Ransomware – Who is responsible?

Look in the mirror

85 percent of computer and network breaches involved a human element, according to Verizon’s “2021 Data Breach Investigations Report,” while over 80 percent of breaches were discovered by external parties. That is actually good news, because behavior can be changed. Does that mean that if each one of us modified our behavior, this ransomware and breach problem might go away?

Well… Everyone works under some kind of deadline pressure. And if you are like me, you tend to procrastinate. To meet that impending deadline, we have to work quickly. So, when that application or operating system security update pops up, we push it away. Or the I.T. department applies the update, and of course that is the day our assignment, proposal, paper, or whatever is due for presentation or submission. If you work remotely, that’s when you notice that your organization’s system is crawling along slowly or the company network is unavailable. You have already forgotten about, or dismissed, that warning about updating your home or office workstation to the latest security patch. Or the antivirus program that has been interrupting you for days does it again. And that’s when a “Digital Pearl Harbor” is most likely to occur.

Our I.T. staff and the information technology industry can’t fix this on their own. Together with leadership, we can.

There is no silver bullet or firewall that the computer/network security industry can set up to protect you or your organization from yourselves. Again, 85% of the problem is a behavior issue.

When was the last time your immediate supervisor asked whether you saw that operating system security update or antivirus update? When did your boss take an interest in that phishing training offered over lunch or online? Never? Well, there you go. Unless your entire organization takes the appropriate amount of interest, based on its risk management processes, what can you hope to do to fix this? And if you work for yourself at home, or remotely for your company: when was the last time you made sure your computer’s operating system, and the firmware on your cable modem or home router, were updated?

Defend yourself!

Here are some examples of what that means in practice

  • If you receive a message with a link, particularly if it includes a sense of urgency (stating a package is about to arrive or that your credit card is going to be charged), avoid the impulse to immediately click on it.
  • If you trust the linked site, type out the link’s web address manually.
  • If going to a website you frequently visit, save that website in a bookmark folder and only access the site from the link in your folder.
  • If you decide you’re going to click a link rather than typing it out or visiting the site via bookmark, at least scrutinize the link to confirm that it is pointing to a website you are familiar with. And remember that it’s possible you will still be fooled: some phishing links use similar-looking letters from a non-Latin script, in what is known as a homograph attack. For example, a Cyrillic “О” might be used to mimic the Latin “O” we see in English; the browser’s address bar may show the domain in its encoded “xn--” (punycode) form, which is itself a warning sign.
  • If the link appears to be a shortened URL, use a URL expander service such as URL Expander or ExpandURL to reveal the actual, long link it points to before clicking.
  • Before you click a link apparently sent by someone you know, confirm that the person really did send it; their account may have been hacked or their phone number spoofed. Confirm with them using a different communication channel from the one on which you received the message. For instance, if the link came via a text or email message, give the sender a call. This is known as out-of-band verification or authentication.
  • Practice device compartmentalization, using a secondary device without any sensitive information on it to open untrusted links. Keep in mind that if the secondary device is infected, it may still be used to monitor you via the microphone or camera, so keep it in a Faraday bag when not in use — or at least away from where you have sensitive conversations (a good idea even if it’s in a Faraday bag).
  • Use nondefault browsers. According to a section titled “Installation Failure” in the leaked Pegasus brochure, installation may fail if the target is running an unsupported browser and in particular a browser other than “the default browser of the device.” But the document is now several years old, and it is possible that Pegasus today supports all kinds of browsers.
  • If there is ever any doubt about a given link, the safest operational security measure is to avoid opening the link.
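The “scrutinize the link” and “shortened URL” advice above can be partly automated. The following script is an added example, not code from the original article: it decodes punycode (“xn--”) labels back to the characters a browser would display, flags hostnames that mix scripts or consist of Cyrillic/Greek look-alikes of Latin letters (the homograph trick described above), flags a `user@host` prefix that hides the real destination, and flags known URL shorteners. The confusables table, the shortener list and the sample links are constructed for illustration and are deliberately incomplete.

```python
"""Scrutinise a link before clicking: decode punycode, detect homograph
(confusable / mixed-script) hostnames, flag userinfo tricks and shorteners.
Added example; the tables below are constructed subsets, not complete data."""
import unicodedata
from typing import Optional
from urllib.parse import urlsplit

# Constructed, non-exhaustive list of URL shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "buff.ly"}

# Constructed subset of Unicode confusables: non-Latin letters that render
# almost identically to a Latin letter in common fonts.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def decode_host(host: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode a browser would
    display, so the actual characters can be inspected."""
    out = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label as-is
        out.append(label)
    return ".".join(out)


def script_of(ch: str) -> Optional[str]:
    """Script family of a letter ('LATIN', 'CYRILLIC', 'GREEK', ...) taken from
    its Unicode name; None for digits, hyphens and other non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] or None


def skeleton(host: str) -> str:
    """Replace confusable letters with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def analyze_url(url: str) -> dict:
    """Return the displayed host, the Latin host it imitates (if any) and a
    list of warning tags for the given link."""
    parts = urlsplit(url)
    host = decode_host((parts.hostname or "").lower())
    findings = []
    if parts.username is not None:
        # https://paypal.com@evil.example/ -- text before '@' is userinfo;
        # the real host is what follows it.
        findings.append("userinfo-in-url")
    if host in SHORTENER_HOSTS:
        # Real target hides behind a redirect; expanding it needs a network
        # request, which this offline check deliberately does not make.
        findings.append("shortener")
    if not host.isascii():
        findings.append("non-ascii-host")
    for label in host.split("."):
        if len({s for s in map(script_of, label) if s}) > 1:
            findings.append("mixed-script")
            break
    looks_like = None
    sk = skeleton(host)
    if sk != host and sk.isascii():
        looks_like = sk
        findings.append("confusable-lookalike")
    return {"host": host, "looks_like": looks_like, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links of the kind that arrive in phishing messages.
    for link in [
        "https://www.example.com/account",
        "https://xn--pple-43d.com/login",        # Cyrillic 'а' + Latin 'pple'
        "https://\u0430\u0440\u0440\u04cf\u0435.com/update",  # all-Cyrillic 'apple'
        "https://paypal.com@evil.example/signin",
        "https://bit.ly/3abcXYZ",
    ]:
        print(link, "->", analyze_url(link))
```

Note that the all-Cyrillic case is not caught by the mixed-script check (every letter is from one script), which is exactly why modern browsers fall back to showing such domains in punycode; the confusables table catches it instead. The script only inspects the link; it never fetches it.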

Unless and until information security becomes a priority for society, including organizations and individuals, we are heading for a serious setback to our way of life, or even to life itself.

Here is where the reader will expect me to come up with a frightening scenario. I will not waste my time. Suffice it to say that unless we use fundamental risk management processes, we will simply lose – and lose big – even lose life itself. We will lose to nation-states, terrorists and criminals (the latter sometimes sponsored by nation-states or terror organizations).

Here is how to begin to take cyber information security seriously

Start with the National Institute of Standards and Technology (NIST) publication “Generally Accepted Principles and Practices for Securing Information Technology Systems” (NIST Special Publication 800-14). NIST has been a government agency since 1901 (originally as the National Bureau of Standards). This matters because when lawsuits and insurance documents contain wording similar to “Generally Accepted Principles and Practices” or “Industry Standards”, those phrases generally point to NIST publications or comparable industry or business conventions.

From there, it will be easy to understand what you and/or your organization need to do, and how to begin the process, to prevent a Digital Pearl Harbor that would impact you and even society as a whole.