By Jennifer Kazy, WaterISAC
This month marks the 14th annual National Cyber Security Awareness Month (NCSAM, #CyberAware Month), a program co-founded by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS). The theme for National Cyber Security Awareness Month is Our Shared Responsibility. This theme centers on one of the most important facets of cybersecurity in every organization: people.
As cyber attackers have shifted from hacking computers to hacking humans, people have become one of the biggest threats to an organization. Just ask a hacker. According to one of the world’s most notorious hackers, Kevin Mitnick (now “Chief Hacking Officer” at KnowBe4), it is easier to get someone to reveal something than it is to hack into their system.
To trick employees into providing valuable details about themselves and their organizations, malicious actors employ social engineering. Social engineering is subtle. At its core, it takes advantage of the trust we have placed in people and brands. Social engineering is a psychological strategy that defies technology controls, including email filters and firewalls, and that is why there are so many compromises, data breaches, and fraudulent transactions. With credentials and other information they collect, malicious actors are able to compromise business and operational technology systems, as well as personal accounts.
One very familiar social engineering method is phishing. Malicious actors devise convincing phishing lures to instill emotion – often urgency or curiosity – to elicit a response. Cyber threat actors are motivated by various interests. Financial gain is a factor for many. Other threat actors want to make a political or ideological point, as when attackers defaced a water utility website in 2015 with Islamic State propaganda. Of greater concern are threat actors supported by a nation-state, such as Russia and North Korea, that have demonstrated the capability to infect networks with malware that can sabotage infrastructure and information systems. The worst-case scenario imagined by some security experts would be a nation-state disabling water or wastewater services in metropolitan areas for extended periods of time. Such an attack would be reminiscent of the 2015 and 2016 infrastructure attacks that disabled parts of the electric-grid in the Ukraine. Regardless of motivation or intent, many threat actors rely on simple, yet convincing phishing emails to gain a foothold within an organization.
Targeted phishing attempts, called spear phishing, are used to impersonate someone we trust. Business Email Compromise (BEC), CEO Impersonation, and fake job applicants are commonplace lures that impersonate someone we deem to be legitimate and trustworthy, often someone in a position of authority, like a CEO. Also, phishing and spear phishing emails typically contain a website address or attachment designed to harvest information or install malware onto computers. According to a PhishMe report, 90% of phishing emails in 2016 contained a ransomware attachment designed to disrupt operations by locking (encrypting) or deleting valuable data files.
Not all phishing requires sending suspicious emails with a malicious website address or attachment. Some phishing attempts are physical, non-electronic methods like vishing, piggybacking, and shoulder surfing. Vishing and piggybacking are frequently used as part of “tech support” scams where individuals pretend to be technical support personnel to obtain credentials or physical access. Public places like cafés, airports, kiosks, and ATMs are likely locations for attackers to shoulder surf an intended target for confidential data. Another common social engineering tactic is strategically “dropping” USB flash drives loaded with malware where they are likely to be picked up and inserted into devices. More than one utility has used the dropped-USB drive tactic as a training tool with unsuspecting employees, demonstrating that indeed some employees will take the bait.
Some notorious breaches have occurred due to a lack of employee awareness surrounding social engineering tactics. Investigations consistently reveal that greater proactive employee awareness would stop the majority of data breaches. Cybersecurity starts with people, from the breakroom to the boardroom. When employees are not involved in cybersecurity, not only can vulnerabilities and threats go unnoticed, but employees often become the path of least resistance through which attacks are executed, making this a behavioral problem, not a technology problem.
The respected SANS Institute, in its monthly security awareness newsletter OUCH!, contends that common sense is the best defense in detecting and defeating social engineering attacks.
If you think someone is trying to trick you into revealing valuable information, immediately report the incident to your cybersecurity team or help desk, and be vigilant for these common social engineering attack scenarios (courtesy of OUCH!):
- Someone creating a tremendous sense of urgency. They are attempting to fool you into making a mistake.
- Someone asking for information they should not have access to or should already know, such as your account numbers.
- Someone asking for your password. No legitimate organization will ever ask you for that.
- Someone pressuring you to bypass or ignore security processes or procedures you are expected to follow at work.
- Something too good to be true. For example, you are notified you won the lottery or an iPad, even though you never even entered the lottery.
- You receive an odd email from a friend or coworker containing wording that does not sound like it is really them. A cyber attacker may have hacked into their account and is attempting to trick you. To protect yourself, verify such requests by reaching out to your friend using a different communications method, such as in person or over the phone.
The implications of a cybersecurity compromise are serious. First, there are costs to investigate and remediate the incident by hiring cyber forensic experts, replacing equipment, and upgrading applications. This is in addition to funds that may have been lost through extortion, if the organization has paid a ransom to unlock encrypted files, or other fraud. In many cases, compromised organizations have also spent significant sums to resolve customer lawsuits over the loss of personal information. Finally, there is the erosion of hard-earned consumer confidence – a critical asset for any organization with a public health mission such as a water or wastewater system.
To help bolster education and awareness to protect water and wastewater systems organizations from social engineering and other cyber threats, the Water Information Sharing and Analysis Center (WaterISAC) provides a rich clearinghouse of information about cybersecurity, as well as physical security and emergency response. Among these is the 10 Basic Cybersecurity Measures: Best Practices to Reduce Exploitable Weaknesses and Attacks, developed in partnership with the Department of Homeland Security, the FBI, and the Information Technology ISAC (IT-ISAC). In addition, WaterISAC conducts monthly Water Sector Cyber Threat Briefings with ICS-CERT and other cybersecurity organizations for Pro-level members. WaterISAC also urges water and wastewater systems to access the American Water Works Association’s Cybersecurity Guidance and Tool, which recommends courses of action to reduce vulnerabilities to cyber attacks.