Although ransomware has been around for a while it keeps evolving and changing to fit our ever changing landscape. Currently ransomware is one of the biggest security problems in the internet and one of the biggest cyber crimes that organizations face today. With the ever changing landscape cyber criminals have been targeting IT professionals and more so MSPs. With MSPs serving many clients and required to report breaches or ransomware attacks they are a prime target. As an MSP you need to make sure you have a plan of attack (incident response plan) in case of a breech so everything is figured out prior to an incident. Watch as Michael and Ken chat about what is new with ransomware, needs for incident response plans, and how to keep yourself and clients safe.
Video Transcription
0:05
Hi, welcome everybody. Mark, we’re here from Australia. And of course we’ve got kin. We’re about to you today kin from Houston, Texas, even though I have Australia, my background, that I love that road, actually the gradation road, it’s a fantastic place, if you ever get a chance to come to Australia, check it out. And also I love America, great things to see there as well. But today, two aspects for you, obviously, America to Australia, want to talk about that age old subject of ransomware. It’s been with us for a while now. In fact, it’s getting quite boring, we all hear about it, we all know about it, but it keeps evolving, and it keeps changing. So what’s happening and what’s the experience at the moment, down here in Australia, we’re used to the old Halo, we can’t get to our files anymore need to pay money to get access to them. That’s pretty, pretty boring. What’s new, is, of course, the hackers are taking complete copies of your server, or firewall file. And they’re placing it up on the internet. And not just anywhere, but they’re putting it in the dark web. And of course advertising it for sale. And if you don’t pay your ransom, the data is out there. And if they don’t get a sale, your data is out there. Once it’s up there on the internet dark whether or not your data is out there and likely could one day get indexed by Google who knows or be made available to a competitor? Now why is this a problem? I know that every country has its own privacy standards. And we’re all a little bit different. Here in Australia, we have a thing called notifiable data breach, if your data happens to get out of your business, and it’s got any information about customers or staff or might be financial or medical, whatever it might be, once it’s out there, if you don’t report it, if you don’t put steps in place to prove that you’ve blocked that happening in future and contacted everybody whose data has possibly gotten out, you can get a massive fine. Why is that a problem. Some businesses can’t pay the forum, some businesses have to dissolve, they have to disappear. So no longer do they have this problem where they can’t access their files. But now everybody can access their files. What a small businesses don’t have the time for the paperwork, they don’t fill everything out, they don’t report it, or they don’t want to notify everybody, Hey, I got hacked, and my file was pretty bad. And while it was not up to scratch, and by the way, I’m vulnerable. So find a hack be happy again, they don’t want to do that. Or maybe the industry body they belong to just don’t encourage it. Who knows. In Australia recently, the people in charge of it, it’s called the Australian privacy principles, the people who run that, and now targeting the IT company, doesn’t matter whether your MSP break fix or that guy down the corner who helps fix the computer, they are now coming after the IT company to say By the way, this is data breach, your customer hasn’t reported it, why haven’t you. And that’s of course, putting us at risk. So not only is ransomware now a danger to your files being locked up, you can’t get them. But now your business is in danger, because government bodies may want to look at shutting you down. Because you’ve got to find a pay, or because you’re being negligent, or whatever it might be. And as the IT guy, it becomes your responsibility. You may have told customers put the right firewall in place, put the right monitoring in place, put the right antivirus in place, definitely keep all those records, make sure you’ve got them if this ever happens, but also be on top of your game, know your rules and get in touch with the people you need to if there’s been a breach, and make sure you step in and try and mitigate any further breaches, and try and work out what was breached. Some customers don’t even know what data was taken, or what data sits on their server. Now, this is very much alive, I understand is a local Australian thing at the moment. But we all know that trends get duplicated and copied. And even with this COVID-19 issue we’ve all got, we’re seeing how some things work in some countries, some don’t work in other countries, and then countries adopt whatever is working. So what is happening happening here may indeed happen in your backyard. How are you seeing things over there again, pretty much the same way as as what you described, Mike, although I have not heard of any msps or breakfast shops being approached by government entities to say, hey, it’s your responsibility. To report these breaches. What I have seen is that the original definition of a reportable breach was pretty narrow. It’s been broadened considerably now, to the point that any ransomware attack is by definition, a breach because the authorities know that the criminals certainly could have exfiltrated the data and whether they have put it up for sale or not they could have so that does by definition constitute a breach which is required to be recorded by most organizations. And there’s so many different reporting requirements between different government agencies, their standards, bodies, that sort of thing. One of the things that leads into is something that you and I have talked about among ourselves. But we haven’t really mentioned in one of these these broadcasts before, is the need for a true Incident Response Plan. And really, the incident response plan is much more than just the technology of how to clean up the malware and restore the files, that sort of thing. There’s a legal there’s a public relations, there’s a human resource resources, there’s the reporting requirements, a lot more that goes into it, that needs to be addressed before a breach ever happens. And one of the things I’ve been talking to some of my my graduates of my training about recently, is that could be another service that an MSP can provide to their clients, help them put together an incident response plan that hopefully like any form of insurance don’t ever need, it’ll just sit in a drawer, and maybe be updated periodically. But the point is, you don’t want to have to figure all that out when you’re in the middle middle of a crisis situation. So the, in the US, we have an organization called NIST, and is at the National Institute of security, security and technology, something like that. But they have developed what they call the the NIST cybersecurity framework. And that gives a great structure to the things that needed to be considered in cybersecurity overall. And it also makes a good basis for an initial response plan. So we can get into that in some more depth if you like. But that’s kind of the overall approach that I’m taking and recommending to my clients is that at least talk to their users about the need for a plan ahead of time. Yes, there’ll be some cost involved, but a whole lot less cost than if I don’t have an address ahead of time.
6:51
Yeah, just to add on that, as well, one of the things I found in Australia is, it’s a great benefit to contact your vendors and suppliers of various cloud products, we have had a client where they put all their accounting software, the interface with through a cloud interface into a company that was then hacked. Now the responsibility lies with the actual accounting firm, or their their software product, which I’m not going to name. However, the problem is, is that the client, it was their details that got leaked out. Now being accounting, it was text phone numbers, it was company registration numbers. In some states, as I say, in some cases, it was birth dates, driver’s license details, credit card details. So whilst this company could turn around and say, not really our problem, we signed a terms of conditions with the vendor, we’re protected by that they’re the ones that are in trouble. He was their data they got out there. And now they’ve got to deal with the cleanup until their customers to change their credit card numbers. And you can’t change your birthday, there’s a lot of things that get out there that you just can’t change. So you’re better off not getting in that situation in the first place. So along with your disaster recovery, testing, business continuity plans and things like that, you do have to have a little leaflet or a folder or something with plans, you’ve got to allow for the fact that your server might be offline, your computers might be offline, you can’t get access to anything you’ve scanned on to the server. So if your insurance documents are in PDF form on your server, you might not have access to them, you got to put together everything that you need pretend that every resource has been taken away from you. And you’ll now need to know who to contact, who to report to who the IT guy is, who everything related to the business is without having to resort back to your digital source of information. Now one of those things that’s also come out of the woodwork is denial of service. And again, this is denial of service, you can actually see servers and your workstations and your paperwork, denial of service. In here in Australia, especially we’ve all moved to a new broadband style network. And with that, we’ve moved all of our phones now that voice IP and sip. And of course, they’re all vulnerable to denial of service, you take down somebody’s router, it’s not just email they can’t send and receive. It’s not just Google and eBay for buying stuff. They actually lose their phone system. And of course, they can take down their website as well. You can take your business completely off the network, they are in the dark, they don’t exist anymore. They lose business. People can’t find them anymore. People can’t ring them they can’t is gone. Now how does that affect your business? So you have to think about my business is dark, I’ve gone completely dark. What do I do to get myself up and running? Where do I need to route my phone calls to How can I do that? How do I get access to my insurance documents and Okay, now here’s my disaster recovery plan printed out in a folder. I can grab it, and he’s the people I’ve got to report to for my notifiable data breach and things like that. So think ahead, think like someone who’s got something to protect, because as an MSP, you’ve got to protect your business. As evidence through the recent solar winds and connect wires and other big vendors out there. They’ve had little tiny issues, but Just call them little tiny issue, shall we? Because it’s your business to protect and as your customers business to protect. I don’t know about you, but I have businesses in all kinds of different structures. This is transport business and accounting, business and legal business.
10:16
And in one case, one of my legal clients was working on a high profile case. And the attacks against the router just escalated unbelievably, the incorrect password attempts to log on to their systems and get in. And if someone tries hard enough, they’ll find a way in is what they do. They try and find a way in, so you make sure you’re protected. And if all goes wrong, you’ve got something to fall back on to. Now there’s denial of service attacks we’re seeing, they are crippling here, especially in Australia. I don’t know, again, Ken, how’s how things over there?
10:50
Well, we’re not seeing as much of that yet. But it’s a pretty new trend here, it’s first, I first saw it mentioned in some of the trade publications I read and in the blogs and newsletters in the last couple of months. So it’s a relatively new phenomenon here. But one other thing that leads into Michael is the fact that, in the case of ransomware, where you don’t have backups, can’t get your data files back, there is certainly a case to be made for paying the ransom and hoping to get the data files back that way, which usually is a a pretty good bet. Statistically, with the major ransomware families, the average numbers out here are somewhere between 85 95% of them do in fact, provide a decryption key and a decrypter to get your data files back if you pay it. But if you have good backups don’t need to pay the ransom to get your data files back. I don’t see any case to be made for paying for non disclosure, or for protecting against DDoS. Because statistically, over half of those have gone ahead and done it anyway, even with the ransom has been paid. So I would say never pay the ransom just to prevent a DDoS attack, or to keep your your data from being revealed. Because there’s a better than even chance it’s going to be regardless. So that’s a little twist that actually financially works to the to the better one of the victims. Because I say there has been a relatively decent case to be made for paying the ransom, if you had to, to get your data files back.
12:24
Nobody wants to but looking back on a previous video that we did, where we touched on insurance. Now, obviously, we’re not sort of insurance agencies, so we can’t give you advice or anything like that. But with your own business, and your customers, make sure they’re looking to cyber insurance and make sure they know what that actually covers. With the changing way that ransomware and denial of service and everything is changing. I can’t predict what attack there will be next month, who knows what’s going to happen. We’ve heard of everything from ransomware, taking other video cameras and actually filming people putting little pin codes in on doors to be able to open secure rooms and things like that, because they can see the video feeds. We’ve seen all kinds of things. But one thing I do know is the insurance industry was not ready for the amount of claims have come through here in Australia. And so the actual premiums have gone up in price. And what they exclude has actually just hugely blown out of proportion, they exclude a whole bunch of stuff now, because I just know that it’s taking too much money out of their pockets. Now, because we don’t know what’s going to happen next week, next month, next year with ransomware. Make sure that you’re not locked into some sort of contract, which excludes too many things just read very carefully. But make sure you understand it as well. Because these these insurance policies are there to protect and help you. But at the same time insurance companies want to make money. And so if they can find a way out of paying out they will. So please, please, please be prepared. Think about this. I am going to get hacked. It’s going to happen. I don’t know when the Hell, I might go to some ringtone website to get a new ringtone on my phone, something’s going to happen at some point. So I’m going to put insurance in place for the worst case scenario. plan for that worst case scenario playing for no servers, no phones, no nothing. What do I do? basically think like you’ve just been put in the dark, make sure you’ve got everything to protect yourself, make sure you’ve still got income coming in to pay staff to make sure you can still pay the rent. Because even if you have to rebuild the server, and let’s say that your backups are destroyed, and you’ve got nothing and you’re starting from scratch, that’s quite a long process. You need to have money coming through the door to sustain your business and keep it going as an internet provider or as an MSP or a break fix guy or anything like that. We’ve all got a huge customer base we still serve. If they call you 24 seven doesn’t matter when they call you. If you can’t answer that phone, you can’t get them help to support you’re dead in the water. So think about that. Think about trying to protect yourself, and then replicate what you’re doing for yourself for your customers.
15:00
And they’ll love you for it. And that’s a scary topic. And I know when I was to talk about it, but it’s happening out there. So get in front of that curve ball, protect yourself, if you don’t protect yourself, you can’t protect them, and then use what you’ve learned to protect your customers. And there’s a lot of products coming out there now that there were security suites. And they include endpoints protection may include deep dark web searches, they include any all kinds of protections in browsers to stop your surfing, there are a suite of products, it’s worth looking at what solutions are out there, the technology is changing. antivirus is moving away from patent scanning, to more machine learning and behavior monitoring, and in the clouds, getting things like that, make sure that you’re putting the best products in for yourself. Because if you’re like me, you are using some kind of a help desk application, it does link into lots of customers, if it’s a solar winds, or a Connect wise or an auto task or something like that, if that gets hacked, all your data is available. And of course, these things are cloud based people can log in from anywhere in the world and get into this data. So you’ve got to think about where you’re exposed. And then again, once you’ve worked that out, transfer that knowledge to protect your customers. They’re also cloud based, probably, they’ve also got servers, and they’ve also got staff to feed and pay mortgages and things like that. So the ransomware really has evolved. And as you can see, there’s lots more to think about and things to protect yourself with. And I’m sure next time we speak, there’ll be even more changes and additions to the way this stuff is attacking in working. It’s curious that it starts in one country and replicates through the rest. Like I said, When something works, why not replicated?
16:38
it? Yeah, and yeah, one other piece just related to the whole issue of cyber insurance. One of the things that I’ve been trying to make sure that all my msps and then clients recognize is that if there is a breach, the first thing you need to do is ask the client, do you have cyber insurance. And if they do, then the insurance company takes it from there. And if you or I do anything at that point, and the insurance company comes in later, we’re liable because we have probably clouded up their their ability to do forensics or any of the things that they need to do. The insurance companies do have their teams put together with with the the techie experts, the different tools, the forensics and the investigators, the the disassemblers, the decoders, and that sort of thing. So we need to not touch anything, if there is cyber insurance involved.
17:32
I’m gonna say Good point, they say, well, we don’t know what to do, do whatever you can, which is rare that the insurance companies have had been through this enough time, as you say they’ve, they’ve had a lot more claims experience than they intended to, or expected to. So they’ve learned their lessons pretty well. So point is don’t don’t get yourself in trouble. By just automatically jumping in and trying to take care of the client, the best thing you can do to take care of the client is to let them talk to their insurance company and their their team of whoever, yes, it might cut us out on some project work. But it also cuts us out a whole lot of exposure and risk
18:11
I’m glad you mentioned that it’s actually something that I wasn’t intended to talk about. But I’m going to bring into this. I’ve had a bit of exposure to other msps, who have actually had their clients hacked, and who’ve actually had insurance company come in and audit and the msps. Now no longer look after those customers. Please don’t be lazy, please make sure you block any ports that need to be blocked, you turn off any RDP that needs to be turned off, that you make sure that you’ve put in antivirus, it’s monitoring up to date, what my experience has been is the auditors have come in as a third party, and they’ve said Who’s your IT guy, they should be on top of this. Your antivirus isn’t up to date, you’ve got every machine open to the world with RDP. And just through that document that they produce for the insurance company, which obviously gets the insurance company off the hook for paying the ransom, then of course, it comes back home to the climate shoulders, who suddenly have to forget the money themselves. They’re not now very happy with their IT company. And then they turn around and could possibly even Sue their IT company if the insurance company doesn’t do it for them. So please don’t treat security as an afterthought. Be proactive. Make sure that if you know there’s something that’s not happening, right, let’s say that they want a backup files, they to a backup files and day three, you haven’t fixed it, then there’s two days worth of backups, they can get encrypted and you can’t get back. You need to be proactive, you need to jump on this stuff. If any virus isn’t triggering properly, needs a patent update or whatever might be wrong with it. Or if you know that the customer is suddenly working from home and suddenly has 30 people all out there Remote Desktop being in and it to do it so quickly. You’ve had to break some rules on the firewall. You go in and tighten up and fix it up and make sure that there’s nothing going on that shouldn’t be because you
20:00
There’s anything found that you’ve done that’s not industry standard and not for his security. First, your name is done and come out in their document that they keep the insurance company. And you might be looking for new customers to fill a role of the old customer used to pay you money. So please, please, please security first think about that as well. I wasn’t intending to talk about that. But that is a recent experience of at least three msps I’ve spoken to in the last two months, where they’ve actually lost sizable business. And one of them their name actually got put through the Australian newspapers as well, because they were held liable for what had occurred. And they did make simple mistakes of leaving RDP open on port 3389. The default, which we all know is an absolute No, no. So please don’t also know that even changing the port doesn’t make much difference.
20:48
You can use all sorts of tools to stand for a port that lands in the right way. And this vulnerability, still an exchange and all sorts of other products, you can turn it in on the ports, get the banners from the products work out what service packs installed, there’s ways to do this stuff. So tighten it up. Make sure you doing security audits, there’s one more as well make sure that you know that the customer has gone out and bought their own switch you don’t know about and it’s managed. It’s got an IP and it can do fancy stuff. Or they’ve added a NASS with the Linux back end, it’s got a website on it. Make sure you know about that stuff, because you’re managing the network. And if something they’ve done breaks it for you. You need to be aware of it. You need to really keep on top of it. And speaking of tightening it up. Since we don’t have Harry riding herd on us today. We probably ought to wrap it up pretty quickly here. We’ve we’ve used up our time, but it’s been another fun one.
21:38
Absolutely, absolutely. Hey, look, you know, it’s my morning here. So I’m brightened JP a bit tiring there for you. So I understand that completely. But thank you for joining us. It’s been great. And I’m sure that you can see the experience across Australia across the world is a little different for everybody, to from the US right through Australia, for sure. Even if we get someone from another country on board even different again. But we’re all one big family. It’s global. What we experience. We’ll see it. So thank you for joining us, and I hope you learned some lessons from it. And obviously once this hits YouTube, put some comments on the video. let Harry know what you thought. maybe ask some questions.
22:16
Thanks, Michael. Thanks, everybody. See you next time. See you later.
