The A, B, Cs of staying safe online
Transcription:
Chip Barnett: (00:03)
Hi, and welcome to another Bond Buyer podcast. I'm Chip Barnett. My guest today is Howard Globus, cybersecurity evangelist, founder and CEO of IT-on-demand.com. He's dedicated to helping businesses and individuals stay safe while working in an ever more connected online world. With over 25 years of experience in cybersecurity, working with small businesses, entrepreneurs and families, Howard shares his experiences in his book, Unhacked: Cybersecurity Essentials to Protect Your Business and Your Identity. And today we're going to be talking about cybersecurity and why it's important now more than ever for states, cities and other municipalities to be aware of threats and to be able to take action before, during and after an attack. Welcome to the Bond Buyer, Howard.
Howard Globus: (00:58)
Thank you, Chip.
Chip Barnett: (00:59)
Can you tell our listeners a little bit about yourself?
Howard Globus: (01:03)
Sure. I grew up working on and around computers. My dad brought home our first computer, a TRS-80 Model I, before we had a color television set in the house. I've worked with large companies like First Boston, which later became Credit Suisse First Boston and eventually just Credit Suisse, and other investment banking firms, as well as Mount Sinai Medical Center, Alliance's Global Corporate Solutions and over a hundred small and medium-sized firms. My focus has been on how people use systems, and how to make those systems safer, more secure and usable, and hopefully all at the same time. And as you mentioned, I wrote Unhacked to offer tips and tools to stay safe in our online world.
Chip Barnett: (01:39)
Okay. That’s great. Let’s turn to cybersecurity for a second. What do you think is the most pressing problem today?
Howard Globus: (01:46)
Well, I think the most pressing cybersecurity issue is that people don't know what to do when they get a spam email or a phishing email. For example, Chip, do you know how to respond to a phishing email?
Chip Barnett: (01:58)
No, actually I don’t.
Howard Globus: (02:00)
Right. So the response to a phishing email really depends on what it looks like, where it came from and what the business policy is. We need to make sure people are educated on how to spot the fakes and the social engineering tricks that they use, keeping in mind that the tools we're using to manage and maintain our systems are getting more and more advanced. There's more artificial intelligence built into those tools to work around our own shortcomings. However, education is still critical, and it's important that we recognize how the end user actually interacts with these things. So when I say education, I mean making sure that everybody in the organization is fully aware of what types of scams and social engineering are out there, and of the actions or triggers that are used to take advantage of the shortcuts we use daily to operate and function in society.
Chip Barnett: (02:51)
Where do you think the biggest threats are today? Where are they emanating from? Is it state sponsored players? Or criminal enterprises? Or is it both?
Howard Globus: (03:01)
Well, in most cases, criminal enterprises have the tacit, if not explicit, protection of the state. In December of 2021, Lloyd's of London put out a notice where they specifically stipulated that they were no longer covering the fallout of cyber attacks between nation states; this extended to operations that have a major detrimental impact on the function of a state. This is significant because the volume of cyber risk that Lloyd's of London underwrites worldwide is huge, but it also hasn't yet been tested. Many cyber criminal enterprises have operated with impunity from within Russia if they explicitly do not target the Russian government or Russian companies. So if we tease out the difference between state-sponsored and criminal enterprises, it may be a distinction without a difference. Further to this point, the federal Cybersecurity and Infrastructure Security Agency, CISA, issued a Shields Up warning at the start of the Russian invasion of Ukraine.
Howard Globus: (04:02)
The warning didn't explicitly stipulate whether this was a criminal enterprise or a state-sponsored enterprise. The warning itself was significant, though. Shortly after that warning was issued, the White House press secretary, and then the president himself, noted the need to improve domestic cybersecurity and the role that Russia might play in cyber attacks. So this, I think, really shows the various levels of threat actors that we're dealing with, and that the government, as well as the private sector in the United States, is beginning to recognize the type of disruptions that are occurring as a result of these types of attacks. So back to your question: I think we can't look at this as a state-sponsored versus criminal enterprise question. I think we need to look at this as big player versus small player. We have big players and small players that are taking shots, so we have to keep an eye out across the entire cyber landscape.
Chip Barnett: (04:51)
Why is it important for state and local governments to be prepared before an attack?
Howard Globus: (04:56)
State and local governments need to be prepared before an attack the same way that they need to be prepared before a hurricane, an earthquake, a flood or a tornado. It just makes good sense for the continued smooth operation of government services. We don't want the first time that a problem is looked at and considered to be during an active attack. There are key actions that should be taken prior to an attack. A short list would be things like: having backups in place that are segmented from the production network; ensuring there's a disaster recovery and business continuity plan in place; having hard copies of these plans available to key stakeholders, because during an attack an electronic copy may not be available; maintaining critical vendor and personnel contacts, phone numbers and cell phone numbers; and, alternatively, having a different communication plan in place outside of just texting or cell phones, because email, text or cell phone may be impacted during these types of attacks. Finally, having a rally or gathering point defined is important.
Chip Barnett: (06:00)
What should they be doing during an attack?
Howard Globus: (06:03)
Well, it's important that when an attack is discovered, we get organized and focused. The first step is to bring the team together and unify them under a shared purpose to counter the attack. If we've planned for an attack, a cyber leader will have been designated. Now, if we haven't planned for one, or we don't have a plan in place, the first order of business is to designate a leader and bring together a plan from a working document or a template, then establish communication and engender confidence that we're going to get through this. Communication between the team is important, as is setting a confident tone. It should be noted that about 75% of systems that become compromised had up-to-date endpoint protection software running on them. So it's important not to assign blame or worry about what could have been done to prevent this problem. There'll be plenty of time after the attack is remediated to deal with that
Howard Globus: (06:56)
and to have those conversations. We want to limit the damage that's happening during an attack. We need to look at categorizing the severity of an attack: how many endpoints are affected? If we talk about under 20 endpoints, do we consider this a small event? If the attack is larger than that, do we look at this as a major event? The next thing to consider is, was data exfiltrated, was data removed from the environment? This is a key question. If bad actors are seen in an environment but no data has been exfiltrated, that's a different scenario than if data has already started to be extracted. Next, was a ransom specifically asked for, and if it was demanded, is it a substantial amount? If a ransom was requested and it's in the thousands of dollars, that's a much different conversation than if you're looking at a million-dollar ransom right off the bat.
Howard Globus: (07:47)
Next, what's the backup status? Are there backups available? Are they intact, or spoiled, old or deleted? These are all questions that you need to ask when you start to categorize the status of the attack. So in general, we view an attack on a timeline of six points: incursion, when the attacker first gets in; establishing persistence, when they burrow in so they don't get kicked out with a reboot of a server or a reset of some service accounts; lateral movement or escalation, when the attacker moves from one system across multiple systems or into cloud resources; data exfiltration, when data is removed to either be sold or used as blackmail; ransomware implementation or detonation, when files begin to get encrypted and systems start to no longer be accessible; and finally extortion, a demand for ransom or a requirement to have some kind of payment for the systems to remain online. In a broad sense, a response framework of the following works out best: first, we log the incident; second, we determine the impact; third, we disconnect, not turn off, affected systems; fourth, we communicate internally; fifth, we engage a response team; sixth, we engage insurance; and seventh, we look at recovery. Notification may need to be provided at local, state or federal levels. So the logging of all the actions taken during the incident response is critical as we move through the process.
Howard Globus: (09:18)
Finally, the most important thing to note is that the closer to the beginning of the attack timeline we can be, the better. For example, prior to establishing persistence, or when we notice lateral movement within a system, if we can segment out and block attacks at that point, you'll have a much better chance of preventing wholesale encryption or data exfiltration of the systems. That's why the question you asked before, why is it important to prepare in advance of an attack, matters: if we're prepared, we have a better chance of successfully weathering an assault. If we've done tabletop exercises, which game out how cyber attacks may unfold, we can take planned steps rather than rushing in as if we're running into a burning building. We need to slow down, be methodical and contemplate what our next steps are. Very often in these types of attacks, we're going to be required to retain some forensic evidence to assist in an investigation, either to mitigate the threat in the future or to get some cyber insurance coverage taken care of.
Chip Barnett: (10:13)
What should they do after the attack?
Howard Globus: (10:15)
So we should take a moment and note that "after the attack" may mean 30, 60 or even 90 days after the incident first starts. When preparing next steps after an attack, consider that, while dealing with an attack, systems may have been disconnected, hard drives may have been photographed and removed for forensic analysis, and networks may have been segmented out or had hardware components removed. An after-attack set of next steps really varies based on how much damage was done and how much forensic information is needed for review by authorities or insurance companies. Ideally, we'd be looking to return the systems to the same working state they were in prior to the attack. That may mean just doing a restore to a known clean system, or it may mean purchasing all new hardware and restoring data from a month or several months ago, or even rebuilding from paper records or starting fresh.
Howard Globus: (11:11)
One of the keys is that we don't want to take a system that we are not sure is clean and reintroduce it into an environment just because we can; we'd just start the entire attack cycle all over again, costing time, money and goodwill. It's important that we have a high degree of certainty that we're returning the systems to a clean state. We recommend engaging a forensic team with the experience and the tools to do a deep dive into systems to ensure that they're clean. That way we can get back to normal operations as quickly as possible. Again, this could be a very quick process or a very slow process, depending upon the level of forensic material that needs to be retained and the budget to implement replacement systems.
Chip Barnett: (11:49)
Okay. And we'll be right back after this important message. And we're back, talking with Howard Globus of IT-on-demand.com about cybersecurity. Let's take a deeper dive for a second and look into some of the attacks that have happened already to municipalities around this country. Can you tell me about some of the things you've been seeing happening?
Howard Globus: (12:12)
So, some examples of things that have happened in the recent past. The Atlanta city government in March of 2018 had a ransomware attack. The demand that was made of them was for six Bitcoin. Now, at the time, that was about $51,000. The ransom wasn't paid, and the estimated cost of lost time, investigation and restoring services is currently $17 million. Legal documents and police video footage were lost. The original estimate to harden the systems was $2.7 million, but the cost has since gone over $9.5 million. So that's one example. Another example is Collierville, Tennessee, which was hit by a ransomware attack in 2019. This small city of about 50,000 residents was up and running in a few days; however, it took over a year to fully restore the systems, at a cost of about a hundred thousand dollars.
Howard Globus: (13:13)
Now, a little bit closer to the New York City area. The MTA of New York had the transit agency's computer systems infiltrated in April 2021 by a suspected hacker group based in China. The attack was spotted eight weeks later, in late June of 2021. The attack is said to have not affected rider safety in any way, but a full analysis is still not complete. Now, in this particular attack, no financial demands were made, but it is believed that this was a test by a nation-state actor to infiltrate critical systems in the U.S. The 1,000-lawyer New York City Law Department was compromised in June of 2021; a single worker's weak password allowed ransomware to spread throughout the agency. Over a year earlier, the agency had been counseled to implement full multifactor authentication, that is, using a username, a password and an expiring token or key. This was not put in place. And the agency is still, to this day, finding areas where files and data are encrypted and not accessible. And a final recent example: in April of 2022, CISA issued a bulletin that industrial control systems were at risk in power generation at multiple municipalities throughout the United States, as well as other ICS systems that control communications and water supplies. Again, no financial demands have been made. However, the concern was heightened in part due to the ongoing Ukrainian war.
Chip Barnett: (14:44)
What sectors do you see at most risk? Hospitals? Utilities?
Howard Globus: (14:49)
Well, we've seen an increase in risk across the landscape. The cyber attackers are not working through a list of targets, moving down the list one at a time. Rather, what we're seeing is an increase in attacks and probes across all manner of systems, from multiple controlled systems to nonprofit organizations and corporate entities. If the organization has systems connected to the internet, there are potential vulnerabilities, and the attacks are increasing. Five years ago, we saw an attack that started with the UK National Health Service and spilled over into Maersk shipping. These incidents won't be siloed by geographic region or functional industry in an interconnected world. The risk is greatest in industries and sectors where automation or technology has been used, but where there's been technology debt building due to a lack of funding or remediation. For example, we still find Windows 95 and Windows XP machines in use in some sectors simply because the software that's used to run critical systems has never been updated. Now, keep in mind these systems haven't been patched in years and present very weak links in the cybersecurity chain.
Chip Barnett: (15:56)
What about companies? They are the lifeblood of providing jobs and revenue for many states and cities around the country. What’s happening on that front?
Howard Globus: (16:04)
Companies are as vulnerable as municipal, local or state governments. There are regulations that are meant to enforce policies that do not necessarily impact government entities. For example, the New York State Department of Finance regulation 23 NYCRR 500, which was put in place for financial services companies, requires policies such as multifactor authentication. A chief security officer needs to attest to the fact that these policies are in place, and that officer and the board are on the hook if they certified that the policy is in place but there's a breach in policy. This is the same policy that was recommended, but not required, for the New York City Law Department, which led to the encryption of millions of records in the city agency. However, that doesn't mean that companies, private or public, are immune from problems. For example, JBS meat packing was crippled in early 2021 with a ransomware attack, as was Colonial Pipeline, as was Nvidia, the computer chip maker. If we learn anything from these incidents, it should be that no company, agency, government or individual is immune.
Chip Barnett: (17:13)
Do you have any last thoughts for our listeners today?
Howard Globus: (17:16)
As noted, ongoing and continuing education of employees, of all personnel, is critical to maintaining vigilance and offering up the first and, frankly, best line of defense against the cyber warfare that we're seeing today.
Chip Barnett: (17:31)
Thank you very much for that. Howard Globus, thank you for being here with us today.
Howard Globus: (17:36)
Thank you, Chip.
Chip Barnett: (17:38)
And thank you to the listeners of this latest Bond Buyer podcast. Special thanks to Kelly Malone and Kevin Parise, who did the audio production for this episode. For the Bond Buyer, I'm Chip Barnett, and thanks again for listening.