Editor’s note: Wired for Safety is a column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer University. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a doctoral student at Northeastern University with a concentration in Curriculum, Teaching, Learning, and Leadership. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.

I was reading an article about how the Matanuska-Susitna (Mat-Su) borough of Alaska was impacted by a ransomware attack. The cost of recovering from the breach was around $2 million. A comment by someone regarding the cyberattack was “Who or why would anyone ‘hack’ a little rinky dink town?” The motivations for attackers are varied, and that comment can lead to inadequate planning for a cyberattack.

Cyberattackers may target large or small organizations. The smaller organizations are perceived as better targets because it is believed they will not have the in-house expertise to detect the compromise, may not have the funding to hire a third-party organization to help recover from the cyberattack, or may be more willing to pay the ransom, as the city of Valdez, Alaska, did around the same time as the Mat-Su borough attack. The breach of the Mat-Su systems affected over 700 devices. All of those devices have to be analyzed to ensure that the malicious code doesn’t reappear at a later time.

What does that mean? Malicious code can “sleep” for a given period. The code is still running on the computer, but it is not doing anything that would use a noticeable amount of CPU or memory. After that period, it wakes up and checks for instructions to determine what it should do. It could be told to sleep again for a few hours, days, weeks or months. After the specified time, it checks again and could be programmed to connect to a remote computer, giving an attacker remote access to the infected machine. From there, the attacker could log in to the computer and re-infect other computers, steal data, and so on. Again, it depends on the motivations of the attacker. That is why all computers have to be analyzed or, in many cases, reinstalled. In the case of the Mat-Su borough, hundreds of devices had to be examined and cleaned. Dealing with a mass compromise takes a lot of time and expertise to clean up properly. This is essential to know because it helps to explain the costs that can be involved in recovering from a cyber breach and why cybersecurity experts need to analyze all computers. It also explains why it is important to perform periodic risk assessments and to have third-party organizations assist with identifying risks, providing recommendations to minimize the likelihood of an incident, and helping to learn from and recover from a cyber incident.

Preparing for cyber incidents requires understanding that any organization, regardless of size, could be impacted (whether targeted or incidental). Risk has to do with understanding the likelihood of a breach or cyberattack occurring and the impact if it does happen. For your organization, start the discussion of risk impact by asking two questions: What would happen if I lost internet connectivity? What would happen if some or all of the files I depend on became unusable? Sit around the table with key stakeholders in your organization, unless it is just you, and determine your alternatives if you lost internet connectivity right now or your files became unusable. Just because you lose internet connectivity doesn’t mean that your business operations have to stop. It may mean performing processes manually, like using a manual credit card swiper, or investing in a hotspot with a different internet provider so internet-based operations can still occur (even if downtime is 10 minutes to switch to the hotspot). In the case of Mat-Su, they had to use typewriters for some functions. If you believe you can just recover your files from backup, ensure the backups have been tested and will restore as expected.
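The last point, that a backup only counts once a restore has been proven, is the one most often skipped. As an added example (not from the column), here is a small POSIX shell restore drill: it records a SHA-256 manifest when the backup is made, restores the archive into a scratch directory, and confirms every restored file matches its recorded hash. The sample files are constructed inline; the function and file names are my own.

```shell
#!/bin/sh
# Added example: a backup restore drill. make_backup records a manifest of
# file hashes beside the archive; verify_backup restores the archive to a
# scratch directory and compares the restored tree against that manifest.
# verify_backup exits 0 when the restore matches and 1 when it does not.

hash_tree() {
    # Print "hash  ./relative/path" for every file under $1, sorted so two
    # manifests of identical trees compare byte for byte.
    (cd "$1" && find . -type f | sort | while read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then sha256sum "$f"
        else shasum -a 256 "$f"; fi
    done)
}

make_backup() {
    # $1 = source directory, $2 = archive path, $3 = manifest path
    hash_tree "$1" > "$3" || return 1
    tar -C "$1" -cf "$2" .
}

verify_backup() {
    # $1 = archive path, $2 = manifest recorded by make_backup
    scratch=$(mktemp -d) || return 1
    if ! tar -C "$scratch" -xf "$1" 2>/dev/null; then
        rm -rf "$scratch"; return 1      # archive unreadable: restore failed
    fi
    hash_tree "$scratch" > "$scratch.manifest"
    if cmp -s "$2" "$scratch.manifest"; then rc=0; else rc=1; fi
    rm -rf "$scratch" "$scratch.manifest"
    return $rc
}

make_sample_data() {
    # Constructed stand-in for the files a small office depends on.
    mkdir -p "$1/invoices" || return 1
    printf 'customer,amount\nacme,100\n' > "$1/invoices/2018-07.csv"
    printf 'Opening hours 9-5\n' > "$1/notes.txt"
}
```

Run the drill on a schedule and treat a non-zero exit from verify_backup as an incident to investigate before you ever need the backup for real.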

As you begin to discuss what the impact would be, document each issue. For each item, identify a backup solution to sustain your operations until you have fully recovered from the incident. Documenting and implementing those alternatives is the contingency planning process. Contingency planning is the process of documenting, and frequently reviewing and testing, the plans you have developed to sustain your business operations (or day-to-day processes) until you have fully recovered from the cyber incident. Here is a contingency planning template.

Determining the risk of an event can be a daunting process if you are not aware of the various types of cyber events that could occur (this also includes natural disasters). Conducting a risk assessment is possible for any organization: some will need to hire a third-party organization to do it, while others can do it themselves. Here is one of the shorter NIST documents designed for small businesses to assist with assessing risk and implementing essential security controls.

It is essential to be prepared for a cyber breach; assessing risk and developing contingency plans can help with sustaining business operations until an organization has fully recovered from an incident.
