MonthMay 2021

The failures that led to the Colonial Pipeline ransomware attack

An earlier version of this post appeared on CNN

By now, we have all heard about last week’s Colonial Pipeline ransomware attack that caused a shutdown of the 5,500-mile pipeline responsible for carrying fuel from refineries along the Gulf Coast to New Jersey. The disruption led to stranding gasoline supplies across half the East coast, raising gas prices at the pump and to some states preemptively declaring an emergency.

After six days, the company announced the pipeline launched the restart of its operations Wednesday evening and that it’ll take several days for service to return to normal. But Colonial’s information technology (IT) department — and the cybersecurity community as whole — could have ensured this never happened.

The attack was stoppable because ransomware isn’t new. By 2015, ransomware was already leaving a trail of corrupted data from victims all over. The infamous Sony Pictures hack in late 2014 was due to it, and there had already been attacks on a string of hospitals and law firms. In 2016, I wondered if that would be the year of online extortion.

I was wrong because it wasn’t just 2016 — it’s been every year since.

In 2020, nearly 2,400 local governments, health care facilities and schools were victims of ransomware. The average downtime because of it was 21 days, with an average payment of $312,493 — a 171% increase over 2019, according to an analysis by the Institute for Security and Technology.

We cannot afford this. Neither at the gas pump nor as a nation where most are already economically strained.

I also offered a series of suggestions. Fixing the technical problems (by better securing networks and computing systems), improving national and international law enforcement efforts (by centralizing breach reporting, coordinating remediating, strengthening legislation) and fixing the user problem (by applying social science to educate users and improve their cyberhygiene). My hope was to get policy makers and the cybersecurity community to focus on these issues — because it would have stopped this attack from ever happening.

Sadly, the cybersecurity community focused on what they like to focus on — technology.

Like the parable of the man searching for his keys under the streetlight rather than near his car where he’d lost them, the security community’s efforts focused on the hacker’s technical sophistication, the complexity of their malware and the byzantine lines of code they had to rewrite. Their solutions were commensurately complex: more complex encryption algorithms, more granular network monitoring and more layers of software.

At the policy front, late last month, a Ransomware Task Force made up of representatives of technology firms submitted an 81-page report to President Joe Biden. Priority recommendations included the need for aggressive enforcement, establishing cyberresponse and recovery funds and regulating cryptocurrency. But other than creating a national awareness campaign and providing more security awareness training in organizations, there was little proactively called for to protect the primary point of ingression — users.

All of these — be it the technical fixes or the policy recommendations — while pertinent and necessary to adopt, merely stop hackers after they are in the network or prosecute them after the fact.

Ransomware attacks occur because of how easy it is for the attacker to come into a computing network. They do so using spear phishing that deceives users into clicking on a malicious hyperlink or attachment. It’s how almost 50% of all ransomware gets a foothold into networks, according to Verizon’s 2020 Data Breach Investigations Report.

And according to the FBI’s Internet Crime Complaint Center (IC3), the number of phishing attacks doubled in 2020 as more of us work from home, away from organizational IT protections. Hackers stole people’s identity, corrupted data and extorted money — with estimated losses of $4.2 billion.

All this while we tried to fight technology fires after they have raged or strike back with even more technology.

The only way to stop spear phishing, and with it ransomware, is to deal with what we have ignored — or merely paid lip service to — the user. We need more than just media awareness campaigns. Because by now, every user is aware of phishing. Besides, much of our present training teaches users about attacks that have occurred, not the attacks that are yet to come, because no one, not even people in IT, know what they will be.

We need to invert the cybersecurity paradigm. Our policies cannot work from the technology organizations downwards, where standards and policies are created by a software manufacturer, a security company or a federal organization. IT security is not just a technological problem that can be gunned down with bigger technological bullets. It’s a user problem — one that can only be resolved by understanding users, who is at risk, why they are at risk and by helping them reduce it.

This requires us to put users first and work upwards towards solution. We need to apply the social science of users — much of which already exists — towards the problem. We already know the triggers in emails and messages that lead to deception in users. We know how users’ thinking, their cyberrisk beliefs and their technology habits influence spear phishing detection. And we also know how to measure and assess their levels of cyberhygiene.

But what we haven’t done is apply this towards protecting users. We can do this using the accumulated knowledge to build a user risk scoring system. This can work like financial credit score, only for cyberrisk.

Such scores would quantify risk and help users understand their level of vulnerability. It would also help organizations understand what users lack so they can be better protected. For instance, if someone lacks awareness or knowledge in an area, they can be provided this. However, if someone suffers from poor email-use habits, this can be addressed by changing their work patterns and improving their email hygiene.

In this way, policies, protections, even data access can be premised on user risk scores. And because these scores are based on the users’ mental and behavioral patterns, the scores are naturally impervious to changes in technology, making them future-proofed.

While the approach for doing this has been documented, it hasn’t been widely implemented. The reason for it is that the security community, made up mostly of engineers, doesn’t focus on users. For the engineer’s hammers, everything technical is nail. Spear phishing is considered a user problem — an external factor to the security model. And we have suffered the ramifications of this. It is why in 2014 the Sony Pictures hack happened. It is why the Colonial Pipeline hack occurred. And it is why such attacks will continue, until we change the security paradigm.

One of the many lessons of the pandemic is that simple solutions based on sound science work. Even as scientists applied cutting-edge pharmaceutical science to develop vaccines, simple social-behavioral solutions — wearing masks, washing hands, maintaining safe social distances — have been key to stop the spread Covid-19.

If we are lucky, we might just pay a small price at the gas pump because of the Colonial Pipeline ransomware attack. But there’s surely more coming. The social science fix for it already exists. The cybersecurity community must implement it.

The Colonial Pipeline Hack Was Avoidable

The Colonial Pipeline hack is now making the news and many cyber security experts are providing their take on how to recover from it.

Of course, while this attack is new, such attacks aren’t. The Sony Pictures hack was also ransomware. And in 2016, there were many such attacks occurring. In response to them,  I’d written a piece on CNN asking if 2016 was the year of online extortion? This was after ransomware attacks on hospitals in California and Kentucky.

I had provided pointed solutions and called for a focus on users, rather than solely on technology. After all, they are the ingress points for ransomware, which almost always coming via spear phishing.

Unfortunately, every year since 2016 has led to bigger and more successful ransomware heists. The Verizon DBIR 2020 shows exactly how these attacks come in–and they come in through spear phishing.

And all along, we have–and we continue to– ignore user weaknesses and focus on the technical issues—almost always after a crippling breach.

This time, we are all paying a direct price at the gas pumps. Who knows what’s coming next?
The solutions from then are just as pertinent today.  Here’s my article in CNN from 2016. [Original can be found on the CNN website]

 

“This week, a hospital in western Kentucky was the latest organization to fall victim to a “ransomware” attack – a class of malware that encrypts all the files on a computer, only releasing them when a ransom is paid to the hacker holding the encryption key.

In this case, the hospital did not pay up. However, other hospitals, law firms, small businesses and everyday citizens have already paid anywhere from $200 to $10,000 in ransoms. Indeed, based on complaints received between April 2014 and June 2015, the FBI estimated that losses for victims from just one of these malware strains were close to $18 million.

Sadly, this year could well be worse.

Ransomware has existed for some time, the earliest dating back to the late 1980s. Back then, most was developed by enthusiasts – individuals testing out their skills. In contrast, today’s ransomware is often developed by global software teams that are constantly updating their codes to evade anti-virus software and selling them as off-the-shelf products.

Already, newer strains appear capable of infecting mobile devices, of encrypting files stored on cloud servers through mapped, virtual drives on computers, and of transitioning to the “Internet of Things” – infecting gadgets like watches and smart TVs that are going online. In the near future, the likelihood of an attack locking us out of our car, or worse yet in it, while we drive, demanding an immediate ransom, is becoming increasingly possible.

Thanks to the Internet, this malware-for-hire is available to virtually anyone, anywhere with criminal intent. Making things easier for hackers is the availability of Bitcoins, the online currency that makes monetary transactions untraceable. And making things even easier for them is our inability to stop spear phishing – those innocuous looking emails whose attachments and hyperlinks conceal the malware.

All this makes anyone with minimal programming skills and a free email account capable of inflicting significant damage, and with everyone from presidents to pensioners using emails today, the virtual pool of potential victims is limitless. No surprise then that cybersecurity experts believe that 2016 could well be the “Year of Online Extortion.”

But we can stop these insidious attacks, if everyone – individuals, organizations and policy makers – works towards a solution.

First, everyone must be taught to spot, sequester, and deal with spear phishing emails. This requires cybersecurity education that is free and widely available, which is presently not the case. While different training programs exist, most cater to large organizations, and are outside the reach of households, senior citizens and small businesses, who remain vulnerable.

What we also need is training that helps people develop better “cyber hygiene.” This includes teaching people to frequently update anti-virus software, appropriately program firewalls, and routinely back up their computers on discs that are then disconnected from the network. In addition, people should be taught how to deal with a ransomware attack and stop its spread by quickly removing connected drives and disconnecting from the Internet.

Second, organizations must do more to protect computer networks and employees. Many organizations continue to run legacy software, often on unsupported operating systems that are less secure and far easier for hackers to infiltrate. Nowhere is this problem more pressing than in small businesses, health care facilities, and state and federal government institutions, which is why they are the sought-after targets of ransomware.

Besides updating systems, organizations need to overhaul the system of awarding network privileges to employees. The present system is mostly binary, giving access to employees based on their function or status in the organization. Instead, what we need is a dynamic network-access system that takes into account the employees’ cyberrisk behaviors, meaning only employees who demonstrate good cyber hygiene are rewarded with access to various servers, networks, and programs through their devices.

Finally, policy makers must work to create a cyber crime reporting and remediation system. Most local law enforcement today is ill-equipped to handle ransomware requests, and harried victims usually have limited time to comply with a hacker’s demand. Many, therefore, turn to their family and friends, who themselves have limited expertise. Worse yet, some have no choice but to turn to the hacker, who in many cases provides a chat window to guide the victim through the “remediation” process.

What we urgently need is a reporting portal that is locally available and staffed by cybersecurity professionals, so people can quickly report a breach and get immediate support. Such a system currently exists, in the form of the existing 311 system for reporting nonemergency municipal service issues. It’s a system that has already been adopted by many cities in the nation, and allows for reporting via email, telephone, and smartphone apps. Strengthening this system by providing it the necessary resources to hire and train cyber security professionals, could go a long way towards stopping ransomware attacks that are now making their way past Main Street to everyone’s homes.

Perhaps the best way to look at the problem is this: How safe would we feel in a city where people are routinely being held hostage? Well, cyberspace is our space. And we have to make it safe.”