
Colonial Pipeline CEO Addresses Cyberattack at Senate Hearing: What You Need to Know


“We need to start imagining what can happen and respond accordingly as opposed to always looking at what the last problem was.” 

Senator Maggie Hassan from New Hampshire was on target with this statement during the Senate hearing about the recent Colonial Pipeline hack.

The attack on May 7th forced a shutdown of the pipeline and consequent gas shortages on the east coast, triggering panic and disrupting the lives of millions of east coast Americans. President and CEO of Colonial Pipeline Joseph Blount testified about the ransomware incident before the Senate homeland security committee on Tuesday, June 8, 2021.

Colonial Pipeline surrendered 75 bitcoins worth about $4.4 million to the Russia-based cybercriminal group DarkSide, 63.7 of which the government has since recovered.

The US government is preparing 

In an opening statement, Senator Gary Peters from Michigan expressed the need for a united effort between the federal government and the private sector to strengthen defenses against bad actors. Colonial Pipeline is one of several essential-product victims of recent ransomware attacks. For instance, JBS, the largest meat processing company in the world, has taken a hit as well. There’s no way of knowing who the next victim will be, but officials anticipate that worse attacks are coming that will harm the US economy and its citizens.

Senator Peters expressed that (1) private companies, especially those whose products are essential to Americans and are heavily relied on in daily life, are responsible for regularly assessing their risk and investing in technologies to prevent cyber attacks. He also stressed the importance of complete transparency and immediate notification from private companies to CISA when hacked. And (2) the government must play a part in defense by creating an official guide to help companies avoid breaches, take the right course of action in the event of a breach, and crack down on perpetrators.  

60 offices in the US Congress have been hit with ransomware, signaling that nobody is immune, including the government.

Many of the attacks on the private sector do not only end in loss of revenue and business reputation. They have real-world consequences as well, as we’ve witnessed after the Colonial Pipeline hack. 

What led to the Colonial Pipeline hack? Could it have been prevented?

The Colonial Pipeline breach could have been avoided. 87 percent of such attacks can be avoided.

Blount testified that Colonial Pipeline takes the safety and security of their systems very seriously, maintains regular communication with CISA, that nobody on the board has ever denied more funding toward security, and that if the CIO wants funds, she gets them. 

Where did they go wrong?

We learned that Colonial Pipeline didn’t use 2-factor authentication and was using a legacy VPN (introduced over 30 years ago).

Had Colonial Pipeline required all employees to use multi-factor authentication when logging into its systems, DarkSide would not have been able to get in with a compromised VPN account password. Although the password in question was allegedly a strong one, DarkSide had no trouble slipping through the cracks.

The lesson here is that all companies should, at the very least, require their workers to use 2-factor authentication. Other basic cyber hygiene practices can be found here.
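To make the point above concrete, here is an added example (not code from the article or from Colonial Pipeline) of a VPN-style login check with and without enforced multi-factor authentication. It implements TOTP one-time codes per RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits) and checks a password with PBKDF2. The user store, salt, password and the `enforce_mfa` policy switch are constructed for this example; the TOTP secret is the published RFC 4226/6238 test secret, not a real credential.

```python
"""Added example: a password-only VPN login beside one that enforces a second factor."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed user store for this example.  The password hash is PBKDF2-SHA256;
# the TOTP secret is the RFC 4226 / RFC 6238 test-vector secret, chosen only so
# the codes below match the published vectors.
_SALT = b"example-salt-not-for-production"
_PBKDF2_ROUNDS = 100_000
_USERS = {
    "vpn-user": {
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"Strong-but-leaked-passw0rd!", _SALT, _PBKDF2_ROUNDS
        ),
        "totp_secret": b"12345678901234567890",
    },
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    t = int(time.time() if now is None else now)
    return hotp(secret, t // step)


def verify_totp(secret: bytes, code: str, now: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift).

    Comparison is constant-time so a wrong guess leaks nothing about the right one.
    """
    t = int(time.time() if now is None else now)
    counter = t // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def authenticate(username: str, password: str, otp: Optional[str] = None,
                 enforce_mfa: bool = True, now: Optional[float] = None) -> bool:
    """Return True if the login is accepted.

    enforce_mfa=False models the legacy setup the article describes: a correct
    password alone grants VPN access, so a leaked password is enough for an
    attacker.  enforce_mfa=True is the corrected policy: the password is
    necessary but never sufficient without a valid one-time code.
    """
    user = _USERS.get(username)
    if user is None:
        return False
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _PBKDF2_ROUNDS)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False
    if not enforce_mfa:
        return True            # weak setting: password-only access
    if otp is None:
        return False           # no second factor presented
    return verify_totp(user["totp_secret"], otp, now=now)


if __name__ == "__main__":
    # Fixed clock so the demonstration is reproducible: time 59 is RFC 6238's first vector.
    t = 59
    code = totp(_USERS["vpn-user"]["totp_secret"], now=t)
    print("legacy, password only   :", authenticate("vpn-user", "Strong-but-leaked-passw0rd!", enforce_mfa=False, now=t))
    print("MFA enforced, no code   :", authenticate("vpn-user", "Strong-but-leaked-passw0rd!", now=t))
    print("MFA enforced, valid code:", authenticate("vpn-user", "Strong-but-leaked-passw0rd!", code, now=t))
```

Run as a script, the three lines show the difference in policy: under the legacy setting the leaked password alone is accepted, whereas with MFA enforced the same password is rejected until a valid one-time code is supplied. The drift window of one step is the usual trade-off between usability on skewed clocks and the number of codes accepted at once.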

When all else fails, should companies pay the ransom? 

Unfortunately, there is no playbook or simple answer to this. There are pros and cons to paying off cybercriminals. 

The pros are that you typically will be allowed back into your infrastructure, regain visibility, and can focus on recovery and rebuilding right away while assessing the damage. For Colonial Pipeline, it also meant that east coast individuals, first responders, ambulances, and airplanes could promptly regain access to fuel. Still, Blount expects Colonial Pipeline to take months and months, if not years, to restore its systems completely.

The cons would be that, by paying the ransom, you are essentially incentivizing criminals to commit the crime again. If no one paid the ransom, there would be no reason for ransomware. This is why it is CISA’s and the FBI’s strong recommendation not to pay the ransom. However, had Colonial Pipeline hypothetically not paid, the consequences would have been unknown, beyond cutting off 45 percent of the east coast’s fuel supply.

What we do know is that 95 percent of hacks are due to human error. We can absorb human error by practicing good hygiene, such as updating operations to include 2-factor authentication.

Practicing good hygiene is easiest when you upgrade and modernize your tools and systems. It’s not about how much money you spend on security or IT, but about assessing which platforms are most critical for you to protect and making sure you’re automating wherever possible. Smarter tools, not necessarily the most expensive ones, will help you rest assured that you won’t be the next ransomware case on the news.