Cautionary Tales for SMBs from Hacked Water System

by

As you probably read or heard last week, the small city of Oldsmar, Florida, population 13,500, narrowly escaped a disaster from a cyber attack.

A hacker manipulated the Lye ratio in the water system of the city near Tampa using the remote access tools the city’s water department deploys to remotely manage the chemicals that make the city’s water safe to drink.

The story doesn’t tell us as much about the vulnerability of our nation’s critical utilities, however, as it does about what can happen when municipalities and businesses cut corners on the technology they use.

Oldsmar turned out to be fortunate in this case.

First, the hacker chose to access the system during working hours in full view of on-site staff, who immediately alerted their superiors to the attempts to drastically change the lye content in the water. Had the hacker attempted to do this after hours, the problem might not have been caught until the next morning.

Second, the water plant still remotely accesses the system with Windows 7 32-bit computers a year after Microsoft retired that operating system and declared it unsafe, but that was the least of the plant’s security transgressions.

The computers used to access the plant’s treatment control system shared the same password for remote access. In addition, all appeared to be directly connected to the Internet without a firewall.

Budget concerns justifiably come into play with cyber security measures at small municipalities, just as they do for small businesses.

But using different passwords, changing them from time to time, installing a firewall, and implementing multi-factor authentication offer low-cost protection that any organization can afford.

Another cost-effective measure would be cyber security awareness training for employees and management.

For information on what a security awareness training program can do for your business, visit https://threatucation.com, call me at 302-537-4198, or email me at ericm@threatucation.com.

Security Awareness not Just for Employees

by

An article I read this morning on one of my security web sites reminded me of the need for small business executives to understand that when it comes to cyber security awareness, they are also employees — but with a twist — they hold the keys to the kingdom.

While a higher percentage of CEOs and business owners now recognize the threats small organizations face from hackers than they used to, it is likewise true that cyber criminals have recognized the value of attacking them directly because they have access to the most sensitive information a company handles.

The article I read pointed to a discovery by researchers at the security software developer Trend Micro that found that 45 percent of the phishing attacks they studied directly targeted the CEO’s email address rather than everyone in the organization (anecdotally, I have seen an increase in direct attacks on CEOs, as well).

Also known as “whaling” because the CEO is considered the big fish in a company, that’s almost as many attacks against the CEO as everyone else in those organizations combined. Managing Directors and Chief Financial Officers are also frequently targeted at 9.7% and 4.8%, respectively.

What makes this important is that I encounter executives who at times consider themselves to be almost immune to the attacks their employees face.

From the article, quoting Ryan Flores of Trend Micro, CEOs and other top executives sometimes view email security mechanisms or policies as “an inconvenience to them” and because of that, they behave like they are “an exception to the rule.”

I offer this blog less as an admonishment of SMB executives as a reminder that they, too, are as susceptible to Social Engineering attacks like phishing and whaling emails as their employees. Executives need to be even more vigilant, though, as these attacks increasingly focus on them specifically and the sensitive nature of what they know and have access to.

To create a culture of Cyber Security that starts from the top down in the hierarchy of your organization, contact me personally at ericm@threatucation.com or 302-537-4198 to discuss a Cyber Security Awareness Training program tailored to you and your employees.

Test Your Backups Regularly

by

Most businesses back up their data frequently. Some even back up to multiple locations in the event of a fire, hard drive failure, natural disaster, or theft.

But few realize the cyber security implications of TESTING your backups to ensure they work if you need to recover critical files or data after a Ransomware attack.

Backups fail anywhere between 5% to 25% of the time depending on the backup service used according to the research firm Gartner. Backups fail either in the backup process or in the recovery process.

If you have a Managed IT Services Provider, your backups should not only be monitored for failures but also tested regularly to ensure that files restore successfully when needed. The last thing you want is to end up in negotiations with the hackers after learning your backups won’t restore your files.

If testing your backups was not discussed when you signed up for an automated backup plan, or you simply don’t know if they are tested, ask your backup provider or backup software company if they are and if not, how to do this.

Backups should be tested on a regular schedule like this:

  • At least once a month, pick a random backup version date and restore a handful of files to see if they restore successfully (be careful not to restore over the current version of those files)
  • At least once a quarter, perform a deeper restore operation of numerous files from different backup dates, again being careful not to overwrite the current versions of your files
  • At least once a quarter, check all files in the most recent backup to be sure that you are backing up all files that you would need to restore
  • On a daily basis monitor your backups for failures. Any good backup software will let you know whether the backup succeeded or failed with an email or within the software itself
  • If you see errors at any stage of the backup or restore processes, resolve those issues or have your IT or backup service resolve them for you.

Keep in mind that if your data is critical to the operation of your business, you should perform the steps above more frequently to minimize the risk of partial or complete data loss when you need to restore from your backups.

For help implementing a backup testing program or an automated backup program if you don’t have one, call 302-537-4198 or email me personally at ericm@flexitechs.com.