Oct 28, 2021

Cybersecurity Awareness month came a bit too late this year

Posted Oct 28, 2021 10:00 AM

By Scott Edger 
Little Apple Post 

Pottawatomie County’s October 1 revelation that it had paid tens of thousands of dollars in ransom to digital hackers who had infiltrated the county’s computer system was rather ironic, as that day marked the start of Cybersecurity Awareness Month.  

Ransomware attacks were escalating exponentially even prior to COVID-19 infecting the world. Once the quarantines and shutdown orders began, cybercrime events proliferated with epidemic fervor. 

Businesses and municipalities across the United States have lost millions in revenue to hackers. The financial cost is just the start, as cybercriminals will often permanently damage or destroy critical data and controls, whether or not the ransom is paid.

Pottawatomie County’s unfortunate situation is a perfect illustration of the urgent need for vastly improved cybersecurity, for public entities as well as private citizens.   

Dr. Eugene Vasserman, associate professor of computer science at Kansas State University and director of the Center for Information and Security Assurance, said that while he had no details regarding the Pottawatomie County incident, attacks like this are almost never targeted.  

The hackers likely did not seek out Pottawatomie County or any other individual person or group, but rather cast an enormous digital net. 

Targeted attacks are more vicious, shutting down a specific company’s website or operational capability. The targeted attacks are typically meant as reprisals, punishment for a company’s perceived wrongdoings. 

Once inside, the malware creates a unique key that locks the victim’s data. What hackers are able to do depends on the number and types of checks installed in the network to thwart unfettered access to entire systems. Vasserman said that if the checks and stopgaps are not adequate, cybercriminals could theoretically take control of entire infrastructures.

FINANCIAL CONSTRAINTS 

Often, the issue comes down to money. A good on-site backup infrastructure can be quite costly, according to Vasserman, and may still not offer rock-solid protection. A virus that’s designed to move especially slowly through a system may not be detected until even the backups have been compromised.

Digital security has for years relied on the “hard shell, gooey middle” philosophy: build a strong, high wall, line it with barbed wire and security lights, but once someone gets past those measures it’s open season.  

“If you get past the hard shell, the rest is easy,” Vasserman said.  

The system was set up that way simply to be more user-friendly. “Actually, more ‘administrator-friendly,’” Vasserman explained.

A moat and strong outer wall is the standard protection system for castles. There are, however, other designs that use complex interior architecture to slow attackers after they have breached the outer defenses.  

Those interior defenses, in a digital castle, are difficult to design and require tedious management. That’s why the strong outer shell model has been prevalent for so long.  

“Administrator time is very valuable,” Vasserman said. “It was simply easier to design and administer this way.”

The problem with much public cybersecurity infrastructure is that civic budget limitations can mean that uber-sophisticated infrastructure is clunking along, trying, or failing, to run on outdated hardware.   

New security software may not function on older hardware. “You would be surprised how much critical infrastructure still runs on Windows XP.”  

Cybercrime is a nuanced problem. There is never a simple solution to keeping hackers out. As security measures improve, the cybercrooks’ tactics and methods evolve aggressively.

They look for vulnerable machines, usually automatically, and just happened upon the county. The software immediately encrypts the system’s files, often sending a fully automated ransom message.

“It’s a challenge, and I doubt the prevalence of really thorough backup setups.”

Every internet-connected device is an entry point for a cybercriminal. Institutions and individuals are vulnerable in many ways. Systems are hijacked every day through emails carrying infected documents or attachments, or because they were never given the latest patches.

Victims can find themselves in a quandary: paying the ransom is a financial hit, and the FBI discourages paying ransoms because it encourages and funds further attacks, but refusal means losing critical data forever, which, for the individual victim, can be more expensive in the long run.

Ideally, groups are able to thumb their noses at the digital hijackers and simply restore their system by means of a regularly scheduled, comprehensive backup.  

Businesses and municipalities are, understandably, reluctant to discuss their cybersecurity measures, but Corey Meyer, interim director and network administrator for Riley County IT/GIS, said that the County reviews security systems and protocols regularly and makes adjustments as needed. The County’s systems check for updates on a daily basis.

“We do have multiple security professionals that we work with,” Meyer said, “to ensure what we have in place is at or above industry standards.” 

RANSOMWARE AS AN INDUSTRY 

The programming and coding involved in a ransomware attack is wildly sophisticated, but that does not necessarily mean that the digital kidnappers are equally sophisticated. Often in these attacks, the digital hijacker may personally have little computer or coding knowledge.  

Hijacking vulnerable systems is so ubiquitous and profitable that ransomware services which lease out their malicious software are popping up all over the web. Ransomware as a service (RaaS, as it is commonly tagged online) allows cybercrooks to simply deploy a service’s convenient malware package for the designated lease period and pay the service a significant portion of the ransoms they collect.

While ransomware has been around for decades, these organized service operations started up just a couple years ago.  

“It’s like a turnkey operation now,” Vasserman said. These underground services, typically found in the seedier neighborhoods of the Dark Web, present themselves as legitimate software providers, with good customer support, good user interfaces and professionally written software. They have a definite level of professionalism and business acumen; they set up contracts and customer support systems.

Literally any backup is better than none. If you have a minimal backup, you might lose a day’s worth of data.

The services are very customer-oriented. For the value-conscious cybercrook, a typical rent-a-hack comes with multiple tools available to overcome or bypass myriad security systems.  

Not all ransomware seizures result in fat payouts like the one from Pottawatomie County. Hackers deal in scale, snatching up small sums from as many unsuspecting victims as possible.

Hackers spread a broad net, sweeping the web and blindly casting into the digital ocean for any system weak enough to bite.

HOW TO AVOID 

Even the best digital security is akin to home security. You can put in strong doors and deadbolt locks, install alarm systems and cameras, and a good thief will still find his way in.  

According to Vasserman, the fact that even well-defended systems are regularly breached illustrates that the best defense is extensive backups.   

Vasserman said the basics are simply keeping systems up to date, protecting accounts with strong passwords, changing passwords regularly and not sharing accounts between people.

Businesses and private individuals can also take much simpler steps to more successfully deter attacks, Vasserman said. Simply keeping operating systems up to date is the most painless, and can be done by checking the automatic updates box on your operating system. Maintaining stringent password requirements and changing passwords regularly is recommended. Public and private entities should set up a proper VPN and firewall, and should not share accounts between people.

With adequate backup in place, if a cybercriminal hijacks an entity’s system, the entity can go back and restore everything to pre-hack conditions. 

“All of these things are less costly than a really thorough backup system,” Vasserman said, “and they could start today.”