Webinar presenter Stacey Wright of the Center for Internet Security's MS-ISAC answered a number of your questions after her presentation, "Fall 2018 Cyberthreat Landscape Update." Here are a few of her responses.
Audience Question: Just to confirm, your MS-ISAC is only for government agencies; is there an ISAC for universities?
Stacey Wright: If you're a public university you can join MS-ISAC. We are a government agency but we consider that to be any public entity. If you are a private university or a public one, you can join the Research and Education Network-ISAC (REN-ISAC). They are available specifically to help those in the education field regardless of whether you're public or private.
Audience Question: So much of internet security means educating our end-users. What tips do you have for helping our end-users get on board with cybersecurity?
Stacey Wright: I think the biggest tip I have is really to explain how they have to be a part of the solution. With things like the single sign-on and the direct deposit compromises, they are directly impacted by cybersecurity. Helping folks understand that how they treat cybersecurity and treat the information they are handling really affects the organization overall seems to be the best technique to help them get on board, because you can draw a direct correlation from the work they're doing to incidents where things go horribly wrong. Just as a case in point, for example, you lose your paycheck. Their cybersecurity in protecting, watching for phishing emails, is what prevents them from falling for something like the direct deposit compromise. In other cases, I know there are lots of open examples with ransomware and 911 centers, major state or local government organizations, police departments, fire departments, getting impacted by ransomware. You can find a couple of those cases and show directly how one employee made that agency go down because that employee clicked on the ransomware email and opened it. So, to me, the real thing about getting employees on board is showing those case examples that help them understand the impact they have, so they become champions for you.
Audience Question: Are you seeing any trends among the types of agencies that are targeted? For example, the size of the agency, locale, mostly law enforcement type, so to speak?
Stacey Wright: Since we see two different types of infection, opportunistic and strategic, there are many trends. Opportunistic means that they spray and pray, infecting as many people as possible; that email might go to millions of end users. Those infections are just a matter of targeting everybody they can. The occasional strategic compromise might seem to be targeting local government a little more heavily right now. I just want to be specific: this is also for cybercriminals with financial motivation. So, if you are not the target of a cybercriminal, they are looking at something else; say, a strategic compromise from a hacktivist has to be specific to the incident, and something like nation-states might be a little bit more targeted towards the education and university sector. But there aren't major trends in this environment because most of the attacks are opportunistic in nature.
Audience Question: We know the agency executives might be targeted by cyber actors, like spear phishing, but what about others in an agency? Who else should be aware or concerned that they might become a specific target?
Stacey Wright: Right now, with the BEC, you certainly want to warn your Finance, HR, Legal, and Public Relations departments. Anybody whose email is on your website is likely to be a target, and in fact, the best practice is not to do that. Don't put your email addresses directly on the websites; create generic email accounts like 'info@' in your agency, so that nobody is specifically named on your website and becomes a target that way. Other people might be targeted based on their position because they're out in the public eye a lot, they're the folks talking to the public, or folks who might possibly have greater access. The one I used on this one is the administrative assistant. The administrative assistant has access to lots and lots of files and in some cases, they're even opening the email before the executive sees it. So, they can be a good target because they have access to all those decisional files and they're opening emails that they don't necessarily know to expect or not expect. So, it's sometimes a little bit easier to fool them into clicking on a link or opening that attachment or whatever. So, it's a really wide variety of who is potentially a target. I would tell you in most cases though, just train everyone in the agency. It's better to make sure you overtrain in this case than undertrain.