US electrical grid.  “They got to the point where they could have thrown switches” and disrupted power flows, said Jonathan Homer, chief of industrial-control-system analysis for DHS [2].  “Some companies were unaware they had been compromised until government investigators came calling, and others didn’t know they had been targeted until contacted by the Journal.”  Thankfully, investigators from the FBI and DHS were able to stop the foreign agents before damage could be done to the US electrical grid.  Otherwise, the US may have suffered the same fate as Ukraine in 2018, when an attack on its electrical grid caused massive equipment failures and lengthy power outages [3].

To help keep this from happening to you, follow our Top 7 Tips for Reducing Individual Cybersecurity Risks. Click Here to download a PDF version of this document, along with our Top 7 Tips for Reducing Individual Cybersecurity Risks.

[1] https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112

[2] https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/

[3] https://dragos.com/wp-content/uploads/CrashOverride-01.pdf

CMMC Version 0.4 Released 4-SEP-2019

The United States Department of Defense published Version 0.4 of the CMMC on September 4, 2019. The publication includes some new insights into the DoD’s plans for the CMMC, including:

  • Reinforcement of the January 2020 target date for the release of CMMC 1.0 and the June 2020 target date for incorporation of the CMMC in all RFIs;
  • A softening of the target date for incorporation of the CMMC as a mandatory requirement for all acquisitions to “Fall 2020” (this had previously been September 2020);
  • A commitment to a second draft of the CMMC, which is due in November 2019;
  • The DoD is actively pushing to streamline the CMMC and is seeking public comments on how the requirements should be reprioritized and/or reassigned, as well as whether certain requirements should be removed or added;
  • The DoD is aware that small and medium businesses may be more severely impacted than large government contractors and is trying to factor SMB concerns into the CMMC;
  • The DoD is stressing process maturity, not merely the implementation of certain pieces of technology (which they refer to as “practices”), and asserts that such maturity can help make up for shortcomings in technical control implementations.

As illustrated in Figure 1, below, the CMMC defines eighteen (18) different cybersecurity-related domains, from Access Control to Systems and Information Integrity. Every domain is comprised of capabilities, and each capability is comprised of both practices and processes.

Figure 1

The CMMC defines two sets of maturity metrics: one for technical practices (i.e., whether certain controls have been implemented), and one for processes (i.e., how well the organization has documented not only its plans for implementing the controls, but also how well it is monitoring its performance in implementing the controls). The practice maturity levels are:

  1. Basic Cyber Hygiene;
  2. Intermediate Cyber Hygiene;
  3. Good Cyber Hygiene;
  4. Proactive; and,
  5. Advanced/Progressive.

The process maturity levels are:

  1. Performed;
  2. Documented;
  3. Managed;
  4. Reviewed; and,
  5. Optimized.

Each organization’s maturity will be assessed against all eighteen domains, and the assessment will look at both the practices and the processes. Organizations, especially small and medium organizations, frequently do not prioritize documentation of processes; therefore it can take months, and even years, for organizations to reach process maturity level 2 or beyond. We strongly encourage organizations to start documenting their processes now, before CMMC 1.0 is released. We recognize that this process can be intimidating for even sophisticated organizations. Contact Fathom Cyber today to learn more about how we can help your organization prepare for CMMC 1.0.

Subscribe to our newsletter for more details about the DoD’s Cybersecurity Maturity Model and other business-oriented cybersecurity news and information. To view CMMC Version 0.4, visit https://www.acq.osd.mil/cmmc/draft.html

Department of Defense CMMC Update

We attended a presentation in early August by Katie Arrington, who is spearheading the Department of Defense’s (“DoD”) efforts to increase the role cybersecurity plays in acquisitions. At that time, Ms. Arrington mentioned that Version 0.4 of the DoD’s Cybersecurity Maturity Model Certification (“CMMC”) would be released on August 30, just before the long Labor Day weekend. The DoD’s Office of the Under Secretary of Defense for Acquisition & Sustainment announced late last week that “Due to the impending holiday [the office] will release the Draft CMMC 0.4 once it clears review by DoD Public Affairs”. This is disappointing for the hundreds of thousands of Defense Industrial Base (“DIB”) contractors who are waiting for additional clarity from the DoD before kick-starting their maturity assessment and improvement processes. DoD is currently targeting a January 2020 release date for CMMC Version 1.0, with June and September roll-outs for mandatory inclusion of the CMMC in all RFIs and acquisitions, respectively. We recommend that all contractors perform a pre-assessment now so that they have as much lead time as possible to make any necessary changes or improvements.

Outsourcing Comes with Risks

Many companies are considering “moving to the cloud” and other forms of outsourcing because the costs are lower and they assume the outsourcing provider is going to properly handle all of the associated issues, including security. Some outsourcing providers take security seriously, and for small and medium businesses who do not have the resources to handle security well themselves, outsourcing to those providers can help significantly reduce their overall risk.

But outsourcing also brings with it its own risks, and many small and medium businesses are rushing to adopt the cloud and other outsourcing without really understanding the risks. Just ask the 400 dental offices around the country who relied on The Digital Dental Record (TDDR), a provider of practice management and patient information storage solutions for dental offices. TDDR was the victim of a ransomware attack last week, and although there are reports that the company has access to a third-party decryption program, the restoration process has been very slow. In fact, only about 1/4 of the impacted dental practices have come back online over the course of the week. In the meantime, the impacted practices have had to cancel appointments and turn away patients because they do not have access to the patients’ records and other information. Some of the impacted practices may not survive if they are unable to treat patients soon.

According to TDDR’s public statements on the issue, it will likely take several more days, and possibly weeks, before their data recovery efforts will be complete. In some cases, the third-party decryption tools are not entirely successful, which means that some of the practices may permanently lose some or all of their patient data.

In addition, since some criminals disguise their data exfiltration efforts as ransomware attacks, TDDR is not yet certain whether a HIPAA violation or other data breach has occurred. Many states have strict notification and response laws, especially when healthcare information is stolen or otherwise released without authorization. TDDR and its dental practice customers will need to carefully monitor the situation to ensure they meet both their state and federal obligations.

The data restoration and potential data breach response costs will be significant for TDDR. Depending on its contracts with its clients, TDDR may also be responsible for their lost revenue, any additional data breach response costs, potential penalties, and other costs. Many outsourcing contracts limit the contractor’s liability to a multiple of the fees paid, and it will be interesting to see if TDDR’s customers will come close to being made whole. Of course, that also assumes that TDDR will continue to be in business long enough to pay any such claims, and that TDDR’s insurance will cover any shortfall given the number of customers and patients whose data is involved.

Outsourcing can be a lifesaver for small and medium businesses, giving them access to tools and resources that would otherwise be unreachable. However, it is important to carefully define and assess the risks that go along with outsourcing before an accurate cost/benefit analysis can be performed.

A proper risk analysis is a core part of a defensible IT and cybersecurity strategy because it allows the organization’s executives to agree on how each risk should be addressed, i.e., through acceptance, avoidance, transfer/insurance, mitigation, or even enhancement. For those risks where risk transfer through insurance makes sense, a risk analysis allows the organization to ensure the insurance properly covers the risks. For those risks where mitigation is the chosen option, the risk analysis allows the organization to create well-structured mitigation policies and procedures, as well as corresponding incident response plans.

Organizations of all sizes benefit from a risk-based, defensible cybersecurity program. Unfortunately for TDDR’s customers, it may be too late. Has your organization conducted a thorough cybersecurity risk assessment and, if so, are you confident in the resulting policies, procedures, and plans? Are you confident that your insurance properly covers your risks? Have you tested your incident response plans?

At Fathom Cyber, our Defensible Cybersecurity Strategists know that cybersecurity and data privacy are more than just an IT issue: they are vital to our customers’ survival. That is why we don’t offer cookie-cutter approaches to cybersecurity and data privacy. Instead, we help organizations analyze their risks so they can make business-intelligent cybersecurity and data privacy decisions.

Contact Fathom Cyber to learn more about how we can help your organization create a Defensible Cybersecurity Strategy.

What Constitutes an Act of War?

We have discussed in the past the thorny issues associated with attributing a malicious act, like a cyber attack, to a nation-state actor. In particular, some insurance companies have attempted to avoid payment of large data breach claims when the claims arose from acts which were attributed to nation states. A recent decision by the U.S. Ninth Circuit Court of Appeals will make it harder for insurance companies to make that claim going forward.

In 2014, NBC Universal began filming a television show called “The Dig” which was to take place in, and be filmed in, Jerusalem. However, shortly after filming ended for the pilot episode, Hamas began attacking the city and NBC Universal was forced to move production to other locations. NBC Universal had purchased production insurance, and filed a claim with its carrier to offset the cost of the production changes. The carrier, OneBeacon Insurance Group, claimed that an “act of war” exclusion in the policy applied, and a US District Court agreed. The Ninth Circuit disagreed, arguing:

“Both ‘war’ and ‘warlike action by a military force’ have a specialized meaning in the insurance context and the parties had, at the least, constructive notice of the meaning[.] … The district court erred when it failed to apply that meaning. Under that specialized meaning, both ‘war’ and ‘warlike action by a military force’ require hostilities between either de jure or de facto sovereigns, and Hamas constitutes neither[.] … Hamas’ conduct consisted of intentional violence against civilians[,] conduct which is far closer to acts of terror than ‘warlike action by a military force[.]’” In this instance, “de jure” refers to “existing in law.”

In many cases, cyber breaches are attributed to groups affiliated with different nation-states (e.g., Fancy Bear, APT38, Clever Kitten, etc.), but which have not been formally tied to a particular nation. The actions are more akin to acts of terror than warlike action by a military force, and thus insurance companies will face a much higher bar when claiming that a cyber attack is the result of an act of war.

The Week in which Domestic and International Regulators Flexed Their Collective Muscles

This week saw European regulators impose stiff fines on both Marriott (equivalent to $123 million USD) and British Airways (equivalent to $229 million USD) for violating Europe’s General Data Protection Regulation (GDPR). Although the fines are far from the four percent (4%) of the companies’ annual revenue that was possible under GDPR, they still signal an intent by European regulators to force companies to pay more attention to cybersecurity and data privacy.

Many companies in the US have paid only passing attention to these stories because they take place on foreign shores where the companies do not conduct regular business. However, even in the US things are starting to get more interesting. The Washington State Attorney General’s Office announced late last week that it had successfully entered into a consent decree with Premera Blue Cross, the largest health insurer in the Pacific Northwest, over a data breach it suffered. As the Attorney General’s office stated:

“Premera had an obligation to safeguard the privacy of millions of Washingtonians — and failed[.] … As a result, millions had their sensitive information exposed. Premera repeatedly ignored both its own employees and cybersecurity experts who warned millions of consumers’ sensitive health information was at risk.”

Premera will have to pay $10 million in fines (or roughly $1 per impacted individual), which is still well below the per-person fines imposed on Marriott ($4.10 per impacted EU citizen) and British Airways (almost $460 per person impacted). More significant than the fines, however, is the fact that Premera agreed to a multi-year program of regulatory oversight and audits, and that it agreed to make significant management changes to bring about a more security-focused culture throughout the organization.

The fines agreed to under the consent decree are also in addition to any damages assessed as part of a class action suit that is also pending. Those damages are reportedly approaching nearly $75 million USD.

Organizations creating defensible cybersecurity™ programs can demonstrate that they have been taking risk-appropriate steps to protect the information with which they are entrusted. This helps organizations reduce, and even eliminate, costly fines and penalties. To find out more about how your organization can benefit from defensible cybersecurity, contact Fathom Cyber.

Are Your Marketing People Creating Cybersecurity-Related Risks?

We are seeing an up-tick in enforcement actions from the Federal Trade Commission regarding vendor cybersecurity claims. The FTC’s recent settlement with D-Link, a major vendor of networking equipment and cameras, is just the latest example (a link to the settlement agreement appears below). The FTC charged the company with “participat[ing] in deceptive acts” when the company advertised that its equipment included top-of-the-line security measures. Although D-Link will avoid paying any fines, it must fundamentally overhaul its engineering and development processes. The company must also submit to an independent third-party review of all of its development processes and code.

Vendors need to be wary of the claims they make on their sites. Superlative phrases such as “100% secure”, “unhackable”, and “top-of-the-line” security carry with them significant risks, yet marketing people still love to use these phrases, creating risks for their companies. At the same time, mature buyers know there is no such thing as 100% security or an unhackable device. So why bother using these phrases?

https://www.ftc.gov/enforcement/cases-proceedings/132-3157/d-link

Low-Cost Goods and Services May Cost More in the End

We have written before about the importance of good vendor selection and vendor risk management processes for companies. The article below helps reinforce this. As research conducted by Finite State and ReFirm Labs shows, many low-cost devices, including network equipment, mobile devices, and IoT devices, include flaws in their firmware (the low-level software that controls how the equipment operates) that can allow an attacker to take complete control over the equipment. When reported to the vendors, in some cases the vulnerabilities are allowed to persist, and in other cases they are simply moved to other parts of the firmware, suggesting that they are intentionally planted.

Some organizations may feel that their internal data is not worth a criminal’s time, and that the risks associated with low-cost goods may be acceptable. However, it is important to recognize that most organizations hold partner and customer data, such as business plans, buying habits, intellectual property, and the like. This information is often the criminals’ ultimate goal, not merely the data belonging to the organization itself.

As your company evaluates new equipment, it is important to understand that price alone should not be the determining factor. In some cases, low-cost goods can wind up costing you more by introducing vulnerabilities that ultimately lead to cybersecurity incidents and data breaches.

https://breakingdefense.com/2019/07/hunting-huaweis-hidden-back-doors/

Patch…and Verify

tl;dr: If you use Microsoft Outlook for your E-mail client, whether for home, school, or work, please make sure you have applied all of the latest patches. Want to know more about why? Read on.

Almost all computer software contains bugs. Many bugs are, at least from a security perspective, benign, such as using a wrong mathematical formula or marking words as spelled improperly when they aren’t. However, some bugs create significant security problems. Take, for example, the bug described in the article below. In this case, an attacker can send malicious E-mails to a user and, because of a flaw that was discovered in Microsoft Outlook in 2017, the attacker can gain control over the victim’s machine and use that as a launching point for future attacks.

Like many companies, Microsoft responded quickly to the news that Outlook had a bug that made it vulnerable to attack and issued a “patch”, or updated version of Outlook, that addressed the security issue. Now here’s the rub: despite being available for nearly two years, many organizations and individuals have not applied the patch. In fact, things are so bad that the US Cyber Command, the group in the Department of Defense that is responsible for securing US cyberspace, has issued a warning that reminds everyone to apply the patch or update to a newer version of the software.

If the patch has existed for nearly two years, why are there still so many vulnerable computers? Well, one reason is a lack of awareness. Many organizations and individuals simply aren’t aware that the patches are even available (despite notices in the software). Another reason is that some are afraid that the patch will break something else (“if it ain’t broke, don’t fix it”). Regardless of the reason, though, the fact is that the vulnerabilities fixed in most patches are real and are being actively exploited by criminals and nation-state actors all the time, and good patch management is the only effective way to address the risks.

Of course, it is important not only to ensure that patches are regularly run, but also to ensure that they were effectively applied. Sometimes patches fail, such as when the file or application being updated is in use, and it is important to review the patching logs or notices after the patching process completes so you can be sure the patch was properly installed. In some cases, additional assistance may be needed. For example, we recently identified and solved a problem at a client where one machine had been regularly trying to apply a patch for the past 18 months.

Organizations and individuals should get in the habit of allowing automatic updates to their computers, including the operating system and any software that runs on it. If there are logical reasons not to allow automatic updates, then regular (e.g., weekly or at most monthly) review and application of existing patches is critical to ensuring good cybersecurity.
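To turn “review the patching logs” into a repeatable check, here is an added PowerShell example (not code from the original post) that reads a Windows machine’s own update history, lists every attempt that did not succeed, and flags any update that has been retried repeatedly without ever succeeding, which is the pattern behind the 18-month case described above. It assumes a Windows host with the Windows Update Agent COM API available and an elevated prompt; the retry threshold and look-back window are constructed defaults.

```powershell
# Added example: audit local Windows Update history for failed and "stuck" patches.
# Assumes the Windows Update Agent COM API (Microsoft.Update.Session) is present.
# $MinRetries and $Days are constructed defaults; 548 days is roughly 18 months.
param([int]$MinRetries = 3, [int]$Days = 548)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$since    = (Get-Date).AddDays(-$Days)

# ResultCode values of the Windows Update Agent OperationResultCode enumeration.
$resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded';
                  3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

# Normalise each history entry into a small object we can group and filter.
$history = $searcher.QueryHistory(0, $total) |
    Where-Object { $_.Date -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            Date    = $_.Date
            Title   = $_.Title
            Result  = $resultNames[[int]$_.ResultCode]
            HResult = ('0x{0:X8}' -f $_.HResult)   # error code, useful when opening a ticket
        }
    }

# 1. Every attempt in the window that did not complete cleanly.
$failed = @($history | Where-Object { $_.Result -ne 'Succeeded' })
Write-Host "Non-successful update attempts in the last $Days days: $($failed.Count)"
$failed | Sort-Object Date -Descending | Format-Table Date, Result, HResult, Title -AutoSize

# 2. Updates that keep being retried: same title, many attempts, never a success.
$stuck = $history | Group-Object Title | Where-Object {
    $_.Count -ge $MinRetries -and -not ($_.Group.Result -contains 'Succeeded')
}
if ($stuck) {
    Write-Warning "Updates attempted $MinRetries or more times without ever succeeding:"
    $stuck | ForEach-Object {
        [pscustomobject]@{
            Attempts = $_.Count
            First    = ($_.Group.Date | Measure-Object -Minimum).Minimum
            Last     = ($_.Group.Date | Measure-Object -Maximum).Maximum
            Title    = $_.Name
        }
    } | Format-Table -AutoSize
}

# 3. Cross-check against the System event log: the Windows Update Client
#    provider records event ID 20 for an installation failure (ID 19 is success).
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id           = 20
    StartTime    = $since
} | Select-Object TimeCreated, Message | Format-Table -Wrap
```

An empty "stuck" list and zero ID 20 events is the expected state on a healthy machine; anything else is the item to chase in the weekly review.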

Good patch management is also a key part of a defensible cybersecurity™ program. Contact Fathom Cyber and subscribe to our newsletter to learn more about defensible cybersecurity.

To our security community friends: we didn’t pick the image in the picture, so please don’t blame us for the cliché and blatantly incorrect use of the “hoodie hacker”.

Travel tip: do not use public USB chargers

Developing good cybersecurity requires a mindset change and awareness of the risks around you. Take, for example, charging your phone while on the go. Did you know that it is relatively easy for criminals to build USB charging stations that look like those provided by cell phone companies and other legitimate providers and plant them in shopping malls, airports, or other public locations? It is also easy for criminals to modify existing USB devices, including charging stations, alarm clocks, radios, and TVs in hotel rooms, so those devices steal your data or infect your device with malware.

What can you do? Carrying your own charger and plugging it directly into an electrical outlet is the safest way to charge your phone. Or, carry your own USB cable and a USB data blocker.

For more information, see the article below. Enjoy your trip and stay safe!

https://www.rd.com/advice/places-never-charge-phone/