Chair:
Michael Gips – Principal at Global Insights in Professional Security (US) 

Panellists:
Luca Tenzi – International Security Consultant, Blusec SA (Switzerland)
Stevan Bernard – Senior Advisor, International SOS and former CSO at Sony Pictures (USA)
Terry Cutler – Founder of Cyology Labs and Internet Safety University (Canada)

Key points

Luca Tenzi compared today’s ransomware problem to physical kidnapping, which had its heyday in decades past. Physical kidnapping would target one person and could drag on for months or years. Ransomware is broader and more complex, targeting multiple machines and systems. Adversaries rarely give victims more than a few days to pay, which ramps up the pressure. Italy and other countries addressed kidnapping by limiting or curtailing ransom payments lest criminals or terrorists be further emboldened. That policy can inform what we do today for ransomware. Addressing whether corporate security departments are actually equipped to deal with this problem, Luca says organizations are struggling to defend themselves because there are too many easy targets. Plus, not all IT people can talk to corporate security people, and vice versa. Pandemic-era business requires new openness, which runs counter to security’s desire to exert control. He says we can’t guard the fort because there are too many doors. For example, when he performs pentests, he finds that clients forget that each badge reader, camera, etc. is a potential point of access. Therefore an audit has to include everything.

Steve Bernard says that data is the new oil. In the last 18 months we’ve seen a lot of companies become digital to survive the pandemic. Since they are newly digital, they haven’t taken the time to look at vulnerabilities. He says they should call a time out and do a gap analysis. Steve adds that with ransomware, adversaries don’t care who the victim is. They are attacking because it is extremely lucrative. He says that the top 6 ransomware gangs are in Russia, which provides a safe harbor. Also, ransomware is easily available on the dark web. In effect, you can get Ransomware as a Service. It will help you at every stage: accessing networks, negotiating, dealing with insurers, and so on. Now culprits are looking to see who is insured, because insured victims can pay more. He adds that ransomware demands are changing. Attackers are now targeting staff members, threatening to leak their personal medical records if their employer fails to pay. Steve urges us to acknowledge that this is a global problem although most cases are in the U.S. We’ve got to do more together. It’s like a pandemic. He’s very concerned that people think it’s someone else’s problem. Addressing how to work with law enforcement, he recalled his experience with Sony when North Korea hacked the studio. They engaged the FBI on Day One. This was key to the survivability of the company. The FBI has 90+ attachés around the world, and they have influence and relationships, which helped Sony immensely. Other branches of government have gotten up to speed on this, like the U.S. Secret Service.

Terry Cutler says that organized criminals, such as in the drug trade, used to have to travel, find a supplier, bring the product overseas, maybe have it interdicted, deal with rival gangs, and otherwise face a lot of risk. Now they can hide behind anonymous proxy systems. They can be paid without being traced. He says anyone can buy a ransomware kit with tech support for $3,000 and share profits with affiliates. Some gangs earn $9 million in 3 months. Addressing whether companies should retaliate against these adversaries (without going through law enforcement), he says that the technology exists but there are legal limits. Warrants are often needed, which only law enforcement can obtain. When it comes to security’s ability to defend against ransomware attacks, Terry sees that many companies haven’t ever done audits, or they are locked in legacy systems, or think they are too small for criminals to want to hack them. He emphasizes that protective step one is to get an audit done by a third party. Asked why backing up data isn’t a good enough measure, he says that companies often back up data on the same network, so it doesn’t help. Even if they back up to the cloud, if they try to restore 13 Tb from the cloud it will take a month. He says that organizations need multiple backup copies that are disconnected from the network once written. Even if a company can restore its data, adversaries can threaten to release its information, which could cause embarrassment or worse. Asked whether companies can recover payments like Colonial Pipeline was able to do, Terry said that we can figure out who owns the cryptocurrency wallet that payments go to. But given the young age of cybercriminals, it might be easier to find the kid when he shows up to high school in a Lamborghini.
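The two backup failure modes Terry describes (copies that sit on the same network as production and get encrypted with it, and cloud-only copies whose restore takes far longer than the business can tolerate) can be checked mechanically. The script below is an added example, not part of the panel discussion or any panellist's tooling; the backup sets, sizes and restore throughputs are constructed for illustration, and it assumes decimal terabytes (1 TB = 8,000,000 megabits) and a sustained restore rate per copy.

```python
"""Backup isolation and restore-time check (added example, constructed data).

A copy only protects against ransomware if a host on the production network
cannot overwrite or delete it, and it only helps if it can be restored
within the recovery time objective (RTO).
"""
from dataclasses import dataclass
from typing import Any, Dict, List

TB_IN_MEGABITS = 8_000_000  # assumption: decimal terabyte, 1 TB = 8,000,000 Mb


@dataclass
class BackupCopy:
    name: str
    location: str              # "onsite", "offsite" or "cloud"
    reachable_from_prod: bool  # can a production host write to or delete it?
    immutable: bool            # object lock / WORM / media physically detached
    size_tb: float
    restore_mbps: float        # sustained restore throughput, megabits per second


def restore_hours(copy: BackupCopy) -> float:
    """Hours needed to pull the whole copy back at its sustained restore rate."""
    return copy.size_tb * TB_IN_MEGABITS / copy.restore_mbps / 3600


def is_isolated(copy: BackupCopy) -> bool:
    """True if a ransomware run on production cannot reach the copy's contents."""
    return copy.immutable or not copy.reachable_from_prod


def evaluate(copies: List[BackupCopy], rto_hours: float) -> Dict[str, Any]:
    """Apply the policy: at least one isolated copy, at least one copy not
    on site, and the fastest isolated copy must be restorable within the RTO."""
    findings: List[str] = []
    isolated = [c for c in copies if is_isolated(c)]
    exposed = [c.name for c in copies if not is_isolated(c)]

    if not isolated:
        findings.append("no copy is isolated from the production network: "
                        "all copies can be encrypted or deleted with production data")
    if not any(c.location != "onsite" for c in copies):
        findings.append("no off-site copy")

    fastest = min((restore_hours(c) for c in isolated), default=None)
    if fastest is not None and fastest > rto_hours:
        findings.append(f"fastest isolated restore takes {fastest:.0f} h, "
                        f"exceeding the RTO of {rto_hours} h")

    return {
        "ok": not findings,
        "findings": findings,
        "isolated_copies": [c.name for c in isolated],
        "exposed_copies": exposed,               # reachable and writable from prod
        "fastest_isolated_restore_hours": fastest,
    }


# Constructed sample backup sets (hypothetical names and throughputs).
SAME_NETWORK_ONLY = [
    BackupCopy("nas-backup", "onsite", True, False, 13, 10_000),
]
CLOUD_ONLY = [
    # object-locked bucket, but only a 50 Mb/s restore path
    BackupCopy("cloud-bucket", "cloud", True, True, 13, 50),
]
LAYERED = SAME_NETWORK_ONLY + [
    BackupCopy("tape-vault", "offsite", False, True, 13, 2_000),
    BackupCopy("cloud-bucket", "cloud", True, True, 13, 50),
]

if __name__ == "__main__":
    for label, copies in [("same network", SAME_NETWORK_ONLY),
                          ("cloud only", CLOUD_ONLY),
                          ("layered", LAYERED)]:
        result = evaluate(copies, rto_hours=72)
        print(f"{label}: ok={result['ok']} "
              f"fastest_isolated_restore={result['fastest_isolated_restore_hours']}")
        for f in result["findings"]:
            print("  -", f)
```

With a 72-hour RTO, the on-network NAS alone fails because nothing survives an attacker with production access, the cloud-only set fails because 13 TB over a 50 Mb/s link takes roughly 24 days to restore, and the layered set passes on the strength of the detached tape copy. The NAS in the layered set is still reported under `exposed_copies` so it is not mistaken for protection.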

Whether to pay the ransom or not depends on many factors, the panelists emphasized: applicable laws and regulations, the ability to survive without that data, the potential damage if the data were to be revealed, and so on. It might be cheaper to pay the ransom than to pay the fine that would ensue under GDPR or other regulations should private data be published. Sometimes a company has no choice. For healthcare, it’s cheaper to pay the bill than to respond. In fact, so many companies are paying that a cottage industry of negotiators is growing. Insurance provides some cover for now, but its days may be numbered. For example, at least one insurance company has announced its intention to cancel ransomware insurance, because reinsurance is too complex to get. The panelists agree that the best approach is prevention, starting with a 360-degree audit, gap analysis, prioritization of issues, and continuous improvement of security hygiene that incorporates anyone with access to the network.

Michael Gips
15th July, 2021