Repelling A Ransomware Attack: Mark Kirstein of Cosant Cyber Security On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

Authority Magazine · Published Jan 9, 2022 · 16 min read


Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?

In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Mark Kirstein, Vice President of Customer Success at Cosant Cyber Security.

Mark is vice president of customer success for Cosant Cyber Security. In this role, he leads Cosant’s efforts to help clients plan and implement cyber security plans to protect their company and stakeholders.

Mark has a unique combination of technical and business experience, backed up with BSEE and MBA degrees. He has held roles in CEO, sales & marketing, research and computer design positions for both corporate and startup-level companies. Mark is a Certified Information Systems Security Professional (CISSP).

After starting his career designing computers and computer chips for aerospace applications, Mark shifted to become a technology analyst at a semiconductor research company in Scottsdale, Arizona. He covered a broad range of topics, from semiconductors and networking to mobile phones and SaaS applications. Ultimately, Mark rose to CEO of the company, led a management buyout and subsequently a sale of the company. After technology executive sales roles, Mark joined Cosant Cyber Security to help small and medium businesses implement structured information security programs. This position gives Mark visibility into dozens of organizations and often a front-row seat to security breaches ranging from ransomware to business email compromise.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Growing up in Anaheim, California, before it was more broadly known, I often told people I grew up in Disneyland. That wasn’t far from the truth since I’ve likely been to Disneyland over 1000 times, often as part of my high school marching band.

College was hard-core techy stuff, getting a BSEE in Computer Design from Cal Poly University. I started my career designing a computer for an experimental satellite, and then designing computer chips for the Boeing 777 Avionics Information Management System.

I found myself more interested in the business of technology than the technology itself. This led to being a technology and market analyst for emerging technologies, helping enterprise-level companies plan their market development strategies. I worked on technologies such as USB, Bluetooth, 3D graphics and Wi-Fi years before any of these technologies emerged to support products in the market. Within 2 years at my market research company, I was in a closed-door meeting with Andy Grove, CEO of Intel, with no more than a dozen of my analyst peers.

As a successful analyst, I was promoted until I ultimately became the CEO of the market research company, In-Stat. I led a management buyout of the company to take it private, and then subsequently sold the company.

Post-acquisition, I transitioned into a sales consultant role for technology companies. Among my clients was Cosant Cyber Security. The opportunity to help companies address cyber security was so compelling, I joined the startup shortly after, and have been VP of Customer Success since 2019.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

What inspired me initially was the amazing growth and demand for help addressing cyber security risks. In addition, my exposure to Cosant helped me bridge my technology roots with my executive leadership and customer-facing skills. I went “back to my roots”, in many respects. My background gave me both the experience and knowledge to quickly secure the CISSP, which is often regarded as a CISO-level certification in security.

Once in cyber security, you’re quickly faced with an altruistic reality. I had insider insight into a company that was defrauded into wiring nearly $800,000 to an overseas account (they became a customer). A lady who owned a piano teaching business was taken for $20,000, a tremendous amount of money for her small business. I helped her pro bono.

Incidents like these motivate me to continue helping companies secure their businesses and reduce risk to their stakeholders.

Can you share the most interesting story that happened to you since you began this fascinating career?

A larger client of ours, which has a relatively mature infosec program, had a software vendor who was captured by ransomware. Our client had already identified the supplier as high risk and implemented compensating controls. When the supplier was hit by ransomware, our client’s Incident Response plan kicked in and we managed the incident with barely a speed bump. Unfortunately, the 20-year-old, 50-person software supplier was out of business within days of the ransomware event.

While it’s tragic what happened to the small software company, we were delighted and proud of how our direct client navigated the incident.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

The first is confidence and positive outlook. Shifting from a deep technology education in electrical/computer engineering to a technology market analyst was an enormous leap of faith. I convinced the hiring CEO that since I understood semiconductors at an engineering level, I’d make a good analyst. I felt an enormous level of “imposter syndrome”. But it worked. I had to quickly learn to write and communicate effectively (not common traits for engineers). I quickly developed a confidence (and a bit of naivete) that “if I make the product that I’m responsible for successful, I’d ultimately see the reward.” My naïve confidence was rewarded. My product grew, and I was promoted, and given 3 products (and management of the people producing them). I led these products to growth, and kept getting promoted. Among the key success drivers: I figured out email marketing and e-commerce earlier than most, in about 1997. What started as a $300K revenue stream (we were a small company) grew to nearly $5M in under 2 years.

The second character trait is determination. I tested and delivered determination with the management buyout I referenced above. My market research company was a subsidiary of an enormous, multi-billion-dollar global publishing company. The broad US publishing business was facing a transition to digital advertising and seeing legacy revenues shift rapidly to Google and other digital entities. After years of aggressively addressing this transition, the publishing company decided to divest nearly all their US properties, In-Stat included. However, when they couldn’t find a buyer for my market research company, I was faced with either a shutdown or a risky management buyout. I chose the latter. I secured financial backing, secured buy-in from employees and our corporate ownership, and negotiated all of the transaction details. We closed the deal two days before the parent company pulled the plug on more than a dozen US businesses, and thousands of employees. We were saved for the moment, but had a short window to establish 100% autonomy, secure all customer relationships and sustain profitability. Determination and fearlessness (at least externally) were the vital traits that led to success.

The third character success trait is commitment to personal growth. I had already demonstrated personal growth moving from a technology-centric engineer to a business manager and leader. However, I didn’t realize how much growth I could still achieve in interpersonal and communication skills. My time as a sales trainer at Sandler Training taught me the system and process behind observing, understanding and motivating people at an entirely new level. It required tremendous humility and behavior change to apply the underlying psychology and skillset. And it set the stage for my entry into Cosant and a customer-facing role helping new clients.

These three traits combined have been vital to my growth and success as a business leader and consultant for dozens of companies relying on Cosant to help them become more cyber secure.

Are you working on any exciting new projects now? How do you think that will help people?

We’re working on so many exciting projects, it can be difficult to isolate just one. However, I’ll single out one specific client/project as an example. We’re helping a very advanced artificial intelligence (AI) Software as a Service (SaaS) company achieve both security and compliance. They have enormous opportunity across a broad range of industries. Among them are dozens of applications within the Department of Defense. Their amazing AI software is in high demand, but to engage the enterprise-level clients, and DoD clients, they need CMMC certification and FedRAMP. We’re leading the infosec program that will enable the company to achieve revenue in the millions, tens of millions or more. It’s so exciting to be an enabler of ground-breaking technology, while also helping to ensure both the intellectual property and business operations are protected from cyber threats.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

It seems perhaps redundant with some of my stories above, but in summary, I have a computer engineering degree from a top university, and decades of technology consulting and leadership. My direct experience with security included working on networking, Internet and SaaS technologies, as well as video surveillance, watermarking and digital rights management. This experience and education enabled my achievement of CISSP certification, and ultimately working with dozens of companies to implement their information security programs.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

What’s commonly called a ransomware attack is the end result of several potential vulnerabilities. There are dozens of specific vulnerabilities that a bad actor can take to exploit these vulnerabilities. Without getting into the specific tools or vulnerabilities, the big categories include the following:

  • Exploiting unsecured ports or connections. For example, a recent analysis by Threatpost identified that unsecured Microsoft Remote Desktop Protocol (RDP) connections accounted for over half of the ransomware attacks they analyzed.
  • Email phishing is among the top exploitations as well.
  • Software vulnerabilities (i.e., unpatched software) are a continuing threat, where we find a never-ending stream of vulnerabilities that are discovered and then exploited.
  • Lastly, and perhaps the most simple: bad or reused passwords. By the way, “Football123” is NOT a good password.

Once the bad guys have found a path into your system or software, their next step is to elevate privileges and encrypt the data for a ransom demand.

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

The first thing to consider for this question is that most ransomware attacks are not specifically targeting you as either a business or a private individual. Unless you are a large enterprise, or have particularly sensitive or valuable data, such as a defense contractor, the bad guys are unlikely to TARGET you.

Most successful attacks are more like fishing with a net than hunting with a rifle. The bad actors, many of whom are sophisticated operations and not random hackers, are casting a wide net. They’re sending phishing emails hoping the untrained employee will click. They’re scanning hundreds or thousands of networks with a specific exploit hoping to find a vulnerability. Given the odds and low likelihood of businesses actively protecting themselves, they “catch” a lot of fish in the net. Then they only have to decide if ransoming you is worth their time, and how much ransom to ask for.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

So much of the response to a cyber security incident is specific to the particular company. However, I’ll generalize as much as possible. We advise our clients that the first call should go to your attorney. Ideally, you’ve already talked to your business attorney and asked about their capabilities in cyber security. More than likely, they’ll refer you to an attorney that specializes in cyber security and ransomware. You want to have this referral in your hands ahead of time, as when you’re responding to a live incident, timeliness is critical.

More broadly, all businesses need to develop an incident response plan in advance. If you wait for an incident, you’re going to make mistakes and waste time. In your incident response plan, you’ll line out exactly who to call and in what order.

We advise calling your attorney first because there are many legal, regulatory, notification, liability and timing considerations. You also have to consider forensics, and it’s easy to make mistakes. Quickly after consulting your attorney, you’ll likely be calling your cyber insurance company. They have great resources and experience navigating live incidents.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

There are certainly important things to do in a ransomware incident. As noted above, the Incident Response plan lays out each step. Typically, the topline things to do are:

  1. Contain the event. You have to make sure that the compromise and impact is halted at whatever stage possible.
  2. Diagnose. You have to understand the compromise and be careful not to make things worse (shutting down systems may result in data being rendered unrecoverable). You also want to consider forensics and not destroy evidence. Your IT infrastructure is a crime scene.
  3. Recover. We need to close the vulnerability, then restore systems. This may be paying the ransom, rebuilding servers, and restoring data from backups (if you have them).

Should a victim pay the ransom? Please explain what you mean with an example or story.

There’s no simple or easy answer to this one. Many in law enforcement will advise to never pay ransom, as it encourages more ransomware (broadly). However, if it’s your business at stake, you have more tactical concerns.

In addition, if the bad actor is a nation state, it may be illegal to pay the ransom. After all, much of the ransomware payments may be supporting rogue states, or terrorism. There are federal laws governing financial support to them, even in the case of ransomware.

Beyond the thoughts above, it’s important to analyze your exposure and liability. Security professionals categorize risks into three categories: Confidentiality, Integrity, and Availability.

Confidentiality is key for personally identifiable information (PII), personal health information (PHI), intellectual property (IP) and more. Even if you have restorable backups and don’t pay the ransom, the confidentiality is lost. And both PII and PHI have legal and liability issues.

Integrity goes to whether you can rely on the validity of the data, even if recovered. Financial and health data can be permanently compromised by integrity uncertainty.

Availability is about your ability to continue operating your business. If your data or infrastructure is locked up, your services and products may no longer be operational. You may not be able to make payroll, or pay suppliers. If you’ve done a business continuity plan, you’ve likely identified the critical business functions for your organization, and identified how long you can survive without them. Then you’ve built your infrastructure to ensure resilience within these parameters. Functional backups are key, particularly if availability is the primary concern.

As an example of these, I point to the story I used above about the 50-person software company that went out of business within days as a result of a ransomware attack. They clearly did not have the resilience required, and didn’t plan ahead. Their principal concern would likely be availability, since their data was not particularly sensitive for PII, PHI, or other reasons. Integrity was likely non-critical as well. However, availability was critical to our client, and therefore critical to the software supplier. Their maximum tolerable downtime was obviously less than 3 days, since they were compromised on a Saturday and out of business by Tuesday. They didn’t even have the chance to evaluate whether to pay the ransom. The downtime, resulting in their customers isolating themselves from them, was too severe to recover from.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The number one mistake is easy. It’s denial. They think it won’t happen to them, so they don’t adequately prepare. In an analogy, we compare cyber security to a house. Far too many businesses don’t even lock the doors. Forget about motion or infrared sensors or even remote monitoring, the door isn’t even locked, and neither are the windows.

The top “5 things you need to do…” noted below are only the basics of “locking the doors”. These include bad passwords, unpatched software, and clicking on nefarious links.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

There are actually many, many resources available from the government to help secure your environment. The National Institute of Standards and Technology (NIST) publishes a lot of valuable information. The Cybersecurity and Infrastructure Security Agency (CISA) also has volumes of information and resources, and is getting more as major cyber-attacks have galvanized lawmakers. Perhaps more publicity aimed at smaller businesses would be one additional recommendation.

However, the bigger responsibility falls on the business owners themselves. We can add “cyber security breach” to death and taxes. They are nearly certainties. Businesses need to prioritize basic preparedness. Either use the available resources from NIST or CISA (it will take effort on a do-it-yourself basis), or contract with someone who can help them, like their managed service provider or security consultant. The basics aren’t hard, and at least get the doors locked.

Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)

Here’s my top 5. There are more, but these are the absolute minimum.

1. Use complex, unique passwords. Despite years of warnings from experts about simple passwords, or re-using passwords, this is still one of the most common vulnerabilities. How do we know? Two simple examples.

First, we can easily run dark web scans for our clients based on their URL. What do we see? Unencrypted passwords uploaded from dozens of publicized breaches. This is not the user who exposed their password, but some company/site they use that was compromised, and then the data published to the dark web. We see “Football123”, and any number of similar, simple passwords. More important in this case is the user may have the same password for multiple sites. The bad actors routinely grab these public passwords from the dark web and then try them on your bank account. If you reused your password, you’re compromised.

Another example is much more significant. The SolarWinds compromise that garnered so much attention and has ramifications far broader than we have time for here, was reportedly traced back to a simple, bad password: “solarwinds123”. With today’s computing power readily available, any simple password can be “guessed”.

Sub-recommendation here: Use a password manager, like LastPass or Keeper. They have exceptionally strong encryption and will generate strong, unique passwords. Then you need to protect your password manager password carefully, and turn on Multi-factor Authentication.
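The two checks described in point 1 (spotting "Football123"-style passwords that turn up in breach dumps, and spotting the same password reused across sites) can be run against a password-manager export. The script below is an added example written for this article, not a tool from Cosant or from any password manager; the breach list and the vault contents are constructed sample data, and the `.example` domains are placeholders. It compares SHA-256 hashes rather than clear-text passwords so the breach list never has to sit in memory as plaintext beside the vault.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a breach corpus of the kind a dark web scan returns.
# "Football123" and "solarwinds123" are the two passwords the interview names;
# the other two are invented for this example.
KNOWN_BREACHED = {"Football123", "solarwinds123", "Password1", "Welcome2022"}


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Hash the breach list once; every later comparison is hash-to-hash.
BREACHED_HASHES = {sha256_hex(p) for p in KNOWN_BREACHED}

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_issues(password: str) -> list[str]:
    """Return the reasons one password is weak; an empty list means it passed."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if sum(bool(re.search(c, password)) for c in CHAR_CLASSES) < 3:
        issues.append("fewer than 3 character classes")
    # The "Football123" shape: one dictionary-style word followed by a few digits.
    if re.fullmatch(r"[A-Za-z]{3,}\d{1,4}", password):
        issues.append("word-plus-digits pattern")
    if sha256_hex(password) in BREACHED_HASHES:
        issues.append("appears in a published breach")
    return issues


def audit_vault(vault: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Audit (site, password) pairs such as a password-manager export.

    Returns {site: [issues]} for every site with at least one finding,
    including reuse of the same password on other sites in the vault."""
    sites_by_hash = defaultdict(list)
    for site, password in vault:
        sites_by_hash[sha256_hex(password)].append(site)

    report = {}
    for site, password in vault:
        issues = password_issues(password)
        shared = [s for s in sites_by_hash[sha256_hex(password)] if s != site]
        if shared:
            issues.append("reused on: " + ", ".join(shared))
        if issues:
            report[site] = issues
    return report


# Constructed sample vault; the site names are placeholders.
SAMPLE_VAULT = [
    ("bank.example", "Football123"),
    ("mail.example", "Football123"),
    ("vpn.example", "solarwinds123"),
    ("shop.example", "9#kQv!2zLm8$Wp4r"),
]

if __name__ == "__main__":
    for site, issues in audit_vault(SAMPLE_VAULT).items():
        print(f"{site}: {'; '.join(issues)}")
```

Run against the sample vault, the bank and mail entries are flagged for length, the word-plus-digits pattern, the breach match and reuse on each other; the VPN entry is flagged for too few character classes, the pattern and the breach match; the generated 16-character password passes. A real deployment would swap `KNOWN_BREACHED` for a proper breach feed and keep the export itself off disk once the audit is done.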

2. Turn on Multi-factor Authentication (MFA) on every single sensitive application you can.

MFA is pretty widespread at this point. When you have to use your password, and input a code from a text message, that’s MFA. Nearly every bank, financial institution and rigorous software application has MFA available. You just need to turn it on. Proprietary applications and infrastructures are a bit more complicated, but it’s nothing that your MSP can’t support easily. Tell them to. The examples above would both have been thwarted by MFA.

3. Reset your default passwords

All of your basic computing devices have a default password: routers, firewalls, etc. The bad guys already know what the default password is for each manufacturer’s devices. If you don’t reset your default password, you’ve left the door wide open.

Simple example here: We helped a small machine shop set up their first information security program. Prior to us helping them, they managed their own computers, Wi-Fi and local network. When we asked “did you change your default password on the router?”, they responded with “what’s that?”. There’s no shaming here. They are not in IT, and didn’t have a complex IT situation. On the other hand, the only thing that stopped them from being compromised and ransomwared is that no bad actor managed to stumble upon them.

4. Keep your software up to date. In other words, patch your software. There are thousands, probably millions of software programs available. Some are old. Many are very complex. People discover new vulnerabilities all the time. Once discovered, these are widely publicized among cyber security professionals, but also among bad actors. The bad actors quickly jump into gear to exploit the new vulnerability (assuming you’ll patch it soon). If you don’t keep your software patches up to date, you’re a sitting duck.

5. Last, but certainly not least. DON’T CLICK THE LINK! This one is all about security awareness and training. Phishing emails are sent out all the time. They are enticing and tricky. The safest option is to never click any link in an email. Sometimes that’s not possible. So, first recognize that no unsolicited email will ever REQUIRE you to click. Consider the source, and look at the URL. Second, even people and entities you know might be compromised themselves, and thus the integrity of the email is lost. Look carefully at the URL. Call the sender to verify. If it’s a company’s URL you recognize, go to the site yourself and navigate to the target. The main point: learn to be vigilant and careful.
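"Look carefully at the URL" is easier to teach with the specific tricks spelled out. The script below is an added example for this article, not a product or tool from Cosant, that takes the visible link text and the real `href` from an email and reports the classic mismatches: link text showing one domain while the link goes to another, a trusted name buried as a subdomain of a stranger's domain, a `user@host` prefix that hides the real host, a bare IP address instead of a company name, and a lookalike spelling of a trusted domain. The trusted-domain list and every sample link are constructed for the example (`cosant.com` is the one real domain on the page; the `.example` names are placeholders), and the "registrable domain" helper is a deliberate simplification that a real implementation would replace with a Public Suffix List lookup.

```python
import difflib
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the reader already trusts.
TRUSTED_DOMAINS = {"bank.example", "cosant.com"}

# Matches something that looks like a URL or hostname inside link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def registrable_domain(host: str) -> str:
    """Approximate the owning domain as the last two labels.
    Simplification: a real check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_warnings(display_text: str, href: str) -> list[str]:
    """Return the reasons a link deserves suspicion; empty means nothing found."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    if parsed.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parsed.scheme!r}")
    # https://bank.example@evil.example/ : everything before '@' is ignored by
    # the browser, so the real destination is whatever follows it.
    if parsed.username is not None:
        warnings.append(f"user@ before the host hides the real host {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a company name")
    except ValueError:
        pass

    target = registrable_domain(host)
    shown = DOMAIN_IN_TEXT.search(display_text.lower())
    if shown and registrable_domain(shown.group(1)) != target:
        warnings.append(f"text shows {shown.group(1)} but link goes to {host}")

    if target not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            # bank.example.secure-login.example: the trusted name is only a decoy
            # subdomain; the owner is secure-login.example.
            if trusted in host and not host.endswith(trusted):
                warnings.append(f"{trusted} appears inside {host} as a decoy")
            elif difflib.SequenceMatcher(None, target, trusted).ratio() >= 0.8:
                warnings.append(f"{target} looks like {trusted} (possible lookalike)")
    return warnings


def triage(links: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each href to its warnings so a mail filter or trainer can review them."""
    return {href: link_warnings(text, href) for text, href in links}


# Constructed sample links as they might appear in an email body.
SAMPLE_LINKS = [
    ("https://bank.example/login", "https://bank.example.secure-login.example/login"),
    ("Click here", "https://bank.example@evil.example/"),
    ("bank.example", "http://203.0.113.5/login"),
    ("Reset your password", "https://bamk.example/reset"),
    ("https://www.cosant.com", "https://www.cosant.com/"),
]

if __name__ == "__main__":
    for href, found in triage(SAMPLE_LINKS).items():
        print(href, "->", found or ["no findings"])
```

The only sample that comes back clean is the one whose visible text and real destination both resolve to the same trusted domain, which is exactly the "go to the site yourself" habit the answer recommends: when the text and the destination disagree, the text is the part an attacker controls for free.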

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Each of us should find someone to help each day. Don’t ask for, or expect, anything in return. Just help one person with your talents, experiences and resources.

How can our readers further follow your work online?

Connect or follow me on LinkedIn (https://www.linkedin.com/in/markkirstein/) or visit www.cosant.com.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
