Entrepreneurs might not realize how sensitive they really are to ransomware

The best listening experience is on Chrome, Firefox, or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The ransomware threat has scared almost everyone. A big unknown is the actual vulnerability of your organization to ransomware attacks. A cybersecurity company called Black Kite claims to have developed a way to assess your risk using open source information. To find out how it works, Black Kite security chief Bob Maley spoke with the Federal Drive with Tom Temin.

Tom Temin: Mr. Maley, nice to have you.

Bob Maley: It’s good to be here. Thank you for.

Tom Temin: OK. So tell us about this evaluation. And you did a pretty good assessment of federal contractors. We will get to that in a moment. But how can you determine a person’s vulnerability to ransomware attacks?

Bob Maley: So we collect a lot of data about companies that are publicly available on the internet, we do analysis for our clients. And last year some of our customers asked us, they said, could you find a way to see if our vendors are ransomware sensitive? We are seeing a very good increase in that. So we did it, we put researchers there. And we found out that there were a number of things bad actors typically use to break into businesses to run ransomware. So we developed an algorithm that looks at all of our data and pulls it out and gives us a probability. It’s a number from 0 to 1. So that’s what we did.

Tom Temin: A scale of 0 to 1, I guess that’s 100 points in there somehow?

Bob Maley: Yes, percentage.

Tom Temin: Understood. And what are the main vectors that ransomware has discovered? I thought it was pretty much phishing.

Bob Maley: Well, phishing is one of the two main things that happens. And there are some underlying things that make phishing more effective. These are technical things that have to do with the way you set up your email, their DNS settings, things that a lot of businesses just don’t care about. The second most important thing bad actors do, they search for open remote access ports, on your servers on the internet. This is what happened at Colonial Pipeline, for example.

Tom Temin: Understood. So old-fashioned hacking is still a vector. They don’t necessarily rely on the weak employee who clicks that link.

Bob Maley: Absoutely. It has been like this for 20 years. Ransomware was invented 20 years ago, but bad guys know better how to get it into our networks.

Tom Temin: Well, the implication here is that the companies you’re testing have to let you see which ports might be open. And that’s a bit of a scary prospect.

Bob Maley: Well, they don’t need to let us watch it, they’re actually open-ended that bad actors can see. That’s why it’s so concerning that he’s there for anyone who knows how to go out and look for these things. They can do it.

Tom Temin: And is it a basic cybersecurity hygiene measure, the closure of unused ports?

Bob Maley: Yes it is. I know, it’s interesting that the Department of Homeland Security created a website called “Stop Ransomware” a few months ago. And the top things they recommend you do to stop ransomware are things they’ve been telling people to do for at least two to ten years. They are therefore not new.

Tom Temin: You can probably cite the NIST Special Publication 853 page, where this particular tip is located.

Bob Maley: Yes I am sure.

Tom Temin: I haven’t memorized it. But I know it’s in there somewhere.

Bob Maley: It’s a pretty big document that I don’t have either.

Tom Temin: And a recent report you published showed the degree of vulnerability to ransomware in parts of the defense industry base in the Federal Contracting Community, tell us more about what you found there.

Bob Maley: So what we did was we looked at the top 100 by contract value in the DIB. And we have led these companies through our research. And we found out that there was a higher percentage of them who were also failing at those basic things that bad actors are looking for. And they were sensitive to ransomware.

Tom Temin: Can you give us some figures? Like you said there is a scale of 0 to 1, was the average above a certain point where it goes from “you are probably fine” to where you are in the territory at risk ?

Bob Maley: Yes, we saw that 20% of those first 100 were very sensitive. And that means there was somewhere over 0.60 in the Ransomware Susceptibility Index.

Tom Temin: And you mentioned open ports, and we talked about phishing attacks, is there another high vulnerability indicator?

Bob Maley: There are. So some of the things bad actors are looking for. They are looking for lead credentials. Credentials are user IDs and passwords that are for sale on the dark web. And we found that 42% of these contractors had at least one primary dark web ID in the past 90 days. And we saw that in patch management, there were a lot of servers that were running older operating systems that are usually targeted by bad ransomware players.

Tom Temin: We speak with Bob Maley. He is Head of Security at Black Kite. And of course, again, a basic hygiene issue is that I mean, ongoing diagnostics, ongoing monitoring, and remediation is now federal policy for many jurisdictions. And that’s for federal systems and you’d think contractors should follow the same best practices. But I want to talk for a moment about the fishing angle. And is it possible to assess whether a company is sensitive to phishing, because it depends a lot on its employees, their level of training, their sensitivity. And that would seem like a harder thing to come by than knowing if they’ve opened any ports.

Bob Maley: Well, yeah, it’s a bit more complicated. But some of the things that can make a business or entrepreneur a little more resilient to phishing is that there are technical things about the way their email is configured, it’s called DMARC, DKIM, SPF. These are things that you can do when they are registered, it makes the domain a bit more resistant to phishing. And what I mean by that is the top performing email companies like Microsoft, Google, and Yahoo and all of them are looking at this information. And when they see an email that doesn’t have these attributes, they say it’s a spoofing or phishing email, and they block it before it even gets in. In a company. So this is one of the things that we can see as companies that don’t have these things set up correctly. But it’s also one of the easiest things to fix.

Tom Temin: Yes, the DMARC standard is not something new. But it seems to have taken on increased importance in the age of ransomware.

Bob Maley: Absoutely. None of these things are new.

Tom Temin: Okay, so what should businesses be doing in the CMMC area, when everyone is looking at everyone’s supply chain or the American part of the supply chain? Everyone is looking in everyone’s kimonos here, it seems like it’s time to get down to the basics of directions coming straight from the government itself?

Bob Maley: Well, CMMC, that’s a complicated question. Now that 2.0 has been released, there are already some changes. And in reality, CMMC is a compilation of existing controls, there is really nothing new in CMMC. It is an effort to try to put in a single type of audit that the base of entrepreneurs, the DIB base, the 300,000 suppliers are subject to the same compliance regime. This is therefore the objective of the CMMC. While I think that’s a great goal, I don’t think CMMC will really have much of an effect in slowing down ransomware.

Tom Temin: Understood. And for some of those other technical issues like shutting down ports and making sure you’re running the most recent and patched versions of software, especially operating systems, but also some of the apps, I had thought that at this point in history, companies would have some automated means of doing this with a dashboard report on your operating system and your fixes. And that was sort of settled and forgotten, but it still feels like a lot of hunting and nailing to do.

Bob Maley: Well, it’s not so much knowing what’s in there. It is about understanding what the business implications are, whether you are going to apply patches or whether you are going to upgrade an operating system. Imagine that you are a technician responsible for patching systems and urgently telling your company that we need to upgrade this operating system because it is obsolete. It’s old, we can’t even get fixes for it anymore. And management will say: Well, can you guarantee that this is not going to break our apps? What kind of decision are you going to make? You cannot guarantee it. So often people just hope they don’t fall victim to it. And they continue to do business as usual.

Tom Temin: In the case of phishing attacks, where all they want is data return for money, is encryption a good protection against this?

Bob Maley: Well, no, this is protection against the second level of a ransomware attack. So there are two levels that occur. The first is that they encrypt your data and require you to pay a ransom so that you can decrypt it and use the data. Then they will sell your data as well. If it’s already encrypted, it sort of stops this second level of attack, but it still doesn’t give you access to your own data because they also encrypted it.

Tom Temin: So your best advice is to take the assessment?

Bob Maley: Yes, and keep it simple. It’s not the hundreds of checks in CMMC. Although compliance is important, and I understand why this is done. But think like the bad actors: address the things they use to get into your networks first, be proactive.

Tom Temin: Bob Maley is Black Kite’s chief security officer. Thank you very much for joining me.

Bob Maley: My pleasure.

Source link

Comments are closed.