Repelling A Ransomware Attack: Doug Barbin of Schellman On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

An Interview With Ben Ari

Authority Magazine Editorial Staff
Authority Magazine
14 min read · Sep 17, 2023


Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?

In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Doug Barbin.

As the President and National Managing Principal of Schellman, Doug Barbin is responsible for the strategy, development, growth, and delivery of the organization’s global services portfolio. Schellman is a leading global provider of attestation, compliance, and certification services. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market-leading diversified cybersecurity and compliance services provider. He has developed many of Schellman’s service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and business development teams.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born in Maryland and grew up in Atlanta, though both of my parents are from Pennsylvania. Growing up I played the trumpet and was heavily involved in music. That continued at Penn State, where I played in both the jazz and marching bands. I was a dual major in accounting and criminology with aspirations to someday join the FBI. Following graduation, I joined the forensic accounting group of one of the then-Big 6 accounting firms in Washington, D.C. That’s what ultimately got me into security and on the career path I’m in. Forensic accounting became computer forensics, and investigations became security. Essentially, I switched from catching the “bad guys” to protecting people and organizations from those actors. From there, in 2000, I went to a startup company, Guardent, that was eventually acquired by Verisign and spun off to SecureWorks in 2009, when I ended up at Schellman, where you can still find me today.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I never really had that “ah-ha” moment that inspired my career in cybersecurity. Instead, I followed technology and industry trends that aligned with my interests. In the late nineties, when I was with PwC, I was working in forensic accounting as it began to segue into computer forensics, because people found out that the best way to catch fraudsters and people stealing money was via their computers rather than traditional books and records. That prompted me to help a coworker stand up the first forensics practice at the firm, and from there, I settled into security. Along with a lot of eDiscovery, we worked on projects called executive lockdowns, where I would come in over the weekend before the CIO was going to be fired to take an image copy of their hard drive. That way, if they tried to sue or if anything else nefarious happened, we had all of the evidence preserved. Alongside my responsibilities on the executive lockdowns, the elite security team would come in to lock down the entire network and reconfigure the firewalls so the soon-to-be-fired CIO couldn’t connect to the network anymore. I was really intrigued by that security team’s work, so, in 2000, I left that firm for Guardent. There, I still did a bit of incident response and forensics, but I pivoted more to proactive assessment of the company and began doing much of the same type of work, like penetration testing.

Can you share the most interesting story that happened to you since you began this fascinating career?

One of the investigations that I was the lead for involved an internal employee hacking his company’s email system and pretending to send out email from the CEO. After days of combing through the logs, I found an IP address that I was (very luckily) able to trace back to an employee’s home Internet service. I, along with the general counsel, interviewed the employee and provided him with the evidence from the email systems and network showing that the activity occurred from his house. He confessed! No dark rooms with a spotlight, but it was the closest I’ve been to an interrogation.

A lot of cases that I investigated dealt with crooked CFOs who were into some inappropriate things on the side and funded those activities with stolen money. There’s a joke that crime movies are all about sex, drugs, or money, and in reality, it’s true; it’s always at least two of those three. For example, I once caught a crooked CFO having an affair with a travel coordinator via deleted email records.

On a more positive note, as much as it isn’t a specific story, all the people I’ve met and places I’ve traveled through this career are what I find the most interesting. I’ve worked with clients in Europe, Israel, China, and Australia, which has helped my perspective on the global market because I think we can sometimes get a little siloed here in the U.S. You get such a great perspective because you work with global data centers and global cloud computing providers and the scale of things they need to track and pay attention to is amazing.

Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Compassion: This industry tends to center around bad news. Whether you’ve been hacked, you didn’t pass an audit, or you have gaps in compliance, that bad news needs to be delivered. Delivering messages in the appropriate context that conveys the importance of what’s going on but also shows understanding of the human side goes a long way in forging meaningful relationships and earning respect from coworkers and clients.

Perspective: Having a unique perspective has been beneficial to me in my career, especially at Schellman. Many of my coworkers and peers here were doing assessments at Big 4 firms prior to Schellman, whereas I was running the managed services business at Verisign. I was being audited by those firms conducting SOC assessments, so I was on the opposite side of the table, which gave me a better understanding of the client’s point of view, allowing me to better understand and service them.

Adaptation: One of our core values at Schellman is “don’t stand still.” I like to move and adapt, and it probably frustrates people who are more process-oriented than I am, but it’s how I get my best work done and I am the most productive version of myself. I like to call it “professional ADD.” I’ve been with Schellman for 13 years, but it certainly doesn’t feel like I’ve been at the same organization for 13 years. The cultural DNA has been very consistent, but the company has transformed a good bit since I joined, and I did alongside it. When I first joined the company, we had about 18 people. Now, we have 500: a big difference. The ability to stay agile and reinvent ourselves every few years is what keeps me going.

Are you working on any exciting new projects now? How do you think that will help people?

We have tons going on … from a services perspective, we are constantly adapting to new compliance regulations and building that into our clients’ compliance programs. For instance, the SEC recently published new cybersecurity reporting requirements, including notification of shareholders of a material incident within four business days. Four business days is super aggressive! That has never been seen before. There is also lots of new guidance from NIST around things like software security, ransomware, and other key security threats.

At Schellman, we are also making significant investments in technology. Specifically, we are optimizing the way we work and deliver assessments to our clients to operate more in an agile manner. Also, we’ve built APIs so that our clients can use their own workflow and GRC systems to share evidence with our auditor in a secure and efficient manner.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

I think it’s tough for anyone to be an authority on ransomware because the attack patterns change frequently. My experience in the industry, conducting penetration testing, incident response, and computer forensics, gives me the fundamentals to work through the problem. Dealing with ransomware at its core starts with understanding risks and threats to an environment and then ensuring that an organization has the ability to respond.

In order to ensure that we are all on the same page, let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

To start, ransomware is a type of attack that allows a hacker to encrypt a victim’s file system and revoke the organization’s access so that they can extract money in exchange for the data and/or restoration of access. The three main ways that threat actors get ransomware into an organization’s systems are:

Phishing: Someone poses as a legitimate institution, often through website ads or e-mails, and dupes you into providing your personal information.

Drive-by downloading: When a user visits an infected website unknowingly, at which point malware is downloaded and installed.

Poor patch management: Internet-facing servers or services with unpatched vulnerabilities allow remote code execution (RCE). When this type of issue is exploited, an attacker gains a hold on the organization’s infrastructure and then they can execute ransomware, or even pivot deeper within the network.

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

Everyone should be worried about and prepared for ransomware attacks. Businesses need to care about protecting their data, because a ransomware attack can cost them financially and damage their reputation, and individuals should be conscious of the safety and security of companies they give their personal information to. Across the industry, across the world, and across seniority levels, if you have something that a threat actor wants or sees value in, you are a target. With that being said, the industries that carry the highest rate of ransomware attacks are the healthcare sector, education, construction and property, and central/federal government, according to Sophos.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

The call in the event of a ransomware attack should be to the organization’s incident response team based on their defined processes (assuming they have them). Once the attack happens, there’s no more time to plan, no more time to consult with a lawyer regarding disclosure obligations, no time to find the money for the ransom, and no time to sit down with your employees to discuss how to proceed. By investing in incident response, organizations can panic less and isolate the incident before it spreads. Once the incident is isolated and potential business disruptions are handled, organizations should turn to CISA and NIST for reporting requirements and then notify the necessary authorities.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

Having good cyber hygiene in the first place would lessen the likelihood of any attack, so that’s my first recommendation, but having an effective incident response plan and recovery capabilities will make a world of difference. By investing in incident response, organizations will be able to immediately dive into their plan to work on locating and isolating the attack before it can metastasize and spread further. Without proper incident response, an attack could spread to any corner of the organization, meaning the organization will need to check its endpoints for vulnerabilities (and likely have to re-image them), sweep the servers for residual issues and unauthorized access points, and reissue credentials for impacted systems.

Should a victim pay the ransom? Please explain what you mean with an example or story.

I don’t think this is a black-and-white decision. Responsible business owners need to make those kinds of difficult calls. I of course don’t think that attackers should be able to make money off this, but there is more to think about than just putting money in the hacker’s pocket. Impacted organizations should always work with law enforcement to see if the criminals can be caught, the ransom be remediated, and the data be taken down. What it comes down to for me is: if I have employees and customers that are suffering because my company is unable to conduct business, I would weigh that against the cost of getting the encryption back. For example, if a hospital is hit with a ransomware attack, that truly has the potential for life and death consequences. On top of that, I also think about whether that threat actor will come back if I pay the ransom — I don’t want them to prioritize my business as a target because we paid the ransom before.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The most common mistake I see is that organizations forgo preventative cyber hygiene practices. A well-rounded practice includes protecting the organization’s technology, educating its personnel, and creating data backups. Protecting the organization’s technology includes staying up to date on security patches, encrypting and segregating sensitive files, and using multiple lines of defense. The best practices for educating personnel include training on social engineering attacks and steps to make recognizing sophisticated attacks easier, such as systems automatically showing hidden file extensions. All data should be backed up in a separate, air-gapped system via an automated program that generates and encrypts those backups every day. While all organizations are vulnerable to ransomware whether they follow these best practices or not, those who do follow the best practices will be able to respond to and mitigate threats much quicker.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

I think that the government has taken a step in the right direction with the National Cybersecurity Strategy that was released in March of this year. The five pillars outlined in the strategy will greatly improve security for all businesses in the country. As for technology leaders, remaining compliant with the Cybersecurity and Infrastructure Security Agency’s (CISA) and the National Institute of Standards and Technology’s (NIST) most recent framework updates will also be key. I reviewed in detail the Cybersecurity Strategic Plan, CISA’s overall 3-year strategic plan, and the President’s National Cybersecurity Strategy and found a significant amount of alignment. At a high level, the three strategic goals of the CISA Cybersecurity Plan actually align with the White House’s Cybersecurity Strategy. CISA’s first goal of addressing immediate threats aligns with pillars 1 and 2 of the National Cybersecurity Strategy, which is to defend critical infrastructure and disrupt and dismantle threat actors. The CISA “Shields Up” Program is also a cornerstone of both strategies. CISA’s second goal of hardening the terrain aligns with pillars 1 (defend critical infrastructure) and 4, which is to invest in a resilient future. CISA’s third goal of driving security at scale really hits home with pillar 3 of the National Cybersecurity Strategy as it brings public and private sector groups together and ushers in widespread secure software development.

So, I think that great strides have been made this year with regard to implementing new regulations and standards. Now, we need to act on them and enforce them.

Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why?

  1. First and foremost is awareness and having people in the organization that understand the risks of ransomware, the threats associated with it, and how simply clicking on a bad email can trigger a ransomware attack via phishing. Organizations need to ensure that all employees are trained and educated on how to protect against employee-targeted ransomware attacks, as humans tend to be the weakest link of cyber defense. Organizations should train employees on how to spot and report phishing attempts and conduct regular testing to ensure employees are following best practices.
  2. Second is ensuring your enterprise architecture and network are secured. Once someone clicks that phishing link, the attacker gains the first point of access and then can move around within the system. With secure enterprise architecture, if something gets compromised, it’s much easier to limit the attacker’s movement, and, in turn, limit the damage that they can do. For example, a lot of times companies that get hit with ransomware are not the ones that have cloud-hosted email. The ones who tend to run into more problems are the organizations that use an Exchange email server on their internal network, because it’s also connected to their financial and billing systems. I’ve seen instances of ransomware where they’ve gotten in and they haven’t been able to touch the cloud services or emails, but they were able to get into a financial system that was running on an older Windows server sitting in someone’s office.
  3. Third is data protection, encryption, and backups. When an organization is attacked with ransomware, hackers get into the system, encrypt its data, steal the data, and then offer to give it back… for a price. If an organization has redundant backups of its data, the impact of that attack is greatly minimized, and the organization doesn’t have to worry about making a decision about whether to pay the ransom.
  4. Robust monitoring practices are also key. Organizations need to have the capability to log the system and application-level activity so that if someone gets in, organizations can have a better look at what they are doing or did while in the system. The organization can then share with law enforcement to ensure the incident is handled correctly.
  5. Alongside good monitoring practices, organizations must have a well-rounded incident response capability. When an incident occurs, the organization will be able to respond and guide its people on a standard process to organize, triage, and understand an event. For example, with the SEC’s new rule on reporting data breaches, organizations must report whether a breach is material within four business days. The only way to know if that breach is material is if the organization has a set process to follow and can define the actions that teams need to execute in order to fully respond to the event.

I know a CFO whose company was hit with a ransomware attack. Their Microsoft Office 365 materials were untouched, but the same couldn’t be said for their accounting servers, which were running on Windows 2018 hardware. Simply put, because of the outdated practices, they had to pay; there was no choice. This person thought of the families impacted by the company’s employees being out of work. When families’ livelihoods are on the line, the decision becomes easier — pay $100,000 to get the business back up and running or cause numerous families to be without steady income for an undefined period of time.

If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be?

I actively contribute to groups that sponsor awareness of and the fight against human trafficking. It’s such a horrible thing so I do what I can to help push that movement.

I’ve also worked with several nonprofits that help veterans get educated in their desired field of the workforce. Seeing the impact it’s had on them has prompted me to want to put efforts toward getting all veterans the tools they need to find success. It goes deeper than veterans even — I think that, as a whole, underrepresented groups have an especially hard time breaking into the technology industry, so any movement that gets more people gainfully and happily employed is one I can get behind.

I am also a melanoma survivor so the more awareness, funding, and research that can be applied to fighting and preventing cancer the better.

How can our readers further follow your work online?

You can find me on LinkedIn or you can follow Schellman on X (formerly Twitter), LinkedIn, and our blog.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
