
The Cyber Pandemic Continues

As the COVID-19 pandemic continues, so do the cyber criminals. As of Q3 of 2020, the average ransom payment is $233,817. Malicious actors are more ruthless than ever.

Ransomware is your biggest threat, without the proper protection in place, you are left vulnerable. Can you afford the ransom? It’s not if you’re attacked, it’s when.

Prefer to read? (Transcription)

TOM: Thank you, everybody, for coming to our Deeper Dive. We do these every Tuesday at 2 p.m. Central Time. Generally speaking, or quite often, we do a Deeper Dive on topics that are contained within what we call our main webinar, where we talk about threat actors and NIST Cybersecurity Framework and how important it is to do a security assessment and see where you are.

This particular one is a little different. This is where we are taking a look at the trends that IronTech and other security organizations learned in 2020 and applying it to 2021. If there are some of you that have been in last week’s Deeper Dive, and maybe even the webinar last week – I can’t remember, but I started expressing my concern about a cyber pandemic, similar to the COVID-19 pandemic. I did that on my own, and after doing some research on it, I’m not the only one worried about that. And that’s what we’re going to talk about today. So let’s take a look at a few things.

These are some statistics that we’ve come across that are very relevant going forward for the next few years. As of 2019, attacks on Internet of Things devices tripled in the first half of 2019, so it’s probably even higher now. Internet of Things is a big umbrella term for lots and lots of different things – refrigerators, your home thermostat, and industrial control systems. And if you’re in the water utility industry, those commonly go by SCADA.

SCADA is a subset of industrial control systems, and industrial control systems, or ICS, is a subset of the entire Internet of Things. These are devices that don’t have Windows or Mac or iOS operating systems. They do have their own operating systems, but it’s all built into firmware that usually doesn’t get updated, is very notorious for not even having security built into them, having hard-coded passwords that are basically nothing more than a published backdoor to the device, and they are just now getting around to making those devices a lot more secure.

What’s really scary about that is the firmware culture, the software guys that work with firmware just simply aren’t accustomed to securing what we think of as software. Now, it’s still all software; it’s just some of it is embedded and that makes it firmware. That’s the only difference, in the languages maybe. But it’s still software. But they haven’t had this history of the past 30 or 40 years of having to worry about viruses. Well, now they are, and now they’re scrambling to react. So there’s a lot more of those. And actually, that’s going to get right into the cyber pandemic, too.

94% of malware is delivered by email. That means ransomware and other types of malware. Could be a payload to attack your SCADA, home thermostat, refrigerator, things like that.

On average, only 5% of companies’ folders are properly protected. What do I mean by that? What is the statistic referring to? You’ve got multiple users in your office. You know how to go to a certain folder on your network for shared accounting files, shared marketing files, billing software, client files, legal files, client financial files? Of all of those all over the world, only an average of 5% of companies’ folders are properly protected with something like least privileged access. That’s an administrative control.

That means you don’t share a folder to everyone on the network because that increases your attack surface. I’m not necessarily worried about people seeing things that they shouldn’t. I’m not worried about my people, except 94% of malware is delivered by email. So if everybody has access to a shared folder and only two people need it and there’s 100 people in your company, that ransomware attack, I’ve got 98 more people that can fire off a ransomware attack that they’ve received through email.

So by using the principle of least privileged access and only giving access to those that need it, there’s only two people in the company that can fire off a ransomware attack on that folder. So that’s what that’s referring to.

95% of cybersecurity breaches are caused by human error. You’ve heard me give out this statistic a few times. I generally say over 90% of attacks are created by human error, but the studies sometimes are phrased differently, and different audience. At any rate, it’s generally accepted – I’ve seen anywhere between 80%, and this is the highest I’ve seen. Generally everybody assumes that it’s right around 90%. So over 90% of these breaches require a human being, a non-malicious insider, to help them do the breach. That’s what that refers to.

This one surprised me. 65% of these hacking groups, these criminal syndicates and nation-states, use spear-phishing as the primary infection vector or the attack vector. What is spear-phishing? Spear-phishing is a crafted email designed to attack a certain organization. Some of those can be automated, but almost always it requires research.

We frequently get spear-phishing attacks. Someone has probably researched it, and they have a list of everybody that works at a cybersecurity company all over the world, and now we’re experiencing spear phishes. But somebody did do some research at some point. That list is available on the Dark Web. It’s probably given away. Might be sold. I don’t know. Haven’t bothered to look. But it’s happening to all sorts of companies, not just cybersecurity companies. If you’re in healthcare, yeah, you’re on a list for being spear-phished. Also finance is real big, and that includes accountants. Finance and healthcare, I think that’s the two largest – well, outside of cybersecurity itself. Those three firms are the most likely to fall victim to spear-phish and other types of attacks.

This one is another one that I talk about in a roundabout way during the main webinar. Financial services take an average of 233 days to detect and contain a data breach. This is different than what it was just a few years ago. This is getting longer. I saw some other research where it might be a year or two years.

It goes back, if you remember for those of you that have seen the webinar – the ransomware attack, you find out within minutes, hours, or days. It doesn’t hang out for 230 days. But they’re also distributing multiple payloads, like a server backdoor maybe distributed with that ransomware attack, and it just sits there benign until another criminal organization or a nation-state decides to work through their list of servers to exploit that backdoor that was installed 6 months ago, or 9 months ago in this case, or a year and a half ago. So these are advanced persistent threats that remain undetected.

I have yet to go into a company that’s had a successful ransomware attack, install our software, and not find multiple payloads. And that is what that stat is talking about. If you’re an accountant – it doesn’t really matter, but say you’re an accountant on this call and you’ve had a ransomware attack. If a security company didn’t certify that network as being clean, chances are you’ve got other stuff just sitting there waiting to be exploited – or it’s being exploited right now without your knowledge. IT guys aren’t going to catch all that stuff. They don’t do what’s known in the business as post mortems.

The average cost in time of a malware attack is 50 days. That’s how much productivity loss you’re going to have, or that’s how much time it’s going to take you on average to recover from a malware attack.

One of those people that I discovered is the founder and executive chairman of the World Economic Forum. You guys that follow the news, you know they’re having that meeting in Davos, Switzerland right now. WEF is who puts that on, and this guy – there’s a couple of times in here – he’s German, so his accent is a little thick on a couple of things, but we’ll talk about what he says here after I play this video.

Klaus Schwab: We all know but still pay insufficient attention to the frightening scenario of a comprehensive cyberattack, which would bring to a complete halt the power supply, transportation, hospital services, our society as a whole. The COVID-19 crisis would be seen in this respect as a small disturbance in comparison to a major cyberattack. To use the COVID-19 crisis as a timely opportunity to reflect on the lessons of cybersecurity, communities can talk and improve our preparedness for a potential cyber pandemic.

TOM: What he’s referring to there is learn from the COVID-19 pandemic and apply that to a cyber pandemic that could be even worse. Much worse. Like a speedbump to hitting a brick wall. The World Economic Forum, one of the things they’re doing is trying to get people to think worldwide. There’s, what, 8 billion, 9 billion people on the planet, and everything happens with modern transportation and the internet. If something breaks out, it happens to all of us.

So the three things at the top of my mind are pandemics – the virus, human pandemic – cybersecurity, and then global warming. All of these affect all of us. It knows no nation-state boundaries. And the only way that we can protect ourselves is to think globally for these things.

What he said is that a cyber pandemic is probably as inevitable as a future disease pandemic. The WEF published some things that we can learn from studying this.

Lesson #1 is a cyberattack with characteristics similar to the coronavirus could spread faster and further than any biological virus. For example, if cyber COVID, so to speak, if a cyber pandemic mirrored the pathology of coronavirus, 30% of infected systems would not show any symptoms, but they would still spread the virus. Half would continue functioning, but the performance would be severely degraded, like staying in bed for a week, or ICU. 15% of the devices connected to the internet would be wiped with total data loss, requiring a complete system reinstall. And finally, 5% would be bricked, rendering the device itself inoperable.

Just that one, if 5% of all the devices – computers, servers, laptops, smartphones, Internet of Things – if just 5% were bricked, that would require 71 million new devices. So if this cyber pandemic occurs – and the United States just suffered the largest security incident in the entire history of this country in early December. It revolved around the SolarWinds Orion software platform, if you’ve been following the news. It was the largest one. It penetrated the nuclear part of our military and Department of Energy and a lot of private businesses. Microsoft had their source code – I don’t know what products, but their source code was accessed because they were using these so-called – they were really technical management tools, not really security tools. But they should be secure because of what they allow you to do.

If that was just a testing ground and this was coordinated attacks, they could bring these specialists together. Maybe just nation-states, or terrorist organizations or certain nation-states with certain terror organizations, could cripple the world’s society, economy, and everything in a matter of days.

Our way of life – if you deliver water and that water supply is interrupted, transportation is interrupted, the grocery stores are empty, you can’t buy any products – COVID didn’t really have an impact. Not that big of an impact. Just the people doing a rush for toilet paper and things like paper towels for COVID, and the Lysol wipes or whatever. But just imagine if there was no food of any kind, or water wasn’t there. All the banks are closed, shut down. You have no access to money. Your cellphone quits working.

They say that it could be a cyber lockdown so bad that the only social contact would be reduced to in-person visits, copper landline – because that’s not digital – snail mail, or shortwave radio. No television, no satellite, no GPS. And we’d all be in that type of lockdown until a digital vaccine is developed. There are a lot of people thinking that way. It’s not just me.

The economic impact of a widespread digital shutdown would be of the same magnitude or greater than what we’re currently seeing. And recovery from something like that would be extremely challenging because of the sheer number of devices and defensive mechanisms and mitigation strategies it would take. At least with humans, right now it’s pretty much a bunch of similar vaccines that are able to take care of it. If we don’t do it pretty quick and this thing mutates farther outside of what we developed the vaccine for, that may change. So it’s very critical that we get humans vaccinated, because the longer we don’t have the planet – and it’s got to be the whole planet – the longer the planet is not vaccinated, the more likely it is there’s going to be a variant that the vaccine won’t work against and we’ll be right back where we were. That’s similar.

So now, security companies and businesses and governments of all shapes, sizes, your personal family life, and everything, really need to take this seriously.

So, what do you do if you’re a business to prepare for this, or any cyberattack? Number one thing is to get a security assessment so you know what you’ve got to protect, where it is, what it is, and understand what your organization’s security maturity looks like. Does everyone in your organization reuse credentials? They use their pets’ names and their birthdate and year as a password? That’s not good enough. Does anyone get security awareness training in your organization? If they don’t, that’s not good enough.

Do you have a security-first environment that you establish through leadership? Because that’s what it takes. Good leaders of companies of all sizes know that it is very, very important to not put their heads in the sand and not just cross their fingers that it doesn’t happen to them. They’re leading the way. They’re putting in software and policies they’ve gotten from companies like us. But perhaps most importantly, they’re making everyone in their organization realize and appreciate how critical security is to the company’s survival. They’re not complaining about having to use a unique password everywhere they log in or that they’ve got to take this darn one-minute video training once a month.

A good leader, the best leaders, are saying, “Hey, we’re doing this and this is why.” Just like you’d lock the front door to the office. And if you don’t remember if you checked the door to see if it was locked, you know what you do? You turn around and you go back and double-check the door. That’s just what you do.

Good leaders are making sure that happens with cybersecurity, and they’re managing that security-first environment. Remember the least privileged principle? They’re implementing that. They’re talking to their IT guys. “Hey, do we practice least privileged access principles here? Do we do security awareness training?”

They are also implementing artificial intelligence and machine learning controls. They know that antivirus does not work any longer, especially for the number one threat that you are under. Everybody on this webinar, their number one threat is ransomware. And antivirus is simply ineffective, so they have to use a different generation of tools that uses artificial intelligence and machine learning.

The SolarWinds Orion attack that compromised our government, Department of Defense, Department of Energy, Microsoft, and all these government departments and other corporations – of all of those attacks, the ones that implemented the exact same technical control we put into our clients’ environment, if they implemented that EDR, they didn’t get compromised. All the ones that implemented the very same EDR that we put in your business did not get compromised. Even though it was the largest cybersecurity event in the history of the United States.

That’s what you get. That’s AI and ML controls. It’s not expensive. You’ve got to compare – it’s a risk analysis that only the owner or the CEO or the head honcho can make. If your primary job is accounting and paying for things, accounts payable, if your primary job is IT, you cannot make that assessment or make the call of whether your company can afford it or whether it’s a hassle to do multi-factor authentication. That is up to the CEO to make that call because a great leader understands all of the risk and strikes a balance between productivity, budgets.

But at least they know. When that news camera comes in there and they did have a breach and they were using a security company, they know why that breach occurred, and they understood the risk before it even happened. Now, maybe they made the wrong decision, but they did know the breach.

Then finally, you’ve got to monitor those industrial control systems like SCADA and other industrial control systems.

One of the things that we learn when we talk to prospects is that their sensitivity to this – they are doing good leadership things, and they do understand that protection costs money, and they understand the depth and the scale of these threat actors out there. After a breach, they can suddenly afford much, much better security.

Just to throw numbers out there, you can get 100 or 1,000 times better security for your organization for only 2 or 3 times more money. You can get that enterprise grade Fortune 100 cybersecurity protection in your company right now. You can afford it. I promise you. Because if you don’t, and if you have a breach, 40% of you are going out of business in 6 months if you don’t afford it and you don’t implement it properly.

Our biggest challenge is actually with the managers and those types of people, to get them to understand that security-first environment where you’re beyond the hassle stage. “Okay, we’re doing password managers. If you reuse your credentials going forward, you’re fired. If you don’t take this cybersecurity training, continuous awareness training, you’re fired.” Good leaders are going to coach and good leaders are going to communicate to the team why it’s important that they take that training and create unique sets of credentials and all that. That’s really good leadership right there.

Managers will buy this stuff and then just say, “You’ve got to go do this.” If they’re not good leaders as well, they’ll complain about it in front of everybody, and they won’t promote a culture of taking security seriously. I’ve seen a lot of owners do that. Business managers and owners do those very things. So that’s actually one of our larger challenges.

Another challenge may be “I hope it doesn’t happen to us.” We go through a lot of myths on our main webinar. “We’re too small; why would anybody attack us?” If you’ve been through that, you know that they don’t really care who you are or how big you are. They don’t even know. They’re just playing numbers games. They’re blasting out a million emails and just hoping 2% pay a ransom. They don’t know who you are, don’t care.

So, a security assessment is the most important thing you can do, and it’s the very first step as a leader to understanding your risk. Give us a call. Get one scheduled. I don’t know – Kindsey, do we have a link?

KINDSEY: Yeah, let me throw it in there. My bad.

TOM: That’s okay. I didn’t even think about it. We’ve got a link where you can look at calendars to see what our availability is and get a security assessment on the calendar. It’s $495. If you’ve got a state association that you’ve been through one of our webinars, we can probably make some sort of adjustment on that because I think all the special codes have expired. I know they have, actually.

KINDSEY: Yeah, they have.

TOM: When we do a main webinar, we typically will expire a discounted rate by midnight that night or the next day’s midnight. But you’ve got to do that security assessment. It’s by far the most important thing, and it’s the first step in changing your environment from “I sure hope we don’t get hit, and I wonder what all of our problems and risks are” to “We’ve done a really good job of assessing everything, and I think we’re 99.99% protected.” And you probably will be if you’re using a security company to do it all instead of an IT organization.

That’s too big for this, and I’m out of time anyway, but there are fundamental differences between those two types of organizations. Some of the myths that I hear most often are from IT guys. “We’re too small.” I hear that from IT people. Professional IT people. I mean work for big companies. “You’re too small. I work for IBM. You’re too small to get hit,” at Bob’s floor shop or Mary’s accounting service. “Nah, you’re too small.” You ask somebody that works in a Fortune 500 company. “Nah, you don’t really have to worry about that too much.” That’s not true. It’s absolutely not true. You’ve got to worry about it just as much as anybody else.

Anyway, I hope you guys got something good. You can make this doomsday into a positive by getting a security assessment and getting some really good security in place.

Thanks for joining us. We’ll see you next week on the Deeper Dive series.