A Low Profile Is Part of a Good Cyberdefense, Expert Says

U.S. ransomware attacks reported to the FBI in 2017 resulted in $2.3 million in losses, and cybersecurity experts don’t see that trend slowing. In Alamance County, N.C., IT experts are doing everything they can to defend the network.

by Isaac Groves, Times-News / April 22, 2019

(TNS) — One thing Internet security specialists don't enjoy talking about with news media is their organization's Internet security.

"Somebody out there might think, 'let's test this out,'" said Paul Bobak, network operations manager for Alamance County.

And there are more somebodies out there than there were a couple of years ago, Bobak said, making his job both harder and more important.

"The last two years is a whole new normal," Bobak said.

Anything that raises an organization's or an individual's profile can attract attention from the wrong people, but a lot of things can make one a target.

"It's not always very logical about how you get picked," said Megan Squires, computer science professor at Elon University. "Sometimes it's for money; sometimes it's for revenge; and sometimes it's just for practice or bragging."

Ransomware seems like the most common hack these days. It is often software that gets into a computer or computer network and encrypts all the files so they can't be accessed without the code key, which only the hacker has. Such attacks have been happening a lot in the past couple of years.

"There's Charlotte a year and a half ago, Atlanta, Davidson County, Orange County," said Assistant County Manager Bruce Walker.

And it's not just local governments. LabCorp was hit less than a year ago. Ransomware attacks reported to the FBI in 2017 resulted in $2.3 million in losses.

That's what happened to Orange County government last month. Ransomware got into 120 computers, but administrators kept it out of the county's servers. While they stopped the infection before it spread to the whole network, services from the register of deeds to the public library were shut down for a day or more. It was the third time Orange County has gone through that in six years.

"You can pay them, you can kiss your data goodbye, or, hopefully, if you've been infected you have good backups," Bobak said, "and so, you will cut out the cancer and you will start from scratch. You will load servers back from backups."

Backups are copies of all the data, or at least all the most important data, on all the computers in your network. Backups allow administrators to basically erase everything on individual infected computer drives and restore them with that backup data. Not everything on every desktop computer is likely to be saved, Bobak said, so whatever so-and-so was working on but hadn't submitted is probably gone.

No one really recommends paying ransom. For one, anonymous criminals don't always keep their word and then you don't have your data or your money. For another, if word gets out, your organization becomes even more of a target, according to Information Security Media Group.

Prevention

The best thing, of course, is to keep viruses out of computers and networks. Two ways to do that — that people will talk about — are software and training.

Antivirus software has been around for years, and most computer users have ignored the annoying pop-ups reminding them to update theirs or held off on the expense of upgrading. They shouldn't. Updates for security systems, operating systems and other software can close vulnerabilities — ones that hackers look for.

"Sometimes you get targeted because you're running particular software," Squires said.

There is an evolution in antivirus software, too, Bobak said. About two years ago, Alamance County switched to algorithm-based antivirus software.

Signature-based software has been the norm for decades, Bobak said. It recognizes viruses and other malware, kind of like a flu vaccine, Walker said, and flu shots work, until a new strain comes along.

"It does have one huge weakness," Squires said, "if you can make your signature not match the ones they have."

Algorithm-based software is at least similar to artificial intelligence.

"It unpacks something and sees what it does and based on the algorithm or the rules it creates a score of 0 to 100," Bobak said, "and basically if it scores anywhere on that scale at all... it will say you can't run."

It took weeks to train the software, Bobak said, and three or four times in the past two years he has had to review something questionable it flagged. Squires said the software is more expensive and she questions a system that doesn't check for the signatures of the countless viruses already out there.

"I think is the primary reason we are more secure than the standard," Bobak said. "There are other things we're doing, but that's the biggest."

Alamance County has never been hacked, Bobak said, knocking on wood.

The weakest link is you

The biggest vulnerability, however, is the people operating the computers. Walker said training is half the battle. Bobak said it's more. Squires put it at 95 percent.

"The problem exists between the chair and the keyboard," Squires said.

That's because malware usually gets into the system when someone lets it in. It could be on a stick drive someone puts into a computer's USB port, or more often in a file or a link in an email that looks legitimate — called phishing.

There were 15,690 email compromises of businesses and other organizations in 2017, according to the FBI, costing $675 million in losses.

Once, most phishing attacks were crude, poorly written and designed, but like the ransomware itself, they have become more sophisticated — something called "social engineering."

"I got an email that looked like it came from my dean," Squires said.

Often there are still ways to spot them, like looking at the URL or email address to see if it matches that of the organization or person it's supposed to come from, which few people do.

"The thing that's going to get you is something that you were too lazy or too busy to do something about," Bobak said. "You've got to treat everything like it's important."

"Hostile environment"

The risk of attack is going up because basically anybody can do it.

"It takes very little technical know-how; you don't have to be a hacker," Bobak said. "You can buy software from somebody else. You don't have to write the software."

It's also hard to stop them. The government knows who attacked Atlanta and LabCorp, Walker said, but they are in Iran, so if they ever come to the United States, they can be arrested.

Romania also generates a lot of good hackers, Squires said, for some reason.

"We used to joke that it's really cold," she said.

Low profile

"The best hackers work for governments," Bobak said.

Russian hackers have become notorious boogeymen for the cyberwarfare they've waged all over the world for their government.

"These are highly motivated state actors," Squires said.

For the most part, top-tier hackers don't seem too interested in local government, Bobak said, which is good, because if they can hack Google and Facebook, they can hack the county.

"For the most part government doesn't have the juicy targets to be worth the time of the best hackers," Bobak said.

But hacking a government organization gives hackers bragging rights, Squires said, which can be important to them especially when they are starting out. And while the data at county level might not be that valuable, local governments do some important things like public safety and elections so an atmosphere of "healthy paranoia," as Walker puts it, is an important part of defense.

The county also tries to keep some information quiet, though it's still public record, like the brands of the systems it is using. Of course, there are an infinite number of places for leaks. One of those vendors, for example, has a case study about the work it has done for Alamance County on its website with Walker and Bobak's names in it.

"I feel really good about where we're at," Bobak said. "But if we got the attention of a talented, experienced hacker they could probably get in and out and we wouldn't even know it."

©2019 Times-News (Burlington, N.C.). Distributed by Tribune Content Agency, LLC.
