Episode 81 Transcript | Ransomware | Ohio Accounting Firm | Rea CPA

Episode 88 – Transcript

Dave Cain: Welcome to unsuitable on Rea Radio, the award-winning financial services and business advisory podcast that challenges your old school business practices and the traditional business suit culture. Our guests are industry professionals and experts who will challenge you to think beyond the suit and tie while offering meaningful modern solutions to help you enhance your company’s growth. I’m your host, Dave Cain. If you’re a regular listener to our podcast, you’ll probably notice that we’ve dedicated quite a few episodes to the topic of cyber crime. Well, we’re at it again. Only this time we have a new warning, and this is a big warning for all business owners. Ransomware is able to delete your VEEAM backups. Oops. That means your backups might not work or be fail-safe.

To tell us exactly what this new ransomware capability means to the business community, we are welcoming back Joe Welker, cyber security expert and a manager on Rea’s IT audit team. Welcome back to unsuitable, Joe.

Joe Welker: Thank you, Dave. Glad to be here.

Dave: Good. By my count this is your third stint.

Joe: Third stint, but first time with you, Dave.

Dave: We’ve had a lot of people request you.

Joe: Popular person.

Dave: What we like to do with you, especially, is we understand you like to go to concerts. The Summer Concert Series is with us. What do you got on the agenda for this summer?

Joe: Kenny Chesney at Buckeye Fest and after that I have Kid Rock at the Hall of Fame concert. He’s with Toby Keith, but we’re primarily …

Dave: F-O-A-D. You like that song?

Joe: Yeah. I usually go to see the Kid. Missed out on the Columbus Metallica concert, which I was disappointed in, but I’ll try again at some other point. They’re on a bucket list.

Dave: Did you ever see The Clash?

Joe: Never seen The Clash. No.

Dave: Put that on your bucket list. Joe, on our podcast we challenge the traditional business suit culture, but I got to tell you we have a dress code. Put your shirt back on, would you?

Joe: Yeah. I wouldn’t do that to you. I’d taken it off.

Dave: As our viewers jump on the Rea YouTube station, by the time they get on you’ll have your shirt on.

Joe: That’ll work.

Dave: As you start talking about concerts, you get a little crazy. How do we go from that to talking about ransomware? This thing is going nuts and is continuing. Some of the things I’ve read recently have just been phenomenal. What’s going on with ransomware?

Joe: Well Dave, it’s very crazy. I think that’s a major concern for everyone whether it be the business that we have, governments, medical clients, even users at home. I mean everybody can be affected by this. It’s so worldwide. Your computers can be touched by anyone on the planet. It’s not like someone has to locally infect you, but people in China, people in the former Soviet Union countries, they’re all accessible to your outlying network. It comes down to those people who are pushing these things out in order to make profits for their businesses.

Dave: Let me challenge a couple of your comments there. Obviously it could infect anybody, but I have desktop antivirus software. Am I safe?

Joe: No, that’s older technology, Dave. The virus protection programs originally came about to protect you from the malware and those types of things. The problem is that some of these strings of malware and ransomware come out as zero day viruses or zero day liabilities, and so there hasn’t been anything developed for them yet to correct them or stop them. The problem is there’s no one single bullet anymore that is capable of stopping the ransomware and the malware. It takes a combination of things before you have anything that can come close to protecting you from everything, and still you’re not protected because, remember, it only takes one click by one person in your company with rights, access rights, to a server to actually become infected.

There’s no one time, “Oh, I did it one time I’ll get by with it.” One time mistake and you’re infected.

Dave: Joe, I have a Mac and we all know Macs just don’t get viruses. Again am I safe from ransomware?

Joe: Well, that used to be the theory and it still is to a degree, but they’ve actually started to hit the Mac field too. You can see anytime by googling that the number of Mac infections is starting to crawl up.

Dave: Can they hit my phone, my smart TV?

Joe: A lot of the phones, Android phones and the Mac phones, Apple phones, yeah, are susceptible to the viruses.

Dave: I think the solution is we go off the grid.

Joe: Well, I’m all with you there, but that kind of takes you way back. I don’t think anybody wants to return to that. As a matter of fact, we had a client whose building exploded, and one of the major problems they had when it exploded was there was no one within their company that remembered how to do things manually when they did not use a computer system.

Dave: This ransomware and the developers of ransomware or the owners of this ransomware we’ve seen, heard it could be crime syndicates, could be the guy living in his parents’ basement. You just don’t know where these, and I’ll call them criminals, live or are coming from.

Joe: Which they are criminals. Like I said though, you can get a guy in his basement that can reach out and touch your entity. You can get people in Eastern Europe to do it. We had a school that we were doing the audit for where they actually had a seventh grade student launch a Denial of Service attack against his school and shut down the entire school by launching that. All he had to do was go online to a Denial of Service website and pay $10 using a credit card to launch that Denial of Service attack. Basically he was doing it every day for a couple of weeks just to get himself out of class.

Dave: Pretty creative.

Joe: Very much so.

Dave: But against the law.

Joe: We used to have to go out and pull the fire alarm to get out of school like that. Now you go to the computer and launch a Denial of Service attack.

Dave: Or a stink bomb. The stink bomb used to work pretty well, didn’t it? You remember those days?

Joe: Very old school.

Dave: During the pep rally that was always kind of a good thing to do. In my mind I’m thinking this ransomware, the cyber criminals, they want to go after the big companies. The smaller companies are safe, aren’t they?

Joe: Well, I think after the Target breach all major companies started to take a more proactive philosophy in protecting their data. They started implementing more and more different types of protection plans, monitoring of firewalls, using proxy servers, blocking sites using white listing, black listing. A lot of the major players and major companies implemented these types of services. Now it comes down to the medium size businesses, smaller companies, individuals. I mean they’re looking for quantity over quality. They’re looking for the number they can implement. There was a report of a six hour period where 14 million ransomware emails were sent out.

I mean it takes nothing. There’s no cost involved in sending out one or 14 million or 100 million, and that’s just in a six hour period.

Dave: I could get in my email, if I’m not careful, someone could send me a booby-trapped Excel file, Word file, PowerPoint.

Joe: All of the above. PDF files. Anything they can disguise to include an executable program in it. Yes.

Dave: Really as a business owner I need to take a very hard look, close look at ransomware defense and survival.

Joe: Exactly. Exactly. That should be part of their disaster recovery and business continuity plans. As of right now ransomware is their biggest risk. It used to be hardware failure or disaster, which were very rare instances, but nowadays one of the main things, or the very main thing, is ransomware.

Dave: Now if there is an incident of ransomware and I’m held hostage, should I succumb to the demand? Should I pay? Do I have to pay? How do I get my data back?

Joe: Well, the FBI says don’t pay, but the FBI’s not in business. We had one company we worked with. They got hit with ransomware. They found out that none of their backups were any good and they had no option. They had to pay the ransom. It was either that or go out of business. When it comes to that point, you’re going to pay the ransom.

Dave: This sounds like a silly question, but if I have to pay, I have no other choice, I want my data back, how do I pay? Do I write a check? Do I give my credit card number? Do I use some eCurrency? How does that all work? What are the guarantees? Do I get a receipt?

Joe: Well, you’d like to have that. The thing that is involved is an electronic currency called bitcoin. The first part of it, when people started using that, and I know several clients have had to purchase bitcoin, they had to go to a university setting to purchase it. It’s now available. You can go online and purchase bitcoin at some sites, and it’s even gotten as far … I recently attended an auditor at a state conference where they actually were recommending Coinbase to be used to purchase bitcoin because it is a US-based company and has to abide by US laws. It’s just a matter of going to those types of organizations and purchasing the bitcoin.

Dave: For ransomware hits, obviously you’ve got to take a look at do you pay, don’t you pay. Can you get your data back? You have no guarantee your data’s coming back to you.

Joe: There is no guarantee. They pretty much assume themselves to be proper businesses and even up to some points will provide an 800 number service for you to contact them if you need assistance in making the ransom payment.

Dave: This is extortion at its greatest?

Joe: Pretty much.

Dave: Would I call law enforcement?

Joe: Yeah, usually what you want to do is contact law enforcement and let them know what’s going on. You want to make sure you disconnect any infected workstations or servers from your network. I know there have been instances where it’s infected the entire environment, the work environment. I know there was a county that had to actually shut down because of it. Contact law enforcement. If there’s any possible breach that’s been done of data, personal data or medical data, you may want to contact your attorney to see what laws are applicable or what your company or business or government agency is required to report.

Dave: The potential for widespread crisis, easy for me to say today, widespread crisis is great.

Joe: It’s very much so great. I mean it’s just incredible where we’ve gone to. I tell many people and I think I may have mentioned this before on one of these sessions that it’s kind of like the Wild, Wild West because there are no rules right now. There are no rules out there to say, “You can’t do this.” We can’t find all the people because of the anonymity of the businesses and groups that are sending out the ransomware. A lot of them are located in China, Eastern Europe, Soviet States and we have no laws or no country assistance with finding these people.

Dave: Is it time to change the way we backup our data?

Joe: Again Dave, there’s no single bullet. You have to implement everything possible in order to do this. Changing the way we back up our data, yes. Thinking about the way we back up our data is very, very, very important. A lot of people go by the 3-2-1 rule, where it says you have your primary production data and you should have a minimum of two backup sets. Now to me that’s very minimal. The two represents that you should have two different types of media that it’s saved on, whether that be drives, hard drives, tape, flash drives, CDs, whatever that be. Then the one represents one set of backup data that’s kept offsite and offline. There was a movement at one point for everyone to rush away from tape. Everyone went to disk-to-disk backups.

That’s basically what VEEAM, Aperture, some of the main backup processors went to. They created this disk-to-disk environment. That’s why we’re running into the problem now. This report several months ago, that there was a version of ransomware that actually deleted the VEEAM backup, has caused this rush now to say, “Wow. We need some type of what they call air gap backup, where there is a disconnect from your network.” That’s basically where you’re at right now: you need to provide those types of backups, one backup that is not part of your network.

Dave: Joe, I’m a little confused about this. I back up on the cloud, but now you’re saying that I also have to use different types of media as well as the cloud backup? Is that part of the 3-2-1?

Joe: If you’re using cloud, that would be considered a different type of media, yes. Again, with cloud you need to verify with your cloud provider that your encrypted data will not just get synchronized right over top of your cloud backup, because I don’t know that that’s one thing they’re looking for in that. That’s part of your due diligence: to check with that provider, either by asking their representatives or reviewing what’s called their SOC report, which is a service organization control report, and see exactly what it says in that report to make sure that you’re comfortable with the backups that are being created of your data on their site.

Dave: In your terms, you used the term encrypted. What does that mean?

Joe: Encrypted means that every file that is encrypted is secured with a key, and in order to be able to access that you need that key. When you pay the ransom, basically that group will send you a key to input to actually unlock every one of those data files. Now encryption is intense. It’s not something that I can break, you can break, even the federal government, the US government cannot break encryption. If you remember back when they were petitioning Apple to provide their encryption coding so that they could get in that one phone of … There was a terrorist I think they were trying to access. Even the US government could not get to it, break the encryption. That’s the ease of this: you just encrypt everybody’s files and say, “Okay. Pay me and I’ll send you the key.”

In most instances they will send you the key. There have been very few reported where they have not, and that’s basically again because they look at themselves as a business. As long as you pay, they’re going to provide that key and let you unlock your data.

Dave: What kind of ransom dollars are we talking about if it’s … Is it hundreds of thousands? Is it thousands or all over the place?

Joe: It’s all over the place, Dave. It’s usually based on number of files, but in some instances I know there’s been … I’ve had just single workstations that have cost a thousand dollars to recover. I’ve also had clients that have paid $17,000 to recover their data. There was a hospital in LA that paid $17,000 to recover their data. We also heard of a firm that actually paid 500,000 to get their data back.

Dave: This is really truly a security threat. We don’t think of this as a security threat, but it is to each and every business.

Joe: Very much so.

Dave: Because you could get access to not only personal data, you could get blueprints, you could get trade secrets.

Joe: Exactly. Exactly. Once access has been gained, then sometimes it’s just a matter of what data they can discover on the system when they start poking around.

Dave: Joe, I think you ought to stop going to all these concerts and spend more time in developing ransomware defense and survival. You’re screwing around too much. Let’s go.

Joe: I’m thinking about giving up the IT stuff and become a roadie to be honest with you.

Dave: Let the roadies take the show, huh?

Joe: Yeah. I’ve actually worked for Peter Frampton on one concert so I’ve got experience in that field too.

Dave: You do? Where were you the roadie for Peter Frampton?

Joe: Yeah. Actually in Pittsburgh, Pennsylvania.

Dave: There’s another side of Joe Welker we need to uncover one of these days.

Joe: Yeah. I don’t think we can tell those stories.

Dave: Well, how do we combat this new cyber crime? What are the new cyber crime tactics? How do we combat those?

Joe: I think there are just best practices that everyone needs to keep in mind. I made a list of them that I try to follow. I’d just kind of like to go through those if I can, Dave.

Dave: It’s all you.

Joe: I want to just start by saying the backup data services, which is how you set them up, the accounts you use, should be dedicated accounts that are only used for the backup process. You don’t want your network administrators to have access to those. You want an account that is specifically for backups so that there are only one or two accounts that have access to that data. Second, disable any end user access that may have access to those areas, because you definitely don’t want them to have access to your backup data.

Dave: Give me an example of that.

Joe: Somehow a user base needed to recover a file, and they gave them temporary access and forgot to move the access back. User access should never be allowed to your backup areas. Third, do not leave your backup areas out of the domain. Actually assign it its own domain so that it’s not in the same domain environment. With the use of Microsoft Active Directory, you actually set up a domain in order for users to be configured, devices to be configured and allowed access. Offline backups: physically detach the media, whether that be removable hard drives, tape, CDs. Actually detach them from the network or take them to an offline status. Your only true way of saving those and knowing they can’t be connected to is if they are disconnected.

Use advanced technology, which basically comes in the way of intrusion detection systems, SIEMs. I’ve got one client that actually installed on each of their computers … He’s got a program that if a workstation starts to encrypt data, it notifies him right away. Also, Microsoft has their AppLocker, and there are some third party applications that will actually not allow the running of any type of programs by workstations. You can use your Active Directory policies, AppLocker or a third party application to complete those types of things. A big thing that we don’t mention enough is user training. They’re your biggest threat really.

Dave: Our employees.

Joe: The employees. Yes.

Dave: Well, we’re too busy. We want information immediately. We don’t care about this stuff.

Joe: We do, and a lot of this stuff comes in through emails with attachments or URLs. I actually did this myself not too long ago and was sweating bullets over it. I clicked on a site. I was looking for something. I clicked on a site and all of a sudden my mouse just started spinning and I’m thinking, “Oh my. I’m infected.” I immediately detached my computer and shut it down and was sweating bullets. It was real bad.

Dave: I think that was the tequila.

Joe: No. This was definitely a possible infection, but the sweat was rolling at that point because that’s all you need, for one of your IT guys to get infected.

Dave: Oh yeah.

Joe: You never live that one down ever. Fortunately when I brought the computer back up, nothing was encrypted. I let it run like that for an hour, an hour and a half to make sure that I was okay. Then I went back online when everything was okay.

Dave: Great. Well, thanks again for joining us on unsuitable today, Joe. Our guest has been Joe Welker, IT audit manager at Rea & Associates with a specialty in cyber security. Listeners, if you’d like to learn more about what you can do to prevent ransomware from taking your company hostage, check out the resources we provided on our website at ReaCPA.com. While you’re there you can check out our new case study, How to Survive a Ransomware Attack, featuring the Jess Howard Electric Company, a Rea client located in Central Ohio. I’d also like to encourage you to subscribe to unsuitable on Rea Radio and iTunes for access to great business insight anytime, anywhere and on any device. Until next time, I’m Dave Cain encouraging you to loosen up your tie and think outside the box.