Government cybersecurity has been a concern for decades, especially at the federal level. The attention it has received in the past few months, however, is an order of magnitude higher than in recent history. Recent cybersecurity threats (on two different fronts) have managed to capture much of the attention not devoted to pandemic response.
The first attack was the Russia-backed SolarWinds hack that was first detected by FireEye in late 2020. This has since been revealed as the most expansive government network breach in history. At least nine federal agencies were breached, including the Departments of Treasury, State, Commerce, Energy and Homeland Security. Private companies were also not spared; major providers of hardware to the government had their networks breached, and some of Microsoft’s source code was stolen. The attack was so vast that we’ll likely never know its full impact.
While SolarWinds captured plenty of attention in DC, it was the Colonial Pipeline attack that got the public’s attention. That attack shut down a pipeline supplying nearly half of all gasoline to many eastern US states for several days, leading to panic buying and eventual outages at gas stations across seven states.
Part of what made this ransomware attack so jarring is that, had the pipeline stayed open, the ransomware attack itself would have been a non-story. Colonial isn’t an unusually large (or small) target for ransomware, and the $5 million ransom they paid wasn’t an unusually large sum. Ransomware is now so prevalent that major infrastructure providers are becoming collateral damage. The hacking group who shut down Colonial’s network claimed they didn’t intend to “[create] problems for society” and has since gone into hiding.
A New Type of Threat
The SolarWinds attack is a great example of how state-sponsored hacking groups are still taking advantage of software and network configuration flaws to steal sensitive government data. But for government agencies, the Colonial hack represents a new and even bigger threat. The Colonial Pipeline attack didn’t need a government sponsor, because it was highly profitable. And after laying low for a while, the perpetrators will likely reinvest those profits into malware development so they can breach more victim networks.
Unlike government-sponsored hackers, profit-motivated hackers aren’t aiming to transfer stolen data to an adversary’s network for analysis and safekeeping. When profit-motivated hackers breach agency networks (as they have many times in 2021 already) agencies are treated just like any other target.
When agencies don’t pay, the hackers make money by selling the data to the highest bidders – many of whom are trying to find a way to make money off of the data themselves. Sometimes they’ll also make the stolen data publicly available to “encourage” future targets to pay the ransom. In these cases, hackers will selectively leak data that exposes PII, uncovers internal investigations and creates scandals.
And, of course, paying a ransom doesn’t guarantee anything. There’s nothing to keep hackers from retaining, leaking or selling the data even if they’re paid.
US adversaries can still acquire data stolen in a profit-motivated hack by buying the data from the hackers, stealing it from the hackers, or getting lucky and receiving it for free. But unlike a state-sponsored attack, there’s no telling how many other bad actors gain access to the stolen data over its lifecycle.
If You Can Protect Yourself, Protect Yourself
Of course, agency IT teams are bearing the brunt of this new reality, working overtime to protect agencies in a fast-changing threat landscape. The odds are high that they’re in charge of many network security policies, like how often passwords must be changed on the agency network and whether any physical authentication is required to log on to agency machines.
But that doesn’t mean you can’t help defend your investigative agency’s data, too. In fact, some of the best security measures rely on individual employees to protect their own credentials. Here are five ways your agency employees can defend themselves from many of the attacks in use today by both state-sponsored hacking groups and profit-seeking hackers.
#1 – Always Enable MFA
Most malware attacks can be prevented by requiring multi-factor authentication (MFA). This is a fancy name for the six-digit codes that you receive on your smartphone when you log in to an account. That code confirms that it’s really you attempting to log in, not someone else using your stolen credentials. Even if hackers manage to acquire a user’s username and password, they’re not likely to also have access to that user’s phone, so the attempted login is blocked.
Most government agencies have implemented MFA for as many system logins as they can. Many have made MFA mandatory. Unfortunately, hackers need to find only one user (on one system) not using MFA in order for them to gain a foothold – and once they’re in the network, they can spend months working to gain wider access.
Block any users who don’t have MFA enabled on each system that allows this option. And if you have any software that can’t do this, it’s time to start thinking about replacing it.
#2 – Don’t Use the Same Password on Two Accounts
One of the riskiest cybersecurity mistakes that many people make is using an identical (or nearly identical) password across all their accounts.
When a website with millions of users is breached (which happens, at a minimum, several times each year) a list of that website’s user credentials eventually ends up on the dark web. Most of these hacks don’t include credit card data. In fact, most users haven’t even given their credit card number to companies like Yahoo, Quora or MyHeritage.
But hackers still buy the lists of usernames and passwords. They buy them because they can attempt to use those credentials at websites that do have credit card numbers. People re-use passwords so frequently that those same username and password combinations will provide hackers with access to bank accounts, email providers and employer networks.
One way to address this is by subscribing to a dark web monitoring product, which compares usernames and passwords on your domain against those on dark web lists to ensure there’s no overlap. When this software detects a compromised password that’s still in use, it can alert system administrators and users that they need to change that password immediately.
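The comparison such a monitoring product performs can be done without ever handling or transmitting plaintext passwords. The following is an added example, not code from the original post or from any vendor: it hashes each account’s password at set time, queries a constructed breach corpus by the first five hex characters of the SHA-1 (the k-anonymity “range” layout used by public breached-password services), completes the match locally, and also flags accounts that share one hash, which is the password reuse the section warns about. All account names, passwords and breach counts are constructed sample data.

```python
import hashlib
from typing import Dict, List, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest; breach corpora are keyed on this hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: 5-char hash prefix -> [(35-char suffix, times seen)].
# Built from plaintext here only so the sample is self-contained.
_LEAKED_SAMPLE = {"Summer2021!": 3, "password1": 9_000_000, "qwerty123": 500_000}
BREACH_CORPUS: Dict[str, List[Tuple[str, int]]] = {}
for _pw, _seen in _LEAKED_SAMPLE.items():
    _h = sha1_hex(_pw)
    BREACH_CORPUS.setdefault(_h[:5], []).append((_h[5:], _seen))


def range_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Stand-in for the remote range query: only the 5-char prefix is disclosed."""
    return BREACH_CORPUS.get(prefix.upper(), [])


def breach_count(password_sha1: str) -> int:
    """How often this password hash appears in the corpus (0 = not seen)."""
    h = password_sha1.upper()
    for suffix, seen in range_lookup(h[:5]):
        if suffix == h[5:]:  # the full hash is matched locally, never sent
            return seen
    return 0


def audit(accounts: Dict[str, str]) -> Dict[str, list]:
    """accounts: user -> SHA-1 hex of the current password (hashed at set time).
    Returns users whose password is in the corpus and groups sharing one hash."""
    compromised = sorted(user for user, h in accounts.items() if breach_count(h))
    by_hash: Dict[str, List[str]] = {}
    for user, h in accounts.items():
        by_hash.setdefault(h.upper(), []).append(user)
    reused = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return {"compromised": compromised, "reused": reused}


# Constructed directory snapshot for the agency domain (hashes only).
SAMPLE_ACCOUNTS = {
    "alice": sha1_hex("Summer2021!"),
    "bob": sha1_hex("correct horse battery staple"),
    "carol": sha1_hex("password1"),
    "dave": sha1_hex("Summer2021!"),  # same password as alice: reuse
}

if __name__ == "__main__":
    print(audit(SAMPLE_ACCOUNTS))
```

Each user in `compromised` should be forced to reset; each group in `reused` is a reminder that one leaked site can unlock several accounts on your domain at once.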
The best defense against this threat, however, is to educate users on the dangers of re-using passwords. Even if this doesn’t end up preventing a breach on your network, it can prevent your employees from spending months dealing with their own headache in the form of ID or financial theft.
This is the first of two posts on the importance of cybersecurity. An upcoming post will cover additional ways to protect your investigative team from cyberattacks orchestrated by state and non-state actors.
To learn how CMTS can help your agency close cases more effectively and securely, call us at 855-667-8877 or email us at Team_CMTS@securecasemanagement.com.