What Can The FM Sector Learn From The ISS Malware Attack?

26 February 2020 | Updated 04 March 2020
 

After breaking the news of the ISS World malware crisis, ThisWeekinFM speaks to industry experts to identify how FM companies can better manage cybercrime attacks.

 

Is phishing responsible for the ISS World malware attack?

 

TWinFM spoke to Mike Gillespie, Founder of Advent IM, an independent cyber security specialist, to look at the ISS “malware infection” in greater detail. 

Gillespie told us of the likelihood that the malware entered ISS systems due to human error. 

“An organisation can have all the perimeter protection it can afford, but most malware is brought in through human error, often by clicking on a phishing link. Phishing remains the most effective and, not surprisingly, widely used delivery system of malware globally. Phishing is used in targeted attacks as well as non-targeted incidents, which is what the incident with ISS looks like so far.”

 

–Mike Gillespie

Director, Advent IM Ltd

 

The language of cyber security can mislead

 

The very wording of “cyber attack” or “malware attack” has connotations of malice and a deliberate target, when this may not always be the case. Gillespie maintains that this is an important distinction to be aware of:

“We do not know if ISS were the target or if they were a conduit to an organisation in their supply chain/ecosystem. 

“The language of cyber security can be misleading and the use of language can add a layer of confusion; referring to an attack when actually it was a random infection not an attack, for instance. This imprecise language makes an already challenging landscape even more confused.”

 

FM has a strong “desire to improve cyber resilience”

 

EMCOR Group and Bouygues are two other FM companies to have recently fallen foul of cybersecurity issues, but Gillespie sees the sector in general as wanting to improve in this area:

“We have engaged with the FM community for a long time and know that the desire to improve cyber resilience is very strong in this sector,” continued Gillespie.

“We also know that they, like all their clients, will have Operational Technology (networked systems that are not IT) and other systems, such as Fire and Life, Security and Building Management Systems, that not only are not secure, but aren't designed to be secure.”

 

 

Ransomware: to pay or not to pay?

 

The BBC speculated that the incident may have been linked to ransomware, which encrypts IT systems, locking users out and demanding money. 

In the race to find a solution and rescue data, some firms choose to pay out, as with the Maastricht University case. The university disclosed that it paid the 30 bitcoin ransom (roughly $220,000) requested by the attackers who encrypted some of its critical systems following a cyberattack that took place on 23 December 2019.

Paying a ransomware demand could be viewed as no more than another business decision to weigh up. A report from ZDNet looked at research suggesting that, even if you don’t end up paying the ransom, it should be considered as a viable option. Citing the research and advisory firm Forrester, it says:

“Forrester’s guidance is not a recommendation of whether or not to pay a ransom but to recognize paying the ransom as a valid recovery path that should be explored in parallel with other recovery efforts to ensure that you’re making the best decision for your organisation.” 

Others take the view that this should never be considered a viable option. As Gillespie told TWinFM:

“My advice is to never pay. It is well accepted that payment funds organised crime gangs and in turn terrorism and Trans-National crime groups. Not only that, you are ensuring that the aggressors are well-financed to be able to refine and improve their offensives against everyone, not just those that pay up.

“This should not be considered a cost of doing business” 

Whether the incident was a ransomware attack or not is, as yet, unconfirmed by ISS World.

 

How to handle releasing a public statement

 

The importance of handling the media when managing incidents of cybercrime is a point worth noting. Media statements, or a lack of them, can have an effect on managing potential repercussions.

With reference to internal communication and best managing press statements, Gillespie firmly believes that honesty is the best policy:

“You cannot expect them [communications teams] to come in and work media magic if you have not kept them in the loop of developments, because actually a poorly briefed comms team can make you look ridiculous” 

“Remember, if you can’t explain it to them, don’t expect them to be able to translate into anything meaningful for media, clients or public. Clarity is key along with honesty both internally and externally. It doesn’t need to be complex, just clear”

 

The expert advice: familiarisation, supply chain vigilance and network segmentation 

 

TWinFM also spoke to Chris Phillips, a fellow of the Security Institute and the Chartered Institute of Security and Crisis Management, and managing director of IPPSO:

 

 

"There is a growing number of attacks on all types of business and there is no doubt that FM companies will continue to be targeted in the future.

"The following are the top tips given by the National Cyber Security Centre, and I would recommend that all businesses familiarise themselves with this advice."

If your organisation has already been infected with malware, these steps may help limit the impact of the infection:

  • Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based
  • Consider whether turning off your Wi-Fi and disabling any core network connections (including switches) might be necessary in a very serious case
  • Reset credentials including passwords (especially for administrators) - but verify that you are not locking yourself out of systems that are needed for recovery
  • Safely wipe the infected devices and reinstall the operating system
  • Before you restore from a backup, verify that it is free from malware and ransomware. You should only restore from a backup if you are very confident that the backup is clean
  • Connect devices to a clean network in order to download, install and update the operating system and all other software.
  • Install, update, and run antivirus software
  • Reconnect to your network
  • Monitor network traffic and run antivirus scans to identify if any infection remains.

 

When it comes to prevention, Gillespie asserts that clients using FM service providers should be vigilant with their supply chain assurance and be wary of “a procurement mentality that prioritises price over value.”

 

Myles Bray, VP EMEA at Forescout, a security platform that helps businesses and government agencies orchestrate actions to reduce cyber and operational risk, added:

“To fully protect themselves and their networks, businesses need to implement security systems that ensure secure network architecture, such as a segmented network.

“Network segmentation has been designed to allow businesses to automate the identification and isolation of threats, without impacting operations. In a time where it is ‘when’ not ‘if’ a cyber attack will hit, organisations need to limit the risk by maximising control and enabling full visibility across a network, which will assist in defending against the next wave of cyber threats.”

Picture: Original error message from ISS World's site

Article written by Ella Tansley | Published 26 February 2020
