CyberWire-X 11.21.21
Ep 22 | 11.21.21

How ransomware impacts organizations.


Rick Howard: Hey everyone. Welcome to CyberWire-X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire, and today's episode is titled "How ransomware impacts organizations." As ransomware attacks rapidly rise in frequency, eye-popping ransom demands grab headlines, and consumers experience product shortages and difficulty getting services as the organizations they do business with are knocked offline. However, little is reported about the impact of a ransomware attack inside an organization. In this show, we cover what steps organizations are taking now to prepare for a ransom attack in the future and what happens to an organization on that especially bad day when ransomware comes calling.

Rick Howard: A program note: Each CyberWire-X special features two segments. In the first part, we'll hear from industry experts on the topic in hand and, in the second part, we'll hear from our show's sponsor for their point of view. And, since I brought it up, here is a word from today's sponsor, Keeper Security.

Rick Howard: Keeper is the top-rated cyber security platform for protecting organizations of all sizes from the most common password-related data breaches and cyber attacks. Did you know that 81% of data breaches are caused by weak password security? Keeper is more than a password manager. It's a scalable and customizable security platform that includes industry-leading features, such as automated user provisioning, role-based enforcement policies, SSO SAML integration, advanced reporting compliance, BreachWatch dark web monitoring, and more. Members of the CyberWire community will receive a free three-year personal password manager when they take a business demo. Visit to learn more, and we thank Keeper for sponsoring our show.

Rick Howard: Joining me at the CyberWire Hash Table is an old army buddy of mine, Don Welch.

Don Welch: My name is Don Welch. I'm the Vice President for Information Technology and Global Chief Information Officer at New York University, and I completed my second week there, having recently started in that role. Previously, I was the CIO at Penn State.

Rick Howard: Yeah so, you've been a Hash Table member from the very beginning, and you've now just taken on this new role so, congratulations.

Don Welch: Thank you. Yeah, it's exciting.

Rick Howard: So, we're talking about ransomware and, you know, you've got a lot of experience in this kind of stuff, Don, and I'm wondering, you know, you're looking around, you talk to your peers out there, what do you think the most common root causes are that make organizations susceptible to a ransomware attack? What is the thing they're not doing that allows them to get attacked like that?

Don Welch: So, I think it's the fundamentals. So, are you keeping your system patched? Do you have good backups that you test, and do your people practice good IT hygiene? Are they aware of emails and clicking on links, and so forth? But, really, I think ransomware exploits a lack of the basic blocking and tackling that we all need to do.

Rick Howard: Yeah, the non-sexy stuff. Of the three that you listed there, I'm a big believer in backup plans and testing backup plans. And it turns out that a lot of people haven't really tested those things, especially as our environments have gotten way more complex than they were when you and I first started doing this, many, many years ago. You know, having a backup plan that covers all your cloud deployments and your data centers and your laptops and your mobile devices, the complexity level must have skyrocketed for organizations like yours.

Don Welch: Yeah, I think you make a great point in that, we struggle to know where our information is, how sensitive that information is, and then whether or not it's properly backed up. But, any large organization, especially one that has a more federated IT management, people are putting critical information in lots of different places and it's very difficult for the security team to keep up with that, understand how important that information is to the institution or the organization, and then to properly protect it. But, if you don't know where it is, and you don't know how important it is, then it's very difficult to protect it.

Rick Howard: So, ransomware has been around for, Jeez, over a decade now but, it seems like in the last couple of years, the organizations behind those attacks have really ratcheted up the kinds of damage they can do. And, the question I have for you is, you've had a chance to, you know, talk with your peers and things, what goes on after you have been hit by a ransomware attack? What is the impact to an organization? Can you walk us through a little bit of that?

Don Welch: Sure. So, the first part of your question, what goes on is sheer panic travels throughout everyone who has been told of the problems that we've got. And so, there's a lot of running around with their hair on fire. Hopefully not. I think many organizations now have a process and they, hopefully, practice it with tabletops to understand what is the decision making process. So, the first thing is understanding that you are attacked by ransomware and taking whatever important steps there are to contain it so that it doesn't spread throughout the organization.

Don Welch: A lot of ransomware attacks are more focused and are designed to spread, so that's common. You want to avoid that as much as possible, and contain the damage. And then, in parallel, you're working on the technical recovery. So, making sure we've got those backups, we know what's going on, we work through our disaster recovery plan on how we are going to recover these systems and so forth. Making sure we understand how far back in time the intrusion goes, to make sure that we don't just restore the ransomware along with our data. But, at the executive level, there should be a process going on about how you communicate this throughout your organization to your stakeholders. In many cases to regulatory regimes, to meet compliance requirements. So, understanding that communication and then, trying to make sure that you make the decision on what you are going to do.

Don Welch: The FBI encourages us not to pay ransom, and I think most organizations would prefer not to pay ransom but, in some cases, there's a decision made that it is the best for all the stakeholders of the organization to do that. If you are going to do that, making sure that the right people are involved in the decision, that they fully understand what the circumstances are, whether the information can be recovered, how long it will take to recover it. What kind of organization we're dealing with, trying to find out what their reputation is. Do they, actually, give you valid keys? So, all those things go into the decision and, of course now, a lot of attackers are not just encrypting your data but also stealing it. So, they're exporting it out of your network to, kind of, up the ante in terms of the damage they can do to your organization.

Don Welch: So, knowing what they might have and whether their claims are correct, are all important going into that decision; do you pay the ransom and, what can you do technically to try and mitigate this attack? So, it really is a very big incident that goes across the institution, should involve general counsel, executive leadership, risk management, obviously, IT people, business leaders, so that you can understand what the impact of the recovery time is.

Rick Howard: You mentioned tabletop exercises and those are key here, because you don't want to be explaining the options of do we pay ransomware or not pay ransomware during the heat of the battle. In those tabletop exercises, you're trying to explain what are the triggers that will make us pay the ransomware, right? And so you, at least, have those discussions up front, without having to do it under, you know, when you're, like you said, with your hair on fire.

Don Welch: Yeah. And I think with tabletops, it's really good to explore what you consider to be the unlikely scenarios, because most of us are not really good at predicting, when a catastrophe hits, what that catastrophe will look like. And so, I've been in tabletop exercises where, especially the IT people will say that, "Well, that will never happen because we do this and we do that." And, yep, you certainly hope they're right. But, but maybe have them--

Rick Howard: [LAUGHS] History shows, maybe have a backup plan. Maybe we should think about it just a second, okay, just in case.

Don Welch: Yeah, let's put a little bit of time in it, you know. In the Army, we used to say, "When the map and the ground differ, go with the ground."

Rick Howard: [LAUGHS] That's exactly right. [LAUGHS] I, you know, I used to do a lot of these tabletops in previous jobs and, one thing I always learned, talking to executives, when I assumed that they were going to make a decision to go left, many times they had good reasons to go right. And it didn't matter how many times I did a tabletop, I would always be, I don't know, surprised maybe is the right answer.

Don Welch: And I think that's exactly why you want to do it. From an IT perspective, we have a certain understanding and perspective. And we may think that, well, you know, we should just do this and recover it, we prepared for it, and so forth. But, they have business considerations that we might not have that insight into, or may not fully understand. And, making sure they know what the parameters will be, in our case, those business leaders, when we say, "Oh yeah, we can recover this in 36 hours," what does that really mean? And what's the probability that we'll be successful in doing that? Any project, any major initiative, even like maintenance, we have backup plans for maintenance windows, because things don't always go as planned.

Rick Howard: I'm shocked, I say, that the [LAUGHS] plans don't go right. [LAUGHS]

Don Welch: We're just incompetent, you know? We should be able to do this. But, it's hard. That's why they pay us this much.

Rick Howard: [LAUGHS] One of the decisions that people still struggle with is, do you reach out to the law enforcement authorities? Do you bring in the FBI right away, or do you push them aside? Is that part of the tabletop discussions going on? Is there a trigger for when you bring them in, or is it just automatic you bring those guys in?

Don Welch: I think any outside help that you bring in, that's something that you want to tabletop and go through and have people think about it ahead of time, under what conditions they would, because I think that's always got to be an option. Certainly, we would like that the bad guys get caught and get stopped so that they don't do it to others, so we do want to collaborate with law enforcement, whenever possible. But there are some reasons that the business leaders might have, why we either bring them in later, or maybe it is something that we are just not going to bring them in on, and others.

Don Welch: So, most of us have cyber insurance, and cyber insurance has incident response teams that can help. But, do we want to bring those teams in? And so, you know, some of the trade-offs are, when you are trying to manage that crisis, adding more people that you have to communicate with, more people that are making suggestions, adding more complexity, you may react slower. And this is a judgment call. A lot of times, those resources can be really helpful but, sometimes, you know, a little bit too much help can slow down your ability to react to a crisis. So, that's a judgment call and like, any judgment call, going through a tabletop exercise helps you make a better decision in the moment, having thought of these things ahead of time.

Rick Howard: You make a good point. I was going through the DNC hacks of 2016. It wasn't a ransomware attack but, one of the interesting things was the Democratic National Committee didn't have a relationship with the FBI so, when they needed them, it took them months to build enough trust so that they could believe what each other was saying. And you don't want to be doing that during the crisis, I guess, is the point. So, for your tabletop exercises, it may be useful to bring in your FBI rep and let them sit in on a couple of those, just to see what they would say.

Don Welch: Well, I think you make a really good point with outside agencies and, especially, federal government that having that trust is really important. There are a lot of people who don't fully trust law enforcement or other federal agencies, especially in universities but, in other types of organizations too, and there are good reasons for it. In some cases, once you expose information to law enforcement, it's out of the individual's hands in terms of what may happen next. So, your wishes may not be followed in terms of what you want to happen, because they have to follow their processes. So, understanding that, understanding the people, making sure they know you, understand you, that trust building, if you've built that ahead of time, that's really helpful and something that I think is, kind of, foundational for every cyber security team. Because, yes, you know, a lot of attacks just impact your organization but, you may be part of a broader attack and it may have consequences for public safety that you want to make sure you're a good citizen and helping that be stopped before it becomes a real issue.

Rick Howard: You're at the CyberWire where you talk about first principle cyber security strategies, and the things we've been talking about in this conversation, kind of, fall under the resiliency strategy. But, the question I would ask you, Don, is if you could do one thing, tactically, to make your entire environment more safe from these ransomware attacks, could you point to one thing and say, "Just do this at first and let's make sure we get that done?"

Don Welch: That to me would be patching all the systems. If we kept the patch--

Rick Howard: Mm, which is hard, you know?

Don Welch: Yeah. Right, I, I'm not asking for anything easy here.

Rick Howard: [LAUGHS]

Don Welch: But, if every system is patched very quickly, reasonable amount of time, you can eliminate an awful lot of attacks. It takes the bad guys a long time to develop a lot of these exploits and, frankly, like the old joke, you don't have to outrun the bear. You just have to outrun the person you're with. Sadly, I think there's a lot of that that is true that, if you are keeping your system patched, the bad guys, especially criminals who just want money and they don't care where they get it, they'll go somewhere else. If you're the target of a foreign intelligence agency and they specifically want something, they will be determined and go after it but, if you can keep your patch levels up, I think you can turn away a lot of these adversaries, and so that would be my choice.

Rick Howard: I don't disagree with that but, I think if I had to choose, I would want a system where I could guarantee that the backups I have made can be restored 100%. Because, you know, we've all done these things. We make backup systems and we try to recover them and sometimes it works and sometimes it doesn't. I would like the system, if I could push a button, says, oh yeah, you know, I hear on practicing doing it, it restored it and everything was good. That's kind of what I would like to happen. [LAUGHS]

Don Welch: Yeah, and I think that's valid, and I think it would be equally valid for someone to say, "Yep, I want every user to be smart."

Rick Howard: [LAUGHS]

Don Welch: You know? And, as long as we're dreaming--

Rick Howard: I was gonna say, do you get those kind of users at Walmart? Can you buy a case of them? Is that how you get them? [LAUGHS]

Don Welch: [LAUGHS] Yeah. Yeah.

Rick Howard: Yeah, absolutely. Well, any last words of wisdom, Don, about ransomware? Any last words that you want to tell our audience about?

Don Welch: I think ransomware goes along with all the kinds of threats that we're facing now. The reality is, for all those threats, you have to have a strategy, there's got to be an integrated strategy. We've talked about the defense in depth and that this control will work here, and that control will work there and I think, for ransomware and for everything else, you've got to make sure you've got integrated, overlapping controls, and just one thing is not going to be the thing that saves you. It's got to be a coherent program.

Rick Howard: All very true and all good stuff, Don. So, thanks for coming on and good luck on this new gig. We appreciate it.

Don Welch: Yeah. Thank you.

Rick Howard: Next up is Dave's conversation with Darren Guccione, the CEO and Co-Founder of Keeper Security; our show sponsor.

Darren Guccione: Well, ransomware has increased by nearly 400% over the past two years. It began many years ago as more of a consumer threat, and has evolved more into a B2B threat, so we find this to be existential global. I would also tell you that every few seconds an organization or an individual is paying a ransom, and these ransoms can range anywhere, you know, from a few hundred dollars, to several million dollars.

Dave Bittner: You know, it's really an interesting point in that I think the high profile, high dollar ransomware attempts are really what grab the headlines. But, what you're saying is that there's been no real lowering of the number of the small dollar value ransomware attempts that are still happening out there?

Darren Guccione: Well, unfortunately, we don't hear about those and, conversely, they're the most common. So, if you look at the attack landscape and just the surface area that we're talking about, you've got SOHOs and SMBs which comprise really north of 400 million potential entities out there that represent attacks. And they are, basically, the cohort that represents 80% of the global GDP and over 90% of the global employment base. And, at the same time, they have probably the least in terms of cyber security defenses available to them, mainly because they lack formal budgets, they don't have sophisticated IT staff on hand, and they often don't know where to start. The good news, however, is that they have access to technologies and products. The key there is educating them and making them aware that these technologies exist to protect them, because they are the primary attack target for a cyber criminal. We just don't hear about those in the news because those ransoms typically range anywhere from $1,000 to $100,000, per incident. And, as you know, just through sensationalism, the larger organizations that pay ransoms into the millions of dollars are, typically, what make waves in the headlines.

Dave Bittner: Do you suppose that there are a lot of folks who think that, because they're small, they're not going to be an interesting target to these ransomware operators?

Darren Guccione: Unfortunately, yes. More than 65% of the time, when there's a ransom being paid, it's paid by either a SOHO or SMB. When I say SOHO, I mean small office home office and so, you know, it's really you're talking about, I'd say, north of 300 million potential entities out there that represent targets. And then, you talk about small to medium sized businesses, that's an amazingly large attack vector, and target, for cyber criminals. So, I would just say that, at the end of the day, a lot of work has to be done by vendors like ourselves, and this is where we spend a lot of our time, to educate and build awareness in the marketing ecosystem so that these organizations know that they can get help on a cost effective basis. Because, quite frequently, you know, where someone says, "Well, these solutions may be too expensive for me," they're actually not. You know, you can get protected, you know, for under $1,000 a year, based on, you know, the size of the company. Obviously, larger organizations will pay, you know, hundreds of thousands, if not millions, of dollars for a robust cyber security plan and set of technologies. But, generally speaking, these are accessible, they're affordable, they're super easy to use and they're easy to provision.

Dave Bittner: You know, I think a lot of folks are probably intimidated by what they perceive as the potential high cost of cyber security, the amount of time that it may take from them. What sort of things do you and your colleagues help people with, in terms of on-boarding of, sort of, walking them through that process and educating them on what's available to them, and how to make it work within the resources that they have?

Darren Guccione: Yeah so, the good news is, there are really three things that cyber security software should have in order to appeal to today's world. And today's world, I would say, ostensibly, is really focused on hybrid work environments, and we know that distributed remote work is a big deal but, we also know that more companies are starting to move, you know, back into the office or, operate on a hybrid. And that's how we operate today. So, I would say 90%, for example, of our operation is distributed remote work, and 10% of us come into the office. Some days it's more, some days it's less. But, the key here is, is that, when you build software, it has to be affordable. It has to be easy to use, for whoever the end user is transacting with it, and it has to be easy to provision or distribute. If you hit those three things, then you're going to be in a really good position to sell into the SOHO and SMB market. Because, those teams of people, albeit smaller, they're also very smart, they're in dire need of this technology and the products, provided that they are easy to use, is going to be a key in adoption.

Darren Guccione: You know, historically, there's been this, you know, concept, and a stigma - I'll call it a stigma - where the more secure a software is to use, the more secure it brings you into the organization, the harder it is to use. And if software is hard to use, that has an inverse relationship in terms of adoption. So, building software that's secure, that's easy to use and easy to provision, drives an increase in adoption. It makes it more desirable for a small to medium sized business because, typically, they don't have sophisticated IT personnel on staff. So, for us, for instance, when we're working with an SMB or a SOHO to, you know, basically, purchase and distribute the software, they are done with training, full distribution, loading everything on every device that they have, across every employee, that entire process takes about one hour. And they're off to the races and they're good to go. And we'll, I would say, infrequently hear from them about a support issue because, the key here is, if you make the software very easy to use, then you're in really good shape.

Dave Bittner: How do you strike that balance and how important is it to not throw up roadblocks for the user, to not increase friction?

Darren Guccione: You have to implement what we call passwordless technologies, and passwordless tech is built into our application. By that, we talk about biometrics. So, converging ubiquity, convenience, ease of use, and security, into a single platform, is the key to that question. And, it's all around elegance, right? How do you build something that's modern and elegant and, at the same time, hyper secure to protect a user? So, for us, we spend a lot of time with our design team, which is in-house, of course, to always simplify whenever possible. How do we take something that takes three steps, and turn it into one? How do we avoid having a user enter digits into a device as a two-factor method of authenticating into a system, right?

Darren Guccione: So, eliminating those steps, right, because if you look at any workflow; transportation, storage, rework, delay, data entry, those are wasteful activities in any type of business process, and this holds true in design. So, when we're designing applications, we want to really enhance the workflow and mitigate or eliminate the waste. And it all comes down to design and then the back end technologies that we couple into that to really build in more of an elegant, seamless, and very fast, experience.

Dave Bittner: Where do you suppose we're headed? I mean, as you mentioned, you know, folks are heading back to their offices but, it looks like this hybrid work is here to stay. Is ransomware here to stay? Are you optimistic that we'll be able to really make a dent here?

Darren Guccione: Well, I think we are making a dent. Is it visible? I would say, no, not now. Ransomware is definitely here to stay. I mean, there's roughly 25 cartels now that are earning billions of dollars a year, in the aggregate. This is a huge business, right? Just as we sell software above sea level, right, in the ordinary course of life, we sell, you know, software as a service, they sell ransomware as a service. So, you know, in the subterranean world of the dark web, you know, the RaaS software reigns supreme now, and that is evolving. It's becoming more sophisticated, it's becoming more clever. It's financially backed by, like I said, billions of dollars in capital, and it's potent. So, you're gonna see those ransomware attacks increase. We are in a cyber war. There is no doubt about it. I say it repeatedly in various podcasts that we are in a cyber war, and we are. And the only way to win that war is through - and I'm gonna back up for a second - it's really through education and awareness.

Darren Guccione: These types of, you know, discussions that you and I are having today, can be invaluable to someone who needs to gain access to a technology that they can afford, that could literally save their company. And, you're talking about a few hundred million potential accounts out there that are all being targeted by cyber criminals. Because, like I said, the cyber criminals don't like to go after hardened targets. They go after low-hanging fruit and, unfortunately, for the private sector, the low-hanging fruit are the SOHOs and SMBs. As you move upstream into mid-market enterprise, you know, yes, they are often victimized and they pay massive ransoms. But, you'll find that they have formal IT budgets, they have sophisticated or technical IT staff on hand. And they have at least some level of a cyber security plan in place. The cyber criminals, yes, they will spend time attacking those targets but, the more hardened the target is, they typically move on, right? And they focus on the low-hanging fruit because, to them, they've got a buffet table with 400 million potential targets sitting on it. So, this is where the future is.

Rick Howard: And that's a wrap. We'd like to thank Don Welch, the CIO of NYU, and Darren Guccione, the CEO and Co-Founder of Keeper Security, our show sponsor, for being on the show. CyberWire-X is a production of The CyberWire and is proudly produced in Maryland at the startup studios DataTribe, where they are co-building the next generation of cyber security startups and technologies. Our Senior Producer is Jennifer Eiben, our Executive Editor is Peter Kilpe and, on behalf of Dave Bittner, this is Rick Howard signing off.