By: Tom Breen, Cybersecurity Liaison, SecuLore Solutions, LLC
Did you know October was National Cybersecurity Awareness Month (NCSAM)? Yes, October is now officially in the books, but cybersecurity is a topic that needs to be top of mind twelve months a year. NCSAM is a collaborative effort between the Cybersecurity and Infrastructure Security Agency (CISA) and its public and private partners — including the National Cyber Security Alliance — to ensure every American has the resources they need to stay safe and secure online. This is especially important in public safety and organizations that provide critical communications for obvious reasons. As such, in tribute to NCSAM, and as a reminder that it needs to be a priority year round, Zetron is pleased to provide the following guest post by one of our trusted technology partners, SecuLore.
Cyber-attacks on government networks are growing exponentially, and in some cases with lethal consequences! Public Safety networks are under cyber-attack because they are a high value/high vulnerability target for hackers. The very nature of ‘always-on’ computers and mission-critical 9-1-1 services makes Public Safety networks the perfect target for ransomware and cryptomining/cryptojacking, and the impacts are significant.
For the first six months of 2021 cryptojacking volume hit 51.1 million registered attacks, as published in the 2021 mid-year SonicWall Cyber Threat Report. Similarly, SecuLore’s Cybersecurity Attack Archive indicates there have been over 100 Public Safety cyber-attacks and more than 250 Local Government cyber-attacks (disclosed) in the USA in the past 24 months (a rolling quantity, often higher). By the end of 2021 Cybersecurity Ventures reports that ransomware is expected to attack a business every 11 seconds, and ransomware damages are estimated to hit $20 BILLION.
How Are Hackers Attacking Public Safety?
The most common attack methods used by hackers against Public Safety include (but are not limited to):
• Brute force attacks, compromised Remote Desktop Protocol (RDP) credentials and compromised Virtual Private Network (VPN) credentials are the top three common infection vectors. Reciprocity reports there were 377.5 million brute force attacks on RDP in Q1 of 2021.
• Phishing / Social engineering
• Compromise of Active Directory via various techniques, including credential stuffing. This enables the intruders to effectively distribute malware and collect data using AD itself.
• Hackers probe targets using Exploit Kits to deposit various malicious “payloads”, e.g., ransomware. Exploit kits can be acquired as a service (RAAS) via the dark web (Internet, the cloud, etc.).
• TDoS and DDoS attacks cause service disruptions at PSAPs that can be life-affecting when real callers cannot reach the help they need. Additionally, there can be costs associated with these attacks that certainly include the time wasted when Telecommunicators have to triage between real and fraudulent calls.
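The brute-force and credential attacks above are exactly what behavior-based monitoring is meant to surface. As an added example (not SecuLore’s or Zetron’s code), here is a small sliding-window detector run over constructed failed-logon records; the line format, the use of Windows event id 4625 for a failed logon, and the threshold of five failures per minute are assumptions.

```python
"""Sliding-window detector for failed-logon bursts against RDP.

Assumed record format (constructed): "<ISO timestamp> <event id> <source IP> <user>".
Windows event 4625 ("an account failed to log on") marks a failure.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammering several account names,
# one legitimate user who mistypes once and then succeeds (4624).
SAMPLE_LOG = """\
2021-10-05T02:14:01 4625 203.0.113.7 administrator
2021-10-05T02:14:03 4625 203.0.113.7 admin
2021-10-05T02:14:04 4625 203.0.113.7 dispatcher
2021-10-05T02:14:06 4625 203.0.113.7 psap
2021-10-05T02:14:07 4625 203.0.113.7 backup
2021-10-05T02:14:09 4625 203.0.113.7 operator
2021-10-05T02:30:00 4625 198.51.100.4 jsmith
2021-10-05T02:45:00 4624 198.51.100.4 jsmith
2021-10-05T03:10:00 4625 192.0.2.9 jdoe
"""

FAILED_LOGON = "4625"

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: time_of_first_alert} for every source whose
    failed-logon count inside a sliding window reaches the threshold."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ts_str, event_id, src_ip, _user = line.split()
        if event_id != FAILED_LOGON:
            continue                # successes and other events are ignored
        ts = datetime.fromisoformat(ts_str)
        q = recent[src_ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src_ip not in alerts:
            alerts[src_ip] = ts     # alert once per source, at the moment it trips
    return alerts

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} {ip}: failed-logon burst, review RDP exposure and MFA")
```

Only the single scanning source trips the rule; the legitimate user’s lone failure and the isolated failure from a third address stay below the threshold.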
Steps Public Safety Should Take to Harden the Target
Holistic Security Approach
✓ Continuous behavior-based cybersecurity monitoring of your network is the most important aspect of protection!
✓ Vulnerability assessments – Per the Task Force on Optimal PSAP Architecture (TFOPA), vulnerability assessments should occur at a minimum of every 90 days across the whole of the infrastructure to ensure your cyber-defense preparations are functioning as expected. Exception per CSRIC VII: if the type of cyber monitoring in use provides weekly reports and regular external analysis, then vulnerability assessments could instead be done annually.
✓ NIST 800-53 Rev 5 CA-7(1) recommends employing independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.
✓ Recommended Mitigation Methods for Ransomware include:
• Comprehensive backup strategy which includes frequent backup testing (see below). It is the most important step in ransomware recovery.
• Preventative architecture techniques including employing least privilege, especially with admin credentials (Limit admin permissions to the lowest level required to perform each person’s job responsibilities).
• Endpoint protection
✓ Create strong passwords, requiring sufficiently high entropy. SecuLore recommends 12+ character passwords from an unrestricted alphabet (include special characters!). A computer-generated password ensures a high entropy result. (NIST SP 800-132, Recommendation for Password-Based Key Derivation, December 2010, defines entropy as “A measure of the amount of uncertainty in an unknown value”.)
✓ Train your staff in cyber hygiene. Training is widely available and can help reduce risk by up to 40% (e.g., SecuLore’s Cybersecurity Hygiene Training).
✓ Hide your super-secret info (encryption keys, API keys, etc.) in an encrypted wallet or vault rather than plain text files.
✓ Use MFA (Multi-Factor Authentication) and only access the network via IT approved devices.
✓ Lock down remote access. Any remote access to critical systems should first enter a sandboxed environment (i.e., via VPN). If it is not operationally necessary to provide remote access, remove it entirely.
✓ Secure your ports by controlling access with a firewall and closing ports that are not being used.
✓ Keep patches up to date (police your vendors too!)
✓ Have a well-thought-out Incident Response Plan in place and test it on a timely basis. See TFOPA.
✓ Keep complete/regular backups using the 3-2-1 approach and test them on a prescribed schedule to ensure they will work when needed.
Questions to consider when testing your backups:
• What needs to be backed up? Are you considering all your critical data?
• How often should you test? Are you testing too often or too little?
• Are you able to restore the data?
• Was the recovery accurate and effective?
• Was the recovery reliable?
• How can you test without putting your “production” system at risk?
Implementation Planning Considerations
• Have contingency plans for offline operations
• Ensure personnel are trained in offline operations
• Have manual methods of performing mandatory functions
• Partner with nearby ECCs for support
• Consider vendor and 3rd party services, and make sure they have contingencies too!
• Prepare physical copies of critical documents and store them safely and keep them updated
• Have printed lists of emergency contacts and store them safely and keep them updated
• Consider cyber insurance to help pay for 3rd party assistance, NOT for paying ransom (paying ransom should be an absolute last resort)
Cybersecurity References Applicable to Public Safety
• NENA Security for Next-Generation 9-1-1 Standard (NG-SEC) NENA-STA-040.2-201X (originally 75-001, v1) (under rewrite at this time)
• The National Institute of Standards and Technology (NIST) Cybersecurity Framework is an excellent source of best practices to defend against or improve the odds of recovering from a successful cyber-attack.
• In August 2020 the FCC’s Advisory Committee, CSRIC-VII, included reference to the Center for Internet Security® (CIS) model for improving cybersecurity practices. CSRIC-VII also formally recommended implementing the appropriate industry-recognized cybersecurity controls in their entirety where possible, or in phases if necessary, during the transition to NG9-1-1. See Appendix D of the CSRIC Report. On September 30, 2021, while announcing CIS Community Defense Model 2.0, CIS stated that the bottom line is that implementation of the CIS Controls, and specifically IG1, is a robust foundation for your cybersecurity program.
• NIST’s “A Guide for Managed Service Providers to Conduct, Maintain and Test Backup Files” is a great resource for the Managed Service Providers (MSPs) that typically operate the ESInet for Public Safety to use to improve their cybersecurity and the cybersecurity of their PSAP customers.