Repelling A Ransomware Attack: Alexis Reardon Of Veza On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

Published in Authority Magazine
11 min read · Jul 25, 2022

Educate your end users on the prevalence and impact of ransomware! Provide guidance on common phishing techniques and other forms of social engineering that may lead to credential compromise, and ultimately a ransomware attack.

Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?

In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Alexis Reardon.

Alexis Reardon has been selling cybersecurity solutions for over a decade with Oracle, Okta and now Veza working with CISOs and CIOs of Fortune 500 Companies. Throughout her career, she has been focused on data, data solutions, securing data, data integration and replication, Identity & Access Management, and Identity Governance. She volunteers within her local LA Community with the ISC2 Chapter and is a member of Dreamers and Doers. She resides in Southern California with her husband and two young daughters.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Southern California. My parents always encouraged me to explore my interests, to be a life-long learner, and try new things outside of my comfort zone. I pursued some less traditional activities like springboard diving in high school and developed a lifelong love of skiing. My dad jokes that I was a strange child: my career ideas ranged from wanting to be a Vegas Card Dealer to Captaining a boat.

My mom and I took a trip to San Francisco for a school visit and I loved the excitement of being in a big city. I decided to go to San Francisco State University and majored in Communications. It proved to be a great decision. I got an internship at a startup during my senior year downtown giving me my first real job after graduating. I loved the city so much that I stayed for 13 years. Given that most of the things I enjoy doing are risky, I find it interesting that I ended up in the field of security.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I was living in San Francisco surrounded by the primary industries of tech, finance and wine. I began my career with a tech startup right out of college, pivoted to sell wine to restaurants in the city for a little bit, and returned to technology at Oracle selling their core technology stack. At that time, core data technology was the bread and butter of the company. Notably, Oracle was founded on the relational database and was purpose built for the CIA. I was fortunate to work with amazing subject matter experts in cybersecurity. This was far more interesting than examining the speeds and feeds of a database with my clients. I enjoyed the conversations around what could happen if one’s data was compromised. I enjoyed conversations regarding potential risks if one’s data was compromised.

Interestingly enough, I actually witnessed a live hack by Kevin Mitnick, the convicted and once imprisoned hacker who now consults and educates in this field. A few years ago, I also had the pleasure of hearing Frank Abagnale share his story firsthand about how he was able to get away with fraudulent checks and false identities. Leonardo DiCaprio played Frank Abagnale in the movie Catch Me If You Can directed by Steven Spielberg. I guess I enjoy the crime fighting aspect of cybersecurity. This topic just never gets old. This is the fastest growing and highly innovating segment of the tech industry, which affords interesting conversation and debate.

Can you share the most interesting story that happened to you since you began this fascinating career?

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

  1. Curiosity and desire to learn- things evolve in technology so quickly and especially at a fast-paced, agile company like Veza, so understanding where we are and how far we’ve come changes by the month.
  2. Genuine relationships with my customers and ensuring that their success is my success- if my customers are not successful or as successful as they want to be, I fail and our business fails. Having a good relationship with the client is the foundation of our communication and communicating expectations and desired outcomes clearly can make or break a successful rollout.
  3. Collaborating with Subject Matter Experts to help solve individual customer challenges- I can’t solve everything myself, and cybersecurity is very much a team effort. I am surrounded by people with expertise that I don’t have so knowing who to pull into a conversation can completely change the dynamic of how an organization plans to utilize a strategy or solution.

Are you working on any exciting new projects now? How do you think that will help people?

I’m honored to be working for a Series C Data Security Company called Veza. This group is comprised of highly respected experts, that is, the Founders, Engineers, Marketing and Sales to our Investors plus our valued Customers. We are helping our customers protect the “Crown Jewels” of the company, which includes customer data. When prospects purchase Veza, they are making a conscious decision to understand the implications of what can happen to their data and intellectual property if it were to be compromised by internal or external threats and putting guardrails in place to ensure they limit their exposure as much as possible. By providing a platform that addresses use cases across privileged access to data, data access control, and cloud entitlements, Veza helps companies greatly reduce their risk of ransomware and other forms of data breach by limiting the attack surface from a threat actor, but more importantly protect the trust their customers place in their hands. Customers need to share some amount of personal data with any company they do business with and often need to blindly trust that organizations are doing everything they can to protect what a consumer shares; organizations need to continue to investigate ways to protect their data with the same intensity threat actors press on to break in.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

For more than a decade, I’ve been selling Cybersecurity solutions for a few major Silicon Valley based companies. As part of my profession, I regularly interface with CISOs and CIOs of Fortune 500 Companies, gaining firsthand knowledge from experts across industries with access to some of the best subject matter experts within this competitive space. Additionally, I continue to educate myself through listening to other thought leaders and outlets like the (ISC)² Chapter that I volunteer with.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

To oversimplify, Ransomware can infiltrate an organization or an individual’s accounts through phishing emails (clicking on a link from an unknown sender impersonating), email attachments (opening an email attachment that is actually a form of malware or contains a malicious script), infected programs (plugging in a USB from an untrusted source which infects a PC with malicious code), navigating to spoofed websites (sites that are designed purposefully to look like legitimate websites with the intent of collecting passwords and personal information) with the sole purpose of locking one out to hold something of value for a demand of payment.

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

Everyone should be concerned about a Ransomware attack!

Large businesses employ teams of hundreds, possibly thousands of cybersecurity experts to focus on risks and threats. For added protection, they still carry a cyber insurance policy to protect their business. The cost of a breach can go much farther than the Ransom fee: leaked data, lost business, brand reputation, business downtime, Cybersecurity remediation costs and so on. Because of the massive amount of harm an attack can cause to a larger organization, attackers are getting into networks and moving laterally for weeks or months to find as much data as possible, building up the ransom demand value.

For an individual or a small business, a ransomware attack can be much more crippling, putting a small business completely out of business or an individual into financial hardship; therefore, an individual should still be concerned.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

In my opinion, a cyber security expert is the first responder to the threat at hand. Continued extortion could occur, therefore, they need to focus on any continued vulnerabilities. Historically, cyber attackers are more elusive and difficult to track; therefore, local authorities/FBI will be working on this for a long period of time. The FBI can only charge someone with a crime once it’s proven.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

  1. Educate your end users on the prevalence and impact of ransomware! Provide guidance on common phishing techniques and other forms of social engineering that may lead to credential compromise, and ultimately a ransomware attack.
  2. Implement the Principle of Least Privilege anywhere data of any level of value resides starting with the most sensitive data. Example: Customer tables that include Personally Identifiable Information (name, phone, email, SSN, address, bank info, etc)- ensure that only a few members who absolutely need to access that data have access and then ask yourself if they need to create, read, update or delete privileges on that data. You will likely find that individuals are over permissioned and reducing their access drastically reduces your attack surface. Hackers are getting into personal and business accounts through compromised credentials and are specifically attacking individuals who they suspect will have access to raw data or apps where this info is held.
  3. Ensure MFA is enforced everywhere and consider killing passwords completely and using high assurance factor types like biometrics (fingerprint or facial recognition).
  4. Backups — Carefully plan, implement, and test data backup and restoration strategies — be sure to secure and isolate backups of important data.
  5. If a ransomware attack does happen, utilize their incident response team or a cybersecurity firm to help them understand how the threat actor got access to the compromised system/apps/data, etc — i.e., “root cause analysis”.

Should a victim pay the ransom? Please explain what you mean with an example or story.

A majority of companies actually pay the ransom. “The State of Cyber Resilience Report” by Marsh and Microsoft estimates 72% of companies pay the ransom and over 75% of organizations have experienced a cyber attack.

This is a tough question to answer without understanding the full context of what was compromised: how sensitive the data is, if the backups are kept up in close to real-time, and is the business in an operable state, amount of data loss and overall just how resilient is your organization. Is there a business continuity plan in place? Has it been tested? Are you updating it regularly to respond to new threats and changes within your enterprise architecture?

For an individual, notifying the organization where the compromise happened to help get an understanding of what was truly done before considering payment is important. I have heard many stories of individuals believing that the IRS was after them or they needed to pay a large amount of money to get their identity back, which was all a scam in itself. Individuals should be very wary of anyone calling asking for money. Interestingly enough, I know an elderly person who was conned into sending $250k in cash in a duffle bag to a locker in Florida because he was led to believe his identity was stolen. Elderly individuals are the biggest target of these scams.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

Simply believing that they are secure. Cybersecurity realists all understand that it’s not a matter of if you will be breached, but when. It’s a ceaseless game of chess between hackers and cybersecurity strategists with new surfaces and dimensions of the game evolving. No single thing will make an organization secure, but the most common way an attacker penetrates an organization is through compromised credentials — especially the compromised credentials of a user with escalated permissions (i.e., privilege abuse). Most CISOs have come to realize that Identity and Access Management is a strategic initiative to really understand what individuals should have access to, but access is just the front door. Once a user is past the front door, what is a user authorized to do? This is a very difficult question to answer because this information lives in each application, data system, and in native IAM permissions, so I recommend that cybersecurity experts focus on the authorization layer as a risk mitigation strategy.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

CISOs need to be represented on the Board of Directors so that risks can be addressed as they evolve and increased awareness amongst other board members exists. Provide security awareness tools such as training and simulated phishing attacks to keep your users alert. The most successful companies have people throughout the organization who care about security and see it as everyone’s responsibility to develop an eye for potential risks and threats. Don’t consider ransomware (or really any form of data breach/leaks) as just an “IT” problem — these are ultimately business problems that impact brand reputation and customer trust, and therefore are business problems. Once brand reputation takes a hit or customer trust is lost — your bottom line revenue will be impacted.

Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)

For Individuals:

  1. Don’t share passwords
  2. Use Multifactor Authentication anywhere it’s available- especially banking logins, and your email and use a stronger factor type like your fingerprint or facial recognition if it’s an option
  3. Be wary of public Wi-Fi — don’t log into websites like your personal banking from an unlocked Wi-Fi at a coffee shop/airport/hotel
  4. Watch out for social engineering- if you are answering game-style questions about the street you grew up on or the name of your dog- an unknown entity is collecting personal information about you
  5. Watch for fake websites- they may be off by a single letter in the URL and look extremely similar to the real thing to attempt to deceive you

For Businesses:

  1. Gain Visibility: You can’t fix what you can’t see
  2. Identify cloud IAM and data store misconfigurations that expose sensitive data.
  3. Implement continuous compliance through automating the assignment and removal of cloud entitlements, especially for sensitive resources
  4. Enable least privilege access to data

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Education on cyber threats is essential. It’s like planning for an earthquake, the more we know, the better prepared we will be when there is an attack.

How can our readers further follow your work online?

www.veza.com

LinkedIn is a great place for this!

https://www.linkedin.com/company/veza/mycompany/

https://www.linkedin.com/in/alexis-violon-reardon-7a95263/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
