TWIET 446: The Wild Wild West of Cybersecurity

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

I agree with a lot of what was discussed around cyber security and recruitment. Those who know their subject are often lousy communicators and can’t write a decent CV; it might be better to sort out the good CVs and just look at the lousy ones. :rofl: OK, not really, but they shouldn’t be discounted out of hand.

As to the subject of insurance not paying out on crypto and other cyber attacks, I think this is a positive move. As long as the executives think, “oh, we’ve got insurance for that,” there won’t be any improvement. With health and safety, they have insurance for employee compensation, but they also have legal restrictions and guidelines on health & safety, and if they break those rules, they will be fined, which shouldn’t be covered by the insurance, and possibly the insurance won’t pay out, if the employer was negligent. This needs to move over into cyber security.

Accidents can happen, but if even the most basic precautions haven’t been taken, the insurance shouldn’t be paid out and the company should face prosecution under data protection laws. Only once they’ve taken things seriously and still fallen afoul of a zero day, that they had no chance of protecting against, should the insurance cover them.

Old and outdated equipment was the attack vector? Only got themselves to blame, no payout. Lack of employee training led to the user opening a phishing email and letting the attacker in? No payout.

Data leaked as part of the attack? Under GDPR, that should lead to a hefty fine.

If the equipment is all up-to-date, the employees have been trained and the attacker used some new, refined attack, yes, that is genuine bad luck and should be covered.

But executives shouldn’t be rewarded for corporate negligence.

And, as to backups, regularly test them! Do a full restore of key machines or restore some random files from a file server on a regular basis, to ensure that the backups are working. If you don't test, you only have a process, but you can't say you have any backups!

Jim made an off-hand remark about Colonial and if they had had a proper backup, it wouldn’t have taken 12 days to recover…

Partly true, but:

  1. How long had the encryption been going on in the background? Did they have to go back several generations to find some files?
  2. You cannot just restore the data and carry on, business as usual after a ransom attack. You need to:
    a. replace all affected systems with fresh, known-good ones. That means at least a new OS image and fresh software install, before restoring the data.
    b. possibly replace physical hardware - one friend of mine was contacted by the German equivalent of the NSA and was informed that his servers had turned up on a dark net forum (i.e. IP addresses and information about the server, OS and credentials). Their advice was to shred the old system and install a new server!
    c. Once the new systems have been set up, you can go through your backups and restore the data.
    d. Before you go back online, you need to ensure everything is patched and any security holes that let the old attack through have been closed.
  3. You need to thoroughly test the restored data, to ensure it is complete. Any missing data needs to be re-entered by hand.

Only once all of that has been done, are you really back up and running.

And it isn’t just the servers, you need to thoroughly check every device on the network. Is the malware sitting on a PC, tablet or industrial controller somewhere, just waiting to strike again?

You might be able to recover the data in a few hours, but having a trustworthy and working system is going to take days, no matter how good your backups are.

Brian made a good observation, that the US is looking to treat cyber attacks as terrorism. That is a good start.

He also said that maybe companies should be required to report attacks. That is already the case in Europe for any local or multinational company: if their data is compromised (and if the attacker had enough access to the network to encrypt the data, the data is compromised), they have 72 hours to report the attack to the relevant data protection authorities. Failure to report leaves them liable to fines of 25M€ or 4% of world-wide turnover, whichever is the greater.
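The post above makes two practical points: test backups by regularly restoring a random sample of files, and after an incident verify that restored data is actually complete before declaring yourself back up. The script below is an added example (not code from the TWiET episode or from the poster) showing how such a spot-check can be automated: a manifest of file digests is recorded at backup time, a random sample is restored, and each restored file is compared against the manifest so that silent corruption and missing files both surface. The backup store, the manifest, the `restore_from_backup` stand-in and all file contents are constructed in memory for illustration; a real job would call the backup tool and write to scratch storage.

```python
"""Spot-check a backup by restoring a random sample of files and
comparing their hashes against a manifest taken at backup time.

Added example, not code from the TWiET episode or the forum post.
All data below is constructed; restore_from_backup() is a stand-in
for whatever restore call the backup system actually exposes.
"""
from __future__ import annotations

import hashlib
import random
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: the live files as they were when the backup
# was taken. The manifest (path -> digest) is built from them and kept
# separately from the backup so the backup cannot vouch for itself.
ORIGINAL_FILES = {
    "finance/ledger-2021.csv": b"date,account,amount\n2021-05-07,ops,1200\n",
    "hr/policies.txt": b"Phishing awareness training is mandatory.\n",
    "eng/plc-config.ini": b"[plc1]\nmode=auto\n",
    "eng/runbook.md": b"# Restore runbook\n1. rebuild host\n2. restore data\n",
    "legal/processing-register.txt": b"processing register v3\n",
}
MANIFEST = {path: sha256_hex(data) for path, data in ORIGINAL_FILES.items()}

# Constructed backup contents with the two failures a sample restore
# should catch: one file silently altered, one file missing entirely.
BACKUP_STORE = dict(ORIGINAL_FILES)
BACKUP_STORE["eng/plc-config.ini"] = b"[plc1]\nmode=manual\n"
del BACKUP_STORE["legal/processing-register.txt"]


@dataclass
class RestoreReport:
    checked: list[str] = field(default_factory=list)
    ok: list[str] = field(default_factory=list)
    corrupted: list[str] = field(default_factory=list)
    missing: list[str] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        # A backup only counts as verified when every sampled file
        # restored and matched its recorded digest.
        return not self.corrupted and not self.missing


def restore_from_backup(path: str) -> bytes:
    """Stand-in (assumption) for the backup tool's restore call."""
    if path not in BACKUP_STORE:
        raise FileNotFoundError(path)
    return BACKUP_STORE[path]


def verify_backup_sample(manifest, restore, sample_size, seed=None) -> RestoreReport:
    """Restore `sample_size` randomly chosen files and compare digests.

    Random sampling exercises a different slice of the backup on every
    run, so over repeated runs the whole set gets covered without a
    full restore each time. Pass sample_size >= len(manifest) for a
    full check, e.g. after an incident before going back online.
    """
    rng = random.Random(seed)
    report = RestoreReport()
    paths = sorted(manifest)
    for path in rng.sample(paths, min(sample_size, len(paths))):
        report.checked.append(path)
        try:
            data = restore(path)
        except FileNotFoundError:
            report.missing.append(path)
            continue
        if sha256_hex(data) == manifest[path]:
            report.ok.append(path)
        else:
            report.corrupted.append(path)
    return report


if __name__ == "__main__":
    report = verify_backup_sample(MANIFEST, restore_from_backup, sample_size=3, seed=7)
    print("checked:  ", report.checked)
    print("corrupted:", report.corrupted)
    print("missing:  ", report.missing)
    print("PASS" if report.passed else "FAIL: backup cannot be trusted")
```

Run it as a scheduled job with a small `sample_size` for the routine check the post recommends, and with `sample_size` equal to the manifest length for the complete post-incident verification. Keep the manifest outside the backup set itself, otherwise an attacker who can alter the backup can alter the evidence too.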