Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: How one cyber attack on one firm had significant knock-on effects across the US East Coast, how another attack on another firm became Finland’s biggest criminal case in history, and what it feels like to be a victim of a cyber crime.
This week’s action: Plan B
THREE ARTICLES
- One attack on one firm nearly led to panic along US East Coast
Colonial Pipeline supplies nearly half of all fuel along the US East Coast. When it was attacked by ransomware last week, it shut down its entire network in response. (That’s a pretty significant incident response plan.) The knock-on impact of this response was an increasing concern about panic buying of fuel in the affected region, with reports of petrol stations shutting down due to lack of stock and queues of cars waiting to buy the product. (A longer-term impact may be a sales boost for solar panels and electric vehicles.) The not-so-ordinary-or-decent criminals issued a press release stating “our goal is to make money and not create problems for society”. (I assume they really mean “our goal is to not draw significant attention to ourselves from the US administration and its cyber military machine”. It may be too late for them to achieve this goal.)
Read more: https://www.bbc.com/news/technology-57063636 for details on how the attack happened and its impact, and https://www.npr.org/2021/05/11/996044288/panic-drives-gas-shortages-after-colonial-pipeline-ransomware-attack?t=1620974135766 for the human response
- How it feels to be a victim of a cyber attack
“The most stressful 4 hours of my career” is how one interviewee described the feeling of being a victim of a cyber attack. This 2020 survey by the University of Portsmouth in England, commissioned by the UK Home Office, tells us what we don’t want to know. “It is stressful, [..] frightening, [..] distressing that something you could work on for two years, can just, in a heartbeat, disappear.” The financial losses from the attacks ranged from £2 to £10k. (In my experience, the cost of the cleanup and recovery is usually a multiple of the direct cost.) The report describes how one SME spent £80k dealing with the consequences and another lost 70% of its customers after the attack. The non-financial impact also cannot be overstated. One victim stated “I came in, in the morning, fully expecting to get sacked.” (You need to put reasonable security measures in place – don’t be a sitting duck. But even then, recognise that you could still be a victim. If James Bond wants to get in, he will get in. In such a situation, it’s important to try to retain perspective – you will get through it, and most people – including most of your colleagues, peers and clients – will eventually be on your side.)
Read more: https://www.zdnet.com/article/it-is-stressful-it-is-frightening-what-its-like-to-be-a-victim-of-hacking-and-ransomware/
- If you provide mental health services, you know confidentiality is key. But please recognise that security is also paramount.
This story from Wired magazine describes a 2020 data breach at Vastaamo, Finland’s “McDonald’s of psychotherapy”. Soon after the breach, patients started receiving ransom demands. If they didn’t pay, all of the notes from their therapy sessions would be published online. The article interviews one victim who had sought help as a teenager. His notes included intimate details of his childhood, including abusive parents, alcohol and drug addictions, and suicidal thoughts. Everything he discussed with his therapist was typed up and stored on Vastaamo’s servers. And when the hackers gained access to Vastaamo, they gained access to this sensitive information. They contacted him. But they also contacted his mother, who had no previous knowledge of what her son had said (in confidence) to the therapist. In total, 30,000 people in Finland were contacted in the same way, turning the data breach into Finland’s largest criminal case in history. Vastaamo has not survived the attack – the article describes it as being “sold for parts”. (The cruelty of targeting people who sought help at difficult moments of their lives, and who may be unable to cope with the threat of their notes being made public, is shocking. It serves as a reminder as to why ‘that pain in the ass’ GDPR has a special focus on special categories of data such as health information. Enabling a breach of your client’s phone number is one thing. Enabling a breach of your client’s most sensitive thoughts, which have been shared with you in confidence, is very different. If the technology cannot be appropriately secured and the data cannot be sufficiently protected / encrypted, is low-tech or no-tech the solution? Paper is inefficient and easily lost, but it’s impossible to access unless you are physically in the same location.)
Read more: https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/ via https://securethevillage.org/news
TWO STATISTICS
- 45%: Colonial Pipeline provides 45% of the US East Coast’s fuel. The attack highlights how “cyberattacks are increasingly a threat to real-world infrastructure”. (Little did I know I was following the route of Colonial’s pipeline on my road trip across the States in the 90s – this article shows a map of the Colonial pipeline, running from Texas all the way via Georgia to New Jersey. We talk about banks being too big to fail, but it’s clear why the ‘boring’ oil industry is regarded as critical infrastructure.)
(https://www.zdnet.com/article/colonial-pipeline-cyberattack-shuts-down-pipeline-that-supplies-45-of-east-coasts-fuel/)
- 75%: In the University of Portsmouth’s research mentioned earlier, respondents also described the lack of interest from UK police. Of the 52 cases reported, 75% did not receive any police response. Unsurprisingly, due to the international nature of attacks, less than 10% led to a criminal prosecution. In Ireland, you report a cyber attack by calling your local Garda station, so I doubt the stats look any better here.
(https://www.zdnet.com/article/it-is-stressful-it-is-frightening-what-its-like-to-be-a-victim-of-hacking-and-ransomware/)
ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this.
- Plan B: After that Colonial incident, maybe it’s time to think about solar panels or home batteries as a Plan B to reduce the impact of a future disruption to fuel supply. This isn’t just an issue in the US. Europe imports 58% of its energy needs, with Russia being the largest source, followed by Iraq. Our responses to the Covid pandemic, finding ways to work remotely and (hopefully) continuing to make a living, also forced us to implement a Plan B. Both serve as useful reminders of the benefits of “Plan B” planning. This is more commonly called Business Continuity Planning (BCP), which is evolving into Operational Resilience. While BCP focuses on how you will recover from an event (e.g. power outage; cyber attack; loss of a key member of staff), Operational Resilience focuses on steps you can take now to absorb the impact of an event with minimal need for ‘recovery’ activities. If you’re only starting out on this, focus on the most likely events: the steps you can take to reduce the likelihood or impact of these events, and the steps you will take ‘in the event’ to get up and running again. Then move on to the events that are less likely but could have the greatest impact. If you’re struggling to identify a low likelihood / high impact event, here’s one: think about your email system going down and its in-built failovers and backups failing. If you rely on someone like Google or Microsoft for email, the likelihood may be very low. But the impact of losing all of your emails could be significant.