Our reliance on technology for almost everything makes understanding cybersecurity more important than ever. Data breaches and cyber attacks are on the rise, but knowing the basics can help protect yourself and your organization.
In an episode of TheCybersecurityInsider.com podcast, Yigal Behar engaged in a free-flowing conversation with Seth Melendez, owner of WareGeeks Solutions, and Steve Magnani, cybersecurity consultant at Altria.
Their discussion touched upon cybersecurity topics: Military Leaks, Data Breaches, Backup And Recovery, Ransomware, NIST SP 800, and more.
US Military Leaks, Misinformation & the Ongoing Cyber War
The discussion kicked off with the recent leak of classified U.S. intelligence documents. The leaked documents detailed Ukraine’s combat capabilities and U.S. analysis on China and other nations.
The leaked documents first appeared on the Discord platform, shared by a user on a server called Thug Shaker Central (ref), and then ended up on a second Discord chatroom, known as End of Wow Mao Zone (ref).
Seth worried about the potential for misinformation within such leaks, stating, “You never know what’s going on with these intelligence agencies.”
Both Yigal and Seth recognized that this incident was part of the ongoing cyber war between nations, each constantly trying to gain intelligence on the other. The leak, while serious, is not seen as a cause for panic, as both nations are already investing heavily in cyber warfare. “They’re already mad, they’re already trying to go after us,” said Seth.
KFC Breach Fallout
The conversation then shifted to the fallout from a January breach at KFC, which forced the closure of 300 UK locations (ref). Seth pointed out that the breach stemmed from the same issues cybersecurity professionals constantly preach about: weak passwords and outdated systems.
New Jersey Police Department Ransomware Attack
During the discussion about data breaches, they broke the news about a ransomware attack on a New Jersey county police department. Seth emphasized the need for mechanisms to stop such attacks quickly and the role of backups in recovery. “If they don’t have backups, they’re screwed,” he warned.
Recovery Time Estimates
To drive the backup and recovery point home, Yigal discusses the challenges of recovering data from USB backups.
Here are some of the key takeaways:
- It would take a while to recover from USB backups for a 100 GB backup.
- It would take an entire year to recover from USB backups, even with USB 2.0 speeds of 480 Mbps, for a 10-15 TB backup.
- Recovering from the cloud would be faster, but the host suggests that shipping the drives to the affected site may not be a realistic option if the original hardware (the enclosure) is not functioning.
According to Yigal, it’s unrealistic to expect to recover large amounts of data so quickly because the process of exporting to drives, shipping, and then restoring would take too long, especially in a time-sensitive recovery situation. “It’s going to take you again days,” he stressed.
So, what’s the solution when such cases arise?
Backup & Recovery Case Studies
Yigal then shared two case studies featuring jewelry stores that experienced data loss.
Jewelry Store with Hardware Failure
A jewelry store experienced an issue with their HP storage system leading to a situation where their virtual machines were no longer accessible. Fortunately, they had backups stored both on-site and on USB drives.
To get everything up and running, Yigal’s recovery team followed a series of steps. Initially, they restored the machines from the on-site backups onto a network-attached storage (NAS) device.
Next, they brought in a VMware host server to the store premises. Finally, they connected the recovered machines from the NAS to the VMware host. This process took around five days to complete.
Yigal and his team convinced the client to have a cloud backup for all their virtual machines, ensuring that the jewelry store could fully resume its operations.
Now, if this was a ransomware attack, Yigal highlighted these key points:
- Backup Option: The backup served as a substitute for paying the ransom. This enables the customer to retrieve their data without giving in to the attackers’ demands.
- Minimal Data Loss: The customer experienced a setback of five days’ worth of data loss compared to the potential loss of paying a huge ransom.
- Cloud Recovery: Although cloud data recovery was considered, the customer had unsuitable applications for cloud hosting. As a result, the data recovery was done on-site. According to Yigal, if the recovery had been done entirely from the cloud, it might have taken around two days instead of five.
Seth asked what did Yigal and his team do to the old equipment. The old equipment was left with the customer “collecting dust”.
Jewelry Store with Ransomware Attack
In another incident, a jewelry store in Georgia was hit by a ransomware attack. Yigal shared that this ransomware incident had occurred during an Exchange server migration project.
The client had an Exchange server that needed upgrading to a recent version. During the migration process, they encountered issues with the Active Directory leading them to rebuild it from scratch. Once the migration issues were sorted out, the IT manager noticed a blue screen on one of the hosts running Microsoft Hyper-V.
It turned out that Yigal and his team discovered a text file indicating a ransomware attack that was demanding payment to regain access to the encrypted data. The ransomware was identified as Eight, a malicious program that’s a variant of the Phobos ransomware. It took 16 hours to detect it and 71 days of remediation.
Not only that, Yigal and the team had shipped a storage device with backup capabilities to the customer as an additional backup measure. But the ransomware had also encrypted the data on this backup storage device. The client’s website was also compromised during that time.
Since the ransomware had encrypted the files, the decryption key was not available. Good thing the client had cyber insurance, but they had to pay the ransom of $25,000 to the hackers to get the decryption key. Even after the recovery, it took Yigal’s team two months to rebuild everything again from scratch which cost another $25,000 from the client’s out-of-pocket expenses.
In this case, here are some key takeaways (or lessons learned):
- On-premises backups are not immune to ransomware: Even having an extra on-premises backup device did not protect the data, as the ransomware was able to encrypt the backups as well.
- Backup media must be regularly tested: The client’s backup tapes had not been used in 10 years, making them unusable.
- Some clients may be hesitant to use cloud backups: Despite Yigal’s recommendation, the client was unwilling to use cloud-based backups and cited trust issues. Overcoming customer concerns about cloud security is important.
- Replace outdated technology: The client was running an older version of Microsoft Hyper-V (2012) for their virtual machines, which created compatibility issues. Seth suggests that as clients’ software gets older (five to seven years), it’s a good idea to increase pricing and to include clauses in contracts that require clients to update their software and hardware. According to Seth, “Once you sign the contract, the argument is no longer there because it’s already in the contract, forcing them to get new equipment and a new OS (operating system).”
- Backup requirements should be contractually defined: Backup requirements should be clearly defined in contracts to ensure customers have a comprehensive backup strategy in place before starting a project. As Seth advised. “Force them to do a backup.”
But how was the ransomware able to get in?
It’s not from accessing porn sites, phishing emails from an African prince, or social engineering. Seth pointed out, “I would assume something was left open—you have a port that was open.” Any device with an open port that’s connected to the Internet is vulnerable to such attacks. Just look up Shodan, which is a search engine for devices with open ports.
Business Resiliency, Disaster Recovery & Access Control
The conversation then moved on to Steve, who shared how he’s helping out at Altria regarding a supplier management program. The program is six years old and needs a refresh.
Steve was analyzing the data stored in Archer (GRC) and performing assessment reviews of various suppliers to Altria.
Yigal asked him what were his key findings during the assessment reviews. According to Steve, the findings include:
- Business Resiliency and Disaster Recovery: Steve stated that this is the biggest area where companies fail.
- Access Control: This is where password management comes in, which is also a major area of concern.
- Vulnerability Assessment Control: This refers to security weaknesses within a system that unauthorized individuals can use to access information or resources. According to Steve, this poses an issue among companies.
- Documentation: Many companies lack documentation for their controls, testing, and other security measures.
Transition to NIST Version 5
The conversation then turned to the struggle of companies transitioning to NIST 800-53 Rev. 5, the latest version of the National Institute of Standards and Technology’s guidelines for securing information systems (ref).
According to Steve, certain companies are opting to delay the switch until next year with some managers prioritizing short-term progress—even if it means postponing full compliance with the latest NIST version.
Regulatory Challenges Facing Banking & Auditing Industries
Speaking of compliance and regulations, Steve noted that the U.S. Securities and Exchange Commission (SEC) has put forward regulations that call for SOC (Service Organization Control) reports to validate controls.
This change is expected to lead to a rise in the workload for consulting companies such as PwC, Deloitte, and others that conduct these audits as they will now be required to validate controls instead of just assessing them.
Steve also discussed the news regarding legal actions being taken against KPMG, Goldman Sachs, JPMorgan Chase, Morgan Stanley, and Bank of America for their audits of Silicon Valley Bank (SVB). The auditors approved the SVB audit two weeks prior despite the bank’s issues (ref).
Furthermore, Yigal touched on concerns regarding stress tests. Federal stress tests only tested banks for interest rates going down, not up (ref). This is why banks passed the tests but still faced issues when interest rates rose unexpectedly. According to Steve, SVB did not have a Chief Risk Officer from April 2022 until the rest of the year (ref).
These series of events evince the need for stronger risk management and compliance, a point echoed by cybersecurity experts like Seth, who wryly noted, “Well if they did it all right, we wouldn’t be employed.”
AI & the Future of Cybersecurity
Steve then moved the discussion to using AI tools, like ChatGPT. Yigal and Seth showed excitement for these tools as they recognized their potential to change the industry.
However, they pointed out that AI won’t fully replace cybersecurity experts, as human expertise and oversight will still be important. Seth surmised, “We’re not going anywhere. Certain parts of the industry may disappear [like] certain low-level coding, certain low-level scripting, but even more intricate coding is not going anywhere.”
Closing Thoughts
The podcast episode ended with a lighthearted chat about the recent Pentagon document leaks, Edward Snowden, and staying alert to the constant changes in cybersecurity threats because as Steve said “we don’t know where it’s coming out next.”For more cybersecurity tips and insights, subscribe to The Cybersecurity Insider podcast (also available on YouTube, Apple, and Spotify).
This time it’s a free conversation with my friends Steve and Seth bringing some new thoughts to you.
Ransomware
Backup And Recovery
NIST 800
and other subjects.
Thanks for watching
@TheCybersecurityInsider
Host – Yigal Behar
