In recent weeks, bloggers have discussed many topics during Cybersecurity Awareness Month ranging from best cyber hygiene practices to detecting and avoiding phishing attacks. All of these revolve around the idea of being aware of what’s out there and what’s going on in the cyber world. We’ve even talked about why it’s important to pay attention and what that means for organizations. In this post, we’ll talk about why it’s important to put cybersecurity first.
In May 2021 we learned of a ransomware attack targeting an American oil pipeline system that provides fuel to most of the Southeastern US. It started with a ransom note that appeared on a computer in the pipeline's control room. An hour later, the company had shut down the pipeline and wouldn't restart it for another five days. In the meantime, the region experienced fuel shortages while incident responders scoured the network for traces of the attack, and the company conducted a visual inspection of the pipeline to check for physical damage. After-action reports indicate that the attackers were able to acquire credentials for an unused VPN account that gave them access to the company's internal network.
All it took to bring down a fuel pipeline was one leaked credential, one password that went unchanged for who knows how long, and one patient adversary.
Why does that matter? It's just one example of how adversaries target the simplest of attack vectors. We don't really know how the password was leaked to the dark web, but we know that when it was used, the account was still active and the password hadn't expired. We know the company didn't implement two-factor authentication for the account, which would likely have prevented successful entry.
Simple things like changing passwords often and, even better, implementing multi-factor authentication for all credentialing systems are relatively easy policies to implement for most organizations. What isn’t necessarily as easy is developing the mindset of #CybersecurityFirst throughout an entire organization.
What does that look like? Regardless of whether you’re an individual, small business, or large corporation, start with cybersecurity awareness training. Everyone in the organization should be trained at the basic level of understanding how cybersecurity affects their lives. Don’t know where to start? Start with a simple Google search for “cybersecurity awareness training”. While DoD-centric, a good example is the DoD Cyber Awareness Challenge.
Basic Security Controls
Since the end user is oftentimes the easiest target, the organization should consider implementing basic security controls for its users. This includes concepts like strong password policies and multi-factor authentication. Keep in mind, these practices are not the only thing you should do, but they are a good start.
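The pipeline incident above came down to an enabled account nobody used, a password that never expired, and no MFA. As an added example (not code from the original post or from any specific product), here is a small audit that flags exactly those three conditions in an account export. The thresholds, field names and sample accounts are all assumed or constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy thresholds: assumed values, adjust to your own password policy.
DORMANT_DAYS = 90            # no login for this long = dormant
MAX_PASSWORD_AGE_DAYS = 90   # password older than this = expired

@dataclass
class Account:
    """One row of a (hypothetical) directory or VPN account export."""
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]   # None means the account never logged in
    password_set: date

def audit_account(acct: Account, today: date) -> list:
    """Return the policy findings for one account (empty list = clean)."""
    findings = []
    if not acct.enabled:
        return findings  # a disabled account cannot be used to log in
    if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
        findings.append("dormant-but-enabled")
    if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-expired")
    if not acct.mfa_enrolled:
        findings.append("no-mfa")
    return findings

def audit(accounts, today: date) -> dict:
    """Map each username with at least one finding to its list of findings."""
    return {a.username: f for a in accounts if (f := audit_account(a, today))}

# Constructed sample export; the dates are made up for the example.
TODAY = date(2021, 5, 7)
SAMPLE = [
    Account("vpn-legacy", True, False, date(2020, 11, 1), date(2020, 6, 15)),
    Account("jdoe", True, True, date(2021, 5, 6), date(2021, 3, 1)),
    Account("contractor01", False, False, None, date(2019, 1, 1)),
    Account("svc-backup", True, False, None, date(2021, 4, 20)),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE, TODAY).items():
        print(f"{user}: {', '.join(findings)}")
```

An account such as `vpn-legacy`, which trips all three checks, is the one to disable first; the stale-but-enabled finding alone is reason enough to review it.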
Encouraging cybersecurity awareness and implementing password controls is only the beginning of making #CybersecurityFirst in an organization. The best place to start is with the individual. On a personal level, everyone should ask themselves how they're managing their own passwords. Are you using a centralized password management tool? Are the accounts you use secured with two-factor (or multi-factor) authentication? If an account is compromised, can that password be used to log in to other accounts? Are you practicing effective cybersecurity hygiene on a daily basis?
At the end of the day, it takes significant effort to change and grow into a mindset of being secure in an insecure world, but if you start small, and make many small changes, those changes can grow into bigger changes, which eventually make the world a more secure place.
Do Your Part. #BeCyberSmart.
If you have questions or want to know more about how to secure your organization, please reach out to Sentar here.