Ransomware, Stop Focusing on the Symptoms!

Once again, a ransomware outbreak (WannaCry) has dominated the media headlines, and cybersecurity vendors are scrambling to capitalise. At the time of this writing, the top 3 (non-paid advertising) spots on Google to the search phrase ‘ransomware’ are 2 vendor ads, and one ad for cyber insurance. All but one thereafter on page 1 results are doom and gloom / blamestorming ‘news’ stories. The one exception? Good old Wikipedia.

This is the exact same thing that happened the last time there was a ransomware attack, and the time before, and is the exact same thing that will happen the next time. Because there will be a next time.

From the Press’s perspective, this is just what they do, and you’re never going to see headlines like; “NHS Goes 6 Months Without a Breach!”, or “Acme Co. Blocks Their 1,000,000th Attempted Hack!”. Only bad stuff sells, and frankly no-one gives a damn about cybersecurity unless they’re a victim, or they can make money off it.

I have dedicated many blogs to the criticism of cybersecurity vendors for being little better than ambulance chasers. This blog is no different. So let’s be very clear;

Ransomware is NOT a TECHNOLOGY problem!!

If your organisation is the victim of an attack, 99 times out of 100 it’s entirely your fault. Either your people, your process, or a combination of both were inadequate. And I’m not talking about your security program not being cutting-edge/best of breed, I’m talking about it being wholly inappropriate for YOUR business. It does not matter what business you’re in, you have a duty of care to know enough about security to address the issues.

Yes, the bad guys are a$$holes, but we’ve had bad guys for millennia and they will always be part of the equation. Security is, and has always been, a cost of doing business, so suck-up and take responsibility. And if you aren’t even doing the security basics, not only will technology be unable to help, but you deserve what you get.

Harsh? Yes, absolutely, because the basics don’t bloody well cost anything! Not in capital terms anyway. It takes what I, and every other like-minded consultant out there have been preaching for decades;

Common sense!

  1. Don’t keep your important files on your computer –  Keep your data on external encrypted hard drives and/or cloud drives. If it’s not ON your system, you can’t lose it. In a perfect world you can Forget the Systems, Only the Data Matters;
  2. Patching – Your systems would have been immune from WannaCry if you had installed a patch made available by Microsoft in MARCH! I could rant for hours about this one, but there’s no point. You know you should be patching your systems, and if you don’t know that, you are clearly not from this planet. Your laptop or your PC is just a means to manipulate the data. Ideally you should completely reinstall your PC/laptop every 6 months to ensure that you have only 1) the latest and greatest versions of everything, 2) no extraneous crap you no longer use/need, and 2) no hidden malware;
  3. Back-Ups – I don’t care how little you know about computers, if you have one and are online, you damned well know you should be backing up your data. And not just to one location, several locations. Everyone from your operating system, to your bank, to your grandkids have told you about back-ups, so there’s no excuse.  External hard drives are cheap, and the online Cloud drives are numerous. Use them all. Yes, I know this is different for a business, but not much;
  4. Don’t open every attachment you get – I feel stupid even writing this one, and it’s not just me talking from a position as a security professional. This is me talking from the position of someone who can read.

So from an organisation’s security program perspective, if you’d had 4 basics in place, WannaCry would not have been an issue:

  1. Policies, Standards and Procedures – The dos, don’ts, how-tos, and what-withs of an organisation;
  2. Vulnerability Management – where patching sits;
  3. Incident response – where back-ups sit; and
  4. Security Awareness Training – self-explanatory

SOME technologies can make this stuff easier / more efficient, but fix the underlying processes and people issues first. That or get yourself a huge chunk of cyber insurance.

[If you liked this article, please share! Want more like it, subscribe!]

‘CEO Fraud’ Is The CEO’s Fault

Whichever way you look at it, the > $2Bn lost in ‘CEO Fraud’ is the CEO’s fault. Maybe not so much the first couple of cases (the ‘zero-day’ ones), but from that point forward, falling for such an obvious scam is indicative of broken processes that all point back to the CEO.

Even one of the most basic tenets of security; that of split-knowledge and dual-control, is all that was required to prevent these attacks! NO-ONE, including the CEO, should be able to authorise these transfers, and NO-ONE, not even the CFO, should be able to perform one.

Not for all transfers obviously, but when we’re talking hundreds of thousands to tens of millions, how was a single person able to proceed without sufficient checks and balances? For God’s sake, a simple CALL to the CEO’s mobile would have sufficed!

So, in the several thousand companies that have fallen for this scam, we can make several assumptions:

  1. The CEOs are above the processes of other employees – I have to believe that the transfer of [for the sake of argument] $100K requires the completion of a form of some kind. That form is then signed by the requestor, and forwarded on to finance for action. In every case where the fraud was successful, the process began with nothing more than an email.
  2. The CEO is ‘God’ –  In this particular case, an accountant transferred $480K based on an email, then only became suspicious when asked for a subsequent $18 MILLION. Seriously? It didn’t occur to the accountant to call the CEO just to make sure? Is the CEO THAT unapproachable that s/he won’t take a 20 second phone call for $480K!?
  3. There is zero oversight on the finance departments – As in the above case, there were clearly no checks and balances in place to confirm authorisation of a transfer, and no-one below the accountant thought to question their own actions based on largely undocumented request? Just following orders were they? What does THAT say about the company culture?
  4. The Information / Cyber Security program is a shambles – Even the most basic Security Awareness & Training programs have sections on social engineering and fraud techniques, and no matter how well a thief did their homework, these emails should have been a huge red flag. How is it that people with such enormous impact on a business (i.e. finance) have no training in cyber security basics / essentials?
  5. The organisations have zero ability to address the prevailing threat landscape – How easy would it be for the information / cyber security departments in these organisation to send out ‘mandatory-read’ emails to all-staff warning them of the ‘new’ threat? How do mitigation techniques not make their way into business process after a significant change in the threat landscape?

The saddest part of all this? This type of fraud is ON THE RISE!! Despite the significant press, despite > $2 BILLION in losses, organisations all over the world still haven’t taken appropriate action.

My most used phrase; “Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEO’s fault, and no-one else’s.“.

In this case, replace “[enter any goal here]” with “immunity from email scams” and apply it the assumptions above. We can determine that;

  1. the CEO’s vision for the organisation does not include an appropriate security program – If they can’t even take care of their own MONEY, what is the chance they can take care of your sensitive data?
  2. the CEOs put themselves above the company values – No company that I know of has ‘Do as I say not as I do.’ as a published value, but clearly the rules do not apply to these folks.
  3. the direction of any organisation is towards its goals. Obviously. How does the loss of hundreds of thousands of €/£/$ and the sheer embarrassment of falling for this attack add to the company’s bottom line?
  4. unfortunately security is up there with ethics when it comes to CEO priorities. They are a cost of doing business, not fundamental processes that add significant ROI when done properly.

The better CEOs who have been victims will look at the root cause of their incident, point their finger squarely in the mirror, and fix it. The rest will fire the finance person and leave themselves open for the next threat. The best CEOs led their company by example, and didn’t fall for the attack in the first place.

Which do you want to be?

[If you liked this article, please share! Want more like it, subscribe!]