All things considered, West Virginia escaped the shutdown of the Colonial Pipeline relatively unscathed.
People rushed to buy gasoline in a few places, but any shortages at gas stations in the Mountain State didn’t compare to what other parts of the country experienced.
North Carolina was hit especially hard, as GasBuddy.com said approximately 65% of gas stations were without fuel in the days following the May 7 cyberattack that crippled the supply pipeline. In neighboring Virginia, 44% of its stations had empty tanks.
The security breaches have been closed and the pipeline is up and running, though it will be days before availability reaches normal levels. In the meantime, officials have been left to ponder how to avoid further attacks and what to do if one occurs.
The incident also brought to light how such cyberattacks can happen at any stage of commerce, including small business. The cost of prevention, or of recovery, at that level could be crippling for the unprepared and uninitiated.
Kevin Dillon, Sr., is a cybersecurity analyst for North American Consulting Services, Inc. He discussed the Colonial hacking with the Gazette-Mail, and offered tips and best practices for how businesses of any size can practice better “cyber hygiene.”
Q: How did this happen?
A: “The FBI has confirmed the Darkside hacking group is responsible for the attack on Colonial. Darkside is believed to be based out of Eastern Europe/Russia, and has denied affiliation with any government agencies.
“Technical details regarding the exact methods attackers used to compromise Colonial have not yet been published. Based on how previous large-scale breaches have been handled, we will likely see an official report released in the coming days or weeks.
“Although these methods have not yet been confirmed for the Colonial hack, ransomware is often delivered via a phishing email or other social engineering attack. Victims are tricked into clicking a link, opening a file, plugging storage media (such as thumb drives) into their computer, or otherwise taking some action that inadvertently triggers the ransomware or gives attackers access to their network.
“In the case of the latter, attackers will often remotely (virtually) access the computer network and gather and extract info, undetected, to leverage before triggering the ransomware. Unresolved vulnerabilities in expired systems are also commonly exploited.”
Q: What’s the process for correcting something of this magnitude?
A: “The official stance of the FBI is to never pay ransomware demands. Their basis for this is that victim organizations have no guarantee they will get their data back if they pay the ransom, and by paying the ransom, the malicious organization gains funding and resources to launch further attacks.
“However, the reality is that many organizations find themselves in a position where they have to take a chance and pay the ransom if they want their business to survive. Decrypting files which have been locked by sophisticated ransomware is highly unlikely at best, and most often downright impossible without the decryption keys held by the attackers.
“If the business is unable to financially survive the cost of rebuilding locked systems from scratch plus the lost revenue while they’re unable to provide services, unfortunately they often don’t have a choice but to pay. In the case of the Colonial hack, the company chose to submit $5 million as ransom payment in exchange for the tools to decrypt their data, and a promise from Darkside that stolen data would not be made publicly available.”
Q: Where are small businesses most vulnerable?
A: “Small, medium and large businesses alike are most vulnerable where people are concerned. In the earlier days of hacking, malicious actors were most likely to target machines directly. Now, with software developers taking a much more proactive approach to security, attackers are far more likely to target people to gain entry into an organization by utilizing social engineering tactics. By convincing someone to click a link or open a file, attackers can often bypass many of the security controls built into modern computing systems.
“Small businesses also tend to be more vulnerable because they often have tighter budgets and don’t dedicate funding to proactive security measures, or employ in-house security employees. This can make them an attractive target for less sophisticated attacks by smaller groups, which exist in greater numbers than complex, well-funded hacker groups.”
Q: What can small-business owners do to protect themselves?
A: “The easiest, no-cost step business owners can take is to ensure all computer systems and applications in the organization are kept up to date with the latest upgrades and patches. This ensures that they are not susceptible to exploitation of known vulnerabilities in out-of-date software versions. Additionally, antivirus software should be installed on all systems and kept up to date. This can help to mitigate attacks by known malicious software; however, it should be noted that antivirus will likely not detect malware that hasn’t been previously detected.
“Businesses should also employ a strict backup strategy to ensure they can restore their systems in the event they fall victim to ransomware. The safest approach is to back systems up to removable media, such as an external hard drive. Physically disconnecting this storage media between each backup ensures malicious software can’t spread to it and encrypt the backup files, too. However, this is a highly manual process and one that can be easily overlooked or forgotten.
“Finally, businesses should partner with a consulting firm to conduct vulnerability assessments and user education. These proactive measures greatly reduce the risk that an organization will fall victim to ransomware or any sort of data breach. It can be hard to justify the cost of such services, especially for small businesses, but these costs pale in comparison to the cost of a successful attack. This is especially true where regulatory bodies are involved, such as health care, payment processors, etc.”
Q: What steps should a business take to seal things up in the event of a data breach?
A: “The remediation steps required post-breach can vary greatly based on the type of industry, the systems the organization utilizes, and how the attack was carried out.
“The best option is to partner with a third party to take a comprehensive look at what happened during the incident and the state of the computing systems in order to develop and implement a remediation plan. This is especially true for smaller businesses without a dedicated security team, but it is often a strategy employed by the world’s largest corporations with tremendous internal security resources. Bringing in an outside firm allows for an objective, unbiased analysis of what happened and how to fix it.”