Flyfishing in Colorado rivers is a spring/summer delight, whether or not the fish bite. A license for in-state residents (of a certain age) is equivalent to two venti lattes, and practicing wrist-flicks is a pleasant relief from tapping a keyboard. ’Tis the season for fishing tournaments for those seeking a monetary return on investments in gear. The entry-level cost for the new angler is in the $300 to $500 range—about what a hacker could expect to pay for phishing and ransomware kits, and less than the going rate for engaging a RaaS (ransomware-as-a-service) agent.
The Colonial Pipeline ransomware attack startled businesses and individual consumers by revealing just how interdependent our supply chains have become. As individuals, we might not think of ourselves as vulnerable to supply chain disruptions (Covid-related toilet paper shortages are easily forgotten), but manufacturing companies are frequently reminded that their net revenue can be seriously compromised. Ransomware—more typically the product of a preliminary social engineering attack than of a sophisticated network attack—results in the encryption and/or exfiltration (theft) of corporate data, followed by a demand to pay for the decryption key needed to “release” the data and make it available again. Potential collateral damage includes a decryption key that does not work, loss of data (some ransomware destroys rather than encrypts files), or the posting of stolen company-proprietary data to a public-facing website.
With ransomware activity on the rise (2020 saw a 150% increase over 2019) and ransom payments following suit (2020 saw a 300% increase over 2019), what are the steps a manufacturer should take to be (1) less attractive to attackers and (2) less beholden to attacker demands?
Tips for Avoiding Capture
- Use camouflage. Change default settings and passwords for all systems like routers, switches, and equipment. Deactivate chatty or inquisitive protocols like geo-tracking or Bluetooth (except when really needed). Require unpredictable/unguessable passwords that are long (at least 12 characters), not shared, and unique to each individual account.
- Know your stream. Articulate and deploy a comprehensive system security plan (SSP). Components of the plan should include an information asset inventory that describes devices, equipment, personnel, and physical access components—and who has control over what; a network diagram that describes how information flows into, throughout, and out of the organization (including supply chain partners and IT service providers); and a business impact risk analysis that captures the priorities associated with system elements. The latter should include an understanding of what the organization must have to survive and how long it can survive without a particular asset.
- Map an escape route. Define, communicate, and practice an incident response plan (IRP) that incorporates detection, evaluation, and reporting techniques as contained in NIST SP 800-61r2.
- Identify artificial lures. Train your employees to recognize phishing or other social engineering attack efforts.
- Avoid angling hotspots. Protect your company and its employees from phishing danger zones by limiting software downloading (using whitelist or blacklist controls) and configuring firewalls and routers to deny traffic by default and allow by exception.
Tips for Getting Away (without paying)
- Don’t take the bait. The FBI and others recommend that companies “just say no” to ransomware demands. Paying rewards bad behavior and can make the company appear vulnerable to further attacks. That being said, there are circumstances in which payment is deemed necessary to promote social welfare (as in the case of hospitals and Colonial’s $4.4M ransom payment).
- Limit your weight. Security experts predict that any given company will likely be attacked. Reduce the impact of a theft by encrypting key, company-proprietary information so that it is not usable or attractive to attackers. Let would-be ransom collectors know that the cost of capture is not worth the presumed payoff.
- Shake off the hook. Use early detection (whether based on policy, process, or technology) to identify anomalous system performance and contain an attack before the loss or encryption of data spreads throughout the organization.
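One way to put the early-detection tip into practice, as an added example that is not from the original article: a short Python check over constructed file-activity log lines (the log format, host names, paths and the KNOWN_EXTS baseline are all assumptions) that flags a host where many files are rewritten onto one unfamiliar extension within a minute, so it can be isolated before encryption spreads across the share.

```python
"""Added example (not from the original article): a heuristic early-detection
check that flags a burst of writes/renames onto one new, unfamiliar file
extension, the trace an encrypting ransomware leaves while it spreads."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

WINDOW = timedelta(seconds=60)   # burst window to examine
THRESHOLD = 5                    # distinct files hit within one window
KNOWN_EXTS = {".xlsx", ".docx", ".pdf", ".txt", ".csv"}  # assumed baseline

# Constructed sample log, one event per line: "ts host user ACTION path [-> new]"
SAMPLE_LOG = """\
2024-05-01T09:00:01 ws-12 alice WRITE /share/finance/q1.xlsx
2024-05-01T09:00:09 ws-12 alice WRITE /share/finance/q1.xlsx.bak
2024-05-01T09:02:10 ws-07 bob RENAME /share/eng/spec.docx -> /share/eng/spec.docx.locked
2024-05-01T09:02:11 ws-07 bob RENAME /share/eng/plan.xlsx -> /share/eng/plan.xlsx.locked
2024-05-01T09:02:12 ws-07 bob RENAME /share/eng/notes.txt -> /share/eng/notes.txt.locked
2024-05-01T09:02:14 ws-07 bob RENAME /share/hr/roster.csv -> /share/hr/roster.csv.locked
2024-05-01T09:02:15 ws-07 bob RENAME /share/hr/policy.pdf -> /share/hr/policy.pdf.locked
"""

def parse_line(line):
    """Split one log line; for a rename the path of interest is the new name."""
    ts, host, user, action, rest = line.split(maxsplit=4)
    old, _, new = rest.partition(" -> ")
    return datetime.fromisoformat(ts), host, user, action, (new or old).strip()

def detect_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (host, user, ext, file_count, dir_count) for each suspicious burst."""
    events = defaultdict(list)           # (host, user, ext) -> [(ts, path)]
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, user, action, path = parse_line(line)
        ext = PurePosixPath(path).suffix.lower()
        if action in ("WRITE", "RENAME") and ext and ext not in KNOWN_EXTS:
            events[(host, user, ext)].append((ts, path))
    alerts = []
    for (host, user, ext), evs in events.items():
        evs.sort()
        best, start = set(), 0           # largest file set seen in any one window
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            files = {p for _, p in evs[start:end + 1]}
            if len(files) > len(best):
                best = files
        if len(best) >= threshold:
            dirs = {str(PurePosixPath(p).parent) for p in best}
            alerts.append((host, user, ext, len(best), len(dirs)))
    return alerts
```

A real deployment would feed it events from a file-server audit log or endpoint sensor and tune WINDOW, THRESHOLD and the baseline extensions to the environment; the single .bak write on ws-12 stays below the threshold, while the five .locked renames from ws-07 trigger an alert.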
Manufacturers are susceptible to attack. The industry sector, as a whole, ranks second or third as a hacking target. By integrating object lessons gleaned from those who share their phishing tales into solid security improvement plans, however, manufacturers can count themselves among the ones who got away.