CEO and Co-Founder of Suridata
CEO - Towerwall
President, CEO, and Co-Founder at Tallo
Have I Been Pwned?
Founder and CEO of Intelligence Arts, LLC
Threat Analyst at Emsisoft
As an Energy Programs Administrator for TDEC OEP, Ben manages activities related to energy security planning, preparedness, and response, as well as the energy-water nexus. He currently serves as Co-Chair of NASEO’s Energy Security Committee and represents Tennessee on the Federal Emergency Management Agency’s Hazard Mitigation Framework Leadership Group.
Cybersecurity Advisor, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
Brent is a Sr. Security Consultant at NTT Security as well as a Trusted Advisor for the Tennessee Department of Safety and Homeland Security on the topics of Physical and Cyber Security.
Krista Mazzeo is the first Cyber Center Manager for the National Capital Region Threat Intelligence Consortium
Chief Information Security Officer (CISO), State of Tennessee
CTO of EMSISOFT
Alissa Knight is a recovering hacker of 20 years, blending hacking with a unique style of written and visual content creation for challenger brands and market leaders in cybersecurity. Alissa is a cybersecurity influencer, content creator, and community manager as a partner at Knight Ink that provides vendors go-to market and content strategy for telling brand stories at scale in cybersecurity.
Alissa is also the principal analyst in cybersecurity at Alissa Knight & Associates. Alissa is a published author through her publisher at Wiley, having published the first book on hacking connected cars, and recently received two new book contracts to publish her autobiography and a new book on hacking APIs.
As a serial entrepreneur, Alissa has started and sold two cybersecurity companies to public companies in international markets and also sits as the group CEO of Brier & Thorn, a managed security service provider (MSSP).
So, when your doorbell rings and you open the door, do you invite the person in before you know who they are? Well, I’m originally from NY, so the answer is NO! Before they enter, I verify who they are, the intent of their visit, and that their identity matches who they claim to be. Why wouldn’t I? Yet we in the security industry still claim in all our talks about cyber security and data protection that we must ‘Trust & Verify’ before allowing entrance into our networks. I see no logic in this statement whatsoever. I know that we have been taught in security to Trust but then Verify before taking any action. If that is true, then we need to instill the practice of verifying first and not even think about trust until verification is complete.
This needs to be re-thought. It should be: ‘Verify & then Trust’
We live in a whole new world. Maybe years ago, when you were dealing with vendors, outsourcers, and your end users, you were able to use a trust-and-verify mentality. But now, in this high-powered world of digital data and transformation, it is more difficult to keep up with all the moving parts because data moves so easily. Not only do you have to worry about the direct vendor you are dealing with, but you must also verify and validate the vendors they are associated with, because your contracted vendor may itself be outsourcing its workload. One may ask: how can I manage not only my vendor but also all of their vendors?
Vendor management has been an ongoing problem for most organizations over the years. And now we add the ‘Cloud’. Yes, they are just another vendor. They have the infrastructure and you have the data. So, do you really want to put all your data in the trust of this vendor? Oh, it’s because they say they are a certified shop. And what does that mean? Certified for what? They cannot certify your access controls. They cannot certify your ability to maintain rights to data. And I just love when they say, ‘we are HIPAA certified’. What does that even mean?
Access control due diligence: Data Classification. If you have not properly classified all your information (categorized the data), how are you assigning access control rights to your end users? Simply moving the application to the cloud or to a vendor site does not make it any better. Have you verified the data rights, based on the data owner’s acceptance, before trusting the user in such environments?
Now, let’s go back to vendor management. One word – Contracts. Yes, this is the life preserver you must have in place or you will sink. Please review your vendor contracts. Watch for clauses about liability: what the vendor is responsible for and what you will own. Moving your data does not relieve you of liability and accountability for your data controls (regulatory, business). Review all your regulatory data requirements before moving data offsite (for example: IRS, SSA, CMS, CJIS).
Data ownership: If you are the source of the data, then you are the data owner no matter where the data goes, and the regulatory controls around that data go with the data, no matter where the data goes. You don’t get a pass on a data compromise, even if you are no longer storing the data at your home site. Here we go again – Verify and then Trust those entities that will be storing/processing your information.
Let’s speak a little about the world of data privacy and compliance: Data privacy is a part of data security and is related to the proper handling of data – how you collect it, how you use it, and maintaining compliance. Data security is about access and protecting data from unauthorized users through different forms of encryption, key management, and authentication. Privacy is not intended to be a security problem, although security controls are a significant part of any approach to privacy compliance. Compliance does not equal security, nor are they the same thing. Compliance is a one-size-fits-all, point-in-time snapshot that demonstrates you meet the minimum security-related requirements of specific regulatory standards like PCI, SOX, FTI, SSA, CMS or HIPAA.
Do you think that these regulatory boards are assuming that you are just Trusting who you are dealing with? Or are they hoping that you are Verifying whom you are dealing with when you outsource your information? Again, at the end of the day you are the data owner. (What I mean by the data owner is: not IT. Data is owned by the business owner, and you hold the key to how the data is protected.) Where liability ends with a hosting provider is at who you allow to access your data. They have the infrastructure that will maintain the controls you need to protect your information, but you need to ensure that the security controls, tools, and applications needed to protect your data are part of the overall vendor contract (i.e. network monitoring, system patches, application patches, intrusion detection, incident handling and management).
We need to understand that data is an asset and has value. Security architecture approaches increasingly recognize the need to implement controls that are focused on the data asset itself, which is normally the asset demanding protection, rather than solely on the infrastructure. Data-centric security enhances other security architectures by ensuring that data becomes the focus for protection. Data security concepts sometimes bring together or refocus existing controls, such as application security and identity and access management.
Social Engineering is the one threat that businesses deal with daily. I have seen that many call center and help desk personnel are starting to Verify who the caller is before Trusting them and releasing the requested information. That information can be anything from the location of an employee, to client information, to a system access password change. This is just one way for a hacker to do first-level discovery on the path to initiating a cyber-attack against a business’s network. Security awareness training is a great tool to help prevent this type of security threat. Simply understanding social engineering, how it works, and the actual financial impact (damages) one can do to a business with the right information in the wrong hands helps prevent such attacks. So, it all comes back to Verify and then Trust before releasing information to a source whose identity you have not confirmed.
We live in an ever-changing cyber security world where the attack surfaces are getting larger as we forge forward with all this great new technology at our fingertips, which makes control measures around the data we need to protect all the more necessary. As we provide better user experiences to our clients, citizens, and customers, there needs to be a continuous thought process about how to best serve and protect not only their data, but also your business reputation.
How does this all tie into your world? You have employees, contractors, and vendors you deal with each day. Your systems (technologies) are subject to connections from many different sources. Awareness of the insider threat alone has made us raise the bar to monitor our internal devices to see who is accessing what, how, and when.
So, with all this said, what does this all sound like? Am I talking about Zero Trust?
Zero trust is now moving from vision to reality
He wrote about Zero Trust from an industry standpoint.
A group of IT leaders recently gathered to explore why this long-discussed concept is finally getting traction and the challenges still remaining. The discussion was on the record but not for individual attribution, and the quotes have been edited for length and clarity.
Here's what the group had to say.
“Government's interest in zero trust originally focused on computer networking. Yet when the federal CIO Council asked ACT-IAC (American Council for Technology-Industry Advisory Council) to explore the applicability of zero trust security in 2018, ‘it became apparent almost at light speed that it's bigger than the network,’ one official recalled. ‘We're talking about zero trust architectures, not just zero trust networking. Networking is a very critical subset of the discussion, but it's really about that architecture.’”
All this reinforces the need for, and focus on, a good security program. Use a framework that will meet your business needs based on the type of data you are protecting. As I spoke about earlier, there are simple questions to ask a vendor who is hosting your data: ‘do you run anti-virus, do you patch your systems, do you perform background checks of your employees, do you have a disaster recovery and incident response plan’. This only touches the surface. It comes down to a solid vendor contract with built-in SLAs and the right security language.
As you work through your security protection programs, and implement your processes, keep this thought of Verify & Trust as you discuss cyber security and protection processes with your teams.
Peter Gallinari has over 47 years of experience in Information Technology, with 27+ years as a professional leader in the field of Data Privacy, Cyber Security & Compliance. He has industry expertise in the Financial Services, Health Care and Government sectors. He has held positions as Chief Data Privacy Officer for the State of Tennessee, Domain Information Security Officer for the State of Tennessee, Chief Security Officer (CSO) at GE Capital and GE IT Director of Operations, Chief Security Officer (CSO) supporting 3 hospitals in New York, and AVP (Assistant Vice President) of Delivery Services for Merrill Lynch. He has been a regulatory compliance leader for controls such as GLBA, SOX, HIPAA, FERPA, FTI, CJIS, SSA, the EU Privacy Directive (GDPR), and commercial compliance for PCI, and a keynote speaker at Data Privacy and Cyber Security conferences for both public and private sector audiences.
Michelle Drolet is CEO of Towerwall, a highly specialized cybersecurity, cloud and virtual CISO services firm with clients such as Foundation Medicine, Boston College and Middlesex Savings Bank. Founded in 1999 in Framingham, MA, Towerwall focuses exclusively on providing small to mid-size businesses customized cybersecurity technology programs. Reach her at email@example.com. Telephone 774-204-0700.
1. With the growing number of high-profile cyber-attacks, PII (personally identifiable information) is being taken by malicious actors. While we talk about regulatory compliance, we have a deficit in protecting this information. What problems do you see in actually protecting this information?
Yes, I agree there’s a deficit. Regulations like GDPR, CCPA or PCI mandate protection of PII data and breach disclosure; however, little is being talked about regarding the ramifications of when this data gets into the wrong hands. Every human record sold on the dark web is a potential entry point into deeper levels of crime. From faking identities to dodging law enforcement to cyber espionage, hackers can leverage online data dumps to do just about anything, which is pretty scary. For regulations, this is a grey area because it’s extremely difficult to calculate or ascertain the severity of the risk.
2. In your opinion, what is the biggest threat to cybersecurity?
Identity fraud, cyber espionage, targeted cyber-attacks and social engineering (phishing) leading to successful ransomware scams. Attacks can easily bypass technical defenses and be extremely difficult to detect. Such forms of cybercrime can result in major losses and severe financial and reputation damage. Look what is happening right now at UMASS Lowell.
3. As companies see an increase in ransomware, VPNs are often proving to be inadequate. It is estimated that Zero Trust Network Access will be implemented by over 60% of all businesses. Do you feel that ZTNA will be a big portion of protection for businesses?
ZTNA in all probability will be the next evolution of VPN. VPN technologies are inherently vulnerable and not designed for a largely dispersed workforce which we have today. ZTNA on the other hand is much more secure and can be implemented across the organization, even extended to 3rd parties if needed. While VPN provides access to the entire network, ZTNA goes a layer up and provides security to each individual application irrespective of the network and is a better user experience overall.
4. With more workers working from home, and cloud services being implemented for scalability and lower costs, do you see more misconfigured cloud settings as a leading cause of breaches for 2021 and in the future?
Yes, absolutely. Data breaches from cloud misconfigurations already cost the global economy $5 trillion annually. As more companies move to the cloud, this number is bound to compound. Lack of awareness of cloud security, lack of adequate controls and oversight, the presence of too many APIs and interfaces, and negligent insider behavior are some of the leading root causes of cloud misconfiguration.
5. Do you see insiders as a threat as we work with trusted business partners and hire remote workers?
Insiders are human beings and humans are the weakest link in cybersecurity. As technical defenses become sophisticated over time and cyber criminals find it harder to access a backdoor, people (intentionally or unintentionally) hold the keys to open the front door to our intellectual property. Holding customer data is a huge liability companies too often ignore as such. In today’s era of hyperconnectivity, suppliers and other trusted business partners routinely have access to sensitive information whose theft or breach can disrupt the entire organization.
6. Globally, the IT industry says there is a need for cybersecurity professionals. Training at colleges with hands-on work, certifications and internships is growing. While there are cybersecurity tracks globally, what model do you see as the best model? What else should colleges be doing? Should companies be mentoring their next generation of cybersecurity professionals?
Many companies are finding it challenging to source the right talent even when threats are growing in both scale and sophistication. What the industry needs is a holistic solution that includes cybersecurity education, career development with a recruitment mindset and partnership with key corporate bodies that support and nurture upcoming talent. At the corporate level, businesses can focus on reskilling existing IT talent, expand training and mentorship programs and network with key institutions or communities to expand their talent pools. There’s high demand for (and huge shortage of) security talent. Career opportunities galore.
7. Any career advice for people interested in Information Technology?
Data is the new oil, and businesses are bound to hire skilled professionals to protect their data. If you’re interested in cybersecurity, there are a number of websites with free resources and a number of well-known conferences like Black Hat and RSA that offer great networking opportunities. College degrees, formal training and certification courses are a great start, although most employers value experience and problem-solving more than certifications; so make sure you get practical experience by securing a job or internship, or by selecting a program with a hands-on curriculum. Once you’ve got your foot in the door, look at specializations in areas such as cloud security, DevOps, network security, incident response and forensics, identity management, penetration testing, governance, risk and compliance (GRC) and more.
Brent is a Sr. Security Consultant at NTT Security as well as a Trusted Advisor for the Tennessee Department of Safety and Homeland Security on the topics of Physical and Cyber Security. He is also the founder of the Nashville DEF CON group (DC615), and is the Global Coordinator for the DEF CON conference “Groups” program. He has held the role of Web/Project Manager and IT Security Director for a global franchise company as well as Web Manager and information security positions for multiple television personalities and television shows on The Travel Channel.
Brent has been interviewed on the popular web series, “Hak5” with Darren Kitchen, BBC News, and on Microsoft’s “Roadtrip Nation” television series. He has also spoken at numerous security conferences, including DEF CON, DerbyCon, ISSA International, Techno Security & Forensics Con, Appalachian Institute of Digital Evidence (AIDE) at Marshall University, and more.
1. What is the biggest cybersecurity threat you have seen during the 2020 pandemic?
As a social engineer, I have alarming success gaining access to secure networks by convincing employees to perform simple tasks for me. With more people working from home, things that might have seemed "unusual" before when an employee is speaking to someone such as the caller ID information, background noise, and other non-office sounds are not that unusual anymore.
2. What threats continue to linger from 2019 that are growing worse?
Social engineering-based attacks are a lingering threat that is getting worse. As I mentioned, more people are working from home, so there are more feasible scenarios that can be utilized by an attacker during vishing and phishing campaigns. You are removing the restrictions in place that you get with an office building, and putting work right in the middle of everyday life.
3. We can see there is no end in sight for many of the threats that plague the IT industry as a whole. What can individual teams do to help prevent these threats?
Outside of the standard recommendations of keeping systems updated, etc., Security Awareness training for employees is extremely important. They need to understand how easy it is for an attacker to gain access by exploiting a person's natural desire to help others. They need to understand the signs to look for, as well as know how to escalate suspicious activity.
4. As we move towards 2021, what direction do you see cybersecurity moving towards?
More two-factor authentication implemented, and hopefully better alternatives for authentication methods other than passwords.
Krista Mazzeo is the first Cyber Center Manager for the National Capital Region Threat Intelligence Consortium where she currently leads a team of two cyber analysts in the identification, analysis, and dissemination of cyber threat intelligence. She previously was a Senior Cyber Threat Intelligence Analyst in the New Jersey Cybersecurity and Communications Integration Cell, serving as one of its founding members. Krista earned her Bachelor’s degree in English/Communications from Cabrini College and her Master’s in Cybersecurity from Virginia College. She is also a Certified Ethical Hacker and enjoys attending hacker conferences, analyzing malware, and tinkering with new technology.
1. What is the biggest cybersecurity threat you have seen during the 2020 pandemic?
There were many cyber threats that targeted individuals and organizations throughout the 2020 pandemic. However, the largest and most impactful cyber threat I observed was phishing. As workers across the country transitioned to a telework posture, cyber threat actors increasingly targeted end users with these social engineering campaigns designed to steal account login credentials, financial and other sensitive information, and deliver malware. At the start of the pandemic many phishing campaigns began using COVID-19 as a lure to exploit the fears and concerns of the public. These malicious emails advertised pandemic-related news and information, but contained malware-laden documents and links leading to specially crafted phishing pages. Other phishing campaigns sought to victimize people facing financial difficulties by advertising fraudulent “work from home” job offers and phony financial relief services. The threat actors behind these campaigns would then take victims’ information and use it to conduct network intrusions and commit financial fraud and identity theft. This year certainly highlights the fact that end users are still the biggest risk to any network or organization, especially when they are working off-site where they may no longer be protected by enterprise network security solutions.
2. What threats continue to linger from 2019 that are growing worse?
Without a doubt, ransomware has grown much worse throughout 2020. Although ransomware is not new and has been a threat for many years, ransomware campaigns have quickly evolved and have become much more sophisticated this year. Initially, ransomware campaigns would target victims individually, asking for a relatively small payment in exchange for a decryption key to restore encrypted data. They target victims through phishing campaigns or by compromising ad networks to serve the malicious code to unsuspecting website visitors. However, as efforts to mitigate and prevent this threat improved, ransomware threat actors began changing their tactics and set their sights on larger prey, namely public and private sector organizations and managed service providers (MSPs). Targeting larger organizations that had critical functions resulted in much larger payoffs for these financially motivated criminals. Additionally, targeting MSPs allowed these threat actors to victimize multiple organizations in a single attack and helped coerce victims into paying the ransom demands quickly to restore data and service to customers. Lately, there has been a drastic increase in ransomware actors using “double extortion” tactics to demand multiple payments, such as charging one amount to receive the decryption key and a second amount to delete sensitive data that the actors stole from their victims’ networks and prevent it from being released publicly. This incentivizes victims to pay the ransom even if they could restore the encrypted data from backups. As ransomware attacks have proven to be quite a lucrative activity for profit-motivated cyber criminals, I don’t see this threat disappearing any time soon, and it will likely get worse in the coming months and years.
3. We can see there is no end in sight for many of the threats that plague the IT industry as a whole. What can individual teams do to help prevent these threats?
First of all, continued education of the workforce is key. As many cyber threats rely on social engineering tactics to trick users into performing actions against their or their organization’s best interests, educating end users at all levels on how to recognize and avoid these threats is a critical component of keeping networks and data safe. Secondly, IT teams within organizations must have a cyber incident response plan in place so that when a cyber attack does occur, it can be mitigated quickly to reduce the impact to operations. Other recommendations include prioritizing asset management, including knowing what is connected to your network and monitoring what needs to be updated or decommissioned if vendor support is no longer supplied, and implementing a robust data protection, backup, and restoration strategy. Lastly, creating and participating in cyber threat intelligence sharing initiatives can also help IT teams keep abreast of the latest cyber threats and vulnerabilities and help them prioritize mitigation efforts to reduce their overall risk quickly and effectively.
4. As we move towards 2021, what direction do you see cybersecurity moving towards?
Unfortunately, I predict that it will only become more challenging for IT teams and cybersecurity specialists to protect networks and data against the growing number of cyber threats and threat actors intent on stealing sensitive information and disrupting operations. In addition to profit-motivated hackers launching attacks for their own personal financial gain, we also have to maintain awareness of highly skilled advanced persistent threats (APTs) conducting cyber espionage campaigns and targeting our critical infrastructure and key resources, which will likely increase in the coming months and years. Attacks against cloud-based services will increase as more organizations transition to a cloud environment to support a remote workforce, and insider threats will grow as economic uncertainty may result in workers agreeing to compromise their organizations’ networks and data for personal financial gain. The best the cybersecurity workforce can do right now is to remain vigilant for emerging threats, encourage the adoption of best practices, implement proven and effective mitigation strategies, and recognize when we may be trading security for convenience.
Chief Information Security Officer (CISO), State of Tennessee
As Chief Information Security Officer (CISO) for the state of Tennessee, Curtis Clan is able to utilize his vast technical knowledge, as well as his information security systems knowledge, to keep the state well ahead of any threats to the state network. After receiving his Bachelor’s degree from Eastern Kentucky University, Curtis worked his way up the IT ranks through positions at Fort Knox, Keesler Air Force Base, Fort Campbell, and finally the state of Tennessee. Initially he came on board in a contract position, working as a network engineer. During his 23 years working in Tennessee State Government, Curtis has moved from network engineer, to manager, to director, and in 2015 to State CISO. Curtis believes in a strong work ethic, which he learned during his upbringing in a very small but industrious farming community.
1. What is the biggest cybersecurity threat you have seen during the 2020 pandemic?
While this hasn’t been the case as much for Tennessee, quite a few states have seen a significant increase in fraud attempts on their Unemployment Insurance platforms. Tennessee has reached out to the other states for lessons learned and has taken actions accordingly.
There has also been an increase of phishing activity with a focus on COVID related content. We have tuned our email gateway to help mitigate this risk.
The remote workforce has dramatically increased and some industries depend on their employee’s devices being on their network for detection and prevention against cyber-attacks. This has heightened the importance of proper use of Virtual Private Network (VPN) and endpoint detection and response (EDR) software.
2. What threats continue to linger from 2019 that are growing worse?
Across all the states we continue to see ransomware and Emotet attempts through either phishing or social engineering. Another threat that continues is compromise through system vulnerabilities, which makes patch management so critical.
3. We can see there is no end in sight for many of the threats that plague the IT industry as a whole. What can individual teams do to help prevent these threats?
There are several things an organization can do to protect its assets. Two common ways that malicious actors succeed are leveraging vulnerable systems and social engineering people. With that being said, it is extremely important that you have a mature patch management program, proper firewall rules and network segmentation. In addition, a comprehensive security awareness program that reaches every computer user who accesses your systems is needed. Every employee must be able to detect suspicious emails and be hyper-aware of nefarious phone calls and social engineering tactics.
Early detection and proper log retention is also extremely important. No organization is going to be perfect but having proper logs to determine the level of compromise will save you in the long run.
4. As we move towards 2021, what direction do you see cybersecurity moving towards?
The use of cloud services, whether it be SaaS, PaaS, or IaaS, is going to increase dramatically, and it will be important that we push for the proper security controls.
I believe more and more industries are going to move from a CAPEX to an OPEX model leveraging to some extent outsourced security operational functions.
I think that more applications will enable Multi-Factor-Authentication (MFA) to help mitigate social engineering attacks.
I believe there is more work in cybersecurity than could possibly be fielded by qualified staff. I feel that Robotic Process Automation (RPA) will help offset the workload by performing deterministic tasks, freeing up resources.
# Business Links:
Tennessee Cyber Hub
TCAT Shelbyville's ITIM program's interview with Fabian Wosar, CTO of EMSISOFT
Fabian Wosar, CTO of EMSISOFT is known as the most prolific ransomware killer in the world. We reached out to Fabian and asked him ten questions.
Steve: You’re the cybercriminal…Create ransomware or steal and sell data? Why?
Fabian: There can be a whole bunch of motivations at play. Some people are just interested in the challenge. They just want to prove that it is possible to break a system or to write malware for a certain system. Then you have people who just do it “for the lulz” or are somehow politically motivated. These people usually want to highlight certain issues or just want to have fun. The vast majority, however, especially when it comes to ransomware, are financially motivated.
Decently successful ransomware groups make tens of millions of dollars each month. Gandcrab for example managed to generate 2 billion US dollars’ worth of ransom money within about a year.
Steve: Do you see patterns from the “cyber gangs” in the reuse of code when they program new ransomware or variants? Are these ‘gangs’ becoming smarter? Are they recruiting better programmers?
Fabian: It very much depends on the gang and campaign. Ransomware code is readily available not only on black markets but also on places like GitHub. So the barrier to entry is somewhat low. There are also a whole bunch of “Ransomware as a Service” offers available, where everyone who is interested in getting into ransomware can just sign up, infect a bunch of people, and then get a cut of the revenue generated. That is how Gandcrab operated, for example.
The gangs behind ransomware haven’t necessarily have become smarter, but they adjusted and changed tactics a lot. While in the beginning, ransomware very much was a home user problem, the focus has shifted towards companies in the recent years. Instead of spreading ransomware through spam, exploit kits and pirated software, attackers try to break into systems directly in order to encrypt them.
Steve: Are you seeing a collaboration of cybercriminals where opposing criminals are ‘teaming’ up with one another?
Fabian: There definitely is a lot of teaming up going on. Take a look at Ryuk for example, which is often deployed through existing bot infections. Whether the bot herders are behind Ryuk itself or whether the Ryuk gang is buying infected systems from the bot herders isn’t exactly clear. There is obviously also a lot of auxiliary stuff going on. It’s one thing obtaining a large amount of bitcoin. It’s another to turn that bitcoin into clean cash that you can use and buy things with. So the same organised crime structures that are involved in money laundering are present in cyber crime as well.
Steve: Is Microsoft keeping up with updates and patches and are you seeing more neglect from IT personnel?
Fabian: There certainly is a bit of apathy going on. Every couple of weeks there is a new big vulnerability threatening your security. It becomes difficult to keep up, especially when you have lengthy test cycles for new patches to make sure they work in your environment, or if you rely on certified hardware and software that can’t be easily patched without breaking the certification.
Outsourcing was often seen as a solution to this problem, but especially recently there have been attacks on MSPs, often with catastrophic results. We have seen cases where MSPs got hacked and thousands of their clients got hit by ransomware that was deployed through the RMM systems used by those MSPs.
Steve: IoT and Network Area Storage is getting hit by Ransomware today. Do you foresee new threats that go into Automotive/Transportation, SCADA/PLC, Linux and Mac OSes that involve a more sophisticated Ransomware?
Fabian: We have already seen some of those cases. A while ago a bunch of phpBB communities got targeted by a rather unique ransomware. They replaced the database driver on those communities with one that would transparently encrypt and decrypt all data during access. The forums continue to work fine, often for months, until the attacker pulls the key out of the driver, making the database inaccessible. Since the driver has often been there for months, backups may have already been rotated out. But even if they weren’t, a large portion of the content that was added since the attack may be encrypted with no recovery possible. I would suggest [sic] more of these types of attacks in the future.
Steve: When did you first notice code in Ransomware had your name in it? Were you shocked? Is this something you are seeing more of? Are you constantly receiving threats?
Fabian: The first time it happened was about 3 years ago in a ransomware called Radamant. I wasn’t exactly shocked, to be honest. I was more surprised and also a little bit proud. It’s the greatest form of compliment you can get in my line of work. It still happens occasionally, in addition to ransomware authors contacting me directly on Twitter or in various online communities. The threats have become fewer, but they still happen occasionally. The biggest reason for that is that I am less public about my work and often help victims directly or provide information to other researchers who then release the decrypters.
Steve: Generally how long does it take to reverse engineer ransomware and provide keys if possible?
Fabian: That very much depends on the ransomware. But on average, it takes me less than 30 minutes to take the ransomware apart, find the encryption routines, and figure out whether the encryption scheme is secure or not. Writing a decrypter then takes another couple of hours, about 4 on average I would say. A lot of QA and testing goes into these decrypters. The last thing we want is to damage the user’s files, after all. So we tend to focus on being careful instead of being the first. However, more often than not we are the first anyway.
Steve: Are you seeing more shady security companies who negotiate with the cybercriminals without the victim knowing?
Fabian: It continues to happen, yes. It’s important to drag these companies into the open and tell people what they are doing. People often think I am against paying the ransom under any circumstance. While that would obviously be the ideal, I am well aware that when push comes to shove, people prefer to part with a large sum of cash rather than kiss their entire livelihood goodbye. So I am not against paying the ransoms per se, if there truly is no other way, and I also don’t think that a data recovery company should be ashamed of paying ransoms. Quite frankly, engaging with a company that has experience with these types of negotiations can be quite beneficial. Not to mention that your accountants will probably prefer you paying a legitimate third party instead of buying bitcoins and sending them somewhere without any kind of invoice.
Ideally data recovery companies should just be honest about how they came up with the amount they charge their clients and outline exactly what they are doing. That doing so can make you hugely successful can be seen in the case of Coveware for example, who are very open about their processes and cost structure.
Steve: How did you get involved in Information Technology?
Fabian: I bought my first PC when I was about 10 years old. It didn’t take long until I got my first computer virus (Tequila.B). I was really fascinated by the concept, so I went into the library (sort of an offline Wikipedia for the young people out there ;)) and they actually had a bunch of books about computer viruses. So I got really into the topic, which led me to eventually learning assembly and Pascal programming and writing my own little anti-virus tools when I was about 11 years old. I never really moved away from that.
Steve: Finally, what is your recommendation other than the usual protection methods that someone can use to protect themselves against ransomware?
Fabian: Backups are by far the best protection. I recommend everyone who isn’t on some data-limited plan to go with a cloud-based backup solution. Preferably one that can operate using “zero-knowledge”, so that your data is encrypted on your system and the backup provider has no knowledge of what data is being stored on their service. Besides backups, practicing proper cyber hygiene is key. Stick to well-known software and keep it updated. Don’t download and install software from places that aren’t trustworthy. Don’t have your data lying around openly on the internet. Have all access points to your network and systems protected using strong authentication (ideally based on certificates, not passwords; but if you have passwords, make sure they are of high complexity). Things like that.