Archives For ransomware

Assessment Interviews Based on Actual Events

(The Names Have Been Changed to Protect the Innocent)

A couple of weeks ago I wrote an article on the ASSESSMENT FRAMEWORK – how to construct great questions for assessment interviews. But my readers have asked for more…

Everyone Wants a List of Specific Questions, However…

You Really Don’t Want A List!!!

Even if you think you want a checklist of questions (for your prospect) on the front end of an assessment, you don’t. Why?…

  • You’ll sound scripted and canned – these meetings turn to BORING fast…
  • Your list can be handed in – the custodians can take it up the ladder for you… Then what?
  • You need face time with asset owners. Half the reason for doing the interview is to build a hunger for the findings, and establish yourself as the expert…
  • You’ll miss the most important things – the stuff that comes up in conversation.
  • The list will keep you from demonstrating creativity, enthusiasm, passion, etc.

And if none of that makes sense, just find a way to watch a high-end consultant in action…you can’t replicate consulting expertise with a list!

So, while I am not going to give you a list, I can give you some scenarios…

If you’ve not read my previous article on the Most Powerful Tools You Have To Assess (Your Questions/Interviews) this probably won’t make much sense, so go back and read it first…

Meeting with C-Level Asset Owners

The executive (Asset Owner) interview should be first (however, that’s not always possible). Let’s call him Al.

I scheduled my meeting with Al through an email introduction with my primary contact (the IT Director). I have to assume my contact is joining us. But my agenda is to talk only to Al.

I’ll keep this meeting so high-level that my technical contact will go to sleep halfway through. We’ve planned 20 minutes – 30 at the most. This guy does not have 60 minutes to spend with me on this. So I’d better be well prepared!

First 5 minutes – a quick overview of what we’re measuring.

We’re here to look at risk – kind of like a DR Business Impact Analysis, but more focused on data confidentiality, integrity, and availability. Our end result will come in the form of an impact vs. likelihood graph…A quick sketch helps at this point. (Learn more about building Impact vs. Likelihood Graphs in Chapter 13 of The House & the Cloud).

“Would you like to know what the odds are that your most important applications / data will be compromised, misused, or become unavailable at some point in the next 12 months?” – This is a great opening question…

Expect Al to be drooling a little – no one has ever asked this question from the provider side. Point it out on the graph – so he can see what you mean…this is not the Red, Yellow, Green light assessment…this is RISK ANALYSIS DONE RIGHT.

GATHERING DATA

Data Value – Things You Must Protect (Ideas for questions)

  • What applications are most important to this company…(I should know some of them by now, and listing them will help get us going. But I want Al’s opinion here).
  • What makes them so important – prioritize, and find out what value means.
  • For each asset (Application or database), find out whether the privacy/confidentiality, integrity, or availability is most important. Chances are it’s a combination, or all three, but try to discern the hot buttons. (This is gold! It’s what Al really cares about, and your recommendations should focus right on what Al gave you in these first few minutes).
  • What happens when each of these is hit by some unexpected disaster, like RANSOMWARE, or just downtime?
  • What about downtime? How much can each of these systems stand? What happens when this system is down? What about that system? Do you have to send people home, does your stock price go down, do you lose money? How much? What does downtime cost?
  • How much data can you afford to lose? What’s that going to cost you…etc.

Threats That Really Exist

  • Who would want this data – explore this…are you more concerned with internal misuse or outsider threats? Are there people who would want this data? Why? Or are you more likely to get hit with Ransomware for money?
  • What about internal issues – how would employees benefit from this data? Is there some way for them to leak information for profit, like insider trading? Can the data be sold easily? Or are there layoffs coming, encouraging people to gather data for their next opportunity? Or disgruntled employees who would take the company down?
  • Have you had issues in the past? What about other kinds of system disasters or failures?
  • Al, we need some information about your company – to better understand your risk equation. Are there mergers or acquisitions in the works? Layoffs? What about pending lawsuits? What do you think your competition would do to get their hands on your R&D? Is your company about to announce new projects or inventions that others would want intel on – and would break the law to get?

NOTE: in a recent CIO meeting with a major manufacturer, I asked the CIO if he thought his IT people would be able to answer any of these questions. He laughed, shaking his head, with an emphatic “No”. I could tell he wished they even cared to know, but he and I both knew the truth…they don’t know, they don’t care, and they never will…

Think of each question as a launch point for dialogue.

This is not a teaching time, it’s a listening time. Be sure to reflect back to Al along the way – make sure you understand what he has said, and that he knows you’re tracking with him.

Stick to your 30 minutes, unless he insists on pushing you over…Respect his time, knowing this guy has a million things to do, and 150 sales people calling every day.

Bottom line – leave while he still likes you.

The Likelihood You’ll Be Able to Detect and Respond Before It’s Too late

Don’t let them give you a round-about non-answer here. But the truth is, Al won’t know. The temptation will be to push this off on IT. They should know.

But the truth is, the CISO and CIO both need to know…so I’m not asking IT, I’m asking Al: “Do you know?” “Should you know?” Expect “No…” and “Yes, I do want to know.”

Moving To Power Users and Other Asset Owners

Plan on 30 minutes per person – have someone come with you to take some notes, or record this on your iPhone if possible…

In the early days I would have had an assistant writing shorthand – remember shorthand? Today, I use Dropvox…an app on my phone that downloads an MP3 to Dropbox.

Meeting with Power Users (the end-users who drive business with technology) will make even less sense to the end-user you’re meeting with, and maybe even to you, the sales person.

The thing is, end-users are the weak link. But understanding them and how they work will go a long way in understanding their weak areas.

Start the same way you did with the execs…figure you will need to talk with several managers and knowledge workers (those who really use the systems and data to make this business hum).

  • What applications and data are most important to your business?
  • Who would want this data – outside the company?
  • What happens when your systems are down, or you lose a day’s worth of data?

Find out if they’ve had downtime, data loss, etc. Who gets upset? What do these people do to keep going or to recover? You’re looking for the company view – like a gear falling out of your watch – how does it impact the entire business landscape?

Workflow / Data Lifecycle

Now for some line of business specifics…Bob the knowledge worker…

  • Bob, tell me about your job. Do you work at home, on the road, or always in this office?
  • Are you always using this laptop? Or do you use other computers from home, or perhaps a tablet or smartphone?
  • Do your family members use these same devices? (How, when, etc.)
  • Who else enters data, deletes data, or just accesses data on this application? Anyone outside the company? (I’m looking at the data – asset focused! I want to know who accesses this, from where, and for what.)
  • Who do you interact with online? Other departments, clients, suppliers, … and how – instant message, email, webinar, etc. And how do you exchange data? (I want to know how data travels – and where it goes.)
  • I also want to know who deletes data, when, and why – and what must be saved, archived, etc.
  • What happens if this data gets into the wrong hands – like the competition, or someone with ill intent, like an angry co-worker or ex-employee?

Heading Home To Meet My Consultants – The INTERVIEW w/ TECH

Most assessments start with technical people diving into systems and networks…big mistake.

Without understanding data value and data flow, it’s like checking out an electrical system without knowing the load requirements, environmental conditions, or uptime requirements.

Instead, do this…

  • Consolidate your data – data assets prioritized, workflow, relevant threats, impact issues…
  • Meet with your technical masterminds – Here’s what the company does, here’s what matters, here’s how they work…what would need to be true for this to be secure???
  • We are looking at three things: Confidentiality, Integrity, Availability. Your tech team needs to know which of these three matter most to the client…but they may also have their own opinions. For instance, the client may not have named RANSOMWARE as a major threat, but your tech team will surely bring it up!
  • Going through the systems piece by piece, your team’s job is to come up with the security controls that must be present to keep this company as secure as it needs to be – based on their data value, uptime requirements, data loss requirements, compliance, etc.

Once this is done, your team can head in, network diagrams in hand, to see how well this company measures up. Suddenly this assessment feels more like a Gap Analysis than Vulnerability Assessment. The good news: Gap Analysis is easy to report on … here’s what you said you need, here’s what you have, here’s the gap…
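Here is the consolidation step from the list above, and the impact vs. likelihood positioning from the executive interview, worked through in code. This is an added example, not David Stelzl’s own tooling; the control names in `CONTROLS_FOR_PRIORITY`, the team-added `TEAM_THREAT_CONTROLS` for ransomware, and `SAMPLE_ASSETS` are constructed stand-ins for what you would write down after the interviews. Each asset carries the owner’s CIA hot buttons, an impact and likelihood rating, and the controls the technical walk-through actually found; the report is the gap analysis the paragraph describes, ordered so the highest-risk asset is presented first.

```python
"""Impact vs. likelihood scoring and control gap analysis for assessment findings.

Added example, not David Stelzl's own tooling. CONTROLS_FOR_PRIORITY,
TEAM_THREAT_CONTROLS and SAMPLE_ASSETS are constructed stand-ins for the notes
you would consolidate after the interviews described in the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Controls each CIA "hot button" implies (constructed mapping; tailor it per engagement).
CONTROLS_FOR_PRIORITY: Dict[str, Set[str]] = {
    "confidentiality": {"mfa", "least_privilege", "encryption_at_rest", "dlp"},
    "integrity": {"change_control", "file_integrity_monitoring", "immutable_backups"},
    "availability": {"tested_restore", "immutable_backups", "endpoint_detection"},
}

# Threats the tech team adds even when the client never named them (constructed).
TEAM_THREAT_CONTROLS: Dict[str, Set[str]] = {
    "ransomware": {"endpoint_detection", "immutable_backups", "tested_restore", "email_filtering"},
}


@dataclass
class Asset:
    name: str
    priorities: List[str]          # CIA hot buttons from the asset-owner interview
    impact: int                    # 1-5: what downtime or data loss costs the business
    likelihood: int                # 1-5: how real the threats are for this asset
    present_controls: Set[str] = field(default_factory=set)  # found during the tech review

    def risk_score(self) -> int:
        """Position on the impact vs. likelihood graph, collapsed to one number."""
        return self.impact * self.likelihood

    def required_controls(self, team_threats=()) -> Set[str]:
        """What must be true for this asset to be as secure as it needs to be."""
        required: Set[str] = set()
        for priority in self.priorities:
            required |= CONTROLS_FOR_PRIORITY[priority]
        for threat in team_threats:
            required |= TEAM_THREAT_CONTROLS[threat]
        return required

    def gaps(self, team_threats=()) -> List[str]:
        """Here's what you need, here's what you have, here's the gap (sorted for stable reports)."""
        return sorted(self.required_controls(team_threats) - self.present_controls)


def quadrant(asset: Asset, threshold: int = 3) -> str:
    """Name the graph quadrant so the finding can be pointed out to the asset owner."""
    impact = "high impact" if asset.impact >= threshold else "low impact"
    likelihood = "high likelihood" if asset.likelihood >= threshold else "low likelihood"
    return f"{impact} / {likelihood}"


def gap_report(assets, team_threats=("ransomware",)):
    """Findings ordered by risk score, highest first, with each asset's control gaps."""
    report = [
        {
            "asset": a.name,
            "score": a.risk_score(),
            "quadrant": quadrant(a),
            "gaps": a.gaps(team_threats),
        }
        for a in assets
    ]
    return sorted(report, key=lambda row: row["score"], reverse=True)


# Constructed sample data standing in for real interview notes.
SAMPLE_ASSETS = [
    Asset("Patient records DB", ["confidentiality", "availability"], impact=5, likelihood=4,
          present_controls={"mfa", "encryption_at_rest", "tested_restore"}),
    Asset("Billing system", ["integrity", "availability"], impact=4, likelihood=3,
          present_controls={"change_control", "tested_restore", "immutable_backups"}),
    Asset("Marketing site", ["availability"], impact=2, likelihood=2,
          present_controls={"tested_restore", "immutable_backups", "endpoint_detection"}),
]

if __name__ == "__main__":
    for row in gap_report(SAMPLE_ASSETS):
        print(f"{row['asset']:<20} score={row['score']:>2}  {row['quadrant']:<30} gaps={row['gaps']}")
```

Note that the marketing site has every control its owner’s priorities call for, yet still shows a gap once the tech team layers ransomware in: that is exactly the case the list above anticipates, where the client never names the threat but the team does.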

Time to put together findings, present to asset owners, and be prepared to draft your remediation recommendations…A deal much more likely to close.

© David Stelzl

PS. For more on how to conduct these interviews, see pages 194–200 in The House & the Cloud.

Over the past 12 months I’ve spoken at dozens of executive lunch meetings

Ransomware is one of 7 major trends I’ve used to wake people up to their need to assess risk.

Over 90% of my listeners – ranging from small business owners to CIOs – admit that their firm has not had a risk assessment done in 12 months!

When asked what the FBI recommends – most understand the FBI recommends not paying.  But when asked what the FBI will then do to help them get back to business, I get a blank stare. The truth is, the FBI’s recommendation is meaningless, because the FBI has no ability to restore the data. The victimized company is left without data.

Security manufacturers have recommended backing up data. Great…but when I ask my audience how long it might take to restore data, again, I get the blank stare. It could take weeks. Can the doctor afford to keep his patients waiting while he restores? Can the CPA, in the midst of tax season ask his client to hold on? The answer is no.

Do your clients have the ability to detect this intruder before it locks them out? Is there a tested response plan in place in the event that one is hit? Do your clients know what this really is, and what to expect in the coming 12 months? They all need to face this reality. Check out more on how to get people to listen – it’s in my book, The House & the Cloud.

© 2016, David Stelzl

Your Client’s Data Value Demands a Response

Last week I spoke at the Oklahoma Technology Symposium at The Cox Convention Center downtown, and then again to business leaders at the Gailaria Country Club north of the city. (Thanks to AnchorPoint Security and Check Point Software.)

The value of your client’s data is rapidly growing, and this was central to both of my presentations.

The Proof is in the Ransomware

People are paying the ransom. They can’t afford not to. Just this morning the WSJ reported another incident, this one related to the Leavine family NASCAR race team. They only paid $500, but $500 for what? The true cost of a breach like this is much greater. The FBI estimates the total cost per incident to be around $333,000! And incidents of ransomware are now four times what they were last year.

If you’re not talking to your clients about ransomware, now is the time. But more than talk is needed. They need answers.

Start by assessing their exposure to this type of attack. Can your client detect it coming in with their current security setup? My guess is that most can’t. That’s a managed services offering right there. Few companies will have the expertise to do this internally. They also need user awareness training. One place to start might be my latest book, Digital Money. It will be out by the end of this month!

The fact is, more data is being created, and just about every business is down when their computers are down. Data defines just about everything, including all of their clients, R&D, projects, finances, etc. Without their data, they’re out of business. What’s that worth?

Are You Protecting Your Clients From Ransomware?

This is likely one of their biggest threats – but if all you do is basic firewall management and backups, this attack won’t be stopped. Ultimately your client should be asking you – how did YOU let this happen?

Not that your clients will all pay for more intelligent security, but it’s your responsibility to tell them – let them make the financial choice, knowing the risk they are taking.

Zepto is new – it’s dangerous. It’s a variant of the Locky Ransomware, reportedly responsible for encrypting files at three major US hospitals: Kentucky Methodist, Chino Valley, and Desert Valley.

This month, researchers estimate that this one attack was carried to over 140,000 systems in just a few days. As social engineering evolves, people are tricked more often. Getting an email from your boss or a higher-level executive demands a response. And when there’s an attachment, it’s hard to call upstairs every time just to make sure it’s real.

This type of attack is gaining momentum – it’s highly profitable. And to date, the only consistent recommendation is to maintain good backups. But restoring dozens or even hundreds of systems could put a business on hold for days or even weeks.

In the case of Locky, one report estimates a group of hackers earning somewhere in the neighborhood of $12 Million in a single month! Software developers building these attacks may be earning up to $100,000/month! This is big business and it’s not going away.

So What Should You Be Doing?

First, understand that basic firewalls and anti-virus software are not stopping these attacks. So you can continue to say things like, “My clients are too small to pay for more security,” or you can get real with them and let them decide whether they can afford to take the risk. Like buying life insurance or equipping their homes with updated alarms, they may choose not to. As long as you’re making the right recommendations, you’ve done your part.

Second, start looking into “Detection” technologies – security technology that detects. FireEye was early to the market with sandbox technology, but today there are similar solutions built and priced for almost any size business.

Finally – backups are still your fallback plan. I’m always amazed to see how many small businesses continue to limp along with outdated backup technology…they claim it’s just too expensive to upgrade. If you’ve read The House & The Cloud, you know why. Without the Impact vs. Likelihood graph sitting in front of them, they don’t understand their risk. Without that, how can they make a decision to spend more? They can’t.

© 2016, David Stelzl

Do you sell managed services?

Can You Protect Your Client’s From Ransomware?

The fact is, ransomware is doubling year over year, and this year looks to be a high growth year for this gnarly beast. Last month things changed when Hollywood Hospital forked over $17,000 in bitcoin to the perpetrator. It would seem that they had no choice. But look what’s happening…

It Used to be That Ransomware was Targeting the Small Businesses

Today, the LA Times reports two more hospitals hit this past Friday. “Chino Valley Medical Center in Chino and Desert Valley Hospital of Victorville, both part of Prime Healthcare Services Inc., had their computer system compromised on Friday by a cyber attack,” according to the article.

Fred Ortega, a spokesman for Prime Healthcare, acknowledged the attack saying, “Nothing was paid and no patient or employee data was compromised.” And according to this report, neither hospital has paid. However, ransomware is not designed to compromise data – instead it just locks out the doctors. Can these hospitals recover? We won’t know for at least a few weeks… but my guess is, they won’t get their data back. And even though the FBI does not recommend paying, they probably need their data back. It’s fine for the FBI to say, “Don’t Pay!”, but the FBI doesn’t have a problem…

MSP and Security Sales are NOT About Your Product

MSP and Security Sales are about protecting your clients from unexpected events. The fact is, most of your prospects think they are okay. But when ransomware hits it will hurt. It’s time to educate business leaders on what’s happening out there. While the story is probably not news to them anymore, the likelihood that they will be hit is. That’s your edge. If you can show them why it is likely, and help them measure their preparedness, you might have an opportunity. My guess is, you will.

© 2016, David Stelzl

Just Returned From An Interview With Fox News…Apple Has Been Hit!

Apple has finally been hit by ransomware. Here’s what you need to know…

The reporter had heard things like, Apple can’t be attacked by malware! Wow, is that wrong. True, Microsoft gets hit more often, but there are instances of Apple Malware out there. This is reportedly the first fully-baked ransomware attack on Apple – discovered over the weekend.

The first thing you need to know is, “your prospects think they’re protected by firewalls and passwords”. They’re not.

This attack has nothing to do with either. The only defense, had one of your clients downloaded the infected BitTorrent software (Transmission), would have been a managed security program that collects and monitors data from the endpoint.

Arctic Wolf, out of Sunnyvale, is a great example. Some UTM firewalls, like Check Point Software, with the appropriate detection functions turned on, would also have detected it. And you would have had 3 days to respond, if the technology didn’t block it.

What Software Are We Talking About?

The software is Transmission 2.90. It’s a peer-to-peer software client that uses the BitTorrent protocol to move data.

Nearly 50% of the traffic on the Internet today is BitTorrent in some form or another. A lot of it is used for illegal stuff like pirating movies. But it’s also used by Facebook, Twitter, Government Agencies, Video Game Companies, and more. It’s only Transmission version 2.90 that’s a problem, and the Transmission company has already released 2.92.

What’s important here?

It’s the detection / response message. Ransomware has been around for about 10 years. The past three have seen tremendous growth. Three years ago there were about 100,000 instances reported. Last year that went to 600,000. The biggest ransom paid so far, that I know of, was the $17,000 paid last month by Hollywood Hospital. Lives were at stake, so they paid it. Most of these attacks target smaller businesses.

Statistically, only about 3% of those infected pay, but experts agree that the real number is much higher – 3% is just what gets reported. The hospital, by law, had to report this attack. Many small businesses will pay it and move on.

Your Opportunity Is Now

Get out to your clients now!

They have a couple of days before encryption happens if they’re infected, but chances are they use Microsoft, not Apple, on the desktop.

But even if they don’t use Transmission Software and Apple, it makes sense to recommend an assessment – chances are they have something urgent. You just need a reason to show them.

Remember, scanning isn’t enough. You need some data collection. Move them to UTM Firewalls, add ongoing monitoring services, and remind them, this was Apple and Transmission. Tomorrow it will be Microsoft and something they use every day.  When it hits, no one will be able to save them. They’ll either lose data or pay the fine. The more they pay the fine, the more criminals are going to do this.

© 2016, David Stelzl

What’s the Likelihood I’ll be Hacked Over the Next 12 Months?

That’s the question every business leader should be asking.

The answer – it’s likely. Over the past week two of my kids have been hit by fraudsters. Neither ended up paying, but both were initially confused. Had it not been for the constant security awareness training that happens in our home, they might have paid the bill.

It could have been malware, but in this case it was a pop-up. “Call Our Support Desk Now! You’ve been infected by malware,” the message read. My 20-year-old son had one on his iPad; my 21-year-old daughter had one on her company laptop. Both came by inadvertently clicking on a pop-up ad. In my daughter’s case, she did call the number to see what was up (her system was completely frozen at this point). The technician on the line wanted to access her system, which is no longer on any Apple support contract. For $250 he promised to set her up on an annual support agreement and remove the malware on her system.

At that point she called me in to talk with him. First I asked him how he knew we had malware on this system. He reported that he had received a message from our system telling him. I probed further to understand what he was planning to do to fix our computer. His explanations were technical but vague. I asked him about malware, bots, and signs of intrusion. He wouldn’t tell me specifically what the problem was. So then I started asking about remediation steps. Was this a scan, patch, firmware upgrade, etc.? He couldn’t explain. It was clear he didn’t know what he was talking about, but he was adamant that we needed a solution. Finally I said, “How do I know you work for Apple?” He explained that his firm, BTS, was contracted by Apple for this type of support. I took down his number, thanked him, and called Apple. He was a fraudster.

In my son’s case, he simply called Apple support directly, ignoring the phone number on the screen. It too was fraudulent. Apple gave us the right tools to scan both systems to clear them of any adware or malware. And, using Apple’s chat software, the entire process was free.

Your Clients Don’t Know Any Better

The problem is, your clients don’t know any better. What are the chances they would call and pay? They’re working hard, trying to get through their day, and suddenly a message pops up, and like my son’s tablet, the system is locked. Apple walked my son through a hard reset to get back to functionality. How many of your clients would simply call the number and pay the support fee? Sure, if they work in IT, they’re probably savvy enough to do the right thing. But what about the countless office workers, especially those working in small businesses without dedicated IT support people?

Fortunately, in our case it was a simple hard-reset. It could have been ransomware, malware installed through a support link, or some destructive virus. The point is, your clients are highly likely to be hit with some sort of fraud scheme, malware, or ransomware in the near future. If all you provide is basic managed services, or possibly firewall support, these attacks will continue, and your client is likely to pay for it. Educating them on this is the first step. But then, every one of your clients really does need someone to monitor, detect, and respond to these types of problems. They will only get worse over time.

© 2015, David Stelzl