By the time Brendan Rooney, director of the Crypsis Group, gets involved in a cybersecurity matter, it’s often the case that significant damage has already been done. The Crypsis Group is a digital forensic and investigative consultancy that frequently acts as the first responder when financially motivated cyber thieves, organized crime, nation-state threat actors, and hacktivists compromise a victim network. While threats are always evolving, the two primary methods of ingress Crypsis encounters are ransomware and business email compromise (BEC).
That means the first call is a tough one for Rooney. While it’s the start of the process for him, if the brand owner or OEM he’s dealing with isn’t insured against cyber-attacks, the victim may still have to pay a large ransom out of pocket. Odds are great that the victim company will also experience a disruption in productivity or suffer possible permanent loss of data. In some cases, the victim suffers all of the above.
“Our analysis aims to get answers to three initial questions,” Rooney says. “How did attackers gain access to the system? What did they have access to? And what may have been exfiltrated from the environment?”
The following is geared toward OEMs, but much of the information applies upstream and downstream as well.
Ransomware is a form of malware targeting both human and technical weaknesses in an effort to make critical data and systems inaccessible. Ransomware is delivered through various vectors, including phishing attacks, and also via Remote Desktop Protocol (RDP), which allows computers to connect to one another across a network.
Business Email Compromise (BEC) is a sophisticated scam targeting businesses that work with foreign suppliers and regularly perform wire transfer payments. A subset of BEC called Email Account Compromise (EAC) targets the individuals who regularly perform these payments. While most BEC and EAC victims reported using wire transfers as their regular method of transferring business funds, some reported using checks. The fraudsters used the payment method most commonly associated with their victims’ regular business practices. Rooney says the relatively standard but often overlooked step of multi-factor authentication on business email accounts can go a long way in mitigating the BEC threat.
Safeguards for OEMs to have in place before the dreaded call
Third-party assessments: Many CPGs currently require unbiased, third-party opinions on network safety, benchmarking against established frameworks. Having these assessments completed and available ahead of time can be a differentiator for OEMs and can be a sales tool for new client acquisition. Rooney also mentions the flip side: not having third-party assessments available can be perceived as a safety deficiency, rightly or wrongly.
Insurance: While many attendees asked, there’s no magic bullet number for how much cyber insurance is enough; that’s really a business decision. Rooney did provide questions to ask yourself in making the determination: “Is your insurance program tailored to your operations? And how are you calculating potential loss?” He also noted that depending on the end user of the equipment, insurance itself may be a contractual requirement, and a differentiator from competitors.
Employee training: this can pay dividends in shoring up cyber safety. Rooney adds that most successful cyber-attacks aren’t a failure of technology but rather a failure of personnel. Frequent training of both IT and OT staff can minimize risk exposure, though given that this is a human element, it can’t be eliminated.
Hire or outsource: Rooney recommends understanding the roles of contracted vendors and identifying any security gaps between them. Truly talented IT people are hard to find, and harder to keep, so outsourcing can be an option. And if there’s any question about which party is responsible for security, ask questions and get that worked out as soon as humanly possible.
Steps toward improvement, according to The Crypsis Group
Even the most astute employees can be taken in by phishing scams, but training exercises can make a difference.
- Ensure your organization’s personnel and partners get cybersecurity awareness training and are adequately trained to perform their day-to-day activities with cybersecurity in mind.
- Enable multifactor authentication whenever possible. The added layer of difficulty can help mitigate the risk of an intruder accessing your systems.
- Principle of least privilege: Give access only to those who need it. Really. And be strict about this.
- Application whitelisting and asset management: Ensure the data, personnel, software programs, and devices that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.