CyberWire Daily - How ransomware impacts organizations. [CyberWire-X]

Episode Date: November 21, 2021

As ransomware attacks rapidly rise in frequency, eye-popping ransom demands grab headlines, and consumers experience product shortages and difficulty accessing services as the organizations they do business with are knocked offline. However, little is reported about the impact of a ransomware attack inside an organization. In this show, we cover what steps organizations are taking now to prepare for a ransomware attack and what happens to an organization on that especially bad day when ransomware comes calling. The CyberWire's Rick Howard speaks with Hash Table member Don Welch, Vice President for Information Technology and Global Chief Information Officer at New York University, and show sponsor Keeper Security's CEO & Co-Founder Darren Guccione joins The CyberWire's Dave Bittner on this CyberWire-X as they share their expertise on the topic.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hey, everyone. Welcome to Cyber Wire X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire, and today's episode is titled, How Ransomware Impacts Organizations. As ransomware attacks rapidly rise in frequency, eye-popping ransom demands grab headlines, and consumers experience product shortages and difficulty getting services as the organizations they do business with are knocked offline. However, little is reported about the impact of a ransomware attack inside an organization.
Starting point is 00:00:55 In this show, we cover what steps organizations are taking now to prepare for a ransom attack in the future, and what happens to an organization on that especially bad day when ransomware comes calling. A program note: each CyberWireX special features two segments. In the first part, we'll hear from industry experts on the topic at hand. And in the second part, we'll hear from our show's sponsor for their point of view. And since I brought it up, here's a word from today's sponsor, Keeper Security.
Starting point is 00:01:32 Keeper is the top-rated cybersecurity platform for protecting organizations of all sizes from the most common password-related data breaches and cyber attacks. Did you know that 81% of data breaches are caused by weak password security? Keeper is more than a password manager. It's a scalable and customizable security platform that includes industry-leading features such as automated user provisioning, role-based enforcement policies, SSO SAML integration, advanced reporting compliance,
Starting point is 00:01:59 breach watch dark web monitoring, and more. Members of the CyberWire community will receive a free three-year personal password manager when they take a business demo. Visit keeper.io slash CyberWire to learn more. And we thank Keeper for sponsoring our show. Joining me at the CyberWire hash table today is an old Army buddy of mine, Don Welch. My name is Don Welch. I'm the Vice President for Information Technology and Global Chief Information Officer at New York University.
Starting point is 00:02:37 And completed my second week there, having recently started in that role when previously I was the CIO at Penn State. Yeah, so you've been a Hashtable member from the very beginning, and you've now just taken on this new role, so congratulations. Thank you. Yeah, it's exciting. So we're talking about ransomware, and you've got a lot of experience in this kind of stuff, Don, and I'm wondering, you know, you're looking around, you talk to your peers out there. What do you think the most common root causes are that make organizations susceptible to a ransomware attack? What is the thing they're not doing that allows them to get attacked like that?
Starting point is 00:03:15 So I think it's the fundamentals. So are you keeping your system patched? Do you have good backups that you test? And do your people practice good IT hygiene? Are they aware of emails and clicking on links and so forth? But really, I think ransomware exploits a lack of the basic blocking and tackling that we all need to do. Yeah, the non-sexy stuff. Of the three that you listed there, I'm a big believer in backup plans and testing backup plans. And it turns out that a lot of people haven't really tested those things, especially as our environments have gotten way more complex than it was when you and I first started doing this many, many years ago. You know, having a backup plan that covers all your cloud deployments and your data centers and your laptops and your mobile devices, the complexity level has must have skyrocketed for organizations like yours.
Starting point is 00:04:15 Yeah, I think you make great points in that we struggle to know where our information is, how sensitive that information is, and then whether or not it's properly backed up. But any large organization, especially one that has a more federated IT management, people are putting critical information in lots of different places, and it's very difficult for the security team to keep up with that, understand how important that information is to the institution or the organization, and then to properly protect it. But if you don't know where it is and you don't know how important it is, then it's very difficult to protect it. So ransomware has been around for, geez, over a decade now, but it seems like in the last couple
Starting point is 00:05:02 of years, the organizations behind those attacks have really ratcheted up the kinds of damage they can do. And the question I have for you is you've had a chance to talk with your peers and things. What goes on after you've been hit by a ransomware attack? What is the impact to an organization? Can you walk us through a little bit of that? Sure. So the first part of your question, what goes on is sheer panic travels throughout everyone who has been told of the problems that we've got. And so there's a lot of running around with their hair on fire, hopefully not. I think most organizations now have a process and they hopefully practice it with tabletops
Starting point is 00:05:43 to understand what is the decision-making process. So the first thing is understanding that you are attacked by ransomware and taking whatever important steps there are to contain it so that it doesn't spread throughout the organization. A lot of ransomware attacks are more focused and are designed to spread. So that's common. You want to avoid that as much as possible and contain the damage. And then in parallel, you're working on the technical recovery. So making sure we've got those backups, we know what's going on. We work through our disaster recovery plan on how we are going to recover these systems and so forth, making sure we understand
Starting point is 00:06:27 how far back in time the intrusion goes to make sure that we don't just restore the ransomware along with our data. But at the executive level, there should be a process going on about how you communicate this throughout your organization to your stakeholders, in many cases to regulatory regimes, to meet compliance requirements. So understanding that communication and then trying to make sure that you make the decision on what you are going to do. The FBI encourages us not to pay ransom. And I think most organizations would prefer not to pay ransom. But in some cases, there's a decision made that it is the best for all the stakeholders of the organization to do that.
Starting point is 00:07:15 If you are going to do that, making sure that the right people are involved in the decision, that they fully understand what the circumstances are, whether the information can be recovered, how long it will take to recover it, what kind of organization we're dealing with, trying to find out what their reputation is, do they actually give you valid keys. So all those things go into the decision. And of course, now a lot of attackers are not just encrypting your data, but also stealing it. So they're exporting it out of your network to kind of up the ante in terms of
Starting point is 00:07:54 the damage they can do to your organization. So knowing what they might have and whether their claims are correct are all important going into that decision. Do you pay the ransom? And what can you do technically to try and mitigate this attack? So it really is a very big incident that goes across the institution, should involve general counsel, executive leadership, risk management, obviously IT people, business leaders, so that you can understand what the impact of the recovery time is. You mentioned tabletop exercises, and those
Starting point is 00:08:33 are key here because you don't want to be explaining the options of do we pay ransomware or not pay ransomware during the heat of the battle. In those tabletop exercises, you're trying to explain what are the triggers that will make us pay the ransomware, right? And so you at least have those discussions up front without having to do it under, you know, when you're, like you said, with your hair on fire. Yeah, and I think with tabletops,
Starting point is 00:08:58 it's really good to explore what you consider to be the unlikely scenarios, because most of us are not really good at predicting when a catastrophe hits, what that catastrophe will look like. And so I've been in tabletop exercises where especially the IT people will say, well, that'll never happen because we do this and we do that. And yep, you certainly hope they're right, but history shows. Maybe have a backup plan. Maybe we should think about it just a second. Okay. Just in case. Yeah. Let's put a little bit of time in it. In the army, we used to say, when the map and the ground differ, go with the ground. That's exactly right.
Starting point is 00:09:47 I used to do a lot of these tabletops in previous jobs. And one thing I always learned talking to executives, when I assumed that they were going to make a decision to go left, many times they had good reasons to go right. And it didn't matter how many times I did a tabletop, I would always be, I don't know, surprised maybe is the right answer. And I think that's exactly why you want to do it. From an IT perspective, we have a certain understanding and perspective. And we may
Starting point is 00:10:17 think that, well, you know, we should just do this and we'll recover it, we prepared for it, and so forth. But they have business considerations that we might not have that insight into or may not fully understand. And making sure they know what the parameters will be, in our case, those business leaders, when we say, oh yeah, we can recover this in 36 hours, what does that really mean?
Starting point is 00:10:41 And what's the probability that we'll be successful in doing that? Any project, any major initiative, even like maintenance, we have back out plans for maintenance windows because things don't always go as planned. I'm shocked I say that plans don't go right. We're just incompetent. We should be able to do this, but it's hard. That's why they pay us this much. One of the decisions that people still struggle with is, do you reach out to the law enforcement authorities? Do you bring in the FBI right away?
Starting point is 00:11:13 Or do you push them aside? Is that part of the tabletop discussions going on? Is there a trigger for when you bring them in? Or is it just automatic you bring those guys in? I think any outside help that you bring in, that's something that you want to tabletop and go through and have people think about it ahead of time and what conditions they would.
Starting point is 00:11:33 Because I think that's always got to be an option. Certainly we would like that the bad guys get caught and get stopped so they don't do it to others. So we do want to collaborate with law enforcement whenever possible. But there are some reasons that the business leaders might have why we either bring them in later, or maybe it is something that we're just not going to bring them in on. And others, so most of us have cyber insurance, and cyber insurance have incident response teams that can help. But do we want to bring those teams in?
Starting point is 00:12:09 And so some of the tradeoffs are when you are trying to manage that crisis, adding more people that you have to communicate with, more people that are making suggestions, adding more complexity, you may react slower. And this is a judgment call. A lot of times those resources can be really helpful, but sometimes a little bit too much help can slow down your ability to react to a crisis. So that's a judgment call. And like any judgment call, going through a tabletop exercise helps you make a better decision in the moment, having thought of these things ahead of time. You make a good point. I was going through the DNC hacks of 2016. It wasn't a ransomware attack, but one of the interesting things was the Democratic
Starting point is 00:12:58 National Committee didn't have a relationship with the FBI. So when they needed them, it took them months to build enough trust so that they could believe what each other was saying. And you don't want to be doing that during the crisis, I guess, is the point. So for your tabletop exercises, it may be useful to bring in your FBI rep and let them sit in on a couple of those just to see what they would say. Well, I think you make a really good point with outside agencies and especially federal government that having that trust is really important. There are a lot of people who don't fully trust law enforcement or other federal
Starting point is 00:13:39 agencies, especially in universities, but in other types of organizations too. And there are good reasons for it. In some cases, once you expose information to law enforcement, it's out of the individual's hands in terms of what may happen next. So your wishes may not be followed in terms of what you want to happen because they have to follow their processes. So understanding that, understanding the people, making sure they know you, understand you, that trust building, if you've built that ahead of time, that's really helpful and something that I think is kind of foundational for every cybersecurity team because yes, a lot of attacks just impact your organization, but you may be part of a broader attack and it may have consequences for public safety that you want to make sure
Starting point is 00:14:35 you're a good citizen and helping that be stopped before it becomes a real issue. Here at the Cyber Wire, we talk about first principle cybersecurity strategies, and the things we've been talking about in this conversation kind of fall under the resiliency strategy. But the question I would ask you, Don, is if you could do one thing tactically to make your entire environment more safe from these ransomware attacks, could you point to one thing and say, just do this at first and let's make sure we get that done? That to me would be patching all the systems.
Starting point is 00:15:11 If we kept the patch, yeah, right. I'm not asking for anything easy here. But if every system is patched very quickly, reasonable amount of time, you're going to eliminate an awful lot of attacks. It takes the bad guys a long time to develop a lot of these exploits. And frankly, like the old joke, you don't have to outrun the bear. You just have to outrun the person you're with. Sadly, I think there's a lot of that that is true, that if you are keeping your systems patched, the bad guys, especially criminals who
Starting point is 00:15:47 just want money and they don't care where they get it, they'll go somewhere else. If you're the target of a foreign intelligence agency and they specifically want something, they will be determined and go after it. But if you can keep your patch levels up, I think you can turn away a lot of these adversaries. And so that would be my choice. I don't disagree with that. But I think if I had to choose, I would want a system where I could guarantee that the backups I've made can be restored 100%. Because, you know, we've all done these things. We make backup systems and we try to recover them. And sometimes it works and sometimes it doesn't. I would like a system, if I could push
Starting point is 00:16:29 a button, says, oh yeah, you know, I hear I'm practicing doing it. It restored it and everything was good. That's kind of what I would like to have. Yeah. And I think that's valid. And I think it would be equally valid for someone to say, yep, I want every user to be smart. You know, as long as we're dreaming. I was going to say, do you get those kind of users at Walmart? Can you buy a case of them? Or is that how you get there? Yeah. Yeah, absolutely. Well, any last words of wisdom, Don, about ransomware? Any last words that you want to tell our audience about? I think ransomware goes along with all the kinds of threats that we're facing now. The reality is for all those threats, you have to have a strategy and it's got to be an integrated strategy. We've talked about the defense in depth and that this control will work here and that
Starting point is 00:17:23 control will work there. And I think for ransomware and for everything else, you've got to make sure you've got integrated, overlapping controls. And just one thing is not going to be the thing that saves you. It's got to be a coherent program. All very true and all good stuff done. So thanks for coming on
Starting point is 00:17:42 and good luck on this new gig. We appreciate it. Yeah, thank you. Next up is Dave's conversation with Darren Guccione, the CEO and co-founder of Keeper Security, our show's sponsor. Well, ransomware has increased by nearly 400% over the past two years. It began many years ago as more of a consumer threat and has evolved more into a B2B threat. So we find this to be existential global. I would also tell you that every few seconds, an organization or an individual is paying a ransom.
Starting point is 00:18:30 And these ransoms can range anywhere from a few hundred dollars to several million dollars. It's really an interesting point in that I think the high-profile, high-dollar amount incidents are really what grab the headlines. But are what you're saying here is that there's been no real lowering of the number of the small-dollar-value ransomware attempts that are still happening out there? Well, unfortunately, we don't hear about those. And conversely, they're the most common. So if you look at the attack landscape and just the surface area that we're talking about, you've got SOHOs and SMBs, which comprise of really north of 400 million potential entities out there that represent attacks. And they are basically the cohort that represents 80% of the global GDP and over 90% of the global employment
Starting point is 00:19:28 base. And at the same time, they have probably the least in terms of cybersecurity defenses available to them, mainly because they lack formal budgets, they don't have sophisticated IT staff on hand, and they often don't know where to start. The good news, however, is that they do have access to technologies and products. The key there is educating them and making them aware that these technologies exist to protect them because they are the primary attack target for a cyber criminal. We just don't hear about those in the news because those ransoms typically range anywhere from $1,000 to $100,000 per incident. And as you know, just through sensationalism, the larger organizations that pay ransoms into
Starting point is 00:20:20 the millions of dollars are typically what make waves in the headlines. Do you suppose that there's a lot of folks who think that because they're small, that they're not going to be an interesting target to these ransomware operators? Unfortunately, yes. More than 65% of the time when there's a ransom being paid, it's paid by either a SOHO or SMB. When I say SOHO, I mean small office, home office. And so, you know, is really, you're talking about, I'd say, north of 300 million potential entities out there that represent targets. And then you talk about small to medium-sized businesses. That's an amazingly large attack vector and target for cyber criminals. So I would
Starting point is 00:21:07 just say that at the end of the day, a lot of work has to be done by vendors like ourselves. And this is where we spend a lot of our time to educate and build awareness in the marketing ecosystem so that these organizations know that they can get help on a cost-effective basis. Because quite frequently, you know, where someone says, well, these solutions may be too expensive for me, they're actually not. You know, you can get protected, you know, for under $1,000 a year based on, you know, the size of the company. Obviously, larger organizations will pay, you know, hundreds of thousands, if not millions of dollars for
Starting point is 00:21:45 a robust cybersecurity plan and set of technologies. But generally speaking, these are accessible, they're affordable, they're super easy to use, and they're easy to provision. You know, I think a lot of folks are probably intimidated by what they perceive as the potential high cost of cybersecurity, the amount of time that it may take from them. What sort of things do you and your colleagues help people with in terms of onboarding, of sort of walking them through that process and educating them on what's available to them and how to make it work within the resources that they have. Yeah. So the good news is there's really three things that cybersecurity software should have in order to appeal to today's world. And today's world, I would say ostensibly, is really focused on hybrid work environments.
Starting point is 00:22:42 And we know that distributed remote work is a big deal, but we also know that more companies are starting to move back into the office or operate on a hybrid, and that's how we operate today. So I would say 90%, for example, of our operation is distributed remote work, and 10% of us come into the office. Some days it's more, some days it's less. But the key here is that when you build software, it has to be affordable, it has to be easy to use for whoever the end user is transacting with it, and it has to be easy to provision or distribute. If you hit those three things, then you're going to be in a really good position to sell into the SOHO and SMB market because those teams of people, albeit smaller, they're also very smart. They're in dire need of
Starting point is 00:23:33 this technology and the products, provided that they are easy to use, is going to be a key in adoption. Historically, there's been this concept and a stigma, I'll call it a stigma, where the more secure a software is to use, the more secure it brings you into the organization, the harder it is to use. And if software is hard to use, that has an inverse relationship in terms of adoption. So building software that's secure, that's easy to use and easy to provision drives an increase in adoption. It makes it more desirable for a small to medium-sized business because typically they don't have sophisticated IT personnel on staff. So for us, for instance, when we're working with an SMB or a SOHO to basically purchase
Starting point is 00:24:27 and distribute the software, they are done with training, full distribution, loading everything on every device that they have across every employee. That entire process takes about one hour, and they're off to the races, and they're good to go. And we'll, I would say, infrequently hear from them about a support issue because the key here is if you make the software very easy to use, then you're in really good shape. How do you strike that balance and how important is it to not throw up roadblocks for the user, to not increase friction? You have to implement what we call passwordless technologies, and of use, and security into a single platform is the key to that question. And it's all around elegance, right?
Starting point is 00:25:36 How do you build something that's modern and elegant and at the same time hyper secure to protect the user. So for us, we spend a lot of time with our design team, which is in-house, of course, to always simplify whenever possible. How do we take something that takes three steps and turning it into one? How do we avoid having a user to enter digits into a device as a two-factor method of authenticating into a system, right? So eliminating those steps, right? Because if you look at any workflow, transportation, storage, rework, delay, data entry, those are wasteful activities in any type of business process. Those are wasteful activities in any type of business process. And this holds true in design. So when we're designing applications, we want to really enhance the workflow and mitigate or eliminate the waste. design and then the backend technologies that we couple into that to really build in more of a elegant, seamless, and very fast experience. Where do you suppose we're headed? I mean,
Starting point is 00:26:53 as you mentioned, folks are heading back to their offices, but it looks like this hybrid work is here to stay. Is ransomware here to stay? Are you optimistic that we'll be able to really make a dent here? Well, I think we are making a dent. Is it visible? I would say no, not now. Ransomware is definitely here to stay. I mean, there's roughly 25 cartels now that are earning billions of dollars a year in the aggregate. This is a huge business, right? Just as we sell software above sea level, right? In the ordinary course of life, we sell software as a service.
Starting point is 00:27:36 They sell ransomware as a service. So in the subterranean world of the dark web, you know, the RAS software reigns supreme now, and that is evolving. It's becoming more sophisticated. It's becoming more clever. It's financially backed by, like I said, billions of dollars in capital, and it's potent. So you're going to see those ransomware attacks increase. We are in a cyber war.
Starting point is 00:28:05 There is no doubt about it. I say it repeatedly in various podcasts that we are in a cyber war, and we are. And the only way to win that war is through, and I'm going to back up for a second, it's really through education and awareness. These types of discussions that you and I are having today can be invaluable to someone who needs to gain access to a technology that they can afford that could literally save their company. And you're talking about a few hundred million potential accounts out there that are all being targeted by cyber criminals. Because like I said, the cyber criminals
Starting point is 00:28:46 don't like to go after hardened targets. They go after low-hanging fruit. And unfortunately, for the private sector, the low-hanging fruit are the SOHOs and SMBs. As you move upstream into mid-market enterprise, yes, they are often victimized and they pay massive ransoms, but you'll find that they have formal IT budgets, they have sophisticated or technical IT staff on hand, and they have at least some level of a cybersecurity plan in place. The cyber criminals, yes, they will spend time attacking those targets, but the more hardened the target is, they typically move on, right? And they focus on the low-hanging fruit because to them, they've got a buffet table with 400 million potential targets sitting on it. So this is where the future is.
Starting point is 00:29:42 And that's a wrap. We'd like to thank Don Welch, the CIO of NYU, and Darren Guccione, the CEO and co-founder of Keeper Security, our show's sponsor, for being on the show. Cyber Wire X is a production of the Cyber Wire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe.
Starting point is 00:30:09 And on behalf of Dave Bittner, this is Rick Howard signing off.
