Beyond the Firewall
The recent spate of high-profile cyberattacks, many involving paid ransoms featuring six or seven zeroes, has brought an ongoing, and escalating, problem even more to the forefront. Businesses are being advised that the problem needs to be managed — before the worst happens. That means having a detailed plan involving many layers to keep things safe.
As he talks about cybersecurity, Charlie Christianson, owner of CMD Technology Group, equates that art and science (mostly science) to an onion.
By that, he means it has layers — many of them — with each one being important to the desired end in this matter: keeping one’s data, business, financial information, and perhaps life and livelihood safe.
“The goal isn’t to have one be-all, end-all product or solution that’s going to protect you — it’s a variety of things,” he explained. “It’s about trying to put as many layers between the threat on the outside and the asset, which is at the core.
“Most people understand the firewall discussion,” he went on. “But what they’re starting to understand is that it’s not just the stuff that protects you — it’s your staff, it’s your people, it’s the training, it’s the education, it’s the policies, and having all that in place.”
Christenson, like everyone else in this business, has been making this onion analogy — or whatever phraseology they use to get their points across — quite often these days. That’s because cybersecurity — mostly in the form of high-profile, as in very high-profile, attacks — has been in the news lately. Again. Or still, to be more accurate.
These attacks have come one after another: the Colonial Pipeline, the steamship service to the islands in Massachusetts, the meat company JBS, and many others.
Collectively, what these hacks have shown that businesses across all sectors are vulnerable, and this isn’t a problem for other people to worry about.
That has always been the case, said those we spoke with, but the recent spate of cyberattacks and the relentless coverage of them have served as a needed wakeup call for business owners of all sizes, most of which — the number varies depending on who you talk to, but it’s at least 50% — are simply not ready to handle or respond to the kind of attacks seen lately.
Charlie Christianson likens cybersecurity to an onion; both have, or should have, many layers.
Which brings Christianson back to his onion, and Phil Bianco to diabetes, or type 2 diabetes, to be exact.
“It’s always easier to prevent diabetes than to treat it after the fact,” said Bianco, chief technical officer with Melillo Consulting, which has three offices in the Northeast, including one in Springfield. “It’s the same thing with security — it’s always easier to manage things prior to the incident and be prepared for that and act appropriately.”
Elaborating, he said there are many elements to the process of managing before something bad happens, everything from having your system assessed so that vulnerabilities can be identified to acting on the recommendations listed in that assessment; from training employees on how spot suspicious e-mails to knowing what to do and whom to call when your system is attacked.
And while Melillo and all other firms in this business sector will do remediation — coming in after the hack and putting things back as they were, to the extent possible — and “stop the bleeding,” as Bianco put it, businesses would find it much better, and cheaper, if they hired the same company to handle preparation and prevention and work to eliminate the cuts that cause the bleeding.
“The goal isn’t to have one be-all, end-all product or solution that’s going to protect you — it’s a variety of things. It’s about trying to put as many layers between the threat on the outside and the asset, which is at the core.”
The high-profile cyberattacks of the past few weeks are an indication of how widespread the problem is, but they are also misleading to some extent, said those we spoke with, because they have involved mostly larger businesses and entities with very deep pockets, as evidenced by the size of the ransoms they paid. The sobering reality is that small businesses are a more attractive target because they are likely to be less prepared for such an attack.
“Cyberattacks are really a numbers game, and small businesses are less likely to invest in the cybersecurity practices, so they’re seen as low-hanging fruit,” said Lauren Ostberg, an attorney with the Springfield-based firm Bulkley Richardson (and a member of BusinessWest’s 40 Under Forty class of 2021), who helped spearhead the launch of the firm’s cybersecurity practice.
Lauren Ostberg says small businesses, many without IT teams or sophisticated cybersecurity systems, are low-hanging fruit for hackers.
“And these attackers also sell each other pre-made malware, so less sophisticated attackers can just send out 100 different phishing e-mails, see what sticks, and then attack there,” she explained. “So nonprofits are at risk, small- to medium-sized businesses are at risk, and, in most cases, they don’t have the insurance to back them up to minimize that risk, and they don’t realize how vulnerable they are.”
Everyone should now understand just how vulnerable they are, said those we spoke with, adding quickly that some remain slow to take action and adjust to what is a troubling new world order. Those who don’t adjust do so at their peril, said these experts, adding that recent events show just how easy it is to be attacked, and how painful, costly, and time-consuming it is to repair the damage that’s been done.
What the Hack?
As they talked about those behind all the cyberattacks going on in the world right now, those we spoke with used a wide array of descriptive adjectives to let people know just whom they’re dealing with.
Words like sophisticated, diabolical, persistent, and relentless were used early and quite often, as was another that should get the hair up on every business owner: automated.
“It is only a matter of time before any organization falls victim to one of these attacks,” said Joel Mollison, president of Westfield-based Northeast IT, who said this inevitability shouldn’t prompt paralysis, but instead well-thought-out action to prevent (to the extent possible) such an attack, and then recover as quickly and painlessly as possible if an attack does occur.
“It’s always easier to prevent diabetes than to treat it after the fact. It’s the same thing with security — it’s always easier to manage things prior to the incident and be prepared for that and act appropriately.”
Mollison puts it in clear perspective, if anyone wasn’t already sure.
“Typically, we find that most organizations have basic security measures in place, but rarely understand their level of potential exposure or impact on operations during such an event,” he said. “The ability to recover from one of these events varies widely based on size of the organization, data volume, and locations of data and services. Even in the best-case scenarios, this process can take many days or weeks.
“Business operations are almost always crippled to a marginal capacity while systems are recovered,” he went on. “The financial impact, even without having to pay a ransom, is often devastating, and most cyber liability policies are underfunded, which compounds the problem. There are also compliance, reporting, and legal factors that are part of the recovery process that are often overlooked.”
Stan Bates, director of Business Development for Melillo, agreed. Relating some recent and current cases his firm is handling, he said they effectively communicate how widespread the problem is, what issues and problems are confronting business owners, the costs involved (and there are many of them), and the direction this matter is taking.
Given the sophistication and persistence of today’s cybercriminals, Joel Mollison says it’s only a matter of time before any organization falls victim to an attack.
One involves a large nonprofit in the healthcare sector, he said, adding that this client found out the hard way all that can be involved with returning things to the way they were before the attack.
“It got hit really hard, and they called us to help fix the situation,” Bates recalled. “They were hacked, they put their system down, they were out of e-mail, they were out of just about everything you can think of. The sad part was they weren’t prepared to know what to do, and to top it off, their insurance company forced them to use their security group, which had a limited knowledge of their network, and pay for those services, while also paying us to come in and help those guys understand what they had and fix it.
“They’re up and running,” he went on. “But it took about two weeks.”
Another case involves a small machine shop in the Hartford area, he said, adding that this small business has been informed that, if it wants to keep getting contracts from the federal government, it must meet a series of guidelines regarding cyberattacks and being fully prepared for them. “It’s going to run about $4,000 to $5,000 a month for us to monitor and secure his system and hit the score the federal government is telling him to hit.”
These anecdotes are just some of many that help tell the story of how cybersecurity is becoming a huge issue for business owners and managers, one they can no longer ignore — not that they could really ignore it before.
Indeed, such sobering messages have been delivered with increasing frequency over the past several weeks as the high-profile attacks — and the ransom payments that include six and sometimes seven zeroes — come with increasing regularity. And they have certainly stimulated some interest within the business community, and also government offices and nonprofits, to be ready, or at least more ready.
“The conversations have changed. In the past, there were certain people you could talk to until you were blue in the face, and it was purely a dollars-and-cents discussion: ‘you want me to spend how much in a firewall, or this piece of software?’ Now, it’s ‘what can we do?’”
“The conversations have changed,” Christianson said. “In the past, there were certain people you could talk to until you were blue in the face, and it was purely a dollars-and-cents discussion: ‘you want me to spend how much in a firewall, or this piece of software?’ Now, it’s ‘what can we do?’”
Ostberg agreed. “People are taking the matter more seriously, and they’re taking me more seriously when I tell them they have to plan for cybersecurity incidents,” she said. “I’ve noticed an increase in concern, especially about ransomware, which can really cripple a business.
“The Massachusetts regulations and the advice I give my clients provide a lot of good ideas about ways to prevent or mitigate some of the risk that would be caused by some of the hacks we’re seeing,” she went on. “And it’s focused on building layers of prevention.”
At or near the top of any list of prevention measures is training, specifically involving the detection of phishing e-mails, which comprise the entry point for most of the hacks that occur today, according to those we spoke with.
Members of the team at Melillo Consulting, from left, Phil Bianco, Doug Morrison, and Stan Bates.
As they talked about these e-mails, they summoned some of those same adjectives as they tried to convey just how sophisticated they have become.
“The phishing is getting more elaborate, and the social engineering that goes behind it is far more advanced than what we’ve seen in the past,” said Doug Morrison, practice director for the Development Operations team at Melillo. “It used to be that the e-mails were intentionally easy to sleuth out, because that way they could weed out the people they didn’t want; they wanted the people who were easily fooled to click on the link. But now, it’s getting very elaborate and very difficult to tell real e-mails from the fake e-mails.”
With this level of sophistication, Bianco said, it really is only a matter of time before someone makes a mistake and opens the door for a cyberattacker. But training and knowing to be on alert and skeptical of everything remotely suspicious are still critical to help minimize such incidents.
“Know who you’re doing business with,” he said. “Trust an e-mail if it’s someone you’ve done business with in the past. And if it isn’t someone you’ve done business with in the past, be skeptical of that; if you’re in question, send it over to your IT team, and let them take a look at it. If they see a bad e-mail, they can tell you immediately, ‘hey, we’ve seen this before, this is not something you should work with — please delete this or quarantine this,’ or, if they haven’t seen it, they can send it on to an anti-spam or anti-virus protection service that they’ve engaged with, and that individual or group can look at it across multiple things that they’ve seen.”
In dealing with suspicious e-mails, Bates cited his own firm as an example of the kind of rigorous training that can and should go on.
“We do quarterly training — each employee has to take a test and pass it,” he explained. “It’s terribly difficult, but it instills in your mind some of the things that are going on out there. Just the other day, we got hit, but everyone in the organization was smart enough, because of their training, to delete before they opened.”
Because of the seeming inevitability that these sophisticated phishing attacks will succeed, businesses of all sizes need to have all the other layers of that onion to fully protect themselves from attacks — the training and the policies, in addition to the hardware and software.
“You have to have all the other layers in place because you simply cannot rely on humans not to click on e-mails at the pace that they’re required to do,” said Morrison, noting, as others did, that subsequent layers include a firewall, backing up all information, and encryption of information.
As noted, there are layers to backing up information, said the experts we spoke with, noting that the best solution is to isolate the backups as much as possible from the main network.
“Most companies do back up, but these malwares that do ransomware are pretty sophisticated,” Bianco explained. “The average time that that individual has compromised your network is typically a month or more. And in that month or more, they can go through and encrypt your backups as well as your production-installed system, your code bases, and things like that.
“Know who you’re doing business with. Trust an e-mail if it’s someone you’ve done business with in the past. And if it isn’t someone you’ve done business with in the past, be skeptical of that.”
“And they have a pretty sophisticated map of what your environment looks like, so we’ve been working with customers to do what’s called air-gabbing backups,” he went on. “Once that infrastructure is backed up, it’s completely separated from your network, so it can’t be encrypted.”
Christianson agreed, and noted that such independent, often off-site backup systems need to not only be in place, but be monitored as well.
“We’ve all heard the stories … people think they’re backing up for a long period of time, only to find out that, when they need it, the backups are not working,” he said. “That’s why people are starting to realize that it’s really important to have these systems monitored in some fashion, and that there are multiple layers.”
As for whether to pay that ransom … most consultants, and lawyers like Ostberg, certainly recommend against that practice, although that hasn’t stopped many of those who have been attacked from paying out millions in Bitcoin.
“One of the things that’s just awful is seeing people pay the ransom,” Christianson said, “because that’s not the answer. You’re just encouraging them to come back — and they will come back, not to mention the fact that they give you the key and you get your data, but you have no idea what they dropped in there and left for a back door.
“Honestly, in some cases, the only way to know is to reformat it, reinstall it all, scan the heck out of the data, and bring it back from the ground up,” he went on. “Or, manage a good disaster-recovery backup plan.”
Which brings him all the way back to that onion he referenced at the top. It should have many, many layers, he said, with more added as they become available and necessary, because what worked and what was enough a few years ago probably isn’t enough now, and certainly won’t be enough a few years and maybe even a few months from now.
That’s how quickly and profoundly the scene is changing when it comes to cybersecurity and protecting a business, nonprofit, school system, government agency, or household from those who would do it harm.
Managing the problem is all-important, said those who spoke with, but what’s most important is managing it before the worst happens — because doing so can often prevent the worst from happening.
George O’Brien can be reached at [email protected]