Earlier this year, the National Institute for Standards and Technology (NIST) published updated recommendations for phishing simulations in security awareness training programs. We discussed it on our Community page soon after the updated standards were released, but the substance of the change bears repeating.
“Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear-phishing attacks, malicious web links.” – NIST SP 800-53, Rev. 5, Section 5.3 (pg. 60)
This update includes a recommendation for “no-notice” phishing simulations to be delivered at the beginning of security awareness training programs to more accurately gauge the readiness of a set of users to recognize a phishing attempt.
The thinking, obviously, is that letting users in on the phishing simulation game will heighten suspicion of their inbox and skew baseline results. This concern can be thought of as a spin-off of the well-studied “observer effect” known in many scientific fields: observing the behavior of something necessarily changes that behavior.
While it might be tempting for a Chief Information Security Officer (CISO) or other IT professional to take high grades on a phishing simulation as a sign of a job well done, that can be a dangerous conclusion to draw. Phishing tests that are too easy do little to address a problem that’s become one of the most common methods of entry for ransomware attacks.[1] If IT professionals grade on a curve here, they’re doing very little to improve their organization’s overall cyber resilience.
Combatting this false sense of confidence about users’ ability to spot phishing attacks requires making sure simulations aren’t too easy to spot.
What makes a phishing simulation too easy?
After putting some thought into that question, NIST researchers published a paper last year in the Journal of Cybersecurity citing three key criteria for determining if a phishing simulation makes for good training.
According to the authors, “low click rates do not necessarily indicate training effectiveness and may instead mean the phishing emails” were:
- Too obvious – Either errors were too overt or these templates were running something akin to the Nigerian Prince scam. Either way, they won’t help an employee overcome today’s more sophisticated phishing attempts.
- Not relevant to staff – We’re all busy at work. So deleting an email offering 25% off at Ed’s Golf Cart Repair Shop doesn’t mean a user is an expert at spotting scams. It just means there was nothing in the simulation that enticed anyone to click.
- The phish was repeated or similar to an earlier one – Phish me once, shame on me…but seriously, this drives home the importance of having a wide range of phishing templates. These programs work best when they’re ongoing, so it’s important to switch it up.
On the other hand, a phishing simulation is convincing if it does the following to some degree:
- Mimics a workplace process or practice
- Has workplace relevance
- Aligns with other situations or events, including those external to the workplace
- Presents consequences for NOT clicking (e.g., buy gift cards or we lose the client)
- References targeted training, specific warnings or other exposure
Tip: NIST has devised a weighted version of this scale, “the Phish Scale,” that you can use to determine the difficulty of your simulations. A phishing simulation that has all of the above characteristics would be considered extremely difficult. That’s good, right?
Too much difficulty can be dangerous, too
Any security awareness training program that’s too difficult is liable to leave learners feeling put off, resigned to failure, or worse, coming away without any practical security learnings. This is especially true if users are punished too harshly for failing to spot a difficult phishing simulation.
Any program that’s both difficult and relies on a stick rather than a carrot for motivation runs the risk of:
- Reinforcing negative stereotypes of security training programs
- Encouraging employees to “game” the system by sharing information about tests
- Fostering animosity towards the organization’s overall security posture
- Inviting legal trouble from dissatisfied employees
For security awareness training to be successful, it has to be collaborative. Learners should feel like they’re part of something constructive, rather than just subjected to another type of performance review.
Hitting the sweet spot
Finding the appropriate difficulty level for phishing simulations is one of the reasons the initial, no-notice NIST recommendation is so important. It helps administrators establish baseline results that most accurately reflect users’ real understanding of phishing attacks. But we don’t recommend a training program be hidden from employees forever.
Instead, after initial results have been established, it’s better to announce the program publicly along with its goals, evaluation criteria and a point of contact for those interested in learning more. Once users are in the know, subsequent phishing simulations can focus on incremental improvements over the baseline results. As scores rise across the board, the difficulty can be gradually increased over time.
One essential recommendation: Always report publicly on positive results. Let users know they’re managing to catch more and more difficult simulations. Be as specific as possible, as in, “click-through rates dropped from A to B in this exercise.” This will help establish a sense of shared responsibility for organizational security and “gamify” the experience.
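A worked illustration of the two ideas above (scoring a template against the five characteristics of a convincing simulation, then reading click rates in light of that score and reporting progress in specific before/after terms), added here as an example; it is not NIST’s Phish Scale implementation and not Webroot’s code. The characteristic weights, the per-cue penalty, the label thresholds and the sample templates are all assumptions chosen for the illustration.

```python
"""Difficulty-aware reading of phishing-simulation results.

Added example. The characteristic weights, the "obvious cue" penalty and
the label thresholds are assumptions for illustration, not NIST's published
Phish Scale values.
"""
from dataclasses import dataclass

# The five characteristics of a convincing simulation, with assumed weights.
ALIGNMENT_WEIGHTS = {
    "mimics_workplace_process": 3,
    "workplace_relevance": 3,
    "aligns_with_external_events": 2,
    "consequences_for_not_clicking": 2,
    "references_training_or_warnings": 1,
}
CUE_PENALTY = 1  # each overt giveaway (misspelling, odd sender, ...) lowers difficulty


@dataclass
class Simulation:
    name: str
    alignment: frozenset   # subset of ALIGNMENT_WEIGHTS keys present in the template
    obvious_cues: int      # count of visible errors or giveaways
    click_rate: float      # fraction of recipients who clicked, 0..1


def difficulty_score(sim):
    """Weighted sum of present characteristics minus a penalty per obvious cue."""
    unknown = sim.alignment - set(ALIGNMENT_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown characteristics: {sorted(unknown)}")
    score = sum(ALIGNMENT_WEIGHTS[k] for k in sim.alignment)
    return max(0, score - CUE_PENALTY * sim.obvious_cues)


def difficulty_label(score):
    """Assumed thresholds mapping a score to a coarse difficulty label."""
    if score >= 8:
        return "very difficult"
    if score >= 5:
        return "moderately difficult"
    if score >= 2:
        return "least difficult"
    return "too easy"


def interpret(sim, low_click=0.05):
    """Return (difficulty label, verdict). A low click rate only counts as
    evidence of readiness when the lure was hard enough to be worth catching."""
    label = difficulty_label(difficulty_score(sim))
    if label == "too easy":
        return label, "low click rate not meaningful: template too obvious or irrelevant"
    if sim.click_rate <= low_click:
        return label, "users are catching a realistic lure; raise difficulty next round"
    return label, "click rate consistent with difficulty; keep training at this level"


def progress_report(baseline_rate, current_rate):
    """Specific wording for the public update the text recommends."""
    verb = "dropped" if current_rate < baseline_rate else "rose"
    return f"click-through rates {verb} from {baseline_rate:.0%} to {current_rate:.0%} in this exercise"


# Constructed sample templates (not real campaign data).
SAMPLES = [
    Simulation("golf cart discount", frozenset(), 2, 0.01),
    Simulation("invoice approval",
               frozenset({"mimics_workplace_process", "workplace_relevance",
                          "consequences_for_not_clicking"}), 0, 0.22),
    Simulation("password expiry notice",
               frozenset({"mimics_workplace_process",
                          "references_training_or_warnings"}), 1, 0.03),
]

if __name__ == "__main__":
    for sim in SAMPLES:
        label, verdict = interpret(sim)
        print(f"{sim.name}: score={difficulty_score(sim)} ({label}) "
              f"click={sim.click_rate:.0%} -> {verdict}")
    print(progress_report(0.31, 0.12))
```

The point of `interpret` is the one the NIST paper makes: the 1% click rate on the golf-cart template is discarded rather than celebrated, while the 3% rate on a template that mimics a workplace process is treated as real progress and a cue to raise difficulty.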
Calibrating your security awareness training is an ongoing experience. Don’t be afraid to adjust your simulations based on results. Happy learning.
Ready to establish your own successful security awareness training? Try us out free for 30 days.
1. Hiscox. “Cyber Readiness Report 2021.” (April 2021)
What do the terms artificial intelligence and machine learning mean to you? If what comes to mind initially involves robot butlers or rogue computer programs, you’re not alone. Even IT pros at large enterprise organizations can’t escape pop culture visions fed by films and TV.
But today, as cyberattacks against businesses and individuals continue to proliferate, technologies like AI and ML that can drastically improve threat detection, protection and prevention are critical. This is even more true as workforces continue to operate remotely in such numbers.
That’s why, for a few years now, we’ve been conducting surveys of IT professionals to determine their familiarity with, and attitudes toward, artificial intelligence (AI) and machine learning (ML). For the purposes of this report, we surveyed IT decision-makers at enterprises (1000+ employees), small and medium-sized businesses (<250 employees), and consumers (home users) throughout the U.S., U.K., Japan, and Australia/New Zealand.
As a result, we learn about:
- Baseline cyber hygiene, including what cybersecurity tools are in use and how they’re used
- General experience with data breaches and attitudes toward the safety of their data
- How many organizations use cybersecurity tools with AI components
- Whether IT admins feel that AI actively contributes to the safety of their organizations or is marketing fluff
We titled this year’s survey Fact or Fiction: Perceptions and Misconceptions of AI and Machine Learning and expanded it to include professionals in the enterprise, mid-market organizations and private individuals. It’s one of the largest and most thorough reports on the topic we’ve put together to date and is packed with interesting findings.
Historically, we’ve seen significant confusion surrounding AI and ML. IT professionals are generally aware that they’re in use, but struggle to voice how they’re helpful or what it is exactly that they do. In Australia, for instance, while the bulk of IT decision makers employ AI/ML-enabled solutions, barely over half (51%) are comfortable describing what they do.
Nevertheless, adoption of AI/ML-enabled technologies continues to rise. Today, more than 93% of enterprise-level businesses report using them. Overall, slightly less than half (47%) call increasing adoption of AI/ML their number one priority for addressing cybersecurity concerns in the coming year.
Here are a few other key takeaways regarding enterprise attitudes toward AI/ML:
- Understanding is growing – But more education is still required, so vendors must focus on benefits of AI/ML in terms of the bottom line and an enhanced security posture.
- AI/ML are key to repelling modern threats – Especially for remote workforces, advanced technologies are emerging as a key component for ensuring uptime and availability for clients.
- AI/ML can differentiate a business – Buyers are looking to invest in their tech stacks to stay out of the headlines for suffering a breach. As understanding of AI/ML grows, more are looking for these capabilities in their cyber defenses.
For the mid-market and individuals, another theme has persisted through our studies: overconfidence.
Among IT professionals at businesses with fewer than 250 employees, almost three-quarters (74%) of respondents believe their organizations are safe from most cyberattacks. But 48% have also admitted to falling victim to a data breach at least once. Interestingly, despite their confidence in their cybersecurity, the same respondents also believe their security situation has been made worse by COVID-19.
Other notable findings among small and mid-sized businesses include:
- They’re beginning to recognize they’re targets – SMBs are catching onto the fact that cybercriminals pick off weak targets and realizing this fact’s implications for their supply chains.
- Limited IT budgets must be spent wisely – Without the resources to hire full-time IT staff, it becomes critical that a security stack defends against all the most common forms of attack (and their consequences).
- User education is key – If a business can’t spring for top-of-the-line cybersecurity solutions, educating users on how to keep from enabling breaches can go a long way towards building a strong defense with relatively little investment.
Consumers continue to report abysmal habits in their personal online lives. Less than half use an antivirus or other security tool. Only 16% report using a VPN when connecting in public spaces and 48% have had data stolen at least once. On the brighter side, constant headlines concerning corporations leaking consumer data have made consumers wary about who they give their data to and how much. This healthy skepticism is a good sign as the next large data breach is likely just around the corner.
Some valuable lessons from the consumer sector, and how they bleed over into the corporate sector, include:
- Business breaches affect consumers’ data – And they know it. Consumers are wary of providing too much sensitive data to companies after being barraged by news of high-profile hacks and data breaches.
- Consumers ARE NOT taking proper precautions – Fewer than half of home users have antivirus, backup or other cybersecurity measures in place. In all, 11% take no precautions online. This finding is especially relevant if remote workers are using personal devices for business.
- Unsurprisingly, AI/ML knowledge is lacking – When paid IT professionals don’t understand the technology, it may not be practical to expect the average consumer to. But consumers should do their research on the tech powering their protection before committing to a VPN, antivirus or backup solution.
For the report’s complete findings, including a breakdown of cybersecurity spending by business size, download the full report.
Ransomware attacks dominate news coverage of the cybersecurity industry. And it’s no wonder – with million-dollar payouts, infrastructure attacks and international manhunts, ransomware makes for exciting headlines. But its recent domination of the airwaves has been a long time coming.
“The first types of ransomware have existed for quite some time, going all the way back to the early 2000’s,” says Grayson Milbourne, security intelligence director at Carbonite + Webroot. Going through the history of ransomware, Grayson notes that it started as small-time swindles “with the goal of getting you to pay 50 bucks.”
The ransomware we see today has evolved over the last 20 years to become the monster seen in news headlines. Instead of petty crooks, we now see criminal gangs that combine ransomware with worm-like capabilities that utilize a double extortion method.
In other words, “ransomware isn’t just a targeted model that you have to click on to fall for. Anybody can be attacked and breached,” explains Tyler Moffitt, senior threat analyst at Carbonite + Webroot.
The New Standard of Ransomware
Hackers not only steal and lock files away, they also leak data in the most damaging way if a ransom settlement is not reached. And the new brand of ransomware spreads through networks and across businesses so you might fall victim even though it was your colleague or business partner that clicked on the wrong link.
These new methods helped skyrocket the average ransom payment to almost $150,000. Even worse, most ransom payments end up being around $50,000. The high average payment is buoyed by a few million-dollar ransoms, but most victims are small and medium businesses.
Luckily, the news isn’t all bad. Yes, ransomware has had years to evolve into the juggernaut it is today. But analysts, security experts and threat researchers have also had time to craft new tools to keep people and businesses safe.
“It’s so much better modernizing your infrastructure up front in the appropriate defense in depth,” says Jon Murchison, CEO of Blackpoint Cyber. For Murchison, security efforts cannot wait until an attack happens, they need to be adopted in advance.
But the right tools, Murchison says “will save you from a bad day or an existential day to your business.”
Then stay tuned for Carbonite + Webroot’s episode 3 in our series on ransomware.
Malware leaps from the darkness to envelop our lives in a cloak of stolen information, lost data and worse. But to know your enemy is to defeat your enemy. So we peered over the ledge leading to the dark web and leapt. The forces we sought are disruptors – without warning, they disturb our businesses and our connections to family and friends.
And darkness we found – from million-dollar ransoms to supply chain attacks, these malware variants were The 6 Nastiest Malware of 2021.
How malware disrupted our lives
These days, every major ransomware campaign runs a “double extortion” method, a scary prospect for small businesses. They steal and lock files away and they will absolutely leak data in the most damaging way if a ransom settlement is not reached.
Phishing continues to be key for these campaigns and it’s typically the first step in compromising a business for the nastiest malware.
This highlights the importance of user education – training users to avoid clicking these phishing lures, or preventing them from enabling macros in these attachments, is proven to stop malware in its tracks.
While the list below may sort payloads into different categories of malware, note that many of these bad actor groups contract work from others. This allows each group to specialize in its respective payload and perfect it.
This year’s wicked winners
1. A persisting botnet with a cryptomining payload and more; infects via emails, brute force, exploits and more; removes competing malware, ensuring they’re the only infection
2. The Nastiest Ransomware of 2021 that made headlines with supply chain attacks; many attempts to shut down the REvil group have so far failed; their ransomware as a service (RaaS) platform is on offer to other cybercriminals
3. Decade-old banking and info-stealing Trojan and backdoor; disables protections, spreads laterally and eventually leads to ransomware like Conti; extremely resilient, surviving numerous attacks over the years
4. Banking and info-stealing Trojan and backdoor; spreads laterally and listens for domain credentials; eventually leads to ransomware like Grief/BitPaymer/DoppelPaymer
5. Longstanding ransomware group also known as Ryuk and likely linked to LockFile ransomware; TrickBot’s favorite ransomware; will leak or auction off data if victims don’t pay the ransom
6. White hat-designed pen testing tool that’s been corrupted and used for evil; very powerful features like process injection, privilege escalation and credential harvesting; the customizability and scalability are just too GOOD not to be abused by BAD actors
Victimized by malware
The good news (I guess) is that last year’s average ransom payment peaked at $200,000 and today’s average is just below $150,000.
The bad news is that hackers are spreading the love and targeting businesses of all sizes. In fact, most victims are small businesses that end up paying around $50,000. Ransomware actors are getting better with their tactics, recruiting talent and providing a streamlined user experience.
The whole process is terrifyingly simple and for every one that gets shut down, two spring up to replace it. To top it off, supply chain attacks are becoming a massive issue.
Protect yourself and your business
The key to staying safe is a layered approach to cybersecurity backed up by a cyber resilience strategy. Here are tips from our experts.
Strategies for business continuity
- Lock down Remote Desktop Protocol (RDP)
- Educate end users
- Install reputable cybersecurity software
- Set up a strong backup and disaster recovery plan
Strategies for individuals
- Develop a healthy dose of suspicion toward messages
- Protect devices with antivirus and data with a VPN
- Keep your antivirus software and other apps up to date
- Use a secure cloud backup
- Create strong, unique passwords (and don’t reuse them across accounts)
- If a download asks to enable macros, DON’T DO IT
Discover more about 2021’s Nastiest Malware on the Webroot Community.
2020 was a year of immense change. One thing is for certain – the world collectively witnessed an increase in digital interconnectivity. We came to rely even more on the internet as a conduit to the world. Remote access to businesses, entertainment and interpersonal connections surged. The death of distance accelerated.
The increased reliance on remote access provided cybercriminals with an opportunity to exploit any easily accessible vulnerability. The rise in remote access, compounded by the need to learn more about the pandemic, offered an optimal climate for cybercriminals to thrive.
In 2021, the 24/7 news cycle was filled with stories of cyberattacks. There was the infrastructure ransomware attack on the Colonial Pipeline in May 2021, which caused the company to cease operations for days. There was also the attack on JBS USA, which fell victim to ransomware and threatened U.S. food supplies. In another instance, a malicious actor was able to breach the Florida Water computer system and temporarily alter the water content by changing the sodium hydroxide levels. In each of these examples, cybercriminals capitalized on the collective vulnerabilities of individuals and businesses to target critical infrastructure.
The list goes on.
In our 2020 Webroot Threat Report, our security experts made a series of predictions related to the threat landscape. Let’s revisit some of these predictions to see how close we came.
What small and medium-sized businesses (SMBs) encountered
Tyler Moffitt, security analyst at Carbonite + Webroot, OpenText companies, reinforced the likelihood that, “SMBs will continue to be targeted: they have lower budgets and scarce security staff, making them attractive targets.”
Over the course of the last year, “SMBs continued to be the prime target of ransomware authors. Although they have clearly attacked organizations of all sizes, small businesses do appear to be the most targeted,” says Moffitt.
Is the threat landscape more of the same?
Grayson Milbourne, security intelligence director at Carbonite + Webroot, predicted that in the coming year, “Expect to see more attacks against less-developed nations—not to generate revenue, but rather to disrupt and destroy.”
However, in the last 12 months, “We witnessed law enforcement fighting back at the infrastructure of ransomware operators, like Emotet, which was taken offline early in 2021. Cybercrime is no longer a punishment-free crime.”
Milbourne also remarked last year that, “Deepfakes are going to become a major threat. As the technology develops, anyone could make a fake video of someone else saying something they did not and could effectively weaponize it for malicious (or political) purposes.”
“One prime example that occurred this year involved an Australian news deepfake. The deepfake showcased a bogus discussion of an obscure cryptocurrency that helped to bolster financial gains for the currency. A very clever technique,” says Milbourne.
Infrastructure as a target
Matt Aldridge, lead solutions consultant at Carbonite + Webroot, forecasted, “All forms of the energy sector will continue to be at serious risk. In addition, service providers make very lucrative targets for attackers, as they are a single point of entry into many businesses. Executives will continue to be the targets of BEC attacks, which will continue to evolve in sophistication.”
Unfortunately, the Colonial Pipeline ransomware attack in particular bore this prediction out. “We’ve also seen cyberattacks facing the energy sectors in Slovakia, Norway, France, Puerto Rico and South Korea, among others. All forms of the energy sector will continue to be at serious risk,” says Aldridge.
Where do we go from here?
Our increasing reliance on information technology has provided a climate for malicious actors to take advantage. This underscores the importance of being fully prepared for when a cyberattack or natural disaster affects your business. Milbourne projects more software-based ransomware supply chain attacks. Ransomware, unfortunately, is only the beginning. Businesses that want to remain operational and secure need to modernize their information technology and security infrastructures. This helps to mitigate potential litigation and fines.
Moffitt adds, “With privacy regulations like GDPR and CCPA in full effect, we are likely to see ransomware threatening to leak important customer data to increase the likelihood that businesses will pay, even if they have adequate backups in place and don’t need the files back.”
With all this in mind, it is important to manage and protect your business. In the 2021 Webroot BrightCloud® Threat Report, we illustrate how securing and protecting your business doesn’t have to be overwhelming.
With the right combination of backup, training and protection, businesses can collectively create a comprehensive and integrated approach to tackle evolving threats. By adopting a cyber resilience posture, businesses small and large can mitigate risks in the ever-changing cyber threat landscape. This multi-layered approach not only bolsters your brand, but also increases customer loyalty and improves the customer experience. A definite win-win.
When the Institute for Security & Technology’s Ransomware Task Force published its report on combatting ransomware this spring, the Colonial Pipeline, JBS meatpacking and Kaseya VSA attacks were still around the corner.
Nevertheless, the report took the danger presented by ransomware to both businesses and global security for granted. Already in 2020, according to the report:
- 2,400 governmental agencies, healthcare facilities and schools had been hit with ransomware
- $350 million had been paid out to ransomware actors, a 311% increase over 2019
- It was taking 287 days on average for a business to fully recover from a ransomware attack
Even without what we now know – that 2021 would feature some momentous ransomware attacks against physical and IT infrastructure – the report’s expert authors recognized the threat was dire. That led to them devising a “comprehensive framework for action,” policy recommendations, in other words, for tackling the threat.
“The immediate physical and business risks posed by ransomware are compounded by the broader societal impact of the billions of dollars steered into criminal enterprises, funds that may be used for the proliferation of weapons of mass destruction, human trafficking, and other virulent global criminal activity.” -Ransomware Task Force, IST
While many of these would fall to law enforcement, U.S. and international governments to enact, the report makes for fascinating reading for anyone interested in ransomware. It also provides a number of helpful tips businesses of all sizes can enact to protect themselves against ransomware.
A key recommendation throughout is that businesses’ anti-ransomware policies “should be consistent with existing cybersecurity frameworks,” like those released by NIST, “but specific to ransomware.”
Luckily, it wouldn’t be long before NIST would publish its ransomware-specific recommendations for businesses. It just so happens, their recommendations look a lot like our cyber resilience framework.
Meeting NIST benchmarks
Earlier this summer, NIST released updated tips and tactics for dealing with ransomware.
The recommendations are split between actions users can take to avoid infection and those businesses can take to quickly recover in case they’re compromised. This dual-focus approach to prevention and recovery aligns neatly with cyber resilience best practices (and similar thinking influenced our product roadmap).
On the preventative side, NIST advises:
- Using antivirus software at all times
- Keeping computers fully patched with security updates
- Using security products or services that block access to known ransomware sites on the internet
- Configuring operating systems or using software allowing only authorized applications to run
- Restricting or prohibiting the use of personal devices for work
It’s worth noting that blocking access to known ransomware sites is a recommendation that can be accomplished with network-level security. When paired with the strong recommendation to use antivirus software at all times, NIST’s recommended prevention measures already cover two key areas of focus in a cyber resilience strategy: endpoint security and network protection.
On the recovery side, NIST urges the following:
- Develop and implement an incident recovery plan with defined roles and strategies
- Carefully plan, implement and test a data backup and restoration strategy
- Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement
Another core aspect of cyber resilience is the ability to recover data and return to business in the event of an attack. While natural disasters and unplanned outages were once the focus of these contingency plans, ransomware’s current popularity is another reason to ensure backup and recovery are accounted for.
NIST notes the importance of making sure backups are isolated from one another to prevent infections from spreading between them. For more information on configuring backups and meeting NIST’s other backup guidelines, check out our guide to disaster preparation, recovery and remediation.
Don’t overlook security awareness training
One aspect of ransomware prevention not mentioned by NIST is the importance of security awareness training. The RTF report cites a lack of understanding among business leaders as a contributing factor to ransomware’s success and lists increasing knowledge of the problem among its objectives.
But, perhaps because it’s seen primarily as a phishing-related problem as opposed to a ransomware-related one, NIST’s tips do not mention user education. We recommend this be added as a key component of a comprehensive ransomware protection plan – or any cyber resilience strategy, for that matter.
In a report by insurance firm Hiscox, phishing was by far the number one method of infiltration in ransomware attacks. Our data show that regular, ongoing training can help cut phishing by up to 72%. To tackle the root cause of ransomware infections, security awareness training should be considered an essential element of a cyber resilience strategy.
If you attended Black Hat this year, you couldn’t avoid the topic of supply chain attacks. From keynotes to vendor messaging to booth presentations, they were a ubiquitous topic in Las Vegas this year.
Supply chain attacks are cyberattacks targeting an upstream vendor for the ultimate purpose of compromising one or more of its customers. Cybercriminals are aware that, by compromising updates from trusted vendors, they can easily bypass installed security software to infect all customers that install it.
Essentially, compromising a software vendor allows damage to cascade down the supply chain to another supplier – a consequence sometimes known as the “waterfall effect” – to increase collateral damage against multiple targets.
Black Hat founder Jeff Moss even began this year’s conference with a few words about software supply chains.
“We all rely on the software supply chain,” he said. “We’re building tools and systems based on it. We’re trusting it. We’re hoping that people in the supply chain…are doing things to help everyone else in the supply chain. Because, if they don’t, everything we do is potentially vulnerable.”
“We all depend on the supply chain being fully immunized,” he continued, “and it’s not there yet.”
Now, “not there yet” is putting it mildly. A few recent, high-profile attacks bear recalling to demonstrate the scope of the problem.
For many within cybersecurity, the SolarWinds attack by what are widely believed to be state-sponsored cybercriminals was the most significant supply chain attack since the CCleaner attack of 2018 and a worrying reminder of the damage made possible by the tactic.
SolarWinds is a Texas-based IT management platform that unknowingly pushed a Trojanized update to a large portion of its some 300,000 customers. It’s believed that the attackers concealed their presence within the victim’s network for some time to ensure they could carefully select their next targets and preserve time for intelligence gathering.
While not widely known at the time, it’s now assumed that this wide-net attack was ultimately an effort to compromise a handful of high-value intelligence and governmental agencies. Second-stage infections were then pushed against these targets, plus some of the world’s most influential technology vendors.
Critically, this type of espionage-inspired cyberattack differs a great deal from moneymaking practices embraced by for-profit hacking groups. These broadly targeted attacks against suppliers cause widespread disruption without obviously disrupting a specific target.
Another supply chain attack targeted Codecov, a software development firm that makes tools for developers, in January 2021. Investigators told the newswire service Reuters that attackers were able to use the access they’d gained to breach hundreds of Codecov customers.
As was the case with SolarWinds, compromising Codecov may have presented access to other software vendors, which could have initiated the waterfall effect described earlier. The firm counts among its clients giants like IBM, Hewlett Packard and Atlassian.
The infosec researcher Matt Tait, who spoke at this year’s Black Hat on the topic of supply chain attacks, called the Codecov compromise an instance of high-volume disruption based on indiscriminate targeting.
According to the company, information stolen from customer devices was then sent to a third-party server outside of Codecov’s control, suggesting that espionage may have once again been the end-goal of the attackers.
Perhaps the most far-reaching supply chain attack conducted by a non-state actor in the history of the tactic took place this July. This time, Kaseya, one of the world’s largest IT management platforms, was compromised by the Russia-based hacking group REvil. Unlike the SolarWinds and Codecov attacks, this one included a ransomware stage meant to deliver financial rather than intelligence returns for the attackers.
REvil targeted Kaseya’s remote monitoring and management (RMM) solution, known as Kaseya VSA, which is used to manage client machines from afar. Again, targeting was indiscriminate, but unlike with espionage actors, the ransomware gang could focus on maximizing financial returns of the attack rather than trying to avoid detection.
Describing the impact of this attack, the USC Berkeley infosec researcher Nicholas Weaver noted that, “Each victim is a small-to-medium-sized business that is going to, at best, find its computers unusable and, at worst, have all their data lost forever.”
In terms of the cascading effects of a supply chain attack, the Kaseya VSA compromise hit MSPs and their small business clients especially hard.
Like a technology that advances through state-sponsored R&D but then becomes available to a wider public, recent supply chain attack techniques were honed by state-backed actors but have now been adopted by more run-of-the-mill ransomware actors. This is bad news for MSPs.
While agencies like the FBI and CISA have been warning for some time that MSPs are likely targets of advanced persistent threats (APTs), the Kaseya attack seems to have crossed a threshold. The problem is a significant security challenge, and one that some think only vendors can solve.
But there are a few measures MSPs can take to enhance their defenses against supply chain attacks. These include:
- Layer cybersecurity defenses for both you and your clients. Supply chain attacks commonly evade defenses by sneaking in with a trusted update. But after the initial compromise, network controls such as egress filtering and blocking of known-malicious IP addresses and domains can cut off the attacker’s command-and-control traffic and limit the damage.
- Mandate two-factor authentication (2FA) wherever possible, starting with the RMM and other administrative consoles that hold the keys to client environments. While 2FA isn’t the end of security issues, it makes things more difficult for cybercriminals at every turn.
- Monitor for anomalous network traffic. Be wary of communications with previously unseen IP addresses, unusual application traffic, large outbound transfers and other out-of-the-ordinary happenings on your network. Consider following these steps to reduce the time to detection if a compromise does occur.
- Push patches and updates with urgency. Vulnerabilities in management tooling, including zero-days that only get a fix after they’ve been exploited, often play a key role in the spread of supply chain infections. MSPs can’t patch a zero-day before the vendor does, but applying fixes the moment they’re released is an actionable step that protects both MSPs and their clients.
- Back up everything. One of the most surefire ways of reducing the leverage an attacker has over you and your clients is keeping multiple backups of critical business data. Cybercriminals can’t be trusted to restore data even after a ransom is paid, so don’t be left relying on them.
- Test your backup plan. The day disaster strikes is not the time to discover if your disaster recovery plan is well designed. Instead, simulate a worst-case scenario ahead of time and see if any gaps emerge.
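The “monitor for anomalous traffic” item above describes a check rather than showing one. Here is an added example, written for this page and not code from the original post or from any vendor it mentions, of that check in Python: it learns the set of external destinations seen during a known-good baseline window, then flags connections to destinations absent from that baseline as well as unusually large outbound transfers. The log format, the internal address ranges and every sample line are constructed for the illustration; a real firewall or proxy export will need its own parser.

```python
"""
Added example (not from the original post): flag outbound connections to
destinations never seen during a baseline period, plus unusually large
outbound transfers. Log format and sample lines are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Internal ranges for this (hypothetical) MSP network. Traffic to these is not
# treated as an external destination. Adjust to the networks you manage.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records in a simplified format:
#   <timestamp> <source_host> <destination_ip>:<port> <bytes_out>
# A known-good window of traffic used to learn which destinations are normal.
BASELINE_LOGS = [
    "2021-06-24T09:00:01Z ws-01 93.184.216.34:443 1200",
    "2021-06-24T09:00:05Z ws-02 93.184.216.34:443 980",
    "2021-06-24T09:01:10Z ws-01 151.101.1.69:443 4100",
    "2021-06-25T11:02:00Z srv-01 151.101.1.69:443 2048",
    "2021-06-25T11:03:00Z ws-03 10.0.0.5:445 50000",
]

# Constructed traffic from the night of a suspected compromise.
NEW_LOGS = [
    "2021-07-02T03:12:00Z ws-01 93.184.216.34:443 1100",
    "2021-07-02T03:12:30Z ws-01 198.51.100.23:8443 2300000",
    "2021-07-02T03:13:00Z srv-01 203.0.113.77:443 900",
    "2021-07-02T03:14:00Z ws-02 10.0.0.5:445 1200",
    "2021-07-02T03:15:00Z ws-03 151.101.1.69:443 700",
    "malformed line that should be skipped",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+):(\d+) (\d+)$")


def parse(line: str) -> Optional[Dict]:
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(lines: List[str]) -> Set[str]:
    """Collect every external destination IP seen during the baseline window."""
    seen: Set[str] = set()
    for line in lines:
        rec = parse(line)
        if rec and not is_internal(rec["dst"]):
            seen.add(rec["dst"])
    return seen


def find_anomalies(lines: List[str], baseline: Set[str],
                   upload_threshold: int = 1_000_000) -> List[Dict]:
    """Flag external destinations absent from the baseline and large outbound transfers."""
    alerts: List[Dict] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        reasons = []
        if not is_internal(rec["dst"]) and rec["dst"] not in baseline:
            reasons.append("destination not seen in baseline")
        if rec["bytes"] >= upload_threshold:
            reasons.append("outbound transfer of %d bytes exceeds threshold" % rec["bytes"])
        if reasons:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                           "port": rec["port"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    known = build_baseline(BASELINE_LOGS)
    for alert in find_anomalies(NEW_LOGS, known):
        print(alert["ts"], alert["src"], "->", "%s:%d" % (alert["dst"], alert["port"]),
              "; ".join(alert["reasons"]))
```

Run against the constructed data, the script raises two alerts: the 2.3 MB transfer from ws-01 to 198.51.100.23 (never seen before and over the size threshold) and the connection from srv-01 to 203.0.113.77 (never seen before). The known destinations and the internal SMB traffic stay quiet. The baseline should be rebuilt periodically from traffic you have reason to trust; a baseline learned while an implant is already beaconing will treat that beacon as normal.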
As global cybercrime collectives continue to experiment with supply chain attack techniques, we should expect more indiscriminate, wide-net infections to make headlines. To avoid passing these infections along to their clients, vendors must take the lead in securing their products and processes. But MSPs aren’t helpless in protecting themselves and their clients.
The issue at the heart of ransomware insurance will be familiar to most parents of young children: rewarding bad behavior only invites more of the same, so it’s generally not a good idea. But critics of the ransomware insurance industry argue that’s exactly what the practice does.
Ransomware insurance has by now long been suspected of excusing lax security practices and inspiring confidence among cybercriminals that they’ll receive a timely payment following a successful breach.
Exactly how widespread ransomware claims by businesses are is difficult to determine since companies don’t exactly jump at the chance to discuss their run-ins with ransomware publicly. But it’s safe to assume that claims have risen alongside an undeniable surge in ransomware attacks.
Another issue with the cyber insurance industry stems from the fact that paying a ransom is no guarantee that data will be returned. In our recent report on the hidden costs of ransomware, nearly 20 percent of respondents were not able to recover their data even after making an extortion payment.
The Paris-based insurance giant AXA broke new ground this year by announcing it would stop writing policies in France that reimburse ransomware payments, citing a lack of guidance from French regulators about the practice. It’s worth remembering that the FBI “does not support paying a ransom in response to a ransomware attack.”
So, if U.S.-based insurers were to follow AXA’s logic, they too would stop covering ransomware payments. So far, few have. For now.
Doomed to be a short-lived sector?
The industry publication InsuranceJournal.com recently wrote in a post on its site that “pressure is building on the industry to stop reimbursing for ransoms.” Before ransomware went rampant, the article notes, cybersecurity insurance was a profitable sub-category of the insurance business as a whole. But those days may be numbered. The sector is now “teetering on the edge of profitability” according to the post’s author.
It’s well known within cybersecurity circles that ransomware actors research potential targets to determine whether they are insured. Finding a policy is hardly a deterrent; if anything, it increases the likelihood that a payment will be made.
It winds up being a self-reinforcing cycle. As ProPublica wrote in its study of the industry, “by rewarding hackers, it encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying policies.”
A commonly cited defense of ransomware insurance is that policies protect not only against the cost of the ransom, but also against knock-on expenses like downtime, reallocation of tech resources and reputational damage. We know from our own research that these costs can be significant, so there’s some validity to this argument.
But the real question the cyber insurance industry needs to answer is whether it can ever again be profitable. A recently released paper from the British defense think tank Royal United Services Institute (RUSI), titled Cyber Insurance and the Cyber Security Challenge, identified this as one of the key challenges to the industry’s viability.
That paper found that “there is arguably too little global premium to absorb losses from a systemic event.” In other words, the next NotPetya could sink the industry.
Ransomware on the whole has caused losses in the cyber insurance industry, not least because, “unlike the majority of risks insurers cover, ransomware attacks are both a high-impact and a high-probability risk.”
Addressing cybersecurity insurance shortfalls
Importantly, the RUSI paper ultimately reported that it was unable to find empirical evidence that “cyber insurers may be unintentionally facilitating the behavior of cybercriminals by contributing to the growth of targeted ransomware operations.” While that finding undermines arguments that cyber insurers are a boon for ransomware actors, it doesn’t speak to the question of viability.
As with any nascent industry, ransomware insurance vendors have some tough issues to grapple with concerning how they do business. The “race to the bottom,” which RUSI describes as a combination of cheap premiums and loose restrictions on underwriting (not requiring basic cybersecurity measures as part of the deal, for example), represents the real risk to the industry.
It’s possible cyber insurance companies could drastically reduce claims by mandating a cyber resilience posture as a condition of coverage. Like the higher life insurance premium a career stunt performer pays, organizations without robust cybersecurity in place (defenses plus backup and restoration capabilities) could be made to foot a higher bill. While this is already standard practice among many insurers, industry regulation may be required to prevent the opening of a market for insurers with more lax baseline cybersecurity requirements.
At the very least, insurers should insist on three core elements of cybersecurity strategy before underwriting:
- Endpoint and network level security to guard against attacks. Devices secured with endpoint protection and networks secured by DNS filtering or firewalls should be the bare minimum requirement for protecting against ransomware attacks. Without them, ransomware actors are being invited in the front door.
- Mandated ongoing security awareness training for employees. User-enabled breaches remain one of the most common causes of a successful ransomware attack. Unless end users’ tendency to fall for phishing and other social engineering attacks is addressed, ransomware actors may find the front door locked but know there’s a good chance someone on the inside will open it for them.
- Proven data backup and security protocols. Maintaining complete copies of mission-critical data is one of the simplest ways to undermine ransomware actors. By collectively removing this key piece of leverage, organizations can go a long way toward normalizing the non-payment of ransomware demands, easing the burden on cyber insurers.
Making the above the minimum standard for organizations would both minimize the damage caused by ransomware actors and increase the viability of ransomware insurance as an industry. By prioritizing cyber resilience over any one category of security, businesses can prevent breaches and get back to work easier when they do occur.
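Both the MSP checklist earlier in this page (“Test your backup plan”) and the third underwriting requirement above (“proven data backup”) turn on the same question: can you demonstrate that what comes back from a restore is what went in? Here is an added example, written for this page and not code from the original posts or any vendor they mention, of a restore test in Python. It records a SHA-256 manifest of a source tree, then checks a restored copy against it and reports files that are missing, corrupted or unexpected. The source tree, the restored copy and the deliberate defects in it are all constructed inside a temporary directory so the script runs anywhere.

```python
"""
Added example (not from the original posts): verify a restored backup against
a SHA-256 manifest taken from the source. The trees and the faults in the
restored copy are constructed in a temp directory for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative, forward-slash path) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree to the manifest; report missing, corrupt and extra files."""
    result: Dict[str, List[str]] = {"missing": [], "corrupt": [], "extra": []}
    restored_manifest = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in restored_manifest:
            result["missing"].append(rel)
        elif restored_manifest[rel] != digest:
            result["corrupt"].append(rel)
    result["extra"] = sorted(set(restored_manifest) - set(manifest))
    return result


def demo() -> Dict[str, List[str]]:
    """Build a source tree, simulate a faulty restore, and return what the check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"
        (src / "finance").mkdir(parents=True)
        (dst / "finance").mkdir(parents=True)

        # Constructed "production" data.
        (src / "finance" / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (src / "notes.txt").write_bytes(b"quarterly notes\n")
        (src / "config.ini").write_bytes(b"[db]\nhost=db01\n")
        manifest = build_manifest(src)

        # Simulated restore: ledger intact, notes.txt truncated, config.ini never
        # restored, and a stray temp file that was not in the backup set.
        (dst / "finance" / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (dst / "notes.txt").write_bytes(b"quarterly")
        (dst / "stray.tmp").write_bytes(b"")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    findings = demo()
    for kind, files in findings.items():
        print("%-8s %s" % (kind + ":", ", ".join(files) or "none"))
```

In practice the manifest is written at backup time and stored separately from the backup itself, so that an attacker who tampers with the archive cannot also rewrite the record it is checked against. A restore test that only confirms the job “completed” would have passed the truncated notes.txt and the missing config.ini above; a manifest comparison does not.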
A cyber resilience strategy
“I have used a lot of different security products over the years, and I get approached by a lot of vendors,” says Pedro Nuñez. As president and CEO of New England based MSP IT Management Solutions, Nuñez is always on the lookout for products that go beyond just a traditional security operations center.
That’s what led him to work with Webroot® Business Endpoint Protection.
“To make any kind of difference, you need a way to mitigate a security incident automatically.” It’s not enough to just monitor his clients’ networks and notify him if there’s a security incident. If that’s all a tool can do, it’s then up to his team to manage every incident manually – even the smallest ones.
And with over 85 clients, Nuñez needs time to focus on the most serious threats. The automation that comes with Webroot and its integration with Blackpoint Cyber means his clients’ endpoints, networks and even IoT devices are monitored for any anomalies. Once something is noticed, there’s no delay in automatically hunting down the threat.
“We effectively save up to 40 help desk hours a week, sometimes more” with the managed detection and response from Webroot.
That means when there’s a persistent attack on a server or when a client falls victim to a phishing attack, he has a head start on tackling the problem.
Protection in practice
Recently one of Nuñez’ clients, a municipality in Massachusetts, was targeted by a hacking group based out of Romania. The municipality was particularly vulnerable because of their old and out-of-date systems.
“The city would have been overrun with ransomware, but we started getting alerts right away from Webroot and Blackpoint,” Nuñez remembers. Since there was no delay in responding to the attack, he was able to get the ransomware under control so it couldn’t take over.
Even though it was a persistent attack, the security controls held up. The incident created thousands of tasks on individual devices, and it took weeks to fully stop. But in the end, the city experienced virtually no downtime. “There are a lot of city systems that can’t afford to go down, so making it through the attack without downtime . . . was a major win,” says Nuñez.
Businesses make their own luck
The next town over was also hit, but their security didn’t hold up. Their data was stolen, and they ended up having to pay a ransom. Smiling, Nuñez says that “The city that was my client can consider themselves lucky. But really, it wasn’t luck.”
His hands-on approach combined with the right tools saved his client from suffering a major incident.
For IT Management Solutions, the next step is end user training. After all, Nuñez notes, if no one had clicked the malicious email, the ransomware attack could have been prevented.
Watch Pedro Nuñez, President and CEO of IT Management Solutions, talk about his approach to cybersecurity.
Updated November 23, 2021
Dutch, Spanish and French were just the beginning of expanded language offerings from Webroot Security Awareness Training, with German and Portuguese added as of November, 2021! Stay posted to learn about expansions to more languages coming in the future.
A Global Challenge
The steady stream of cyberattacks seen throughout 2019 turned into a torrent over the last year – ransomware, phishing scams and data breaches are now at an all-time high. Of course, the growing cybersecurity threat isn’t contained to just one country. The effects are being felt the world over.
The National Cybersecurity Agency of France (ANSSI) is trying to tackle the 255% surge in ransomware attacks reported in 2020. Meanwhile, Spain is trying to crack down on malicious actors operating inside the country.
And in a survey of workers in the U.S., Japan, Australia and throughout Europe, 54% say they spend more time working from home now than they did at the beginning of 2020. The blurred lines between home life and work life lead to the use of improperly secured personal devices, with ramifications felt by small, medium and large businesses. Yet with cyberattacks at an all-time high, 63% of companies have kept their cybersecurity training at the same level it was at the end of 2019.
Tackling Cyber Threats
Our networked world connects us to points all over, so it’s no wonder cybersecurity needs to be taken seriously across the globe. The fight against these threats is complicated, but most successful attacks share a common vector – the human factor.
Because of this shared element, security experts know where to focus their energy. In fact, research shows that Webroot® Security Awareness Training improves cyber resilience and helps defend against cyberattacks.
The truly global nature of cyber threats is why Webroot is expanding its language offerings for our Security Awareness Training. This training helps employees keep security top of mind so businesses become more secure.
Now offered in Dutch, Spanish, French, German, and Portuguese, our Security Awareness Training features native narration throughout. Other available options offer courses with only translated captions overlaid on existing content while our trainings convey important security information in an engaging experience.
Why Training is Critical
Often, attackers have a built-in advantage when they zero in on a target – they can practice. They can probe for different ways in and try a variety of tactics, like email attacks or SMS and voice phishing. And they only need to be successful once.
That’s why training is such a critical part of security. It levels the playing field by letting end users practice what they learn while they discover how to keep themselves and their business safe.
In March of 2020 schools throughout the United Kingdom closed their doors to try to stem the spread of the coronavirus. In addition to disruptions to the lives of students and their families, the pandemic put unprecedented pressure on IT departments across the UK and wider world.
Notoriously strapped for resources, many schools’ IT departments found themselves without access to server rooms and no way to troubleshoot for students and staff when grading, learning and teleconferencing applications encountered problems.
This was the situation unfolding around the UK in 2020, and it is why CloudHappi began searching for a solution for its clients. CloudHappi is a London-based provider of IT solutions tailored for the education sector. Determined to provide the best learning experience possible for remote students, the company began exploring opportunities for shifting the IT burden from on-premises servers to the cloud.
Unfortunately, many of the earlier solutions CloudHappi explored took up to 15 days to perform a complete migration, an unacceptable timeline for schools looking to establish some sense of normalcy as soon as possible. After finding Carbonite and its server migration solution, however, the company was able to perform a complete migration for its first school within a single day.
As a result, IT operations for the school experienced fewer disruptions, applications were easy to access and unfortunate circumstances for students were made a little easier to handle.
Many reasons to migrate
Schools across the UK and United States are planning to open in the fall, notwithstanding uncertainty caused by the spread of the virus’s Delta variant. Vaccinations in much of the world are prompting workers to return to offices and life to start to resemble its pre-pandemic state in many ways.
But in other ways, it may never again. By some estimates, less than 35% of workers have returned to office spaces. Many companies don’t plan on requiring their workforces to come back at all. Some business leaders see remote work as a net positive, giving them access to larger talent pools, reducing pollution, freeing up time spent commuting for more productive tasks and cutting facilities costs.
Whether driven by downsizing office space or by not renewing leases at all, there’s a good chance this shift in the workforce will require many more migrations from on-premises servers to the cloud. Not unlike the UK schools, IT admins will need access to productivity solutions without a physical space in which to operate them.
Aside from the flexibility of being able to access systems from anywhere, migrating to the cloud entails several knock-on benefits for businesses, whether MSPs or their clients.
- Streamlined management – By offloading server management to a public cloud like Microsoft Azure or Amazon Web Services, businesses capitalize on the economies of scale these companies have built over years of innovation and investment. Given the resources at their disposal, most cloud providers dwarf the capabilities of small IT teams.
- Enhanced security – With mature security policies covering things like firewalls and open ports, and security teams dedicated to uncovering and patching vulnerabilities, public cloud providers often offer better baseline security than small IT teams can. Even though they are bigger targets than a self-managed small business, the resources available to them again give these providers the edge in terms of data security. (The customer still owns the configuration of its own workloads, so a misconfigured cloud server is no safer than a misconfigured on-premises one.)
- High availability – Migrating data to the cloud also makes high-availability data replication practical for small businesses. While large public cloud operations are highly reliable, outages do happen. When they do, a high-availability architecture can quickly fail over to an unaffected server holding a byte-by-byte replica if the original goes down. Without such a solution, to use our example of schoolchildren in the UK, video conferencing software may become inoperable and students unable to learn together. For a business, losing access to certain applications because of a cloud outage can spell disaster; if email systems or customer account portals become inaccessible, the costs mount quickly.
In a sense, COVID-19 accelerated computing trends by years. While much work had been moving to the cloud for some time before the pandemic hit, the sudden need for a distributed workforce heightened its importance overnight. Luckily, migrating offers significant benefits for all types of organizations and looks to be well suited to the workforce of the future.
To learn more about the benefits of migrating to the cloud, visit the Carbonite Migrate page here.
Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the average ransom payment has ballooned to over $200,000.
But the true cost of ransomware can go beyond the headline-grabbing payments. The hit to a business’s reputation can be long lasting, as can the effect of protracted downtime. And over 15% of businesses never retrieve their data. Even more, some companies lose their data even though they pay a ransom.
That’s the bad news. The good news is that we’re gaining a better understanding of how ransomware attacks happen. Learning how ransomware sneaks into our personal and business lives is the key to protecting ourselves.
Risks to Small and Medium Businesses
In episode 1 of Carbonite + Webroot’s new series on ransomware, security experts, futurists and business leaders discuss the risks faced by small and medium businesses.
Before the latest surge of ransomware, some small and medium businesses could get away with thinking they weren’t a target. After all, the largest companies are the ones that can afford to pay the largest ransom payments. But the truth is there are only so many Fortune 500 companies to prey on.
Now, with so many new victims of ransomware, businesses are turning to cyber security experts and asking why they’re a target. The short answer is that they aren’t being singled out. Small businesses fall victim to ransomware because of misconfigured systems, a lack of proper security and human error. In other words, attackers get in by focusing their attention on whatever systems are vulnerable. They look for things like outdated firewalls and unpatched servers because those gaps in security make for easy targets.
Protecting Your Data
Jon Murchison, CEO of Blackpoint Cyber, succinctly sums up why attacks happen, “It’s bad IT hygiene.” He’s seen municipalities attacked repeatedly because of holes in their network. He once fought off six waves of attacks, crediting Webroot’s capacity to hunt down malware and his ability to respond in real time. Without that, he guarantees there would have been a mass ransom event.
That’s why investing in cyber security is so important. With the explosion of ransomware, businesses that don’t protect themselves can easily fall victim. By establishing strong security measures, you can keep your company out of the next ransomware headline.
Acknowledging the Threat
Dr. Kelley Misata, CEO & founder of Sightline Security, says it’s an exciting time for technology, with the proliferation of IoT and mobile devices. But she adds, “people aren’t realizing that by interacting with that technology, they are putting themselves at risk for a cyber security event to happen.”
Dr. Misata has dedicated her career to helping others understand cyber security and teaching them how to adopt best practices in their own lives. Because ransomware attackers look for the easiest target, she tells her clients that “it’s not just how they protect their businesses, it’s how they protect their lives, how they protect their customers, and how they protect those around them.” Ransomware doesn’t just sneak in through our work computers and business servers. If our mobile devices are vulnerable, attackers will break in that way.
First Step in Preventing Ransomware
The first step in preventing ransomware is knowing who it targets and how it sneaks in. Big businesses make headlines, but small and medium businesses are increasingly falling victim to ransomware. And more and more often, ransomware piggybacks on our personal devices to sneak into our business lives.
Taking all this together will help you to focus your efforts when you invest in cyber security. Dive into expert analysis on 2021’s ransomware surge in our YouTube series: Ransomware 2021.