
EP 40: Ransomware Defenses for cities
About this episode
November 12, 2019
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, discuss a recent Dark Reading article by Sara Peters: “It Saved Our Community: 16 Realistic Ransomware Defenses for Cities”
Episode Transcript
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, cybersecurity counsel at the law firm of Newman DuWors. Visit them at cyberriskopportunities.com and newmanlaw.com.
Jake Bernstein: So, Kip, what are we going to talk about today?
Kip Boyle: Hey Jake. Today, we're going to talk about ransomware defenses. I think this is a great topic for us because recently there's been a number of highly publicized ransomware attacks. In particular, a coordinated attack against 22 towns in the state of Texas, which we don't really know too much about. How was it coordinated? That information hasn't been released, but it's a big change in terms of the level of sophistication of attacks. But the big reason I want to talk about this is because I saw an article on the Dark Reading website and it's called "It Saved Our Community: 16 Realistic Ransomware Defenses for Cities." The author is Sara Peters, and it was published on August 30th, 2019. I've read it in detail more than once, and I do that because I just love learning about real cyber attacks.
Jake Bernstein: Yeah, me too. In fact, one of the things that was interesting about the one that the article's about, which is actually a remote town up in Alaska, is that it's another example where they paid the ransom.
Kip Boyle: Yeah. And boy, you don't want to get me started on that because paying the ransom, I'm so opinionated on that. We'll touch on it just a little bit towards the end of the episode, but it's a whole other episode entirely about whether you should pay the ransom. So the attack was actually from a year ago, the summer of 2018, and it was against a town called Valdez in Alaska. And yes, if you're old enough to remember the Exxon Valdez, we're talking about the same part of the country here. There are 4,000 people who live in the town of Valdez and you can reach it by driving your car out of Anchorage for five hours.
Jake Bernstein: Wow. That is a long drive. That's like from Seattle to Vancouver, Canada, and back again, or Vancouver [inaudible].
Kip Boyle: Yeah. Well, it's definitely a long drive, but it's way more remote than Seattle or either of the Vancouvers happens to be. I think that plays into it, the remoteness of it. So there's some good ideas in this article, but what also caught my attention is that there's some really bad ideas in there as well. I felt like the article overlooked several very effective, low cost ideas and they were just overlooked completely. So I thought it would be useful for our listeners if we called these things out, the good, the bad, and the forgotten to help them become better cyber risk managers.
Jake Bernstein: I agree. So why don't we go ahead and start with the good ideas? And maybe if there are some bad ones, we'll save those for the end.
Kip Boyle: Okay. All right. So one of the good ideas in the article was data backups with versioning. I assume everybody knows what versioning means, but just to be clear, versioning means, is that your data backup solution would snapshot your files at different times at different stages of their development. So if you lost the most recent one, you could restore back to one that was, let's say one hour old, just as an example.
Jake Bernstein: Okay. So, that is pretty useful and that keeps your data safe from being encrypted by the ransomware. Is there any risk that the backups themselves will get encrypted? I know that's happening more and more.
Kip Boyle: Yeah, there absolutely is. So the idea with versioning is that if you do get a ransomware attack and the version of the file that's on your computer gets encrypted, the idea is you could go back into the data backup scheme and you could retrieve the last version that was not encrypted, thereby getting yourself more or less back where you started from. But yeah, the latest versions of ransomware are very good at discovering where your data backups are.
They will encrypt those data backups first. They'll do it silently, so you don't know what's going on, then they'll go to your computer and encrypt everything there. That's when they'll display the ransom notice. And then you go back to your data backups, you think you're good, but then you find out that all your backups are encrypted as well. The state-of-the-art for data backups now is to have an offline or sometimes called cold storage collection of your data so that there's a gap that the ransomware can't get to that data.
Jake Bernstein: So the state-of-the-art is basically what backups used to be totally?
Kip Boyle: Yeah. Way back in the day, backups used to be to magnetic tape in some form of cassette and would require a human being, although at one point it actually switched over to a robotic arm, to rotate the tapes. Then that got tiresome, and so people said, "Well, what if we just do them all online, and then there's no tape shuffling and we can back up at the speed of the network?" It was great as long as it lasted, but that technique, I think, is what's getting us into trouble.
Jake Bernstein: It is, yeah. Interesting. All right. So what else is on the list?
Kip Boyle: Okay. Another really great idea on the list is buy cyber insurance.
Jake Bernstein: Oh, absolutely. Hopefully everyone knows how much we like insurance. We've had guests, Chris Brumfield and Peter Marshall, whose entire show was about insurance. So yes, that is an unqualified... Well, actually nothing is unqualified.
Kip Boyle: Not in the lawyer's world.
Jake Bernstein: Buy good cyber insurance.
Kip Boyle: Yeah, you got to buy good cyber insurance. And if you don't know what we mean by good cyber insurance, because there is bad cyber insurance for everybody in any particular situation, go back and listen to those episodes because I think Chris and Peter do a very good job of explaining why it is so difficult to get a good policy. So there you go. There are other good ideas in this article, but one of the things that really clawed at me is there are 16 ideas, and I couldn't tell if the author meant for them to be in priority order and-
Jake Bernstein: Probably not.
Kip Boyle: And even if she did, I don't agree with the priority that she put them in. So I just assumed that they were in a random order. Therefore, I said, "Okay, well, I want to prioritize this list." That led me to realize that I think there's some missing defenses.
Jake Bernstein: Such as?
Kip Boyle: Well. Jake, you know and I think our listeners know that I'm a big fan of the Essential Eight. That's published by the Australian Signals Directorate. You can just Google that right then and there and you'll get the information, all the background details you need to know about the Essential Eight. But the idea of the Essential Eight is to keep malware off your computer, and ransomware's malware.
So it's a perfect fit. But this article here in Dark Reading only mentions four of the Essential Eight. And the ones that are mentioned are data backups, which we talked about, security updates for operating systems, security updates for applications, and they also mention restricting administrator accounts. So, okay, we've got four, although in the article they were all lumped together in the same idea. So I just felt like we need to pull that apart.
Jake Bernstein: Yes, I agree. Although, do you want to go through the other four now, or maybe this isn't the time for that?
Kip Boyle: Yeah. I don't think we have enough time to go through the other four, let alone fully explain the four that were in there. But let's take a moment, call out two of the missing ones that I think are most relevant to decreasing your risk that you're going to get a ransomware infestation. The first one is two-factor authentication and the article didn't mention it at all. As I said, I've read the article several times and I didn't see them there. So if any of our listeners want to read the article and show me where it was in there, I'd love to know, but I didn't see it.
If it really wasn't in there, that's strange because ransomware often arrives by a phishing attack. And we know from the studies that Google has released this year, and I think last year they released another study, that two-factor authentication is the best defense against phishing. Their report says, "Even if you use SMS text messaging to receive a one-time password, you're going to block 96% of the bulk email phishing attacks and you'll block 76% of the targeted attacks." That's pretty darn good.
Jake Bernstein: That's really good. For something that really has gotten pretty straightforward, I think that is a phenomenal [crosstalk].
Kip Boyle: That's even accepting the fact that SMS is a terrible way to get one time passwords. Right. So, that's a good, I think, balance of the scales. So SMS isn't secure and yet it's still useful. That's why it's still with us.
Jake Bernstein: Well, I think we want to point out that when we say SMS isn't secure, we mean that it's spoofable, there are attacks that target the SMS system itself, but any two-factor authentication system is very likely to be better than none.
Kip Boyle: Yeah, very likely. Now, if you hold a lot of money in a cryptocurrency wallet, I wouldn't trust SMS at all.
Jake Bernstein: No, I wouldn't. We're not saying that SMS is an ideal or even... I think it's effective, but it certainly is vulnerable and it should not be used for anything truly sensitive.
Kip Boyle: Right, okay. It is effective in terms of phishing attacks. That's one thing that I think should have been in the article. The other thing I think should have been in the article is application whitelisting. The article does talk about the cousin of application whitelisting, which is blacklisting. So products like Carbon Black and Cylance, what they do is they maintain and curate a list of all the bad stuff floating on the internet.
It's like the Center for Disease Control saying, "This is a list of all the cooties in the world that you want to stay away from, and here's a list of all the treatments and all the preventions for all those cooties." Blacklisting products, I think, they're just running out of steam. I really think the future is application whitelisting.
Jake Bernstein: Well, let's talk real quick about blacklisting. How is that really any different than old school antivirus? I think everyone knows that antivirus of course, is necessary, but it sure is not sufficient.
Kip Boyle: Right. Well, so it's different in the sense that there are enhancements in some of the latest so-called next generation blacklisting products. The addition of artificial intelligence, for example, behavioral analysis and that sort of thing, backed with machine learning. I'm not going to suggest that I understand all of the nuances and everything about artificial intelligence and whether it's good or bad, but I will say that it's not perfect.
The problem is that the reason why we need to enhance our blacklisting products with behavioral analysis and artificial intelligence is because the cyber criminals, they know that just blacklisting is not going to work. Every piece of malicious code they release now is mutated so that you can't fingerprint one and then be able to recognize them all. That happened a long time ago.
Jake Bernstein: Yeah, it did.
Kip Boyle: So, the blacklisting products are trying to keep up, but I just don't believe ultimately that they're going to prevail. I really think whitelisting is the answer.
Jake Bernstein: Okay. What's whitelisting? Let's talk about that.
Kip Boyle: Okay. So if you know that blacklisting is I'm going to maintain a list of things that are forbidden, then whitelisting is the absolute opposite. It's, I'm going to maintain a list of things that are approved. What's great about application whitelisting is, once you have your list of things that are approved, then you tell your operating system, if it's not one of these things, don't run it. And there are different mechanisms in application whitelisting to prevent it from being spoofed.
It's not perfect of course, but what's nice about it is that once you dial it in and you tell your operating system, this is all I want to run, it doesn't matter what malicious code shows up. It's not going to be able to run because the operating system will say, you're not on the list and like any good bouncer standing at the red velvet rope, you're not getting in.
Jake Bernstein: Right. No, that's excellent. That seems like a very effective mechanism. Are we aware right now that there are vulnerabilities in whitelisting? What would it take even theoretically to get through that?
Kip Boyle: Well, so application whitelisting is not impenetrable, so it depends on the technology behind the application whitelisting. Let me just give you a simple example. So, one way to do application whitelisting is to say only executable files residing in the following directories on the hard drive can run. Well-
Jake Bernstein: Okay. So that version is not particularly secure?
Kip Boyle: No, because if you can sneak an executable into a directory on the whitelist, then it'll run. Another way that you can do it is you can do digital signatures. Another way you can do it is wrap those digital signatures in certificates. So you can do X.509 digital certificates. You can beef up the mechanism for knowing what's on the whitelist and blocking what is not. But cybersecurity is an arms race. It's a constant Tom and Jerry, cat and mouse affair. Inevitably, either an algorithm gets compromised or somebody figures out how to spoof a certificate authority.
There's going to be all these complicated attacks that are going to come up. But I still think application whitelisting has a lot of potential. Now, the other problem with application whitelisting is it's hard to do administratively, it's difficult to do. And I think emotionally, people have a hard time with it because just like people have a hard time standing at the velvet rope in the exclusive nightclub, it's like I want in. And if I'm not one of the beautiful people, you're not going to let me in and I don't like that.
Jake Bernstein: And I think that perhaps more than many other forms of security software, whitelisting strikes me as one that's got a high potential for shadow IT or people trying to get around it or not using a system because they can't use their favorite note-taking app or so. So the administrative burdens on whitelisting are high. The effectiveness is also very high.
Kip Boyle: Yeah, it is.
Jake Bernstein: It also depends on your culture. I think if you're in a small company, any kind of startup, it may not be the best idea at first, but certainly as you get to be a big organization, it may be one of the only ways to truly keep safe.
Kip Boyle: I think what's interesting about what you said is that application whitelisting as a control is available through Microsoft's Active Directory. So if you have an Active Directory environment, then you have application whitelisting built in. There are lots of great TechNet articles that are available to help you understand what your options are and what you can do. I just think that if it's available to you, you should at least know what it takes to do it. And if you decide you're not going to do it for whatever reason, okay, fine, but make it a rational choice.
If you're blocked simply by the emotions of it or the politics of it, then I would say, sharpen your pencil and come up with a really good rationale. Don't dismiss it out of hand. I really think that this is the future and I think more vendors are going to come along. And I think Microsoft's going to get better at supporting the version of application whitelisting that they already have. Anyway, I just think that blacklisting's got a real dark future and I think application whitelisting is the future.
Jake Bernstein: I won't even go there. All right. Let's talk about the two bad ideas now.
Kip Boyle: Okay. All right. So to round up the episode here, there were two quotes in the article that just really, I struggled with. The first one, it's a quote from somebody who is acknowledged as a cybersecurity expert by the author. The cybersecurity expert was trying to discuss the nature of cybersecurity in government and why it was different from cybersecurity in the private sector. And the quote is this, "We can have cybersecurity or we can fix a bridge." That is such a false choice. Oh my gosh, that is-
Jake Bernstein: That is, and you could replace "fix a bridge" with any other business need. There is no difference between government and private sector. Cybersecurity is cybersecurity.
Kip Boyle: Yeah. I mean, in the private sector, I could say we can have cybersecurity, or we can upgrade our website, or we can have cybersecurity, or we could buy a new scheduling tool for our customer service teams. I'm not saying that this conversation doesn't happen, but what I am saying is that it's false thinking.
Jake Bernstein: It's also just plain wrong because you can draw a false choice between anything that requires resources, but cybersecurity is frankly not optional anymore for anyone.
Kip Boyle: It's not. When you think about our susceptibility to ransomware and that sort of thing, I would think that even if it did cost a little bit more, you could make a really good case that it would be justifiable based on the frequency with which this particular attack is being seen all over the place. Go back to the 22 towns in Texas. That's a watershed attack in terms of sophistication of attackers. I can't wait till the details come out on that because it would make a fantastic basis for a case to your senior decision makers that we've got to do better when it comes to cybersecurity. But if you look at the Essential Eight, another way that this whole idea of we can have cybersecurity or we can fix a bridge is false, is a lot of those things don't cost any money at all.
Jake Bernstein: Oh, yeah.
Kip Boyle: So it's bankrupt in that way as well. Restricting administrator accounts, that's purely a policy decision with some administrative work. Using two-factor authentication: sure, there are expensive forms of two-factor authentication that you might want to use, but guess what, you can go out and get two-factor authentication systems for no money at all. So I struggle with it from that point of view as well.
Jake Bernstein: And I would say too that what's one of our favorite sayings on this podcast and in our professional lives is cybersecurity is not an IT problem. It's a management opportunity. This quote from a so-called expert makes the assumption that any kind of cybersecurity is just this hugely expensive endeavor, as opposed to just part of everyday business, which is what it actually is.
Kip Boyle: Absolutely. Absolutely. Anyway, that's enough of that particular... See, even your dogs don't like it.
Jake Bernstein: Well, fair enough.
Kip Boyle: That's enough of that particular quote. There's a second quote in there that really gets me going, and we're going to have to be careful here that I don't get going too much. So the police chief of the town of Valdez is quoted as saying, "Four Bitcoins in ransom was a good use of taxpayer money."
Jake Bernstein: I'm sorry. Say that again. Are there...
Kip Boyle: Yeah.
Jake Bernstein: That is frustrating actually.
Kip Boyle: Oh yes.
Jake Bernstein: Now to be fair, this is a gentleman who is police chief of a 4,000 person town in remote Alaska, which is to say that he might not be up on all the latest thinking and news related to cybersecurity, but-
Kip Boyle: Point granted.
Jake Bernstein: But, Kip, why don't you tell us why that is such a painful thing to hear a government official say?
Kip Boyle: I have a whole list of reasons, but I'm just going to focus on one because we don't have much time. And it really comes down to this. If you think that funding North Korea's illicit nuclear program is a good use of American taxpayer dollars, then I guess I could see how you could support the police chief statement. I absolutely disagree.
Jake Bernstein: What you're really saying is that ransomware is performed by criminals or hostile state actors. So when you pay, you are either choosing to support crime, which is bad, or you're supporting a so-called rogue nation or just hostile state and-
Kip Boyle: Or a terrorist organization.
Jake Bernstein: Yeah, or a terrorist organization. I mean, either way, it's bad. This idea that, oh, four Bitcoins in ransom was a good use of taxpayer money. No, it was not ever. What would've been a good use of taxpayer money is having a suitable backup system.
Kip Boyle: Absolutely. Oh my gosh. Yes, I could have taken those four Bitcoins, the worth of that in real American currency, and think about all of the Essential Eight that I could have implemented with that. That's how I think about it.
Jake Bernstein: Yeah. So just FYI, as of the date of recording, one Bitcoin is about 11,000 US dollars. So, that's $44,000 that he had to pay. I think it would be difficult to spend a substantial amount more on just a basic backup system, particularly since a lot of competent default level software systems have it for free.
Kip Boyle: They have it for free and every software provider out there that's selling data backup systems is scrambling to make them ransomware safe. So all you had to do, I think, and anybody's welcome to tell me I'm out to lunch on this, but if you don't have a ransomware safe backup system, why aren't you talking with your vendor and saying, when's the version coming that is ransomware safe or where's the configuration guide that helps me reconfigure my existing system so that it is ransomware safe? So again, it just comes back to, I believe it's mostly a management issue.
Jake Bernstein: Yeah, and it usually is.
Kip Boyle: All right. Jake, any final words on ransomware or this particular news article?
Jake Bernstein: No, I think it's time to move on from this article and wrap up this episode.
Kip Boyle: I'm just going to get cranky if we keep talking about it for sure. All right. Well, that wraps up this episode of the Cyber Risk Management Podcast. Today we talked about ransomware defenses. We'll see you next time.
Jake Bernstein: See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport and should incorporate management, your legal department, HR, and IT for full effectiveness. Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So, if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk business strategy program. Find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.
YOUR HOST:
Kip Boyle
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
YOUR CO-HOST:
Jake Bernstein
K&L Gates LLC
Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.