Tag Archive for: Ransomware

If You Build It, They Will Come: The Top Four Cybersecurity Threats for Manufacturing Companies

Manufacturing companies face increasing risk from cyberattacks. As noted by IBM’s Security Intelligence blog, ransomware incidents rose more than 150 percent across the manufacturing sector from Q1 2019 to Q1 2020. Other recent survey data found that two-thirds of manufacturing firms believe their data breach risk has increased over the past two years.

There’s no single cause for this upward threat trajectory — the combination of always-on connected devices with growing cloud computing use and the increasing need for big data analysis in production planning and management all play a role in the evolution of manufacturing attacks.

Here’s a look at the underlying causes, possible impacts, and potential remedies for the top four manufacturing cybersecurity threats.

The Impact of Industry 4.0 on Manufacturing

Industry 4.0 changes the way manufacturing companies conduct day-to-day operations. From the use of always-connected sensors and devices that make up the industrial Internet of things (IIoT) to the integration of “smart devices” capable of proactively predicting maintenance needs, the digitization of Industry 4.0 represents a significant leap forward for manufacturing firms.

Unlike its operational predecessors — mechanization (1.0), mass production (2.0), automation (3.0), and globalization (3.5) — Industry 4.0 represents a substantive move into the world of always-on, always-connected devices. While this provides a wealth of data to help companies make better-informed manufacturing decisions, it also introduces significant risk. Frameworks such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) solutions that were historically cut off from external Internet connections are now part of a larger integrated ecosystem. Often, this ecosystem lacks the security controls and oversight necessary to identify and eliminate risks.

What the Cloud Means for Manufacturing

Cloud computing also plays a significant role in the shift to Industry 4.0 as firms look for ways to connect disparate tools and systems across both local facilities and global operations. The result is significant spend by manufacturing firms on robust cloud services. Recent data suggests the cloud market for manufacturing will grow by more than 15 percent year-over-year for the next five years.

But increasing cloud adoption also comes with a concern: complexity. As more applications and services are added to existing IT infrastructure, it’s easy for teams to lose track of what’s been deployed, where, and why. Consider the addition of public cloud services to help bolster computing resources and the storage of big data. Traditionally, these functions reside on-site, making it easy for teams to monitor operations. But as functions shift into the cloud, IT staff must contend with multiple layers of network connection and communication. As a consequence, teams find it harder to see exactly what’s going on — which potentially exposes key data to cybersecurity risk.

The Top Four Cybersecurity Threats

For manufacturing firms, four cybersecurity threats are now common: Data exfiltration, ransomware, phishing, and insider attacks. Let’s break down each in more detail.

1. Data Exfiltration

Data exfiltration occurs when attackers compromise manufacturing networks and then steal data to share or sell. Exfiltration often starts with malware — malicious actors may use legitimate-seeming emails that convince users to click links or download attachments, which then deploy malware to infiltrate network-connected storage systems. Personnel, product, or financial data is then in the hands of hackers, who may sell it on the dark web or threaten its release unless companies agree to pay for its return.

Take the example of Titan Manufacturing and Distributing. The company’s network was compromised by data exfiltration malware for almost a year, during which time attackers stole the names, billing addresses, and payment card details of more than 1,800 customers.

2. Ransomware

Another major threat to manufacturers is ransomware. This threat vector sees attackers infecting systems with programs designed to encrypt critical manufacturing data, rendering it inaccessible for companies. Then, they demand payment for decryption keys and threaten to delete or sell the information if their demands aren’t met.

Ransomware was responsible for the 2019 attack on Norwegian aluminum company Norsk Hydro, which has manufacturing operations in more than 40 companies worldwide. While the company didn’t pay the ransom, removing malicious code and remediating the damage — combined with lost revenue — cost the company almost $75 million.

3. Phishing

Phishing attacks happen when cybercriminals attempt to convince corporate users that they’re legitimate business contacts or members of the organization itself. In some cases, the intent of phishing attacks is to have users supply login credentials as part of a fake “reset” or “verification” process. In other situations, attackers attempt to compel specific — and costly — action. For example, attackers masquerading as C-suite executives may try to trick users into transferring funds into foreign bank accounts or request detailed HR data about specific employees. If staff can be convinced these emails are authentic, they often comply with requests immediately rather than double-checking because they don’t want to risk a management-level rebuke.

This was the case for aircraft parts manufacturer FACC. Attackers were able to convince multiple users that the CEO wanted money transferred into foreign accounts. The result was a loss of $61 million and civil prosecution of both the former CEO and chief financial officer for failing to detect and stop the fraud before it occurred.

4. Insider Attacks

Insider attacks may be the result of malicious action or accidental misuse of networks and data by employees. In either case, however, the results are the same: Manufacturing data is exposed, and corporate operations are put at risk. As noted by Industry Week, manufacturing firms now rank among the top five industries with the highest number of insider threats, and the average cost of an insider threat for a single manufacturing firm is more than $8.8 million.

Best Practices to Address Cybersecurity Concerns

To reduce the risk of manufacturing cybersecurity threats, firms need to follow three critical best practices.

Improved Visibility

As cloud and IIoT connections become more complex, it’s easy for teams to lose network visibility. This often creates a situation that sees companies acting based on what they think their network looks like rather than its actual structure. As a result, improved visibility is the first step on the road to enhanced cybersecurity.

Enhanced Agility

Agility is also critical. With cyberattacks on the rise, it’s now a matter of when not if firms will be attacked. Consequently, organizations must be prepared to respond ASAP if threats or vulnerabilities are detected across their networks.

Increased Access Control

As the number of public-facing connections and services increases, companies need granular access control to ensure that the right people are accessing the right data at the right time. Additionally, they must have processes to flag potential malicious actors are flagged and refuse access.

Making the Most of Comprehensive Cybersecurity

Making the most of cybersecurity starts by recognizing the risk: Threats such as data exfiltration, ransomware, phishing, and insider attacks are now commonplace and costly.

Firms must also account for the increasing attack surfaces created by cloud-enabled Industry 4.0 deployments. From unintentional exposure to public-facing Internet connections to previously undiscovered vulnerabilities, the move to modern infrastructure comes with a commensurate threat increase.

What can organizations do to protect themselves? To mitigate the impact of evolving threats, companies need security solutions capable of delivering improved visibility, enhancing overall agility, and increasing access control. Only then can organizations fortify themselves against threats and protect their growth and profitability.

Ready to get started? Find more information here or sign up for a live demo of RedSeal for manufacturers.

Lock Up Your Jewels: Reducing Exposure and Limiting Risk in a Ransomware-Riddled World

Ransomware is on the rise. That’s an often-repeated statement in the headlines — but what does it really mean for companies?

Data tells the tale. According to Tech Republic, attacks surged 57 percent between October 2020 and March 2021, while Purple Sec’s 2021 Cyber Security Trends Report notes that ransomware attacks have grown 350 percent since 2018. What’s more, the average ransomware payment rose by 82 percent to $570,000, with the largest single ransom demand coming in at $100 million.

Now that attackers have successfully breached some business networks, companies are understandably worried about the risk of data exfiltration leading to downtime or revenue losses. As Security Boulevard points out, companies now spend almost $2 million to recover after an attack and, on average, suffer 21 days of downtime. Even more worrisome? Paying up doesn’t guarantee the return of encrypted data. Attackers may decide to keep or destroy data or return for another round of attacks once they know payment is possible.

What’s the bottom line? Reducing exposure and limiting risk requires more than recognizing that ransomware is on the rise. To combat these attacks and safeguard what matters, companies need solid strategies backed by advanced cybersecurity solutions.

Ransomware Attacks in the Headlines

Although attackers often target smaller businesses to reduce the risk of getting caught, that hasn’t stopped some groups from prioritizing bigger payouts. Case in point: The Colonial Pipeline attack. On May 7th, 2021, staff found a digital ransom note saying that attackers had already exfiltrated data from Colonial’s network. The company immediately suspended both IT and operations, leading to sudden interruptions in fuel delivery along the East Coast. Within a day, Colonial paid the $5 million ransom and began getting their systems re-secured and back online.

Also making the news were attacks using the REvil ransomware-as-a-service (RaaS) suite. According to the Department of Justice, a Ukrainian national was arrested in conjunction with attacks spanning the last three years, including the July 2021 attack of information technology company Kaseya. While Kaseya says it didn’t pay the ransom demanded, it took the company ten days to recover from the attack and bring their software-as-a-service (SaaS) servers back online.

Why is Ransomware on the Rise?

So what’s driving the rise of ransomware? Several factors are converging that make ransomware attacks easier than ever before.

Enhanced RaaS Tools

Taking a cue from legitimate businesses, some capable coders have created ransomware-as-a-service (RaaS) platforms that sell both basic and customized attack tools to interested parties. The result is a win-win for hackers: They take money up-front from buyers while simultaneously reducing their risk since they’re not actually carrying out the attacks. Many RaaS marketplaces now resemble more familiar eCommerce offerings. Attack designers offer promotions, sales, and even customer support to keep clients coming back.

Expanded Attack Surfaces

Ransomware is also on the rise, thanks to expanding attack surfaces. With more potential avenues of attack — via mobile connections, internet of things (IoT) networks, or open-source software deployments — attackers can pick and choose their preferred compromise method. This reality is forcing IT staff to look to secure multiple points of potential compromise.

Evolved Work Environments

With remote and hybrid work here to stay, businesses now face the challenge of securing networks both in the office and at a distance. For many, however, the abrupt initial shift to remote work created insecure frameworks that remain in use but lack proper protection.

What are the Common Attack Vectors?

The constant evolution of technology means that attackers are always exploring new avenues of compromise. For example, the rise in open source software and application programming interfaces (APIs) has changed how businesses design and develop new services while simultaneously expanding the attack surface.

Despite occasional boundary-pushing, however, most attackers prefer to stick with tried-and-true ransomware vectors.

Remote desktop protocol (RDP)

The remote desktop protocol makes it possible for administrators to access servers and desktops anywhere, anytime. But RDP also opens the door to ransomware attacks. If malicious actors steal legitimate account credentials, they can leverage RDP to access networks, install ransomware, and leave without detection.

Phishing

In 2020 alone, bad actors created almost seven million phishing emails and scam pages. Using promises of COVID vaccines or masquerading as instructions from C-suite executives, these emails create a compromise point for ransomware. If attackers can convince users to click on malicious links or provide account information, they can infiltrate networks and deploy ransomware.

Software vulnerabilities

Open-source software tools and APIs make it possible for companies to streamline software development and put them at risk of unknown or zero-day vulnerabilities. If attackers compromise unreported issues, they can gain network access and encrypt data before teams have a chance to respond.

DDoS attacks

Distributed-denial-of-service (DDoS) attacks are now being used in concert with ransomware. In some cases, cybercriminals hit companies with DDoS attacks and demand ransom for restoration of services. In others, DDoS efforts are used as a distraction while ransomware is deployed.

Combatting the Rise of Ransomware Attacks

To combat the rise of ransomware, companies are best served with a multi-step approach designed to reduce both the initial risk and overall impact of ransomware threats.

Step 1: Identify Your Assets

First, pinpoint what you need to protect on your network. Think of the most critical assets as the “crown jewels” of your organization. Where are they located, and how are they currently defended?

Step 2: Prioritize Your Vulnerabilities

Next, conduct a security assessment — either in-house or using a third party — to determine where your risks lie. While on-site IT teams have greater familiarity with your network, using in-house personnel may be a security drawback because they may not recognize potential vulnerabilities. By contrast, third-party evaluators can often attack your network in unexpected ways to discover new or undiscovered weaknesses.

Step 3: Secure Your Workforce

Without a secure workforce, efforts at ransomware reduction won’t be effective. Addressing this issue requires the use of tools such as virtual private networks (VPNs) to protect connections and data. You should also deploy zero-trust security solutions that require two (or more) factor authentication and include robust identity and access management (IAM).

Step 4: Reduce Your Response Time

When attacks occur, you need to react ASAP. This rapid response requires the use of advanced cybersecurity solutions that help unify infosec response with end-to-end visibility that empowers teams to react in real-time.

Keep it Secret, Keep it Safe

Ransomware isn’t going anywhere. Attackers are constantly looking for new ways to compromise systems or leveraging tried-and-true methods to slip past IT security. Add in the risk of RaaS, increasing attack surfaces, and hybrid work, and it’s clear that companies need defensive strategies capable of finding, detecting, and defeating ransomware attacks no matter what form they take and no matter what vector they use.

Ready to ramp up your ransomware defense? Click here and see how Red Seal can help.

State and Local Cybersecurity Threats in 2021: Weathering the Storm

Recent pandemic pressures have created the perfect storm for state and local cybersecurity breaches. With some staff still working from home, state and local agencies face the challenge of deploying defense at a distance over networks, connections, and applications that are often insecure, unencrypted, and in many cases unapproved. What’s more, ransomware has surged — a significant problem since less than 40 percent of state and local staff members have received training on how to prevent cyberattacks.

The result is an increasing volume of local and state government cybersecurity threats, which are occurring across the country. For example, GovTech reported that an issue with third-party software exposed more than 38 million health records across states, including Texas, Indiana, Maryland, and New York. Another case reported by Healthcare IT News detailed a smaller-scale breach in California caused by a single employee that occurred over ten months and exposed both patient and employee data.

With hybrid work here to stay and cyberattacks on the rise, government organizations need to improve cybersecurity practices. They must focus on protecting against breaches that can compromise data, impair operations, and cause significant expenses.

Identifying the Biggest Barriers in Effective Defense

Before agencies can deploy better cybersecurity measures, they must identify critical vulnerabilities and threat vectors. And while every state and local government faces unique data handling and security challenges, three barriers to effective defense are common: visibility, accessibility, and resiliency.

Visibility

Traditionally, state and local governments have been behind the curve when it comes to technology adoption. As noted by research firm Deloitte, however, evolving citizen expectations around access and ease of use “will require uprooting outdated systems and practices and replacing them with new models.” As a result, agencies are now looking to expand their agility to streamline service availability and improve collaboration. To meet these goals, many have integrated and deployed cloud-based software, platforms, and infrastructure.

While these solutions offer improved agility and efficiency, they introduce significant new security risks. IT teams can not keep track of every app and service in use, which reduces visibility while simultaneously expanding the total attack surface.

Accessibility

For most state and local governments, the problem here isn’t too little access for employees that require it — it’s too much for those that don’t. One common example of excessive access occurs when staff complete one project and move to another. In many cases, their existing permissions aren’t revoked. Instead, new access is simply layered on top of the old, which creates a security risk. And with insider threats often more challenging to detect than their external counterparts, it’s now critical for agencies to identify, control, and correct for excessive access.

Resiliency

Most state and local governments have familiar security controls such as firewalls and antivirus scanners in place to catch potential threats. However, many lack the tools and tactics required to remediate issues when they occur, mitigate the amount of damage done and get services back up and running.

The result is IT environments that are primed to respond but struggle with resiliency. To effectively manage evolving threat landscapes, state and local governments need security plans and policies covering all aspects of an attack — from initial compromise to identification, isolation, remediation, and restoration.

Exploring the Issue of State and Local Breaches

So what do these breaches look like in practice? Let’s explore the impact of three recent scenarios.

1) New York State, January 2020

In January 2020, New York state officials found themselves up against a massive cyberattack that disabled access to databases used by the state’s civil service, environmental department, and police force. Likely the work of foreign actors, the hack went unreported for months, even as officials looked to restore critical access.

As noted by Security Today, the state received word about a potential flaw — and available patch — for its Citrix-based systems in December 2019. Unfortunately, the state did not install the patch in time to prevent the issue. As a consequence, more than 80,000 state devices were vulnerable to malware compromise. While it appears attackers didn’t access any citizen data, the state had to cover the costs of a three-week forensic investigation of more than 40 servers.

2) Multiple Municipalities, June 2021

Local government cybersecurity teams often look to save time and money by using the same services as other municipalities. It makes sense: They’ve been proven to work with government systems and generally have a track record for reliability.

However, if service providers become compromised, the results can be far-reaching. As reported by ZDNet, that’s what happened across dozens of municipalities in the US when a Massachusetts software provider used misconfigured Amazon S3 buckets. As a result, more than 1,000 gigabytes (GB) of data and 1.6 million files were exposed. Compromised data included email addresses, physical addresses, and driver’s license information, along with deed and tax records.

3) Oldsmar, Florida, February 2021

A cyberattack on Oldsmar, Florida in 2021 didn’t compromise data access or expose files. Instead, it nearly poisoned the town’s 15,000 residents. On February 5th, a plant operator at the local water treatment facility received an alert that someone had gained remote system access. The attacker opened multiple applications and services and then increased the concentration of sodium hydroxide — also called lye — to 100 times its normal level. Fortunately, operators were able to retake control and cancel the change quickly and prevent disastrous consequences.

Grant Funding for State and Local Governments

The good news is some new help is on the horizon for local and state government cybersecurity, thanks to the $1.2 trillion infrastructure package. The plan includes $1 billion in cybersecurity grants to help local and state governments boost their defense. If approved, the new program would offer $200 million worth of grants in 2022, $400 million in 2023, $300 million in 2024, and $100 million in 2025. In addition, the plan funds creation of a response and recovery fund at the Cyber and Infrastructure Security Agency (CISA), which would give an additional boost to cybersecurity efforts.

Mitigating the Impact of Cybersecurity Threats

Mitigating the impact of local and state cybersecurity threats depends on a strategy of defense in depth. In practice, this requires a three-step approach: Identification, evaluation, and implementation.

Identification focuses on finding potential threats in current cyber defenses — such as those tied to open source software, authorized apps, excessive access, and unintended exposure to the Internet. Evaluation includes internal and external assessment of existing security policies to see what’s working, what isn’t, and what vulnerabilities state and local governments need to prioritize. Finally, implementation looks to deploy security solutions that directly address key concerns, such as comprehensive cloud security services that provide visibility into public, private, and hybrid stacks simultaneously to empower threat detection and response.

Battening Down the Hatches

State and local governments now face a trifecta of security challenges: remote work, ransomware, and worker education. The combination creates ideal circumstances for malicious actors. By taking advantage of ideal compromise conditions, attackers can breach government networks, access critical services, and exfiltrate citizens’ data.

The result is a growing need to batten down the digital hatches by creating and implementing an in-depth strategy to help build robust, reliable, and resilient security infrastructure. To prevent risks and a host of unwanted outcomes, state and local governments need to prioritize cybersecurity.

Ready to boost cyber resiliency and better weather the storm? Click here to see a demo of RedSeal’s cloud security solution in action.

Join us!

Hear from Shannon Lawson, CISO, City of Phoenix, how the state and local agency leaned toward hardening their environment from attacks, recognized exposures, secured infrastructures, mitigated risks, and stayed compliant. The live webinar is January 18, 2022. Register now and don’t miss out!

Petya: Recommendations for defense and remediation

The CyberWire | June 29, 2017

What can enterprises do, now, to protect themselves against Petya and the other, similar attacks soon to follow? This won’t be a one-time thing: WannaCry wasn’t, and it’s reasonable to expect fresh ransomware campaigns to keep coming, hard and fast. The attackers get a good return on investment from repurposing tools and exploits. There’s no reason to expect them to stop.

For your coverage of Petya, Ray Rothrock, CEO of RedSeal, said in an email, “It’s happening again. This time in a slightly different form and name, but it’s the same. A new strain of Petya malware is going after unpatched Windows systems via EternalBlue, the same stolen NSA tool exploited by WannaCry.”