Listen to learn why ransomware seems to be so effective and how you can protect your business from being vulnerable to it.
With so many ransomware stories in the news this year, one would think that ransomware is a new technique used by threat actors. In reality, ransomware has been around for almost a decade, and so have the basic principles on how to protect yourself from getting hit with it.
SecurityMetrics VP of Assessments Gary Glover (CISSP, CISA, QSA, PA-QSA) sits down with host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss what ransomware is and how to stay safe from it.
Listen to learn:
Resources: https://www.cisa.gov/
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone, principal security analyst here at SecurityMetrics. And with me today, I have Gary Glover, the vice president of assessments. Is that correct?
Is that your That's correct.
Okay. Here at SecurityMetrics, also a well, that's even cooler than a principal security analyst. But, and it's always fun to have Gary on the show. We've had you on before.
Super knowledgeable. Lots of interesting things to talk about. So when the topic of ransomware came up, I'll be honest, we were gonna talk about something else. And Gary said, hey.
You know what's really interesting right now? We should talk about ransomware. And so we're going to do that. And it's I think it's an important topic because it is all over the news.
Yeah. We're just hearing over and over again. So let's talk a little bit about, first of all, what is ransomware?
Right. Well, I mean, it could be lots of different things, but mainly, it's something that comes in, grabs hold of stuff on your computer, and makes it so that you can't have access to them. Whether it encrypts it or or does something, now you no longer have access to your files and you realize I didn't make a backup.
Right.
And you realize they're asking for money usually in the form of something that you don't have, like Bitcoin or some other kind of thing. And it's like, how do I get that? Well, that's that's hard sometimes. Yeah. So then there's people that have businesses now that make you so that you can pay rent somewhere with Bitcoin and they make even more money.
Do you know the whole business aspect of it? Somebody asked me just recently, well, why are we hearing so much about ransomware now? And it's a couple of reasons.
One is, that there are are scripts. There's software out there that makes ransomware easy, but also ransomware as a business is now a thing.
That's right. There should be an acronym for that.
R a a s b or something.
Probably something that seems very unwieldy.
But, you sent me some quotes, and I really like some of them. So Anne Neuberger, is that how you say that?
I think so.
White House deputy national security adviser for cyber and emerging technologies. She sent a memo to corporate executives and business leaders this week, urging companies to immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure that you have the ability to continue or quickly restore operations.
That's pretty critical when the government's saying, hey.
Well, it hasn't been something that they've you know, ransomware has been around since twenty thirteen, twenty twelve. It's not like this is this new thing. Well, and ransom was around for much longer than that, probably thousands of years. Right? But, it's not that it's new. It's just all of a sudden, there are some really big things in the news, and governments and administrations are being forced to address it Right. Because many of it is is infrastructure related, potentially.
And if you, if you watch news, shoot. What's the the company that shows us political news all day?
The the, CNN?
Well, it's kind of like CNN. It starts with a c.
But, anyway, there's you can actually go and watch things happening in our Oh, oh, C-SPAN.
C-SPAN. That's what sorry.
That was really exciting.
Yeah. That's I okay. Yeah.
That's that's why I had a hard time remembering.
I'm That I watch C-SPAN.
You do?
I do.
It's well, look, that's pretty Just a night.
Well, that's where you get the what actually went on without all of the here's what I think about this.
And I I don't I don't wanna hear what people think about it.
What I wanna know is what's happening. And so I find it very interesting. For example, they're they're talking to, the the Jen Psaki and and ransomware happens. And then she'll get questions like, what is the government doing about ransomware? And the answer is these are private businesses.
What does the government need to do about? Yeah.
And so so sending out this thing and saying, hey, businesses, you need to take care of this. I think it's the right answer impartially, but, I mean, we could go down. Let's not talk about politics.
No. In general, what should the government be doing?
So no. Let's not do that. We'll get so many people writing in for all the wrong reasons. But the the thing is, I think the point I was trying to make is that people are really worried about it, and they're not quite sure what to do about it. And people who are impacted by ransomware that happens to a company that they have no say in, then they're left going, Well, what do we what do I do as someone with no power in this?
And what is the response of who's responsible and how do we fix this thing? And so I I liked two things jumped out to me about Anne Neuberger's comment where she said plans to ensure you have the ability to continue or quickly restore operations. And it was like you said, sometimes they don't even have backups.
Right.
But sometimes the backups are also encrypted.
Yeah. They're online as well. They also got them. Yeah.
So so I think it's it is a good time for a wake up call about what's going on. How do we do something about it?
Here here's another one. And, again, normally, we stay as far away as we can from politics because it's very charged. Yeah. It's a charged conversation.
And yet when we're talking about things that involve a lot of people, it's almost impossible to not have some type of government entity involved like the FBI. I mean, these are crimes. This isn't just, a hacker that's that's out there doing mischief or trying to see what they can do. These are actual crimes.
So we have FBI director Christopher Wray, who was quoted in the Wall Street Journal on Friday, June fourth Right. Very recently. While the FBI has a policy of discouraging targets of such cybersecurity attacks from paying the ransom, Mr. Wray said the agency was more interested in having companies cooperate with the bureau in their investigations into the attacks to help piece together the puzzle of who is behind the attacks and figure out ways to thwart them.
There's a shared responsibility, not just across governmental agencies, but across the private sector and even the average American. So you can see how they've taken and tied all of those together. The average person who has no say in what's going on, the companies that are going to impact their lives if they do get ransomware, and then and then you've got government governmental agencies like the FBI that look into it.
Right. Right. And I think it's interesting. You know, like I said, it's like we said, it's all over the news right now.
In fact, even this morning, I heard something saying, you know, again, the government saying don't pay those, ransoms. But it's really, really hard and tempting when you don't really know how to fix it. You don't know what to do. So I get there are many different solutions and ways in and out of ransomware, but, you know, it's fascinating how, again, like you mentioned, the first thing that sometimes we do is, who is doing something about this?
Right.
Are you doing something about this? Right. Right? And and it's like, well, wait a minute.
Isn't who me? Yeah. And, why shouldn't I know what I need to do to help the situation? And so I'd like hopefully, we can talk a little bit more about that because you'd think, oh, no.
There's no way I know what to do. Oh, no. It's it's horrible situation. It's terrorist.
It's the world is falling. Everything's going away.
And, sometimes feels like I don't even know what a Bitcoin is.
How do I how would I pay? You know?
But there are there are reasonable, knowable things that we can do to prevent ransomware. So I don't want people to get discouraged because this is the part where we tell people a little bit about why it's important right now. And it can feel a little overwhelming, but I don't want it to feel that way because there are things that we can do. We will get to that point in the talk. But I just wanted to go one more, very recent quote.
Yesterday. From yesterday.
Yes. From yesterday. Who was it? US Energy Secretary Jennifer Granholm.
Mhmm.
And what did she say?
She was on a CNN interview, and I I saw the video. Yeah. I didn't watch it yesterday, but I saw the video. And the guy asked her in fact, she was on CNN, CBS, all these different ones. They had her lined up, it looked like.
Right.
And she was asked, does the I don't know. Do the bad guys I don't know who the let's, you know, you can use the term the term everybody uses, the cyber activists or the the anyway, the bad guys were gonna say, do they have you know, what do they have power to do? Do they have the power to take over our power grid? And she responded.
She said, yes. They have the power to shut down our power grid today.
Now I don't know. She's not saying they're going to, and I don't know exactly what that means, and maybe she didn't really mean to get that deep into it. But I think it's interesting that they actually said that. When she said it, she looked a little nervous.
Like, I wasn't supposed to say this.
Uh-oh.
Uh-oh. But and I and I don't know that that's a secret. It's not like this big secret. You know?
No. It shouldn't be a surprise to anyone.
Be a surprise. And how I think the point she's trying to make is how easy is it to get somebody to open an email? Yeah. Right?
You and I could write an email that would be attractive to anyone to open. Right? And inside there, there could be something. And if you're on the right kind of operating system when you opened it, it might do something.
So and if you have the right kind of permissions.
If you're right. Yeah. Yeah.
So so there I think that's why, the direction is businesses. You need to convene today.
Right.
And figure out where you're at. And I just I just recorded a podcast, and I don't know if it's going to be released before this one or after. I'm not quite sure how where that's in the lineup, but it's on risk assessments.
And a risk assessment is the perfect way to look at what do you have going on in what way can ransomware attack this? And then what do we do from there? So we're going to get into that a little bit more as we go along. But, one one of the things that that you said was and also that FBI director Christopher Wray said was, who's responsible?
What is the government supposed to do? What are businesses supposed to do? And what are individual people supposed to do? So if you, as an individual, are feeling like I could get impacted negatively by our power grid getting shut down, what does that mean?
What does that mean to me personally? How many days could I go without any power at all, and what do I need in place if I don't have the ability to affect the outcome of this, provider?
What can I do for myself if I can't rely on them?
Right.
And and then make decisions based on on how do you how do you feel about the potential for that happening? Can you go with the, you know, a little bit of a fire pit in your backyard and some marshmallows for a few days? Or do you need power because you have some health issues that you need Right. Power full time for? Are there are there, circumstances that you know of in your life that you need to account for that these large companies maybe can't account for? And I think that's where the the individual responsibility and the individual approach to it can come into play.
Exactly. Yeah. And and that's kind of different than talking about cybersecurity. That's talking just about security in general and what do you need to do.
And, you know, that's a topic for for that I could put on some camouflage and we can talk about for some time. But but, that sounds fantastic. Another top that's another podcast you could maybe do, but maybe not a Maybe not a SecurityMetrics branded one.
So but it's true. You know, it's interesting.
As a person, often, I will when I'm when I got my fire pit out, I thought I think, yeah, I guess I could cook something on this every now and then if I needed to. Sure. And when I'm planning something in my garden, I'm going, I really hate weeding the garden, but if I ever needed to, I guess I could grow something. Those are kind of nice, but but that kind of that kind of confidence also goes to companies and to everybody else.
What is your garden at a company? What do you need to be doing to make yourself feel better about if something happens? Right? Right.
And, they aren't it's not rocket science. It's not amazing things that you can do.
And it's not just the US. No. So a lot of times, we we have a very a kind of a US based focused in this in this podcast. And I try not to, and I apologize for people who are outside of the US where it does feel like that is kind of the focus.
But this is where I live, and so that's where my brain is a lot of the times. But let's talk about some of the, the ransomware that has hit that is pretty high visibility. This hit far beyond, the US or even started, you know, its kind of wave outside of the US. One of them is, Petya. So that was two thousand sixteen.
And I think you found out that there was an estimated ten billion dollars lost in financial losses for for Petya.
And that's just financial losses.
Right.
You know, you can't quantify all loss from ransomware. Financially.
And, you know, I don't know that that I don't really know what data that is. I don't know if that's big companies. I mean, that just might be a whole lot of people Yeah. A whole lot of different entities. In twenty seventeen, two hundred thousand people were affected by WannaCry.
Right.
Or not people, entities.
Maybe not people. Well, and then WannaCry also really, hit, like, the NIH. So so the health systems over in in the UK a lot more strongly than they hit some other places. Right?
So you're not talking about just the, what, four billion dollars in losses from WannaCry? Mhmm. But that that's we're talking about people's health Yeah. Affected by WannaCry.
Yeah. It's interesting how you know, I I guess if if you were a criminal wanting to make money, where's the place where you're gonna get your money the quickest? And so, unfortunately, their targets can be places that are critical. Yeah.
You know, we saw the Colonial Pipeline. That's critical. Yes. And, that made my gas cost more.
It did. So It did, and it still cost more.
Still cost more. Wait. What happened? And, but it's it's they're trying to think where can I get paid fast?
You know, attacking a whole bunch of people on their personal computers and getting their photos and their and their tax forms and all that other kind of stuff, it's it's probably, you know, like small ecommerce or whatever. Right? But, what they're really looking for are these places that people need. And I and I think, you know, we've saw I don't know whether it's kind of testing the waters, and now people have had so much time just sitting around thinking, now they're going, we better really go out to some of these big ones.
I don't know. But it it doesn't seem like there were as many really large in the news items than there have been just in the past few months.
Right. And, again, it comes back to that business business. The the concept of ransomware as a business is evolving, where they're realizing, oh, I could go to these two thousand individuals that I have locked up their their machines and and get them to pay me a hundred bucks each to unlock it. Or I could go to Colonial Pipeline, which is so high visibility and so necessary that then the the pressure to cave to the financial demands is very, very high.
Right. Because it's affecting lives. Yeah. It's not just affecting your photos or something. Now I I think it's interesting that, you know, you also jump when you attack a company like that, you jump into a new pond, which is somebody's gonna look really hard for you. Yeah.
And and, you gotta be really confident. You know? And so I think what we're seeing is organizations, which is which is the even more disturbing thing, the people that are doing this kind of attack on a really large organization with high visibility and high priority and high critical, they're feeling bold enough that they're not gonna get caught. Right?
So does that mean they're getting stupider, or does that mean that there are bigger organizations getting involved in this? I you know, we don't know. And that's part of I I think, you know, when you say what should the government do, there's not a whole whole lot that they can do for me personally or even for my company. Mhmm.
But what they can do is somehow do diplomacy, the the national relation international relationships with people to say, look.
If you guys find out about these people in your country doing this, then take care of it.
Right.
So so agreements that So those kind of things I agree government can do.
Sure. You know? There's a lot of our own responsibility, which we're gonna talk about. But government should really again, we're not supposed to be talking about this. Government should focus on the big stuff. Yeah. Yet we look at we look at them like, what are you gonna do for me?
Right. Right. And and and the government cannot come in and fix my my company's systems for me.
Because it's too late then.
Yeah. Exactly. And also, do you want the government coming in and doing your cybersecurity? No.
No. But if somebody goes after our critical infrastructure, then they need to make the decision whether that is a financial act or an act of war, which. Right. And and then act accordingly there.
But so so I think we the reason why we we kind of look at what are these big inflammatory ways we can look at ransomware is to know what is the breadth of it and then how do we bring that in again to the original statement, which was what is your responsibility at your organization and how do we address it? Right. So we we can get, worried and and worked up about where ransomware is happening. But, you know, the individual has to make decisions for themselves based on what they what they know.
How can right. What do I need in life that is so critical to me that if this organization were hit by ransomware, it would affect me? And then you ask yourself, well, who are the people who provide this, and in what ways are they addressing security?
So for me, I travel a lot for work. And so when I fly in an airline, I wanna know that that airline is protecting my security Right. As I fly. Right. And so I have the chance to to go with one or another or another, depending on what's the reputation, what is their, security, what what do I know about their security? And and this can be applied in in any way from the individual level. Let's get back, though, to the to the, the more the corporate level, which is where a lot of the ransomware is being leveled is at the corporations, because these are the guys that have deep pockets and and can possibly pay and will want to pay for ransom.
They need to keep their businesses going. Right. So they can't take a break.
So we already talked about the Colonial Pipeline, but then we just heard about the meat supply getting impacted by, oh, shoot. What's the name of the the, beef processing?
Is it JSB?
They're Something like that.
Something like that. They're out they're out of Brazil.
They're headquartered out of Brazil, but but they have meat packing plants Right.
All over the US. And and something that happened what was it? Last week? Yeah. All of a sudden impacts, meat supply.
So so now our gas costs more and our meat costs more and life is But don't travel and don't barbecue.
And don't yeah. No barbecues this summer.
And another group and this is another place, not just big companies, but we're also seeing it in municipalities.
So cities like the city of Atlanta Right.
Hit with ransomware.
These city levels often don't have enough security built in. They don't have the the, kind of robust security program.
And that might mean budget as well.
And they might mean budget. Exactly. But they, so do they have the budget to pay the ransomware?
Right. And when are they gonna get the budget? And and so there's a lot of time involved in some of these decisions.
Right. Right. Okay. I think that we have really addressed pretty broadly where ransomware gets focused and what the conversation and kind of kind of the feeling, out there now about what is happening with ransomware and why am I stressed about it? If you're stressed about it, a lot of it times is because you can't control it.
Mhmm.
And so maybe knowing more about it can help us, you know, reduce those stress levels. So how do how does ransomware happen? How does it even get into someone's system?
And and we'll never have a a total answer for that. But I think as you've heard on the news and many other places, the main way that any type of malware typically is getting into people's systems are are two big areas.
One, you leave a door open Mhmm.
And people get in through a through a service or a port or a website that that you just haven't done a good job looking after Mhmm. Because you're in a hurry and you want the developers to move quickly. Whatever it is, there's there's many reasons why errors get thrown into publicly facing networks or applications.
The other is just email and clickbait. Right? You know? Or even website clickbait. Any any if you're in an area playing a game or doing other stuff, you know, it is just like catching a virus. Are you being good? Do you have your mask on?
Yeah.
Do you have your are you thinking about what you're doing and where you're doing and before you click on an email?
So a lot of it is human interaction training. A lot of it is personal, habits and training, of what you're gonna do. So it can come from a lot of places. I think some of them the bigger attacks we've seen have been confirmed to be phishing.
Mhmm.
You know, email phishing attacks. Yeah. And, again, there's the human element.
And and you talk about what can I do as a person Right? Right, to protect either myself or my company, that's the main thing is think before you click.
Right. If there's an, a link in an email and the email says, click here to learn more, don't click there.
Right.
And you didn't win an iPhone twelve.
Exactly.
I got two of those today. I I could have had two iPhone twelves today.
Yeah. Nobody and and I'm not gonna say nobody is going to, tell you to click on something to change your password and it be legitimate. I'm not because I've seen those come through. And and every time I see one that is legitimate, I just think, don't train your people to click on something that is, in other circumstances, not legitimate.
So if you get an email and it says click here, we need you to change your password. Hi. Thanks. Your IT department.
Don't do it. Don't do it even if you know it's legitimate. Instead, send it back to them and say, hey. Can you check on this?
This looks like, this looks like, phishing to me. Right. And so it helps kind of train the IT company or IT, group, behavior as well. Yeah.
To, you know, are we all in this together knowing what do I see and and what am I aware of? But let's say that you're, an individual and you get an email from your, bank. Mhmm. And the bank says, here, you need to click on this and and enter these things.
And, oh, by the way, you need to put in this code that we're sending you to your phone. Well, if it's originates from somebody else, there's a very good chance that somebody else is trying to get you to give them information.
And by entering that information online, they get the information. Yeah. So that's where a lot of spear phishing actually works.
Yeah. So, again, the places where the ransomware is coming from are the places where everything has come from for the last fifteen years.
Mhmm.
And the more people have email, the more people that are online, the more people that are clicking on things and going to websites from Instagram and every everything. Right? I mean, the more opportunities there are for people to get into a space. And I'm not saying that every place you go or every place you click. I mean, this isn't the sky is falling the world. You should stay in your home and never click on anything ever again. No.
You you should just be wise Yes. And think before you click. And if you if you don't need if if you read the title and you go, that's probably, I mean, it's tempting, but no. Right?
And, you know, even if that happened in many places now, that won't get it every time either because you can write a really clear and nice message that looked like it came from HR Yeah. From the city of Atlanta's HR. Whatever it is. Right? I mean, some so I shouldn't say that. I'd that's not how that happened.
No. It's not. Sorry. But it could.
Of of where does Batman come from? Gotham. Gotham City from the Gotham City HR department don't click on it. Right? I mean I mean, it it it might be real, but you could also make anything look real.
Mhmm.
So confirm like we always do in IT audit. You confirm and you check if you're worried about it. You know, you can't ever get in trouble for saying, did this come from you? Yeah. Call call them up on the phone and say, I'm just checking to make sure this came from you guys. Yes. It did.
Do you know, I like that you said that because if you confirm something from a different channel, Mhmm.
Then then you're going to be able to to, really detect some of these, phishing emails a lot better. So you get an email. Hey. This looks like and and we've seen this.
I wish I can remember the name of the group where somebody's senior enough to, wire millions of dollars to this account. Hey. This has to be done through the email. I'm just getting on a plane.
Make sure that gets done before I hit hit the other side. Well, what they're saying by, I'm just getting on a plane, was you can't call me and verify.
Right. And so the person's stressed out because somebody senior asked them to do something without verifying it.
Right.
Well, there should always be a process in an organization when they're when you're doing something risky to verify it in a different using a different communication band such as phone calls.
And if and if they're not planning on that, then they are learning, oh, we should be doing this different. Maybe we communicate first in another way with a poster, with a with another phone call, with an email message that you know is from a specific person, whatever, that has no clicking in it saying you will receive this. It will look like this. That is us.
Yeah. Right? So and and by by doing the checking and they they're just going, oh my gosh. Another people's another person's calling me about this email.
They're gonna think maybe we ought to do this differently in the future. So there is that kind of corporate behavior you could help, yourself by just having good email hygiene and and a healthy level of doubt. Yeah.
Not fear and not uncertainty and not Mhmm. Oh, no. I can never go anywhere or do anything ever again. I need to stay in my house.
No.
It's let's just think a little bit.
And it's okay to verify. It takes very little time usually to verify that something is correct. And, honestly, I think it's funny whenever I sent send, because on occasion, our IT department has sent something that has a clickable link. And I just think, I know who sent this, and I know why it's like this. So I'm gonna send it back. Yeah. And then I think it's funny and then but it gives them a chance to win it.
Again, so they can think about their process. So that is something you can do, in your own behavior at a corporation Right. Or at home.
But So it gives you it gives you a chance to be able to say, alright.
There are things that I know that are very common ways of ransomware gaining on a system because ransomware is a piece of software that can't just fly onto your machine without a connection.
Exactly. It doesn't seep through the keyboard.
No. Exactly. It has to get there in a way. But there are are kinda easy ways sometimes. One is if you go to a, a website that has, that is infected with with malware, you can, depending on how permissive your settings are on your computer, download and install, software just by going to a website that and you don't even know about it.
Exactly.
But then that says, okay. If you're relying on people to just know things to protect themselves, then the underlying system doesn't have enough protections on it. And so an organization should be putting these just basic things on your computer for you, like malware protection and, things that sometimes annoy us, like whitelisting. In other words, you get to go where you need to go in order to do your job.
Job. Or you can install this software from our location, but you can't go get a game or some other interesting audio processing software. Right? And and, again, that's a that's the other corporate behavior that's one level above from from somebody that owns a company laptop, and that is you have to classify your users and say, what do I trust this person to be able to do?
You know, maybe if he is a security guy in cybersecurity and IT or whatever, you trust him at a higher level. If he's in, front desk or sales or or somewhere else, you just say, you know, I'm sure there's some really smart people and great people, but we're gonna not let them do anything else to this computer. And, you know, we've seen that for years Mhmm. Especially with big, large corporations.
You can't install any software, you know, or even a change of the OS or anything. You know? Right. And that's one of the reasons why they've done that.
We're and we're getting a little bit into some of the mitigations for ransomware. How do we prevent it? Which I think is a great topic to ship to right now. Because like you told me the the other day, people ask, well, how do we take care? How do we prevent ransomware?
Well, there is no prevent ransomware button.
Right. And there's no software you can buy. No. And so don't look for it. No.
Don't look for ransomware software. No. I mean, ransomware and prevention software. No. You shouldn't look for ransomware software either.
No. That's not a bad idea. But there are companies that say, if you had this, you would not have any problem with ransomware. And that's just nonsense.
It is. Now maybe they have one product that helps one part. Yeah. And so you can say, yes. We help prevent ransomware. We prevent ransomware. It's marketing.
But, you know, it's really you know, we were talking the other day about this topic, and and thinking back fifteen years, the same problems exist today as existed fifteen years ago.
Right.
And and ransomware is not this amazing thing that's thwarting every every known security control that's ever been devised in the past fifteen years. Sorry. Yeah. It is it is exploiting the same problems we have had from the very beginning.
New and unknown.
And there isn't one thing that you need to do to fix it.
Mhmm. You need to just up your game, go back to basics. I mean, how many times do we hear that in every aspect of our lives? Go back to basics and think, and don't don't go read the next book that's gonna change you. Don't don't whatever.
You you need to to evaluate the problem, go back to the basics that you know, and start coming up with a solution. And, you know, I'm sorry to say, you have to have good habits.
Right. And and it and it's that back to that idea of defense in-depth.
And and defense in-depth really means one security control is zero security controls, and two security controls is one secure. Right? So so the the the security controls that you have in place should, overlap and support each other. And and let me give some examples.
If you have, a strong password and multifactor authentication and you also have logging in place that tells you somebody logged in that should not log in even though they had the right password and this, you know, multifactor authentication token that they still they they should not be in, they they shouldn't be in Indonesia right now working at two in the morning, for example. Right? That would be Mhmm. For for a lot of companies based in the US, that would be an abnormal behavior.
Right.
And so having these detect detections in place that tell you abnormal behavior, then you wanna know about that because and that's a potential indicator that something is going on that should not be going on.
Right. So let's just talk about some of the easy things you can do. Yeah. You wanna do that?
Yes.
You know, again, it's when when I started thinking about this, it's like, oh my heavens. This is such a big problem. What can we do? What can we do? And then you kind of sit down and you think, well, what can we do? Well, how does it get there?
Emails, k, training, email filters, good virus protection.
Right. Oh, backups. Mhmm. And keeping your backups maybe in a place that's not on the network sometimes or at least some of them.
Strategies for rebuilding a new computer, and and and that's where it's getting really easy with Docker environments and Kubernetes and all these other things you can bring up instances that you know are clean in an instant.
But what is your strategy for for, boy, this basic hygiene, updating your OSes, training your people, doing your antivirus, doing your, backups, and having a good response plan. If you detect something, what do I do? Right. I run around and say, oh, no.
Oh, no. Ransomware. Ransomware. Where's the Bitcoin? Mhmm. You go, okay. Shut down everything. Start from the backups.
Reload everything. Right. How do we know that there's not ransomware there? That's something you've gotta talk about and come up with your business business continuity plan.
You work with professionals if you need to on those types of things. But isn't it interesting that every one of those things, there's no there's no buy this new super cool ransomware prevention program and install it. No. There's no, install this thing, and it will laser anything that comes into your network and kill every you know, it's there's no there's no missile defense for for this stuff.
Right?
No. It's just the same types of protections we talk about when we talk about a solid security program.
And that's been fifteen years, you know, since I've been working in this industry. It's the same message.
Right.
And it sounds familiar because it is familiar, and it should be familiar. And the news cycle is bringing it up really important right now, and people are thinking, oh, no. This is a new horrible problem. No.
It's the same It's the same problem.
Horrible problem.
That we've had everybody's had, not just the United States. The world has had, corporations have had because they focus on making money. Yeah. And they focus on serving people.
They focus on whatever it is that they're doing, and, it's hard to think, well, my network's gonna be okay. I'm just a small fish. Nobody's gonna worry about me. Nobody's gonna you know?
And then you get bigger. Your company is bigger, bigger, bigger. Anyway Yeah.
Unfortunately, you just gotta be disciplined.
Right. Darn it. Do you know one of the things that has has really kind of shown me two things that I think are are helpful that a lot of organizations still don't have in place, even though we've been talking about them for years and can make a real difference. And that is, multifactor authentication Mhmm. Is is number one.
And that is where you don't just rely on a username and password in order to get into a system, especially if if you can be anywhere in the world and use any computer to log in to something that has critical value to your organization, just using a username and password, that means all the bad guys have to do is get your username and password, and then they too guess it.
Or guess it or guess it. Because how many of us have a username that's easy to guess because it's a lot of times just our email address.
Right?
And so you don't even have to guess the the username.
And then if we have passwords that have been reused at different sites Right.
Because, well, that's just my that's the password I use for secure things. Okay. But it did you use your password, for example, that we already talked about Marriott? Did you use your password for Marriott, and so your username and password for Marriott have been compromised? And maybe it's a different, email that you someplace else, but if if the bad guys can associate or even if if it is the same email and password Mhmm.
And they're like, well, you used it here.
I'm gonna try using it on your banking.
Right.
I'm gonna put it through every bank that has a a login and see if it if we're able to get in using it. And so it's just that easy.
It is. And and like you're saying before about multifactor authentication, there is no secure passwords anymore. I'm sorry to say. Yeah.
We built for less than ten thousand dollars a a machine that's faster than fast Mhmm. You know, and can crack passwords in in hours Yeah. Even if they're really tough.
So Even if they are yeah.
I've I've, seen it in action.
And it's really cool looking. But, anyway, all you gotta do is spend a little money Mhmm.
And you can get and I'm not saying you can crack every password, but, okay, you can crack ninety five percent or eighty percent of passwords.
That's a lot.
Yeah. That's enough to be able to get into a lot of organizations.
You know, you can still have good long passphrases that are, you know, some family phrase that nobody else would know, maybe. I don't know. But but still, two factor authentication is almost necessary now. Do it on Instagram.
Do it on everything. Right? Exactly. So, you know, there the other thing that I wanted to point out is is that even though there's no easy button, there are places that you you don't have to trust me or Jen or SecurityMetrics or anybody.
You can go online and just search for ransomware. I don't know if we can put links at the bottom of the video or whatever.
You bet.
We've got these ones from the the computer information the CISA organization, computer information security agency. I can't remember who that stands for. Is that what it stands for?
So so oh, shoot.
We're gonna get this wrong, and people are gonna laugh at us. But that's okay.
Missus I just saw We'll have the links down there, and there's, like, slash ransomware.
And here's a guide. Here's a PDF.
There and these are gov sites. Right? So Right. Hopefully, you know, if you're wondering what the government is gonna do for you, go to these government sites and find out what you can do for yourself.
Number one. Because the information is out there. They share it with us.
Been there. Yeah. Mhmm.
And it's getting refreshed right now because it's very important right now Yeah.
For for those to look at.
And so, Cybersecurity and Infrastructure Security Agency.
There you go. Okay.
That seems like a mouthful.
So if you just call it CISA. Oh, and I and, you know, a minute ago, I said there are two things that you could do, and and one was use multifactor authentication, and then I didn't say what the second one was. Maybe I should do that so that the people out there listening would be like, you can tell us the second one, and now it's driving me crazy.
I'm sorry. You have to pay for that secret.
Well, the second one is network segmentation.
Oh, very good. Yeah. I wanted to talk about that.
Right? Because that's actually the well, as far as we know, and we don't have all the details yet because it's still fairly fresh, and it takes time to figure out what happened and what could have prevented it. But it's looking like the, Colonial Pipeline hack happened because, malware came in through email. Mhmm. Potentially.
Don't only do that. Could have been something else. But but it was through a user clicking on something they shouldn't have that then affected the pipeline operations.
Well Why are those two on the same network segment?
Right?
Exactly.
You should never have your email Could they travel through?
Yeah. Being a system with such connectivity to your Critical operational. Yeah. Yeah.
That critical Well, let's talk about that for a minute because I think it's it's really interesting.
And we've we've seen we've we've audited. We've looked at, you know, seen and hefted millions, you know, lots of networks over the years.
Hundreds and thousands maybe.
You know, the the interesting thing is you think people are in these big corporations.
You know, we've we've looked at really large financial organizations. We've looked at really large merchant organizations.
Sometimes everything is on the same network.
Right.
And you know what?
That's awesome for IT. Yeah. And that's awesome for business people because they have access to anything and everything whenever they want. There's nobody they have to interact with.
Mhmm. They can just see the computer. You know, you're sitting at your desk, and you can check the controller for that pump for the pipeline. Right?
And that's very convenient. And awesome.
Yeah. But guess who else is convenient for?
But it's also convenient for bad guys. And so, you know, we can't we talked about this the other day too. You can't just say, my perimeter is so strong that nobody can get through it. I have multifactor authentication.
I have, you know, really good app developers. I have email filters. I have really good people. Nobody will ever get in my network.
Yeah. I can't Yeah.
Can't say that.
Blind to yourself about that. So assume that people will get inside your network. Mhmm. Now if they're in the soft gooey center, what can they do?
Well, can they go anywhere and everywhere, or can they only be where they've landed?
Mhmm.
And and I think that's critical. And when you say the word segmentation, we talked about that. What the heck does that mean? And do people even know? Right. Please define segmentation.
And something about armadillos, I think.
Yeah.
And and, it's just splitting up your network into chunks that don't really talk to each other unless they have to, or very carefully, they talk to each other through very controlled access points.
Yeah.
That makes, your IT department have to know what those points are.
Sure.
And that makes when you wanna talk from this zone to this zone, you have to ask somebody to let you do it.
Right.
And that is inconvenient, and that is making us not make money. And so there's all these pressures from various entities in the business that are saying, no. No. No. No. You're keeping me from making this sufficient.
No. No. No. We're keeping us so that our company will remain solvent Right. In the in the event of an attack. And this is a war. Right?
So is it the department of no, Or is it the department of let's figure out a better way?
Yeah. Exactly. And so, you know, let's so so like we said, here are the basics.
So don't go looking for ransomware software I mean, for ransomware prevention software. Don't go looking for an article or a website that's gonna tell you this new amazing product that you can buy or a service that you can buy that'll take care of everything. No. Go back to how was my network designed, how am I doing my basic backups, how am I doing my training of my people? How am I updating my OSes? How am I it's the same story that us security people have been saying over and over and over.
That last one that you said, I I almost said there are three critical ones because the No. No. Four.
Sorry. Monty Python.
Thank you, Monty Python.
Because, patching your systems, and applications is is critical to preventing known, vulnerabilities from being exploited. And so, when you have a vulnerability and and you know it exists, of course, you should patch that. Right? So there should be programs in place.
There should be the processes in place that that that that take care of that aspect of things as well. So and yet, like you said, these are basic things we talk about over and over again. I I still I can't get over the time that I that I gave a talk at a security conference, and it was a live hack demo. And I used the, you know, getting through an RDP port.
Mhmm.
And and one of the comments I got was, well, why? Yeah. Say remote desktop. Yeah. So remote desktop protocol is where you can get into a system remotely through this port that lets you in. Right? And and the comment was, well, why do you keep talking about these old things?
Because RDP exploits are still one of the main ways that systems get exploited.
We we Brad and I, the CEO, were at a big security conference, and we did a scan of the the wireless network, all the computers on the wireless conference network, and forty percent of the people had RDP open.
Open.
And this is a security conference.
Come on in.
So you know? And and I it's easy to do that kind of stuff, And so that's why we have many multiple layers as you're saying before. So what happens if you do get hit by ransomware? Yeah. What do you do?
Oh, you just pay it.
Pay it.
Yeah. Yeah. Just pay it. No. You just pay it. No. You don't pay it. You know why you don't pay it?
Because they're gonna come back.
Yes.
If they That's called organized crime.
Yeah. Yeah. Called a protection program. If they have We've heard of those before. Somewhere. Chicago, maybe. I don't remember.
If they have already exploited your systems and then and then you say, alright. I will pay you these millions of dollars.
Then the do you think they're just gonna hand over things and go, oh, we're walking away now?
Nice. They're honest. That's all they want is just that first payment. That's all they need. No.
So that's why it's better to and and that's why I think the government and all the people at the government I think that's a good message for government as well.
We can come back to the government again.
Pay the ransom.
You know, now that's I think you have to say that this is life in general where you say, here's the rule.
You have to decide on the exceptions to the rule. So I'm not telling you that in every single case, there might not be an exception.
If life is involved, that kind of stuff, you may have to to make an exception.
But in general, the rule is take your take your hits Yeah.
And and do better.
Do better. Well, do better before you get ransomware.
Right. Do that first.
But if you do get ransomware, you know Why why don't you you know, one of the things that most organ let's say all organizations that are in the cyber world should do a risk assessment at least annually.
So as a risk assessment test this year, what would be great is if everybody went and said, alright. If we were ransomwared today, how would we deal with it? And then do run that incident response and and run and then fold that into your risk assessment. Find out what what would your actual ability to recover Right.
Be? First, you have to do that as a thought experiment. Yeah. And then you can start thinking, now how can we make this thought experiment real? Let's swap out this part of the thought with, let's try to restore this backup.
Right.
And so you do have to I think that's one thing that over the years, I've as we've done a lot of assessments, we we would talk to people and say, well, what's your incident response to business continuity? Well, we sat down. We thought about what we do. Okay. Well, that's that's good.
It's nice that you thought about it.
Should probably practice. I mean I mean, that's what that's we're in a war. That's what the military does. They practice over and over even though they never have to do something, let's say. So we're we're in a time of peace.
So back to but what if so that's what we do if we have not yet been ransomed.
But if ransomware hits So what do you do? So what do you do? What's your first We went down and we I looked for some advice out there on the net because there's it's so much So much free information.
And some of these are from government sources. And, you know, I think, they have kind of five basic steps. Number one, ask for help. Right. Right? Don't just say, oh, shoot.
I am so embarrassed. Yeah.
Nobody will ever know that this is gonna hurt our company's reputation, so I can't tell anyone.
You know what?
Ask for help. And, you know, you can help privately or whatever.
You can contact us going to hurt.
See, I say you contact the FBI, the Secret Service. You know? Now if it's two hundred bucks for your house, I don't know. You you know, you have to make those kind of calls. But for large corporations, ask for help.
Mhmm.
Work with an experienced adviser to help recover Right.
From those things.
Because you might internally not have the expertise Right. To get there. If you even if you have internal expertise for running the day to day, recovering from a ransomware attack can be significantly more difficult.
And it and it might be nice to know how they got in. Right? Yeah. If you knew how they got in, then you can figure out, well, we'll at least not make that way easy to get in again.
So forensics forensics maybe. Isolate those affected systems. Right? And make sure that you're turning off things, unplug things.
Don't let it move. There's a lot of this ransomware that moves from one even from one zone to another. If you've got a network that's been chunked up Mhmm.
And and and reinforced in cells, sometimes the ransomware can get through through some weird FTP or or or If they have the right IP.
Yeah.
If they have the right ports available It can sneak around.
It can get through there if the right services Right. You know, present themselves.
So isolate what you've got. Disconnect things from the network. This is pretty much any incident response. Sure.
Whenever you get a Isolate problem.
Isolate. Yep. Then review those connections, relationships, look for, you know, partners that may be affected, vendors that you might need to get in touch with.
Because whether it came from the vendor or you're sending it out to the vendor, that call has to happen.
It's it's not fun, but Right.
You have to let other groups know, hey. You could be infected as well. Right. And so that they can do the same things and shut it down as quickly as possible.
Right. And, you know, it's it's interesting.
I thought that it was interesting that we did hear about the Colonial Pipeline thing on the news. Right? I mean, there are maybe places in the world where that wouldn't be something that you would necessarily hear right away about. Mhmm.
And and so making it just saying, alright. Here's the situation. Let's get working on it. Again, tell the truth and get working on it.
Right.
And take the consequences.
Yeah. We don't looking for blame right away is never a good idea because, first of all, it slows the process down, and it takes good brains away from solving the problem, which is how do we get back to business?
Exactly. So, and then start looking at your impact business assessment, impact assessment findings, prioritize what you're gonna recover first.
Right.
And if you don't have those plans, then you're gonna have to make them Right.
Right while you're doing it.
That's But which is the more difficult.
So that's why you start thinking about this stuff. So after you're hit then and you've kinda recovered, what should you do? Mhmm. Well, go back and do the basics.
Do all the stuff you're supposed to do before.
Right.
And, correct those issues. Don't let yourself be an easy mark.
Right.
Going forward.
So in other words Learn from the taken you know, so hopefully, the Colonial Pipeline guys and whoever else are going food guys are going, oh, okay.
That hurt. Yeah. But here's what we're gonna do now. Right. And so, you know, make it a positive thing even inside your company, and and fix it.
Block up your networks if you haven't done it before.
Work on making it hard to get data back out of your network.
You know, that's a really good point because it it at one point, it was just, ransomware is it encrypts it in place.
Mhmm.
Now now it's not only they're gonna encrypt it in place, they're also gonna take it out, and they're going to try and pressure you.
We're gonna release it if you don't give us.
Mhmm. Whatever. Yeah. We're gonna release it.
We're gonna sell it or we're gonna do whatever.
So you have to assume probably will do it, frankly, if they haven't.
So So you need to assume that if you're ransomwared that you also have a breach.
You may you may have lost the data.
The the information may may be already out there. Yep.
Yeah. So and then and then you go into regular reviews Right. Over and over and over. And, you know, this is the same message that you've heard from any security company, physical or not, for years is, I'm sorry. You've just got to remember over and over. I had to go to security training over and over and over again when I worked in an industry that required secret stuff.
Right.
Sorry. Well, I remember it from last time. Nope. Yeah.
I know. Gotta do it again. Yeah.
So, anyway So this is, this has really been some super information.
I know that, we could probably talk four hours about how to deal with ransomware because it does come back to the basics. And and when when you're talking about the basics of a security program, that's an extensive amount of information on what you can do. But I think that the important takeaway today is ransomware is not, a big new flashy thing that you have to use big new flashy tools to address.
It's it's another way of exploiting information and that can be addressed by the same type of security Same old.
Same old.
Security controls that we have always been talking about. Alright. Well, thank you for joining me today.
It's been great to be here. We'll have to do it again.
And thank you all for joining us. I hope to see you again on the SecurityMetrics podcast.
Thanks for watching. To watch more episodes of the SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on your favorite podcast platforms. See you on the slopes.