Repelling A Ransomware Attack: Chuck Lewis of Sentient Digital On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack
Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Chuck Lewis.
Charles “Chuck” Lewis joined SDi in May 2019 as the Senior Cybersecurity Specialist/Cyber Manager and leads a team of cyber professionals that support the U.S. Navy Military Sealift Command (MSC) for all aspects of the U.S. Navy Risk Management Framework (RMF) cyber processes.
In his role at SDi, specifically from April–September of 2020, Chuck led the Cyber Team in full accreditation of seven RMF packages, providing Authority to Operate for all seven, and through use of the Navy RMF process, Chuck and the Cyber Team successfully completed Systems Categorizations, System Security Control Sections, Security Control Implementations, and Assessment & Authorization tasks. The team verified all security testing using Security Technical Implementation Guides (STIGs) and analysis of all scans using the Assured Compliance Assessment Solution (ACAS) tool. Some ATO packages required remote testing in Norfolk, Virginia, with assets physically in San Diego, California, due to COVID-19 nationwide restrictions.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in the Tidewater area of Virginia. No matter where you live in Tidewater, you’re close to the ocean. My mother loved the beach and the ocean so I guess I got salt water in my veins at an early age. I’ve spent my whole life enjoying the ocean and all it offers including surfing, kiteboarding, paddleboarding and beach volleyball. I love the beach, the ocean and all the sports each has to offer.
The Tidewater area is a huge military town and a large percentage of economic opportunities are tied to the military industrial complex. I started my work career in the local public shipyard and have worked for the military in some capacity my entire career.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I graduated from Old Dominion University in Norfolk, Virginia, and my business degree was focused in management information systems; back then computers were starting to make their way into everyday life. When I started my career path into computers, cybersecurity didn’t exist. My technical proclivity was an Oracle Database Administrator. The security work I had to do in the Oracle Database opened the path to information security (INFOSEC) as it was called back then. Within the Computer Specialist realm I currently occupied, INFOSEC was created and I made the official switch in 2005. It was all very new and we were figuring it out as we went. Our first technical computer audit started in 2003 and it paved the way to what we now call cybersecurity. I’ve been in some aspect of cybersecurity for the last 19 years.
Can you share the most interesting story that happened to you since you began this fascinating career?
The main focus of my cyber career has been Compliance and Governance. This part of cyber is heavily focused on system documentation and what is called Risk Management Framework (RMF) Assessment & Authorization (A&A). We create RMF A&A system packages that include all the hardware, software, and network gear that actually defines a system. We certify the systems so they are allowed to connect to the Department of Defense Network Information (DoDIN). It is a very involved process. At the beginning of COVID, we had a system in San Diego, CA that needed a full RMF A&A. Because our team is required to perform all technical testing, we were scheduled to travel to San Diego to perform all the test batteries. All travel had been cancelled and we had to certify this system remotely, from 3000+ miles away. Our customer expressed grave concerns that the system testing could be performed remotely, but my amazing team proved successful. We were able to get this A&A package certified and achieved the required steps to allow this system full authorization to connect to the DoDIN. The complete endeavor was a huge challenge; this effort was the number 1 priority for our customer. It wasn’t easy but we got it done.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
Trust, Truth & Integrity. As the team leader you can only be as good as the team you build. To have a strong team you must train them and then give them every opportunity to succeed. In our world of cybersecurity there are several industry recognized certifications. The Certified Information Systems Security Professional (CISSP) from the International Information Systems Security Certification Consortium (ISC2) is the GOLD standard for seasoned security professionals. One must have 5 years of cyber experience to even sit for the exam and you must be sponsored by an active CISSP holder. There are several recognized certifications for those junior cyber warriors with 1–5 years of experience. It is encouraged to seek those junior certifications on your way to securing the CISSP.
Truth is a required trait because we deal in absolutes. The truth of this moment will be the truth in six months. If I speak the truth now and get asked the same question in 6, 9 or 12 months and speak the truth then, I’m confident our answers will look the same.
Integrity is related to truth. In our world, integrity refers to the accuracy and completeness of data. Integrity also lives within the person. Our assessments and testing results must speak the truth, whether the news is good or bad, and bad news will not get better with age. Our assessments must be driven by integrity; it doesn’t matter who the authorizing official is that reviews our results. That authorizing official may be a low-level reviewer, a CIO of a command, or some other high-level reviewer. Our reviews must speak the truth, by the best trained staff, with the integrity that we can defend and support our assessments no matter the level of scrutiny.
Are you working on any exciting new projects now? How do you think that will help people?
Taking our customers to new technologies is the most exciting project for the near term. Moving our government partners to the cloud, utilizing the security of the cloud and increasing the capabilities the cloud offers, is part of our future. Working in/with the cloud in conjunction with our government partners offers increased confidentiality, availability and integrity.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?
I work for Sentient Digital, Inc. as the Senior Cybersecurity Specialist/Cyber Manager, leading a team of cyber professionals. I also have over 18 years of experience working with Information Assurance, Assessment & Authorization, systems analysis, and Oracle database management and security support for DoD, NAVSEA, the U.S. Coast Guard, Program Office — Information Technology, and Military Sealift Command.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?
There are several different types of ransomware attacks that people should be aware of. One of the most well-known is crypto ransomware, which encrypts data and files, making them inaccessible without a key. Another type is scareware. This is essentially fake software that claims to have found an issue with your computer and asks you to pay to fix it. A third type is a locker, which locks the user out of their system. It typically displays some sort of ransom demand and may include a countdown in order to increase the victim’s urgency. A fourth type of ransomware is doxware, which threatens to expose a user’s personal or company information. Many victims will panic and pay the ransom to avoid their private information being shared. This type of ransomware can sometimes disguise itself as law enforcement warning about illegal activity on the victim’s computer.
Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?
While individuals should take the necessary precautions to protect themselves online, companies in the healthcare and education sectors were the greatest targets of ransomware in the past year.
Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?
Unless you are in immediate danger, ransomware attacks should be reported to the government. Victims can report incidents to the FBI, CISA, or the U.S. Secret Service.
If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?
The first thing a company should do is locate the affected network and take it offline. If this is not possible, then locate the cable and unplug the devices or remove them from Wi-Fi to isolate the attack. This will make it so the attacker isn’t able to track their activity as closely. Next, the company will want to keep track of the unaffected devices and systems so that they can be used for restoration. Document what has happened and report it while keeping your team informed of next steps.
Should a victim pay the ransom? Please explain what you mean with an example or story.
It is usually not a good idea to pay the ransom because in most cases, victims’ data will still be partially corrupt even after they pay the ransom. A recent study found that of companies who experienced ransomware attacks, only 8% received all of their encrypted data after paying the ransom. Additionally, paying ransom does not stop a company from being attacked in the future; in fact, it might encourage more attacks because the company will appear as though they are always willing to pay ransoms.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
Some of the biggest mistakes I see companies make in terms of cybersecurity are re-using passwords, sharing passwords, emailing unencrypted data, having unencrypted data on their phones, and not sharing data policies with employees. All of these mistakes can make a company much more susceptible to an attack.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
Tech leaders can help limit the frequency and severity of ransomware attacks by encouraging their companies to follow cybersecurity best practices and creating a culture in which all employees take responsibility for cybersecurity.
Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)
- Educate your employees on how to spot the first signs of an attack. For example, if the only people that are able to recognize attacks are your IT employees, you will not have as much success in stopping them as if your entire staff is educated on the topic. From what I have seen lately, educating the entire staff is extremely important. Ransomware attacks have become more successful because they are bypassing firewalls and defense in depth. The attackers are using clickbait. Clickbait can be a phishing attempt or some other method used by the attacker via any method that the unsuspecting user clicks on such as a website, a video, a photo or some other type of executable that deploys the attacker payload.
- Have a data recovery plan. This can take different forms, but having a plan in case of an attack is extremely necessary for any company. For instance, if your data is attacked, you will be less inclined to pay the ransom because of the plan you have in place. Data recovery can have many facets. First, how critical is your data, and what impact can it have on your company’s ability to do business? My first data recovery live exercise was conducted 19 years ago. This exercise was conducted for a financial institution where the leaders said we could not go for 24 hours without the ability to process financial information. The in-depth analysis revealed all information could be re-created in other areas and re-processed to create a point-in-time recovery. It was further revealed our processing requirements had to happen every 7 days, every 21 days and every 30 days, not in 24 hours as the initial assessment said. Data recovery, coupled with a sound business continuity operations plan, may reveal similar requirements for your organization. The more critical your data is, the more dispersed the data storage requirements may have to be. Also, it is important to keep point-in-time recovery options for your data. Is my stored data in one place, or do we have stored backups away from the day-to-day processing, and away from the part of the enterprise that was hacked?
- Use antivirus software to protect your data. For any company, it should be essential to invest in technology that is able to protect against ransomware attacks. This can save a company large amounts of time and money by putting extra precautions in place to protect their data. Enterprise antivirus solutions will help with what’s known. The ZERO DAY vulnerabilities keep us from total protection because we don’t know what we don’t know. Also, antivirus solutions are part of the corporate defense in depth. Clickbait that is clicked on by an employee bypasses all of those defenses because the email or video already sits on the desktop or laptop behind the firewall. Once that payload is clicked on, all the defense in depth has already been bypassed.
- Be careful with what links you click and what files you download. Unless you are 100% sure that something you are running on your computer is safe, it is best to not download or use it. This can be an easy way for a hacker to obtain your data and information. Everything I’ve discussed above supports what trouble clicking on links can bring into the enterprise. This is where extensive training is needed to help employees understand how critical this is. There is also a technical solution that can assist. Email servers can be configured to prohibit all types of email attachments.
- Back up everything. Make it a habit to back up all data and important information onto a separate device. In case of an attack, this will make your recovery plan go much easier. Back up everything and use distributed backups. Don’t keep all of your eggs in one basket, and make sure you know what backup data is good and what backup data is not. Yes, backups are important, but your recovery solution is also very important. You must also know if you can successfully recover by performing live recovery operations. If you have not tested your recovery solution, there is no way to know if it will actually work.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
If I could, I would inspire a movement for everyone to use anti-malware software on all of their computers. Lots of individuals do not think they will ever fall victim to an attack, but the reality is that just about anyone is at risk. It is always best to invest in the right protections now in order to save your data and information down the road.
How can our readers further follow your work online?
You can follow my work through Sentient Digital’s website and blog.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
Thank you!