Updating Your Security Capabilities, Policies and Protocols to Handle Teleworking Employees

Presented as part of ABA’s BISC & BusMARC 2021 Virtual Safety & Maintenance Series

The American Bus Association’s Bus Industry Safety Council (BISC) and Bus Maintenance Repair Council’s (BusMARC) 2021 Virtual Safety & Maintenance Series offered a sequence of educational webinars early this year, covering a variety of industry-related topics.


As part of their ongoing educational webinar series, the ABA hosted a virtual meeting with presenters Lee Allen, a Surface Division Cybersecurity Lead with the TSA’s Office of Security Policy & Industry Engagement/Surface Division, and Benjamin Gilbert, a cybersecurity advisor with the Cybersecurity and Infrastructure Security Agency (CISA).

Formed in 2018 as the newest federal agency under the Department of Homeland Security, CISA’s mission is simply, but broadly, to lead the national effort to understand and manage risk to the nation’s critical infrastructure. Because of this, CISA is often considered the nation’s risk advisor. The agency’s motto is “Defend Today and Secure Tomorrow.”

“When looking at today’s risk landscape, as the nation’s risk advisor at CISA, we can do more to advance the national risk management agenda than any other single place in the U.S. government right now,” Gilbert explained. “Particularly now, it is important to understand that for critical infrastructure – whether with transportation, financial services, law enforcement, healthcare providers, retail, or virtually any other industry – risk of cyber-attacks has increased. And that risk of cyber-attacks carries with it an increased risk of operational impacts as well.”

Methodology of a Cyber Attack

Our world today has forced many organizations, large and small, to move toward a remote working environment in order to maintain their operations. Moving toward a hybrid or remote-only operating environment adds new technology and complexity to the current operating environment. These newly added technologies increase the attack surface.

According to Gilbert, migrating to remote operations means organizations are becoming more reliant on technology for day-to-day operations. With that reliance, a widespread disruption of this technology means a potentially greater impact on operations.

“When you are looking at today’s threat landscape and understanding the different cybersecurity threats that are out there, it is important to understand that it’s no longer the ‘kid in the basement,’” Gilbert said. “It’s really more of a sophisticated team of cybersecurity experts and hackers that carry out a cyber-attack in a very methodical way.”

Gilbert explained that, regardless of what type of cyber-attack you might be dealing with, all attacks generally flow through a single methodology, almost always starting with external reconnaissance. 

“There are a variety of tools out there, including social networking sites, that are used to gather as much open-source intelligence and then build a profile of any given targeted organization,” Gilbert explained. “Once they gather enough information, they carry out their initial attack, their initial compromise. Roughly 90 percent of the time, that compromise comes through a phishing email. It is essentially a social engineering attack through digital means.”

Once the would-be victim, an employee in that organization, clicks on a malicious link or file and starts the initial compromise, the threat actor works to escalate permissions, establish a foothold, and maintain a presence on that workstation. From there, they pivot through the organization and begin conducting internal reconnaissance and network discovery, continuing until they have identified and understood the high-value assets in the organization’s operating environment.

Once they understand those high-value assets and have gathered enough information, they work to complete their mission – either through data exfiltration or a ransomware attack.

“It doesn’t matter whether it is a very sophisticated cyber-attack or just a quick and dirty cyber-attack,” Gilbert said. “The threat actors use the same methodology. It is also important to understand that these attacks can be, by and large, prevented just by carrying out very basic protective measures, or what we call ‘the essentials.’”

Protective Measures

You cannot protect what you do not know you have. According to Gilbert, IT security professionals in leadership should keep an inventory of all IT access – prioritizing access according to what is most critical to the organization’s operations.

“Deploy antivirus on servers and workstations,” Gilbert said. “Even that old computer in the corner that is collecting dust and is maybe turned on once per month. Threat actors seek out those systems because they can use that as a sort of command center to pivot throughout the network.”

Gilbert also recommends turning on logging for all network appliances, services, and servers; backing up data regularly using known, secure, well-tested, and accessible backup solutions; implementing strong patch management practices; implementing strong user management practices, including strong password policies; having a cyber incident response plan in place; implementing strong and innovative security awareness training; implementing a secure network architecture; and lastly, conducting internal audits and periodic cyber assessments – from strategic-based assessments, to risk-based assessments, to very technical and tactical-based cyber assessments.

“Cybersecurity is everybody’s business,” Gilbert said. “Everyone in the organization should be participating in cybersecurity awareness and training. Everyone should be aware of your digital footprint and know the end-user security features available to you. In today’s operating environment, we take our home with us to work, and we take our work with us back to home. Because of this we have to be prepared to protect ourselves and our organizations.”