Home Posts tagged ransomware
Cybersecurity Special Coverage

Defense Mechanism

 

The numbers are staggering. According to Cybersecurity Ventures’ 2022 cybercrime report, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025.

The impacts on businesses are already well-established. According to security.org, one in every six businesses that fell victim to cyberattacks faces ransomware, and about half of them pay the ransom. And according to a report last year by Security Intelligence, the share of data breaches caused by ransomware grew 41% in the previous year and took 49 days longer than the average breach to identify and contain.

A study conducted last year by Positive Technologies among financial organizations, fuel and energy organizations, government bodies, industrial businesses, IT companies, and other sectors found that cybercriminals are able to penetrate 93% of company networks and gain access to local network resources.

Such breaches, obviously, affect personal data. In 2020 alone, data breaches exposed more than 37 billion personal records, 82% of which came from only five breaches, security.org notes. Data breaches affect not only companies and organizations, but also the people whose information is in the exposed records. And identity-fraud losses in 2020 cost its 49 million victims $56 billion in total, or roughly $1,100 per victim.

“Cyber insurance premiums are climbing, and it’s becoming increasingly difficult for companies to afford or obtain coverage.”

Clearly, the threat is real, and growing. Here are a few trends to consider when looking at the cybersecurity landscape, and what tech media and organizations are saying about them.

 

Rising Threats, Rising Liability

With the rise in cybercrime has come increased risk for businesses, and that means a much larger cybersecurity sector. According to security.org, the global cyber insurance market was worth $7.8 billion in 2020 and is likely to grow into a $20 billion industry by 2025. About 75% of all cyber insurance premiums are for businesses, and the rest for individuals. But that could be shifting as well.

So, too, is the responsibility companies bear for their own data security, Forbes projects. “Cyber insurance premiums are climbing, and it’s becoming increasingly difficult for companies to afford or obtain coverage,” the publication notes. “To negotiate insurance premiums and better risk coverage, businesses will be required to present evidence across a broad spectrum of security areas in order to prove compliance with leading cybersecurity standards and best practices.”

Organizations will begin to conduct enterprise risk assessments that highlight the maturity level of their cybersecurity program and proactively address any underwriting concerns, it continues, noting that risk assessments can help determine decisions around insurance gaps, limits, and coverage.

“With the distinct possibility of a global recession on the horizon, we expect to see ransomware attacks spike in 2023. However, larger organizations in regions heavily impacted during the ransomware boom are the most prepared for this wave after investing time and money in fighting back.”

As for those internal efforts, Forbes also notes that cybersecurity has become too complex for many organizations to manage on their own, and most companies don’t have the skills or resources to manage a full-fledged security operations center (SOC). For these reasons, many businesses will be forced to think creatively and could decide to outsource their day-to-day security operations.

Locally, one such SOC is being developed at Springfield Union Station, part of a state- and federally funded project announced in November to establish a Cybersecurity Center of Excellence at the site, which will also include a ‘cyber range’ for training.

Mary Kaselouskas, vice president and chief information officer at Springfield Technical Community College (STCC), which will manage the center, noted recently that “a lot of companies don’t have the resources for a fully operational SOC, or can even afford to have managed SOC operations,” so the need for a local SOC is clear.

 

Zero Trust on the Rise

One way businesses are increasingly curtailing cyber threats is through a concept called ‘zero trust.’

According to IBM, the idea, developed by John Kindervag in 2010 while a principal analyst at Forrester Research, is a broad framework that promises effective protection of an organization’s most valuable assets. It works by assuming every connection and endpoint is considered a threat.

Essentially, a zero-trust network logs and inspects all corporate network traffic, limits and controls access to the network, and verifies and secures network resources. A zero-trust security model ensures data and resources are inaccessible by default, and users can only access them on a limited basis under the right circumstances, known as least-privilege access. The strategy also authenticates and authorizes every device, network flow, and connection.

“As hybrid work became a way of life, more organizations have started adopting zero-trust frameworks, meaning all users, apps, and devices that request access are assumed to be unauthorized until proven otherwise,” Security Intelligence notes. “Organizations with a zero-trust approach deployed saved nearly $1 million in average breach costs compared to organizations without zero trust deployed.”

 

Connecting the Globe

Perhaps no cybersecurity trend has been bigger in the last several years than the scourge of attacks related to the supply chain. Analyst firm Gartner predicted that, by 2025, 45% of global organizations will be impacted in some way by a supply-chain attack.

“Cyber criminals look for organizations or industries teetering at the edge and then make their move to tip them over,” said Charles Henderson, an IBM global managing partner and head of IBM Security X-Force. “Last year, we saw that with manufacturing — a strained industry viewed as the backbone of supply chains. With the distinct possibility of a global recession on the horizon, we expect to see ransomware attacks spike in 2023. However, larger organizations in regions heavily impacted during the ransomware boom are the most prepared for this wave after investing time and money in fighting back.”

Global threats often require a global response, which is why, last year, the U.S. State Department announced the launch of the Global Emerging Leaders in International Cyberspace Security (GEL-ICS) Fellowship, in partnership with the Meridian International Center.

The fellowship will support the development of a diverse global network of future cyber policy leaders who share the U.S. and other partners’ vision for cyberspace, and is designed to equip emerging leaders from the governments of these foreign partners with the knowledge and global connections to be advocates of the framework of responsible state behavior in cyberspace, as affirmed by the United Nations General Assembly.

The first cohort of 20 to 25 government officials will engage in a year-long program on international cyberspace policy in 2023. Fellows will visit Washington, D.C., New York City, and San Francisco to engage with U.S. and international leaders from government, industry, and civil society. They will also participate in a series of thematic webinars to support continuing education and foster networking among the fellows and stakeholders.

Additionally, fellows will reconvene on the margins of the 2023 Internet Governance Forum hosted in Japan to mark the end of the program. With each year, fellowship alumni will form a growing, global network of proponents for a stable and secure cyberspace for future generations.

 

Good Time for a Job Search

If there’s a plus to the increasing cyber threat landscape, it’s an explosion in job opportunities. Even at a time when the IT industry is seeing massive layoffs, cybersecurity appears to be a safer harbor than other tech careers.

The global cybersecurity workforce grew to encompass 4.7 million people last year, reaching its highest-ever levels, according to a workforce study by ISC2. However, the same study found there is still a need for more than 3.4 million security professionals, an increase of more than 26% from 2021’s numbers.

The U.S. Bureau of Labor Statistics projects similarly robust need, estimating that the number of cybersecurity jobs will grow by 35% between 2021 and 2031. According to Cyberseek, of those 3.4 million professionals needed globally, about 770,000 opportunities are in the U.S. alone.

Cover Story

Beyond the Firewall

The recent spate of high-profile cyberattacks, many involving paid ransoms featuring six or seven zeroes, has brought an ongoing, and escalating, problem even more to the forefront. Businesses are being advised that the problem needs to be managed — before the worst happens. That means having a detailed plan involving many layers to keep things safe.

 

As he talks about cybersecurity, Charlie Christianson, owner of CMD Technology Group, equates that art and science (mostly science) to an onion.

By that, he means it has layers — many of them — with each one being important to the desired end in this matter: keeping one’s data, business, financial information, and perhaps life and livelihood safe.

“The goal isn’t to have one be-all, end-all product or solution that’s going to protect you — it’s a variety of things,” he explained. “It’s about trying to put as many layers between the threat on the outside and the asset, which is at the core.

“Most people understand the firewall discussion,” he went on. “But what they’re starting to understand is that it’s not just the stuff that protects you — it’s your staff, it’s your people, it’s the training, it’s the education, it’s the policies, and having all that in place.”

Christenson, like everyone else in this business, has been making this onion analogy — or whatever phraseology they use to get their points across — quite often these days. That’s because cybersecurity — mostly in the form of high-profile, as in very high-profile, attacks — has been in the news lately. Again. Or still, to be more accurate.

These attacks have come one after another: the Colonial Pipeline, the steamship service to the islands in Massachusetts, the meat company JBS, and many others.

Collectively, what these hacks have shown that businesses across all sectors are vulnerable, and this isn’t a problem for other people to worry about.

That has always been the case, said those we spoke with, but the recent spate of cyberattacks and the relentless coverage of them have served as a needed wakeup call for business owners of all sizes, most of which — the number varies depending on who you talk to, but it’s at least 50% — are simply not ready to handle or respond to the kind of attacks seen lately.

Charlie Christianson

Charlie Christianson likens cybersecurity to an onion; both have, or should have, many layers.

Which brings Christianson back to his onion, and Phil Bianco to diabetes, or type 2 diabetes, to be exact.

“It’s always easier to prevent diabetes than to treat it after the fact,” said Bianco, chief technical officer with Melillo Consulting, which has three offices in the Northeast, including one in Springfield. “It’s the same thing with security — it’s always easier to manage things prior to the incident and be prepared for that and act appropriately.”

Elaborating, he said there are many elements to the process of managing before something bad happens, everything from having your system assessed so that vulnerabilities can be identified to acting on the recommendations listed in that assessment; from training employees on how spot suspicious e-mails to knowing what to do and whom to call when your system is attacked.

And while Melillo and all other firms in this business sector will do remediation — coming in after the hack and putting things back as they were, to the extent possible — and “stop the bleeding,” as Bianco put it, businesses would find it much better, and cheaper, if they hired the same company to handle preparation and prevention and work to eliminate the cuts that cause the bleeding.

“The goal isn’t to have one be-all, end-all product or solution that’s going to protect you — it’s a variety of things. It’s about trying to put as many layers between the threat on the outside and the asset, which is at the core.”

The high-profile cyberattacks of the past few weeks are an indication of how widespread the problem is, but they are also misleading to some extent, said those we spoke with, because they have involved mostly larger businesses and entities with very deep pockets, as evidenced by the size of the ransoms they paid. The sobering reality is that small businesses are a more attractive target because they are likely to be less prepared for such an attack.

“Cyberattacks are really a numbers game, and small businesses are less likely to invest in the cybersecurity practices, so they’re seen as low-hanging fruit,” said Lauren Ostberg, an attorney with the Springfield-based firm Bulkley Richardson (and a member of BusinessWest’s 40 Under Forty class of 2021), who helped spearhead the launch of the firm’s cybersecurity practice.

Lauren Ostberg

Lauren Ostberg says small businesses, many without IT teams or sophisticated cybersecurity systems, are low-hanging fruit for hackers.

“And these attackers also sell each other pre-made malware, so less sophisticated attackers can just send out 100 different phishing e-mails, see what sticks, and then attack there,” she explained. “So nonprofits are at risk, small- to medium-sized businesses are at risk, and, in most cases, they don’t have the insurance to back them up to minimize that risk, and they don’t realize how vulnerable they are.”

Everyone should now understand just how vulnerable they are, said those we spoke with, adding quickly that some remain slow to take action and adjust to what is a troubling new world order. Those who don’t adjust do so at their peril, said these experts, adding that recent events show just how easy it is to be attacked, and how painful, costly, and time-consuming it is to repair the damage that’s been done.

 

What the Hack?

As they talked about those behind all the cyberattacks going on in the world right now, those we spoke with used a wide array of descriptive adjectives to let people know just whom they’re dealing with.

Words like sophisticated, diabolical, persistent, and relentless were used early and quite often, as was another that should get the hair up on every business owner: automated.

“It is only a matter of time before any organization falls victim to one of these attacks,” said Joel Mollison, president of Westfield-based Northeast IT, who said this inevitability shouldn’t prompt paralysis, but instead well-thought-out action to prevent (to the extent possible) such an attack, and then recover as quickly and painlessly as possible if an attack does occur.

“It’s always easier to prevent diabetes than to treat it after the fact. It’s the same thing with security — it’s always easier to manage things prior to the incident and be prepared for that and act appropriately.”

Mollison puts it in clear perspective, if anyone wasn’t already sure.

“Typically, we find that most organizations have basic security measures in place, but rarely understand their level of potential exposure or impact on operations during such an event,” he said. “The ability to recover from one of these events varies widely based on size of the organization, data volume, and locations of data and services. Even in the best-case scenarios, this process can take many days or weeks.

“Business operations are almost always crippled to a marginal capacity while systems are recovered,” he went on. “The financial impact, even without having to pay a ransom, is often devastating, and most cyber liability policies are underfunded, which compounds the problem. There are also compliance, reporting, and legal factors that are part of the recovery process that are often overlooked.”

Stan Bates, director of Business Development for Melillo, agreed. Relating some recent and current cases his firm is handling, he said they effectively communicate how widespread the problem is, what issues and problems are confronting business owners, the costs involved (and there are many of them), and the direction this matter is taking.

Joel Mollison

Given the sophistication and persistence of today’s cybercriminals, Joel Mollison says it’s only a matter of time before any organization falls victim to an attack.

One involves a large nonprofit in the healthcare sector, he said, adding that this client found out the hard way all that can be involved with returning things to the way they were before the attack.

“It got hit really hard, and they called us to help fix the situation,” Bates recalled. “They were hacked, they put their system down, they were out of e-mail, they were out of just about everything you can think of. The sad part was they weren’t prepared to know what to do, and to top it off, their insurance company forced them to use their security group, which had a limited knowledge of their network, and pay for those services, while also paying us to come in and help those guys understand what they had and fix it.

“They’re up and running,” he went on. “But it took about two weeks.”

Another case involves a small machine shop in the Hartford area, he said, adding that this small business has been informed that, if it wants to keep getting contracts from the federal government, it must meet a series of guidelines regarding cyberattacks and being fully prepared for them. “It’s going to run about $4,000 to $5,000 a month for us to monitor and secure his system and hit the score the federal government is telling him to hit.”

 

Something’s Phishy

These anecdotes are just some of many that help tell the story of how cybersecurity is becoming a huge issue for business owners and managers, one they can no longer ignore — not that they could really ignore it before.

Indeed, such sobering messages have been delivered with increasing frequency over the past several weeks as the high-profile attacks — and the ransom payments that include six and sometimes seven zeroes — come with increasing regularity. And they have certainly stimulated some interest within the business community, and also government offices and nonprofits, to be ready, or at least more ready.

“The conversations have changed. In the past, there were certain people you could talk to until you were blue in the face, and it was purely a dollars-and-cents discussion: ‘you want me to spend how much in a firewall, or this piece of software?’ Now, it’s ‘what can we do?’”

“The conversations have changed,” Christianson said. “In the past, there were certain people you could talk to until you were blue in the face, and it was purely a dollars-and-cents discussion: ‘you want me to spend how much in a firewall, or this piece of software?’ Now, it’s ‘what can we do?’”

Ostberg agreed. “People are taking the matter more seriously, and they’re taking me more seriously when I tell them they have to plan for cybersecurity incidents,” she said. “I’ve noticed an increase in concern, especially about ransomware, which can really cripple a business.

“The Massachusetts regulations and the advice I give my clients provide a lot of good ideas about ways to prevent or mitigate some of the risk that would be caused by some of the hacks we’re seeing,” she went on. “And it’s focused on building layers of prevention.”

At or near the top of any list of prevention measures is training, specifically involving the detection of phishing e-mails, which comprise the entry point for most of the hacks that occur today, according to those we spoke with.

Melillo Consulting

Members of the team at Melillo Consulting, from left, Phil Bianco, Doug Morrison, and Stan Bates.

As they talked about these e-mails, they summoned some of those same adjectives as they tried to convey just how sophisticated they have become.

“The phishing is getting more elaborate, and the social engineering that goes behind it is far more advanced than what we’ve seen in the past,” said Doug Morrison, practice director for the Development Operations team at Melillo. “It used to be that the e-mails were intentionally easy to sleuth out, because that way they could weed out the people they didn’t want; they wanted the people who were easily fooled to click on the link. But now, it’s getting very elaborate and very difficult to tell real e-mails from the fake e-mails.”

With this level of sophistication, Bianco said, it really is only a matter of time before someone makes a mistake and opens the door for a cyberattacker. But training and knowing to be on alert and skeptical of everything remotely suspicious are still critical to help minimize such incidents.

“Know who you’re doing business with,” he said. “Trust an e-mail if it’s someone you’ve done business with in the past. And if it isn’t someone you’ve done business with in the past, be skeptical of that; if you’re in question, send it over to your IT team, and let them take a look at it. If they see a bad e-mail, they can tell you immediately, ‘hey, we’ve seen this before, this is not something you should work with — please delete this or quarantine this,’ or, if they haven’t seen it, they can send it on to an anti-spam or anti-virus protection service that they’ve engaged with, and that individual or group can look at it across multiple things that they’ve seen.”

In dealing with suspicious e-mails, Bates cited his own firm as an example of the kind of rigorous training that can and should go on.

“We do quarterly training — each employee has to take a test and pass it,” he explained. “It’s terribly difficult, but it instills in your mind some of the things that are going on out there. Just the other day, we got hit, but everyone in the organization was smart enough, because of their training, to delete before they opened.”

 

Backup Plan

Because of the seeming inevitability that these sophisticated phishing attacks will succeed, businesses of all sizes need to have all the other layers of that onion to fully protect themselves from attacks — the training and the policies, in addition to the hardware and software.

“You have to have all the other layers in place because you simply cannot rely on humans not to click on e-mails at the pace that they’re required to do,” said Morrison, noting, as others did, that subsequent layers include a firewall, backing up all information, and encryption of information.

As noted, there are layers to backing up information, said the experts we spoke with, noting that the best solution is to isolate the backups as much as possible from the main network.

“Most companies do back up, but these malwares that do ransomware are pretty sophisticated,” Bianco explained. “The average time that that individual has compromised your network is typically a month or more. And in that month or more, they can go through and encrypt your backups as well as your production-installed system, your code bases, and things like that.

“Know who you’re doing business with. Trust an e-mail if it’s someone you’ve done business with in the past. And if it isn’t someone you’ve done business with in the past, be skeptical of that.”

“And they have a pretty sophisticated map of what your environment looks like, so we’ve been working with customers to do what’s called air-gabbing backups,” he went on. “Once that infrastructure is backed up, it’s completely separated from your network, so it can’t be encrypted.”

Christianson agreed, and noted that such independent, often off-site backup systems need to not only be in place, but be monitored as well.

“We’ve all heard the stories … people think they’re backing up for a long period of time, only to find out that, when they need it, the backups are not working,” he said. “That’s why people are starting to realize that it’s really important to have these systems monitored in some fashion, and that there are multiple layers.”

As for whether to pay that ransom … most consultants, and lawyers like Ostberg, certainly recommend against that practice, although that hasn’t stopped many of those who have been attacked from paying out millions in Bitcoin.

“One of the things that’s just awful is seeing people pay the ransom,” Christianson said, “because that’s not the answer. You’re just encouraging them to come back — and they will come back, not to mention the fact that they give you the key and you get your data, but you have no idea what they dropped in there and left for a back door.

“Honestly, in some cases, the only way to know is to reformat it, reinstall it all, scan the heck out of the data, and bring it back from the ground up,” he went on. “Or, manage a good disaster-recovery backup plan.”

Which brings him all the way back to that onion he referenced at the top. It should have many, many layers, he said, with more added as they become available and necessary, because what worked and what was enough a few years ago probably isn’t enough now, and certainly won’t be enough a few years and maybe even a few months from now.

That’s how quickly and profoundly the scene is changing when it comes to cybersecurity and protecting a business, nonprofit, school system, government agency, or household from those who would do it harm.

Managing the problem is all-important, said those who spoke with, but what’s most important is managing it before the worst happens — because doing so can often prevent the worst from happening.

 

George O’Brien can be reached at [email protected]

buy ivermectin for humans buy ivermectin online