Continuous Cyber Risk Management in Focus

As the global elite gathered in early 2023 at Davos, the World Economic Forum released its Cybersecurity Outlook 2023 report. The report’s main theme emphasizes how geopolitical stability exacerbates the risk of catastrophic cyber-attacks. These are the kinds of attacks (often low-frequency, yet high-impact in nature) that are the focal point of Axio’s continuous cyber risk methodology. Continuous cyber risk management emphasizes how the threat of cyber-attacks is constantly evolving. We have all seen how new vulnerabilities and attack methods are constantly being discovered, and attackers are becoming more sophisticated. To effectively protect against these threats, organizations must continuously assess their risk and take more advanced steps to mitigate it. This includes regularly reviewing and updating security policies, implementing security controls, using cyber risk quantification, and monitoring for potential attacks. Once implemented, continuous risk management helps organizations comply with regulations and industry standards and to protect sensitive information.

Even though 2023 has just begun, the weeks leading up to the Davos summit have been notable. We have already seen some high-impact disruptions due to digital events, such as interrupted mail delivery, grounded flights, and the loss of electricity to thousands of customers. Even though not all these events can be immediately credited to cybercriminal activity, they justify the need for continuous cyber risk management in these times of geopolitical tensions and economic uncertainty. All the scenarios can be realized through attack vectors such as DDoS attacks, ransomware, supply-chain attacks, data breaches, and the manipulation or disruption of industrial control systems. Below, we summarize several recent events in the news. Some are credited to cybercriminals, and others are not, but all should be top of mind for cybersecurity professionals.

Royal Mail: Suspension of International Mail Delivery due to Ransomware Attack

On January 13, 2023, Royal Mail disclosed that they suffered a cyber incident that forced them to halt international shipping services. The attack was confirmed to be caused by ransomware from the LockBit operation (or at least someone using their encryptors), encrypting devices used for international shipping and causing ransom notes to be printed on printers used for customs dockets.

The unfortunate reality is many organizations are still not prepared for a ransomware attack like this. Our latest 2022 research study, 2022 State of Ransomware Preparedness Report, provides real-world data to assess how organizations are fighting the cybersecurity scourge of our generation, and we uncovered some disturbing data points. Our research findings show many organizations have still not gotten the fundamentals right— and are not practicing basic cyber hygiene. This is concerning as attackers are very prepared adversaries, eager to exploit these weaknesses and ready to strike with great tools at their disposal.

Axio’s senior cybersecurity Advisor, Richard Caralli, notes, “The practices and controls that seemingly are the easiest to do in an organization are still the things that organizations struggle with the most—whether it is ensuring critical vulnerabilities are patched within 24 hours or ensuring continuous security of high-value privileged accounts. Only 24% of organizations report to be patching systems within a day —a scary figure considering the continued digitization of the modern company.”

Caralli was recently featured on the Cyberwire Daily podcast discussing our research.

Federal Aviation Administration: All Flights Grounded

The computer failure that prompted a halt of all US flight departures on January 11, 2023, was caused when a data file was damaged as a result of a failure to follow government procedures, the Federal Aviation Administration said in a press release. Unspecified “personnel” were responsible for corrupting the file, which led to the outage of an FAA computer system that sends safety notices to pilots, the agency said in a statement. The FAA was forced to halt all US departing flights, causing thousands of delays and cancellations Wednesday. Even though there was no evidence of a cyber-attack, it’s important to think about the interdependencies of critical systems used by third parties to ensure they are protected with the necessary policies and controls. This is an ongoing effort since organizations such as FAA rely on third-party vendors to guarantee service.

Multiple US Power Stations Damaged in String of Attacks

Vandals broke into and damaged four power stations in Pierce County, Wash. leaving thousands in the dark for multiple days in late December, which seems to be a growing trend replicated on the East Coast as well. Three North Carolina power stations belonging to Duke Energy were targeted by gunfire since late December, with the latest one in mid-January 2023. Axio’s extensive work in the utility sector often considers physical attack vectors when performing cyber risk assessment workshops and risk quantification exercises. Continuous cyber risk management emphasizes the interdependencies of both IT and OT, making sure you get a bird’s eye view of all your technology and physical dependencies. Concerns about physical protection can alter cyber architecture and vice versa. Implementing risk mitigation strategies for cyber-attacks will often result in strengthened control over physical attacks. The end goal is always to do everything possible to ensure business operations remain uninterrupted. In the case of a breach, proper mitigation strategies can greatly reduce financial and physical exposure.

Hacker Group Claims it can Deploy Ransomware on an RTU (Remote Terminal Unit)

In a Twitter message on January 11, 2023, the hacker group GhostSec, an affiliate of Anonymous Operations, claimed it conducted a first-ever ransomware attack against an RTU (remote terminal unit), which is a small device deployed across industrial control system environments. If this claim is true, it reiterates our thesis on how increasing cybercriminal sophistication requires continuous cyber risk management. This type of ransomware can directly disrupt the operation of critical infrastructure. In the tweet, the hacking group, which is pro-Ukrainian, provides a scenario of hacking Russian trains directly.

#GhostSec claims to have conducted the first ever #ransomwwre attack against an RTU – remote terminal unit used in ICS environments.@uuallan @RobertMLee#cybersecurity #infosecurity #infosec #cyber pic.twitter.com/ks3MNyeVEJ

— CyberKnow (@Cyberknow20) January 11, 2023

LastPass Breached: Cybercriminals Access User Crown Jewels

In December of 2022, password management company LastPass suffered a data breach in which a threat actor stole customer data, including encrypted website login info, unencrypted website URLs, and personal information.

The breach was disclosed via a December update to a blog post disclosing a separate-but-related breach that occurred in August. According to the company, a threat actor used stolen technical data from the previous breach to target a LastPass employee and steal encryption keys. The keys included dual storage container decryption keys and a cloud storage access key, which were used to steal customer information from backups. LastPass suffered from great reputational damage, as it has long been relied upon by security professionals as a place to keep their digital crown jewels. Looming class-action lawsuits by the password manager’s users will most likely test if LastPass’s leadership implemented a continuous cyber risk management methodology as part of their overall business strategy and determine to what extent they are liable for this incident. Considering the lapse in time between the two breaches, questions may be raised to determine if the organization did everything it could to protect its users and learn from past oversights and/or cybersecurity deficiencies.

FBI Shuts Down Hive Ransomware Group

In recent developments, it was announced on January 26th that the FBI had shut down a major ransomware operation accused of extorting more than $100 million from its victims. Known as the Hive ransomware group, the cybercriminals successfully disrupted medical services in the United States and abroad. One of their most publicized victims was the country of Costa Rica. In their June 2022 attack, the gang took Costa Rica’s entire public health service offline. FBI’s announcement is a great win for the cybersecurity community, yet the unfortunate reality is new threat actors will take their place, continuing to focus on the most vulnerable sectors of society.

Events in the news can serve as textbook scenarios of low-frequency, high-impact incidents that can severely disrupt the delivery of essential goods and services. These scenarios, however, are important to understand as they give a bird’s eye view of your business operations. Cyber risk quantification enables you to prioritize what matters and maintain optimal controls without being overburdened by the need to defend and protect everything. You can save precious organizational resources by focusing on the high-impact consequences that can cripple your business.

Tools and Techniques for Continuous Cyber Risk Management

Cybersecurity is a continuous endeavor and requires a risk-centric approach. As the risk of catastrophic cyber-attacks increases, it’s critical to ensure you build your cybersecurity program around consistent and measurable improvement. A continuous cyber risk management program:

• Avoids the use of disconnected spreadsheets to perform risk assessments but uses a platform that enables collaboration with the entire team.
• Can visualize cybersecurity improvement goals and deadlines in one place with the ability to reference them back to performed risk assessments and cybersecurity maturity measurement.
• Prioritize investment decisions based on the risks that affect business operations.

To get started on your continuous cyber risk management journey, check out our free, single-user Ransomware Preparedness Assessment here.