Ransomware, email-borne malware and phishing remained significant online threats to state, county and local governments last year according to two reports on Internet security and data breach investigation. But the threats don’t end there — the public sector is also at risk from cyberespionage, elicit cryptomining and software supply chain attacks.
Verizon’s 2018 Data Breach Investigations Report, released April 10, and Symantec’s 2018 Internet Security Threat Report, launched the week of March 19, both identify worrisome trends on the rise, many of which have already impacted the public sector and others believed to carry the same potential.
Symantec, a cybersecurity company active in more than 150 countries, scans about 30 percent of the world’s email traffic daily. Verizon, a major telecommunications provider to U.S. state and local governments and public safety, founded this year’s report on reports from 67 contributing agencies in 65 countries.
Of the more than 1 billion Web requests analyzed daily in 2017, Symantec noted that 1 in 13 of these requests led end users to malware, a 3 percent rise from 2016.
Significantly, the company also identified an 8,500 percent increase overall in the detection of so-called cryptominers; and a 600 percent increase in Internet of Things-related (IoT) attacks, up from around 6,000 in 2016 to around 50,000 in 2017. The United States ranked second only to China in IoT attacks by country, at nearly 11 percent — an improvement from nearly 19 percent in 2016.
Prior to a cryptominer surge that began in September, detections of mining software were “not particularly notable,” authors said, and numbered in the tens of thousands, and peaked at 1.6 million detections in December 2017.
In 2017, Symantec identified a 46 percent increase in ransomware, pointing out that 5.4 billion WannaCry attacks had been blocked. But Thomas MacLellan, Symantec’s director of policy and government affairs, said the ransomware market has become so crowded it has blunted creation of new ransomware families and sent demands lower.
State of Missouri Chief Information Security Officer Michael Roling said he sees “no sign that it will slow down anytime soon” and described the far-reaching attacks as impressive in how they have impacted so many organizations so quickly, leveraging a previously-fixed exploit rather than entering via a phishing campaign.
“These attacks proved the value of a disciplined patch management program and strong network security controls,” Roling said.
State of Minnesota CISO Aaron Call said his agency has deployed a new anti-virus technology that has proven effective in keeping ransomware malware at bay. Like Roling, Call said it’s possible bad actors are making use of recent patches to enable an entry point — but he linked this tactic to co-opting computing power for use in illegal cryptomining.
Public administration figured prominently in its ranking of email-borne malware by industry, placing first out of 11 with an incidence of 1 in 120. The public sector also ranked first out of 11 in an examination of email malware per user by industry, at roughly 53 email malware per user. Public administration ranked third out of 11 in a rating of phishing rates by industry, reflecting an incidence of 1 in 2,418.
Software supply chain attacks are also on the rise, posting a 200 percent increase in 2017, and are well-positioned to target governments, MacLellan said, because users “say ‘Oh, this is coming from whoever the software provider is, this is an update.’”
“It all kind of ties into this notion of getting folks to think about what it is that they’re doing, making sure the organization has the proper safeguards to limit people from doing significant harm to themselves and to their network,” he said, noting spear phishing remains the top way criminals gain access.
In its report, Verizon identified more than 53,000 incidents, or security events compromising an information asset, and 2,216 confirmed data breaches, an incident resulting in a confirmed data disclosure, in 2017.
The public sector, or public administration, was responsible for 22,788 incidents or at least 43 percent, a high number according to authors in part because governmental entities are often required to report incidents the private sector would not disclose. Of these incidents, 304 resulted in confirmed data disclosure.
So-called “social attacks” accounted for 93 percent of all security incidents. The public sector was by far the top industry impacted by social breaches, registering 92 breaches, with health care registering at 62 breaches.
Cyberespionage, defined to include “unauthorized network or system access linked to state-affiliated actors” and/or with an espionage motive, was the top recognized pattern for the public sector, identified as being behind 10,311 incidents and 77 breaches.
Sixty-seven percent of all public-sector incidents and breaches came from external bad actors, with exactly half of that subset being state-affiliated criminals. Nearly half of all bad actors targeting the public sector, or 44 percent, were motivated by espionage, but 36 percent were financially motivated.
“The government is kind of [between] Scylla and Charybdis in that because they are at once both one of the country’s largest employers and they have tons of information about the public at large and they store a great deal of sensitive strategic and military data,” said David Hylender, a Verizon senior risk analyst and report co-author.
Ransomware ranked fifth among 20 “action varieties in incidents” across industries, but despite its fearsome reputation, phishing was the No. 1 tactic used in public-sector breaches, followed by the use of a back door.
Hylender called it a “huge threat” across nearly every vertical, but said almost all espionage cases begin with phishing, which can lead to pretexting — and move from email to telephone and even personal dialogue.
The Verizon official suggested agencies may want to clamp down on privilege access, implement “better security awareness training,” and improve monitoring and security audits, given the large nexus between cyberespionage and phishing.
Roling said Missouri continues to push out targeted monthly lessons to 40,000 users, along with fake phishing campaigns for end users, and also offers online education for IT professionals.
“When over 90 percent of significant breaches involve phishing attacks, elevating awareness and end-user best practices becomes paramount. Strengthening our IT staff in various disciplines will give us the ability to harden our infrastructure and services even further,” he said.
Call said Minnesota creatively uses its tools to knock out cyberespionage, and is working with the legislature on funding increases. His organization does annual awareness training for staffers and has recently begun to send its own fake phishing emails — but the CISO identified a pro-cybersecurity mindset as equally important.
“Organizations that don’t do that, where users aren’t acclimated to that, are much more likely to fight and resist or circumvent those security controls,” Call said.