Repelling A Ransomware Attack: Author Greg Scott On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack
Use good password/passphrase management practices. Conventional wisdom says, use complex passwords with random characters, and store passwords in an online password manager. I disagree with conventional wisdom on passwords. Strong passwords with random characters are hard to guess — that’s good — but they’re also hard to remember, and that’s bad. Instead of passwords, use passphrases. Passphrases are harder to guess than passwords because they’re longer, and they’re easy to remember.
Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Greg Scott.
Greg Scott is a long-time technology and cybersecurity professional and published author. He spends his daytime hours helping the world’s largest open-source software company support the world’s largest telecom companies. Nights and weekends, he studies how attackers use the internet to plunder people in their homes and businesses. He lives in Minnesota with his wife, daughter, two grandsons, one dog, three cats, and other animals his daughter and grandsons occasionally bring home. Find more about Greg at his website at https://www.dgregscott.com.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Dysfunctional might be the best summary of my childhood backstory.
My mom married Joe Gent on Friday, June 13, 1969 at the Camelback Inn in Phoenix, Arizona. He was her fourth husband. I was two months away from my twelfth birthday.
Joe said he had been sober for three years. He gave me a copy of the AA book. I read it cover to cover. It said alcohol is poison to alcoholics, because one drink leads to the next, and the next after that, and before long, it’s right back in the gutter. But on their wedding night, Mom and Joe drank happy toasts and promised everything would be okay. Joe wasn’t really an alcoholic, he just liked to drink. I had a bad feeling that night because the AA book called that a rationalization.
We moved to Minnesota shortly after the wedding, and over the next several years, life at home descended into a private hell as alcohol addiction claimed my family. Drunken drama became part of day-to-day life and I needed a way to cope with the insanity around me.
A Twin Cities computer timesharing firm processed grades for local school districts and offered capacity on their systems for students interested in computers. I took full advantage. I spent hours every day holed up in a little room at school with an ASR33 Teletype, an acoustic coupler, and a phone, exploring everything this computer system had to offer.
One time, I found a golf simulation program and it piqued my curiosity. Computers in 1971 were the size of refrigerators and terminals were not portable, but I wanted to play computer golf at home. And so, I printed a copy of the program, brought the listing home, and followed the program instructions by hand. I used a paper notebook and pencil to track all the variables.
It took a whole weekend to play two holes of computer golf, but I got to know that program intimately, and that helped me learn how to write my own programs. In ninth grade, I wrote a program to help conjugate Spanish verbs. I wrote another program to give odds on upcoming football games and fine-tuned it in high school. I could have started my own gambling operation.
A professor from the University of Wisconsin at River Falls visited our Minnesota high school, and he dialed into his system to show us something. I watched him dial the phone and looked over his shoulder as he typed his login credentials, and shortly after he left, we dialed into his system and impersonated him. We found a chat room with a thriving underground market for login credentials for systems all over the upper Midwest, and we leveraged that professor’s credentials to gain credentials for lots of other systems. We explored everything we could find. Today, we would have gotten in big trouble for what we did, but in 1974, we were pioneers.
One day, I’ll write a memoir with lessons about overcoming my family circumstances. But for now, here is more about my mom. And here is more about my biological dad, Doug Bean. I reconnected with him when I was a young adult. I’m glad I did.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Back in 1999, internet domain registrars charged a monthly fee to host DNS services. DNS — Domain Name System — translates names to IP Addresses. We use DNS every day to access Amazon, Google, Facebook, and any number of other internet locations.
Since I was already 20 years into a technology career, I wanted to operate my own DNS server and take the next learning step. But mostly, I didn’t want to pay internet domain name registrars a monthly fee for something I figured I could do myself. Registrars no longer charge a monthly fee for DNS, but back in 1999, it was $5 per month per domain name. And I had at least five domain names. And so I did my homework and built public-facing DNS servers in my basement so the world could find me.
All went well until one day in late 2000 when I tried to access my email and the response time was unbearably slow. About that time, my wife complained she couldn’t get to her Martha Stewart Web site, or anywhere else on the Internet, and what did I do to the computers this time?
I investigated and found my home network blasting a firehose of 65,000 byte ICMP packets somewhere. I had also had trouble logging into my DNS servers recently. I traced the problem to those servers.
My stomach knotted as I realized I was an attack victim. I felt violated, angry, and afraid all at the same time, especially when I thought about all the data I had squirreled away in various directories on computers all over my home network. Because if somebody was inside my DNS servers, what else were they inside? I wanted to strangle my attacker, but I had no tools or knowledge to figure out who to strangle.
I called some industry friends for help. I explained the situation and they laughed and told me that somebody had probably replaced the real login program on my DNS servers with a fake version designed to steal passwords for later transmission to the attackers. I had fallen for the oldest trick in the book.
The cure — wipe the hard drive and rebuild my DNS servers from scratch. And this time, keep them patched. The next recommendation: Call the FBI immediately because the IP address my system attacked belonged to the Brazilian National Government, and I could face legal trouble if I didn’t report it.
I called the Minneapolis FBI office and asked for somebody who deals with computer crime. The conversation sounded like a recording from a bad 70s hacker movie.
Greg: “Hi — I need to report a computer crime. Somebody broke into my DNS server and launched a denial of service attack against the government of Brazil.”
FBI Lady: “Wait a minute. Did you say D-E-S server?”
Greg: “No, a DNS server.”
FBI Lady: “Oh — D — N — S, OK. What did they do to your computer?”
Greg: “Somebody tried to use my computer to attack a computer that evidently belongs to the Brazilian Government.”
FBI Lady: “Okay, . . ., who did it? Do you have their address?”
Greg: “No. See, a DNS server translates names to addresses on the Internet. One of my computers is a DNS server and somebody out there on the Internet tried to use my computer to attack this other computer in Brazil.”
FBI Lady: “Okay, but we need to know who did it. We need a name or address or some way to find this person.”
Greg: “Well, I was kind of hoping you guys could help me figure that out.”
FBI Lady: “There’s not much we can do if we don’t know who broke into your computer. Don’t you have any idea how to find this person?”
Greg: “I wish. See, the Internet is a whole bunch of computers all around the world and they’re all connected to each other. Somebody on one of those computers found my computer and made it do this attack. Since all these computers are connected to the Internet, we don’t know if the attacker is next door or across the world someplace. But maybe they left some clues inside my computer to help track them down.”
FBI Lady: “Okay, let me get your phone number and somebody will call you back.”
Greg: (after giving my phone number) “Any idea when I’ll hear from somebody?”
FBI Lady: “No. They’re all pretty busy, ya know.”
I made that call at roughly 1 PM central time. I called again at 4:30 PM the same day. Nobody had any record or memory of my earlier call. Nobody would even take a report.
I wrote a regular magazine column in those days about a bald guy from Minnesota learning Linux, and I told the story in one column. It went live three months later, in February, 2001.
My phone rang a few days after the article ran. It was a manager in the Minneapolis FBI office and he wanted to troubleshoot. I thanked him for the call, but said I could not afford to shut down my life and wait three months for a callback from law enforcement. I had long ago wiped and rebuilt that system.
He went into CYA mode. He said that since I called on a Saturday (I really called on a Tuesday) I must have connected to a weekend operator. That was why they had no record that I had ever called.
Yeah. Uh-huh. My tax dollars at work.
I learned that, no matter what the PR websites say, law enforcement offers little value in cyberattack scenarios. Over the next several years, I would learn that lesson many more times.
The person most responsible for protecting my systems stared back at me in the mirror every morning when I brushed my teeth, and it occurred to me that other businesses probably faced similar threats. I could help. And that was when I decided to get serious about security.
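The trick described in the story above, a trojaned login program swapped in for the real one, is caught by comparing the live binaries against a baseline taken on a freshly built host. The following is an added example, not code from the interview: it records a SHA-256 hash plus mode and size for a list of files, then reports anything modified or missing. The file names, the fake "ELF" contents, and the temporary directory are constructed for the demo; on a real host you would list /bin/login, sshd and the like, and keep the manifest and the checker on media the host cannot write.

```python
"""Baseline-and-verify check for replaced system binaries (added example)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Hash the contents and record mode and size; a new setuid bit matters too."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_manifest(root: Path, names) -> dict:
    """Snapshot every listed file under root. Run this on a trusted, freshly built host."""
    return {name: file_fingerprint(root / name) for name in names}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare live files against the stored manifest.

    Returns {"modified": [...], "missing": [...], "ok": [...]}.
    """
    report = {"modified": [], "missing": [], "ok": []}
    for name, expected in manifest.items():
        path = root / name
        if not path.exists():
            report["missing"].append(name)
        elif file_fingerprint(path) != expected:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: baseline two stand-in binaries, then trojan one of them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "login").write_bytes(b"\x7fELF real login program")
        (root / "sshd").write_bytes(b"\x7fELF real sshd")
        os.chmod(root / "login", 0o755)
        os.chmod(root / "sshd", 0o755)

        manifest = build_manifest(root, ["login", "sshd"])
        # The manifest must live somewhere the host cannot rewrite (offline media or
        # another machine); here it is only round-tripped through JSON to show it serialises.
        manifest = json.loads(json.dumps(manifest))

        # Attacker swaps the login binary for a password-logging copy with the same mode.
        (root / "login").write_bytes(b"\x7fELF fake login that logs passwords")
        os.chmod(root / "login", 0o755)

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner will want: a rootkit that has the kernel or the hashing library can lie to this checker, which is why the checker and its manifest belong on read-only or off-host media and why the interview's remedy, wipe and rebuild, is still the only trustworthy recovery once a host is known compromised.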
Can you share the most interesting story that happened to you since you began this fascinating career?
Post 9/11 Shock and Awe
I listened to the United States invade Iraq on the radio in my car, driving to a potential charter school customer in rural northern Minnesota in March, 2003. I had met with the school director and staff earlier and they told me their biggest problem was finding qualified teachers. And so I cooked up an idea to do video learning. Contract with teachers in the Twin Cities for subject matter expertise, connect the teacher to the class over an internet video system, and use a staff member physically in the classroom to keep order.
COVID introduced video classrooms to the public in 2020. I dreamed up the idea in 2003, and drove ninety miles to pitch it to this charter school director. He didn’t show up for the meeting. His assistant said he left before our scheduled meeting because he didn’t like confrontation. My own private version of shock and awe.
But video over the internet opened too many possibilities for one mentally challenged charter school director to squash. Especially when so-called experts told me it was impossible. “It’s UDP. You can’t send UDP over the internet! It will never work!”
I made it my mission to prove the naysayers wrong. But first, I needed a video device I could afford. I found one at a St. Paul Chamber of Commerce meeting when a member company delivered a presentation about a communication relay service it offered for deaf people.
I visited that company and learned everything I could find out about the video device they used. Its price made it a thing of beauty, and so I ordered a pair from Fry’s Electronics Superstore over the internet. I checked my email at midnight a few days later and UPS said my package was in my local UPS facility, scheduled for delivery the next day.
UPS at Midnight
Eagan, Minnesota UPS office from Google Maps Streetview
Why wait? My local UPS facility is five minutes away by car and UPS loads trucks in the middle of the night. Maybe I could find somebody to locate my package. And so I drove over there. After midnight. And found an unlocked door.
I stepped inside and shouted hello. No answer. But an office light was on. Somebody tapped on a keyboard. I took a few more steps. “Hello. Hello?”
A voice behind me screamed. I jumped and yelled. And then she yelled. And I yelled again. Somewhere in all this, I turned to face her.
“How did you get in here?” She had fear and fire in her eyes.
“The door was unlocked.” Maybe this wasn’t such a good idea.
“What do you want?”
“Well, I was looking for a package.”
“You drove over here at midnight looking for a package? That’s what you want?”
“Yeah. I was hoping I could find it and bring it home tonight. I didn’t want to wait.”
Her eyes said relief. She didn’t have to spray me with chemicals.
She worked for the HR department and happened to be working late that night. And she had forgotten to lock the door.
We walked all over the UPS campus that night. The place looked like a Willy-Wonka chocolate factory, with conveyor belts everywhere. We didn’t find my package, but we tried hard. I thanked her and left. By now, it was so late it was early the next morning. UPS delivered it later that day. I wrote the nicest email I knew how to compose to her manager.
I demonstrated these a few times. Reactions were mixed. I learned that schools do not like pushing technology boundaries.
And then in early 2004, the US Marines sent my buddy, Mike, to Fallujah. Like me, Mike was an IT guy, and we committed to find a way to connect face to face over video while he was away. This was good for Mike because he could stay in touch with his family. And it was good for me because I finally found somebody who wanted it and I could prove the naysayers wrong.
Mike and I spent hours and hours and hours chatting over Yahoo Messenger. And after a few weeks, we were ready. Mike dialed my IP Address, my device rang, and… nothing.
It was maddening. He could call me, my device rang, but would not answer. Nothing we tried made it work. And there were no diagnostics to tell me what was wrong.
I didn’t figure out the problem until years later. Five years later, in 2009, I wrote a technical paper on how to do H.323 reliably. For tech people, the H.323 standard initiates calls over TCP port 1720 and then uses a set of high UDP ports for the video stream back and forth. But the standard doesn’t specify which UDP ports, and so every device vendor uses its own. H.323 and NAT also don’t get along well, and my device was behind a NAT gateway. And that was why Mike’s US Marine video device would not talk to my low-cost D-Link video device.
But I didn’t know any of this in mid-2004, and so I finally asked Mike what devices did the US Marines use? He said Polycom. Well, maybe I could get my hands on a Polycom device. And maybe Polycoms talk to each other better than they talk to the competition.
I called the Polycom toll free number and explained what we wanted to do, and to my complete surprise, the lady on the other end of the phone got excited about a post 9/11 marketing opportunity. After more calls and emails, Polycom agreed to donate a unit to our church if I would cooperate with any PR outreach Polycom wanted to do. I said yes on the spot.
But persuading the United States Marine Corps to say yes took some more doing.
Mike introduced me to his PAO. I didn’t know what a PAO was, but if she could say yes on behalf of the US Marines, that was all that mattered. I learned later that PAO means Public Affairs Officer. PAOs don’t have authority to say yes, but they influence the decision. I spent hours chatting with her during her work hours eight time zones away, and convinced her that Mike and I were onto something good. She agreed to recommend her superiors say yes.
It took a bunch more emails and phone calls and late nights, but the US Marines finally said yes later that summer. I signed papers on behalf of our church, and Polycom sent me a brand-new, $2500 V500 unit for free.
And that was when I found out about the next hurdle. Internet bandwidth.
I needed at least 256 kb per second. 512 kb or 768 kb or more would have been better. The 144 kb IDSL feeding my house wasn’t good enough. Neither was the 128 kb feeding our church. I needed a bandwidth solution. Fast.
I contacted every telco I could think of. I lobbied Chamber of Commerce people. I also contacted the St. Paul Saints minor league baseball team — maybe we could do something jointly. The St. Paul Saints said no. Most of the rest ignored me.
And then a sales rep with TDS Metrocom agreed to have lunch with me. Lunch turned into an entire afternoon talking about our project, and TDS agreed to donate a T1 to our church. TDS also put a T1 into my house. I had a sweet 1.544 Mbps of bandwidth. For free. Plenty to make this work.
Provisioning took several weeks, while I tinkered with my firewall to regulate the traffic. Thanks to Polycom PR outreach, the New York Times featured my project in a Thanksgiving, 2004 article. And thanks to TDS local PR outreach, the St. Paul Pioneer Press also wrote an article.
We went live on Sunday, Dec. 5, 2004. Mike and a few Marines attended church with us, inside a TV sitting on the sound booth shelf in the back of the church sanctuary facing the front. They were eight time zones away in a war zone, but for that hour, they were also inside our church with us. Camera crews from local TV stations jockeyed to get the best angle on our pastor delivering his sermon, and reporters held mics up to the TV to pick up any comment anyone in Iraq might have.
All the research, all the testing, all the lobbying, all the late nights, all the people who said it would never work — it all came together that day. Everything worked. I was ready to bawl my eyes out.
Two weeks later, we commemorated Christmas at our church by connecting a few other families. One family drove overnight from Wichita, Kansas to Eagan, Minnesota through a blizzard to spend a few video minutes with their son in Iraq. That day burned into my brain what these connections meant to the families.
For the next seven months, Mike sat in church with us every Sunday morning in Minnesota, Sunday evening in Iraq. In early 2005, a charter school needed to interview a new director candidate and approached me. The candidate was in Italy, the school was in Minnesota, and international travel is expensive. I connected them over the internet in a children’s classroom in our church.
Mike came home and we did our first public large group event with the Minnesota Twins on Sunday, July 3, 2005. The Twins donated a few suites and we scheduled private family meetings all day. Mike’s wife, Toni, found out one young man had a 12th birthday that day. Twins staff brought him out to the pitcher’s mound and his dad wished him a happy birthday from Iraq on the big screen. A stadium full of fans cheered. More than a few cried. I was one of them because my firewall directed all that network traffic.
We were at the St. Paul Saints on July 4, and more than 10,000 people interacted live with a few Marines on the big screen in the outfield.
We did events with the Minnesota Vikings, Minnesota Gophers, more with the St. Paul Saints, and others. One time, we got word a wife was about to deliver her baby. The Fairview Hospital network support team turned its network upside-down; we hooked that Polycom V500 to a TV, and her husband in Iraq was beside her bed over video when she delivered. A nurse told us later, the husband was so into the birth, she had to turn to the TV and tell him to shut up.
In 2008, Serving our Troops and I connected dozens of Minnesota National Guard families with loved ones in Kosovo. In May 2009, WCCO TV ran a story about my post 9/11 video conferencing efforts. A group putting together an event in Wisconsin called Tailgating with the Troops saw the story and contacted me. We connected 2500 Wisconsin National Guard families at an arena in Madison, Wisconsin in October to loved ones in Iraq. I made a video and it still makes me tear up.
Since shortly after 9/11, Tee It Up for the Troops has operated golf events to raise money to help military families. We connected families in both private meetings and large group settings for eleven years. Here is a page with links to a few highlights. In 2011, Fishing For Life approached me to do livestream connections on top of a frozen lake for an event named Holes 4 Heroes. As of this writing, I still do them. With every year, we push the technology envelope farther. Here is my Fishing for Life page with links to highlights over the years.
Some people asked me why I did it. Others condemned me for doing it. They called me selfish, greedy, and other more colorful names. One person told me I had no business setting up video meetings because without a big company behind me, I had nothing to offer. And my ears still ring from the tongue-lashing from the Freedom Calls Foundation director.
The complainers forced me to examine my motives when they accused me of trying to profit on the backs of our military. And I did hope to one day profit from all the expertise I developed. I pitched video gatherings for political campaigns, tele-medicine, telecommuting, distance learning, and all kinds of other scenarios. Everyone either ignored me or turned me down. A few got mad that I would propose something as radical as working from home. Nobody considered that a global pandemic would force business to embrace telecommuting a few years later.
But no family paid one penny for any small or large group video meeting in which I was involved. I am proud of that. I never served in the military. I’ve never gone hungry. I live in a nice house in the suburbs. And I’m pretty good with technology. Here was an opportunity to use the talent God gave me to give something back to people who defend my freedom. That’s why I did it.
Financial profit would have been nice, but I accumulated memories I’ll treasure for the rest of my life. I still tear up sometimes when I think about that twelve-year-old’s 2005 birthday on the pitcher’s mound with his dad in Iraq. He would have celebrated his 28th birthday in 2021. He probably has a family of his own by now and might not even remember that day in 2005. But I remember it.
The technology I pioneered is obsolete today, but in the early years following 9/11, it was a lifeline to those families. I was privileged to share a few moments with them. The families made it all worthwhile.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
One day when I’m successful, I’ll share my secret to success.
My wife tells me I’m stubborn. I like to call it persistent. With the benefit of 10+ years of hindsight, the video story I shared above is a great persistence example. But there are others. Persistence comes in handy when troubleshooting technology problems.
Integrity is a biggie. Everyone claims integrity, but the practical reality is, I need people to trust me, and the only way to gain trust is, keep my word.
I’m a pretty good teacher. People tell me I have a knack for making technical topics understandable. This comes in handy with interviews in front of an audience. But because I’m a good teacher, many people think I’m also a good engineer. I’ve seen good engineers. I am not one of them.
Are you working on any exciting new projects now? How do you think that will help people?
I’m working on my third novel. My first two novels offer entertainment and great cybersecurity lessons. Book number three has a different theme because human traffickers also use the internet.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?
Ransomware is popular today — and will stay popular for the foreseeable future — because it’s profitable. I live in the trenches, not in the boardroom, and so I see this stuff first-hand all the time. I am an authority because I’ve spent a long time fighting cyberattacks and I’ve learned a few lessons along the way.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?
Ransomware is really old-fashioned blackmail and extortion, mixed with 21st century technology.
Ransomware comes in two forms these days. In the first form, somebody invades a victim’s computer network, scrambles their files, and offers a decryption key for a “small fee,” payable in bitcoin to a hard-to-trace bitcoin wallet. In the second form, somebody copies the victim’s data and then promises not to share the most sensitive information in return for a small “fee.”
Sometimes it’s a bluff. I see emails all the time from attackers who claim they invaded my computer, captured my browsing history, and turned on my webcam during, well, private moments. They offer to keep those moments private if I send them money, otherwise they’ll share it with the whole world. Here is one sample.
Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?
Everyone should be concerned about ransomware attacks. Individual people with no money, no secrets, and nothing of interest to scramble, might still find themselves part of a larger attack against a juicier target.
Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?
It never hurts to get a police report. Insurance companies may need one. It can’t hurt to call the FBI, but based on my experience, don’t expect anything useful. When somebody attacked my customer in 2014, they called me first. It was a good choice because I recovered everything overnight. The local police and FBI would not have been interested because my customer didn’t lose anything.
If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?
Disclosure should be a top priority. If somebody scrambled every valuable piece of information in your computer systems and shut you down, tell the world the truth before even worse rumors and conspiracy theories fly across the internet. You’ll be embarrassed and ashamed, many will ridicule you, politicians might scream, and shareholders might demand your head. But if you have good backups and a good recovery plan, you’ll recover. And if you don’t tell the world, even if you recover all your systems, you’ll never recover the business because nobody will trust you ever again.
If somebody stole your sensitive information and threatens to expose it to the world, you need to tell the whole world first, before the world finds out from somebody hostile. The consequences will probably be bad, but the consequences will be worse if you stay silent or if you pay your attackers and trust them to stay quiet. Just ask the Uber former management team about paying off attackers.
While you recover your systems, put out regular status updates as new information becomes available. This will help manage the rumors that will no doubt fly around the planet, depending on how high of a profile this organization has. Too many organizations fail with disclosure because they don’t want anyone to know their weakness. But with their services down, the public already knows something is wrong, and so withholding timely information only further erodes trust.
Bring in experts to assess the situation and move forward with recovery. Bring in real experts, not politicians in nice suits pretending to be experts. In this crisis, you need substance, not flash. Make smart decisions based on facts, not speculation, and help your stakeholders make smart decisions by keeping them informed.
Should a victim pay the ransom? Please explain what you mean with an example or story.
Nobody paid any ransom when I fought a ransomware attack back in 2014 after an employee accidentally opened a malicious email attachment and launched a program that scrambled nearly everything important to that organization. But I was prepared. I had good backups and recovered overnight. What could have been a disaster turned into an inconvenience.
The key to winning against ransomware attacks is preparation. But as we’ve seen in the news recently, many organizations fail to prepare. If backups are inadequate, or recovery procedures don’t work, and with essential services shut down, some organizations may have no other choice than to pay the ransom.
Never take any option off the table in a crisis, but paying the ransom should be near the bottom of any checklist. And if the ransom is payment in return for silence from the attackers, then don’t pay. If the attackers stole your secret information, then it’s not secret anymore and, sooner or later, the world will learn those secrets whether you pay this time or not. So, face the disclosure consequences now and get it behind you.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
Poor email hygiene, lack of any software update strategy, failure to evaluate threats, failure to take threats seriously, lack of information-sharing with similar organizations, a top management attitude that IT is an expense instead of an asset, and a failure to realize that security is a process, not an event, all contribute to today’s ransomware pandemic.
Specific to scrambled-file ransomware, inadequate backups are far and away the most common recovery problem because the only recovery from a scrambled-file ransomware attack is restoring from backups. The Tewksbury, Massachusetts police department learned this lesson in 2014 when attackers scrambled both its computer systems and online backups and forced a police department to pay criminals to restore its law enforcement systems. Many other organizations, including more police departments, would learn this painful lesson the hard way over the next years. Recent headlines suggest many organizations still have not learned the lesson.
Many people think backing up to a cloud service will keep them safe. They’re wrong. Because if computer systems can find it, then malicious software inside those systems can also find it. Whether the backups are in the same room, the same city, or the other side of the planet doesn’t matter. Keep backups safe by keeping a buffer between systems and their backups, or on a small scale, at least keep a rotation of offline backup media.
Lack of a well-thought-out disaster recovery (DR) plan to quickly rebuild from bare metal also ranks high on the list. Even with backup copies of everything, recovery can still be a disaster if it takes too long.
Every organization should run periodic drills to recover everything from scratch. Better to find problems during practice than during an emergency with the outage clock ticking and the world watching.
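The two points above, a buffer between systems and their backups and a recovery drill that is actually rehearsed, can be shown together in a small pull-model repository. The following is an added example and not code from the interview or from any backup product: a backup host pulls production into a new snapshot each run and stores a hash manifest with it, production holds no credentials for the repository, and a restore drill rebuilds into an empty directory and checks every file against the manifest. The directory layout, the sample files, and the toy XOR "encryption" standing in for ransomware are all constructed for the demo.

```python
"""Pull-model backup snapshots with a restore drill (added example)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pull_snapshot(production: Path, repo: Path, label: str) -> Path:
    """Backup side copies production into repo/<label>/data and writes a hash manifest.

    Production never sees repo. Files and directories are made read-only after the
    copy so a later run cannot quietly overwrite an older snapshot.
    """
    snap = repo / label
    data = snap / "data"
    shutil.copytree(production, data)
    manifest = {
        p.relative_to(data).as_posix(): sha256_file(p)
        for p in sorted(data.rglob("*")) if p.is_file()
    }
    (snap / "manifest.json").write_text(json.dumps(manifest, indent=1))
    for p in data.rglob("*"):
        p.chmod(0o555 if p.is_dir() else 0o444)
    (snap / "manifest.json").chmod(0o444)
    return snap


def simulate_ransomware(production: Path) -> int:
    """Stand-in for file-scrambling malware: XOR every byte and rename to *.locked."""
    count = 0
    for p in list(production.rglob("*")):
        if p.is_file():
            p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
            p.rename(p.with_name(p.name + ".locked"))
            count += 1
    return count


def restore_drill(snap: Path, target: Path) -> dict:
    """Rebuild target from a snapshot and verify every restored file against the manifest."""
    manifest = json.loads((snap / "manifest.json").read_text())
    data = snap / "data"
    mismatched = []
    for rel, expected in manifest.items():
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(data / rel, dst)
        if sha256_file(dst) != expected:
            mismatched.append(rel)
    return {"restored": len(manifest), "mismatched": mismatched}


def demo() -> dict:
    """Constructed scenario: snapshot, scramble production, rebuild from the snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        production, repo, rebuilt = base / "prod", base / "backup-repo", base / "rebuilt"
        (production / "accounts").mkdir(parents=True)
        (production / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        (production / "notes.txt").write_text("quarterly plan\n")
        originals = {rel: sha256_file(production / rel)
                     for rel in ["accounts/ledger.csv", "notes.txt"]}

        label = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
        snap = pull_snapshot(production, repo, label)

        scrambled = simulate_ransomware(production)
        # Production is now useless; the repository was never reachable from it.
        result = restore_drill(snap, rebuilt)
        recovered_ok = all(sha256_file(rebuilt / rel) == h for rel, h in originals.items())

        for p in repo.rglob("*"):  # undo read-only bits so the temp dir can be removed
            p.chmod(0o755 if p.is_dir() else 0o644)
        return {"scrambled": scrambled, "restored": result["restored"],
                "mismatched": result["mismatched"], "recovered_ok": recovered_ok}


if __name__ == "__main__":
    print(demo())
```

The read-only bits are an honesty check against the backup job itself, not a security boundary; the boundary is that production has no credentials for the repository, so the repo, not the production host, initiates the copy. The drill function is the part most organizations skip: run it on a schedule into a scratch location, and treat any non-empty mismatched list or a restore that takes longer than the outage you can tolerate as a finding to fix before it matters.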
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
Join a movement to embrace open. See below for more on the “Embrace Open” movement. Bad guys spend all day probing good guys and all night collaborating to improve tomorrow’s probes. That’s why it’s always a race against time when we learn about a new security vulnerability — because by the time good guys learn about it, bad guys have already figured out how to exploit it. But instead of collaborating, good guys isolate ourselves behind a veil of secrecy. That’s why we keep making the same mistakes over and over and over again.
President Biden’s executive order about public-private partnerships and information sharing might be helpful if it does not devolve into a CYA exercise of checking auditor checkboxes. Instead of creating more checkboxes and paperwork, government and tech leaders should lead by investing in cybersecurity education and keeping the threat in the public eye.
Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)
Also see the video I uploaded at https://www.youtube.com/watch?v=dk23l9aIfYs
Five things aren’t enough. Ransomware defense needs seven tactical tips, a six-word strategic tip, and two good books.
1. Practice good email hygiene. Learn how to recognize phishing scams because phishing is still the leading attack vector. Here are a few dozen phishy email samples. John Podesta, Hillary Clinton’s 2016 presidential campaign manager and President Clinton’s chief of staff, still has the best email hygiene failure story. He came home one night during the 2016 election cycle, tired, and found an email claiming to come from Google about updating his Gmail password. Except it wasn’t from Google. Podesta followed the link and gave Russian attackers his email password. That was one incident in a chain of events that led to the Democrats airing their dirty laundry on WikiLeaks, and that may have changed the 2016 US presidential election outcome.
Poor email hygiene is on both sides of the political aisle. Apparently, Colin Powell, Republican former Secretary of State, also fell for a similar scheme.
2. Apply updates quickly. Security is an arms race, and responsible vendors fix security vulnerabilities as quickly as they can. But the updates are useless unless customers apply them.
Updates can be inconvenient. One time, I was in downtown Chicago on business and my Windows laptop decided to update itself right then and there before shutting down. I ducked into a bank lobby and sat on a bench for forty-five minutes watching it grind before jumping on the elevated train to the airport. I barely made my flight home.
Another time, I was driving and set my laptop in the passenger seat to grind through an update. Bouncing around in the car while updating was a mistake, and my laptop hard drive paid the price. Which proves even IT professionals sometimes make dumb IT choices.
But failure to update might have devastating consequences. Somebody stole private information about roughly 150 million Americans from Equifax in 2017 because Equifax neglected to patch an Apache Struts webserver.
3. Learn how trust on the internet works because everything we do over the internet depends on trust. If Alice wants to spend money at Bob’s online store, Alice needs to make sure Bob really is Bob. Fortunately, both Alice and Bob trust Cathy. If Cathy says Bob is trustworthy, then Alice will trust Bob.
On the internet, Cathy plays a special role called a Certificate Authority, or CA. Every so often, Bob must prove to a trusted CA that he’s trustworthy. When he does, the CA digitally signs a certificate that says Bob really is Bob. And so when Alice wants to spend money at Bob’s store, Bob shows his certificate to Alice to reassure Alice he is who he claims to be.
For a deeper look at trust on the internet, see my presentation on it.
Another angle on trust is a new NIST (United States National Institute of Standards) framework called Zero Trust Architecture. It starts with six assumptions.
a. The entire enterprise private network is not considered an implicit trust zone.
b. Devices on the network may not be owned or configurable by the enterprise.
c. No resource is inherently trusted.
d. Not all enterprise resources are on enterprise-owned infrastructure.
e. Remote enterprise subjects and assets cannot fully trust their local network connection.
f. Assets and workflows moving between enterprise and nonenterprise infrastructure should have a consistent security policy and posture.
The Zero Trust Architecture is helpful because it makes realistic assumptions about how modern networks should operate. But the real world rarely follows theoretical architectures.
Supply chain attacks, including the SolarWinds attack in late 2020, turned trust over the internet upside-down. Government agencies and most of the largest organizations in the world use SolarWinds software to help manage their IT networks. But somebody attacked SolarWinds and compromised a software module. Thousands of organizations downloaded and installed the poisoned software, which exposed all of them to attack. Many became ransomware victims. Or data breach victims. Or both. More than a year later, we’re still assessing the damage.
Rigorous testing cycles would have been useless against the SolarWinds attack because the malicious software stayed dormant for two weeks, plenty long enough for typical enterprise testing cycles. The Zero Trust Architecture also would not have caught it because SolarWinds customers trust SolarWinds to oversee their entire IT networks.
No technological solution will eliminate supply chain attacks. The only solution is a culture change. Embrace open. See below.
But first, a few more tactical tips.
4. Use good password/passphrase management practices. Conventional wisdom says, use complex passwords with random characters, and store passwords in an online password manager. I disagree with conventional wisdom on passwords. Strong passwords with random characters are hard to guess — that’s good — but they’re also hard to remember, and that’s bad. Instead of passwords, use passphrases. Passphrases are harder to guess than passwords because they’re longer, and they’re easy to remember.
Good password/passphrase management also means not reusing the same one everywhere. An attacker used a neglected Colonial Pipeline password to shut down fuel delivery across the eastern United States for several days in 2021. The public doesn’t know how the attacker obtained that password; possibly from a repository of stolen social media passwords.
5. Keep good backups and practice disaster recovery.
With the rise of ransomware, backups are more important today than ever, even for home computer and cell phone users. Like most IT professionals, I could fill a book with war stories around backups. One time, I found myself in the middle of a ransomware attack against a customer. When my cell phone rang, I was 600 miles away from the customer and covered in sawdust building a deck for my mother-in-law. But I had good backups and recovered day-old copies of all the scrambled files overnight. Remotely. The customer lost one day of work. Good backups turned a potential disaster into an inconvenience. Nobody paid a ransom on my watch.
6. Tech tools such as antivirus subscriptions, inbound spam filtering, outbound web filtering for malicious websites, and others should play a role in every organization’s security strategy. Several years ago, I recommended a customer buy an antivirus subscription. They laughed at me. Until a compromised email flew around the organization and clogged everyone’s inboxes.
I spent fifteen years building firewalls before accepting a job offer in 2015. I built hundreds over the years, and every time I connected one to the public internet, within about five seconds, I saw automated probes from around the world targeting my system and the network behind it. When I say bad guys have plenty of automation looking for vulnerabilities, I speak from experience. Fight bad guys’ automation with good guys’ automation.
7. No matter how good the tech tools, old-fashioned human awareness will always be the last and best line of defense against ransomware. We need to bolster it. I remember a bank vice-president who refused to acknowledge the difference between his bank’s internal network and the bank website. And a dentist who kept his patient X-ray images on a Windows XP system in a dusty cubicle and never backed it up. When I asked him what would happen if he lost all those images, he said he didn’t need computers to do dentistry. Then there was the store owner who didn’t want to clean the viruses from the store computer she shared on the public WiFi with her customers. And dozens of home computer users with devices polluted with thousands of viruses, downloaded from who-knows-where. Too many people spend too much time in denial and need to wake up.
8. Everyone should burn this six-word bonus strategic tip into their brains. Care and share to be prepared. All the tactical tips flow from this.
One time, a busy organization leader asked me about how malicious software gets onto peoples’ computers. I started to answer and he interrupted me in mid-sentence. “Greg, just tell me what I need to know in twenty-five words or less.”
I walked away mad; why ask a question if you don’t want the answer? With billions of people connected to the internet, including millions of possible attackers, how does anyone present all the possible threats in twenty-five words or less?
But a few months later, “Care and share to be prepared” worked its way into my brain. A deeper level of perspective really does summarize everything busy people need to know. With nineteen words to spare.
Care enough about your own safety on the internet to really invest instead of talking about investing. Your information technology is an asset, not an expense, and attackers want to exploit your assets for their gain. People who fail to care about internet threats will continue suffering the consequences. Meet these threats by experimenting with different ideas to protect yourself. Learn, refine, and repeat. Share what you learn with others, demand others share what they learn with you, and set up a virtuous circle of continuous improvement.
9. And that leads to the final tip. Read two great books.
It’s a time-honored tradition to use fiction to present truth better than the news, and by 2014, I was frustrated with headline after headline about companies that allowed attackers to steal my personal information, and people whose eyes glazed over when I talked about the threat. And so, I decided to do something about it.
I published Bullseye Breach: Anatomy of an Electronic Break-In in 2015 to show how Russian mobsters stole 40 million customer credit card numbers from fictional retailer Bullseye Stores, and what an ad-hoc team in Minneapolis did about it. In 2019, I published Virus Bomb to show what might happen if a nation-state really does get serious about attacking our country over the internet. All of us really are on the front lines of the cybersecurity war, and that’s why real superheroes are ordinary people who step up.
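The Alice, Bob and Cathy trust model from tip 3 above, played out with the openssl command line as an added example (this is not code from the interview or from the author): a CA named cathy signs bob’s certificate, Alice verifies it against the CA she trusts, and a certificate for the same name signed by an unknown CA named mallory is rejected. All names and the temporary directory are constructed for the demo; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the interview: Cathy (a CA) signs Bob's certificate,
# and Alice accepts it only because she already trusts Cathy. A second CA,
# "mallory", that Alice does not trust shows the check failing. Needs the
# openssl CLI; all names are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root certificate for a CA named $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Bob generates his own key and a certificate signing request (CSR).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# CA $2 signs $1's CSR: this is Cathy vouching that Bob really is Bob.
sign_cert() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -sha256 -out "$WORK/$1.$2.crt" >/dev/null 2>&1
}

# Alice checks certificate $1 against the only CA she trusts ($2).
# Prints "ok" when the chain verifies, "fail" otherwise.
verify_as_alice() {
    if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca cathy
make_ca mallory          # a CA Alice has never heard of
make_csr bob
sign_cert bob cathy      # legitimate: vouched for by a CA Alice trusts
sign_cert bob mallory    # same name on the cert, but the wrong voucher

verify_as_alice bob.cathy.crt cathy      # ok
verify_as_alice bob.mallory.crt cathy    # fail
```

The second verification fails even though the certificate says "bob", which is the whole point: Alice trusts the name only because a CA she already trusts signed it.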
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
No architecture or set of tools or intellectual framework will stop ransomware, because security is a process, not an event.
Bad guys spend all day probing good guys over the internet, and all night collaborating with each other to improve the next day’s probes. But good guys hide behind a veil of secrecy. That’s why we keep making the same mistakes over and over and over again.
Good guys can break that cycle by embracing open. Offer transparency to the world. Present your cybersecurity strategy at conferences, interviews, blog posts, and any opportunity. In return, demand transparency from everyone, including suppliers, customers, and other stakeholders.
Many will question my sanity for pressing this argument. After all, doesn’t publicizing security strategies to the whole world give away free information to bad guys? The short answer is no. Bad guys already know more than good guys about our networks. That’s why we’re suffering through a worsening global ransomware pandemic.
The debate about embracing open dates back to Alfred Charles Hobbs in 1853, or roughly 170 years ago. Hobbs was a famous locksmith of his day, and he edited a book, Rudimentary Treatise on the Construction of Locks, to educate the public about how mechanical locks worked. On the bottom of page 2, Hobbs said:
“A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by shewing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and they know already much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock — let it have been made in whatever country, or by whatever maker — is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.”
2022 technology is beyond what few in 1853 could have imagined, but the issues around secrecy are identical. When 21st century good guys embrace open, we will harness the world’s collective wisdom to finally win against ransomware, data breaches, and other attacks. If Hobbs were alive today, he would be an internet security researcher.
How can our readers further follow your work online?
Contact me via my website. Or even better, just visit my home page, click the big red button, and fill in the form with your name and email address to sign up for my email list. I promise I won’t flood you with fluff.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!