For small businesses, the result of a cyber incident can be disastrous. While larger organizations and enterprises may be able to absorb the monetary costs and reputational damage caused by a cyber incident, most smaller businesses cannot.
“The National Cyber Security Alliance has recently released statistics that show 20% of small businesses experience such an attack every year, and that 60% of these businesses were forced to close within six months of being hacked.”1
Cybersecurity risks are constantly evolving as organizations adopt new technology (such as cloud services) and cybercriminals adopt new tactics, techniques, and procedures (TTPs). The construction industry doesn’t have the same regulatory and compliance requirements pertaining to cybersecurity that other industries—such as the financial and healthcare sectors—have, yet it faces the same threats. For this reason, it is imperative for the construction industry to focus on cybersecurity risks to avoid becoming the next victim of cybercrime.
There are many ways that cybercriminals (also known as threat actors) can compromise confidential information in an organization. Below, we’ll address three of the most common vectors for a successful cyber attack:
Spear Phishing
One of the most common techniques, “spear phishing is an email targeted at a specific individual or department within an organization that appears to be from a trusted source. It’s actually cybercriminals attempting to steal confidential information. A whopping 91% of cyberattacks and the resulting data breach begin with a spear phishing email, according to research from security software firm Trend Micro. This conclusively shows that users really are the weak link in IT security.”2
Often, threat actors will employ the use of malicious file attachments when conducting these types of attacks. “There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary’s payload exploits a vulnerability or directly executes on the user’s system. The text of the spear phishing email usually tries to give a plausible reason to open the file, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.”3
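The disguises the passage describes (a document extension placed before the real executable one, or an executable given a document's icon and name) can be checked at the mail gateway. The following Python check is an added example, not code from the original article or from Dean Dorton; the magic-byte table and extension lists are assumptions chosen for illustration.

```python
# Constructed magic-byte table for the file types the quoted passage names (assumption).
MAGIC = {
    "pdf": b"%PDF-",
    "exe": b"MZ",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",   # OOXML documents are zip containers
    "doc": b"\xd0\xcf\x11\xe0",
}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}

def attachment_findings(filename, content):
    """Return reasons an attachment looks disguised (empty list = nothing suspicious)."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) < 2:           # no extension at all: nothing to compare against
        return findings
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        # "invoice.pdf.exe": a document extension placed before the real one
        if any(p in DOCUMENT_EXTS for p in parts[1:-1]):
            findings.append("double extension hides executable")
        else:
            findings.append("executable attachment")
    elif content.startswith(MAGIC["exe"]):
        # PE header under a document name (icon/extension swap)
        findings.append("PE content with non-executable extension")
    expected = MAGIC.get(ext)
    if expected and not content.startswith(expected):
        findings.append(f"content does not match .{ext} header")
    return findings
```

Feed it the attachment name and the first few bytes of the decoded (and, where the email supplies a password, unpacked) file; a non-empty result is a quarantine or review signal rather than a verdict.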
Password Spraying
This technique “uses one password (e.g. Password01), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.” For instance, from September 2018 through February 2019, Proofpoint conducted a six-month study that analyzed over 100,000 unauthorized logins across millions of monitored cloud user-accounts.4
“The company found that 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks, while 25 percent were successfully breached in this manner. Proofpoint noted that the number of IMAP-based password-spraying attacks jumped up following the December 2018 publishing of the Collection #1 data dump that exposed nearly 773 million unique emails and 21 million unique passwords.”5
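The shape described above (one password tried against many accounts, few attempts per account, so no lockout trips) is what a defender can look for in authentication logs. This Python example is added here and is not from the original article or from Proofpoint; it runs that logic over a constructed sample of IMAP login log lines, and the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IMAP authentication log sample (assumed format); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2019-01-15T08:00:01Z src=203.0.113.7 user=alice@example.com proto=IMAP result=FAIL
2019-01-15T08:00:03Z src=203.0.113.7 user=bob@example.com proto=IMAP result=FAIL
2019-01-15T08:00:05Z src=203.0.113.7 user=carol@example.com proto=IMAP result=FAIL
2019-01-15T08:00:07Z src=203.0.113.7 user=dave@example.com proto=IMAP result=FAIL
2019-01-15T08:00:09Z src=203.0.113.7 user=erin@example.com proto=IMAP result=SUCCESS
2019-01-15T08:01:00Z src=198.51.100.4 user=frank@example.com proto=IMAP result=FAIL
2019-01-15T08:01:10Z src=198.51.100.4 user=frank@example.com proto=IMAP result=FAIL
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"proto=\S+ result=(?P<result>\S+)$")

def parse(log_text):
    """Yield one dict per well-formed line, with ts parsed to a datetime."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=4, max_per_account=2):
    """Flag sources that fail against many accounts with few tries each (spray shape),
    as opposed to many tries against one account (brute force that trips lockout)."""
    failures, successes = defaultdict(list), defaultdict(set)
    for ev in parse(log_text):
        if ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
        else:
            successes[ev["src"]].add(ev["user"])
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding time window over failures
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[src] = {"accounts": len(per_user), "successes": sorted(successes[src])}
                break
    return flagged
```

A flagged source that also has a success (erin in the sample) is the account to reset and review first; the single-account retries from the second source are not reported, because that is the lockout-prone pattern spraying is designed to avoid.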
Exploiting Vulnerabilities in Unpatched Software
“Earlier this year, the National Security Agency urged organizations to ensure that they are using patched and updated systems in the face of growing threats. The vulnerability is present in Windows 7, Windows XP, Server 2003 and 2008, and although Microsoft has issued a patch, potentially millions of machines are still vulnerable.”6
Dean Dorton recommends that organizations consider the following to identify their risks and enhance their cybersecurity preparedness:
- Identify where your valuable information is stored (on your internal network and the cloud)
- Develop policies, procedures, and standards pertaining to cybersecurity
- Adopt a cybersecurity control framework
- Develop a cybersecurity incident response plan
- Secure your backups, and test them regularly to ensure they can be restored correctly when needed
- Disable legacy authentication protocols (such as IMAP)
- Enforce two-factor authentication (2FA), also referred to as multi-factor authentication (MFA)
- Update and patch your computers. Vulnerable operating systems and third-party applications are often targeted by threat actors. You should ensure that your operating systems and third-party applications are kept current with the latest patches.
- Train your organization. “Organizations should ensure that they provide cybersecurity awareness training to their personnel. Ideally, organizations will have regular, mandatory cybersecurity awareness training sessions to ensure their personnel are informed about current cybersecurity threats and threat actor techniques. To improve workforce awareness, organizations can test their personnel with phishing assessments that simulate real-world phishing emails.”7
- Perform regular cybersecurity assessments and penetration tests against the network—no less than once a year. Ideally, run these as often as is possible and practical. Dean Dorton can perform these tests for you.
Dean Dorton’s Information Security Office (ISO) provides a team of experienced information security professionals who can augment your organization’s information security team or take the lead in designing, implementing, and maintaining a strong information security program on your behalf.
Please join us on October 24 at the Ohio Valley Construction Conference, where Gui Cozzi will be presenting on the latest trends and threats in cybersecurity. After reviewing recent incidents and breaches, we will walk through the critical aspects of a comprehensive cybersecurity program. We will discuss how a properly designed and implemented cybersecurity program can help mitigate your cyber risks.
Gui Cozzi will address the following learning objectives:
- Knowledge of current cyber threats and techniques
- How to build and maintain an effective cybersecurity program
- Understanding of key controls that can mitigate current cyber threats