Ransomware is Dead – 15 Minute Podcast
In this webinar we’ll discuss the following:
- Update on the Ransomware Epidemic
- Security Challenges
- Where Cloud Solutions fit for Best Practices
- Ransomware Case Studies
Listen to the podcast:
Hi, this is Bob Healey, executive vice president with Evolve IP, and thank you for joining our webinar series, "Ransomware is Dead: Why Recovery is the Best Prevention." In the presentation we’re going to discuss an update on the ransomware epidemic, we’re going to talk about security challenges, we’re going to discuss where cloud solutions fit for best practices, and then we’ll also review some use cases.
For the bad guys, unfortunately, ransomware is (a) an easy business to get into, (b) provides an immediate payout, and (c) offers an ongoing revenue stream. For the purpose of today’s discussion we’re going to assume there’s familiarity with the Deep Web and maybe even with the dark web. Right, so you have the visible surface web, where most activity happens on the World Wide Web, but then you also have the Deep Web, right; the Deep Web is estimated to be about times larger than the visible surface web. Within the Deep Web, though, is the dark web, which is the portion of the Deep Web where a lot of criminal activity happens anonymously, and the dark web in May of was added to the dictionary, in some ways providing some validity to its reality.
Some quick facts about ransomware rates: Gartner estimates about two and a half million successful ransomware attacks last year. They also estimate that the frequency will double over the next few years. Trend Micro surveys find that 53 percent of companies have been a victim. It’s even higher in the healthcare industry, and 60 percent of those surveyed say that employees are their biggest risk. That’s a theme that we’re going to reiterate and hear more about as this presentation moves on, and last year there was over a billion dollars of payments made.
We conducted a very comprehensive study in the healthcare industry with a firm called ID Agent, and what they do is monitor the deep and dark web for email vulnerabilities and credentials available for sale by the bad guys. What we found was that, of all the vulnerabilities and credentials for sale, 76 percent of them had passwords associated with them. In a separate study ID Agent also found that 75 percent of people will either recycle or use a variation of the same password across multiple systems and multiple websites. So with all the credentials for sale on the deep and dark web, very often passwords are associated with them, and people use the same or similar passwords across multiple systems.
Another study was conducted by an organization, the Digital Citizens Alliance, and it was focused on the .edu domains, and what they found was that there were over 14 million credentials available on the dark web. Right, and they published the domains and how many compromises or vulnerabilities were there. So the key point here is that this information is not secret; it is out there and available to the bad guys.
If you remember back to when LinkedIn announced a data breach, 6 and a half million encrypted passwords were posted, and then four years later there was an announcement of an additional 117 million vulnerabilities that were posted. Now, though those passwords may have been encrypted, there are publicly available websites that allow you to decrypt passwords, and often these encryption keys become available years after the original vulnerability, and, coming from their blog when all this happened, you know, they stated, you see that last bullet point there, they began to invalidate passwords that had not been updated or changed since that breach. So what you see here is a pattern: people are the biggest area of susceptibility, passwords are available for sale, and people use similar passwords across multiple sites.
If you go back to the last slide just for a moment, right, so there was a breach on a social site, people use very similar passwords or recycle their passwords, and then what the bad guys do is run algorithms at the speed of light in order to try and gain access to different systems with different networks. So no wonder that compromised credentials were the number one area of data breach in 2015. So how do you stop someone with valid, but stolen, credentials from getting into your network? All right, so the overarching question is really: can you prevent ransomware?
We’ve talked a lot about people being the biggest area of susceptibility, right, and human error comes into play as well, right. Phishing scams play on people’s inherent flaws, right, so everyone’s familiar with the Google Docs email scam most recently, right. The dark web was being discussed on broadcast news, right, and you know during the election season last year there was a lot of news reporting that the DNC hack was not a very sophisticated measure; rather, it was simply a phishing scam, right. So employees and people are your largest area of susceptibility, and scams unfortunately are everywhere in life.
We’ve talked a lot about the theme of people being susceptible in this presentation, right, and some of the quotes that you see here reiterate that, right. So half of all breaches are the result of insecure employee behavior; even among trained staff, close to a third of them will open a phishing email within an hour, right; and the bad guys are targeting smaller and smaller companies because they’re less sophisticated. According to the former FBI Director Robert Mueller, everyone will be hacked at some point.
We talked about on an earlier slide in the presentation how the number of ransomware attacks is expected to double over the next few years, right, and if you think about the high volume of vulnerabilities and credentials that are available, and if you think about the high percentage of people that use similar passwords across multiple sites, no wonder ransomware is going to double, and it’s exponentially increased over the last few years, right. It’s very difficult to keep ransomware out of your network when bad guys have what looks to be valid credentials.
So we used a phrase, "no broken glass found," right, so it’s very easy to detect when someone breaks your window or your door and tries to come into your house, right, but when someone seems like they have valid credentials, that’s very difficult to prevent, right. Stolen credentials are the easiest path in, people are your biggest risk, and attacks are doubling and they’re targeting smaller firms, right. So can you truly prevent ransomware or an attack? That is the question. Can you?
Earlier we showed a quote from the FBI, which in essence said everybody will be hacked at some point, right. The other things that the FBI says, you know, as a best practice for protection are: you need to back your data up regularly, you need to frequently verify the integrity of those backups, you need to secure those backups, but most importantly you need to isolate those backups from the computers and the networks which they protect. That’s the key: you need to have isolation so you can recover when ransomware or other attacks happen.
So following through on that theme from the FBI, right, in addition to what they say, you obviously need to have proactive threat intelligence. Active security management is critical, right, but most important, you need to have a very strong reactive posture; you need to be able to recover, right. So you need to have the secure off-site backup and replicated data, you need to have the ability to recover that data from multiple points in time, and you need to have a plan that guarantees you continuity, right. That’s because nobody can prevent ransomware 100 percent of the time. We need to be able to recover from it.
As part of that strong reactive posture, right, we have this continuum that you see on the slide here, right, so as you work left to right, what you end up with is that the more you are moving your data, both backup and replication, off-site into a cloud with recoverable servers, the more you are increasing your survivability and the more recoverability that you have. If you think about that prior slide, right, the more you move from left to right, the more recoverability and survivability you have, right. At the end of the day, that’s what’s most important: can I recover, and can my users access the data, right? So the more you need that window to be less than four hours, that is, a recovery time objective of less than four hours, the more you need to have the right side of that continuum, with services that are backed up and replicated in a cloud off of your premises with recoverable servers that are easily accessible by your users.
So again, let’s talk about best practices, right. So you need to have in-production data center backups, a copy of those backups off-site at an alternate data center, cloud or not, replication of your data in an off-site location, and multiple points of recovery, because you may need to go back two to three days to find the right point in time that you have to recover from, right, a clean copy of your data. You also need to have recoverable servers available to you in that off-site data center, and if compliance is a consideration, you need to ensure that that data center, whether it’s cloud or premises based, has compliance consideration, and most important, your users need to have the ability to access those servers, right. So when you do all of this, you truly do make recovering from ransomware or other attacks, human error or infrastructure failures a very manageable event, and in essence make ransomware dead.
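Two of the practices above, verifying backup integrity and keeping several points in time so you can step back to a clean copy, can be exercised with a small script. This is an added example, not code from the webinar or from Evolve IP; the snapshot data is constructed inline, and the snapshot layout (a timestamp plus a per-file record of the hash taken at backup time and the stored blob) is an assumption for illustration.

```python
import hashlib
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_snapshot(taken_at: datetime, files: dict) -> dict:
    """Record, for each file, the hash computed when the backup was taken."""
    return {"taken_at": taken_at, "files": {p: (sha256(b), b) for p, b in files.items()}}


# Constructed sample data: three nightly backup sets of the same two files.
SNAPSHOTS = [
    make_snapshot(datetime(2017, 6, 1, 2, 0), {"ledger.xlsx": b"q1 figures", "notes.txt": b"hello"}),
    make_snapshot(datetime(2017, 6, 2, 2, 0), {"ledger.xlsx": b"q1 figures v2", "notes.txt": b"hello"}),
    make_snapshot(datetime(2017, 6, 3, 2, 0), {"ledger.xlsx": b"q1 figures v3", "notes.txt": b"hello"}),
]
# Simulate silent damage to the June 2 set (bit rot, a failed write): the stored
# blob no longer matches the hash recorded at backup time.
_rec, _ = SNAPSHOTS[1]["files"]["ledger.xlsx"]
SNAPSHOTS[1]["files"]["ledger.xlsx"] = (_rec, b"q1 figures v2 corrupt")


def verify_snapshot(snapshot: dict) -> bool:
    """'Frequently verify the integrity of those backups': recompute every
    stored blob's hash and compare with the hash recorded at backup time."""
    return all(sha256(blob) == recorded for recorded, blob in snapshot["files"].values())


def select_recovery_point(snapshots: list, incident_time: datetime):
    """Walk the points in time newest-first, skipping anything taken after the
    incident (it may already hold encrypted files) or that fails verification.
    Returns (snapshot, data_loss_window) or (None, None) if nothing is usable."""
    before = [s for s in snapshots if s["taken_at"] < incident_time]
    for snap in sorted(before, key=lambda s: s["taken_at"], reverse=True):
        if verify_snapshot(snap):
            return snap, incident_time - snap["taken_at"]
    return None, None


if __name__ == "__main__":
    snap, loss = select_recovery_point(SNAPSHOTS, datetime(2017, 6, 2, 14, 0))
    print("recover from", snap["taken_at"], "data-loss window", loss)
```

With an incident at 14:00 on June 2 the corrupted June 2 set is skipped and the June 1 set is chosen, so the script reports a 36-hour data-loss window rather than quietly restoring a backup that would fail.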
This slide here is a pictorial view of what we talked about in the last slide as far as those best practices, right. So the top right-hand corner would be your primary data center, and at the bottom what you see there is office users and remote access. Now that primary data center might be in your headquarters, but for pictorial purposes it’s off-site there, right. So you have your production servers in your primary data center, you have the storage obviously, and then in-data-center backup for quick file restores. What you then need to do is make sure you have a copy of those backups in an off-site location, potentially a cloud environment, along with replication of that data, and again most important is recoverable servers in that environment, along with the ability to access those servers, right. That work needs to be done before an incident happens.
Okay, so let’s talk about a few use cases here, right. So a ransomware attack where ransomware is alive, right. So, you know, a very ancillary attack happens in an environment with a combination of tape and low-end cloud backup, but no cloud or off-site server infrastructure to recover to, right. In that scenario, you know, the customer was able to restore their files on their premises five, six files at a time, and it took them about seven days to be partially operational and 14 days before they were fully operational. All right, so now the real question is, is that acceptable? Is that an appropriate means of recovery, seven days for partial and two weeks for full?
This next situation looks at a scenario where half of the data was just as we described earlier in the presentation, right, and the other half was very similar to what was on the last slide there, right. So when there was a corruption of the SAN, which caused them to lose access to their data, within two hours the data that was replicated and available on recoverable servers in the cloud was accessible to the end users; the remainder of the data was only 75 percent restored after two weeks. So again, if you think about the last two scenarios, the data that was replicated and backed up in the cloud with servers available to recover to is almost instantly available to the end users.
This third scenario here was a compromise via an email account, which we’ve talked about several times, about people being the biggest area of vulnerability, right, and all of the data was, as we discussed, replicated in the cloud with available servers to recover to, right. In that scenario the customer was able to restore all of their data within ninety minutes, and they were able to find the most appropriate point in time to recover to, right. So there’s maximum data recovery with minimal business interruption, and end users were able to access the data within an hour and a half.
In summary, let’s just talk about a few of the themes that we discussed here in the presentation, right. So people are our biggest area of susceptibility, credentials are available, and we cannot prevent ransomware 100 percent of the time, right. So we need to have proactive threat intelligence, we need to actively manage that security, but we need to have a very strong reactive posture; we need to be able to recover. No broken glass found, right. How do you stop someone with what looks like valid credentials from entering your network? Ransomware is dead; it is a very manageable event when your data is easily recoverable from multiple points in time and your users can access it in very short order. Thank you for joining our webinar today. This is Bobby Healey with Evolve IP.