Do you know where your files are tonight?
By Mike Brennan
Is any individual or any business safe from cyberattacks? The answer to this question plays out in the following pages, where Michigan experts at the forefront of cybersecurity weigh in on ransomware, connected vehicles and the Internet of Things. Just how secure are we? It’s a fine line between cybersafety and cybercrime.
Cyberattacks … No One Is Beyond Reach
Take a tip from one of the world’s best known hackers, Kevin Mitnick, who for 20 years was on the FBI’s most wanted list until he was caught in 1995 and jailed for five years. Today Mitnick runs a private consulting company that claims a 100 percent successful track record of penetrating the security of any system he is paid to hack.
His advice: Be smart. Be paranoid. And good luck.
Good luck indeed. Cybersecurity has become either a pay-me-now or pay-me-later line item expense.
“You will write a check to someone,” says Grand Ledge, Mich.-based Dan Lohrmann, chief security officer/chief strategist for Security Mentor of Garden Grove, Calif., and former chief security officer for the state of Michigan.
That’s also the message delivered to executives around the country by Chris Pogue of Nuix, a software company based in Herndon, Va.
Pogue adds that if you take appropriate protective measures for online assets, such as mitigating cyber vulnerabilities, conducting penetration tests, building good cyber defense intelligence and ensuring that the right team is in place, the check will be much smaller overall than the bill you pay when a data breach inevitably happens.
The Target fallout
The check written for a cyber breach can be huge. Last year, Target agreed to pay $10 million to settle a class-action lawsuit related to the discount retailer’s 2013 data breach. Court documents show hacking victims could get as much as $10,000 apiece. The company estimates that about 42 million people had their credit or debit information stolen, according to court documents.
How did hackers get into the Target corporate network? Through a third-party vendor, Fazio Mechanical, a refrigeration contractor. A phishing e-mail duped at least one Fazio employee, allowing malware to be installed on Fazio’s computers. The attackers then waited until the malware served up Fazio’s login credentials to access the Target corporate network.
Phishing is a form of social engineering that involves tricking someone into believing an e-mail is coming from a trustworthy source. If the target opens the e-mail, or visits a website in the fake e-mail, a malicious payload gets downloaded and the network is breached.
Education is key
An educated workforce is critical to keeping computer networks secure, says Lohrmann. He’s seen a lot of cyberattacks in his career, having served nearly two decades at the state of Michigan where he helped protect the state’s computer system.
• Conduct a rick assessment. Know where your data is and what you are doing to protect it. Use audit findings to help guide priorities and include a penetration test in your process. Make sure you address these findings when they are available.
• Mitigate known vulnerabilities and network holes. Make sure you do the basic “blocking and tackling” with firewalls and malware detection and fix backup systems.
• Train your people — both end users and technical staff. Have an ongoing security awareness program to keep up with emerging threats and technology changes.
• Build an incident management plan. Know what to do and where to go if you have a cyber incident or data breach. Practice the plan with tabletop exercises (meetings to discuss simulated emergency situations).
• Make sure executives support the security program with the right resources and people. Getting the right cyber talent is key, including a good cybersecurity leader who can champion the effort.
Staying ahead of hackers
Businesses and consumers also have to be wary of several common cybersecurity attack vectors, or ways in which a hacker can gain access to a computer or network server. For instance, Mitnick warned about common mobile threats from USB thumb drives. In a hack, a thumb drive can trick a PC into thinking it’s a keyboard, rather than a storage device. The hacker injects keystrokes and commandeers the device.
Mitnick also warns about the dangers of connecting to a public Wi-Fi, typically found at coffee shops. A hacker can tell the Wi-Fi router to boot all the current users off the network. When they reconnect, the hacker substitutes his Wi-Fi network with the same name. Once users connect, a malicious payload is delivered.
The key to keeping hackers at bay, in most cases, is education, says Nick Lumsden, vice president of technology and product strategy at Online Tech in Ann Arbor, Mich.
“Then practice, test and educate again,” Lumsden says. “There are many tools you can buy to protect your systems, but the biggest threat is your people. Even the best tools won’t protect you from the Kevin Mitnicks of the world.”
The same is true for consumers on home networks. Lumsden urges them to employ the same basics as business to mitigate cyber risks.
“Buy secure products and employ basic network security in the home,” Lumsden says. “Change default user names and passwords, require secure communications and secure your home Wi-Fi.”
The Rise of Ransomware
In June, NASCAR Team Circle Sport admitted it paid off ransomware runners after one of its main test computers was infected with Truecrypt malware, a form of ransomware. The NASCAR laptop was quickly isolated, but the ransomware left the team’s crucial test data locked up two days before a big race.
Despite efforts to recover the priceless data, Circle Sport paid the extortionists hundreds of dollars in Bitcoins — the typical form of payment used by cybercriminals — and the encryption key was sent. Bitcoin is a digital, peer-to-peer payment system. Transactions take place directly between users without an intermediary and are virtually anonymous, perfect for online criminals.
Circle Sport is simply one of the latest victims of ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them. Hospitals, school districts, state and local government, law enforcement agencies and small and large businesses have all been victims. Home computers are just as vulnerable to ransomware. At stake can be family photos, videos and other data. Cybercriminals, like bank robbers, focus on extorting the most cash possible, making consumers a low-priority ransomware target.
An ever-growing threat
Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyberattacks, particularly against organizations. Worse yet, according to FBI data, if the first three months of this year are any indication, the number will grow even more in 2016 if individuals and organizations don’t prepare for these attacks.
Ransomware attacks are becoming more sophisticated. Several years ago, ransomware was delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cybercriminals turned to spear phishing, an e-mail scam that targets a specific individual, organization or business.
Some cybercriminals aren’t using e-mails at all.
According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software (software containing glitches not yet fixed by the developer) on end-user computers.”
What to do
So what do individuals and businesses do to protect themselves from ransomware? Use layered protection, says Edward Aube, vice president of managed services for Red Level in Novi, Mich. This includes up-to-date anti-virus and anti-malware protection installed on all components, he says. A strong firewall is also important, but the best protection is education and making sure the user is aware when infected e-mails come through, Aube says.
Even with these measures in place, ransomware can still infect computers, which is why it is important to back up all data regularly.
According to the FBI in a bulletin issued earlier this year, in a ransomware attack, victims — upon seeing an e-mail addressed to them — will open it and may click on an attachment that appears legitimate, such as an invoice or an electronic fax, but actually contains malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.
“If anything does get in, you are at the mercy of the writers of this ransomware,” Aube says. “Paying a ransom doesn’t guarantee a good outcome. There’s no guarantee you’ll get your data back.”
Aube says protecting against ransomware attacks falls into the areas of business continuity and disaster recovery. Creating a good recovery point for data that allows people to restore data to the point where the ransomware got in. Aube’s company, Red Level, offers security and data protection and disaster recovery services.
CloudTech1 of Farmington Hills, Mich., also uses a layered security approach, says CEO Rick Beckers.
“We have cloud-based products that allow us to take data offsite and within minutes after a ransomware attack we can lock down the device involved and make sure the ransomware encryption doesn’t propagate across the computer network,” says Beckers.
Like Aube, Beckers says preventing ransomware from infecting a network is a matter of education and training that should be part of every business human resources manual.
“Rule No. 1,” he says, “is make sure your employees are aware of the dangers of clicking on an unsolicited link in an unexpected e-mail.”
Behind the Wheel
In July 2015, a pair of hackers commandeered a Jeep Cherokee through its Uconnect entertainment system to attack the vehicle’s brakes, engine and navigation system. Fiat Chrysler responded by patching the vulnerability and then issuing a recall for 1.4 million vehicles. Fast forward to July 2016: Fiat Chrysler announced it would pay “bounties” of up to $1,500 to security researchers who alert the company to hackable flaws in its software.
In so doing, Fiat Chrysler became the first of Detroit’s Big Three automakers to work directly with security researchers in an attempt to make vehicles safer from cyber intrusion. Tesla actually pioneered the security-flaw bounty program a year ago and pays upwards of $10,000 to hackers who find vulnerabilities.
This collaboration with the cybersecurity industry expanded on July 22 when the inaugural Automotive Cybersecurity Summit was held in Detroit.
Conference host Thomas K. Billington, chairman and founder of Billington CyberSecurity, said: “With an expected 75 percent of new cars equipped with online capabilities by 2020, this summit comes at a crucial time. We are honored to help advance this important dialogue between senior government and industry automotive leaders.”
Building a safety infrastructure
For years, a group of eight automakers has been working to develop a system to manage cyber risks. The system is a form of public key infrastructure that encrypts and authenticates data and is used extensively by online shopping sites and banks.
The system would allow two vehicles that have no existing relationship to securely exchange data, says Dan Lohrmann, chief security officer and chief strategist for Security Mentor of Garden Grove, Calif.
“All new cars are actually just computers on wheels, and the automakers know that the future is all about technology, innovation and cybersecurity,” Lohrmann says. “The potential ramifications of hacks and data breaches are just too important to not take notice.”
Rick Beckers, CEO of CloudTech1, a Farmington Hills, Mich., managed services company, agrees.
“The telematics of a car that gives it communications capability — whether information, entertainment or autonomous capabilities — are nothing more than a mixture of computer networks,” says Beckers. “As such, the communications between whatever entity it is — OnStar, Sirius or something else — all need to be encrypted. Those vehicles also need an embedded firewall to control what traffic goes in and out.”
Beckers also recommends automakers take a cue from the cybersecurity technology used in business and install intrusion detection.
“Sniffing the network and finding anomalies before they become issues is what is needed in vehicles,” Beckers says. “You find instances where something is out of the ordinary, then use technology to go in and suppress it.”
A long way to go
Is the auto industry finally taking cybersecurity more seriously after stuffing cars and trucks full of connected communications, entertainment and navigation equipment for a decade? No question about it, Beckers says, particularly with the drive toward autonomous vehicles. But a couple of recent accidents involving semi-autonomous Teslas demonstrate there’s still a long way to go before cars drive us home.
“The automobile and the potential for autonomous operations dictate that technology has to be flawless,” Beckers says. “It has to be addressed at such a high level of confidence that consumers will buy and use these products. To trust the artificial intelligence we build into vehicles to perform 100 percent of the time, for now, remains unrealistic.”
Nick Lumsden, vice president of technology and product safety for Online Tech, headquartered in Ann Arbor, Mich., believes it is unrealistic to expect the auto industry to have connected technology perform perfectly so quickly. Typically it takes two to three generations of evolution to flesh out all the flaws. But awareness is the first step, says Lumsden. Knowing what has been tested and certified secure, and what has not, is critical for automakers.
“New threats will always emerge, but the basics need to be covered,” Lumsden says. He recommends using basic principles of security such as changing default usernames and passwords.
The Internet of Things
You’ve probably heard a lot of talk about the Internet of Things, or its shorthand acronym, IoT. Some skeptics have even dubbed the IoT “the Internet of Things that can be hacked.” Good or bad, forecasters predict 50 billion objects will be connected to the IoT by the year 2020.
The IoT allows objects to be sensed and controlled remotely across the Internet — from smart refrigerators that take pictures of the food inside and e-mail the images to your smartphone to smart cities where schools, libraries, transportation systems, hospitals, power plants and water supply networks are connected digitally.
IoT proponents hope it will create opportunities for more direct integration of the physical world into the computer world. As a result, it could improve efficiency and accuracy and generate economic benefit.
The IoT is also known as machine-to-machine (M-T-M) communications. For instance, machinery that works on building cars can also let the manufacturer know when production equipment needs maintenance and why. Some experts predict the M-T-M aspect of the IoT will dominate.
Opening the door to attacks
The “thing” in IoT is a uniquely identifiable appliance of some sort. On the positive side, for example, it enables consumers to connect to Netflix. On the negative side, it opens the door to potential cyberattacks. Popular consumer devices such as TVs, cable boxes, broadband routers, heart monitors and industrial control systems seldom, if ever, are patched, upgraded or hardened against misuse, unlike PCs, tablets, smartphones and computer networks. Cybersecurity was an afterthought for consumer electronic gear.
Recently, the Federal Trade Commission sent comments to the Department of Commerce, outlining a list of concerns about the security and privacy of connected and embedded devices. While many IoT devices have tangible benefits for consumers, according to the FTC, “these devices also create new opportunities for unauthorized persons to exploit vulnerabilities.” Smart meters, connected cars and connected healthcare devices were some of the devices cited by the FTC, but all devices pose security risks.
The following two events showed the world just how much havoc dedicated hackers can wreak on the IoT:
• The 2010 Stuxnet virus attack on Iranian nuclear facilities when malware installed through a thumb drive (developed by the U.S. and Israel) was used to take over control systems, leading to the destruction of critical centrifuge equipment used to develop bomb-grade uranium. The resulting leak disrupted industrial control systems worldwide.
• The 2015 Chrysler Jeep hack (see page 27), when two cybersecurity consultants accessed key vehicle systems through an external cellular connection, manipulating engine management, braking and navigation systems. Chrysler patched the hole and recalled 1.4 million Jeeps to shore up the all-terrain-vehicle’s cybersecurity.
Playing it safe
Despite potential threats, every business, household and consumer will be forced to deal with the IoT, with experts advising prudence and precaution.
“In the data center and office, IoT devices need to be treated like any other device on the network,” says Nick Lumsden, vice president of technology and product strategy at Online Tech in Ann Arbor, Mich. “They must be assessed, managed and kept secure. This is not new; the scope is just expanding. Scale will become the issue, but awareness is still the top threat. As much as the technology is growing, social engineering around technical safeguards is still the best path for an attacker.”
Dan Lohrmann, chief security officer and chief strategist for Garden Grove, Calif.-based Security Mentor, also offers advice about IoT safety.
“Start by doing your homework,” says Lohrmann, who served for nearly two decades at the state of Michigan where he helped protect the state government’s network from cyber intrusion. He also served as an operative for the National Security Agency.
“Know what you’re buying, what data is being collected by the device and which security features are available. Just like you do with a car, research the options and cost/benefit of various offerings,” he says. “Second, enable the security protections that are available on IoT products you buy and even products you already have. Third, change default passwords. Fourth, set up separate Wi-Fi networks for your home PC network and your IoT network.
“You don’t want your oven to become a back door into your laptop tax software. Finally,” he says, “rinse and repeat. That is, don’t rest on previous research or knowledge or advice. As you get new smartphones at home and work, new apps and new IoT devices, the landscape will change fast. This is an ongoing challenge that will not end.”
Are there any “things” he would recommend not connecting to the IoT?
“It depends on the situation, requirements and IoT devices.” Lohrmann says. “There are certainly many IoT devices that I would not buy (at this time) because I don’t see a compelling business case for using them. That is, the risks outweigh the rewards. Where there is already connectivity, I certainly take precautions. For example, I cover the camera on my PC when it is not in use, and likewise, I train my children about the pros and cons of putting too much information online. The same thought process needs to be considered with IoT. Again, my advice is to do your homework.”
No magic pill
CloudTech1 CEO Rick Beckers recommends a layered approach to IoT cybersecurity for consumer or commercial applications. He advises protecting networks with firewalls and, at the device level, making sure virus protection is up to date. Finally, he recommends installing breach monitoring to alert the company IT department when a hack is successful.
“There is no magic pill. You have to look at all these solutions, and use them all.”
Beckers says CloudTech1 advises clients, from small and medium-size businesses to Defense Department contractors, to install a collector that vacuums data from unsolicited sources. This suspect data then is blocked from entering the production network until it can be closely vetted.
“Exposing anything to the Internet that isn’t protected in a well thought out manner is just asking for trouble,” Beckers says.
Mike Brennan is editor and publisher of MITechNews.Com, a news portal site that covers the people and technologies driving Michigan.