By Mark Lanterman
Each July, organizations are encouraged to remind employees and management about preparing for a particularly pernicious type of cyber threat. As part of Ransomware Awareness Month, many organizations take stock of their current defenses and reiterate to their teams that acting cautiously on the internet is not to be taken lightly. Unfortunately, July 2023 started with a large ransomware attack in Japan that clearly demonstrated how this type of threat can impact business operations. While not all the details have been made known as of this writing, Japan suffered a ransomware attack on its biggest port, delaying shipments. “Russia-based ransomware group Lockbit 3.0 was responsible for the hack,” according to Bloomberg News, which went on to note, “Ransomware attackers tend to target vulnerabilities in VPNs and remote desktop protocols.”1
In addition to providing data encryption and IP address masking, a virtual private network, or VPN, can give a user direct access to a system or network. Vulnerabilities in such a scenario may involve a VPN connection with improper access controls or misconfigurations. Remote desktop protocol allows users to grant remote access to their device. This ability could allow for successful social engineering attacks (for example, a cybercriminal posing as an IT person requesting control over a victim’s device and proceeding to install malicious software). Insecure devices and networks or poor cyber hygiene outside of the physical office can also help a cybercriminal gain access. To combat these problems, Mihoko Matsubara, NTT Corporation’s chief cybersecurity strategist, stated that updating and software patching is a critical part of business operations. Implementing a robust cybersecurity awareness program is equally essential in addressing the threat of ransomware, ideally including more than an annual training.
Ransomware and cyber threats more generally have always come with any number of interlacing risks—damage to how consumers view an organization that mishandled their personal information; financial losses brought about by mitigation efforts, lost business, or worse, paying a ransom to an attacker; legal ramifications following a failure to report. Now, these legal consequences are becoming even more personal for those most responsible for an organization’s cybersecurity and incident response.
This past May, Uber’s former chief security officer, Joseph Sullivan, was sentenced to a three-year term of probation and a $50,000 fine for his role in the 2016 Uber attack response.2 In that episode, a hacker was able to trick an employee into sharing their credentials, granting access to sensitive data.3 The investigation subsequently revealed that Sullivan kept information from the FTC during its investigation and that he actively paid the hackers for their silence. This coverup gave the hacking group more time to continue to attack and extort other companies, a fact that Sullivan knew.4 The verdict was much anticipated and the case itself was remarkable in that it represents a distinct shift in how accountability for cybersecurity is viewed. Chief information security officers (CISOs) are being held personally responsible for how cyber incidents are managed, and individuals are being called to task for their actions. In handing down the sentence, the Wall Street Journal noted, “District Judge William Orrick… said that because of Mr. Sullivan’s character, the unusual nature of the case and that it was the first of its kind, he had shown Mr. Sullivan leniency, but he said chief information security officers shouldn’t expect that in future cases.”5 In addition to the release of the new National Cybersecurity Strategy,6 it is clear that a more aggressive approach to cybersecurity failures is being implemented.
Similarly, “SolarWinds recently disclosed that the Securities and Exchange Commission notified top executives of pending legal action over the company’s landmark data breach—a step that some have described as unprecedented.”7 The notice stated that SolarWinds may have violated the law “with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.”8 While the outcome of the case remains to be seen, increased regulatory pressures are already beginning to take shape. Following appropriate reporting procedures is essential, and actions taken to cover up a cyber event are unethical and potentially illegal. Ransomware, zero-day vulnerabilities, social engineering, and supply chain risks are among some of the many issues that organizations should consider when evaluating the strength of their cybersecurity postures (including their education programs). It is also important to remember that while some measures, such as using a VPN, may give us peace of mind, no single security measure is foolproof.
Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.
Notes
1 https://www.bloomberg.com/news/articles/2023-07-05/ransomware-attack-cripples-japan-s-biggest-port-delaying-cargo
2 https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-sentenced-three-years-probation-covering-data
3 https://fortune.com/2022/10/06/uber-former-chief-security-officer-joseph-sullivan-convicted-cover-up-2016-data-breach-hackers-stole-millions-customer-records/#
4 https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach
5 https://www.wsj.com/articles/former-uber-security-chief-gets-probation-in-obstruction-case-87c7c0b9
6 https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/
7 https://www.washingtonpost.com/politics/2023/06/29/sec-notices-spark-alarm-cyber-executives/
8 https://www.reuters.com/legal/us-sec-considering-action-against-solarwinds-over-cyber-disclosures-2022-11-03/