Each month Peters & Associates hosts a webinar focused on Cyber Security. This is our way to bringing awareness to our client community and we encourage you to join in the discussion.  Our goal is to help you learn from those mistakes in the industry and bring attention to matters in your sphere of responsibility.

In November we reported on four newsworthy security incidents, which are outlined below.

Attacks and hacks in the news

  • U.S. Navy – 3rd Party Provider leaks personal details for 130,000 US Navy personnel.
  • San Francisco – City wide train system (SFMTA) experiences ransomware impacting 2,000+ ticket/fare terminals for an entire weekend.
  • Election Tuesday – Microsoft and Adobe together release patches combating 68 unique attack vectors setting off alarms for unpatched servers.
  • U.S. Army – Openly asks all “Ethical Hackers” to expose holes and provide notification of issues with .mil web sites.

3rd Party Provider – U.S. Navy

The U.S. Navy, like most organizations, has third parties that provide services.  As we all know, when 3rd party security controls are missing, it’s YOUR data that gets leaked.  This happened when an HP contractors’ laptop was stolen containing the information on 130,000 current and former Navy personnel.

Lessons Learned

  • Have a Vendor Management plan with enforceable contracts with key vendors and written expectations for 2nd and 3rd tier vendors.
  • Look for assurances (preferably from impartial parties) on 3rd party security posture.
  • Consider cyber-liability insurance where risks cannot be lowered.

San Francisco – Train System Down

This month, the city of San Francisco experienced ransomware in a personal way.  The system containing 2,000+ terminals responsible for tickets, fares, and schedules was infected with ransomware that crippled the boot sector of their hard drives.  The actor requested $78,000 in Bitcoins.  In the end, it was unclear if SFMTA paid the ransom, but the short-term alternative of free rides for everyone certainly had a cost!

Lessons Learned

  • Backup, or more importantly restoration, is the primary path to resolution. In this case, drive replacement was necessary as the malware was destructive.
  • Prevention stems from network monitoring tools, user education, and enhanced email protection.
  • The Mamba ransomware is a simple modification of previously seen ransomware.

Election (Patch) Tuesday

By coincidence, Election Day happened to coincide with Microsoft “Patch Tuesday” (a scheduled time when security patches are released).  Between Adobe and Microsoft, a total of sixty-eight security vulnerabilities were exposed.  At this point, two were actively being exploited and three were publicly available exploits available before the patch.  Additionally, it was encouraged to disable Adobe Flash until it is needed for something specific.

Lessons Learned

  • Patch Management processes should be mature, have known testing mechanisms, responsibilities, and SLA’s.  Anything less will not do in today’s world.
  • The time frame for implementing patches after release must be shortened.
  • Traditional security approaches must be operated with vigilance and speed.

U.S. Army – Calling all Ethical Hackers!

The U.S. Army, like most businesses, knows that security is a group effort.  In November, the U.S. Army is engaging ethical hackers (a.k.a. “white hats”) in the open public to review and comment on the security of all .mil government sites.  This open call for hacking is a trend in the industry to invite the best and brightest, under some guidelines, to educate site owners on security vulnerabilities before non-ethical hackers do!

Lessons Learned

  • As a supplement to extend port vulnerability scans, ethical hacking is a developing strategy for key sites.
  • While occasionally there are public calls, often this is part of a paid security review
  • Simple rules outlining rewards, public accolades and freedom from persecution are typically the minimum guidelines.

Please join us in January for our next This Month in Cyber Security webinar.  You will find the information to register at https://www.peters.com/events/.

For more information, email info@peters.com or call 630.832.0075.