Local Cyber Experts Weigh In on Top Threats and Tips for Keeping Employees Aware
By Angela Blue
Phyllis Matthews*, an accounting manager in Newport News, received an email from a client she’d just been corresponding with the day prior. The subject line read, “Re: charge on my credit card” and, since she deals with charges and invoices daily, she opened the email.
A dialogue box appeared on her screen with the message, “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?”
It didn’t matter which option (yes or no) Matthews selected; by that point the malicious document had already run its payload, which began encrypting her Microsoft Office files. Matthews uses Microsoft Excel daily to track expenses, employee hours and more, so losing access to those files made it impossible to do her job. And every additional file she opened was another file lost.
Then came the ransom note, telling her that her files had been encrypted and that she could recover them by paying 1,000 bitcoins. (At the time, one bitcoin was worth $3,849.09, so the demand came to $3,849,090.) She was given 30 days.
Upon closer inspection of the malicious email, Matthews realized it hadn’t come from the person she thought it did. The first name was the same, but a letter in the last name had been changed.
Matthews immediately contacted her company’s IT department. After a week, they were able to locate the encryption key and prevent any further corruption from happening, but the documents that Matthews had already opened were gone forever.
The experience has taught her to be more vigilant in inspecting emails before she opens them, but it’s also made her skeptical. “I don’t want to open anything anymore,” she says. “In that way, it’s scary.”
*Name has been changed.
Not If But When
Situations like this are becoming more frequent.
“In recent years, cyberattacks have become more common, sophisticated and harmful,” says Dr. Hongyi Wu, Batten chair for cybersecurity at Old Dominion University and director of the Center for Cybersecurity Education and Research. He adds that 2017 was ‘a record year for stolen data,’ according to digital security provider Gemalto, which reports 1,765 data breaches in 2017 with a total of 2,600,968,280 compromised data records.
Stephanie Butts, executive director of the Institute for Cybersecurity at Regent University, acknowledges how familiar the following phrase has become when discussing cyberattacks: It’s not a matter of if but when.
“There’s no such thing as a 100 percent secured environment, computer or system,” she states. “It just doesn’t exist. The goal in cybersecurity, always, is to bring yourself to an acceptable level of risk,” she continues. “Know what’s important to have lighter or tighter security controls on in order to determine your acceptable level of risk and availability if a cyber breach were to occur.”
What are the most common trends in cyberattacks occurring right now? Ransomware continues to climb, as do software supply chain attacks (compromising software during development or at the point it is distributed, so that a trusted update or component delivers the attacker’s code). But the most common form of cyberattack is phishing.
“Adversaries are getting more sophisticated, culturally, about how they fashion phishing emails,” Butts says. “Phishing scams often contain odd characters in the email address or grammatical errors. Employees get so busy in their daily work that they become a bit complacent in looking to make sure that it’s legitimate.”
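The email in the opening story carried a sender address that differed from the real client’s by a single letter of the surname, the pattern Butts describes. The following is an added example, not code from the article or from any of the organizations quoted in it, of the kind of check a mail gateway or a desk-side script can run against the From: header before a busy employee ever sees the message. The address book and the sample headers are constructed for the demonstration; the edit-distance threshold of two is an assumption you would tune for your own contact list.

```python
"""Flag From: addresses that impersonate a known contact.

Added example for this article; the address book below is constructed.
"""
from email.utils import parseaddr

# Constructed address book of known correspondents (display name -> address).
KNOWN_CONTACTS = {
    "Dana Carver": "dana.carver@harborlineaccounting.com",
    "Lee Okafor": "lee.okafor@tidewaterfreight.com",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete or substitute one char)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, contacts=KNOWN_CONTACTS, max_distance: int = 2) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the value of a From: header.

    'lookalike' covers three impersonation patterns:
      * same domain, local part within `max_distance` edits of a known one
        (the one-letter-off surname from the article);
      * same local part, domain within `max_distance` edits (typosquatted domain);
      * display name of a known contact on an address not in the address book.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    known_addrs = {a.lower() for a in contacts.values()}
    if addr in known_addrs:
        return "known"
    for name, known in contacts.items():
        klocal, _, kdomain = known.lower().rpartition("@")
        if domain == kdomain and levenshtein(local, klocal) <= max_distance:
            return "lookalike"
        if local == klocal and levenshtein(domain, kdomain) <= max_distance:
            return "lookalike"
        if display and display.strip().lower() == name.lower():
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed headers: the genuine client, the one-letter swap, and a stranger.
    for hdr in (
        "Dana Carver <dana.carver@harborlineaccounting.com>",
        "Dana Carver <dana.carvar@harborlineaccounting.com>",
        "Pat Nguyen <pat@example.org>",
    ):
        print(f"{classify_sender(hdr):10s} {hdr}")
```

A "lookalike" verdict is a reason to quarantine or to warn the recipient, not proof of an attack; the same check will also catch a colleague who genuinely changed mailboxes, which is why the article’s advice to phone IT (or the supposed sender) before clicking is the right follow-up.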
Industries At Risk
Butts says the state of cybersecurity right now is that cyber criminals will steal an estimated 33 billion records in 2023, with half of those breaches occurring in the United States. “The impact to the global economy with cyber crime is about $450 billion with $100 billion of that in the U.S. alone.” She says the U.S. is number one in targeted attacks because we have a rich economy.
There are specific industries and businesses in Coastal Virginia that make our region especially vulnerable to attack, including defense, finance, government, healthcare, transportation and manufacturing. Wu lists some of the largest targets: “Naval Station Norfolk, the world’s largest naval station; Newport News Shipbuilding, the only U.S. shipyard that currently builds and refuels nuclear aircraft carriers; Port of Virginia, the fastest growing port on the East Coast; Langley Air Force Base; NASA Langley Research Center; and numerous federal facilities, as well as 164 international businesses representing 28 countries, many of which are defense contracting.”
Wu explains that this significant infrastructure represents a mosaic of assets and makes Coastal Virginia an increasingly attractive target and, accordingly, particularly vulnerable to cyberattacks. “The need for a large, competent cybersecurity workforce in this region is pressing,” he says.
“Attackers are trying to steal personal data—banking industry, healthcare industry—or trying to disrupt the economy, so attacking the nation’s critical infrastructure,” Butts explains. “These are like the power grids, the water dams, the rail system, the transportation systems. All of that has an economic impact, not just to the Hampton Roads area, but we do a lot of import/export by various methodologies, so something very serious could buckle or cripple this area that could lead to a larger economic problem.”
Kevin Esser, executive vice president and chief business officer with G2 Ops, a Virginia Beach-based cyber and IT company, lists finance and healthcare industries as being at risk. “Any organization that is responsible for financial transactions, storage of money, record keeping related to wealth management are targets,” he shares. “The healthcare industry has been notoriously poor at protecting patient information. Healthcare organizations have financial information, but they also have medical record information. They have information on historical information that’s of value to people—all the places you’ve lived or worked, your insurance information, which opens a whole other portal of information.”
As devastating as a cyberattack can be on a large corporation, it can be catastrophic for a small business. Butts notes that 60 percent of small companies that suffer a cyberattack are out of business within six months.
“The human element in cybersecurity is often the greatest one,” Butts shares. Information can easily be compromised from a disgruntled employee seeking to harm the company as well as from an employee who accidentally clicks a bad link or opens a malicious email.
“A phishing email or getting someone to go to what’s called the ‘watering hole’ to download a bad application, all of those things feed on poor user habits,” Esser explains. “There are ways for a hacker to get around common cybersecurity defenses, and that’s why they’re so effective and why they continue to climb in popularity.”
Butts warns against common practices that can lead to decreased cybersecurity. “Don’t share your password, don’t put in CDs, don’t use a thumb drive. If you get an email that says, click on this link, call IT. Train the behavior of people, and that changes a culture.”
“Good cyber hygiene has got to become a core part of how we educate people,” Esser says. “This is only going to become a more sophisticated and complex problem. It doesn’t get any easier; it only gets harder.”
One option for determining how versed employees are in cybersecurity is hiring a vendor to create a mock phishing scam only for employees in the company. “It’s harmless, but it gives you a baseline of how aware your culture is in your organization,” Butts explains. If 50 percent of the organization falls for it by clicking the link, the goal would be to start educating employees to reduce the percentage and simultaneously reduce the company’s risk. Education can start with targeted cybersecurity lunch and learns where experts can discuss various risks prevalent in the industry. “Teach your people not to be an enabler,” Butts advises.
Being Proactive, Not Reactive
“The defender has to be perfect,” Esser says. “The hacker only has to find one flaw.”
A common mistake business owners make with their company’s cybersecurity protection is not having a strategic plan. For some, “cybersecurity is either non-existent or it’s compliance focused only,” Butts says. “Sometimes organizations get basic compliance and they only do the bare minimum or they’re not doing it at all. At the end of the day, they don’t operationalize cybersecurity the way that they operationalize the rest of the business.”
She says business owners must consider how their business operates, what’s important to their company, what data flows, what information streams and what revenue is critical so that they can protect the things that matter.
Another important step is communicating with the IT department, ensuring they are trained to respond to a cyberattack. “A lot of companies are very reactive, but proactive equals prevention,” Butts says.
“Growing up in school, we all had fire drills. You learned what to do in certain situations,” Esser says. He suggests the same steps should be taken for cyberattack drills.
Butts agrees. “If businesses run through tabletop exercises as though they were breached and integrate the legal team, auditing team or their public relations team, digital forensics and the IT team, they have a better response for if and when something does happen so that they don’t lose public or consumer trust or even stakeholder investments.”
At the base of it all, Butts says, business owners should understand their company’s risks and employ people who are trained and able to demonstrate their proficiencies. “When you do that and you operationalize cybersecurity, that gives you a really robust program,” she says, adding that the next step is proper training. “Every person in an organization or a business, no matter what their role is, has a part in making sure that they protect the business’s data.”
Investing In Protection
“You kind of have to assume that there’s going to be a successful attack at some point” Esser says. “Organizations don’t have enough money to protect everything at the same level, so you have to identify what’s most important and prioritize your investment there.”
When hiring an outside organization to manage a business’s cybersecurity, Esser says it’s important to find an organization that will take the time to understand how the business operates so that they can apply the right cybersecurity posture. “What does their architecture look like, and why does it look that way? Do they have local storage? Do they have point of sales systems? Do they have supply chain dependencies?” All of these questions are critical.
“At the end of the day, you are trying to drive up the cost to the adversary beyond what he’s willing to spend so that he moves on to the next guy,” Esser explains. “That’s really what it comes down to. Don’t be the next guy.”
Kevin Esser remembers a call G2 Ops received from a local company after an employee noticed their apps behaving in a way they didn’t understand. “Emails were disappearing, there were new folders in their online accounts, they were missing data,” he recalls.
Their team found that the employee’s password had been compromised and used to access the employer systems. “It was at that point that we said, ‘OK, is this password common with anything else that you use?’ And the employee said, ‘Yeah, I use the same password for everything’” which included credit cards, banking accounts, social media, business and personal email accounts, etc.
Password reuse is common, and it is exactly what attackers count on: once one site’s credentials leak, the same username and password are replayed against every other service that user has, or, in businesses where staff share a password, against every account in the company.
The safest practice is a different password for every single account. Hard to remember all that, right? “The issue with passwords is you have to find that balance between complexity and reasonable use,” Esser says. Here are some options our cyber experts suggest for choosing passwords that are difficult to crack but easy to keep track of.
Diceware is a methodology that relies on a set of word libraries. The user rolls five dice (or rolls one die five times) and reads the dice from left to right. Each five-digit number corresponds to a word in a Diceware list (available for downloading online). Users then determine how many words they want to use as their passphrase (five is decent; nine is better) and keep rolling the dice, generating a new word each time, until they’ve reached their optimal number, then their password is that grouping of words.
Memory Phrase is the method that Wu prefers, which he outlines in four points: 1. Choose a sentence that is easy to remember, such as, “My best friends include John, Maria, Kenneth, Emma, Austin and 2 birds.” 2. Use the first letters of the words for your password: MbfiJ,M,K,E,Aa2b. 3. It should have at least 12 characters. 4. It should include uppercase and lowercase letters, numbers and symbols.
Password Safe is an application that allows users to save a whole series of passwords that are randomly generated and extremely complex. “This is the key thing—you have to have one really long, really strong password,” Esser says. That password is used to protect the Password Safe application, which generates unique, complex passwords for every account that they use. “You’re using complex, very difficult passwords that are not related to you personally in any way,” Esser says, “and they’re all unique.”
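To make the Diceware and Memory Phrase methods concrete, here is an added example that is not code from the article, from the Diceware project or from Password Safe. It rolls the five dice with a cryptographic random source, looks each five-digit key up in a word list, reports how much entropy a five- or nine-word passphrase actually carries, derives Wu’s first-letter password from a sentence, and checks the length and character-class rules. The tiny word-list excerpt and the dense stand-in table are constructed for the demonstration; a real Diceware list has 7,776 entries, one for every key from 11111 to 66666.

```python
"""Diceware and memory-phrase helpers.

Added example for this article. The word lists here are constructed stand-ins.
"""
import itertools
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in a full Diceware list

# Constructed excerpt showing the 'key<tab>word' format of a published list.
SAMPLE_LIST_TEXT = """11111\tabacus
11112\tabdomen
11113\tabide
66666\tzoom
"""


def roll_key() -> str:
    """Roll five dice with a CSPRNG and read them left to right, e.g. '43152'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def load_diceware(text: str) -> dict:
    """Parse 'key<tab>word' lines into a lookup table, ignoring malformed lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 5 and set(parts[0]) <= set("123456"):
            table[parts[0]] = parts[1]
    return table


def demo_table() -> dict:
    """Constructed stand-in for a full list: one synthetic word per key, so every roll hits."""
    keys = ("".join(p) for p in itertools.product("123456", repeat=5))
    return {k: "w" + k for k in keys}


def diceware_passphrase(table: dict, words: int = 5) -> str:
    """Keep rolling until `words` entries are drawn; a key absent from the table is re-rolled.

    With a complete 7,776-word list every roll hits; the re-roll only matters for
    the sparse sample excerpt above.
    """
    chosen = []
    while len(chosen) < words:
        key = roll_key()
        if key in table:
            chosen.append(table[key])
    return " ".join(chosen)


def diceware_entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a uniformly drawn passphrase: words * log2(list_size) bits."""
    return words * math.log2(list_size)


def memory_phrase_password(sentence: str) -> str:
    """Wu's rule: first character of every word, keeping attached punctuation as symbols.

    Commas stay (they are the symbols in the article's example); full stops are dropped,
    which is how the sentence in the article yields MbfiJ,M,K,E,Aa2b.
    """
    parts = []
    for token in sentence.split():
        parts.append(token[0])
        parts.append("".join(c for c in token[1:] if not c.isalnum() and c != "."))
    return "".join(parts)


def meets_policy(password: str, min_length: int = 12) -> bool:
    """Points 3 and 4 of the memory-phrase method: length and all four character classes."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_length and all(classes)


if __name__ == "__main__":
    table = demo_table()
    for n in (5, 9):
        print(f"{n} words: {diceware_passphrase(table, n)}  (~{diceware_entropy_bits(n):.1f} bits)")
    pw = memory_phrase_password("My best friends include John, Maria, Kenneth, Emma, Austin and 2 birds.")
    print(pw, "policy ok" if meets_policy(pw) else "policy FAIL")
```

Two practical notes. First, the entropy figure is honest only for Diceware: five words give about 64.6 bits and nine about 116.3 bits because the words are chosen uniformly from 7,776. A memory-phrase password has whatever unpredictability its sentence has, which is far less than its 16 characters suggest, so never reuse a sentence that has been published (including the one in this article). Second, `meets_policy` only enforces composition rules; it says nothing about whether the password has already appeared in a breach, which is the check a password manager such as Password Safe sidesteps by generating random, unique passwords in the first place.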