Last week, on the Tuesday before Thanksgiving, state auditors released a report detailing "significant risks" within the Baltimore County Public Schools computer network. The next day, the school district was hit with a ransomware attack that shut schools down until Wednesday of this week. Because of the increase in COVID-19 cases, the district had just shifted to online instruction. The ransomware attack put a stop to remote learning and gave more than 115,000 students an extra week off school.
The state auditor's report, released just the day before the attack, details the findings of a review of the district's computer systems conducted between May 2019 and February 2020. One major finding was that 26 publicly accessible servers were located within the district's internal network rather than segregated in a separate, externally facing network segment (a DMZ). That placement increases the risk that anyone who compromises one of the public servers can pivot into the district's internal systems. The report also found that the district did not have adequate protections in place to secure personally identifiable information, had no intrusion detection system in place to catch malicious traffic, and gave students "unnecessary network-level access to administrative servers."
The district has said it is too early to tell whether the attack was related to the vulnerabilities found in the auditor's report. It is certainly possible, though, that the lack of network segmentation made it easier for the ransomware to spread across systems and devices. The district has also not said whether any personally identifiable information was compromised in the attack.
Despite the district's tight lips about the specifics of the attack, it did ask all students and staff to perform a "confidence check" on school-issued devices, which potentially sheds light on some of the details. Specifically, the district is asking students and staff to look for files with the .ryk extension on their devices. That extension points to an increasingly common family of ransomware called Ryuk. Ryuk encrypts data on the machines it reaches within a network, appending .ryk to each encrypted file. That may be a small relief to school officials, given the recent trend toward attackers stealing and leaking sensitive data rather than just encrypting it. However, Ryuk is also infamous for spreading quickly across devices connected to the network and for targeting backups, which makes the state auditor's findings potentially highly relevant to the scope and impact of this attack so far.
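A "confidence check" of the kind the district asked for can be scripted. The block below is an added example, not the district's own procedure or tooling: it walks a directory tree, reports every file whose last extension is .ryk (the extension named in the advisory), and flags directories where most files carry that extension, which is what a folder looks like after it has been encrypted. The sample tree it builds is constructed for the demonstration.

```python
"""Walk a directory tree looking for files carrying the .ryk extension the
district told students and staff to check for, and flag directories where most
files carry it (a sign the whole folder was encrypted). Added example, not the
district's own confidence-check procedure; the sample tree is constructed."""
import os
import tempfile

SUSPECT_EXTENSIONS = {".ryk"}   # extension named in the district's advisory


def scan_for_ransomware_artifacts(root, suspect_exts=SUSPECT_EXTENSIONS, threshold=0.5):
    """Return (hits, encrypted_dirs).

    hits           -- paths whose final extension is in suspect_exts (case-insensitive)
    encrypted_dirs -- directories where at least `threshold` of the files are hits
    """
    hits, encrypted_dirs = [], []
    for dirpath, _subdirs, filenames in os.walk(root):
        suspect = 0
        for filename in filenames:
            # Ryuk appends its extension, so "report.docx.ryk" keeps the original
            # extension in front; splitext only looks at the last one.
            if os.path.splitext(filename)[1].lower() in suspect_exts:
                suspect += 1
                hits.append(os.path.join(dirpath, filename))
        if filenames and suspect / len(filenames) >= threshold:
            encrypted_dirs.append(dirpath)
    return hits, encrypted_dirs


def build_sample_tree(base):
    """Create a constructed mix of clean and 'encrypted' files under base."""
    layout = {
        "clean": ["syllabus.pdf", "grades.xlsx", "notes.txt"],
        "encrypted": ["report.docx.ryk", "budget.xlsx.ryk", "photo.jpg.RYK", "readme.txt"],
        "mixed": ["a.txt", "b.txt", "c.pdf.ryk"],
    }
    for subdir, names in layout.items():
        path = os.path.join(base, subdir)
        os.makedirs(path, exist_ok=True)
        for name in names:
            with open(os.path.join(path, name), "w") as fh:
                fh.write("placeholder content\n")


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return relative results."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        hits, dirs = scan_for_ransomware_artifacts(base)
        rel = lambda p: os.path.relpath(p, base).replace(os.sep, "/")
        return sorted(map(rel, hits)), sorted(map(rel, dirs))


if __name__ == "__main__":
    hits, dirs = run_demo()
    print("suspect files:", *hits, sep="\n  ")
    print("likely encrypted directories:", *dirs, sep="\n  ")
```

Point `scan_for_ransomware_artifacts` at a user's home directory or a file share to run it for real. The directory-level ratio matters more than any single hit: one stray .ryk file could be a false positive, but a folder where three quarters of the files carry the extension has almost certainly been encrypted and should be isolated from the network before anything else is done.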
The ransomware attack on the Baltimore County school district is unfortunately not entirely surprising. In the past few years, attackers have increasingly targeted public agencies and schools. Because public entities often lack the budget or personnel for sophisticated cybersecurity defenses, and because their services are essential for many people, attackers see them as juicy targets for ransomware.
This doesn't mean, however, that public agencies need to be sitting ducks. If the district had had an intrusion detection system in place, for instance, it might have spotted the intrusion before the ransomware was deployed. The fact that students had network access to administrative servers is also a big problem, and one that could be fixed with straightforward network access controls. Lastly, while you can't always prevent these attacks, segmenting networks and devices goes a long way toward limiting the impact of ransomware. Segmentation not only slows the spread of the attack through the network; if backups are routinely tested and stored offline, it can also allow an organization to restore its systems to a pre-attack state without paying a ransom. The attack against the Baltimore County school district is a stark example of the importance of creating not just a cyber-secure but also a cyber-resilient environment.
By now almost everyone has heard about the threat of misinformation within our political system. At this point, fake news is old news. That doesn't mean the threat is any less dangerous. In fact, over the last few years misinformation has spread beyond the political world and into the private sector. From a fake news story claiming that Coca-Cola was recalling Dasani water because of a deadly parasite in the bottles, to false reports that an Xbox killed a teenager, more and more businesses are facing online misinformation about their brands that damages their reputations and financial stability. Businesses may not think to take misinformation attacks into account when evaluating the cyber threat landscape, but it is increasingly clear that misinformation should be a primary concern for organizations. Just as businesses are beginning to understand the importance of being cyber-resilient, they also need policies in place to stay misinformation-resilient. That means taking both a proactive and a reactive stance toward future misinformation attacks.
Perhaps the method of disinformation we are all most familiar with is the use of social media to quickly spread false or sensationalized information about a person or brand. However, disinformation can take a number of other guises. Fraudulent domains, for example, can be used to impersonate companies and misrepresent their brands. Attackers also create copycat sites that look like your website but actually serve malware to visitors. Insiders can weaponize digital tools to settle scores or hurt the company's reputation; the water-cooler rumor mill now plays out in very public and easily shared online spaces. And finally, attackers can create doctored videos called deepfakes, which show public figures saying things on camera they never actually said. You've probably seen deepfakes of politicians like Barack Obama or Nancy Pelosi, but the same technique can be used to impersonate business leadership in videos shared online or circulated among staff.
With all the different ways misinformation attacks can be used against businesses, it's clear organizations need to be prepared to stay resilient in the face of whatever misinformation appears. Here are five steps all organizations should take to build and maintain a misinformation-resilient business:
1. Monitor Social Media and Domains
Employees across various departments of your organization should keep their ears to the ground by closely monitoring for any strange or unusual activity by and about your brand. Your marketing and social media team should regularly review online chatter about the brand and evaluate the veracity of the claims being made, where they originate, and how widely they are being shared.
At the same time, your IT department should continuously look for newly registered domains that mention or closely resemble your brand. It's common for scammers to register lookalike domains that impersonate brands in order to spread false information, phish for private information, or simply seed confusion. The frequency of domain spoofing has skyrocketed this year, as bad actors take advantage of the panic and confusion surrounding the COVID-19 pandemic. When it comes to spotting deepfakes, your IT team should invest in software that can detect whether images and recordings have been altered, bearing in mind that such detectors are not infallible.
Across all departments, your organization needs to keep an eye out for potential misinformation attacks. Departments also need to be in regular communication with each other and with business leadership to evaluate the scope and severity of threats as soon as they appear.
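The domain monitoring described in this step comes down to two checks: generating the spoofs an attacker is likely to register (dropped, swapped, doubled or look-alike characters, hyphenation, a different top-level domain, a "login" or "secure" affix) and comparing each newly registered domain against that list, with an edit-distance fallback for misspellings the generator did not enumerate. The block below is an added example, not code from the original post; the brand name examplebank.com is a placeholder, and the "newly registered" feed is constructed rather than pulled from a real zone file or certificate-transparency log.

```python
"""Generate lookalike (typosquat) candidates for a brand's domain and match them
against a feed of newly registered domains. Added example, not code from the
original post; the feed below is constructed and the brand is a placeholder."""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
TLDS = ("com", "net", "org", "co", "info")
# Words scammers commonly bolt onto a brand to make a phishing domain look plausible.
AFFIXES = ("login", "secure", "support", "covid19")


def lookalike_candidates(domain):
    """Return a set of plausible spoofs of domain (TLD swaps, dropped, swapped,
    doubled and homoglyph-substituted characters, hyphenation, brand affixes)."""
    name, _, tld = domain.lower().partition(".")
    cands = set()
    cands.update(f"{name}.{t}" for t in TLDS if t != tld)
    for i in range(len(name)):
        cands.add(f"{name[:i]}{name[i + 1:]}.{tld}")              # omission
        cands.add(f"{name[:i + 1]}{name[i]}{name[i + 1:]}.{tld}")  # doubled character
        if name[i] in HOMOGLYPHS:                                  # look-alike character
            cands.add(f"{name[:i]}{HOMOGLYPHS[name[i]]}{name[i + 1:]}.{tld}")
        if i < len(name) - 1:                                      # adjacent transposition
            s = list(name)
            s[i], s[i + 1] = s[i + 1], s[i]
            cands.add(f"{''.join(s)}.{tld}")
        if i > 0:                                                  # hyphenation
            cands.add(f"{name[:i]}-{name[i:]}.{tld}")
    for affix in AFFIXES:
        cands.add(f"{name}-{affix}.{tld}")
        cands.add(f"{affix}-{name}.{tld}")
    cands.discard(domain.lower())
    return cands


def levenshtein(a, b):
    """Edit distance, used to catch misspellings the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_suspicious(brand, feed, max_distance=1):
    """Return [(domain, reason)] for feed entries that resemble brand."""
    brand = brand.lower()
    name = brand.partition(".")[0]
    cands = lookalike_candidates(brand)
    flagged = []
    for entry in feed:
        d = entry.strip().lower().rstrip(".")
        if d == brand:
            continue
        dname = d.partition(".")[0]
        if d in cands:
            flagged.append((d, "generated lookalike"))
        elif levenshtein(dname, name) <= max_distance:
            flagged.append((d, "within edit distance"))
        elif name in dname:
            flagged.append((d, "contains brand name"))
    return flagged


BRAND = "examplebank.com"   # placeholder brand, not a real customer
# Constructed sample of "newly registered" domains; a real deployment would
# pull these from a zone-file or certificate-transparency feed.
FEED = [
    "examplebank.com", "exampleb4nk.com", "examplebank-login.com",
    "exmaplebank.com", "examplebank.co", "examplebankk.com",
    "myexamplebank-rewards.net", "exampelbank.com", "exampleban.com",
    "examplebunk.com", "weather-report.org", "pancakes.com",
]

if __name__ == "__main__":
    for domain, reason in find_suspicious(BRAND, FEED):
        print(f"{domain:30} {reason}")
```

Feed this the day's new registrations and route the hits to whoever handles takedowns; the "contains brand name" rule is deliberately broad and will need an allowlist for your own subsidiaries and partners. Nothing here tells you whether a flagged domain is live or serving a phishing page, so treat the output as a work queue for analysts, not as proof of abuse.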
2. Know When You Are Most Vulnerable
Often, the scammers behind misinformation attacks are opportunists. They look for big news stories, moments of transition, or times when investors will be keeping a close eye on an organization, in order to create attacks with the biggest impact. Broadcom's shares plummeted after a fake memorandum purporting to come from the US Department of Defense claimed an acquisition the company was about to make posed a threat to national security. Organizations need to stay vigilant for moments that scammers can take advantage of, and prepare a response to any attack that could arise.
3. Create and Test a Response Plan
We've talked a lot about the importance of having a cybersecurity incident response plan, and the same rule holds for responding to misinformation. Just as with a cyberattack, you shouldn't wait until after an attack has happened to figure out a response. Instead, organizations need to form a team drawn from various levels within the company and create a detailed plan for responding to a misinformation campaign before one actually happens. The team should know what resources will be needed to respond, who internally and externally needs to be notified of the incident, and which team members will handle which aspect of the response.
It's also important not just to create a plan but to test it. Running periodic simulations of a disinformation attack will not only help your team practice their response, but also show you which areas of the response aren't working, what wasn't considered in the initial plan, and what needs to change so that your organization's response runs like clockwork when a real attack hits. Depending on the organization, it may make sense to fold disinformation attacks into the cybersecurity incident response plan or to create a separate plan and team specifically for disinformation.
4. Train Your Employees
Employees throughout the organization should also be trained to understand the risks disinformation poses to the business, and how to spot and report any instances they come across. Employees need to learn to question the images and videos they see, just as they should be wary of links in an email. They should be trained on how to quickly respond internally to disinformation originating from other insiders, such as disgruntled employees, and key personnel need to be trained on how to quickly respond to disinformation in the broader digital space.
5. Act Fast
Putting all of the above steps in place will enable organizations to take swift action against disinformation campaigns. Fake news spreads fast, so organizations need to act just as quickly. Putting your response plan in motion, communicating with your social media followers and stakeholders, and contacting social media platforms to have the disinformation removed all need to happen quickly for your organization to stay ahead of the attack.
It may seem natural to think of cybersecurity and misinformation as two completely separate issues, but more and more businesses are finding that the two are closely intertwined. Phishing attacks rely on disinformation tactics, and fake news uses technical sophistication to make its content more convincing and harder to detect. To stay resilient to misinformation, businesses need to incorporate these issues into the larger conversation about cybersecurity across all levels and departments of the organization. Preparing now and having a response plan in place can make all the difference in maintaining your business's reputation when false information about your brand starts making the rounds online.
As any of us who have lost hundreds of pounds over the years through multiple yo-yo diets will tell you, willpower does not produce lasting change. That's because willpower requires consistently high motivation over time, and motivation is rarely consistent, certainly not over long periods. Willpower is dynamic and episodic. Relying on motivation can perhaps get you started, but it won't keep you on the path.
Security awareness programs that take a punitive approach to digital behavior, essentially declaring that "the beatings will continue until morale improves," are demonstrating the mirror image of change through motivation: change through intimidation. Like motivation, intimidation is not static but dynamic, and it often yields unintended consequences that damage not only the individual but the enterprise.
Instead, work on increasing people's ability to perform the behavior you want. Begin by making it easy to do. Help people feel good about themselves when they do it. Build it into their routine.
If you don’t ask for promises, you won’t get pretense. Instead, you will get results.
The recently announced antitrust suit against Google is not about privacy, per se. It is about leveraging monopoly power to secure a dominant position on mobile devices. One of Google's claims is that it provides a free service to consumers, so there is, in the end, no harm caused by its actions.
In fact, Google is not offering its services for free; it provides its capabilities in return for our information and our behavioral tendencies. That data is pumped into algorithms that predict our behavior, and those predictions are then monetized by selling targeted advertising to third parties.
What will be interesting is how much of this is exposed during the case. Google's use of data has historically been opaque. It will also be interesting to see whether this case opens more eyes to the importance and value of privacy. Are we perfectly happy giving away our privacy in return for free search, or do we have no other choice because Google is so dominant that it permeates our digital worlds whether we want it or not?
In the end, of course, there is no free lunch (or lemonade). The only question is what price we are willing to pay.
Behavioral economics teaches us that we fear immediate losses more than we value future gains. Conversely, we also tend to choose immediate gains over protecting ourselves from future losses, especially when the type of loss is too foreign to us or is ever changing.
We do have available to us a tool that doesn't require much technology to use, yet can perhaps do more to both enhance and protect our organizations than any piece of software or hardware we might own: our imagination.
When things are changing, you can't rely on static measures or processes designed to defend against today's threats. Because the use of technology as a business enabler is ever changing, as is the nature of cyber threats, businesses need to take a dynamic approach to risk mitigation and transfer strategies and constantly imagine both the opportunities and the risks they may face tomorrow.
As a report from UC Berkeley's Center for Long-Term Cybersecurity and Booz Allen Hamilton states, "….failures of cyber defense in some cases — possibly the most important ones — [are] not necessarily a failure of operational rigor but equally or more so a failure of imagination."
There are a number of tangible ways businesses can put imagination to work in addressing the cyber risks they may face. One is an incident response simulation. Get your team around a table. Imagine a ransomware event has occurred. What do you do? Do you pay the ransom? How long will your systems be down? How much business do you stand to lose? Then brainstorm other scenarios, focusing on the ones that could take you out: risks that would shut you down for an extended period or do irreparable harm to your ability to serve your customers or to your reputation.
Not only do these simulations help you be better prepared to respond if such events occur, they also help you better define what risks you face and what defenses to build to mitigate them. They can therefore become the basis for your risk assessment (which, if you are focused simply on compliance, you generally have to do anyway).
We often think of creativity in terms of the innovation and growth that are critical to our long-term success. In the ever-changing world of cyber threats, we need to be equally creative in imagining and addressing the risks that are crucial to our long-term viability.
We do need to make sure we are using strong passwords, but guidance has changed on the need to continually change them. The National Institute of Standards and Technology (NIST), which codifies best-practice cybersecurity controls, has updated its Digital Identity Guidelines (SP 800-63B). Instead of forcing individuals to change their passwords frequently and/or requiring special characters or passwords that amount to gibberish, NIST recommends allowing long passphrases such as "NIST passphrases make passwords easy!", screening new passwords against lists of known-compromised ones, and requiring a change only when there is evidence of compromise. Long passphrases are difficult to crack yet memorable for the user, provided the phrase is not a well-known quotation or song lyric that an attacker's wordlist would already contain.
Still, remember not to reuse a password across sites (a password manager can help you here). Also, enable multi-factor authentication for applications that may hold sensitive information (where you must both key in a password and enter a code from your smartphone, for example).
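What the updated NIST guidance looks like when a verifier enforces it can be shown in a few dozen lines. The block below is an added example, not code from the original post or from NIST: it accepts or rejects a candidate password the way SP 800-63B section 5.1.1.2 describes, checking only length (8 characters minimum for a user-chosen secret, at least 64 accepted), a compromised-password blocklist, repetitive or sequential strings, and context-specific words such as the service or user name, with no composition rules and no expiry clock. The BLOCKLIST is a constructed stand-in for a real breach corpus.

```python
"""Password-acceptance check in the spirit of NIST SP 800-63B (section 5.1.1.2):
length is what counts, no composition rules, no forced rotation, and every new
secret is screened against known-compromised and context-specific values.
Added example, not from the original post; BLOCKLIST is a constructed stand-in
for a real breached-password corpus."""
import unicodedata

MIN_LENGTH = 8    # 800-63B minimum for a user-chosen memorized secret
MAX_LENGTH = 64   # verifiers must accept at least 64 characters

# Constructed stand-in for a breached/common-password list. In production this
# lookup would go against a breach corpus (for example Have I Been Pwned),
# ideally locally or via a k-anonymity range query so the secret never leaves
# the host.
BLOCKLIST = {
    "password", "p@ssw0rd", "123456789", "qwertyuiop", "letmein1",
    "welcome1", "correct horse battery staple",
}


def normalize(secret):
    """NFKC-normalize so visually identical Unicode forms compare equal, as 800-63B advises."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s):
    """'aaaaaaaa', '12345678', 'zyxwvuts': all code points equal or in a straight run."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps <= {0} or steps == {1} or steps == {-1}


def check_password(candidate, context_words=()):
    """Return (accepted, reason).

    context_words are service- or user-specific strings (company name, username)
    that 800-63B says a verifier should reject when they appear in the secret.
    Note what is NOT here: no uppercase/digit/symbol requirements and no expiry
    clock; rotation is triggered only by evidence of compromise.
    """
    secret = normalize(candidate)
    if len(secret) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(secret) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    folded = secret.casefold()
    if folded in BLOCKLIST:
        return False, "appears in breached/common password list"
    if is_repetitive_or_sequential(folded):
        return False, "repetitive or sequential characters"
    for word in context_words:
        if word and word.casefold() in folded:
            return False, f"contains context word {word!r}"
    return True, "accepted"


if __name__ == "__main__":
    samples = ["NIST passphrases make passwords easy!", "P@ssw0rd", "Tr0ub4!", "12345678"]
    for pw in samples:
        print(f"{pw!r:45} -> {check_password(pw, context_words=('acme',))}")
```

The passphrase from the text passes on length alone, while "P@ssw0rd" fails despite satisfying every traditional composition rule, because it is on the blocklist: that is the whole point of the NIST change. Spaces and Unicode are accepted as-is, and the only thing that should ever force a reset is the compromise evidence the blocklist check represents.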