Showing posts with label Ransomware. Show all posts

Tuesday, 15 June 2021

Ransomware Prioritize Prevention Then Pursue Prosecution – Part 1


Noted Internet Security Expert, B. Franklin
Interesting Fact: 
Colonial Pipeline Earlier Management Ignored His Advice

Alex Younger, former head of the Secret Intelligence Service, penned an opinion piece in Saturday’s FT, “Ransomware attacks have to be stopped — here’s how.”

Some 898 words long. Lots of good advice and interesting points.

However, he had but these 37 words (4%) on what I consider to be one of the key steps to resolving the problem:

It follows that governments can and should do more but not to the point of absolving individuals and firms of their own responsibilities. A surprisingly large amount of this is about getting the cyber security basics right.

The last sentence “names the issue exactly”.

I think this is the major problem.

By way of analogy, let’s assume a town where no one locks their doors, where people leave valuables in plain sight, and where it’s common to leave the keys to one’s Maybach in the ignition, and the car in the driveway.

Now we could crack down on those who buy stolen goods, even those in other cities.

We could station a policeman by each house to keep guard.

Or, we could get as many citizens as possible to lock their doors and secure their property.

What this latter step hopefully would do is lessen the opportunity for crime.

And the amount of crime that takes place.

It also lessens the number of vulnerable targets that one has to guard.

If we can take the above steps, then resources can be more focused.

Also, and perhaps more importantly, with national security issues one would, I hope, prefer to prevent an attack over a successful response to the attack.

Is this the case with ransomware? That doors are unlocked, valuables unsecured?

First, some macro examples from an earlier post.

Two quotes from the FT. Italics mine.

  1. Just a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, were properly braced for an attack, estimated Matias Katz, chief executive of the cyber security group Byos.

  2. The oil and gas sector has been criticised for lax cyber security regulation.

The above points are estimates not facts.

But it should be not only an “overdue wake up call” but also a “sobering fact” even if these are overestimates by a factor of two.

The companies making these estimates are companies selling security products and so may have a profit dog in the fight.

So let’s turn to recent comments by the US Secretary of Energy. She is reported to have said that “hackers” could shut down the US energy grid.

Second, some individual examples.

Colonial Pipeline was penetrated through a VPN which was “not intended to be used” but not turned off. That system had single factor authentication.

In February 2020, CISA (Cybersecurity and Infrastructure Security Agency) published an alert on a ransomware attack on an unnamed US pipeline.

That alert mentions some of the same security failures as with Colonial Pipeline.

Lessons learned?

Wake-up calls unanswered?

Sobering facts insufficiently “sobering” to overcome the state of intoxication?

As well, you will note that many of the other failures mentioned in that alert are “basic cybersecurity”. The PC equivalent of locking doors, securing valuables, etc.

You will see this pattern of “rookie” mistakes in many of their alerts.

Another study that ranks cybersecurity by country seems to confirm the above.

The US ranks 46th out of 75 countries.

Some caveats:

  1. This isn’t an apples to apples comparison. Rather it is an overall ranking across a broad gauge of metrics not just for ransomware. It includes attack attempts, infection rates on personal devices, etc.

  2. But despite that drawback it does highlight the Willie Sutton Principle: one would expect the USA to be of more interest to hackers than many of the other countries on the list. And so more targeted. And so more in need of defense.

In Part 2, we’ll look at some other issues, not all of which relate directly to Mr. Younger's opinion piece.


Wednesday, 9 June 2021

The “Big Boys” Market – Ransomware Insurance


The Underwriter's New Suit

In the 3 June FT, Ian Smith had an article, “Cyber Premiums Jump in Face of Acute Threats.”

Two quotes from the article and my reactions.

Surge in attacks prompts vigilant insurers to question clients closely about culture, attitude to security and training.

And 

Nor are insurers simply jacking up prices. They are also becoming more vigilant about controls at the companies to which they sell cover.

A big “shout out” for the use of “vigilant”.

The clear implication is that many, perhaps most, have been asleep at the switch.

If you’ve been following my “Big Boy” series of posts, you know I like to puncture the unwarranted myth of the imaginary “sophisticated” investor.

In that vein let’s reflect on Ian’s article using my own personal experience.

When I went to take out an insurance policy on Chez Arqala, my insurance company asked a raft of questions.

  • About smoke detectors, their locations, and presence of fire extinguishers and other such equipment.

  • I was also asked if we have a home security system, whether in addition to intrusion detection it also had a fire detection capability. Was it set to ring up the authorities? Who were the providers of the home security system?

  • Did it have a back-up battery in case of power disruption?

  • How far were we from the nearest fire station?

  • Whether we stored any flammable or dangerous materials in the house.

  • Other than the little people who live with Madame Arqala and me, we were clean on that score.

No questions about culture, though. 

I guess he could tell just by looking at me. Or perhaps at Madame Arqala.

The decision to “write” the policy and the premium depended on our answers to those questions as well as our post code.

It boggles the mind that insurance companies writing cover for multiples of the amount provided on our house wouldn’t be asking similar questions for cyber cover.

And come to think of it, quite a lot more.

Apparently, they were not doing this.

Now to be fair, the general “take” on insurance underwriting standards is that only life insurance consistently makes a profit.

With other “lines” irrational exuberance and shoddy standards lead to highly cyclical swings in profits.

So much for the “big boys” of insurance. 

At least they are not an outlier among the "big boys".


Sunday, 6 June 2021

Taking Responsibility A Key Step to Minimizing Ransomware Successes

If You Don't Answer Your Phone, 
Calls are not "Overdue", They're Ignored

Saturday's FT "Big Read", "The cyber threat to America's beef", discussed expert reaction to the ransomware attack on JBS.

I'm going to use quotes from that article to outline two acceptances of responsibility that are necessary, but not necessarily sufficient, to fix the problem.

Step 1: Corporate acceptance of responsibility (a) for its past failures and (b) to fix the problem.

The first quote.

Beyond the political posturing, analysts and cyber security experts say companies, government and other entities must treat the hack as an overdue wake-up call to not only develop adequate defences but also to develop a unified approach to dealing with the soaring number of attacks.

Sorry, this is neither “overdue” nor a “wake up call”.

Let’s call it precisely what it is.

It is a failure to heed numerous warnings given over more than several years.

Until corporate managements admit that fact and take responsibility to act responsibly, there will be no solution to the problem.

The CISA (Cybersecurity and Infrastructure Security Agency) was founded in November 2018 (roughly three years ago). They published an alert on a ransomware attack on a pipeline in February 2020 (let’s call that one year ago).

The National Protection and Programs Directorate (NPPD) was set up under the DHS’s umbrella in 2008 with the mission of protecting the USA’s critical physical and cyber infrastructure. (That would be thirteen years ago).

If you look at the CISA website here, you will find a list of resources, including alerts, tips, training and webinars.

Notice that the first “alert” dates from 2009. (That would be twelve years ago).

And then there is the FBI’s IC3 unit, which has antecedents back to 2000 and has issued warnings on ransomware for many years. Here’s one example from 2019.

Or maybe this memo from the DOJ in 2015.

Overdue?

The only thing “overdue” is the response to the warnings.

CISA also offers a free checkup service (no “death panels” as far as I know) for governmental entities and private companies that operate critical infrastructure:

  1. Weekly vulnerability penetration scans

  2. Web application scanning

  3. Phishing campaign assessment

  4. Remote penetration testing

It would be interesting to know how many private sector firms operating critical infrastructure have availed themselves of this service. And if not, why not?

Beyond efforts by the USG to ring the tocsin of alarm, the media has reported on the risks of hacking and ransomware for some time.

NYT Feb 2020, NYT 2017.

Or Fox News 2018 (Port of San Diego) and Fox News 2018 (City of Atlanta incident; note this was described as a wake-up call).

I’m not a computer or cyber security expert, but even I knew of the risks to national security from hacking before SolarWinds and JBS. Or from reliance on foreign manufactured components in computers, telecommunication systems, etc.

That’s not to brag; any moderately sentient person who reads the news should be able to figure this out, even one like me who focuses primarily on matters financial.

Captains of industry might well be expected to have even greater sources of information as well as staff who might fill in any gaps in their attention spans.

Additionally there are the firms who make a living in this field who have weighed in on the risks. Here’s a link to one. They mention the first ransomware attack as taking place in 1989. (That would be thirty-two years ago).

Another quote from the FT article.

The alleged perpetrators of the JBS attack have long been known to cyber security experts. Since February alone, the Russia-linked REvil group has been connected to almost 100 targeted ransomware attacks, according to cyber security specialists ZeroFOX.

Step 2: Government acceptance of responsibility to impose rigorous standards on entities critical to national security and enforce penalties on them for failure.

The second quote.

"Once again the notion that ransomware is a national security threat is ringing true. We need a fundamentally different approach to security,” says Sanjay Aurora, Asia-Pacific managing director for UK AI company Darktrace.

Indeed a new approach is needed.

That fundamentally different approach to security would involve abandoning naive beliefs about market efficiency. The market hasn’t solved this problem and isn’t going to.

The simple reason?

Corporations don’t want to spend the money directly or indirectly (the time).

Governments need to impose comprehensive and rigorous security requirements with substantial monetary penalties for failures to implement them.

Legislation that was passed and regulations issued regarding Business Continuity or Disaster Plans can provide a precedent.

The cybersecurity laws should allow in extremis the replacement of management and the cancellation of licenses/permits to conduct critical infrastructure business.

Note the dual approach to achieve the goal by threatening the single most important priority of each of the two key parties:

  • management’s retention of its sinecures and

  • the value of shareholders’ investments.

That doesn’t mean if a company critical to national security were successfully hacked that it would necessarily be fined, its management removed, or the business turned over to another party.

What it should mean is that if a company hadn’t taken reasonable precautions, say to protect the operating system of its pipeline, then the hammer would come down in line with the severity of its failures.