Useful ransomware protection for you.
Roger Grimes: We need to, as the world or an industry, decide, are we going to do backups the right way, the correct way that we've always said that we're doing them, or are we going to continue in this kind of fake myth that we're doing them really well, but we're not?
Dave Bittner: Hello, everyone, and welcome to the CyberWire's “Hacking Humans” podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week - and later in the show, my conversation with Roger Grimes. He is the data-driven defense evangelist at KnowBe4.
Dave Bittner: Hey, so this is your boss speaking. I'm going to need you to go ahead and wire transfer some company funds to an account that I'll send you. I'm going to need that done today. Don't worry about clearing it through finance. They already know about it. I promise. So this is obviously not your boss. But cybercriminals try this exact tactic all the time in the form of email CEO fraud, also known as business email compromise. They'll spoof your CEO or CFO's email address, send finance or HR an email about transferring money or sharing sensitive employee data. And an unsuspecting and untrained employee just might do it. Our sponsor KnowBe4, providers of the world's largest security awareness training and simulated phishing platform, know a thing or two about equipping employees to handle these threats. We'll learn how later in the show.
Dave Bittner: All right, Joe, why don't we jump right into some stories this week? I'm going to start things off for us. And my story actually comes from the folks over at the fact-checking website Snopes. This is written by Jordan Liles, and it's titled "We Infiltrated a Crypto Scam Network That's Hosted by Meta," the company formerly known as Facebook (laughter).
Joe Carrigan: Right.
Dave Bittner: And this narrative follows the story of some scams that are being run on Facebook in Facebook - using a combination of Facebook groups, but also Facebook Messenger. and it starts with a Facebook page that's called Tina's Finance, which is not a real company.
Joe Carrigan: Right.
Dave Bittner: And Tina's Finance starts off with an advertisement with a photograph of billionaire Warren Buffett. And he's holding a giant...
Joe Carrigan: As they often do.
Dave Bittner: Yeah. And he's holding a giant Bitcoin.
Joe Carrigan: (Laughter).
Dave Bittner: And it invites Facebook users to learn about Bitcoin and other cryptocurrencies. And once you...
Joe Carrigan: I'm looking at this picture right now, Dave. It's obviously photoshopped, (laughter) right?
Dave Bittner: Yeah. Yeah, I know. But, you know, I guess it works well enough for these scammers.
Joe Carrigan: Yeah.
Dave Bittner: So once you engage with these folks, you go into a group, and they promise that funds you invest with them are going to be using a special app, which is called MetaEx or MetaEXC, before your funds are returned. But, of course, the funds are never going to be returned...
Joe Carrigan: Right.
Dave Bittner: ...Back.
Joe Carrigan: Yeah.
Dave Bittner: So the way it works is you join up with this group and you enter a Facebook group, and in that group are a bunch of other people, supposedly like-minded people, who are also interested in learning about cryptocurrency. And when you log in, there's a message that says, we have established a cryptocurrency exchange group. There are professional teachers - share knowledge in the group. Would you want to join? - so a little broken English there...
Joe Carrigan: Right.
Dave Bittner: ...As a first red flag.
Joe Carrigan: Yep.
Dave Bittner: And they say that this will be a way for you to find a new way to wealth, which evidently is a phrase that they use over and over again.
Joe Carrigan: A new way to wealth.
Dave Bittner: A new way to wealth.
Joe Carrigan: OK.
Dave Bittner: And once you enter this group, there are what are allegedly like-minded people who are also interested in this. But they're not real people. They are...
Joe Carrigan: Really?
Dave Bittner: Well, most of them are other members of the scam group, probably - I mean, this could all be being run by one person, right?
Joe Carrigan: Right. Absolutely.
Dave Bittner: Yeah.
Joe Carrigan: Could be coming - he could have a bunch of different windows open on his machine coming in from multiple machines and multiple browsers, all while sitting at the same monitor.
Dave Bittner: Exactly. So they use a combination of this Facebook group, but also group chats in Facebook Messenger, where they take you down a pathway of other people saying, you know, we're ready to go, ready to invest. Here we go. And then someone who is supposedly the leader of this group says, OK, everyone, you know, we're scheduled to make our deposits at this time, at this moment. Everybody ready? And everybody says, yes, we're ready. We're ready.
Joe Carrigan: (Laughter).
Dave Bittner: So you have this getting-on-the-bandwagon thing, right?
Joe Carrigan: Right.
Dave Bittner: All these other people are going to be involved in this. And you can see other people saying, oh, I've - you know, I've done so well with this - can't wait to invest more - that sort of thing.
Joe Carrigan: Yeah.
Dave Bittner: So, of course, when you put your money, you take your cryptocurrency. So you go and you buy some cryptocurrency. And by the way, they're more than happy to help you - to walk you through the process of...
Joe Carrigan: (Laughter) I'm sure they are.
Dave Bittner: ...Buying your cryptocurrency. And then you put your cryptocurrency in this app where it supposedly is going to be invested. Once it's in there, you can see a fake dashboard that shows you how your investment - and investment is in air quotes - is doing.
Joe Carrigan: Right.
Dave Bittner: But if you ask to have your money removed, you'll get a message that says, due to the excessive transaction volume and abnormal system data, the technical department will deal with it and will reply within 24 hours.
Joe Carrigan: Right.
Dave Bittner: Right?
Joe Carrigan: Yep.
Dave Bittner: So what are we doing here, Joe?
Joe Carrigan: Well, they're just taking your money. That's it - you're not (laughter)...
Dave Bittner: They're taking your money, but they're also buying time, right? So...
Joe Carrigan: Oh, with that, yeah, they're buying time. Exactly. Yes.
Dave Bittner: Yeah. Yeah, yeah.
Joe Carrigan: They're buying time so that you - I mean, but once you've committed the crypto transfer into this app, which is really not how cryptocurrency works - you make a transfer of cryptocurrency to an address. And once you do that - I mean, yeah, and there are apps out there that help you manage it, right? Like, I have an app on my phone that has some cryptocurrency in it. I actually made a cryptocurrency purchase at a cryptocurrency ATM.
Dave Bittner: Oh, I've seen a few of those. Yeah. Yeah.
Joe Carrigan: Yeah, recently. And, you know, I was like, you know, I have five bucks. What happens if I lose five bucks? You know, nothing, right? But no, I actually...
Dave Bittner: (Laughter).
Joe Carrigan: ...Got my cryptocurrency, right?
Dave Bittner: OK.
Joe Carrigan: Now, I only got $3 worth of cryptocurrency, so I did lose two of those dollars to fees.
Dave Bittner: Uh-huh (laughter).
Joe Carrigan: But, you know, that's all part of the transaction fee, Dave.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: But yeah, this is not like that. This is you're just transferring your crypto, your cryptocurrency to somebody else's wallet. And then when you go to say, OK, let me have it back, they're like, yeah, yeah, give me a minute.
Dave Bittner: Mmm hmm. Mmm hmm. And of course, you will never see that money again.
Joe Carrigan: You'd never see it again. That's right.
Dave Bittner: These are just scammers. One of the things that this article points out is that they went and notified Facebook and Messenger, and weeks went by, and the groups are still up and running.
Joe Carrigan: Really?
Dave Bittner: Yeah. Yeah. So be mindful of these sorts of investment things. Again, let your friends and family know about them. They are scams. And, you know, look, there's no shortage of professional financial advisors in the world if you are really looking for correct ways to invest your money.
Joe Carrigan: Right.
Dave Bittner: Plenty of due diligence you can do without having to jump into a Facebook group to do something like that. It's disappointing that Facebook and Meta are not more active in tracking these things down or shutting them down with a - when a legitimate source like Snopes informs them that, hey, there is a scam going on here, and here's the evidence, that that isn't shut down immediately, that's disappointing.
Joe Carrigan: Yeah, that is disappointing. You know, if Snopes came to me and said, hey, Joe, we have a scam going on in one of your systems, they would have my immediate attention.
Dave Bittner: (Laughter) Right.
Joe Carrigan: If nothing else, I'd be investigating, right?
Dave Bittner: Right. Right. Exactly. Exactly. So a word to the wise, again, this particular group is called Tina's Finance, but there are lots of them out there. Any images of Warren Buffett are a red flag, of course. But...
Joe Carrigan: Right. Any images of actual bitcoins, you know, like the gold coin that they always hold up...
Dave Bittner: Yeah.
Joe Carrigan: I hate those images.
(LAUGHTER)
Joe Carrigan: Again, this is a digital currency. It's not a physical thing. It doesn't have any real existence. It exists on a ledger in the - essentially on the internet.
Dave Bittner: Yeah.
Joe Carrigan: So I want to say in the cloud, but it's not really the cloud. It's the internet.
Dave Bittner: Yeah.
Joe Carrigan: So it's not how these things work. There is no physical picture or thing you can hold in your hand that is a bitcoin.
Dave Bittner: Yeah, yeah. All right. Well, that is my story this week. Of course, we'll have a link to that in the show notes. Joe, what do you have to share with us?
Joe Carrigan: Dave, my story comes from Alicia Hope at CPO magazine. Recently, Electronic Arts, which is a game company, confirmed that attackers use phishing and social engineering tactics to execute account takeovers against high-profile FIFA Ultimate Team gamers.
Joe Carrigan: Eurogamer, which is a website that talks about video games, first reported the account takeover attacks when they had a bunch of tweets that they noticed were going on. And these tweets were saying that their accounts had been stripped of FIFA points and coins.
Dave Bittner: OK.
Joe Carrigan: So apparently you earn coins and points in this game, and you can transfer them to other players.
Dave Bittner: Ah.
Joe Carrigan: Any time you have any kind of in-game currency like that, this becomes a target.
Dave Bittner: Sure.
Joe Carrigan: Now, I don't play sports video games. I do play video games, but I don't play sports video games. Because I always say, you know, if I want to play soccer, I will go buy a soccer ball, walk out to the schoolyard behind my house and then fall on the ground and scream while holding my shin.
Dave Bittner: (Laughter).
Joe Carrigan: But I digress.
Dave Bittner: OK.
Joe Carrigan: The attackers reportedly use gamer tags from FIFA, from the FIFA leaderboards, which is - so EA publishes this leaderboard of who's the best FIFA Ultimate Team players, right?
Dave Bittner: Right. Right.
Joe Carrigan: And then these guys go, OK, well, I can see their gamer tags. And then they get in touch with EA staff and try to convince them that they are the legitimate owners of these accounts. EA account representatives allegedly revealed the account email addresses associated with these gamer tags - right? - which essentially gives them - lets these guys know who the real owners are. It provides a way for them to - OK, so I know the email address of who actually owns this tag. Now I can target that person, right?
Dave Bittner: I see.
Joe Carrigan: Right. The other thing they did was these guys actually convinced the EA account representatives to reset passwords, allowing the attackers to just take over the account...
Dave Bittner: Wow.
Joe Carrigan: ...Just by calling up and saying, hey, here's my gamertag. Reset my password, right? Gamertag - I guess it's analogous to a username here. EA customer service reps actually reset the passwords for these guys, these bad guys. Here's a quote from EA - "Using threads and other social engineering methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts." So by going directly to EA, they were able to just nullify the protection offered by multifactor authentication...
Dave Bittner: Yeah.
Joe Carrigan: ...Which I think is amazing. If I went through the - we're going to get to that later. But if I went through the process of putting multi-factor authentication on my account and EA just gave my account to somebody else, I would be very upset.
Dave Bittner: Yeah.
Joe Carrigan: EA is doing three things here. They're saying all of their advisers are receiving individualized retraining and additional team training with specific emphasis on the account security practices and phishing techniques used in those particular incidents. I think that's great. But I think you should have broader social engineering training. I think that's very important. EA is implementing additional steps to their account ownership verification process, such as mandatory manager approval for email change requests. That's good - get another set of eyes on the problem, right? And finally, their customer software will - their CRM system will be updated to better identify suspicious activity, flag at-risk accounts and other kind of stuff. So what they're doing here is actually a good three-pronged approach. They're addressing their people, their processes and their systems, right?
Dave Bittner: Right.
Joe Carrigan: Which are the three things I often say you need to think about when you're worried about social engineering or, actually, cybersecurity in any way, shape or form. EA disclosed that fewer than 50 accounts have been compromised in their press release. However, reports of lower-ranking hacked FIFA 22 accounts have also surfaced online, suggesting that the number of account takeovers is higher than EA has admitted. Now, here's my question, Dave - do you think that EA will effectively restore the access and assets of 100% of people affected by this attack?
Dave Bittner: No. No, I don't think so.
Joe Carrigan: I don't think so either. I don't think so either. I don't have an account with EA because they're mainly a sports game company. And, you know, like I said, I don't play sports games. But I do have accounts with other major companies. And if someone took over, like, my Steam account, for example, I would lose access to every game I've purchased via the platform. It's not a ton of games. It's, like, 70 games, and a lot of them are bundled together, right? A lot of them came bundled.
Dave Bittner: Right.
Joe Carrigan: But I'd be very upset, especially after losing access to some of the progress I've made in my games that are tied to my Steam account.
Dave Bittner: Yeah.
Joe Carrigan: Right?
Dave Bittner: Yeah, sure.
Joe Carrigan: Like, the one that comes to mind is World of Warships. You know, I got Tier VIII ships, which are pretty high-level ships, and it took me a long time and a lot of playing. If I lost that overnight, I'd be furious.
Dave Bittner: (Laughter) I'm sure you would.
Joe Carrigan: I'd be absolutely furious. Where's my North Carolina, Dave?
Dave Bittner: (Laughter) Yeah, yeah. I have experienced that myself for sure - had games that I've spent a lot of time making my way through and, for whatever reason, through a system update or a device update or something like that, lost my progress or...
Joe Carrigan: Oh, yeah.
Dave Bittner: ...Lost the, you know, special - what do you call it? - like, heroes that I've purchased for the game or whatever.
Joe Carrigan: Oh. Yeah, that would make me very upset.
Dave Bittner: Yeah.
Joe Carrigan: Very upset indeed.
Dave Bittner: You know, I mean, that's - yeah, it is upsetting. But I suspect I probably get less upset than you do (laughter).
Joe Carrigan: Yeah, probably. Yeah, I might call and go very angry, which is, you know...
Dave Bittner: Right.
Joe Carrigan: ...The exact social engineering technique that these guys used here...
Dave Bittner: Right.
Joe Carrigan: ...Would be my natural response.
Dave Bittner: (Laughter).
Joe Carrigan: You know, I don't know. I don't know what I'd do. I mean, at that point in time, I might just walk away from everything and just be done with it.
Dave Bittner: Yeah, that's - and sometimes, that's what you - I mean, yeah, I've had that happen, too. Well, I guess I'm done with this game...
Joe Carrigan: Right.
Dave Bittner: ...'Cause I'm not doing that again, you know?
Joe Carrigan: Yeah, yeah, absolutely.
Dave Bittner: (Laughter) Let me find something new.
Joe Carrigan: (Laughter) Yeah, if I lost access to all those, you know, battleships or - actually, you know, not just battleships, but my favorite, the destroyers - if I lost access to those things, I would be - I would not do that again. I would not go through that process again.
Dave Bittner: Yeah, yeah. Well, there's - sometimes, there's a cleansing element to that sort of loss as well.
Joe Carrigan: Yeah, there is.
Dave Bittner: (Laughter) Yeah, being forced to move on.
Joe Carrigan: What am I going to do with all my free time now (laughter)?
Dave Bittner: Right, exactly, exactly. All right. Well, interesting story. And of course, we will have a link to that in the show notes. We would love to hear from you. If you have a story you'd like us to cover or a catch of the day, you can email us at hackinghumans@thecyberwire.com. Speaking of catch of the days, it is time to move on to our catch of the day. Joe, what do we have this week?
Joe Carrigan: Dave, our catch of the day comes from a listener named Jesse who writes, I listen to your show every week, and you guys are awesome. Hey, thanks, Jesse.
Dave Bittner: Yeah.
Joe Carrigan: I'm happy to let you know that I can drop out of school and I don't have to listen to your show anymore as I just got a text from Facebook, and I've won $600,000.
Dave Bittner: Wow. Congratulations, Jesse.
Joe Carrigan: Yes. I think Jesse is being facetious, Dave.
Dave Bittner: (Laughter) Well, we're lucky that Jesse sent along his text message. I'll read it. It says...
Dave Bittner: (Reading) Hello, my name is Sheryl Sandberg, the chief operating officer of Facebook. Nice meeting you. I was assigned to contact you from the CEO of Facebook, Mr. Mark Zuckerberg. There is an online draws that was conducted by random selection. You were picked by CEO of Facebook in order to claim your 600,000 USD. Click on the link to claim your cash prize. Congratulations in advance.
Joe Carrigan: (Laughter) And it's got a link that was sent to him. This is interesting that this came via a text message - just an SMS message, right?
Dave Bittner: Yeah, yeah.
Joe Carrigan: You know, they call this smishing. I hate that term. I hate a lot of these terms that we use in the cybersecurity world.
Dave Bittner: (Laughter).
Joe Carrigan: But smishing is - I mean, this is just phishing via text message. It doesn't need to have a different name, smishing, because it comes from a text message. The technique is the same. But this is exactly the kind of thing that you see all the time. It's simple. It's unbelievable. But it works because somebody will go, who's Sheryl Sandberg? And then they'll Google Sheryl Sandberg and find out that, yes, Sheryl Sandberg is, in fact, the chief operating officer of Facebook.
Dave Bittner: Right.
Joe Carrigan: And then they'll - if they don't know who Mark Zuckerberg is - I know a lot of people do know who Mark Zuckerberg is - they'll say - if they don't know that, they'll Google that, and they'll go, hey, this adds up. This all makes sense.
Dave Bittner: Sure.
Joe Carrigan: And the person that does that is the exact person they're looking for here.
Dave Bittner: Yeah.
Joe Carrigan: The person who is curious and may not know the information also may not know that this is a scam, and that's kind of what they're looking for.
Dave Bittner: Yeah, yeah - that trusting person who also might think, well, what do I have to lose?
Joe Carrigan: Right. Exactly.
Dave Bittner: Right? And the answer is plenty.
Joe Carrigan: A lot. Yeah.
Dave Bittner: Yeah (laughter).
Joe Carrigan: I don't know what happens when you click on this link.
Dave Bittner: Right.
Joe Carrigan: You know, it's probably - I mean, I guarantee you the link is in some way malicious. It may ask you - it may just be an attempt to steal your Facebook credentials, right?
Dave Bittner: Yeah.
Joe Carrigan: Which is a route to another scam. It could be a malware installation page that - you know, a drive-by download or something that exploits some vulnerability on your phone that you have. It could be any number of things. But my guess is if you click on this, you're going to see a fake Facebook login page.
Dave Bittner: Yeah. Yeah, yeah. Probably. Could be.
Dave Bittner: All right, well, again, thanks to Jesse for sending that in to us. And again, we would love to hear from you. It's hackinghumans@thecyberwire.com.
Dave Bittner: Joe, I recently had the pleasure of speaking with Roger Grimes. He is the data-driven defense evangelist at KnowBe4, a company you may have heard of from...
Joe Carrigan: Yes. They...
Dave Bittner: Well, they sponsor this show (laughter).
Joe Carrigan: ...Sponsor our show.
Dave Bittner: So here's my conversation with Roger Grimes.
Roger Grimes: Well, you know, I think certainly overall, it's - just ransomware attacking everyone is probably most people - most IT people's overriding concern. I think they've calculated that it hit at least 50% of all businesses last year, and they're predicting it's going to be somehow greater next year. And the ransomware attackers have exfiltrated, you know, tens of billions of dollars. A lot of it's being done from Russia, which has become a cyber safe haven for criminals. You know, there's other - it's kind of been a blended of nation-state attacks and different countries' attacks - very difficult to put down 'cause you can't prosecute and stop those criminals.
Roger Grimes: And I really felt like the most common question out there from people that, you know, email me and I talk to are like, well, how do I - you know, what do I do if I get hit? How do I prevent it? And what do I do? What steps should I do? There's a lot of really good organizations that help people do recovery and incident response to ransomware attacks, but I didn't see anything really written out really well. So that's what came down to the "Ransomware Protection Playbook" - is both trying to focus on better prevention - 'cause backup is not prevention; it's recovery.
Roger Grimes: And No. 2, what are the steps? What should you do on Day - you know, Hour 1, Day 1, Day 2, Week 1, you know, the first month to recover from ransomware? What are the decisions involved? What are the things you should be doing now to prepare - that sort of stuff.
Dave Bittner: Well, let's go through some of the specifics together. And I guess let's start at the beginning here in terms of prevention. What sort of things do you outline?
Roger Grimes: Well, you know, so I call myself a data-driven defense evangelist because I believe in looking at the data of how you're most successfully attacked. Like, if you're - if you find that people are breaking into your home, you're not going to stop those attackers unless you stop how they're getting into your home. So I've spent 22 years of my life looking at how attackers and malware and, in this case, ransomware successfully breaks into devices and victims and organizations and networks and people.
Roger Grimes: And what I found out is that the vast majority of it, like all hacking and malware, is due to social engineering. So 50% of ransomware breaks in through some type of social engineering, usually tricking the end user into running a Trojan horse program or giving up their passwords. About 25% is due to unpatched software. Twenty-five percent is usually due to some type of password guessing, password hacking. And then another 25% is a whole range of things, including they actually have your password. They bought your password from some other person and compromised you. They log in to your Remote Desktop Protocol connection and just put in your password and walk right on in.
Roger Grimes: But I really looked at - you know, I don't think any of the other guides really spend a significant time of looking at, well, this is how you're broken into, so this is how you need to defend yourself. Like, No. 1 - fight social engineering. If you want to stop ransomware, fight social engineering, and you'll not only put down ransomware, but the majority of other hacker and malware attacks.
Roger Grimes: Let me say that I've been looking at all kinds of literature, and I'm surprised by how often very authoritative sources, like the FBI, will say, hey, be careful. Like, a couple weeks ago, they put out Hive ransomware, and they said, breaks in using social engineering emails. But then in their list of eight mitigations, none of them talked about how to prevent social engineering through email. So - and let me say that's not an outlier. That's the vast majority of ransomware protection recommendations either completely neglect social engineering or mention it last out of a list of a whole bunch of things.
Roger Grimes: And so mine was kind of a, hey, look - if you look at the data, you really need to be focused on preventing social engineering and patching and having better password policy to prevent ransomware. And so I really wanted to bring the focus back to, this is how people are breaking into your house. It's through the windows, not the doors. And if you don't better secure the windows, they're just going to keep getting in.
Dave Bittner: On the social engineering front, I mean, you - as you mentioned there with the FBI, why do you suppose there's some fuzziness there? Is it because it's a human factor, and that's a little harder to quantify?
Roger Grimes: Yeah, you know, I certainly think that is a big part of it. Let me say, I don't understand why people don't focus on social engineering. Social engineering's been the No. 1 way that devices and people have been compromised since the beginning of computers, well over three decades, and yet it's not concentrated on very much. I mean, like, I've been looking at lately - I'm getting ready to release another white paper on this. I've been looking at all the top regulatory guides - so NIST and Sarbanes-Oxley and PCI DSS and GDPR and NERC and FERC and all this stuff.
Roger Grimes: And as an example, in PCI DSS - you know, that's the regulatory document you have to comply with if you want to have Visa and MasterCard transactions on your network. Well, it's, like, a 180-page document, and it has 12 main controls. Under those 12 main controls are another, like, 230 subcontrols to meet the main control. Well, the first one they mention is having a really good firewall, which turns out hasn't worked for two decades. I mean, almost everybody has firewalls today, and most of the attacks that target us don't care whether you have a firewall or not. But it's the first recommendation. It's eight pages of controls, 35 controls. Fighting social engineering, which is the No. 1 thing you can concentrate on, it is mentioned as three controls in five sentences at the very end of the document.
Roger Grimes: Now, let me say, every single document does this. They literally - not only are we doing computer security incorrectly, by not focusing on the biggest threats, first and best; our documents are training ourselves and the newcomers to do it wrong, too. So I'm trying to be this - you know, part of this person yelling out loud, why are we doing it so badly? Like, I don't - so it is - and I talk about it. I've been giving these talks. I wrote a book called "Data-Driven Defense" a couple of years ago. I talk about it all the time about, what are all the factors? Why don't we concentrate on the right things? And, you know, part of it is we - you know, it just isn't sexy enough, you know? Like, I - one of the statistics I give in my book and some of my papers is that - this comes from the Bill and Melinda Gates Foundation a couple of years ago. More people die every day from mosquito bites than in shark attacks in the last 100 years, and yet there is no Mosquito Week on Discovery Channel.
Dave Bittner: Right (laughter).
Roger Grimes: Sometimes the - you know, sometimes these other attacks are just sexier, more - you know, we're all fearful of being bitten by a shark or - you know, like, people are really scared - a lot of people, including myself, who fly a lot get scared when a plane is taking off, but your odds of dying in a plane crash are, like, 1 in 12 million at best. But your odds of dying on the way to the airport that morning are, like, 20 times higher. But nobody's shaking and nervous in the car on the way to the airport, you know? It's just humans don't really - we don't factor the fears correctly.
Dave Bittner: How do you suppose, then, we can go at it to do a better job with this, to realign our priorities?
Roger Grimes: Well, that's exactly it. I mean, so mine is - you need to focus on preventing social engineering better. I mean, it's 70 - in my research, it's 70 to 90% of all successful data breaches involve social engineering. Unpatched software's in about 20 to 40%. Those figures are a little bit lower in ransomware. In ransomware, it's at least 50% for social engineering, and unpatched software's about 25%. We need to do a better job of focusing. Those two things - focusing on social engineering and better patching your software - is anywhere between 75 to 99% of the risk in most organizations. And so if we don't focus on those two or three things - you can throw passwords in there, having better password policies or using MFA. You throw that in there, that is absolutely 99% of the risk. If you don't focus on those three things better, well, the rest of everything you do doesn't really matter. Firewalls don't work nearly as well as they say. Antivirus doesn't work as great. Something like 85% of people successfully compromised by ransomware had up-to-date running antivirus software.
Roger Grimes: You know, and I always - you know, the antivirus vendors are always going 100% detection, 100% detection. If that was anywhere true, we would not have malware or ransomware today. But it's not true. We're being lied to. And so looking at the data, I'm trying to tell people, hey, don't look at the shiny, sexy object. Don't buy this new expensive service or new expensive thing that's supposed to fight hackers and malware and stuff like that. Concentrate - if you look at the data, concentrate on social engineering, better patching, better password policy and MFA. Those are the three or four things that really mean everything for most organizations. And I'm just trying to be a voice in the wilderness shouting that out, you know, as loud as I can.
Dave Bittner: (Laughter) What about mitigation itself? I mean, for the folks who find themselves hit with ransomware, do you have any recommendations there? Are there any things contrary to the - you know, the common advice?
Roger Grimes: Yeah. Well, I don't know if it's so much against the common advice. I mean, there might be. But it's more of making sure to mention the common advice. Like, maybe a really common - as a great example, OK, you know you're hit by ransomware, and you've got to now stop the damage, right? The first thing you want to do is stop the spreading of the ransomware, the damage that it's causing. One of the big decisions would be, you know, do I disconnect or power off the machines or whatever? Well, I say, OK, go ahead and disconnect from the network, but you probably want to do it at the network device level, not at the individual device level because that way when you start to implement fixes or search for malware, you can turn - selectively turn on networking to different devices, and you don't have to manually touch each and every device.
Roger Grimes: And then I go further and say, sometimes - now, so there is a lot of advice that says never turn off the computers, but you could be actually having a wiperware event wipe - there is a lot of ransomware out there or what looks like ransomware that is really wiperware, where, you know, there's been entire companies decimated because they thought it was a ransomware event. It posed as a ransomware event. It took out the country of Ukraine (laughter), for one. And it says, oh, we're ransomware, and we're collecting this. But if you looked at the code, it was really wiperware. In Saudi Arabia - and Aramco's been hit by this a couple of times.
Roger Grimes: So the common advice is never turn off the machines. Well, that's not true. That may be true if you've just got traditional ransomware, but there are times where you have wiperware. And it does hit different organizations. It hit Sony Pictures. It hit Aramco. It hit the entire country of Ukraine. Well, then you want to turn your machines off. It isn't a simple yes or no. It really depends on the scenario. So I kind of present the scenarios and say, OK, this is what you should do. Oh, and if you do need to disconnect the network, do it at the network level and not at the device level, that sort of advice.
Dave Bittner: Can you give us your insights on backups themselves? What advice do you have their
Roger Grimes: No. 1, they're not a prevention control. They're an incident response recovery control. But you should have a good backup. And you should have what's called 3-2-1, which means you have the copies of the data in at least three places - the original place the data is and then in two backup locations. That's the three. The two is you should have them on two different types of media, meaning that, you know, the idea is if the attacker gets to one, maybe they don't get to the other. And then the one is one should be stored offline.
Roger Grimes: And let me say the biggest thing - biggest mistake I see is a lot of people think their offline backup is offline when it's not. I'm amazed. I ask many people, hey, do you have an offline backup? They're like, yeah, yeah, yeah, you know, see probably 75% of the hands come up. I go, can you get to your offline backup through an online console to restore it? And almost all of the same hands come up. I'm like, it's not offline. If you can get to it in an online console, and it doesn't take someone physically doing something separately, then it's not an offline backup. And if you can get to it, the attacker can get to it. And so a lot of people that get hit by ransomware, when they initially get hit, the IT people are like, hey, we've got a backup. Don't you worry. Well, they've never tested the backup. They've never tested it against ever - like, turns out, even if they had the backup - and I'm not making this up - many times after they do a test restore during the recovery, it shows that it's going to take a thousand years to restore all those machines.
Dave Bittner: Right. Right.
Roger Grimes: But more importantly, a lot of times they tell the CU (ph), don't you worry. We've got backups. And then they find out the backups were corrupted or encrypted or deleted or whatever. So most people are not doing what's called 3-2-1 backups, making sure that one's offline. And they're not - they haven't really done - they're like, oh, I've done a restore, I've done a test. And let me say, that's everybody's compliance checklist. Have you done - you know, do you got good backups and you test that they work? Yeah. It means they tested like one file, one folder, one server. But have they tested trying to restore every single server they have, like in the scenario of what ransomware is likely to hit? No. Absolutely not. Most companies have not done that. And how do we know this is the case? Because somewhere between 60- and 80% of the victims are paying the ransom now. And, you know, even in the lowest times, I think it was 40%, 40- to 60%. And that means that a lot of people did not have the backups that they thought they had.
Dave Bittner: Yeah. I mean, I guess, to be fair, it's hard to know where that sweet spot is in terms of, you know, balancing your risk versus the amount of energy, your finances and so on that you're going to put into your backup plan. And it's hard to know exactly where to dial that in.
Roger Grimes: Yeah. Yeah. I mean, you're exactly right. But I tell you, the part that's embarrassing to me is that every compliance guideline in the world says, do you have tested backups, you know, that you - and you do test restores. And everybody's saying, yes, checking OK, we're in compliance. And most people are lying. And even the auditors kind of know they're lying because to do that would take a significant amount of resources. Like, suppose you had a dedicated full-time equivalent FTE that was doing backups. You'd not only need a second full-time employee to do this, but you would have to have the money and resources to be able to do the backup and restoration and restore it.
Roger Grimes: You know, let's say you were backing up 800 servers. You would have to then do a test restore of those 800 servers to another environment. That costs money, and it takes time. And it really - most people are not doing it anyway. It's a cost benefit, but I do find it ironic and-or sad that our entire computer security industry, our cyber resiliency is based, at the bare minimum, on the fact that we all have good backups for disaster recovery and business continuity. And I think it is a revealed myth that we actually have these good, secure, tested backups. And I think - so we need to as a world or an industry decide, are we going to do backups the right way, the correct way that we've always said that we're doing them, or are we going to continue in this kind of fake myth that we're doing them really well, but we're not?
Roger Grimes: I mean, and it's all right if we go, you know what? We looked at the cost, we looked at the benefit, and it's not really worth it to do this full - you know, the way that we've been saying we're doing it. We should just stop lying about it. The first step of the problem is to be honest with ourselves.
Dave Bittner: (Laughter).
Roger Grimes: And then go, you know what? We looked at it, and it's just too expensive to do it the way that we're supposed to do it. And so we're going to kind of halfway do it. I think it's all right to say that we're going to halfway do it. What I think is wrong is to say that we're doing it completely the right way and checking compliance checklists and everything's great, and then, huh. And then when you get hit by ransomware, it turns out, oh, our backups aren't working or will take a thousand years to restore or whatever it might be.
Dave Bittner: All right, Joe, what do you think?
Joe Carrigan: Wow. Tens of billions of dollars lost to ransomware - I am not at all surprised by that number. I think that is probably - you know, like, we often say on this show, this - cybercrime is - 95% of it is financially motivated. And the Verizon Data Breach Investigation Report talks about that every single year. And ransomware is remarkably effective at getting people to cough up money. Roger makes a great point about backups. It's not prevention. It's a recovery. It's an incident response tool. The important part to remember about ransomware is that it is essentially just the last step of an attack all the time. When you have an attack that ends in ransomware, there has been tons of other stuff that's been going on, and you're looking at the end of the incident at that one time.
Dave Bittner: Right, right.
Joe Carrigan: And somewhere, that incident has a starting point. I like the breakdown that Roger provides on initial infection vector for these incidents. The biggest one is social engineering. Somebody says, hey, here, run this, right? And it's some kind of Trojan horse that does something. A lot of times, it's just something that provides, like, a back door to these attackers because it's not just going to be the encryptor that you - that you're asked to run. That's not really very helpful to these attackers. It's going to be something that lets them in so they can explore your network. And then once they know where all your valuable data is, they're going to start encrypting it. But before they do that, they're going to take it.
Dave Bittner: Yeah.
Joe Carrigan: The rest of the vectors of initial attack are split pretty evenly between unpatched software, password compromise and other access methods like brokered access, right? Like, somebody has gotten into this account, and then they're just going to sell that access. One of the interesting points that Roger makes in this that is spot on is recommendations for prevention generally neglect the social engineering angle. They talk about the - what he calls the shiny object, the sexy thing, you know? Hey, look at this firewall. You know, firewalls are great at preventing, like, port scanning of things inside your system, right? But you still have to have that service open to the internet, and the firewall generally lets that go through, especially if that traffic is encrypted - right? - through something like SSL, unless you have the firewall opening up and inspecting all the packets. And even then, you're still not 100% protected.
Dave Bittner: Right.
Joe Carrigan: So - because if I can just send somebody an email and say, run this email for me and convince them to do it, or run this attachment for me and convince them to do it, then I've just bypassed everything 'cause a lot of these firewalls don't stop outbound connections because that stops people from using their computers like they normally do, right?
Dave Bittner: Sure. Yeah.
Joe Carrigan: So I mean, that's how you get around a firewall is you just ask somebody on the inside to get around the firewall for you, and they do it.
Dave Bittner: Sure.
Joe Carrigan: And that's the social engineering aspect. And Roger's 100% correct. That is neglected. And he talks about the PCI DSS that talks about it in three lines or three sentences at the end of the document - right? - but spends an entire section on talking about firewalls. It's a great point and a great observation, and it's really something that you and I have been championing for now three years, right? But it is something the industry, I think, is still missing. They're getting better at it, but they are still not good enough, I think.
Joe Carrigan: Three things to do for prevention - I like what he says here. Social engineering training - mandatory. I think that is probably the biggest payback for a return on investment that you can get. Software patching - a good patching program is a real bonus. And then good password policy or multifactor authentication - and I just say, if you're going to do one of these things, multifactor authentication is going to be the best thing. You should also do software patching and social engineering training. But multifactor authentication can stop a lot of these low-effort social engineering attacks in their tracks, particularly with account takeover things. I think that's where your biggest - the biggest bang for your buck in a product comes from. And training - definitely, software - or social engineering training. And then software patching is free. You just have to have the process and the people inside to manage it. I mean, you know, all the software you already pay licensing fees for, you should be updating that whenever there's a vulnerability that comes out or whenever a new version comes out.
Dave Bittner: Yeah, yeah. Sometimes, easier said than done in a...
Joe Carrigan: It is.
Dave Bittner: ...You know, active environment. But sure, the point is well-taken.
Joe Carrigan: Correct. Right. You need a good software patching program and configuration management program around it. But these things - what's interesting about these things is these things are all very mundane things, right? They're not, like, the superstar, latest cool product thing. They're the basics.
Dave Bittner: Yeah.
Joe Carrigan: And we're not doing it well. And then he goes on to talk about backups. I like his three-two-one backup model. That's great. Data in three places - the original place, a backup and a second backup. Two different types of media - right? - so, you know, you have it on disk, and maybe you have it on tape as well. And then one of those backups has to be offline, and that's critical. And when you say offline - when he says offline, that means that it has to be - you know, it's not accessible. You can't just go, oh, well, here it is. It's over here on this computer. That's not offline. Offline is in a tape or some media that you've taken out of a computer, and it physically can't be touched. It's air-gapped and not even powered on, actually.
Dave Bittner: Yeah, yeah.
Joe Carrigan: You know, there's no power supply to it.
Dave Bittner: It can't just be an unmounted volume because...
Joe Carrigan: Right.
Dave Bittner: A lot of the malware these days will go and look for unmounted volumes and mount them.
Joe Carrigan: Right. Absolutely, absolutely. It's - this was a great interview, Dave. I liked a lot of what Roger had to say. I think he is a champion of common sense in the security industry, and I really appreciate his perspective.
Dave Bittner: All right. Well, again, our thanks to Roger Grimes for joining us. We do appreciate him taking the time.
Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The “Hacking Humans” podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.
