
Malicious and Non-Malicious Cyber Incidents: Education and Preparation

The presale event for Taylor Swift’s Eras tour crashed Ticketmaster’s service in 2022. The incident caused an outcry that even reached the U.S. Senate, which branded the ticket service a “monopolistic antihero.” Ticketmaster had fallen victim to a denial-of-service attack, which is one of the six types of incidents outlined in the November 2023 report Planning Considerations for Cyber Incidents: Guidance for Emergency Managers by the Cybersecurity and Infrastructure Security Agency (CISA). Planning for these types of incidents is no longer the purview of only the information technology (IT) department or limited to one area of an organization. To remain secure in today’s complex, fast-paced technological environment, everyone in the organization, from the leadership to line personnel, needs an understanding of the importance of cybersecurity – the related risks and the organization’s protocols and procedures. Without that knowledge, it is difficult for employees to properly prepare for and support the organization’s success and missions. This article seeks to educate those working in the preparedness field on the different types of incidents and provide basic steps to plan for them and mitigate potential damages.

Human Error

On July 19, 2024, a faulty software update by the cybersecurity vendor CrowdStrike caused possibly the largest IT outage in history, impacting millions of Windows systems worldwide. The outage is believed to have caused more than $5 billion in direct damages, with healthcare ($1.94 billion) and banking ($1.15 billion) taking the largest hits, and airlines ($860 million) coming in third. In October 2022, Binance, the world’s largest cryptocurrency exchange, reported a loss of $570 million from a bug in its asset transfer software code. According to Binance’s chief executive, Changpeng Zhao, “Software code is never bug-free.”

Although hackers may be the first assumption after a cyber incident, the reality is that between 74% and 88% of cyber incidents have a human error component: misconfiguration of updates, failure to apply patches to known vulnerabilities, or phishing emails with malware. Phishing is a social engineering technique where an attacker poses as a trusted source through email to acquire users’ sensitive data, such as banking or medical information. According to the FBI’s Internet Computer Crime Center (IC3), phishing was responsible for almost 300,000 complaints in 2023, resulting in almost $19 million in damages to individuals. One of the largest loss categories is business email compromise, by which attackers attempt to use social engineering techniques to acquire business data or money using company email. These might include a request from the chief executive officer to send an updated contract quickly, an email from the chief financial officer to send copies of W-2s for review, or other related scams.

With the human error factor being such a large portion of cyber incidents, one of the most important and fundamental prevention techniques is education:

  • All personnel should learn about risks and prevention methods. There are free resources, including offerings from CISA and the United Kingdom’s National Cyber Security Centre (NCSC), and free and low-cost options curated by the National Institute of Standards and Technology (NIST).
  • Policies should include actionable information and detailed procedures, not vague guidelines like “Do not click on phishing emails.”
  • Personnel should be informed of steps to take if they click on a malicious link or make a security error.
  • There should be protocols to manage those situations, and employees should be encouraged to report potential issues. A delay could result in catastrophe.
  • Unsolicited requests or emails should not be opened. If an email is questionable, users should contact their supervisor or the IT department, or contact the named sender through that person’s official phone number or email address rather than the contact information listed in the email.
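The business email compromise patterns described above (an executive’s name on a message from an outside address, a Reply-To that diverts the conversation elsewhere, pressure to send contracts or W-2s quickly) can be screened for automatically before a person ever has to decide. The following is an added example, not code from the article or from any vendor it names; the organization domain, the executive directory, the cue words and the three messages are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Assumed organization domain and a hypothetical executive directory (constructed for this example).
OFFICIAL_DOMAIN = "example.org"
EXECUTIVE_DIRECTORY = {
    "jane doe": "jane.doe@example.org",   # hypothetical chief executive officer
    "sam lee": "sam.lee@example.org",     # hypothetical chief financial officer
}
# Subject-line cues matching the scams the article describes (constructed heuristic list).
URGENCY_CUES = ("urgent", "quickly", "w-2", "wire")

# Constructed sample messages; none of these addresses or people are real.
SAMPLE_MESSAGES = [
    # 1: the CEO's display name, but sent from an outside webmail domain
    "From: Jane Doe <jane.doe.ceo@webmail-example.net>\n"
    "To: ap@example.org\nSubject: Updated contract - urgent\n\nPlease wire today.",
    # 2: From looks official, but Reply-To would carry the conversation off-site
    "From: Jane Doe <jane.doe@example.org>\nReply-To: jd.private@webmail-example.net\n"
    "To: hr@example.org\nSubject: W-2 copies\n\nSend me the W-2s for review.",
    # 3: ordinary internal mail with nothing suspicious
    "From: Jane Doe <jane.doe@example.org>\nTo: staff@example.org\nSubject: Lunch\n\nLunch at noon.",
]


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return human-readable warning signs found in one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    findings = []

    # 1. An executive's name on a message whose address is not the one in the directory.
    expected = EXECUTIVE_DIRECTORY.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(
            f"display name '{display_name}' matches an executive but sender is {from_addr} "
            f"(directory lists {expected})"
        )

    # 2. Replies would go somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(
            f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}"
        )

    # 3. Pressure to act fast or to hand over payroll or payment data.
    subject = msg.get("Subject", "").lower()
    cues = [c for c in URGENCY_CUES if c in subject]
    if cues:
        findings.append(f"subject contains pressure/payroll cue(s): {', '.join(cues)}")
    return findings


def triage(raw_message: str) -> str:
    """Summarize the action the recipient should take, following the article's guidance."""
    if not bec_indicators(raw_message):
        return "no indicators"
    return "verify with the named sender by official phone or e-mail, not via this message"


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_MESSAGES, 1):
        print(f"message {i}: {triage(raw)}")
        for finding in bec_indicators(raw):
            print(f"  - {finding}")
```

The checks are deliberately coarse: a message that trips any of them is routed to out-of-band verification rather than blocked, which matches the article’s advice that the named sender be reached on an official channel. Mail filtering products implement far richer versions of the same idea; the point here is that the signals are mechanical and do not depend on the recipient noticing them.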

Structural Failures

In 2016, the failure of a single router at Love Field in Dallas caused the grounding of the Southwest fleet for approximately an hour. The critical failure resulted from a then-unknown data chokepoint at the airline’s data center. When the router failed, it led to cascading issues. Although the airline had backup procedures, the unique failure did not trigger the standard procedures for another system to pick up and resolve the issue, leading to catastrophic results. Over 2,000 flights were canceled over the following days as the company investigated the issue, affecting hundreds of thousands of customers and costing an estimated $54 million.

Structural failure is a design flaw in hardware, software, or environmental controls that can cause an outage when the system fails. With the interconnected nature of these systems, it is crucial that managers are aware of their system infrastructure, potential risks, and operational requirements. First, without a clear understanding of the infrastructure and nature of systems used by an organization, it is impossible to develop a plan to protect and manage risk. Consideration should be given to current operations, planned changes to infrastructure (e.g., whether the agency is moving to cloud-based systems or changing communication platforms), and contingencies that activate in emergencies or mutual aid environments. Once the inventory is established, plans should address replacing hardware (based on service life and operational considerations) and developing redundancy for system failures or outages.

Natural Disasters

When Hurricane Sandy hit New York in 2013, Datagram went offline and caused one of the most publicized data center outages. As a preventive measure, the utility company (ConEd) proactively shut off the power at 7 p.m. to preserve company and customer equipment during the storm. On the 25th floor of a building in Lower Manhattan, the data center switched to backup generator power and continued operations. Four hours later, the center went dark. Staff at the data center were not aware of the flooding in the basement, where the generator and pumping equipment were located. The center was offline for four days while another generator was placed and started operating, with a daily fuel bill of $10,000. While changes have been made in the intervening years, agencies should revisit preparedness strategies and consider items like the locations of backup generators, server rooms, and associated equipment.

According to the National Oceanic and Atmospheric Administration, the Mississippi River reaching historically low levels in 2023 was the United States’ 25th disaster that cost more than $1 billion in a single year. The increasing frequency of major disasters and severe weather across the country necessitates additional focus on the potential impacts of weather events on cyber infrastructure. As an agency creates disaster plans, each potential emergency should include an index for effects on systems and mitigation plans to maintain operational effectiveness. Creating these indexes alongside the other plans allows the team to evaluate needs and expectations during each potential contingency. It is also important to collaborate across departments, backup data in multiple locations (including the cloud, if possible), and rehearse plans and remediation efforts for cyber infrastructure.

Malicious Incidents

Denial of Service

A denial of service occurs when an attacker overloads a host or network with traffic until the target crashes or cannot respond. This prevents legitimate users from using the affected service, which may be a website, customer accounts, email, or other internet-based service. This malicious activity mimics events that occur when excessive legitimate traffic overwhelms a service.

These malicious actors seek to disrupt the service using compromised computers and connected devices, collectively referred to as the rapidly expanding Internet of Things. Of the estimated 17 billion connected devices worldwide in 2022, most were not designed or built with security in mind. Bad actors can weaponize easy-to-hack computers and devices as drones for a denial-of-service or distributed denial-of-service attack. These attacks are carried out with various motivations: some actors seek to send a message or express discontent, while others aim to financially harm a company or steal its business, extort money, or inject malware into a system.

Organizations can take actions before, during, and after these attacks to protect themselves or mitigate damage. Before the attack, organizations should review their systems and reduce the attack area to the extent possible, plan for expected scale, understand the differences between normal and abnormal traffic, plan mitigation options and response plans, and ensure having adequate firewalls for advanced attacks. During an attack, organizations can verify the attack and nature of the threat, deploy countermeasures and mitigations, and monitor other network assets to ensure the attack is not a decoy for another threat. After the attack, organizations should continue to monitor network resources, update the response plan to improve future responses, and report the incident and outcome.
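The “before” step above, understanding the difference between normal and abnormal traffic, is what makes the “during” step (verifying the attack) possible. The following added example, which is not code from the article or from CISA, learns a baseline from a quiet period of web-server access logs and then flags both a volumetric spike and the individual sources driving it. The log lines are constructed inline (documentation-range addresses, a made-up timestamp), and the thresholds are assumptions to be tuned against a real baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Common Log Format: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log(flood: bool) -> list[str]:
    """Constructed access-log lines: five regular clients for 30 s; optionally a flood
    from three sources during the last 10 s. Addresses are from documentation ranges."""
    start = datetime(2024, 7, 19, 10, 0, 0, tzinfo=timezone.utc)  # constructed date
    regular = [f"203.0.113.{i}" for i in range(1, 6)]
    lines = []
    for second in range(30):
        t = (start + timedelta(seconds=second)).strftime(TS_FMT)
        for ip in regular:
            if second % 3 == 0:  # each regular client: one request every 3 s
                lines.append(f'{ip} - - [{t}] "GET /index.html HTTP/1.1" 200 1024')
        if flood and second >= 20:
            for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
                lines.extend(
                    f'{ip} - - [{t}] "GET /search?q={n} HTTP/1.1" 200 64' for n in range(5)
                )
    return lines


def requests_per_window(lines: list[str], window_s: int = 10) -> dict[int, Counter]:
    """Bucket requests into fixed windows: {window_start_epoch: Counter(ip -> requests)}."""
    windows: dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        ts = datetime.strptime(m["ts"], TS_FMT)
        bucket = int(ts.timestamp()) // window_s * window_s
        windows[bucket][m["ip"]] += 1
    return windows


def learn_baseline(lines: list[str], window_s: int = 10) -> dict[str, float]:
    """From a known-quiet period, learn the typical per-window total and per-source count."""
    windows = requests_per_window(lines, window_s)
    totals = [sum(c.values()) for c in windows.values()]
    per_source = [n for c in windows.values() for n in c.values()]
    return {"total": median(totals), "per_source": median(per_source)}


def detect_anomalies(lines, baseline, window_s=10, total_ratio=3.0,
                     source_ratio=5.0, min_requests=20) -> list[tuple[str, str, int]]:
    """Return (window_iso, 'volume' or source ip, count) for windows whose total is far
    above baseline and for sources far above the per-source baseline. Ratios are assumed."""
    alerts = []
    for bucket, per_ip in sorted(requests_per_window(lines, window_s).items()):
        when = datetime.fromtimestamp(bucket, timezone.utc).isoformat()
        total = sum(per_ip.values())
        if total >= total_ratio * baseline["total"]:
            alerts.append((when, "volume", total))
        for ip, n in per_ip.most_common():
            if n >= min_requests and n >= source_ratio * baseline["per_source"]:
                alerts.append((when, ip, n))
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(build_sample_log(flood=False))
    for alert in detect_anomalies(build_sample_log(flood=True), baseline):
        print(alert)
```

Learning the baseline from a separate quiet period, rather than from the same window being judged, matters: a median taken during the flood itself is skewed once attacking sources outnumber legitimate ones. A per-source rule like this catches a small number of loud clients but not a distributed attack in which thousands of devices each stay under the threshold; for that, the volume rule and upstream filtering are the relevant controls.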

Malware

Malware is short for malicious software: a program or file that performs a harmful action on a network, server, or system. Common categories include viruses, computer worms, Trojan horses, spyware, fileless malware, and ransomware. These programs’ actions vary and may be limited to a single system or designed to spread across an entire network to damage or compromise systems, exfiltrate data, steal identities, disrupt service, or steal resources.

  • A computer virus is named for its ability to infect and replicate like a biological virus. These programs attach themselves to files, insert infectious code, and move to other files. They pretend to be legitimate programs that users must execute and commonly spread through email attachments, downloads, file sharing, and removable media. Defending against viruses centers on using robust antivirus software, paying attention to attachments and executable files, using strong passwords, avoiding questionable websites, and updating browsers and operating systems.
  • Computer worms are similar to viruses in impact and damage but do not require another program to replicate. Once in a system, worms use the device to scan for and infect other systems and networks. Mitigation impacts are similar to those for viruses.
  • Trojan horses, such as backdoors, downloaders, remote access tools, rootkits, and banking malware, look like legitimate programs and, when executed, install malware for a variety of purposes. Mitigation and prevention techniques for Trojans are similar to those for worms and viruses: Do not open attachments from unknown sources; update systems; watch for phishing attacks; and maintain robust antivirus software and firewalls.
  • Spyware, such as browser session hijacking, browser helper objects, cookies, autonomous spyware (independent programs), and bots, captures and delivers data from the targeted system to the attacker. Commonly targeted data include websites visited; credentials for applications, accounts, and systems; email and associated information; screenshots; downloads; and other traffic.
  • Fileless malware attaches itself to otherwise benign software packages to infiltrate the system memory directly. This malware does not install anything on the infected device (hence the name) and mainly operates through memory code injection and Windows registry manipulation.
  • Ransomware is one of the most visible types of malware, with high-profile attacks on governments, agencies, and businesses. Ransomware can encrypt files on a device or system, locking out the users and degrading systems that rely on that data. Attackers then demand some form of payment to decrypt the data and regain access. Attackers may copy the data and export it prior to locking out the user – meaning, even if the target pays the ransom, their data is still in the hands of the attackers and could be sold or used to further extort the victim. CISA started a Stop Ransomware campaign and hosts resources on its campaign pages, including best practices, mitigation, response, and available services.

Third-Party Compromises and Supply Chain Attacks

A third-party compromise takes place when an attacker compromises a partner organization, and that company’s connection is used to access the host organization. With the accelerating interconnection between organizations and the volume of connected services and devices, these attacks have experienced a 700% increase from 2020 to 2023. Reporting in 2024 found almost every company with a third-party relationship has experienced some level of breach, representing almost 30% of breaches overall. Of the sectors examined, healthcare reported the highest breach rate overall (35%) and the second-highest third-party breach rate (36%). This tracks with the size and scope of the healthcare sector and with the value of the personal health information available to attackers.

Software and related technology products were responsible for 75% of third-party breaches in 2023. One of the largest and costliest breaches in history was the SolarWinds attack, by which attackers were able to access a third-party software company and inject malware into a scheduled update, which then infected the company’s customers downstream. The resulting exposure impacted more than 18,000 customers, including some U.S. government agencies and 14% of the Fortune 1000. These companies lost an average of 11% of their annual revenue ($12 million average), and the covered losses are estimated at $90 million. School districts are also frequent targets of these breaches, with New York Public Schools, the Los Angeles Unified School District, and Chicago Public Schools – the three largest systems in the country – all experiencing third-party breaches in 2022.

Third-party compromises can be challenging, as the attackers are not entering directly, but instead exploiting a trusted relationship with an established partner. Agencies can take some basic steps to mitigate risk. Passwords and credentials are often vectors (vulnerability or exploit used in an attack) in these incidents, especially passwords reused on multiple systems or accounts by users. Using tools to determine whether passwords were included in a previous breach can identify potential vulnerabilities in the system. Reviewing systems and attack surfaces is also critical in the risk management and mitigation process. The risk assessment should include internal systems and vendors and their systems. Organizations should have policies and protocols for monitoring and taking action when they suspect breaches or compromises, including notifying law enforcement and other appropriate authorities.
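Checking whether a credential has already appeared in a breach does not require sending the password anywhere. The following added example (not code from the article, nor the client of any real breach-lookup service) shows the range-query pattern such tools use: the client hashes the password locally, sends only the first five hex characters of the hash, and compares the returned suffixes on its own machine. The breach corpus, the account list and the counts are constructed stand-ins; it also reports the reuse across accounts that the article singles out as a vector.

```python
import hashlib

# Constructed stand-in for a breach corpus: SHA-1 of a few known-bad passwords -> times seen.
# A real corpus holds hundreds of millions of entries; SHA-1 is used here only as a lookup
# key for matching, never as a way to store passwords.
_BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper(): n
    for p, n in (("password", 9000), ("123456", 20000), ("letmein", 500))
}


def range_query(prefix: str) -> list[tuple[str, int]]:
    """Server side of a k-anonymity lookup: given a 5-character hash prefix, return every
    (35-character suffix, count) pair that shares it. The server never sees the full hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return [(h[5:], n) for h, n in _BREACH_CORPUS.items() if h.startswith(prefix.upper())]


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match suffixes locally.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def audit_accounts(accounts: dict[str, str]) -> dict:
    """Run at password-set time, before anything is stored, so plaintext is never retained.
    Returns {'breached': {account: count}, 'reused': [[accounts sharing one password], ...]}."""
    breached = {}
    by_hash: dict[str, list[str]] = {}
    for account, password in accounts.items():
        count = breach_count(password)
        if count:
            breached[account] = count
        by_hash.setdefault(hashlib.sha1(password.encode()).hexdigest(), []).append(account)
    reused = [group for group in by_hash.values() if len(group) > 1]
    return {"breached": breached, "reused": reused}


# Constructed sample: system/user pairs with hypothetical passwords.
SAMPLE_ACCOUNTS = {
    "vpn/alice": "password",
    "mail/alice": "password",
    "vendor-portal/bob": "Tr0ub4dor&3",
    "mail/carol": "letmein",
}

if __name__ == "__main__":
    report = audit_accounts(SAMPLE_ACCOUNTS)
    for account, count in report["breached"].items():
        print(f"{account}: password seen {count} times in breach data")
    for group in report["reused"]:
        print(f"same password reused across: {', '.join(group)}")
```

The prefix carries only about 20 bits of information, so with a large corpus every query returns hundreds of candidate suffixes and the service cannot tell which one, if any, the client was interested in. A password that scores zero here is not thereby strong; this check only rules out the ones attackers already hold, which is exactly the set that credential-stuffing against a partner’s portal relies on.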

Making a Team Effort

An organization-wide team effort is critical for reducing vulnerability and exposure to cyberattacks. Individuals can take basic steps to prevent and mitigate a range of threats and reduce operational impacts. Education can help users prevent cyber breaches and incidents and understand which emails or links are safe and which should be reported or deleted. Working with an organization’s stakeholders can help ensure cyber resilience in disaster planning and promote forward-looking efforts to prevent oversights or critical failures during larger events. Employing basic security procedures, updating and patching systems, and reviewing policies and procedures are all fundamental elements of overall security. Local agencies can use tools available free of charge from CISA and the Federal Emergency Management Agency to bolster their security and educate their personnel, such as the following:

Using these and other resources and being proactive about cybersecurity, planning, and preventive measures can help all agencies raise their security and preparedness without requiring significant financial resources.

Dan Scherr

Dan Scherr holds a Ph.D. in public policy administration with a terrorism, mediation, and peace focus. He is an assistant professor in criminal justice and homeland security at the University of Tennessee Southern and program coordinator for the cybersecurity program. He is also a co-director of the honors program. He is a certified fraud examiner and Army veteran who served stateside during the September 11 attacks and has over two decades of experience in homeland security and operations.

Tanya Scherr

Tanya Scherr holds a Ph.D. in public policy administration with a healthcare and emergency preparedness focus. She is an associate professor in healthcare administration for the University of Arizona and has three decades of healthcare experience. Along with being a certified fraud examiner since 2011, she is also a former firefighter–emergency medical technician (EMT), previously licensed in several states, and held national certification. She has held several executive and board of director positions for community nonprofits that focus on women’s equality, domestic violence, and sexual assault.
