Cybersecurity | Protecting and defending the use of cyberspace from cyber attacks

Dragonfly aka Energetic Bear, a Russian-based hacker group that was first detected operating in 2011, started by targeting defense and aviation companies in the U.S. and Canada. PICTURE: Engadget

Last Thursday (21/09) I was fortunate to be invited to present and be a panel member at Digicel’s Cybersecurity Symposium at GPH. The chief guest was the Minister for Home Affairs and so that set a good platform for the day.

Events like these are useful not only for information dissemination, but for networking with colleagues in the field – it is after all not that big and we all need collaboration in this area of cybersecurity.

Cyberspace is defined as the (virtual) area where computer networks, the Web, social media and other information and communications technologies (ICT) exist and function together.

Originally coined by the sci-fi (science fiction) writer William Gibson in 1984, cyberspace has been defined by the US National Institute of Standards and Technology (NIST) as a ‘global domain within the information environment consisting of the interdependent network of information systems infrastructure including the Internet, telecommunications networks, computer systems, and embedded processors and controllers’ (Kissel, 2013: 58).

A simpler definition is given by Bruce Sterling in The Hacker Crackdown (1992): “Cyberspace is the ‘place’ where a telephone conversation appears to occur. Not inside your actual phone … not inside the other person’s phone, in some other city. The place between phones.”

NIST describes cybersecurity as: “The ability to protect or defend the use of cyberspace from cyber attacks” (Kissel, 2013: 58). The concept of cybersecurity is much larger than just IT security because it involves actors, both malicious and protective, policies and procedures, changing laws and trade agreements, and pseudo-social implications.

The cybersecurity strategy of the European Union (European Commission High Representative, 2012) puts it this way: “Cyber-security strives to preserve the availability and integrity of the networks and infrastructure and the confidentiality of the information …”

Dragonfly, aka Energetic Bear, a Russia-based hacker group first detected operating in 2011, started by targeting defence and aviation companies in the US and Canada. In 2013 the group moved its focus to US and European energy companies.

In 2014 Dragonfly was found to have gained entry to its victims’ networks through three methods:

1. Spear (targeted) phishing emails delivering malware;

2. Watering hole attacks: legitimate energy industry-related websites were compromised so that visitors were redirected to another compromised legitimate site hosting an exploit kit;

3. Trojanising legitimate software packages from at least three different ICS (industrial control systems) equipment providers, so that customers who downloaded the vendor’s software installed the malware along with it.

Dragonfly’s main motive currently appears to be cyber-espionage, i.e. intelligence gathering against energy companies, with the possibility of sabotaging the compromised energy control systems in the future, during a crisis or war.

This places it alongside other attacks on critical infrastructure such as Stuxnet (Iran, 2010) and Shamoon (Saudi Arabia, 2012), with the difference that those two were openly destructive (sabotaging centrifuges and wiping disks respectively) whereas Dragonfly has so far stopped at reconnaissance.

The intelligence-gathering objective is further supported by the screen captures the malware takes on compromised machines, which are forwarded to servers on the Internet outside the victim’s network.

In this scenario, the threat is a group code-named Dragonfly, found to be attacking energy companies in the US and Europe.

The coordinated attacks, carried out over the past six years with a twelve-month hibernation period in between, are the work of a very skilled group with a wide range of malware tools, some bought on black markets via the darknet and the rest custom built.

The spear-phishing campaign targeted executives of energy companies with emails whose content was very specific to the energy sector and to general corporate business concerns; one wave, sent in December 2015, even carried invitations to New Year’s Eve parties.

Once the attachment was opened, the victim’s network credentials were captured and sent to an external server controlled by the attackers.

As well as malicious emails, the attackers used watering hole attacks to acquire network credentials, compromising websites likely to be visited by people working in the energy sector.

As mentioned earlier, the attacks appear to be intelligence gathering aimed at building a sabotage capability, probably leaving backdoor access in place for later use; such access could be used to disrupt or take over industrial control systems.

Important passwords, particularly those for privileged accounts, should follow current security guidelines. The traditional rule of a minimum of eight characters with a mix of alphanumeric characters is the floor, not the target: current NIST guidance (SP 800-63B, 2017) favours longer passphrases, screening candidates against lists of known-breached and commonly used passwords, and accepting any printable character, over forced composition rules and periodic expiry. Privileged accounts should additionally be protected with multi-factor authentication.
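As an added example (not code from the original column), the following Python screens a candidate password the way NIST SP 800-63B recommends: a minimum length, a generous maximum, a check against a blocklist of breached or common passwords (after folding substitutions such as “P@ssw0rd”), rejection of context-specific words such as the company or login name, and rejection of long repeated or sequential runs. The BLOCKLIST and the context words “acme” and “jdoe” are constructed stand-ins; a real deployment would check against a corpus of millions of breached passwords.

```python
"""Screening a chosen password against a modern (NIST SP 800-63B style) policy.

Added example, not code from the original column. The BLOCKLIST is a tiny
constructed sample standing in for a real breached-password corpus, and the
context words used in the demo are constructed too.
"""
import re
import unicodedata

MIN_LENGTH = 8    # 800-63B minimum for user-chosen memorised secrets
MAX_LENGTH = 64   # verifiers should accept at least this many characters

# Constructed stand-in for a breached/common-password corpus.
BLOCKLIST = {
    "password", "password1", "letmein", "qwerty", "123456",
    "summer2017", "welcome1", "admin123",
}

# Fold common substitutions so "P@ssw0rd" is recognised as "password".
_LEET = str.maketrans("@0$13!", "aosiei")


def normalise(pw: str) -> str:
    """NFKC-normalise so visually identical Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", pw)


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` or more strictly ascending or descending
    consecutive characters, e.g. 'abcd' or '4321'."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw: str, context_words=()) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    context_words are values an attacker would try first for this account
    (username, organisation name, product names); matching is done on the
    lower-cased, leet-folded password.
    """
    pw = normalise(pw)
    folded = pw.lower().translate(_LEET)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in BLOCKLIST or folded in BLOCKLIST:
        problems.append("appears in the blocklist of breached/common passwords")
    for word in context_words:
        if len(word) >= 3 and word.lower() in folded:
            problems.append(f"contains context-specific word '{word}'")
    if has_repeated_run(pw):
        problems.append("contains a run of 4+ repeated characters")
    if has_sequential_run(pw):
        problems.append("contains a run of 4+ sequential characters")
    return problems


if __name__ == "__main__":
    # Constructed demo inputs; "acme" and "jdoe" stand for a company and a login name.
    for candidate in ["P@ssw0rd", "abcd1234", "Acme-Energy-2017!",
                      "correct horse battery staple"]:
        verdict = check_password(candidate, context_words=("acme", "jdoe"))
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that “P@ssw0rd” satisfies the old eight-character, mixed-character rule and still fails, because it is a trivially folded dictionary word; the 28-character passphrase passes with no composition rule at all.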

Users should not reuse the same password on different sites, and should never share passwords. Some factors to consider:

• Emphasise multiple layers of defence so that no single technology or protection method becomes a single point of failure: regularly updated firewalls, intrusion detection and prevention systems (IDS/IPS) at the gateways, website vulnerability and malware protection, and web security gateways throughout the network.

• Implement and enforce a security policy under which all sensitive data is encrypted, including data belonging to customers. If information is then stolen, the attacker must still expend effort to make it usable, and by that time the data may have changed or otherwise been rendered useless. Note that encryption at rest does not help when the attacker has stolen the credentials of a user who is entitled to decrypt the data, which is exactly what the Dragonfly phishing aimed at; it complements, rather than replaces, protecting credentials.

• Educate employees on the dangers posed by phishing emails, including exercising caution with emails from unfamiliar sources and with unsolicited attachments. Employees should be made fully aware of the risks and the impact malware poses to the organisation.

Strict penalties should also be put in place for those who do not follow procedures and allow security breaches through negligence.

A well-thought-out and well-written cybersecurity policy must address all three key components: confidentiality, integrity and availability.

It is implemented through a planned cybersecurity policy framework and should form a holistic part of a National Security Strategy.

The cybersecurity policy framework for critical infrastructure is useful for identifying all the critical components that must be implemented in the procedures.

The cybersecurity framework must:

• Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.

• Provide a prioritised, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess and manage cyber risk.

• Identify areas for improvement to be addressed through future collaboration.

• Be consistent with international standards.

A critical component of this is risk assessment and risk management, in particular costing the impact of an incident or breach in terms of direct damages as well as opportunity cost, reputation cost and financial cost.

The main components of risk management are:

• Risk Identification;

• Risk Assessment and Cost;

• Risk Prioritisation.

This can be shown diagrammatically for an organisation: executives cost and prioritise the risks before allocating budgets and other resources.
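The three steps above, identification, assessment and cost, and prioritisation, followed by the executives’ budget decision, can be worked through in code. The following Python is an added example, not code or figures from the original column. It models the “cost” step as annualised loss expectancy (ALE, the cost of one incident multiplied by how often it is expected per year), a standard quantitative method the column does not itself name, and then funds candidate controls in order of net annual benefit. The risk register, control costs and effectiveness estimates are all constructed for illustration and the currency unit is arbitrary.

```python
"""Costing and prioritising risks before allocating a security budget.

Added example, not code or figures from the original column. 'Cost' is
modelled as annualised loss expectancy (ALE = single-loss expectancy x annual
rate of occurrence); every figure below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    aro: float               # annual rate of occurrence (expected incidents/year)
    damages: float           # direct damage and recovery cost per incident
    opportunity_cost: float  # business lost while systems are unavailable
    reputation_cost: float   # customer churn, regulatory attention
    financial_cost: float    # fines, fraud losses, legal fees

    @property
    def sle(self) -> float:
        """Single-loss expectancy: total cost of one incident."""
        return (self.damages + self.opportunity_cost
                + self.reputation_cost + self.financial_cost)

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: what this risk costs per year on average."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    treats: str              # name of the Risk this control reduces
    annual_cost: float
    aro_reduction: float     # fraction of the risk's ARO removed, 0.0..1.0

    def annual_benefit(self, risks: dict) -> float:
        return risks[self.treats].ale * self.aro_reduction

    def net_benefit(self, risks: dict) -> float:
        return self.annual_benefit(risks) - self.annual_cost


# Step 1, risk identification: a constructed register for an energy utility.
REGISTER = [
    Risk("Spear-phishing credential theft", 2.0,  20_000,    30_000,    40_000,  10_000),
    Risk("Trojanised ICS vendor software",  0.1, 500_000, 1_000_000, 1_500_000, 500_000),
    Risk("Ransomware on billing systems",   0.5, 100_000,   200_000,   100_000,  50_000),
    Risk("Lost laptop with customer data",  1.0,   5_000,         0,    20_000,  25_000),
]
RISKS_BY_NAME = {r.name: r for r in REGISTER}

# Candidate controls with constructed costs and effectiveness estimates.
CONTROLS = [
    Control("MFA for remote and privileged access", "Spear-phishing credential theft",  40_000, 0.7),
    Control("Verify and stage vendor installers",   "Trojanised ICS vendor software",   60_000, 0.6),
    Control("Offline backups with tested restores", "Ransomware on billing systems",    80_000, 0.5),
    Control("Full-disk encryption on laptops",      "Lost laptop with customer data",   15_000, 0.9),
    Control("Cyber insurance rider",                "Ransomware on billing systems",   120_000, 0.2),
]


def prioritise_risks(risks) -> list:
    """Step 3, prioritisation: largest annualised loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def allocate_budget(controls, risks: dict, budget: float):
    """Fund controls in order of net annual benefit until the budget is spent.

    A control whose benefit does not cover its own cost is never funded;
    one that is too expensive for the remaining budget is skipped so that
    cheaper, still-positive controls further down the list can be funded.
    """
    ranked = sorted(controls, key=lambda c: c.net_benefit(risks), reverse=True)
    funded, remaining = [], budget
    for control in ranked:
        if control.net_benefit(risks) <= 0:
            break
        if control.annual_cost <= remaining:
            funded.append(control.name)
            remaining -= control.annual_cost
    return funded, remaining


if __name__ == "__main__":
    print(f"{'Risk':34} {'SLE':>10} {'ARO':>5} {'ALE':>10}")
    for r in prioritise_risks(REGISTER):
        print(f"{r.name:34} {r.sle:>10,.0f} {r.aro:>5.1f} {r.ale:>10,.0f}")
    funded, left = allocate_budget(CONTROLS, RISKS_BY_NAME, budget=150_000)
    print("\nFunded within 150,000:", funded, "| unallocated:", f"{left:,.0f}")
```

Two things the arithmetic makes visible that a list of risks does not: the rare trojanised-installer scenario outranks the frequent phishing because its single-incident cost is so high, and the insurance rider is never funded because its premium exceeds the loss it would avert. The same structure accepts a real register in place of the constructed one.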

The fact that a national cybersecurity policy in Fiji does not exist at the moment leaves critical infrastructure companies and government at risk.

Cyberspace, the Internet and mobile smart phones are changing the way we do business, trade, travel, shop, school and play.

In fact, almost everything done in the modern world is conducted via electronic means in some shape or form.

Use of cash is on the decrease, much as the barter system was phased out once currency became established as a stable medium of exchange.

Critical infrastructure systems that were once isolated are now being upgraded and connected to corporate networks and the Internet.

The advantages are many, but there is a real disadvantage: exposure to cyber attacks that could not previously reach those systems.

Cybersecurity policy is now mandatory as it must be addressed as a holistic part of a national security policy.

Cyberspace has now added a new dimension to protect in the national interest – in addition to land, sea, air and (outer) space.

It is only natural to demand protection of confidentiality, integrity and availability of the information while still protecting the privacy of individuals.

The privacy of individuals is already protected under existing privacy laws and in many democratic countries, their constitutions, but cybersecurity laws are still lagging behind.

As always God bless you all and your families and stay safe in both digital and physical worlds.

• ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and are not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
