This week ethical and unethical hackers and cyber security professionals from all over the world are gathered in Las Vegas for two of the largest cyber security conventions , DEFCON & Black Hat. DEFCON attracted nearly 15,000 people in 2014 and Black Hat attracts cybersecurity professionals from different industries. Attendees to both conferences have differing motives and come from various backgrounds and experience. The attendees represent government, commercial, and criminal entities.
As a cyber security professional, I am always looking for ways to improve the cybersecurity of my clients. Sometimes, it is just a good idea to take a step back and look at the forest as a whole and develop a general idea of how much cyber security is being addressed. I recently conducted a survey to determine just how many openly Internet accessible devices there are in the state of Delaware. I used an online service called Shodan and it revealed that there are nearly 1.2 million devices advertising services that are tagged as being in the state. This can be deceiving in that some organizations in the state use web service or Internet service providers (ISP) in other states. Despite that, it provides a decent snapshot of the general security of Internet connected devices. Let’s put the numbers retrieved from Shodan into perspective, the U.S. Census Bureau estimates that in 2014 there were over 935,000 that call Delaware home. That roughly equates to 1.3 devices publicly accessible on the Internet for every person in Delaware. That does not include the number of devices that are not advertising their services even though they are connected to the Internet.
Those that do not advertise their services are safer than those that do. Of those that are advertising their network services you will find schools (public & private schools, colleges & universities), hotel chains, car dealerships, places of worship, medical and dental treatment facilities, law offices, newspaper agencies, etc. The services open to the world included printer and file systems. The file systems exposed employee names, projects and sensitive documents. such as financial information. Without actually entering their system, I was able to observe the filenames and folders that data was stored in. This enabled me to determine the business’ name and with a simple Google search I learned that this particular business was owned by a politician. Just think about the ramifications if a hacker with criminal intent had found that open system. Fortunately for them, as a professional I reached out to the business and they were able to close the hole to the Internet by which their data could have leaked.
In another example an industrial facility, which I was not able to contact, exposed similar information, but had internal machinery exposed to the Internet as well. It would not have been too difficult to modify the machinery processes by stopping the equipment or preventing it from stopping. That very scenario played out late last year at a German steel mill in which a blast furnace was damaged.
During my survey, I literally found a gas station where I could have changed (if I was a bad guy) the quantity of gasoline in the storage tanks. Just think about it, I could have said the tanks are full and a new supply may have not been delivered and could have led to the station running out of gas. Worse yet, I could have reported the tanks near empty which would lead to them potentially being overfilled. Admittedly, I don’t know if there are any safe guards in place to prevent an overflow situation, but if those failed, the service station could be looking at paying for the clean-up.
I saw a number of servers connected to the Internet that would be easy prey for cyber attackers. The information on the server maybe worthless, but to the attacker it can be a way of disguising an attack on larger and more lucrative target. Reminds me of how children say it wasn’t me.
These examples represent how small businesses can potentially become a target for cyber attackers. Hackers with criminal intent may look at the advertised network services as a potential entry method to get into the business’ network. This can result in the installation of malware or ransomware which can lead to devastating affects to your data and that of others businesses you connect with.
The most alarming part of the survey was quite a few critical infrastructure related organizations are open to the Internet. This includes water companies, fire and EMS organizations, and electricity providers. Of the organizations found, some are subject to compliance reporting due to the data they process or infrastructure they control, yet were found to be open and easily identifiable. After all the news about BlackEnergy2 and breaches of OPM, Anthem, UCLA Health System and others, basic cyber security is still not being adequately addressed.
Large corporations typically have teams addressing cyber security. Mid-sized and large small businesses may have assigned staff or dual hat their IT staff with some of the functions. However it is the truly small business (less than 150 employees) that represents the greatest cyber risk. This includes everything from the small mom and pop corner store to the businesses that provide mechanical or financial services. They typically don’t have an IT staff or they contract it out to a managed service provider. There are well documented examples where businesses thought they had cyber security addressed but in fact were not prepared at all. Those businesses have the ability to bring corporations to their knees as they spend millions to fix the damage.
The lack of preparation has its costs. The cost of a breach continues to rise. The cost is dependant upon the information lost as indicated by the IBM sponsored 2015 Cost of Data Breach Study: Global Analysis by Ponemon Institute, LLC. In the study, the average cost per stolen record runs about $154, with healthcare related data costing as much as $363 per record. The cost per record is driven direct and indirect costs. The direct costs associated include notification (which is required in Delaware), investigation, and remediation of the breach. Indirect costs have the most substantial effect as it takes into account the potential loss of customers once a breach is made public, often by an external entity. Cyber insurance MAY help absorb the cost of a breach, but recently, insurance companies have started to decline payment if a business fails to implement any sort of cyber policy or practices.
In the end, it comes down to businesses of all sizes and in all industries in the First State to address cyber security. Failure to do so can leave us with small businesses that drive the economy failing by not being able to recover from a breach.