I stumbled upon an interesting article from the United States Computer
Emergency Readiness Team here: https://www.us-cert.gov/ncas/alerts/TA17-293A.
The information provided proved to be extremely fascinating, as they describe,
in detail, the specific actions that the threat actors took to compromise
various government entities. These targets included governmental energy,
nuclear, water, aviation and other critical manufacturing sectors. The threat
actors used a multi-pronged APT attack to help disrupt resources and gather critical
if threat actors or hackers want some kind of access to your system, they will
get it eventually. The most important thing you can do is limit what
information or control they can get. The most important topic, only indirectly
touched upon with regard to spear-phishing but vitally important nonetheless,
is social engineering. Social engineering is regarded as the most successful
way for a threat actor to gain information or access. To help mitigate these
attacks, end-user awareness training is paramount. I.T. departments should
regularly educate their users on proper Internet usage, email handling, and
information storage. The article gives an example of how something as
innocuous as a picture was turned into an avenue of attack: a high-definition
image posted on a website was used to read the model numbers and status
indicators of various hardware.

Another layer of defense is data security. If the threat actors are successful
in their social engineering attempts, it is imperative that they do not have an
easy road to any data they can get their hands on. Attachments sent to some of
the employees were infected Microsoft Office documents made to look like
legitimate traffic. This is where software and hardware patching becomes even
more important. Keeping your OS, anti-virus and regular end-user software
updated can help close potential holes and flaws. Data security also includes
another important aspect: user authentication. First, making sure end-user
passwords have some kind of complexity is a must; standard dictionary words
have been proven to be easily cracked. Certain plain-text passwords were
discovered and exploited by the hackers. I.T. administrators must also make
sure default usernames and passwords are changed or disabled on all kinds of
software and hardware. There have been many horror stories of firewalls and
security appliances left with their defaults unchanged.

At the end of the article, there is information on detection and preventative
measures as well as general best practices. I would think someone who is in
charge of the I.T. security / cyber security of government infrastructure
would've taken such simple measures to heart already. Maybe I am lucky, working
for the Town of Franklin, that I am surrounded by smart, thoughtful people.
They give network segmentation as an example of best practice going forward.
Why wouldn't they have had their network segmented already? Files that are
accessed by regular employees should not be on the same network as SCADA
systems, for example. Access to those systems should require separate
credentials, which only a limited number of people have. Something infinitely
simpler and just as important is log files. It seems like none of their
systems were set up to keep logs. This would make detection of unauthorized
activity quicker! An admin could even set up their own syslog server, having
the different pieces of hardware and software send all their logs to one
centralized place. Things like this separate decent I.T. folks from great ones.
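As an added illustration of the point about centralized logs and segmentation (example code written for this post, not from the US-CERT alert or any product), the script below parses a few constructed sshd lines as a central syslog server would receive them and flags two things the alert warns about: logins to SCADA hosts from outside the SCADA segment, and successful logins with default account names. The host names, address ranges and log lines are all made up.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of syslog lines from several devices (not real logs).
SAMPLE_LOGS = """\
Oct 20 09:12:01 fileserver sshd[2201]: Accepted password for jsmith from 10.10.5.23 port 51234 ssh2
Oct 20 09:12:07 hmi-01 sshd[410]: Accepted password for admin from 10.10.5.23 port 51240 ssh2
Oct 20 09:12:09 hmi-01 sshd[411]: Failed password for root from 10.10.5.23 port 51241 ssh2
Oct 20 09:13:44 hmi-02 sshd[98]: Accepted password for operator from 10.20.1.5 port 40022 ssh2
Oct 20 09:14:02 fw-edge sshd[77]: Accepted password for admin from 203.0.113.9 port 33001 ssh2
"""

# Assumed (hypothetical) layout: office LAN and SCADA segment are separate
# networks, and only these hosts live on the SCADA side.
SCADA_NET = ip_network("10.20.0.0/16")
SCADA_HOSTS = {"hmi-01", "hmi-02"}
# Account names that ship as defaults on many appliances and should never be
# used for interactive logins once a device is deployed.
DEFAULT_ACCOUNTS = {"admin", "root", "administrator"}

# Matches the standard OpenSSH "Accepted/Failed password" message format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return the fields of one sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_alerts(text):
    """Scan centralized log text and return (kind, host, user, src) tuples."""
    alerts = []
    for line in text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        src = ip_address(ev["src"])
        # Any auth attempt (even a failed one) reaching a SCADA host from
        # outside its segment means the segmentation boundary is not holding.
        if ev["host"] in SCADA_HOSTS and src not in SCADA_NET:
            alerts.append(("segmentation", ev["host"], ev["user"], ev["src"]))
        # A successful login with a default account name is worth a look
        # regardless of where it came from.
        if ev["result"] == "Accepted" and ev["user"] in DEFAULT_ACCOUNTS:
            alerts.append(("default-account", ev["host"], ev["user"], ev["src"]))
    return alerts
```

Running `find_alerts(SAMPLE_LOGS)` on the constructed lines yields two segmentation alerts for hmi-01 and two default-account alerts (hmi-01 and fw-edge).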

The FireEye solutions and systems presented definitely seem like a solid
software / hardware package that can be rolled out to beef up system security.
However, that is only half the battle. From other cyber-security classes I
have taken so far, CS-102 and CS-103, it is clear that a lot of these
solutions are only as good and effective as your end-users and I.T. staff.
I.T. staff need to be trained effectively to meet the company's /
institution's needs. Throwing hundreds of thousands of dollars into hardware
and software security is useless if it is NOT used properly. I also cannot
stress enough the importance of end-user training. Teaching employees what to
ignore, avoid and use correctly in the first place can head off myriad
hacking / social engineering attempts. It doesn't matter how complete your
security package is if your end-users are careless with company hardware,
software or information.