Repelling A Ransomware Attack: Jerry Hsieh of Splashtop On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack
Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Jerry Hsieh, head of security and compliance, Splashtop.
Jerry Hsieh is head of security and compliance for Splashtop, a secure remote access and support software company. He has more than 20 years of experience in IT management, security, and compliance.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born and raised in Taipei, Taiwan and immigrated to the U.S. in 1996 to pursue my education. I began my university experience with limited understanding of English and zero computer experience but worked hard to become fluent in both by the time I graduated early with my master’s degree.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
In 2003, there was a major SMTP DDoS attack, which stands for Distributed Denial of Service Defense, at the company I was working for. The purpose of this type of attack is to disrupt businesses by rendering key resources unavailable. This event affected almost everyone, regardless of what mail server you were deploying. Thousands of SMTP requests were flooded to the server, and as a byproduct, servers were unable to accept legitimate SMTP connection requests. Business operations were interrupted, email communications were halted, and no business deals were able to be closed.
At the time, I was an IT manager and personally had to sleep in my office for a week — right after my wedding — to mitigate its effects. I witnessed firsthand the chaos this created for people and businesses. That was the moment I became interested in cybersecurity.
Can you share the most interesting story that happened to you since you began this fascinating career?
Well, one of my dream jobs as a child was being a physician. I was fascinated with the idea of saving someone. But that career path was too hard — it’s one of the many reasons I have so much respect for doctors — so I committed to Information Technology.
Then, at one point in my career I became the IT Director for a medical device company that helped prevent neonatal blindness in newborns. It was extremely satisfying work, and one day I realized that being an IT professional is not much different than being a physician. Doctors ask questions to diagnose; IT professionals look at logs and error messages to diagnose. Doctors prescribe medication or perform operations to heal patients, and IT patches up systems and replaces hardware to bring systems back to life. So, in a way I get to be a technical physician, minus malpractice lawsuits!
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
- The most important trait is to manage expectations from 360 degrees. IT is on the frontline of the technology and security challenges faced by organizations. Learning what people expect is important to being able to deliver a realistic expectation. Getting everyone on the same page prevents burnout among IT professionals and helps to keep initiatives progressing efficiently.
- Build a strong team and support them. Nurture the people you hire and help them to develop their careers. Everyone has a dream career path and motivations beyond their paycheck. People need purpose and to feel valued. Utilize the talent you have and oftentimes, you will see the sky is the limit.
- Be humble and keep learning. No one knows everything and new technologies are invented every day. Staying on top of trends and being open to learning from others is super important, so you know what’s going on out there.
Are you working on any exciting new projects now? How do you think that will help people?
Yes! We have some exciting things on our Splashtop roadmap for this year. Without revealing too much too soon, I can tell you the project I’m working on involves the combination of user authentication, authorization, and secrets management — a true Zero-Trust Network Access (ZTNA) approach.
In order for businesses to be successful today, they adopt a multitude of specialized cloud-based services to handle this function or that. Imagine the multitude of connection points: each employee has multiple accounts and not all of them support single sign-on — and some of the technology is outside of IT’s control. How to manage user authentication and authorization is more of a challenge now for IT than ever. This project could solve the problem.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?
I have more than 20 years of experience in IT management, security, and compliance. I currently head up security and compliance for Splashtop, a leading secure remote access and support software company. I’ve lived my whole life assessing risk and it has prepared me well for this career.
In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?
Ransomware is a malicious attack that can lock or encrypt an organization’s data or individual’s data on a server, in the cloud, or on a computer system, requiring a ransom payment to unlock or decrypt the data and files. Ransomware can compromise an entire network and has the potential to debilitate an entire organization and its supply chain. Some of the most commonly used ransomware are:
- Crypto Ransomware: The most well-known variant. It encrypts data and renders it inaccessible.
- Scareware: Claims to detect a virus on your computer and manipulates users into paying to “solve” the problem.
- Leakware: Essentially blackmail. Leakware comes in many forms. For example, you may receive an email claiming to have access to your webcam, contact list, and even daily activities. In order to sell the bait, emails may include a password that you used years ago (that was probably easily found on the dark web) to make people panic and pay the ransom.
- Lockers: This shuts down your system completely. Instead, it displays a lock screen with ransom instructions.
Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?
In my opinion, both. Ransomware has been a threat for years, but its growth has been exponential more recently because of the evolution of the digital landscape, expedited by the pandemic. During the first half of 2021, global attack volume increased 151%. For cyber gangs, businesses tend to have higher value but are harder to penetrate, but private individuals can be considered low hanging fruit. Regardless, it’s important to note that most ransomware attacks begin with an individual clicking on a link they shouldn’t or criminals using an easy-to-crack password. So, whether an individual is using a work-issued or personal computer, the same best practices apply.
It’s also worth noting that businesses of all sizes and in all industries can be a target for ransomware. In fact, ransomware groups now have their sights set on small and medium-sized businesses for three reasons:
- They don’t necessarily have internal security support and know-how.
- They often use out-of-date and/or unpatched software.
- They haven’t considered themselves at risk since most of the attention is on the big, high-profile businesses and organizations.
Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?
As a private individual, the FBI recommends contacting law enforcement and the local FBI field office for assistance and to file a report. If you are a business, I recommend engaging with cybersecurity experts and legal counsel to assess, and work with law enforcement to remediate the situation. It is also worth mentioning that the recent Strengthening American Cybersecurity Act requires critical infrastructure operations and owners to report substantial cyberattacks such as ransomware to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and within 24 hours of making a ransomware payment.
If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?
Great question. After an attack, there’s a certain amount of retrospection required, but it’s also important to be proactive and avoid future risk. To start, organizations should:
- Classify their data and design a backup strategy
- Encrypt their backup data and keep it offline so as to be able to restore it later without the risk of paying ransom or having it leaked
- Conduct restoration tests
- Perform drills; exercise to prepare for the worst
Repeat the steps above and make it better each time.
Should a victim pay the ransom? Please explain what you mean with an example or story.
Most experts, including law enforcement agencies, recommend not paying the ransom for several reasons:
- It encourages the attackers
- Victims may even suffer repeat attacks
- Payments can increase
- Paying doesn’t necessarily mean the data is recovered
- The FBI says that paying can be illegal
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
- Treating all data as equal. I’ve seen that people tend to mess up data classification and safeguarding. Often, people don’t know what they are protecting. Without knowing the value of the data, you don’t have a corresponding strategy to protect said data and are subsequently vulnerable to ransomware attack.
- Not prioritizing end-user training. Most data breaches are caused by phishing — whether it is a compromised system or a user account. A well-trained employee reduces the risk greatly.
- End user authorization and privilege control. People often think authentication is the key to security. However, without proper authorization and privilege control, users might have access to data and information that they do not need and are not authorized to see, which can be dangerous.
- Misconfiguring a virtual private network (VPN). The traditional VPN does not have adequate control over who or what device can connect to the network. VPNs are legacy technologies and are relatively easy to configure but are often exploited because there is no standard way to set them up, operate and distribute access.
- Relying on old (legacy) technology. Many companies rely on outdated systems because of cost, such as the combination of a VPN and remote desktop protocol (RDP) for employees working remotely. Remote employees typically use VPNs and RDP to remotely access the systems they need on the network to perform their work, but these tools were never meant to manage remote employees across a range of devices. More modern technologies exist that are designed for better security.
- Thinking a firewall is all you need. A firewall often gives companies a false sense of security. And now that our perimeters have expanded and morphed, a firewall doesn’t solve security problems, especially if hackers are getting more creative with phishing techniques. The weakest links are usually employees, and most compromises are caused by a simple error, such as an employee clicking on a harmful link, saving or downloading a malicious file, using a weak password, or forwarding something.
- Skipping backup. While it may seem like a no-brainer, many organizations often overlook this step. A frequent backup strategy is essential, especially to protect financial data, intellectual property, source code, email. As organizations define a backup strategy to protect their data, it’s best to start with securing mission critical data first. Backup plans may involve cloud-based backup services or offsite storage. A third-party backup application can help simplify and automate the process.
- Forgetting patches. This step often gets skipped. Security updates and patches are a part of daily technology life. It’s important to regularly patch and update everything: operating systems, applications, firmware, devices.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
Investment. Most organizations do not have dedicated security personnel, and often, they hire multiple IT personnel and hope each can dedicate part of their time to security. Security is a full-time job and budgets should be carved out to have the needed knowledge, whether in-house or by engaging with a security consulting firm.
Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)
- Train yourself and your employees; furthermore, test them. I can’t emphasize enough that humans are the weakest link in cybersecurity. NordPass reports that the most commonly used password, with a count over 103 million, is “123456”, which takes less than a second to crack. A combination of frequent employee training and strong security practices, such as single sign-on and two-factor authentication, can go a long way.
- Undergo a thorough risk assessment. Hire specially trained third-party experts to conduct them. I have often seen that people are not 100% with their own assessments.
- Design and test your backup, Disaster Recovery, Business Continuity, and Incident Response Procedures from the result of the assessment.
- Red/Blue/Purple team exercises to test your strength and procedures. Writing a procedure is similar to writing a movie script. It’s nearly impossible to be perfect on paper; you need to run through the plan and put it into action. My security motto is: There is no best, only better. Repeat the testing and improve the procedures.
- Stay current with cyber news — subscribe to newsletters, check Twitter and forums — you will be surprised what you can learn.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be?
I spend my days immersed in technology and cybersecurity, so I know what people and innovation are capable of. Yet, there are close to 900 million people today who do not have access to safe drinking water. If I could inspire a movement, it would be to take a step back and focus our collective energy toward finding solutions to solvable issues that prevent equal access to life-sustaining resources — not only for people, but also for animals.
How can our readers further follow your work online?
The best way is to follow Splashtop on LinkedIn, Twitter and Facebook.
https://www.linkedin.com/company/splashtop
https://www.facebook.com/Splashtop
This was very inspiring and informative. Thank you so much for the time you spent with this interview!