Secure the Breach
A public transit attack provides a useful reminder
by Gorav Arora
As a cybersecurity professional and Bay Area resident, I followed closely the recent ransomware attack on San Francisco’s Muni light rail public transportation system. The ransomware hit a high-profile target — but not necessarily on purpose. The attacker told media that his automated malware just happened to find its way to Muni’s old, vulnerability-ridden Windows 2000 servers on its own.
The malware is believed to be based on a strain known as HDDCryptor, or Mamba. It has more often been used by the attacker in ransomware schemes against American construction and manufacturing companies, but will basically strike whatever it can find. Muni was able to overcome the attack pretty effectively, turning the breach into more of a cautionary reminder about the inevitability of such intrusions, and of the importance of accepting that this is the new reality.
Every day, more than four million data records are lost or stolen, and this year alone we have seen the total surpass the one billion mark. The type of “spray and pray” tactics deployed in this case make every organization a potential victim, and it means that every organization, if it accepts this reality, has to take countermeasures – including regular system backups. Fortunately for Muni, the agency had done exactly that, and was able to restore services after three days. Its highest expense, so far, is the lost revenue from the free rides it was forced to give out.
The organization stated that its payment systems were not hacked, and that no customer or employee information was stolen, despite the attacker’s claim that it had been. It is unknown whether Muni had encrypted its data, but that would be a wise choice for anyone looking to adopt a similar mindset of “breach acceptance” and to focus on “securing the breach.” Sensitive data, including people’s payment information, names and other personal information, needs to be encrypted, not only to protect the organization but also to limit the broader impact of the breach. As of January 1, 2017, California’s breach disclosure laws will extend to include encrypted breaches, another example of the wider industry understanding that there are different types of breaches, some more secure than others.
If organizations want to better prepare themselves in other ways, another simple step they can take is to perform regular patch management of their systems. The Muni attack appeared to exploit a Java vulnerability for which a freely available patch has existed since last year. This is the case with most attacks – no matter how sophisticated they may be in other ways, they generally just take advantage of unresolved patch management, exploiting old, known vulnerabilities.
Another crucial step is to secure the humans using your systems. This includes crisp role-based access control definitions and multi-factor authentication. Ironically, the ransomware attacker’s own email accounts were compromised through password reset features and the absence of multi-factor authentication.
Also, users who undergo basic security education are far less likely to open unknown attachments or click on pop-up links, which, according to a Muni spokesperson, is what happened this time.
An attack on a public transit system could of course be significantly worse than it was here. As a proponent of the “Secure the Breach” approach, I am encouraged to see my local public agency preparing itself so well to respond, limit the damage, and recover from a breach. This is just the beginning; we are already starting to see a mindset shift in many organizations to accept the inevitable reality of a breach. In the words of Philip K. Dick, “Reality is that which, when you stop believing in it, doesn’t go away.” This principle can be applied to network intrusions. Knowing breaches will happen is one of the biggest steps an organization can take to prepare safety measures like encryption, and avoid the shock of a random attack.
Gorav Arora is the data protection CTO at Gemalto.