Symantec’s recent Internet Security Threat Report (ISTR), Volume 22, reveals that 2016 was a banner year for cyber criminals, who carried out extraordinary attacks against governments, cities, banks and other organizations.
“Cyber criminals caused unprecedented levels of disruption by focusing their exploits on relatively simple IT tools and cloud services,” said Kevin Haley, director of Symantec Security Response.
Government cybersecurity and cybersecurity in general are being discussed far, wide and often. All the third-party reports are now recognizing cybersecurity as the number-one threat, noted Jennifer Nowell, national director for state and local government business at Symantec. Nowell sat down with EfficientGov to give municipal governments the backstory on the firm’s latest findings and to share advice on government cybersecurity.
Obstacles to Government Cybersecurity
Symantec boasts the world’s most comprehensive database, which has recorded 88,000 vulnerabilities over 78,900 products developed over two decades. The firm also monitors the security of 1/3 of the world’s email traffic, more than 2 billion messages.
On the government side, funding has been the number one challenge, Nowell said. Usually, cybersecurity costs fall under emergency management budgets. But, “it’s a bigger problem than we think it is,” she said.
New vulnerabilities presented by the Internet of Things and movement of data and operations to the cloud and software as a service (SaaS) are two areas that open up a multitude of pathways for hackers.
The 2016 ISTR report found that chief information officers have lost track of how many cloud applications are used inside their organizations. Most respondents said they have up to 40, “when in reality the number nears 1,000,” Nowell said, noting as an example that Salesforce might be counted as one IT application, but the SaaS actually has numerous interconnecting underlying applications.
Also, when governments create proprietary apps for their citizens to use — such as snow plow trackers or tools like Cincinnati’s Heroin Tracker — they can also be used to breach cybersecurity, raising the need for ‘shadow IT’ in order to observe how the tool is being used.
“This has become trickier, there aren’t any perimeters anymore,” she said. “And that’s challenging.”
Who, Why & What’s Next?
When you think of a hacker, you probably think of the lone wolf sitting in an unsuspecting or seemingly abandoned location. But Nowell said Symantec’s 22 years of research has shown it’s more groups now. In tracking various groups, the last five years of activity have revealed different motivations.
In short, “There is income to be had,” she said.
Cybersecurity crimes are typically characterized as fraud, with money being lost, or data breaches of personal information. Presumably the hacker is retrieving it for a person or organization that wants to do something with the data it’s paying to get.
In 2016, ransomware continued to escalate. The ISTR identified more than 100 new malware families — along with a 36 percent increase in ransomware attacks worldwide. The United States is the number-one target. Symantec found 64 percent of American ransomware victims are willing to pay a ransom, compared to 34 percent globally. The size of ransoms spiked 266 percent. A key defense is backing up data so there is no reason to pay the ransom, said Nowell.
But like any other crime, attackers employ methods that might go out of fashion, only to resurface later. For example, a particular Trojan virus recently reappeared attacking cyber resources in Saudi Arabia after five years of not being used, Nowell said.
Cybersecurity needs to be baked into an organization’s processes, she said.
It’s Too Easy to Get In
“Email is the weapon of choice,” Nowell said. Symantec found that 1 in 141 emails in the public sector, and 1 in 131 emails in the business sector, contain a malicious link or attachment. It’s the highest rate the cybersecurity company has seen in five years.
Also, Business Email Compromise schemes, which rely on little more than carefully composed spear-phishing emails, scammed more than three billion dollars from businesses over the last three years, targeting over 400 businesses every day, according to Symantec.
A third point of entry is when a user accepts Microsoft document macros — they easily enable a cyber attacker’s entrance without being noticed.
Thus, vigilance over messaging gateways is critically important, because once they are in, “They are living off the land,” Nowell said.
Hackers no longer have to build their own access tools: command-line tools like PowerShell are installed on most PCs. Once they are in, they can use the computer’s tools to facilitate the cyber attack.
How to Get CyberStrong
#1 Be Careful – Cautious – Thoughtful
“We forget how much social engineering plays into these threats,” said Nowell. People naturally want to be helpful when presented with a query, so when it comes to “pushing back, it’s not in our DNA.”
That’s been especially true for phishing scams. An employee of Janesville, Wisc., received a falsely branded letter from a legal vendor containing ransomware, and unaware, forwarded it on to colleagues.
Training leads to greater fitness to be cyberstrong, Nowell advised.
What kinds of training have worked?
Nowell suggested a ‘click bait’ tactic that automatically enters workers who fall for it into a brief training module, like Anti-Phishing Phyllis by Wombat Security Technologies. Symantec also offers government cybersecurity training solutions.
#2 Follow Nowell’s ISTR 2016 Government Cybersecurity Actions Checklist
Finding: Targeted attacks shifted from economic espionage to politically-motivated sabotage and subversion. Actions:
Finding: The frequency of ransomware attacks is up by 36 percent, and the average ransom has gone up from $294 to $1,077. Actions:
Finding: Attackers are using the same tools already installed on users’ systems to covertly hack data. Actions:
Finding: Cloud and IoT hacks are on the rise, with IoT devices being compromised within two minutes of connecting to the Internet. Actions: