Listen to learn what you should do before, during, and after a ransomware attack.
Of all the types of malware, ransomware is one of the most dangerous. In this episode, Dave Ellis (VP Forensic Investigation, GCIH, CISSP, QSA, PFI) sits down with Jen Stone (Principal Security Analyst, CISSP, CISA, QSA) to discuss:
“When it comes to your cybersecurity, don’t trust anything. Games, quizzes, and other fun apps seem harmless, but may very well be collecting personal data or installing backdoors on systems,” says Ellis.
Resources:
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome to the SecurityMetrics podcast. I'm coming at you here from the Security Slopes. My name is Jen Stone. And today, I have an international man of mystery for my guest.
Super excited to introduce you to him. Dave, welcome to the podcast. Thank you. Will you please tell me a little bit about, and look, I mean it, the whole international man of mystery.
I don't know if other people have ever seen your office, but there's, like, stuff from all over the world that looks really interesting that I have no idea where it comes from, but I've also heard you have this wild background. So tell me what you did, what you do for SecurityMetrics. Tell me a little bit about your background so we all know.
Okay.
Alright. Well, what I do at SecurityMetrics, I'm vice president over investigations, computer forensic investigations.
And what got me here is kind of an unusual road. It wasn't the typical path. I didn't study computer science. I didn't study digital forensics in college. I was actually a cop with the Oakland Police Department in California.
I was a cop for twenty years, loved the job there. I was part of the tactical team. I was the commander of the hostage negotiations team.
All of those things were a lot of fun. I loved my former career. A line of duty injury cut my career short.
As my kids say, I got out almost in one piece.
But a couple of the assignments I had while I was with the Oakland Police Department did sort of lend into the career that I'm in now. At one point I oversaw the computer crimes team, which back in those days amounted to two guys with a pager. And if one of our drug dealers was arrested and he had a computer, one of their pagers would go off, and they'd go and make a forensic image of it and come back and analyze it, that sort of thing. It didn't have the level of sophistication that computer forensics has today, but it was the leg that sort of got me into this career.
Now to put things into perspective, shortly after coming to SecurityMetrics and starting in on computer forensics, I remember going home one day and I was kind of excited because the case that I was examining, this hacker was really creative. And so it wasn't sort of the cookie cutter thing that I was seeing, you know, day to day. And I went home and I guess I was a little animated as I was telling my wife and thirteen year old daughter about, you know, how creative this hacker was.
My daughter put me in my place immediately.
She rolled her eyes and said, dad, your old stories were so much better than your new ones.
So, from a career in law enforcement to computer forensics here at SecurityMetrics, it was a bit of a leap. My wife likes it a lot better. I don't get shot at very often anymore.
Probably only when I upset, you know, the folks on my team. And with Nerf guns at this point?
Oh, yeah. Yeah. We used to have hostile work environment day where you'd get attacked with Nerf guns, things like that.
But the full extent of the background, I've attended the FBI National Academy, where they invite police commanders from all over the world. And it's kind of a think tank. You spend three months back in Quantico, Virginia. And so those were some of the interesting things in the former career. Since being here at SecurityMetrics, and I've been here for thirteen years now, our team has investigated seven or eight hundred cases of data breaches, anywhere from municipalities, private sector, public sector, you know, government entities, airports, universities, you name it, from major corporations with thousands of locations down to a mom and pop store with a single computer.
We've kinda covered the gamut.
Wow. So I knew that your story was cool, but I didn't know any of that before. So when they said, hey, did you wanna interview Dave Ellis? I'm like, yes. Because I knew there was something wild in your background.
Well, yeah. To keep it interesting, we'd have to get out of the computer forensics, which takes us, you know, away from what we're doing today. Oh, yeah. Okay. My daughter was probably right. The old stories are a little more interesting.
So focused, as my boyfriend is constantly saying to me, Jen, stay on target. I struggle with that, but super happy that you're here today. How are you handling the current stressors? You got some outlets there to relax a little bit?
It's funny, COVID-19 has separated our team. We're mostly working from home. I'm in my office today because I see fewer people here. I virtually have seen one person here in the building since I've gotten here today, and there are ten of us living in my house at home. All the kids moved home after the virus outbreak. Oh, wow. So I'm more segregated here in my office than I am anywhere else.
Nice.
But the kind of work that we do, it really hasn't slowed us down much. We do most of our work remotely anyway.
You know, five, six, seven years ago, I was on an airplane traveling to some business almost every week.
Mhmm.
And that's just not the case anymore. Most of our work is online, ecommerce, and we do most of that remotely.
Excellent. Excellent. So, maybe this would be a good time to talk about the topic, which is ransomware.
So, we try and kind of shape this podcast so that people who are not really technical, who don't have a strong security background, we wanna make this information kind of accessible to everybody. So if you could tell people kind of what ransomware is, from maybe a little more of a layman's perspective.
Okay. Great. Yeah. Ransomware.
Okay. In computer forensics, you'll hear the term malware, which means malicious software or malicious executable.
Ransomware is near the top of the evil scale, you know, up the ladder.
It's nasty stuff that you don't wanna have any part of. What it is essentially is an attacker will get into your system and he will lock you out of your system or lock you out of your critical files by encrypting them.
Mhmm.
And he goes in and he encrypts them all. He has the key to decrypt them, usually.
And then he comes back and says, hey, guess what? I've locked you out of your system. If you wanna get back in, you're gonna have to pay a ransom. Mhmm. So that's where the term comes from. And it's absolute extortion. Mhmm.
It hits everybody.
For a while, the hospitals and health care industry were kind of the number one targets.
Mhmm.
And then it evolved to where businesses of all sizes were being hit.
Even down to, I have a friend who got hit, and his business has two computers.
And so it has really spanned the, you know, the universe of who can fall victim to these things.
When it happens, what makes it so nasty though is what he says is if you don't pay the ransom, I'm just gonna throw away the key. And, you know, good luck to you then.
Wow. And another current trend I'm seeing in who's getting hit with ransomware are municipalities.
Yeah. Absolutely. Yeah. We have done actually two fairly good sized cities that got hit, and the extent was pretty brutal for them.
Right. And especially right now in the healthcare industry, they have enough stressors on them. But the ransomware impact is pretty high, and the bad guys know this. The bad guys know that the groups that have to have their information right now are key targets for ransomware because they can't afford to let it go.
Absolutely. Yeah. You know, when they look at it, if a hospital sits there and goes, okay, I need it. I can't access x rays.
I can't access their prescriptions. I can't access anything. Yeah. You're right. So the the immediacy of the need of the data that they have, those are the groups that you typically see paying the ransoms.
Right.
And that's another road that we could go down whenever you... Well, I would love to hear, actually, that is one of my questions that I have for you is, what do you think about paying the ransom?
I'm a believer of not negotiating with terrorists. These are already people who, you know, have a malicious intent. They didn't, you know, come in as a good friend that, hey, I'm gonna help you, you know, build a better system, and that's why I hacked you. This is just straight, they want your money. And so if you understand that they are evil in nature, evil in their intent, you've got to look ahead and say, okay, if I pay them, are they going to give me the key to decrypt my files?
I've seen unfortunately conflicting data on this. It is somewhere between one third and two thirds of the time the key that they will provide you after you make payment will actually decrypt all of your files.
Sometimes that key will only decrypt some of your files and they come back and say, oh, if you want everything else, you gotta pay me again.
Right.
You know, so they can linger on. Another problem is a lot of times they don't provide you a key at all, or the key that they provide you is bogus. It just does not work.
It's one of those things about the honor among thieves.
You can't really trust them.
There is one other element in here that's kinda funny.
I mentioned that a friend of mine had his business system attacked, locked up with ransomware. Once they realized that he was a very small potatoes organization, they settled on two fifty bucks.
Wow. He pays the money and the guy comes back and goes, oh dude, I'm not even the attacker who locked you up. I have no idea. I don't have your key. It was a man in the middle attack in the middle of a ransomware attack.
So, got his two hundred and fifty bucks, but it was a completely different attacker.
Well, and the other thing that I've heard of is, organizations will pay the ransom, and their files will be decrypted. But then all of the things, the vulnerabilities that were in place that allowed that malware to be inserted in the first place, are still there. And so not only are they still vulnerable, they also know that, hey, here's a company that will pay up. And so they will just go in and lock it up again and say, hey, round two.
Happened to a municipality that we investigated. Two weeks later, they hit them again. And actually, the second time they hit them, it was a variation on the first. And so they couldn't use any of the intel that they had gained from the initial investigation.
A third thing that happens is that you pay and maybe they, you know, let's assume in this scenario that they do actually provide you a working key and it decrypts your files, but they put another payload, a malicious payload, in your system that might be a key logger. It might be any other type of thing, and now they come back later and exercise a different type of attack against you, where they're now capturing your customer credit card information. They're downloading your PII, your, you know, personal information or protected or confidential information.
Understanding, and I should have included this in my first description, that a ransomware attack is not typically an attack to gain information from your systems. It simply locks you out. Well, the type of thing I'm talking about now is we've seen them actually drop malicious payloads behind the ransomware that will then allow them to capture your confidential information, and then they come back later on not to exercise a ransom against you, but now they're just selling your data. They're going on the dark web. Yeah. Yeah. And suddenly they track information.
Because if you have vulnerabilities in your systems and you have information that's valuable, there's a lot of ways that they can monetize that.
Yeah. Absolutely.
So, we don't like paying the ransom.
Not a fan.
Yeah. What do we like for a response?
Well, for the response, the first thing that I hope is that you have solid backups.
And when we say this, it's important not only to understand that you have backups, but to have an understanding of what it takes to restore your systems from a backup.
Because you need to make sure those backups are not live on your network.
Right.
Because, yeah. We had a pharmacy not far from here that was attacked a few months ago, and we got a hold of them. We said, yeah. Yeah.
Do you have backups? And they said, sure. And I go up there, and they hand me this hard drive that they had as their backup. Well, the hard drive was encrypted as well because it was live online all the time.
And so when their system, you know, got encrypted, it reaches out and it's looking for USB connections and it's gonna, you know, encrypt those things as well.
Sure. So offline backups are pretty critical. So that's something that hopefully people have set up prior to getting hit by ransomware.
Yeah. And it's important to practice what it would take to restore from our backups. Yeah. We had a case a little less than two years ago, and it was eight hundred retail locations, not retail, hospitality industry, or, excuse me, eight hundred food and beverage locations.
Sure.
And they got hit with ransomware. They knew that they weren't gonna pay it. They said, hey, yeah. We have backups.
We should be good to go. They were tape backups. Oh. They had never restored from tape backups.
It took them three days.
Sure. Yeah.
And so for three days, this company couldn't process credit cards across eight hundred locations. They lost millions and millions in revenue.
Right.
So sometimes I go out and I do an assessment of an organization, a health care organization that has to meet HIPAA compliance guidelines. And one of the things that HIPAA says is that you need to have a backup and restore plan. And I always ask them that question. Have you tested your backups?
And I would say two thirds of the time, I get, what?
Well, what do you mean? We get these results that they have backed up. I'm like, no. But have you taken them and actually done a restore?
And the kind of mystified looks on people's faces tells me that this is not the way a lot of people think. And it's a key step. Your backups are worthless if you don't know that they're going to restore properly.
Right. Yeah. We see the same thing. Do you have backups? And they go, yeah. They're on that server over there.
Yeah. And, okay, what's your next step?
So... And they go, well... Yeah.
You know, and another thing for businesses to do, and this is before you get attacked, train your employees on spotting phishing emails.
Now, you know, years past, you'd get that email that said, hey, you know, I'm the deposed Nigerian son of the Nigerian prince, and I've got, you know, two million dollars in this escrow account. Sure. You know, and it didn't take too long to figure out that those weren't very legitimate. Mhmm. The ones now are extremely sophisticated.
And oftentimes, an attacker will do a lot of reconnaissance into a business to the point where he can craft his email to appear extremely legitimate and extremely relevant to you. Mhmm. It might address you, you know, by name. It might appear to come from a coworker, a peer, a supervisor, the CEO, manager of HR. We've seen all of those.
And so to help people understand that, you know, when you get an email, don't click on links.
Right.
Even if you think you know who it's from, if there's a link in that, don't click on it. Go out and go into the site that you know is legitimate and get the information that way.
We've had a lot of cases lately where well, not a lot, but we had one brutal case lately where it was a finance company in San Francisco.
And an employee got an email that appeared to be from the CEO, and it was, you know, about moving funds, etcetera.
Looked legitimate, clicked on it, and next thing you know, they are locked out. They're done.
So, yeah.
I have a friend in banking who told me that they have experienced a four hundred percent increase in phishing attacks since COVID-19, because anytime you have an elevated sense of urgency or, you know, anxiousness, people make worse decisions.
So this is a really good time for the people sending phishing emails to have a high degree of success.
And so just knowing that people are already anxious, and teaching them to take that step backwards and either go to the source rather than clicking on a link, or pick up the phone, ask the person who sent the email, ask the person who you think sent the email, did you send this to me?
And you can call them. You can hear their voice, you know them, you know, rather than, you know, clicking on the link in an email.
And don't just reply to the email and say, hey, did you send this to me?
Because bad guys are gonna go, uh-huh.
Yeah. I did.
You know what's a really sneaky one right now is the one that tells you you have a voicemail and there's a partial transcription with the attachment of the voicemail, because, you know, the response is, hey, I got a voicemail but I can't tell what it is. I'm gonna click on that attachment just to see if I need to respond to it. But clicking on an attachment is another way to get that malware onto your system.
Absolutely. Yep. Absolutely.
Yeah. And on those, that's one of those where you're gonna wanna look at the header information in the email. You're gonna wanna validate, you know, did this actually come from my service? Does it appear to? Because a lot of times, if you do a little bit of research, look, you know, at some of that information a little more closely, you end up seeing that, you know, it's coming from a dot ru, you know, it's coming from Russia, it's coming from somewhere else.
It definitely does not appear to be coming from, you know, your phone provider.
Sure. So, we know some of the bad responses.
What are some of the best responses that you've seen to ransomware?
Some of the best responses.
I guess you don't get called in so much when it's a really good response.
But, well, you know, we can actually take that question and say, you know, in the cases where we are called in, what are some of the things that we have been able to do?
Yeah. Occasionally, we have been able to find a published key that works for this particular person. So usually what we will do early on is, after we've explored their ability to restore from backups and, you know, that one hasn't worked, we begin the process of recovering data from deleted files, because those usually aren't encrypted. We can restore a lot of usable or valuable information just by restoring things that they've deleted in the past.
We will investigate early on to try to identify the type of ransomware that was used, and then we will go out to see if anything has been published on that. And there are legitimate companies that store information, that go out and glean as much as they can about these attacks and publish keys that have been known to be, you know, usable.
And occasionally, we'll find that hackers use the same key every time. You know, they're not, you know, creating anything new. And if you imagine, you know, they're throwing these attacks out in hundreds, if not thousands of directions, so it's not a surprise that they sometimes, you know, reuse their keys.
Sure.
So we have had some success in that.
And I'll bet that they have success in doing that because not everyone is going to either have the internal knowledge or call in someone who knows. Hey, let's go look for a key somewhere. Yeah.
Yeah. Yeah. So that's been, you know, beneficial on a few occasions.
Other things that are helpful is, and this would kinda go back to the prevention stage again, most of what you can do related to ransomware is gonna be, you know, in the beginning, you know, before it ever hits you.
Content scanning software for your email is very important. If you can have a tool that does content scanning, it should be able to highlight the fact that, hey, the link in this email that you just got is malicious. Mhmm. It's scaring me, so don't open it. You know, you can get that kind of a response from, you know, tools that you can have on your system that will help you identify malicious stuff.
So, one of the things that has kind of been on my mind with people going and working from home during this time and then going back to their networks. Tell me a little bit about what you think is going to happen when people take their machines and go back to the office.
Yeah. So a big problem that happens there is, I'm gonna guess a high percentage are not using VPNs or other security protocols when they're on their home networks, and so their computer is now exposed to all of the different sites that they might be visiting in the home environment, and now they take this back to work and they log into the work network. We've seen this not solely in ransomware cases, but in a number of data breach cases where somebody has used their computer at home and they're visiting sites at two o'clock in the morning that their mom probably wouldn't approve of, and junk gets, you know, installed on their system that they're unaware of. Mhmm.
And now they log in at work and they introduce that vulnerability at work or that, you know, that malware at work.
And we've had a number of very high profile cases where the problem all began at home. So the solution to that is, you know, use a VPN at home so that you're kind of inoculating or insulating your computer from, you know, all the different stuff that you can do on Facebook or on, you know, social media, all those games that look so fun and are simply designed to little by little capture information about you. Yes. Because those little tidbits of information then can be formed into that phishing email that goes out to make it look all the more legitimate.
Okay. I have friends on Facebook and they do this thing, ten things you didn't know about me. And they list the ten things, and now I want you to tell me ten things I didn't know about you. I'm like, oh, every piece of information you put up there is something that could potentially be a security question answer.
And, you know, there's a lot of ways that social engineering can happen if you know enough information about a person. That's hard because, you know, people are feeling isolated. They want to have that human interaction and so they're turning to social media and they're trying to make these connections, but their friends are not the only people paying attention to that. And the hard thing for me is, you know, that balance of you should not be putting your information on social media, but also the understanding that people need that connection.
Right? So I just want people to stop with the list ones. If they could just stop answering lists, that would be fantastic.
Yeah. You know, you summed it up perfectly because those lists start talking about what's your favorite color, what was the name of your first pet, and I have seen those as, you know, as questions to restore passwords and things along that line.
And Facebook quizzes. Hang on. Don't do Facebook quizzes. Thank you.
Well, can I throw one more in there?
Yeah.
So, you see a lot of these games that are out there, and most of the games are gonna be fine. You know, they were put out by legitimate companies, but there's a lot of ancillary things that sometimes go along with the game. Other groups that get started up, and I saw one. There was a popular game that my kids were into, and so I start investigating it, and you can converse with other players, and a player comes on and says, hey, go over to this site because if you do this, this, and that, they'll give you unlimited lives and unlimited coins or whatever it is.
Sure.
That's why I went over and I looked at the things, and part of it was, oh, all you have to do is subscribe to two of the following five things. Well, I examined the five things, and they all involved installing backdoors onto your system. Yeah. Yeah. So yeah. Don't trust anything.
Don't yeah. Yeah.
Seriously.
Okay. So what about, how well does antivirus, you know, still thinking about this bring your own device to work, and now it's like work devices coming back to work. It's kind of the same thing if they haven't been on VPN, if they haven't been fully protected.
How well does antivirus help with some of these things?
A good robust antivirus can be helpful with it. Like I said, it might have incorporated into it a content scanning filter of some sort so that it would identify that links in emails or whatnot might be, you know, malicious and you need to avoid them.
Some of them may recognize, you know, some of these attacks. The important thing there is, you know, use reputable AV, antivirus, and keep it updated.
Right.
Because so many of these things change so frequently.
Most of the antivirus is signature based, meaning it's looking for something that somebody has previously told the, you know, the developers, hey, this is bad. Mhmm. You want your product to identify, you know, this, whatever the this is. And so if you don't keep your antivirus updated, you might miss, you know, the most current attack signatures.
Okay. Great. You know, the concept of updating, this is near and dear to my heart because patching, Mhmm, system patching is something that, a lot, especially in the health care industry when WannaCry came in and just devastated the health care industry, the problem was their patches were not installed. And there's good reasons why in the health care industry they lag behind a little bit in some of the patching protocols.
But everyone needs to be aware. We get that little pop up on our screen that says, updates are ready to be installed. And we go, oh, crap. What's it gonna break? How long is it gonna take? You know, do I have to really do this?
And so people tend to ignore it because there's kind of a, remind me tomorrow. Remind me tomorrow.
Remind me tomorrow.
Yeah.
I'm busy now.
You do that for the next three weeks.
Yeah. Don't talk to me about that right now. But the problem with putting it off is if it's a security update, then there are likely, I'm not even gonna say likely. If there is a security update out there, then there are already malicious actors who have created a way to exploit that vulnerability.
Right.
Right?
So when we get these things that say you need to install a patch... The original developers are rarely the ones who recognize there's a vulnerability and patch it themselves.
It usually comes after there's been a problem.
That's totally what I'm saying. Vulnerabilities tend to be found by the people who did not build the software. And that's fine as long as we get those patches up there before there are exploits available, before it becomes widespread. But for sure, I mean, let's look at, dang it. What's the name of that credit company that got hit?
Oh, Equifax.
Equifax. Thank you.
Or Experian, one of those. Yeah.
Or was it yeah. Okay. Now I don't remember. Sorry. One or the other. I got one of you wrong.
But their problem was they had an SMB patch that just didn't go in there. Right? Apache Struts update didn't go in, but it was months old. It had been available for months.
And so when you see some of these attacks, part of me is like, oh, that's so bad that these malicious actors get out there and attack. The other part of me is like, guys, the patch was available.
Install your patches. Right? So for large organizations, they should have a patching program. But for individuals, especially, you know, working from home, that may not be able to connect to the automatic patching systems, whatever. However you do it normally in an office might not be available out there. Don't put it off. Go ahead and install your updates.
No. You know, and you bring up another really good point here, or at least you made me think of it. In addition to the patching and keeping those, you know, up to date, there should be somebody in your organization who has the responsibility to receive the messages that would come that an update is available, or if you have, you know, any type of scanning antivirus that is going to throw a warning out that says, hey, like file integrity monitoring.
If a critical file has been changed or there's an attempt to change a critical file, somebody should be receiving those notifications that has the responsibility to check on a daily basis and, you know, do those little mini investigations to make sure that the system is still secure.
Yes.
We did an investigation that was really sad, where nine hundred stores were breached.
And as we investigated back in time, we saw that their software, their AV software, was throwing warnings about what was going on six months before they got hit. Or six months before actually the attacker was sufficiently in the system to be able to pull data out.
Right.
And the problem and it was throwing these warnings, and the problem was is no one was watching.
No one was looking for them. So they could have prevented the entire breach.
And I and I see that very commonly out. One of the things that as an assessor I do is I'll say, hey. If you have a a SIM, the security inform oh, shoot.
I didn't have enough caffeine before this podcast, did I? But it's it's your event monitoring. Right? So you you look at your dashboard, and and I'll see a lot of times, they'll tell you when patches have been installed, which systems have not, installed them yet. And I'll ask whoever's showing me the dashboard, hey. How come you have this ten percent is is red?
And they'll say, oh, well, those computers need to be restarted before they can accept the the new install. Well, okay. So how is that going to happen? Well, I don't know.
They'll eventually, they'll just restart the computer. But it's not an act of saying, hey. This hasn't been done and it needs to be done. So like you say, there's there are actions that have to be taken.
So knowing that that there are alerts coming and then having the responsibility for acting on those alerts, it will save companies a lot of heartbreak.
Absolutely. Hey, you know, there's one aspect of ransomware that I left out on the, you know, what to do when it's actually hit you. So... Right. You know, despite all of your best efforts, you've been locked out of your system.
Oftentimes, the attack will occur at a single desktop or a single laptop or a single device, or just a couple, and it takes a little bit of time to migrate outward and eventually encrypt your entire network.
If that is the case, it's imperative that you unplug that one immediately from the network, disable its Wi-Fi so that you can isolate it from the rest of your network, or if it's two or three computers, you can reduce the amount of damage before it spreads.
We had a situation, it's very sad, a hospital in the Midwest that, as they described to us what happened, if they had just unplugged one computer... Oh.
And, you know, disabled its Wi-Fi. They actually had almost a full day before it migrated to other computers in the system. And by the end of it, it had migrated to about eighty percent of the computers in their environment.
Oh, that's devastating.
Yeah.
It brings up a good point. Sometimes I'll recommend that organizations segment their network. And just for people who aren't familiar with it, that's a way of saying, hey, this group of computers can talk to this group of computers, and this group of computers cannot talk to them. Like, just sectioning it out so that if there's no need for the accounting group to be able to talk to radiology, then that should be segmented.
Right? So that's just a word for saying what is allowed to talk to what. So, one of the things that segmentation can really help with is it sort of isolates computers for you. Right.
And then you have endpoints that you can just really block off and solidify that they're not talking to anything at that point. But if you have a network where everything can talk to everything, then knowing where the malware has gone is going to be pretty difficult. And it'll spread pretty quickly.
It will spread fast into those environments too. And then recognize also anything you have connected to the affected devices: if you have USBs, dongles, external hard drives, all of those are going to be potentially infected. You wouldn't want to take a USB thumb drive out of one computer and then go, you know, let me see if I can restore this on this other computer. Well, you're just likely to infect that other one as well.
The infection. Alright. Yeah. Well, this has been a lot of good information about ransomware. Before we wrap it up, is there anything else that we didn't cover yet that you might wanna throw out there about ransomware?
So what I think I wanna close with is the importance of ensuring your security in your environment, and this example that I'm gonna give is kind of what a larger corporation would maybe experience.
Don't take your security for granted, and don't assume that your compliance with industry standards is going to inoculate you from everything else. As an auditor, I think you'll appreciate the story. There was a business where we sent an auditor, our company sent an auditor out to it, and the company had recently employed end-to-end encryption.
Or point-to-point encryption. They said, well, since we have point-to-point encryption, everything else outside of the card data environment is out of scope for the audit. And the auditor, having been familiar with this company, having done audits there in the past couple of years, said, you know, I don't think you want to disregard the security, you know, and while I'm out here, let me take a look at a couple of other things in your corporate environment. And they said, nope.
CDE is all you get to look at, and they basically locked the auditor down to that; that was the only area where they wanted to hear the auditor.
It's not a good sign.
It wasn't a good sign. Well and it was only four months after that audit that they called us, and they said, we've been locked out with ransomware.
Mhmm.
And so what had happened is their CDE was fine. The card data, even with the ransomware attack, was never at risk. The point-to-point encryption was doing its job and protecting the actual transaction data, but the company couldn't access anything. They were locked out of several hundred locations, and they lost millions, tens of millions of dollars of revenue in the amount of time that it took them to finally be able to restore and get back to normal operations.
That's rough.
So yeah. So that's all about, you know, PCI compliance or HIPAA compliance. Those are all essential and important, but understand that they should also be considered kind of building blocks.
Yes.
Nobody knows your environment better than you do, and a data security standard can't always take into account all the nuances that your environment might have. So you need to look at data security as kind of like a living, breathing organism that you need to feed and keep healthy.
I am so glad that you mentioned that because compliance versus security is... Yeah. ...is one of my favorite topics. And, as an auditor, there are things that have to be in place for me to be able to sign the paper and say, yes, you have met the standard of compliance against these certain requirements.
But as a security professional, I always have those extra conversations about what this means in terms of broader security.
And, so even though I can't require certain things in order to sign that paper, we have some pretty hefty conversations about security when things seem like they're going sideways in terms of that. People need to remember compliance, the intent of a security compliance standard, is to make a baseline for security for a very specific thing.
So just because you're protecting your credit card data, and they probably did; there is probably no fraud related to that problem. Card data was fine.
But... Yep. But if you don't understand that that's all you're protecting with that standard, then it leaves you very blind to the broader picture. So thank you for bringing that up.
Yeah. Well, it's been fun.
Hey. Thank you so much for coming and talking and telling me your stories. That was... I loved it. And, hopefully, we can talk again in the future. And also, I think maybe a podcast in the future would be worth talking about compliance versus security. So you gave me a good idea there.
Okay. Anytime. Alright.
Thank you all for joining us. I hope you join us again back here at Security Slopes.
Thanks for watching. To watch more episodes of the SecurityMetrics podcast, click on the box on the right. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.