
Assignment 1: Security Management

Nicola Brown

USER11538209

Security Management: UEL–CN-7014-27394

Saheed Yakub Kayode

Date: September 16, 2021


Part 1A: Cyber attack

Introduction
This report takes a deep dive into the cyber-attack that affected the Colonial Pipeline in
May 2021. The report covers the background of the attack, the nature of the attack, the threat
actors, and the incident analysis; it also briefly covers how similar companies could
learn from this attack and apply those lessons in their own organizations to prevent or prepare for an attack
of this nature. The report shows how easily an attacker can exploit vulnerabilities in an
organization, and why it is important for companies to regularly check their systems for
vulnerabilities.
 
Incident Overview
 
The Colonial Pipeline, the East Coast’s biggest supplier of fuel, suffered a major
cyberattack in May 2021. The attack forced the fuel company to temporarily shut down its
operation for six days, from May 6, 2021, to May 12, 2021. The company ceased operation of
its pipeline to contain the attack, since the cyberattack affected the
computerized equipment managing the pipeline. The company paid the requested ransom of $4.4
million in bitcoin within hours of the attack with assistance from the FBI. After receiving the
ransom, the hackers sent the company a software application to restore its network. The FBI
was able to track and recover a portion of the ransom. This cyber-attack is considered to be the
largest attack on oil infrastructure in the United States. The attack was so severe that it did not
just impact the company’s operations but also several businesses and consumers who rely on this
fuel company. The attack caused people in the states along the east coast to panic buy,
resulting in a shortage of fuel at several gas stations and airports. During the ongoing
investigation, the Russian hacking group Darkside was identified as the
threat actor; the motive for the activity is still unknown. The Colonial Pipeline Company is still
recovering from the attack.
 
Incident analysis
 
On May 6, 2021, the Colonial Pipeline suffered the biggest cyberattack any oil infrastructure in
the United States has ever encountered. According to Robertson and Turton (2021), the hackers
gained access to the system a day before the attack was launched and stole approximately 100
gigabytes of data from the Alpharetta, Georgia-based company’s network in only two hours. The
Colonial Pipeline consists of two lines and is 5,500 miles long; it can carry 3 million barrels of fuel
per day between Texas and New York, and provides roughly 45% of the East Coast's fuel,
including gasoline, diesel, home heating oil, jet fuel, and military supplies. The attack that forced
the company to shut down operation affected many people and businesses, including the trucking
industry, the main airports on the east coast, and several airlines that had to change their routes
and/or make several stops for fuel before arriving at their final destination. Not only did the
shutdown affect several businesses’ operations, it also caused panic among commuters, resulting in
fuel hoarding, which pushed the price of fuel to $3 per gallon for the first time in years
and further worsened the gasoline shortage.
The type of attack that affected the Colonial Pipeline was a ransomware attack: the threat actor
gained access to the system, shut down control from the company’s side, and threatened to
release confidential information if the company refused to meet their demand by paying a
ransom of 75 bitcoins. Denaburg (2021) defines ransomware as a form of malware that infects
and restricts access to computers and data until or unless the targeted organization pays the
attacker a ransom. In the case of the Colonial Pipeline, the threat actor demanded a ransom
payment of $4.4 million in the form of bitcoin payments. BBC News (2021) reported on a
meeting held between US Senators and the boss of the Colonial Pipeline, Joseph Blount,
where Mr. Blount issued an apology for the cyber-attack and the impact that it caused; it was also
reported that Mr. Blount stated that paying the ransom of 4.4 million dollars was the hardest
decision he had ever made in his career; however, he believed he made the right decision in order to
resume operation as soon as possible. The company received a decryption tool to unlock the
system that was compromised by the attacker shortly after making the cryptocurrency payment.
According to a BBC News report (2021), the United States of America has since recovered 63.7
of the bitcoins, totaling 2.3 million dollars.
The attack on the Colonial Pipeline was critical: several industries and companies were affected,
and the attack caused panic buying among citizens, which resulted in a gas shortage in several
states. Denaburg (2021) quoted industry experts describing the attack as “the largest impact on
the energy system in the United States (US) we’ve seen from a cyberattack”. The pipeline
encountered a major fuel distribution shortage from the attack; seventeen (17) states declared a state
of emergency relating to the fuel shortage stemming from the attack (Denaburg, 2021). The
Colonial Pipeline attack is an eye-opener for businesses on the importance of having a proper, well-
maintained security infrastructure.
The Federal Bureau of Investigation on May 10, 2012, released a statement confirming the attack
on the Colonial Pipeline to be Darkside ransomware. Darkside is alleged to have been active
since 2020; Darkside’s malware is offered as ransomware as a service, and once a system has been
compromised the ransom payment demand can be over a million dollars. According to Lerman et
al. (2021), Darkside released a statement on May 9 on their website stating “We are apolitical, we
do not participate in geopolitics, do not need to tie us with a defined [government] and look for
other our motives”. Darkside further added to their statement that “Our goal is to make money,
and not creating problems for society.” Based on the statement of the hacking group, it would
seem as though they did not intend to cause as much damage as they did. Even though the
statements above were released on the Darkside website, there was no mention of the Colonial
Pipeline, nor did they admit they were responsible for the attack.
The CIA triad is the main element of security; a compromise in any of the three can cause a
major problem for any company. It is important that a company set up its security infrastructure
to prevent intruders from compromising any of the following: confidentiality, integrity, and
availability. The cyberattack on the Colonial Pipeline affected the billing system; the hacker
blocked the company’s access, making it impossible for them to bill customers. The element of
security that was compromised in the Colonial Pipeline attack was availability. The company was
unable to access their system to proceed with regular operations; seeing a section of their system
being compromised, the company decided to shut down operation of the rest of their system to
prevent further attacks. The full lockdown of operation affected consumers’ access to fuel,
which resulted in panic buying and in airlines and airports having to make adjustments to their
operations (Osbourne, 2021). During the attack it was discovered that the company’s IT network
was infiltrated by malware; this forced the company to shut down its operational technology (OT)
system to prevent further damage. Kaspersky ICS CERT (2021) cited Bloomberg stating that
approximately one hundred gigabytes (100 GB) of data were stolen shortly before the attack. The
company did not resume fuel transportation through the pipeline until they got confirmation from
experts that it was safe to do so and after receiving the federal regulator’s approval.
Hackers are also seeking new ways to access a company’s infrastructure as the basis of their
attacks. Vulnerabilities are searched for and exploited when found. The hackers gained access to
the Colonial Pipeline Information Technology system through an inactive virtual private network
(VPN) account; a VPN is an encrypted internet connection that allows employees to access the
network remotely. Mr. Blount, boss of the Colonial Pipeline, stated in a meeting with the US
Senators that the VPN was inactive at the time it was hacked and that they did not have two-step
authentication set up for the VPN. Mr. Blount emphasized that the compromised password was
not simplistic (BBC News, 2021). The vulnerability exploited in the Colonial Pipeline attack
should teach other companies and the Colonial Pipeline team the importance of deleting unused
VPN accounts and enabling multi-factor authentication for access to their systems. Lyons (2021) cited
Bloomberg on the discovery that Darkside used a compromised username and password to access
the VPN; it is uncertain how Darkside obtained the compromised username and password,
however, the password was discovered in a batch of leaked passwords on the dark web.
The action taken by the Colonial Pipeline to shut down the operation of its pipelines immediately
after acknowledging that its system had been compromised was a good action to prevent further
damage. At the time the ransom message was displayed on the system, the company had no idea
how serious the attack was nor how many of its systems were being attacked; in order to prevent
the malware from spreading and to prevent other systems from being compromised, the decision was
made to do a full shutdown to prevent further damage.
 
Lesson learnt
 
The cyberattack on the Colonial Pipeline called attention to cybersecurity concerns for both
government and business organizations. Both government and business organizations should
understand the importance of system monitoring: based on the investigation, it was discovered
that hackers gained access to the Colonial Pipeline system and stole approximately 100 GB of
data before the attack. System monitoring which includes threat intelligence and detection would
have noticed and alerted on abnormalities in the system. The Colonial Pipeline Information
Technology team now knows the importance of dismantling and shutting down unused access points and
obsolete networks to reduce the attack surface and the risk of a data breach; if this had been a regular practice
by the company, they may have avoided the cyber-attack. It is crucial for companies of all sizes
to practice proper Information Technology governance; this is their chance to prevent a cyber-
attack and limit unauthorized access to their systems. Another lesson learned is the importance of
having backed-up data readily available in the instance where your system has been breached and
your data is being held for ransom. Data backup is essential for any business, small or large. The
most important lesson of all is that no company is cyber-attack proof: any company at any given time can be a
target for a threat actor and fall victim to cybercrime. Therefore, any company should take the
necessary precautions and add security to their infrastructure, given the increasing number of
cyberattacks taking place globally.
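As an added example (not part of the original report), the following Python script illustrates the controls discussed in the incident analysis and in the lessons above: flagging VPN accounts that are dormant but still enabled, flagging accounts without multi-factor authentication, and alerting on a successful VPN login to a dormant account or one made without MFA. The account inventory, log format, log lines and the 90-day dormancy threshold are constructed assumptions, not data from the incident.

```python
"""Constructed VPN access audit illustrating the lessons above (added example)."""
from datetime import datetime, timedelta

DORMANT_DAYS = 90  # assumption: an account unused this long should already be disabled

# Constructed account inventory: enabled flag, MFA enrolment, last successful login
ACCOUNTS = {
    "jdoe":       {"enabled": True,  "mfa": True,  "last_login": "2021-04-30"},
    "legacy01":   {"enabled": True,  "mfa": False, "last_login": "2020-11-02"},
    "contractor": {"enabled": False, "mfa": False, "last_login": "2020-06-15"},
    "asmith":     {"enabled": True,  "mfa": False, "last_login": "2021-05-01"},
}

# Constructed VPN authentication log, key=value style, one event per line
VPN_LOG = """\
2021-05-06T03:12:41Z vpn01 auth user=jdoe result=success src=198.51.100.7 mfa=ok
2021-05-06T04:05:10Z vpn01 auth user=legacy01 result=success src=203.0.113.55 mfa=none
2021-05-06T04:05:12Z vpn01 auth user=asmith result=failure src=203.0.113.55 mfa=none
2021-05-06T09:30:00Z vpn01 auth user=asmith result=success src=192.0.2.10 mfa=none
"""


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d")


def _is_dormant(acct, at):
    """True when the account's last login is older than DORMANT_DAYS at time `at`."""
    return at - _parse_date(acct["last_login"]) > timedelta(days=DORMANT_DAYS)


def parse_event(line):
    """Parse one log line into a dict; the timestamp becomes a datetime."""
    ts, host, _kind, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def audit_accounts(accounts, as_of):
    """Hygiene check: enabled accounts that are dormant or lack MFA (as_of = 'YYYY-MM-DD')."""
    at = _parse_date(as_of)
    findings = []
    for name, acct in accounts.items():
        if not acct["enabled"]:
            continue  # already retired, nothing to flag
        if _is_dormant(acct, at):
            findings.append((name, "dormant-but-enabled"))
        if not acct["mfa"]:
            findings.append((name, "no-mfa"))
    return findings


def detect_anomalous_logins(accounts, log_text):
    """Detection: successful logins on dormant or unknown accounts, or made without MFA."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["result"] != "success":
            continue  # failed attempts are left to a separate brute-force rule
        acct = accounts.get(ev["user"])
        if acct is None:
            alerts.append((ev["user"], "unknown-account"))
            continue
        if _is_dormant(acct, ev["ts"]):
            alerts.append((ev["user"], "login-on-dormant-account"))
        if ev.get("mfa") != "ok":
            alerts.append((ev["user"], "login-without-mfa"))
    return alerts


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, "2021-05-05"):
        print("finding:", *finding)
    for alert in detect_anomalous_logins(ACCOUNTS, VPN_LOG):
        print("alert:", *alert)
```

Run on the day before the constructed log, the hygiene check flags the dormant account that should already have been disabled, and the detection rule then flags the successful login on that same account.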
 
Conclusion
 
In conclusion, the attack on the Colonial Pipeline is one of the most significant attacks on critical
infrastructure in years, and it directly and indirectly affected multiple industries. While there
was no report addressing the security infrastructure of the Colonial Pipeline before the attack, it is
clear that there is a need to prioritize security; it simply cannot be overlooked in a company this
large and important. Every company needs to have a team of cyber security experts to constantly
assess and implement security measures where necessary to protect the organization. The
company should be able to set cybersecurity priorities, have a sufficient budget to implement
these measures, and have the authority to enforce the measures to protect the organization. In
other words, the company needs to invest in and commit to a cybersecurity program and have an
incident response plan in place. There is a rise in cyberattacks on various corporations, and
the number of attacks is increasing each year. Companies need to understand the importance of
protecting their systems prior to an attack. It is essential for companies to build resilient
cybersecurity platforms that identify enterprise assets, vulnerabilities, threats, and risks.
This must be a secure system that continuously checks for and identifies risks and includes
regular education of end-users to ensure protocols are being followed.
Part 1B: Cyber Kill Chain
Stage 1 – Reconnaissance: Research Colonial Pipeline and collect data on the victim’s computer system to learn their technical environment.
Stage 2 – Intrusion: Gain access to the computer system via the legacy VPN.
Stage 3 – Exploitation: Exploit vulnerabilities and deliver malicious code on the system to encrypt selective data depending on their directory, file name and file extension.
Stage 4 – Privilege escalation: Gain access to additional data and seek higher level/admin privilege to steal and compromise data.
Stage 5 – Lateral movement: Try to access more systems or data to gain additional leverage against the company.
Stage 6 – Anti-forensic: Use self-encryption of critical strings to avoid triggering detection. Block legitimate users’ access remotely to prevent them detecting, monitoring or blocking the attack.
Stage 7 – Denial of service: Search for back-ups on the victim’s system and disable them. Encrypt data using a private key.
Stage 8 – Exfiltration: Remove the compromised data from the company’s system in order to demand and ensure ransom payment.
PART 2: BUSINESS CONTINUITY AND DISASTER RECOVERY

a. Briefly explain the incident.


On June 8, 2021, several businesses that offer services over the internet experienced a disruption in
their service. All the companies whose services were affected are customers of Fastly, a content
delivery network (CDN) provider. Fastly acts as an internet intermediary that transmits content from a
business’s server to its end users. Peng (2004) describes a CDN as an effective approach to
improving the quality of internet services. On the evening of June 8, Fastly’s infrastructure was
down for approximately one hour due to a bug. This resulted in end users receiving a 501 service
unavailable error (Dutta, 2021).

b. Discuss the incident response and disaster strategies that companies affected by this
event should implement.
Having an incident response and disaster strategy is critical to every company. It includes how
a company will react in the event of an attack and how fast the company can recover and
continue its operation. A CDN is an important infrastructure used for delivering web content to
web users. This outage was a reminder for companies to ensure that their sites and
applications are continuously performing at optimal levels. Companies affected by the outage
can implement the following incident response and disaster strategies:
 Have a diverse delivery system – companies should not depend on one CDN for content
delivery. Using two or more CDNs will reduce the impact resulting from a disruption in any
one CDN.
 Create a backup plan – companies can set up system alerts to be notified of issues or
disruptions in their service; this will enable them to deploy their backup plan promptly.
 Regular site evaluation – evaluating the performance and availability of the service
continuously will allow companies to react proactively to issues as they arise.
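As an added example (not part of the original assignment), the following Python code models the three strategies above together: synthetic health probes for two CDN providers, a consecutive-failure threshold before a provider is marked down, an automatic switch to the next healthy provider, and alert records an operator would be notified of. Provider names, probe results, the threshold and the latency limit are constructed assumptions; a real deployment would replace the probe input with live HTTP checks and the switch with a DNS or origin-configuration change.

```python
"""Constructed multi-CDN failover policy illustrating the strategies above (added example)."""

FAILURE_THRESHOLD = 3  # assumption: consecutive failed probes before a provider is marked down
MAX_LATENCY_MS = 2000  # assumption: responses slower than this count as failures


class CdnFailover:
    """Tracks probe health per provider and decides which CDN should serve traffic."""

    def __init__(self, providers):
        self.providers = list(providers)           # preference order, primary first
        self.failures = {p: 0 for p in providers}  # consecutive failed probes
        self.active = self.providers[0]
        self.alerts = []                           # what operators would be notified of

    def _is_down(self, provider):
        return self.failures[provider] >= FAILURE_THRESHOLD

    def record_probe(self, provider, status_code, latency_ms):
        """Feed one probe result and return the provider that should now serve traffic."""
        healthy = 200 <= status_code < 400 and latency_ms < MAX_LATENCY_MS
        if healthy:
            if self._is_down(provider):
                self.alerts.append(f"{provider} recovered")
            self.failures[provider] = 0
        else:
            self.failures[provider] += 1
            if self.failures[provider] == FAILURE_THRESHOLD:
                self.alerts.append(f"{provider} marked down (HTTP {status_code})")
        return self._select()

    def _select(self):
        """Pick the first healthy provider in preference order; stay put if all are down."""
        for p in self.providers:
            if not self._is_down(p):
                if p != self.active:
                    self.alerts.append(f"failover {self.active} -> {p}")
                    self.active = p
                return p
        self.alerts.append(f"all providers down, keeping {self.active}")
        return self.active


# Constructed probe sequence: (provider, HTTP status, latency in ms).
# cdn-a fails three probes in a row, as in an outage like the one described above, then recovers.
SCENARIO = [
    ("cdn-a", 200, 120),
    ("cdn-b", 200, 140),
    ("cdn-a", 501, 50),
    ("cdn-a", 501, 50),
    ("cdn-a", 501, 50),
    ("cdn-b", 200, 150),
    ("cdn-a", 200, 110),
]


def run_scenario(probes, providers=("cdn-a", "cdn-b")):
    """Replay the probes; return the serving provider after each probe and the alerts raised."""
    fo = CdnFailover(providers)
    served = [fo.record_probe(*probe) for probe in probes]
    return served, fo.alerts


if __name__ == "__main__":
    served, alerts = run_scenario(SCENARIO)
    print("serving sequence:", served)
    for alert in alerts:
        print("alert:", alert)
```

The threshold keeps a single slow or failed probe from flipping traffic back and forth; the alert list is what the "backup plan" notification in the second bullet would carry.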

c. Create a 'Business Continuity' Information Security policy document for the event.

Business Continuity Information Security Policy


Introduction
This policy supports the implementation of business continuity for information security. It
addresses the management of redundancy and resilience in the company’s network
systems.
Objective:
To ensure the availability of information processing facilities.
To ensure that computer systems can recover and continue business during or after a disruption.
Scope:
The policy covers the business continuity for information security.
Information security continuity
The policy is designed to reduce the impact and likelihood of the following threats:
1.  Introduction of damaging or disruptive software or malicious code (e.g. malware).
2.  Network connection failures.
Planning Information Security Continuity
The organization will determine the requirements for its information security and its continuity
during the event of a crisis or disaster. Staff across the organization will engage in cyber security
training to help prepare them to notice and react to a crisis.
Implementing Information Security continuity
The organization will establish, document, implement, and maintain processes, procedures,
and controls for information security continuity during and after an unfavourable situation.
Information and Data transfer Resilience
The organization will transfer traffic to a neighbouring POP if the present POP is experiencing
problems serving content to end-users.
The organization will monitor multiple internal and external reporting channels to detect service-
related issues.
Verify, review and evaluate information security continuity
The organization will test and verify the established and implemented information security
continuity controls at regular intervals in order to ensure that they are valid and effective during
inauspicious situations.
Lesson learnt
Post-incident investigations shall include a root cause analysis to ensure appropriate remediating
action is taken to protect against future incidents and improve security measures.
PART 3: SECURITY MANAGEMENT QUESTIONS
1. Discuss the benefits of ISO/IEC 27001 certification.

ISO/IEC 27001 is a risk-based approach to information security. This certification allows
the organization to implement an Information Security Management System (ISMS) (Lambo,
2006). The ISO/IEC 27001 certificate provides several benefits to an organization; the main
benefit is that it shows that the organization follows information security best practices to protect
clients’, customers’, and suppliers’ confidential information. Additional benefits provided by the
ISO/IEC 27001 certificate include:

 Protection from cyber-attacks – one of the main benefits of ISO 27001 is that it reduces
the number of successful cyber-attacks on an organization. Implementing the policy
encourages organizations to regularly assess, identify, and address areas that need
improvement.

 Operational expense reduction – since ISO 27001 encourages organizations to implement
and practice a risk-based approach to information security, businesses will see a
decrease in security incidents and benefit from financial savings (funds that would otherwise be
used to recover from security breaches).

 Reputation protection – having the ISO/IEC 27001 certification will show existing and
new customers that the organization has taken the necessary steps to protect their data.
 Reduced need for frequent audits – the certification is accepted globally as an
indication of effective security practices; this reduces the need for frequent customer
audits, both internally and externally.

2. Discuss and explain how an audit or what type of audit should be used for the
chosen incident in Part 1A.

A security audit is done to ensure that sensitive data is protected. According to E.C. Lo and
Marchand (2010), an audit is not a one-time occurrence but an ongoing process that provides a
balance between protection, availability, and user acceptance. In regard to the Colonial Pipeline
attack, an internal audit must be done to leverage lessons learned and to conduct a post-incident
review to help prepare for and stay ahead of future threats and reduce the likelihood and impact of a
future cyber-attack. The internal audit needs to perform a complete security audit and update the
organization’s systems; all malware must be removed securely, and patches and updates applied
to the system. The internal audit will help the company to assess the company’s response,
business continuity plan, disaster recovery, and the initial breach of the system – this will help
the company to fix gaps and deficiencies. The internal audit will play a critical role in creating an
incident report to assess the organization’s backup data and recovery access control; this will
help to improve the incident response plan for future attacks (Mainse, 2021). During the auditing
process, the internal audit will closely monitor the organization’s system to ensure that the issue
does not reappear. The internal audit will ensure that the company has good information security
practices by assessing the backup and authentication systems; they will assess what helped protect
the system from the previous attack and which measures failed. Overall, the internal audit will
educate the company on what its system needs to mitigate future attacks.

3. Outline a Risk Management process for the incident in Part 2.

Context: Understand the objectives and the internal and external environment of the organization.
Identify: Find, recognize and describe risk.
Analyze: Determine the nature/level of the risk.
Evaluate: Review existing mitigation strategies and determine whether the risk is acceptable.
Respond: Modify the risk by mitigating, avoiding, transferring or accepting it.
Monitor: Continually check and update risk status to identify changes from the response level required.
Report/Communicate: Inform stakeholders of the current state of risk and its management.

Context:
The main objective of the organization is to successfully deliver content to its clients’ end users.
Identify:
The following risks may prevent the organization from achieving its objective:
 A service outage
 A bug or malware in the system.
Analyze:
The risks identified may potentially impact the organization’s finances, operations, human
capital, strategy and legal liability.
Evaluate:
Based on the risk analysis, the risks identified will require a priority response implementation.
Respond:
The organization shall implement backup networks to deliver content to end user in an adverse
situation.
Monitor:
The organization shall continually check and update status of the risk to identify change from
response level needed or expected.
Report/ communicate:
The organization shall communicate with stakeholders using various communication methods,
depending on a risk's scope and severity.
References
BBC News (2021). “Colonial Pipeline boss 'deeply sorry' for cyber attack”. BBC News. Available at: https://www.bbc.com/news/business-57403214 (accessed on 10 July 2021).
FBI (2021). “FBI Statement on Compromise of Colonial Pipeline Networks”. FBI National Press Office. Available at: https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-compromise-of-colonial-pipeline-networks (accessed on 8 July 2021).
Denaburg, R. (2021). “Colonial Pipeline Cyberattack: What Happened and What’s Next?”. Homeland Security Today. Available at: https://www.hstoday.us/subject-matter-areas/infrastructure-security/colonial-pipeline-cyberattack-what-happened-and-whats-next/ (accessed on 19 July 2021).
Dutta, M. (2021). “Internet down globally: Amazon, NYT, Bloomberg, Reddit and more websites hit by the outage”. BGR.in. Available at: https://www.bgr.in/news/internet-down-globally-amazon-nyt-bloomberg-spotify-reddit-and-more-websites-hit-by-the-outage-965104/ (accessed on 5 August 2021).
Lambo, T. (2006). “ISO/IEC 27001: The future of infosec certification”. ISSA Journal: The Global Voice of Information Security. Available at: https://efortresses.com/wp-content/uploads/2020/08/InformationSecurity.pdf (accessed on 8 September 2021).
Lerman, R., Nakashima, E. and Harwell, D. (2021). “DarkSide group that attacked Colonial Pipeline drops from sight online”. The Washington Post. Available at: https://www.msn.com/en-us/news/us/darkside-group-that-attacked-colonial-pipeline-drops-from-sight-online/ar-BB1gJZcg (accessed on 29 July 2021).
Lo, E.C. and Marchand, M. (2004). “Security audit: a case study [information systems]”. Canadian Conference on Electrical and Computer Engineering (IEEE Cat. No.04CH37513), 2004, pp. 193-196 Vol.1, doi: 10.1109/CCECE.2004.1344989. Available at: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1344989&isnumber=29618 (accessed on 8 September 2021).
Lyons, K. (2021). “Hackers reportedly used a compromised password in Colonial Pipeline cyberattack”. The Verge. Available at: https://www.theverge.com/2021/6/5/22520297/compromised-password-reportedly-allowed-hackers-colonial-pipeline-cyberattack (accessed on 3 August 2021).
Mainse, N. (2021). “4 Types of Safety Security Audits on a Regular Basis”. Cyber Matters. Available at: https://cybermatters.info/cyber-security/security-audits/ (accessed on 9 September 2021).
Osbourne, C. (2021). “DarkSide explained: The ransomware group responsible for Colonial Pipeline attack”. Zero Day. Available at: https://www.zdnet.com/article/darkside-the-ransomware-group-responsible-for-colonial-pipeline-cyberattack-explained/ (accessed on 20 July 2021).
Peng, G. (2004). “CDN: Content Distribution Network”. Cornell University. Available at: https://arxiv.org/abs/cs/0411069 (accessed on 20 July 2021).
Robertson, J. and Turton, W. (2021). “Colonial Hackers Stole Data Thursday Ahead of Shutdown”. Bloomberg. Available at: https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown (accessed on 20 July 2021).
