The Next Frontier in Terror: Cyber & The Case for Compliance Education to Mitigate Risky User Behaviors
An MLAW Paper Written the Day WannaCry Swept the Globe May 12, 2017
DISCLAIMER: Originally published 5/12/17. This article was adapted from an MLAW paper. No part of this should be considered investment, legal, financial, or any other type of advice. It is offered for informational purposes only. If you have legal questions, please consult an attorney. ***One section marked was updated December 2019, to clarify the critical nature of timely & consistent patch application policy as denoted in the Congressional Reports post the Equifax investigation.
Cybersecurity? Just Smile & Wave
When I speak with respect to cybersecurity and compare it to a Public Health Epidemic, most people’s eyes slowly glaze over as they look at me and nod, others smile and wave, a la Madagascar Penguins. To explore the need for cyber education, first, we discuss a cyber attack that is unfolding in realtime today; then, we discuss the importance of engaging education and highlight a cast of risky characters. We continue by examining the motivations of hackers and terrorists alike, examine ‘Wannacry,’ and finally, I pose questions on remedy and redress, which parallel best practices in education. Modeling off same could easily be applied to fuel cyber knowledge and value retention.
Ransomware: A Paralyzing Paradox
What is Cybersecurity and how does it relate to ransomware? Why is it the next public health epidemic, and most importantly why should you care? Before delving into the latest ransomware attack, which inspired this paper, the importance of a proper cybersecurity protocol must be established and understood within the larger context of terrorism and the thematic motivations of such.
One way to examine cybersecurity is via a public health approach as it relates to violence, as these same 4 basic steps of violence prevention can easily be adapted for an organizations’s overall cyber health.  As defined by cybersecurity expert, Kaspersky, Ransomware is defined as predatory software whose chief objective is extortion via coercing the victim to pay to un-encrypt a target’s data, hard drive, other files, or restore access privileges.  For those who find this difficult to conceptualize, Malware Bytes, another industry leader, walks through the process in a highly informative video illustrating the devastation of each file being independently encrypted.
Engagement & Education: Building Awareness
A daunting challenge, but where to start? The first step on the journey to compliance is education to foster awareness. Comprehensive education on the prevalence, vectors, and risk to which concerted efforts utilizing best practices for prevention in cybersecurity creates a foundation where value can be hardwired into every employee to invoke a widespread culture of adoption/compliance. See also We Scare Because We Care. A paramount feat to say the least, given that cyber engagement can be difficult due to its abstract nature and plethora of misrepresented, ‘understandings.’
Abstractness Fuels Extraction
The cyber world is difficult to conceptualize much less analyze for most people. The abstract nature allows for myths of cybersecurity to spread like the hottest Hollywood gossip.  With data breach in any respect, including the realm of ransomware followed by the inevitable reputation risk, which subsequently follows, the potential damages to any organization targeted are difficult to misunderstand.  However, shockingly many still have not internalized the well known, ‘it is not if, but when,’ mantra of the cybersecurity community, but rather favor the childhood defense, ‘not me.’  Therefore, in order to change this fundamental misnomer, we must educate, and just as in any education initiative, in order to properly educate, a thorough assessment of current practices and proficiencies a thorough risk assessment must be conducted. 
Risky Behaviors: Superstition Pigeon Holes & Confounds
One issue in any technology compliance initiative centers upon changing the superstitious beliefs of users. Even well-meaning users may not easily see their risky behaviors. Misinformation, myths, and irrational ‘understandings’ through the heuristics of their negative experiences only reinforce these superstitious users’ beliefs or cognitive biases. At its most fundamental, these behaviors are akin to B.F. Skinner’s pigeon.  The article in industry publication TechRepublic by Jamie Henriquez, a tech veteran with extensive IT experience, 10 Habits of Superstitious Users, humorously illustrates some key ‘risky users’ who must be remediated. However, to make this a bit more relatable, I offer a twist on his personifications by re-naming these stereotypic individuals as exaggerated storybook characters, built to engage, given that cybersecurity can be a less than engaging topic if it is not presented properly.   Along the same lines, below is a video that also sheds light on computer literacy, these are behaviors that most people have committed and do not even realize the irrationality thereof; I practiced a few myself prior to taking this Cybersecurity course. See Teaching Computers to Parents-Foil and Hog (1:00), which references the, ‘Nigerian Prince,’ and phishing a key tactic in ransomware attacks.  Tools such as this provide the meat per se of any training session to be engaging. Please note the suggested opening, ‘hook,’ was described in my other article, We Scare Because We Care. This first article sets the stage for cyber to be laden with value through extreme engagement. 
A Cast of Characters to be Mitigated
Risky employees? Yes, this may seem shocking given the ample screening that every company completes throughout their hiring process. However, these angelic creatures work among us, and if you look in the mirror, you may even be one, two, or more. This phenomenon is understandable given the abstract nature of technology and the ubiquitous misunderstandings, the only remedy thereof is education beginning with awareness. Henriquez begins by describing how some users address technology as a whole noting,
“For some users, the computer is unfathomable — leading them to make bizarre assumptions about technology and the effect of their own actions. Here are a few irrational beliefs such users develop.” 
The Magical Thinker of Unicorn-topia:
“..the users who have memorized the formula for getting the computer to do what they want but have no clue how it works. As in magic, as long as you get the incantation exactly right, the result ‘just happens.’ The unforgiving nature of computer commands tends to feed this belief. The user whose long-running struggle to connect to the Web is resolved by, ‘Oh, here’s your problem, you left out the colon…’ is a prime candidate to develop this superstition.
This user can be unaware of their technology surroundings and is a prime candidate for a phishing attack where font characters can be easily concealed or domains redirected in an effort to extract data or provide an entrance into the organization.
The Worry Wort With Update Avoidance
“Exercising caution when it comes to upgrades is a good idea. But some users go well beyond that, into the realm of the irrational. It may take only one or two bad experiences. In particular, if an upgrade causes problems that don’t seem to be related to the upgrade itself, this can lead to a superstitious fear of change because it confirms their belief that they have no idea how the computer really works — and therefore no chance of correctly judging whether an upgrade is worth it or just asking for trouble. Better to stay away from any change at all…” 
As we all know from Equifax and the multitude of references to patches within both the House and Senate reports, timely and consistent patch application is imperative to a proper cyber protocol. In many cases this application requires the user to accept the restart/reboot and update. Those Worry Worts with Update Avoidance offer an engraved invitation to bad actors and malware that exploits same. (This section was updated December 2019, to clarify the critical nature of timely & consistent patch application policy as denoted in the Congressional Reports post the Equifax investigation.) 
The Button Slammer & Cult-type Loyal Pop-Up Follower AKA: But it made me
“They treat the computer like a recalcitrant child who just isn’t paying attention or doesn’t believe they really mean it. Users may get the impression that this superstition is justified because the computer sometimes does seem to be ignoring them — when it fails to execute a double-click because they twitched the mouse or when they have inadvertently dropped out of input mode.” 
Other phrases from this Pop-Up Follower are:
“There’s something wrong with the company server.”
“What makes you think that?” “Because, when I try to log in, it says server not found.”
“Why did you click on that pop-up? It said I had a virus and I must immediately.”
Furthermore, as evidenced in my article Cyber MO, any initiative or cultural change needs comprehensive buy-in that likely comes from creating personal value, which likely stems from education in one form or another. However, the value proposition in cyber is only realized if the content is engaging and internalized. Once value is established, compliance will increase because it is a given. Your compliance department now is on its way to creating a culture or basic expectation of proper cyber compliance.
As WannaCry continues to unfold, the points herein are driven home. In other words, most employees did not wake up on Friday, and say,
“Well, today, our cybersecurity will be tested, so I need to make sure I backed up and encrypted those uber-important files and Personally Identifiable Information (PII)/Personal Medical Information (PMI) of clients.”
Likely, most also had not even pondered if the millionth security patch released was applied appropriately. Yet, it is also highly probable that these behaviors offered malware a portal into destroy. While it can be one act, it is more the culmination of a lax compliance culture that allowed the vector.  Before we turn to the serious and disturbed motivations, here is another video that can be used to engage and offer perspective on where learners of all walks, whether employees, peers, or colleagues, are in their journey of cyber education and awareness.
Solution: Just Add Value
After a brief review of some key problematic behaviors, we turn the discussion to defining terrorism, then, we link this understanding to cyber behaviors through the lens of how to achieve mitigation via education. In short, how can we change these risky behaviors and the accompanying potential damages in in the most efficient manner? One way is to use the educational philosophy and, ‘just add value.’ Offering value is correlated with behavior change and a culture of compliance.
Motivations: Ransomware Parallels Terrorism
Many times cyber attacks are executed as an act of Terrorism, as the objectives are the same, i.e., to invoke random fear and watch the chaos and collateral damage. To better understand, we turn to a brief overview on the history of terrorism, then link this to ransomware further highlighting the need for proper education.
Enter Terrorism: Driving Value of Cyber Education
Cybersecurity warfare can only be fought with comprehensive compliance initiatives utilizing both efficacy and sound policy surrounding risk analysis. The above-outlined miseducation gains even more traction when added with education on the motivating factors of terror. According to Margie Britz, renowned cybersecurity expert and author of Computer Forensics and Cybercrime: An Introduction,
“…terrorists are motivated by a strong desire to invoke fear, chaos, or massive disruption on a population. However, despite the longevity, there are multiple definitions that throughout history, still have evolved little clarity.”
Terrorism: A Brief History
The word terrorist traces back prior to the French Revolution. Yet, there is no all-encompassing definition, rather there are many different iterations of same. As the etymology suggests, terror or fear is inherent to the terrorist’s actions. Besides fear, the state of terrorism is precipitated by an unjustified, random, opportunistic, or symbolic event, which serves as a warning. If the mechanism is coercive, disruptive, or intimidating, it fits the rudimentary definition. Id.
The act itself is merely the message. The goal is the intense psychological manipulation and damage, which ensues in the aftermath. There are several basic elements that comprise all acts of terror: Transmitter, Recipient, Target, and Message. However the end goal and motivation are the distinguishing subtleties. It is important to understand that the message is not the goal, the goal is the impact on the audience that witnesses the carnage, which ensues and the lasting psychological terror and fear, hence the name. Since the motivation is both willful and malicious, experts categorize terrorism via the motivation that drives the act of terror rather than the act itself. Below are examples of terrorist categorization and a summary of the defining characteristics. Id.
- Individual: (Uni-Bomber) Individually motivated terrorists act alone and have a general dysphoria with society at large. This motivation is characterized by a narcissistic view of the terrorist achieving fame and notoriety or becoming the chosen one to ‘right the wrongs of society.’ Id.
- Nationalistic: (Irish Republican Army) Nationalistically motivated terrorists share the vision of rising against the collectively oppressed society. These groups have greater longevity. Id.
- Political-Social: (Animal Farm) Political-Social motivation is evidenced in Animal Farm, which is a satire that depicts the rise of the Soviet Union leadership of the Russian Revolution. Animal Farm is a good example that illustrates the cycle of power as this type’s motivation predominantly concerns uprising against those in power. Id.
- Religious: (Jihad/ISIS) Religiously motivated terrorists are both the most prevalent and dangerous type. Like the individually motivated terrorist, they also believe they are chosen. However, unlike the former, the religiously motivated terrorist acts to become a martyr. They create their terror in the name of their leader for the collective ‘good’ and as an offering to their deity. While ISIS has executed multiple assaults, previous to our class, I had not realized that ISIS also targets individuals.  For example, on April 28, 2016,
“ISIS-linked hackers have targeted about 3,000 ordinary New Yorkers in a cyberattack, posting their personal information online and announcing, ‘We want them #Dead,’ the I-Team has learned.
One of the victims …[an 88 year-old] …spoke with the I-Team exclusively Thursday, telling of how the FBI visited and told him that his name was on the list posted Sunday on the private channel of a pro-ISIS group called the United Cyber Caliphate.” Id.
- Environmental: (Animal Liberation Front) This group takes protecting nature to an extreme through arson and other methods to disrupt those whom they feel are impeding environmental initiatives. 
‘Wannacry’ & the Terrorist Disruption of a Global Society:
Given the goal of terrorism is to disrupt and cause intense chaos while doing so in order to make the message ring clear, ransomware fits the bill. This became increasingly clear as I watched WannaCry sweep through throughout the globe today. Healthcare entities were likely attacked as they tend to have outdated security, and hold a great deal of PII and PMI. The disruption of these legacy systems can be life and death in some cases, and given the sensitivity of same, this is data that must be restored.  These facts are also echoed in the article, World Hospitals Across England Report IT Failure Amid Major Cyber Attack. The article highlights that many hospitals have outdated security and the malicious software works by exploiting a flaw in Microsoft software that was described in NSA documents stolen from the agency and leaked publicly by a criminal group called Shadow Brokers. Id.
“Microsoft released a patch fixing the flaw, but it was apparently applied inconsistently, with many computers continuing to be unprotected. The malicious software — called ‘ransomware’ because it encrypts systems and threatens to destroy data if a ransom is not paid — is spreading among computers that have not been patched, experts said.
‘The most exploitable industry in the world is the health-care sector,’ said Tom Kellerman, chief executive of Strategic Cyber Ventures. He said the industry is chronically hobbled by regulation and insufficient investment in computer security.” Id.
Many Questions Surround the Ransom in Ransomware
Many bad actors demand payment in Bitcoin. Since one of the only ways to pay the ransom is Bitcoin, what if the victim/company does not have a Bitcoin Account? What if the account cannot be created in time? What happens to the data? Will it be intact? It has been breached, where does that leave the consumer and their coordinating privacy rights?
Limited Resources & Prioritization
Moreover, despite skyrocketing health care costs, IT infrastructure is not the first place that this new “Fee for Value” industry, which evolved from the “Fee for Service” model of care eagerly invests. Again, where are we as consumers left? With the Affordable Care Act (ACA) on the fiscal chopping block, which would stop access to care for so many, ultimately, how safe is our PII/PMI? .
“The ransomware, called ‘WannaCry,’ locks down all the files on an infected computer and asks the computer’s administrator to pay in order to regain control of them. Researchers say it is spreading through a Microsoft Windows exploit called ‘EternalBlue,’ which Microsoft released a patch for in March.
A hacking group leaked the exploit in a trove of other NSA spy tools last month. ‘Affected machines have six hours to pay up and every few hours the ransom goes up,’ said Kurt Baumgartner, the principal security researcher at Kaspersky Lab. ‘Most folks that have paid up appear to have paid the initial $300 in the first few hours.’ Sixteen National Health Service (NHS) organizations in the UK have been hit, and some of those hospitals have canceled outpatient appointments and told people to avoid emergency departments if possible. Spanish telecom company Telefónica was also hit with the ransomware.” Id.
Disrupting attacks are everywhere, but why are they so popular? The answer is in the albeit, satanic butterfly effect of terrorism and its catastrophic aftermath. You simply do not know what data will be unleashed, where the breach will go, what it will cost to the global economy, nor who will be hit next. This roulette wheel of terror is the goal. Cybersecurity is emerging quickly and evolving at exponential rates. Catching these bad actors is one of the most difficult tasks. From outdated machines to unused/incorrectly applied patches, and low encryption standards, everyone is at risk.
Day in the Life, AKA Anatomy of an Attack: Not All Hackers Are Coders
A chilling video that illustrates how the stereotypical, ‘hacker,’ is not what you think. Ransomware moves markets, crushes careers, and terrorizes employees and consumers alike. The following video walks through the mind of a Social Engineer, highlighting how they use the sales team to gain intel to create the perfect Trojan Horse. 
Closing Thoughts: Gravity & Realtime Remedy & Redress
Every hack brings a pang of fear, as I can scarcely remember my own passwords. I readily rely on ‘Have I Been Pwnd’ to monitor whether my email was breached.  However, malware, ransomware, and Denial of Service (DOS)/Distributed Denial of Service (DDoS) are everywhere. The only way to combat these vulnerabilities are through comprehensive Cybersecurity and Data Privacy Awareness, plus a thorough Risk Mitigation Plan including engaging education. While I have not seen any research to this end to date, it would seem that using educational philosophy and the critical window of value after a fake attack, would be the perfect time for a customized tutorial to pop up and educate on what that person failed to see.
Yet, when I speak to many Chief Security Officers (CSOs) or the like, they cite that the only thing that happens when a phishing test is failed is that an email is sent to the employee’s supervisor & IT. I argue that this is not a cogent way to incentivize a culture of compliance. It is akin to a punishment with no opportunity for realtime remedy and redress. While the discussion today centered on ransomware, cyber education includes, but is not limited to phishing, malware, the critical nature of timely updates, spoofing, spear phishing, whaling, & the ‘Internet of Things’ including security surrounding Bring Your Own Device (BYOD). A video of the latter can be found here.
These criminals are crafty and not all are motivated through financial means. Watching the above videos sends shivers down my spine. What is the cost of a breach to a company, an individual, a population? Where does that information lead? One never knows; that is the crux of the attack, sheer terror. From (PII) to (PMI), the ramifications of a breach are difficult to actually comprehend. Currently, the best advice now: update, encrypt, and backup early & often. Everyone should have auto-updates enabled. You never know who is sitting at the coffee shop next to you, if they are compliant with updates, or what public health risk (in Cybersecurity) they pose. It may sound a bit dramatic, but Cybersecurity has been compared to the dangers of Unprotected Sex. Since the new threat to Cybersecurity is spreading, we must be proactive and encourage compliance at every step.
 Britz, Marjie. (2004). Computer Forensics and Cyber Crime: An Introduction (2nd Edition); see also https://www.researchgate.net/publication/234830648_Computer_Forensics_and_Cyber_Crime_An_Introduction_2nd_Edition/citation/download