Hacking Humans 10.29.20
Ep 122 | 10.29.20

New consequences, extortion and cyber insurance.


John Pescatore: At least 10% of the time, even if you pay off the ransom demand, they don't restore your data or your systems, and then you're still liable. And also, if you do pay off, then quite often you're put on the stupid list, and then you see attacks from others in the future.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with John Pescatore from the SANS Technology Institute. We're going to be talking about whether or not you should pay off a ransomware demand. 

Dave Bittner: All right, Joe. Let's kick things off with some stories here. Why don't you start for us? 

Joe Carrigan: I will, Dave. Mine comes from Susan Hogan, who's at NBC4 in Washington, D.C., which is a local station for us. I grew up watching them. 

Joe Carrigan: There is a woman who is a dermatologist in Bowie, Md. Her name is Dr. Melanye Maclin. And she noticed some charges on her credit card that she wanted to dispute. And these charges were coming from Facebook advertising. So perhaps because she's a dermatologist, she has a business. So maybe she had done some business with Facebook in the past, purchasing advertising. And now they're charging her card, and these are not legitimate charges. 

Dave Bittner: Right. 

Joe Carrigan: So she wants to call Facebook. So she goes to Facebook and searches for Facebook customer service number. And guess what she finds? She finds one. Now... 

Dave Bittner: First of all, I'm shocked that that's possible (laughter). 

Joe Carrigan: Right. 

Dave Bittner: But go on (laughter). 

Joe Carrigan: Well, and you would be right to be shocked, Dave... 

Dave Bittner: OK (laughter). 

Joe Carrigan: ...Because Facebook does not have a customer service number. They just don't. I've looked around for ways to get in touch with Facebook customer service, and it's very difficult to do this even if you're doing something online. I don't even know if you're a customer of theirs - like, if you've actually given them money - if there's a way that you can call somebody and talk to them. This is why I don't think I would ever do business with Facebook, period... 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: ...Just because I can't - there's no single wringable neck for me. It's a big cloud of people that you wind up screaming into the void. And I don't like doing that. 

Joe Carrigan: So - but Dr. Maclin found this customer service number. When she calls the number, the person answers, Facebook customer support. And she tells the guy about her problem, and the guy says, oh, you need to install an app on your phone. So she installs an - this app on her phone that the guy recommends, and then he connects to her phone and she watches as he starts, like, opening her Facebook app. And then she opens her Instagram app. And then this guy opens up her Cash App and transfers over $6,000 out of her checking account to himself. 

Dave Bittner: Wow - while she's watching it happen. 

Joe Carrigan: While she's watching it happen, yeah, in a series of a number of transactions. And eventually, she has to uninstall that app to get him to stop doing this, to take the control away from him. And during that time, this guy made off with about $6,000 of Dr. Maclin's money. 

Dave Bittner: Wow. 

Joe Carrigan: Now, there are still these listings on Facebook for these customer support numbers. So guess what I did, Dave? 

Dave Bittner: Oh, dear (laughter). Go on. 

Joe Carrigan: I fired up a Google Voice number, and I started calling them, right? 

Dave Bittner: OK. 

Joe Carrigan: I found two numbers on Facebook. And what was interesting is, you know how when you dial out, sometimes it will say, OK, you're calling into this number, right? 

Dave Bittner: Yeah. 

Joe Carrigan: It'll give you a company name. One of those company names was Norton technical support or customer support. So this is a series of scams. Nobody answered the phone calls, but one guy did call me back. And when he talked to me, I started asking him questions. 

Joe Carrigan: And I said, I'm trying to reach Facebook technical support. He goes, oh, this is Facebook technical support. I said, you work for Facebook? He goes, no, no, we're a third-party provider. I'm like, OK, what's your business model? How do you make money? And he says, well, you will pay us for this service. And I'm like, OK, and how much do I pay you? And he goes, well, that's for the technician to determine. I said, OK, this sounds kind of scammy (ph), and that was the end of the call. 

Dave Bittner: Wow. 

Joe Carrigan: But these guys are out there. They're putting their numbers up on Facebook as Facebook customer support. You're calling them, and then somehow, they're scamming you out of either money for technical service fees, which I guess you could argue may be a legitimate business model. But this, what happened to Dr. Maclin, is definitely not. This guy stole six grand from her. And... 

Dave Bittner: Do we have any idea what kind of app that they were using that would allow you to have remote control over your mobile device? 

Joe Carrigan: The story didn't cover this, but I imagine it's, like, a customer support app. So like, when your mom calls, you can say, go install this app, Mom, and then let me do that, right? 

Dave Bittner: Right. Right. 

Joe Carrigan: I never do that. I never tell them to do that because I don't want this thing sitting residually on their systems. In fact, I've not been a big fan of these apps even when I was providing, you know, Joe's unlimited lifetime tech support to my in-laws who live far away. That would've made my job really easy, but I never did it because I just didn't want them to be vulnerable that way. However you want to handle it, let's handle it. But I don't want to install that app. 

Joe Carrigan: I really want to say thanks to Dr. Maclin for coming forward on this. A lot of people would not do that. A lot of people would be embarrassed about this. And I'm sure that she's not proud of it. But I mean - but she is going beyond what's embarrassing and got in touch with Sue Hogan over at NBC4 and has shown up on the news talking about this. That needs to happen more. That's courageous. And I really, really, really appreciate it. So thank you, Dr. Maclin, for coming forward. This is an educated woman. She has a medical degree, and she got scammed. This happens to everybody. All they're looking for is the right opportunity for it to happen. 

Dave Bittner: Yeah. So, I mean, if we look at our take-homes here, I guess there's a couple lessons. The first is that these companies like Facebook and Google and Amazon - they try to do everything they can to not have a phone number for you to get ahold of them with, right? 

Joe Carrigan: Yeah. They just want your money. They don't want to bother talking to you. It's the perfect business model, right? 

Dave Bittner: (Laughter) Right, right, yes. 

Joe Carrigan: People shuffle in, empty their pockets and shuffle out. It's almost like a... 

Dave Bittner: Yeah, business would be great if it weren't for all these pesky customers, right? 

Joe Carrigan: Right (laughter). 

Dave Bittner: Yeah. And then I guess the other thing is if somebody is asking you to install an app on your phone or your computer, I mean, that is about as bright a red flag as there is, right? 

Joe Carrigan: Yes, agreed, agreed. 

Dave Bittner: Universally. 

Joe Carrigan: And Dr. Maclin is probably not very technical in her skills since she's a medical doctor. I don't know that that would've sent up a red flag for her, but it certainly would've sent up a red flag for most of us. 

Joe Carrigan: But, yeah, never install software that you didn't ask for. And if someone on a customer support line says you need to install software, that should be a red flag. I've never, ever done that. And actually, I don't know that I've even been asked to do that. But if I was asked to do that, that would be an end-of-the-phone-call kind of thing. 

Dave Bittner: Right, right. Yeah. So worth spreading the word about that. 

Joe Carrigan: Indeed. 

Dave Bittner: You know, let your folks, your more vulnerable friends and family know. Just a good reminder not to do that, not to do that. Wow, what an interesting story. 

Dave Bittner: All right, well, my story this week comes from Jan Kopriva over at the SANS Technology Institute - interesting story. It's titled "Phishing Kits As Far As The Eye Can See." And really what they're unpacking here is the fact that phishing kits, which are, you know, these tools that you can buy to spin up your own phishing campaign - I don't know about you, Joe, but I would have thought that this is the kind of thing that you'd have to venture into the dark web... 

Joe Carrigan: Right. 

Dave Bittner: ...To find on some of those kinds of forums. And the research that they've done here at SANS shows that, no, these things are pretty much out in the open. What struck me as particularly interesting is that they could find many of these phishing kits out for sale on YouTube. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. I've seen YouTube used for things like illegal serial numbers for software - things like that... 

Joe Carrigan: OK. 

Dave Bittner: ...You know, or hack - you know what I mean? People spread around serial numbers for software they don't own, right? 

Joe Carrigan: Right, because that's easy to do because it's hard to Google it - right? - 'cause you're looking at images. In other words, Google would have to index the entire video doing OCR on it. And that takes time. And Google may not do that. 

Dave Bittner: Yeah. And I think, also, YouTube has kind of a low threshold. 

Joe Carrigan: Right. 

Dave Bittner: Unless it's copyrighted music... 

Joe Carrigan: Yes. 

Dave Bittner: ...YouTube has a low threshold (laughter) for what they search and - or a high threshold - I don't know - whatever it would be. But you know what I mean. 

Joe Carrigan: Let me ask you a question, Dave. Did they find that these phishing kits had YouTube advertising on it? Because if they did, why would YouTube take these videos down? They're making money off it. 

Dave Bittner: The article doesn't say either way. I would suspect if I was someone selling one of these kits, I would not enable YouTube advertising because I wouldn't want to draw any additional scrutiny to what I'm doing here. 

Joe Carrigan: Right. And how are you going to collect that money anyway? 

Dave Bittner: Right. These kits are affordable. They're easy to get. And I just thought that was remarkable that - I guess the boldness of these folks who are out there selling these things. I don't know if they're just foolish or if they feel like they're beyond the reach of the law, which may be the case. 

Joe Carrigan: Maybe. 

Dave Bittner: Yeah. Well, and that's the thing. You know, we see - every couple of months we'll see the Justice Department or someone, the FBI, you know, working with international partners... 

Joe Carrigan: Right. 

Dave Bittner: ...Will round up a bunch of people or shut down a forum, or it turns out that they had been running the forum, you know, for the past few months. They'd secretly taken it over. So... 

Joe Carrigan: Right. And they have a bunch of IP addresses of people. 

Dave Bittner: Right. And I think that's a good message to send to these folks, that you better be looking over your shoulder because you don't know who's watching. 

Joe Carrigan: There's an interesting graphic in here about what the phishing kits are going after. About 13% of them are going after PayPal, and then 11% are going after Microsoft 365 accounts. 

Dave Bittner: Yeah, which is interesting because I suppose that rather than being a direct thing - in other words, you get in someone's PayPal account, you can get their money. 

Joe Carrigan: Right. 

Dave Bittner: You get in someone's Amazon account, you can buy stuff. 

Joe Carrigan: Right. 

Dave Bittner: But with Office 365, seems like that is a stepping-stone along the way to a business email compromise or something else like that. 

Joe Carrigan: That's exactly my thinking as well. When you're looking for a big payout, that's where you start. You start with getting into someone's email account. 

Dave Bittner: Yup, exactly. So just an interesting insight, again, from the folks over at SANS Technology Center. This is from their Internet Storm Center, which is - they have a daily infosec podcast that's quite good. Our friend Johannes Ullrich hosts that. Worth a listen. All right, well, interesting story there. We'll have a link to that in our show notes. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from Sawyer Dickey, or someone who calls himself Sawyer Dickey. He's a moderator on r/scambait. And he received this message. And we're going to read just the first message 'cause I think it's pretty good. We're going to put a link to this in the show notes. You should go read this because he does a little bit of back-and-forth with this scammer, and it's pretty funny. But the exchange is rather long. I thought that the first message that Sawyer received was pretty funny. So I recommend that everybody go out and read the entire exchange. It's very good. But, Dave, why don't you read this email? 

Dave Bittner: All right, here we go. 

Dave Bittner: (Reading) Dear sir/madam, this message is from the Department of Blacklist Removal Office USA in Nigeria. Why we decided to communicate with you today is because we've discovered that you are pursuing too many transactions in internet in which all are failing you after wasting much money in pursuing them. Some of these transactions are fake, and some are real. But the reason you have not received any fund is because your name is in U.S. blacklist, which makes it impossible for you to send money out and also receive your inheritance funds out of the country or within. So it is better you stop wasting your money in the name of receiving your inheritance funds until your name is removed from the blacklist and enter into U.S. whitelist. Blacklist is a list of people or groups regarded as unacceptable or untrustworthy and often marked down for exclusion or blocked from receiving huge amounts of funds outside the country or from within the country. 

Dave Bittner: OK, that's the first period at the end of the sentence right there. 


Dave Bittner: It goes on. 

Dave Bittner: (Reading) So if you want to remove your name from the blacklist and place it in American whitelist, then contact this office, or you keep having problems receiving your funds after sending so much money to them. 

Dave Bittner: The requirement for removing your from the blacklist are as follow - your full name, your home address, telephone number, your occupation, country, your international passport or driver's license or state ID. Above all, you are obligated to pay the sum of $50 for the insurance of removing your name from the blacklist. But please do not contact us if you know that you cannot pay this fee. But if you are willing to remove your name from the blacklist and kindly purchase an iTunes card of $50, and immediately and after that shall transfer your total of $3.5 million into your bank account or any means by which you want to receive your fund. 

Dave Bittner: While this Department of U.S. Blacklist Removal Office is located in Nigeria is because Nigeria is origin country of your fund. Thanks, Mr. Donald Anderson, director of Blacklist Removal, USA. 

Dave Bittner: Wow. 

Joe Carrigan: This is a great one. And Sawyer goes on to say he's unable to pay the $50 insurance fee because his name is on the blacklist. And he goes back-and-forth with the scammer for a little while. It's pretty good. 

Joe Carrigan: I mean, obviously, this is just trying to scam somebody out of a $50 gift card and, at the same time, build a collection of personally identifiable information that they can sell. 

Dave Bittner: Yeah. 

Joe Carrigan: It's pretty straightforward what this scam is, but it's - I love it. It's so poorly written. 

Dave Bittner: (Laughter) It really is. 

Joe Carrigan: Your cellphone number... 

Dave Bittner: I don't know what the deal is with - there's never - like, these run-on sentences that just go on and on and on. 

Joe Carrigan: Yeah, that's... 

Dave Bittner: I wonder if they're just feeding it through some sort of translation engine that - I don't know - isn't good at that. Maybe - I don't know. Maybe someone who knows linguistics better than we do can give us a little hint as to... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Why that happens so often. 

Dave Bittner: All right, well, that is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with John Pescatore. He is from the SANS Technology Institute and our second SANS mention on the show today, right? 

Joe Carrigan: Right, yeah. 

Dave Bittner: And our conversation focused on this notion of whether or not it's a good idea to pay off the ransomware demand, the pros and cons of that. Here's my conversation with John Pescatore. 

John Pescatore: You know, there's various types of security incidents we've had over the years. Sort of early in the stage of every new technology and certainly early in our use of the internet, denial of service were the first types of attacks, where bad guys or curious people would find ways to crash stuff. And then all of a sudden, our customers couldn't reach us or our employees couldn't reach the internet. 

John Pescatore: The Morris Worm of 1989 was a denial-of-service incident. And a lot of malware attacks result in just crashing computers and are essentially denial-of-service attacks. 

John Pescatore: And as the attackers get more sophisticated, we've, over the years, started to see data breaches where they're stealing something - typically data, could be intellectual property, could be credit card numbers, could be health care numbers, anything that has monetary value or can be sold on a black market or used to commit cybercrime. So we've had data breaches. 

John Pescatore: And so over the years, we've figured out ways to defend against denial of service and figured out ways to detect breaches by noticing if data is flying out through the perimeter in ways it normally doesn't or it never should. 

John Pescatore: And ransomware came along and used many of the same malware-type techniques to get in but then had very different consequences. It had denial-of-service consequences, essentially. It encrypts all your files and you can't do business, or it encrypts key executables and your systems no longer work, such as happened to Baltimore or happened to the railway system in San Francisco. 

John Pescatore: But the added component, the, like, totally new part is this idea of extortion - you know, saying, we're hurting you right now; we can make it better if you make this payment. And that is always a decision that's outside the scope of the security team. And it's also something that's sort of reinvigorated, I guess would be the word, efforts I've been doing or interest I've had in looking into cyber insurance as people start to say, well, wait a minute. Doesn't insurance pay off on extortion demands? 

John Pescatore: So the key things that have happened as the bad guys have focused more on ransomware are, well, three things. The two I've already mentioned - or one is sort of a similar style of attack with different consequences. Second thing - it brings in this issue of extortion demands, which all of a sudden changes the response. And the third thing is this cyber insurance issue, which is - sort of reinvigorates, well, is it cheaper to just get insurance to pay off the cost, or is there any way we can actually prevent this and self-insure, essentially? 

Dave Bittner: And what about this trend we've seen more and more lately where the ransomware folks are not only locking up your files, but they're exfiltrating them and threatening to release them publicly? 

John Pescatore: Yeah, that's happened before the ransom demands in past years, just so they could prove they really had the data. And that's happened in breaches as well, where there's been some cases of that. 

John Pescatore: So the other part that comes out of this is relatively off. And it's very hard to get statistics on much of this. But at least 10% of the time, even if you pay off the ransom demand, they don't restore your data or your systems, and then you're still liable. And also, if you do pay off, then quite often you're put on the stupid list, and then you see attacks from others in the future. 

John Pescatore: So there's a lot of sort of variance here on what actually happens, whether you pay off or don't pay off, or the types and amount of ransomware demands they make. If they make a very small monetary demand, it may be more tempting to pay off. If they make a very large one, obviously not. 

John Pescatore: And then the other thing that happens is almost all businesses - all large businesses - typically have some form of insurance around executives that might include kidnapping of executives. And there - so there are some insurance payoff issues. There's also the standard issues of, do we notify law enforcement or not, that start to happen once any ransomware or exposure demand is brought into play. 

Dave Bittner: You know, it strikes me that it seems like if you ask law enforcement - you know, the conversations I've had with folks from the FBI and other agencies - they will say do not pay the ransom. But I guess for a lot of organizations, I mean, it's more complicated than that. The decision-making there isn't necessarily black and white. 

John Pescatore: Well, the first thing is that here recently, in the past couple months of 2020, the FBI has changed their guidance. They have actually said that's the standard recommendation, but all circumstances are different, and businesses have to make their own decisions. So the FBI is sort of taking a step back from that standard advice. In the physical kidnapping days, I don't think they've changed it. In this world of cyber extortion, they have changed it. 

John Pescatore: But it is definitely an executive-level decision. You know, it is not a chief security officer decision, obviously, unless he's going to open his wallet and pay for it with his own money... 

Dave Bittner: (Laughter). 

John Pescatore: ...Versus the company's money. So there's a lot of analysis that has to go in. And that's something myself and an instructor at SANS - Ben Wright, who's actually a lawyer, is - we're looking into a project for research we'll be putting out probably early next year. 

Dave Bittner: Let's discuss the insurance side of this. You know, we see more and more companies are getting insurance that specifically covers cyber events. Does ransomware generally fall into that? 

John Pescatore: Well, here's where everything gets very complicated. So first off, one reason why more companies are getting standalone cybersecurity insurance policy is the insurance carriers are starting to change all their other policies to remove any coverage of cyber incidents. So it wasn't unusual to see other forms of liability insurance or other types of standard business insurance policies have some coverage of cyber incidents. And then you started to see the insurance carriers fight back and say, no, that was an act of cyber war, and your existing policy does not cover acts of war, or, no, they exploited a vulnerability that existed before you signed the policy, and that's a preexisting condition. 

John Pescatore: So the insurers, in order to remove their own liability to claims against general purpose insurance, have started to thin down those policies and force anybody who wants cyber insurance to get a standalone policy so that a lot of the growth in these policies is almost manufactured by the insurance industry. 

John Pescatore: And, you know, some other things - in my looking into sort of the costs and payoffs of this type of thing, I've tried to find some statistics. So from the Deloitte & Touche report, in the - those typical property and casualty insurance-type policies, for every dollar of premiums the insurance companies collect, they pay out about 60 to 70 cents per dollar in payments. The other 30% is their profit, and the investment of the premiums before something bad happens is additional profit. On the cyber policies, they're only paying out about 23 cents for every dollar of premium collected. 

John Pescatore: So you see these policies are priced pretty high compared to how they price property or casualty insurance because of a lot of the uncertainties about what they will have to pay or not have to pay. Or if ransomware hits one of our clients, is that same ransomware going to hit a hundred of our clients - called aggregation or accumulation risk. 

John Pescatore: So it's a very strange world. The pricing in cyber insurance is basically called market pricing. It's like lobster. If they caught a lot of lobster... 

Dave Bittner: (Laughter). 

John Pescatore: ...Today, lobster's cheap. If they didn't catch a lot of lobster, lobster's expensive. 

Dave Bittner: Right. As opposed to being based on, you know, a hundred years of history of, you know, this - I'm thinking of things like insurance for fires or hurricanes or floods, you know, things we've been tracking for a long time. 

John Pescatore: That's often this idea that there's no actuarial table. So we can give life insurance policies 'cause we know how long people live. So there's definitely not as much - or not as much data. That's a big problem in cybersecurity in general. 

John Pescatore: But I think there's a bigger issue at play here. I've been doing a lot of talks with government agencies and big enterprises on things like artificial intelligence and machine-learning algorithms, where, you know, now that computers can beat humans in chess and go and do all this cool object-recognition-type stuff and character recognition, you know, there's a lot of hype out there that AI machine learning will solve all these security problems. We won't need as many people. 

John Pescatore: Well, the reality is that most problems, like will a building burn down or not, what's the next best move in a chess game, are bounded problems. We know how well a building is built and if it was built with fire-retardant materials or not because there's building codes that say it has to be. There's building codes about fire sprinklers and things. In chess, the pieces can only move in certain directions, the board has boundaries, and the players take turns. 

John Pescatore: Well, in cybersecurity, none of that applies. There are no strength of materials. Each piece of software is a unique piece of craftsmanship itself. Nobody knows how strong it is or even how strong it needs to be. The attackers - they can make the horse do a hundred moves and then turn right instead of left or go diagonally. They can do whatever they want. They don't have to wait for their turn to go. So it's a very different problem. 

John Pescatore: So the - this idea that, well, over time they'll accumulate actuarial data I really don't think is going to happen. I think it's - the problem is much closer to the health insurance problem - that new viruses and coronaviruses come along, and novel ones that we've never seen before, the body doesn't have antibodies. So we have health care data, but we have similar problems in health care and how health insurance works. 

John Pescatore: And in the health insurance world or in the medical world, everybody knows and every doctor preaches you're better off preparing or getting - staying healthy and avoiding illness than you are just relying on insurance and medicine to deal with the illness afterwards. And that's sort of the part that's been missing in a lot of cybersecurity approaches. 

John Pescatore: And this type of insurance, cybersecurity insurance, does not transfer liability, doesn't cap liability. It merely reduces the cost. You know, let's use Baltimore as an example. Baltimore - after their - what they said was an $18 million ransomware incident, they went out and bought cybersecurity - two cybersecurity policies for $20 million of coverage, and they paid 835,000 for a year's worth of that coverage and had 2 million in deductibles. So they now are safe. They'll get up to $16 million benefit - you know, $18 million plus 2 million deductible. But if they had a $20 million incident or a $40 million incident, the cost will just keep rising. 

John Pescatore: So compared to car insurance or home property insurance, where you get repaid the full amount of what you're insuring, in health insurance and in cyber insurance, you're really only getting a portion back. You're not getting your leg back if it rots off; you're getting some money towards the operation to remove your leg. 

John Pescatore: So cybersecurity insurance can't be seen as an alternative to good security hygiene and protecting yourself. And that's where the focus of what we're looking at here lies. 

Dave Bittner: Yeah, that's interesting. I mean, I guess it's more of a backstop, another layer of protection. If your - you know, if the other things fail - if your backups fail, for example - then maybe, you know, your insurance can help ease that pain some. 

John Pescatore: Yeah. And in many instances, it makes sense because if what you've done is say, well, we've done the basic security hygiene things, so we would really have to make a number of mistakes - a number of multiple things would have to go wrong for us - for an attack to succeed against us, and with insurance, we can minimize, you know, or reduce the cost of an impact, that may make financial sense in some cases. 

John Pescatore: It may not make sense. For small businesses, for example, the policies are often cheaper 'cause small businesses usually have less costly incidents. They're smaller targets. They're often not targeted. But the cost of keeping themselves secure is often higher as a percentage of their revenue for smaller businesses. So for smaller businesses, $1,000 a year for 200,000 of protection of coverage may make sense. 

John Pescatore: For a large company that has to pay 20 million a year, let's look at the ransomware attacks from a couple of years ago that hit Maersk and the big FedEx unit that they had to publicly announce $300 million incidents. And that was all because they did not patch known vulnerable Microsoft software and other software - known vulnerable software. They failed in basic security hygiene in a big way. If they were to carry 300 million of cybersecurity insurance, that would have cost them a hundred times more than it would've cost them just to patch things. 

John Pescatore: So, you know, at a board of - I do a lot of board of directors briefings, and this topic comes up. And a lot of it is you can't justify insurance if you're not doing the basic minimums to keep yourself healthy. Nobody's going to give a smoker who smokes 10 packs of cigarettes a day lung cancer insurance. 

Dave Bittner: Right. 

John Pescatore: And if you're not doing basic security hygiene, the premiums, the deductibles you'll be paying on top of the cost of the incidents - then it makes no sense. 

Dave Bittner: Yeah. I like to use public health as an analogy for a lot of this stuff as well. And one of the things that strikes me is that, you know, you can do all of those things - you can wash your hands, you can, you know, try not to be near sick people and all those things - but sometimes you're still going to get a cold. 

John Pescatore: The smart part about that is that's exactly what insurance is supposed to be for - unlikely occurrences. So if you take away all the likely ways you're going to get a cold or get a flu or get the coronavirus... 

Dave Bittner: Right. 

John Pescatore: ...Then insurance makes sense because now you're trying to cover the unlikely event. Similarly, in cybersecurity, you know, there's a thing out there called the Critical Security Controls. SANS supported it, kept it going for years. It started in NSA. It's its own standalone nonprofit thing now under the Center for Internet Security. That's all about basic security hygiene. 

John Pescatore: And the Australian government adopted a slightly modified version of it, and they showed that just by doing four of the 20 basic security hygiene things, they were able to avoid 85% of targeted attacks. They're ignoring the simple malware that's easy to stop. But targeted attacks, custom malware, ransomware - just doing these four basic security hygiene things of patching, reducing privileges and segmenting networks and a few other things - four things - avoid 85% of these big attacks. 

John Pescatore: Now you start to say, now only 15% of the bad things could ever happen to us. And that's starting to be in the realm of where you start to say cybersecurity insurance might make sense to cover these unlikely events. You don't buy insurance for losing your car keys or something you do every week. You get it for very unlikely things that if it does happen, you need some recompense. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: I thought that was a really good interview, Dave. Some interesting points that were made in the interview - ransomware - first off, I want to talk about ransomware in general. It's on the rise because it works. And if you compare it to the exfiltration-only business model, you know, where I steal your data, then sell it, a malicious actor can sell your data, but there is no one to whom your data is more valuable than you. So if I can deny you access to your data - and then I really can capitalize on that. And that's why this works. 

Joe Carrigan: I'm - maybe I'm stating the obvious here. I have a real penchant for doing that, by the way. But it's really very simple. This stuff works because this information is terribly important to the people that have it. And when it gets taken away, a lot of times, the easiest thing for them to do or the fastest thing or maybe even the only thing is to pay the ransom. 

Dave Bittner: Yeah. 

Joe Carrigan: I like what John talks about when he says the ramifications of paying. He says, first off, you may be out the money and not have any benefit, right? They may not restore your system. That's a real risk. He calls it the stupid list - that you pay, and then they put you out on some list or let everybody know in their community, hey, this guy paid the ransom. So they have the money to pay, and they're willing to pay, and they like paying ransoms. So that makes you a target, right? 

Joe Carrigan: Not paying the ransom - like, I don't think anybody else is going to try to attack Baltimore City because they incurred $38 million in costs rather than paying a ransom that was less than $100,000. So that's probably not going to pay off again in the future. And now they have the insurance, so who knows? Who knows what'll happen in the future with that? We'll have to watch, see if they get hit with another cybersecurity event. 

Joe Carrigan: It is interesting that he talks about reducing your risk being easy towards the end of the interview and that there's, like, four things you do to reduce your risk by 80%, 85%. And that was true in the case of Baltimore City, as well. If they had just patched the systems from a known vulnerability, they would not have had that ransomware attack. It wouldn't have happened. 

Joe Carrigan: It's also interesting that the FBI is changing their stance on this. You know, they would say in the old days or last year, never pay the ransom. And now they're saying that's an executive decision you have to make. That's an interesting change from the FBI. 

Joe Carrigan: I'm not at all surprised that insurance companies are isolating their cyber insurance to its own product. And I am kind of surprised by the payouts. You know, the property and casualty payout - usually, for every dollar of insurance money they take in, they pay out 60 to 70 cents. And with cyber, they're only paying out 23 cents. 

Joe Carrigan: I don't know how I feel about that, I mean, because I understand that there's a risk with a ransomware attack that can be widespreading. He talks about that. You know, it's not really the same kind of thing. You worry about a casualty event, let's say, like your car insurance. You have a catastrophic car insurance event, and you're an insurance company. One of your insured people, one of your customers is going to run over a pedestrian, and that's going to cost you, right? 

Dave Bittner: Right. 

Joe Carrigan: But when that happens, that doesn't increase the risk of that happening with, like, hundreds of other of your insured customers. But with a ransomware attack, imagine a situation where there's a zero day out there, and there's a ransomware operator out there exploiting that zero day. And you get hit with the first ransomware attack, and now you get hit with a hundred other ransomware attacks. And that changes the calculus of how you cover this immensely. 

Joe Carrigan: And John has a great point here. The problem of cybersecurity is absolutely unbounded. This is limited only by the creativity of the malicious actors, not by any rules or anything. There are no rules. It's not something you can plan for. 

Dave Bittner: It strikes me as being kind of like catastrophic weather events. You know, here in our hometown - you know, in my hometown in Ellicott City, you know, you have these hundred-year floods, right? How are you going to plan for that? I mean, they don't happen very often, but when they do, they're catastrophic. 

Joe Carrigan: There is one thing John said I want to caution the listener about. He said the small business may not be targeted. I don't think that small businesses should take that as, you know, a chance to wipe their forehead and go, whew, I'm off the hook. 

Dave Bittner: Yeah. 

Joe Carrigan: Oh, no, you're not off the hook. These guys are still targeting you, and they're targeting you more and more because these larger organizations have cybersecurity budgets that make it very difficult for malicious actors to get in. Smaller companies do not have that. Therefore, it's a lot easier for them to get in. 

Joe Carrigan: The flip side is something that John said that's absolutely correct - is your assets are a lot less valuable to these malicious actors. They're easier to insure. And these malicious actors are not going to spend months trying to get into a small business. They're going to try something quick and easy, see if it works. And if it doesn't, they're going to move on. 

Joe Carrigan: Yeah, they're not going to waste a lot of time going after you. That's true. But to say that you're less likely to be targeted - I'm not on board with that. That's one thing I'm going to disagree with John on. But I don't think he meant it to be reassuring. I just want to make it lucidly clear that small-business people should still be vigilant. 

Dave Bittner: Yeah. Yeah. I think to me, it's - you hear folks say, well, I don't have anything of value. You know, why would they come after me? 

Joe Carrigan: No, that's not true. 

Dave Bittner: And you do have if - you have something of value, trust me. 

Joe Carrigan: You have tons of stuff of value. 

Dave Bittner: Yeah. Right. 

Joe Carrigan: Do you have a credit card? That's of value. Do you have a computer? That's of value. Is there data that you care about on your computer? Malicious actors have ways of monetizing all of that. And so, yes, you have something of value. The other thing is you've got to remember you're dealing with - a lot of times, you're dealing - like in a Catch of the Day, you're dealing with somebody from Nigeria. You know, the median income in Nigeria is around $2,700 a year. So if I can scam people out of $2,700, I'm doing OK in Nigeria. 

Dave Bittner: Right. Right. Yeah, absolutely. 

Joe Carrigan: I don't need to commit a lot of cybercrime to live a good life in some of these countries. 

Dave Bittner: Right. All right. Well, our thanks to John Pescatore from the SANS Technology Institute for joining us. Really interesting conversation. 

Dave Bittner: That is our show. Thanks to all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.