Cloud and Aerospace Defense Contractors Targeted by Phishing Emails
Last week, the Associated Press (AP) reported that the Fancy Bear hacking group targeted at least 87 employees working for U.S. defense contractors via personal Gmail accounts and some corporate email accounts. Fancy Bear is said to be associated with a Russian military intelligence agency, according to several information security firms.
According to the report, both small and large defense companies were targeted, including key contractors working on advanced technology for militarized drones, missiles, rockets, stealth fighter jets and cloud computing platforms. AP reported that 15 people that worked on drones were targeted.
If compromised, proprietary company data, such as advancements in drone and weapons research, and the U.S.'s defense could be at risk. The AP's analysis of classified emails collected by SecureWorks found that 40 percent of the victims clicked on phishing links (sample size of 19,000 lines of "email phishing data" from March 2015 to May 2016).
One CEO of an intelligence and aerial systems firm clicked on an email disguised as a Google security alert in his inbox - but stopped short of entering his credentials, as he realized it was a phishing scam. Another specific target included a drone sensor specialist, an electronics engineer for batteries and drones, and a senior engineer at one of the largest aerospace companies in the U.S.
In addition to targeting aerospace and drone companies, the hacking group also went after the Gmail accounts of a compliance officer and operations manager of cloud computing services. They also targeted another federal service provider that helps the FBI and other intelligence agencies with high-speed storage networks, data analysis and cloud computing.
While it can be difficult to secure or manage the personal email accounts of employees, there are a few simple best information security practices that can help mitigate the potential effects of a phishing attempt:
- Ensuring User Trust - Nowadays, stolen passwords and spoofed network addresses mean attackers can impersonate legitimate users and fly under the radar within company networks. Strengthening authentication by adding in multiple factors (multi-factor authentication or two-factor authentication) helps secure access to accounts.
- Ensuring Device Trust - Checking the security health of every endpoint that logs in to company applications can protect against threats or malware that exploit vulnerabilities in out-of-date software.
- Strong Access Policies - To protect access to critical applications and data, set up device certificates that help you identify corporate-owned vs. personal devices and create strong access policies to block or warn users about devices that don’t meet your company’s security standards.
Data Security Standards for Contractors
The Dept. of Defense (DoD) has extended its Jan. 1 deadline to require contractors to have a plan in place to comply with NIST's (National Institute of Standards and Technology) Special Publication 800-171, the standards by which contractors should follow when handling controlled unclassified information.
There is a rule to require civilian contractors to comply with the NIST guidelines, and the public comment period is open from April to June 2018. The General Services Administration (GSA) is also tightening requirements for reporting of cybersecurity breaches, among other proposals as listed in a Federal Register Notice from January.
One reason to standardize data handling systems is to make data sharing more secure and convenient (eliminating the need for risk assessments and sharing agreements) as information travels from one agency to another, as Federal News Radio reports. Another reason is to standardize the protection of information as it moves from the federal space to the non-federal.
For small manufacturers, the DoD provides a high-level, plain language guide to their cybersecurity requirements, outlining why and what they must do, including reporting breaches within 72 hours.
To help protect against threats posed by phishing attempts similar to the ones launched by Fancy Bear, the NIST SP 800-171 basic security requirements include the section 3.5 on Identification and Authentication:
- 3.5.1 - Identify system users, processes acting on behalf of users, and devices.
- 3.5.2 - Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems.
As well as a number of derived security requirements, including:
- 3.5.3 - Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Check out the complete list of NIST 800-171 (PDF) requirements to learn about the fourteen security requirement families, including access control, awareness and training, incident response and more.