Public transit is integral to metropolitan areas. The public transit sector ranges from buses to trains, overground systems, underground systems, light rails, ferries, and more. New York’s Subway, London’s Underground, and Paris’ Métro are hallmarks of the cities’ cultures. But the growing dependence on and integration between public transit and technology opens up new areas of risks to cities with public transit systems. If a public transit system is compromised by a cyber attack, how does the city continue to function? Is the city prepared to defend its systems? Does the city pay a ransom, lose data, or hire incident response help?

The Need for Effective Cybersecurity Strategies

The complexity and interconnectivity of transit systems’ infrastructures, matched with evolving technology, increase the exposure of public transit systems, and of the cities they operate in, to cyber risks. APTA’s Cybersecurity Considerations for Public Transit says, “Cyberattacks can destroy a transit agency’s physical systems, render them inoperable, hand over control of those systems to an outside entity or jeopardize the privacy of employee or customer data. Cyberattacks threaten every aspect of modern life that is touched – indirectly or directly – by information technology.” It’s crucial that the public transit sector and its personnel realize these threats are real.

When ransomware hit San Francisco’s light rail system in November 2016, the San Francisco Municipal Transportation Agency (SFMTA) had two choices: shut down the light rail or let consumers ride for free. On one of the busiest shopping weeks of the year, the SFMTA let consumers ride for free. Fortunately, this cybersecurity attack did not impact the functionality of San Francisco’s buses, light rail, street cars, or cable cars. The attacker demanded a $73,000 ransom, but the agency informed the public, “The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.”

In February 2018, the SamSam ransomware attacked the Colorado Department of Transportation (CDOT), eventually costing the state an estimated $1.5 million. The attack impacted about half of CDOT’s computers. CDOT never gave in to the hacker’s ransom demands, but it took several weeks and many unexpected resources to investigate, contain, and recover. The incident response team went from 25 IT employees to 150, in addition to CDOT, the FBI, state emergency officials, and private companies getting involved. The state’s Office of Information Technology attributed the recovery to its backup plan and segmentation strategies, which proved to be successful. Governor Hickenlooper declared a disaster emergency due to this cybersecurity incident, which authorized state agencies to coordinate response efforts, including the deployment of the National Guard.

Key Cybersecurity Challenges for Public Transit

In order to implement an effective cybersecurity strategy, organizations within or serving the public transit sector must understand the challenges they face. The goal is always the same: to achieve information security and cybersecurity by upholding confidentiality, preserving integrity, and providing availability. Several of the key challenges in reaching this goal include:

  • There are typically three layers to a public transit system’s infrastructure: operational systems (like SCADA), enterprise information systems, and subscribed systems. All three systems are dependent on one another in order to function properly, which means the attack surface triples in size.
  • Software, hardware, and personnel could all be exploited in order to compromise a public transit system. Software infected by malware is the type of cyber attack we usually think of, but an attack could also come through intentional manipulation of personnel or physical tampering with hardware that’s connected to software. Once again, the attack surface
  • The transition to mobile and wireless communication, from both operators and consumers, expands every day. On-board technology, command and control systems, fare payment technology, traffic signals – with each innovation that makes public transit more accessible, the attack surface
  • A public transit system may just be collateral damage in an attack that’s targeting any and every system it can.
  • In every industry, the lack of cybersecurity professionals is causing real challenges. In the public transit sector, operators who don’t understand cybersecurity, with no cybersecurity professionals to educate them, can keep the entire industry from progressing.

As a city with a public transit system, your city must accept the responsibility of implementing effective cybersecurity strategies. By doing so, you will protect your city, technology, consumers, and business partners. Is your city looking to improve your public transit’s cybersecurity posture? Are you meeting the security, privacy, and cybersecurity obligations expected of you? Contact us today to ensure you can deliver secure and reliable public transit.

More Cybersecurity Resources

Horror Stories – 5 Cities Victimized By Cyber Threats

How Can Penetration Testing Protect Your Assets?

Providing quality customer service is crucial for the financial services industry, but there are many potential pitfalls when your employees go above and beyond for your customers. Consider the number of sensitive assets that banks rely on every day to conduct business: Social Security numbers, credit information, PINs, cardholder data, mailing addresses, email addresses, account balances, and more. It’s all available and accessible to employees, which means that it’s susceptible to being compromised by a malicious hacker. That’s why it’s critical to focus on social engineering training for bank employees. This will educate them on how to identify and report social engineering attempts.

What is Social Engineering?

How sure are you that your employees can withstand a social engineering attempt? Social engineering is creative and engineered to trick your employees. Social engineering leverages and manipulates human interactions to compromise your organization. This could be something like bypassing a procedure and letting a guest into an employee-only area or believing someone’s unusual circumstances that lead to breaking policy. Eventually, these breaks in policy or procedure lead to malware or unauthorized access to your system. The stories that come out of social engineering engagements can be shocking to security officers and executives who believe that their employees would never fall for it – especially in the financial services industry. Social engineering doesn’t require a lot of technology or complicated processes; all it needs is a distracted, careless, too-accommodating, or overworked employee.

What Types of Social Engineering Attacks Could Happen at a Financial Institution?

While phishing attacks are the most common social engineering attack that the financial services industry typically faces, they’re not the only kind that could cause a data breach or security incident. Whether it’s via email, website spoofing, or a physical attack at a financial institution, malicious hackers will find a way to access sensitive data. Let’s take a look at the following types of social engineering attacks that could happen at a financial institution.

1. Email

The goal of phishing is to gain access to an organization’s network or systems by compromising the login credentials of an employee or group of employees. Emails are often sent under the disguise of senior management, contain corrupt links or files, and are often hard to identify. For example, let’s say that an employee who has worked at your bank for over ten years receives an email that requests that she verify her login credentials immediately or else her account will be suspended. Although this employee has never received an email like this before, the urgency of the request coupled with a fear of being locked out of the network she needs to fulfill her duties influences her to click on the malicious link in the email, leading to a major data breach. Would your employees fall for this scenario?
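The signals in this scenario, a display name borrowed from senior management, a sender domain that is not the bank’s, urgency language, and a link that points somewhere else, can each be checked mechanically before a message ever reaches the employee. The following Python is an added illustration and not part of this article or of KirkpatrickPrice’s services; the examplebank.test domain, the executive name, and the two sample messages are constructed for the example.

```python
"""Header- and body-level phishing checks for inbound mail (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical bank domain and executive names; constructed for this example.
TRUSTED_DOMAIN = "examplebank.test"
EXECUTIVE_NAMES = {"jane doe"}
URGENCY_PHRASES = ("immediately", "will be suspended", "verify your", "within 24 hours")
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 822 message; [] means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name imitates a known executive while the sender domain is not ours.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != TRUSTED_DOMAIN:
        findings.append(f"display name '{from_name}' imitates an executive but sender domain is '{from_domain}'")

    # 2. Reply-To routes answers to a different domain than the visible From address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain '{_domain(reply_addr)}' differs from From domain '{from_domain}'")

    # 3. Pressure language in the subject or body (single-part text messages only here).
    body = msg.get_payload(decode=True)
    text = (msg.get("Subject", "") + "\n" + (body.decode(errors="replace") if body else "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Links whose host is not the trusted domain or one of its subdomains.
    for host in URL_RE.findall(text):
        host = host.lower()
        if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
            findings.append(f"link to external host '{host}'")
    return findings


# Constructed sample messages (no real people, domains, or mail involved).
PHISHING_SAMPLE = """\
From: Jane Doe <jane.doe@mail-secure-login.test>
Reply-To: helpdesk@another-relay.test
To: teller@examplebank.test
Subject: Action required: verify your account immediately

Your network account will be suspended within 24 hours unless you confirm
your login at http://examplebank.test.mail-secure-login.test/verify
"""

LEGIT_SAMPLE = """\
From: IT Service Desk <servicedesk@examplebank.test>
To: teller@examplebank.test
Subject: Scheduled maintenance this weekend

The intranet at https://intranet.examplebank.test will be unavailable on Saturday.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, analyze_message(sample) or ["no findings"])
```

Each finding on its own is only a hint (executives do sometimes write from personal addresses), so in practice the list would feed a score or a quarantine rule rather than a hard block, and multipart or HTML mail would need the body extracted first.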

2. Website Spoofing

Website spoofing is often combined with phishing emails. Website spoofing occurs when a malicious hacker creates a website that looks nearly identical in both design and web address to an original website. For the financial services industry, this can be especially problematic given the sensitive nature of the data used to conduct business. For example, if an employee receives an email that directs them to their company website (e.g. www.wellsfargo.com), but the link provided in the phishing email is www.welllsfargo.com, how many employees would be able to spot the difference between the two URLs before clicking on the link and compromising their credentials?

3. Physical Attack

Physical attacks are just as much of a threat as phishing attacks at a financial institution. Consider the variety of people that walk into a financial institution every day: customers, vendors, maintenance personnel, etc. A malicious hacker, for example, could walk into a bank disguised as an IT professional. If employees aren’t trained on proper policies and procedures for dealing with outside IT professionals, such as verifying identity, would they give the unverified third party access to their computer?

Scenarios like those mentioned above happen more frequently than you would think. Let KirkpatrickPrice help you mitigate the risk of you and your employees being compromised. Contact us today to learn more about our advanced social engineering services.

More Social Engineering Resources

Not All Penetration Tests Are Created Equal

How Can Penetration Testing Protect Your Assets?

Why is Ransomware Successful?

What Security Threats Do Education Institutions Face?

In today’s threat landscape, there’s no excuse for any industry to not be aware of the advancing cyber threats they’re faced with. For education institutions, this could be malware, ransomware, internal attacks, targeted attacks, and so much more. In this webinar, one of our expert penetration testers, Stuart Rorer, discusses why the education sector needs to be concerned about security risks, gives real-life examples from his experience as a systems administrator at a private school, and provides next steps your organization can take to ensure that you remain a secure and trusted education institution.

While some may view the education sector as less of a target for a cyber attack, the reality is that the education sector is just as likely to experience a data breach or security incident as, let’s say, a financial institution or a healthcare organization. Think of the different types of sensitive assets the education sector uses on a daily basis: names, dates of birth, standardized testing scores, attendance and grade records, email addresses, phone numbers, Social Security numbers, and financial aid information. These types of sensitive assets are hot commodities for malicious hackers, and they’ll do anything they can to get their hands on them, regardless of whether you’re a public or private school or whether you have hundreds or thousands of students. All education institutions are faced with the threat of experiencing a data breach or security incident because of the security difficulties they face, such as open access infrastructure, loose security controls, ease of access, and external trusts.

Real-Life Examples: Security Threats to Education Institutions

Understanding the threats facing education institutions wouldn’t be possible if there weren’t real-life examples to learn from. In this webinar, Stuart Rorer covers four examples, including:

  1. Ransomware Attack: Not wanting to leave his laptop in his car, an accountant brought his work laptop into a coffee shop, connected to an open Wi-Fi network, and because he didn’t use a VPN or other secure way to access the internet, he inadvertently downloaded ransomware.
  2. Disgruntled Employee: A higher education institution experienced an internal attack from a disgruntled former employee. This employee accessed a file with salary information and threatened to release the information to one of the global addresses within the organization.
  3. K-12 Organization: A K-12 organization believed they had a persistent intruder who tried to access student information, tests, etc. Recognizing this, the organization began to change the admin password, but attacks kept occurring. It was initially believed to be malware, but it turned out to be one of the senior students.
  4. Community College: A community college was having a lot of malware issues, and their IT administrators couldn’t figure out what was causing the problem. Their penetration tester realized that there was a wireless network that was named similarly to the college’s network, which allowed students, faculty, and staff of the college to input their passwords and other sensitive information when they connected to that network, making them easy targets for an attack.
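The look-alike web address in the website spoofing section above (www.welllsfargo.com next to www.wellsfargo.com) and the similarly named wireless network in example 4 are the same defensive problem: a name that sits one or two characters away from a trusted one, or that swaps in a character that merely looks the same. The following Python is an added example, not material from the webinar or from KirkpatrickPrice, of a check a security team could run over observed hostnames or broadcast network names; the CollegeWiFi name, the homoglyph table, and the sample observations are constructed assumptions.

```python
"""Look-alike name detector for hostnames and Wi-Fi network names (constructed example)."""
import unicodedata

# Small constructed table of characters and pairs commonly substituted for ASCII letters.
HOMOGLYPHS = {"0": "o", "1": "l", "|": "l", "rn": "m", "vv": "w"}


def normalize(name: str) -> str:
    """Lower-case, strip accents, and fold common look-alike characters for comparison."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike(candidate: str, known: set[str], max_distance: int = 2):
    """Return the trusted name the candidate imitates, or None.

    An exact (case-insensitive) match is the genuine name and is not flagged;
    anything else within max_distance after normalisation is reported."""
    if candidate.lower() in {k.lower() for k in known}:
        return None
    c = normalize(candidate)
    for k in known:
        if edit_distance(c, normalize(k)) <= max_distance:
            return k
    return None


def flag_all(observed, known: set[str], max_distance: int = 2) -> dict:
    """Map each observed name that imitates a trusted one to the name it imitates."""
    return {n: k for n in observed if (k := lookalike(n, known, max_distance))}


if __name__ == "__main__":
    # Constructed observations: the genuine name, a typo-squat, a homoglyph swap, and an unrelated name.
    print(flag_all(["www.wellsfargo.com", "www.welllsfargo.com", "www.wellsfarg0.com"],
                   {"www.wellsfargo.com"}))
    print(flag_all(["CollegeWiFi", "CollegeWlFi", "Guest-Network"], {"CollegeWiFi"}))
```

For hostnames the comparison is against the full name, so a legitimate subdomain such as login.example.com is not mistaken for a look-alike of example.com; for wireless names, the same function run over a periodic survey of broadcast SSIDs would have surfaced the rogue network in example 4 long before users started entering credentials into it.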

Are you an education institution that needs to learn more about the security threats you’re facing? Want to learn more about how penetration testing can help keep the education sector secure? Watch the full webinar now.

Cybersecurity attacks can strike where you least expect them. Would you expect the energy sector to be a target? The U.S. Office of Cybersecurity, Energy Security, and Emergency Response (CESER) states, “In today’s highly interconnected world, reliable energy delivery requires cyber-resilient energy delivery systems. In fact, the nation’s security, economic prosperity, and the well-being of our citizens depends on reliable energy infrastructure.” The energy sector literally powers every city; it is the most critical infrastructure that we can protect and support.

The Need for Effective Cybersecurity Strategies

As cities depend on energy and as energy sources become more reliant on technology and data, more vulnerabilities appear. The U.S. hasn’t seen a widespread power outage from a cyberattack yet, but that doesn’t mean these types of attacks haven’t been attempted. The threat of state-sponsored hacks and attacks on U.S. energy sources is becoming more real every day. In 2016, an anonymous water treatment plant was hacked through phishing and SQL injection, leading to chemical changes in tap water. In 2018, the DHS linked Russia to the ongoing hacking of U.S. power suppliers and publicly spoke about the cyberattacks to warn and prepare other energy suppliers.

At the federal level, effective cybersecurity within the energy sector is a high-priority mission with many people behind the fight. The CESER, the Department of Energy (DOE), the Department of Homeland Security (DHS), the Cybersecurity Risk Information Sharing Program (CRISP), the Executive Branch, and so many others are developing and implementing cybersecurity strategies to support reliable energy delivery.

Key Cybersecurity Challenges in the Energy Sector

Appendix I of the DOE Cybersecurity Strategy says that cybersecurity preparedness, incident response and recovery, and a lack of resilient systems are the main cybersecurity challenges facing the energy sector. These challenges fall in line with the President’s agenda to implement modern information technology, create data, accountability, and transparency initiatives within the energy sector, and build a workforce that’s agile enough for the 21st century.

1. Cybersecurity Preparedness

Preparedness requires proactive efforts, which many organizations in the energy sector can struggle with. How do you prepare for evolving, complex cyber threats while the attack surface continuously grows? Who has the expertise to perform an effective, formal risk assessment? How do you exchange data while also meeting security and privacy requirements of that data? How do you effectively and widely exchange the data you’ve collected?

2. Incident Response and Recovery

Organizations across all industries struggle with incident response and recovery. Because energy sources cross over so many geographic areas and involve so much personnel, it makes response and recovery incredibly difficult. Policies and procedures must be effective, yet flexible enough to adapt to the ever-changing threat landscape. Not only is performing incident response and recovery activities difficult, but proactively testing them to ensure they will work is also difficult when you’re dealing with widespread energy sources.

3. Resilient Systems

Energy sources require technology, but this can range from legacy systems to devices provided by third parties to the supply chain. Any piece of technology used in energy delivery must be secure and adaptable enough for future technology. To manage and defend this technology, we need a talented cybersecurity workforce. The lack of cybersecurity professionals today creates a real challenge for a sector as important as energy.

Goals of Cybersecurity Strategies in the Energy Sector

The DOE Cybersecurity Strategy follows the guidance of 34 documents, where you’ll see some familiar frameworks and concepts. FISMA, NIST Framework for Improving Critical Infrastructure, and NIST Risk Management Framework play roles in the guidance, as well as DHS strategies, Executive Orders, DOE strategies on sustainable energy delivery, and more. Although the energy sector faces many cybersecurity challenges, the goals of cybersecurity strategies remain the same for all providers of energy delivery:

  • Deliver high-quality, reliable services
  • Continually improve your cybersecurity posture
  • Take action to put a focus on your consumers
  • Use taxpayer dollars effectively

As a provider of energy sources, your organization must accept the responsibility of implementing effective cybersecurity strategies. By doing so, you will protect your city, consumers, and business partners. Is your organization in the energy sector looking to improve your cybersecurity posture? Are you meeting the security, privacy, and cybersecurity obligations expected of you? Contact us today to ensure you can deliver secure and reliable energy services.

More Cybersecurity Resources

DOE Cybersecurity Strategy 2018 – 2020

Horror Stories – 5 Cities Victimized By Cyber Threats

How Can Penetration Testing Protect Your Assets?

Independent Audit Verifies Quiq’s Internal Controls and Processes

Bozeman, MT – Quiq, a customer engagement platform and business SMS text messaging solutions provider, today announced that it has completed its SOC 2 Type I audit. This attestation provides evidence that Quiq has a strong commitment to deliver high quality services to its clients by demonstrating the necessary internal controls and processes.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 audit reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s audit report verifies the suitability of the design of Quiq’s controls to meet the standards for these criteria.

“The SOC 2 audit is based on the Trust Services Criteria. Quiq has selected the security, availability, confidentiality, and privacy categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Quiq delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Quiq’s controls.”

About Quiq

Quiq makes it possible for any company to deliver a world class customer experience using business text messaging. Quiq’s messaging platform enables companies to use their existing landlines to send messages to and receive messages from their customers via SMS/text messaging, live chat, social platforms, and in their own app.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.