Security Insights - Cybersecurity for Real-World Workplaces
Welcome to Security Insights, where best-practice cybersecurity meets the real-world risks facing workplaces every day. Ivanti's VP of Product Management, Chris Goettl, brings in a rotating cast of guests to discuss the strategies and tactics that truly matter to the security teams protecting organizations, agencies and businesses like yours.
Security Insights - Cybersecurity for Real-World Workplaces
Ransomware Risk Management 101
This latest ransomware pandemic is infecting end users and security teams alike, exploiting old vulnerabilities and forcing new risk management strategies.
Chief Security Officer Phil Richards reviews how organizations can avoid and remediate ransomware cyber attacks, including:
- Training employees to not open obvious phishing emails and links that make networks vulnerable to ransomware
- The security vulnerabilities of old or unpatched software
- The pros and con of having backups
- How to use credential management to combat privilege escalation
- Join the conversation online on LinkedIn (linkedin.com/company/Ivanti)
Adrian: Hi, everyone. Welcome to Ivanti Insights. Every two weeks, we'll be sharing our thoughts with you on the latest cybersecurity news.
I’m Adrian Vernon, your host for today. And here at Ivanti, I am Director of Sales Enablement. I recently joined Ivanti as part of its acquisition of MobileIron. Now, while at MobileIron, I hosted a podcast similar in format to what we'd like to do here with Ivanti Insights.
With me today, I have Phil Richards, Ivanti's Chief Security Officer. Phil, we'd love to know, what makes you tick? Give us your 15 second bio.
Phil: Hey, Adrian. It's good to be here. Thanks for inviting me. Love to talk to you about some security issues. I have been Ivanti's Chief Security Officer for the last five years. And prior to that, I've worked in different security fields and I've been the chief security officer for both financial services and healthcare organizations, which is great because a lot of our customers at Ivanti and MobileIron are in the financial services and healthcare space.
So I feel like I have somewhat of a connection to them having worked on that side. I have a feel for some of the things they might be looking for in the security space and that kind of thing. So then it ends up being really nice. Like I said, I've been here for five years and it's been just a great ride.
Ivanti is a fantastic company to work for. I feel like we're doing a lot of wonderful things, not only with our products but really trying to take care of customer data and protect the infrastructure as well.
Adrian: And here at Ivanti, we are growing by the quarter with the acquisition, a couple of months ago of MobileIron, who I was with, Pulse Secure, and we just announced that we're going to be acquiring Cherwell Software as well, so plenty of expansion occurring over here.
Now, Phil, you're based in Salt Lake City, Utah. I am up here in the San Francisco Bay Area, just outside of San Jose. One last personal question so people can get to know you. Tell us what you do when you're not thinking about cybersecurity, if that ever happens, that may never happen, but away from the office, tell us one fun hobby you do to try to relax.
Phil: I have four wonderful kids and one of the things that I'd really like to do is take them up skiing. Obviously, we live in Salt Lake City, so we have mountains and we get a chance to go skiing during the winter. And while I enjoy skiing, I really love it when I get to take my kids with me.
Sometimes these days as they're getting older, it's one or two, rather than all of them. It's funny. I feel like I messed up with the first two kids. I was a little bit less patient as a father and I think I turned them off to skiing more than anything else, but the younger two, I kind of got it figured out so they enjoy it very much. So we get to go up every once in a while and that's just a lot of fun.
Adrian: All right. The nice thing about having four kids, if you don't get it right the first time or the second time, you keep correcting midstream. I have been skiing one time. Being a California native, that was something I just never really got into making the weekend trip up to Tahoe. I'll tell you in the last few years, those trips have got longer and longer as the traffic lines have grown and grown.
All right. Why don't we shift gears here, Phil? Let's talk security now. So today, our focus is ransomware. Now, this month's edition of CISO MAG has the cover story titled Ransomware – A Pandemic Plaguing the Digital World
Now, for those not familiar with CISO MAG out there; it is positioned as the handbook for chief information security officers, CXOs, and every stakeholder wanting to keep the internet safe.
Phil, let me ask you: Ransomware – A Pandemic Plaguing the Digital World sounds ominous, sounds all threatening. How ominous is it and how fearful should we be?
Phil: That's a really good question. And a couple of things, first of all, on the negative side, on the ominous and fearful side, it absolutely is a very strong epidemic. Ransomware, over the last couple of years, has grown very appreciably. The average ransom now is not the $500 Bitcoin that it used to be. It's in the neighborhood of $200,000 and it usually shuts down an organization an average of 15 days.
Think about your organization; think about what it would mean to your company to be completely inoperable for 15 days. For a lot of companies, that's huge amounts of revenue. And if you can shave a few days off of that by paying a quarter-million dollars, turns out that a lot of companies are willing to do that.
And because of that, because of the insidious nature of ransomware to absolutely shut down your organization, there are more players in the ransomware space. They're plaguing more organizations. And as security professionals, we need to be so much more vigilant and so much more focused on what we need to do to protect our organization to avoid ransomware incidents. And then also we need to be focused on what we need to do to recover when ransomware hits our environments so that we don't have to pay a quarter-million dollars and we don't have to have our doors shut for an average of 15 days.
It's significant. I'm not going to say that it's not. But the other side is there are things that we can do as an organization to protect our company and protect what we need to do so that we can recover so that we can avoid those kinds of ransomware attacks.
And we're going to talk a little bit about some of those today, I think.
Adrian: And just to get back to ransomware, this article in the CISO MAG predicts... currently, ransomware is costing corporations globally, billions of dollars. They're predicting that in 2021, this could rise to as much as $20 billion. So this is big business for cybercriminals now, as you said, and it is growing seemingly by the day.
So why don't we dive in a little bit and say, what precautions can companies take so they don't find themselves held hostage by cybercriminals?
Phil: Well, there's a number of things that they can do. We tend to split it up into a couple of different groups. The first group is what can we do as an organization to prevent ransomware? And there are a few things that come up over and over again in terms of preventing ransomware that are really important.
The first is that your main line of defense happens to be your employees; social engineering, email phishing, and malicious email links is one of the major areas, one of the major vectors that the criminal organizations use to get into your environment.
Another one has to do with unpatched software. When you have a presence on the internet like just about every company does these days, having software that is old or unpatched leaves you vulnerable to people exploiting that software and getting into your systems.
So making sure that your solutions are patched, all of them, but of course, making sure, especially that the internet-facing components are patched and up-to-date is critical. So those are really two of the major pieces that we talk about in terms of trying to protect.
There's a number of prevention activities as well that we talk about, specifically making sure that you have backups. The problem with having backups is people believe if they have a backup, that they're okay. But you got to remember, the problem isn't necessarily not being able to recover that data. The problem is those 15 days that it takes you to recover that data.
So having a backup is great, but you need to be able to practice. How long is it going to take you to recover systems? When ransomware strikes, oftentimes you have to recover hundreds or thousands of workstations and servers all at the same time. So you're not just restoring data, you have to rebuild the environment and then restore the data on top of it.
That takes days not minutes. And it requires a lot of resources; something that you need to know how long it's going to take. You need to rehearse. You need to figure out solutions that can get you through that process faster from a recovery standpoint.
So let's talk about some of the other things that you can do that help from prevention. One of the big things is the criminals do is called privilege escalation. Privilege escalation is the concept of I've got low-level access to a system, so I want to get some better access. Or maybe I've exploited a spot on the internet for a company, so I have low-level access to one server that's internet-facing. But now, I want to be able to turn that into something that gets more insidious and climb into the end of the corporate directory and things like that.
One of the things that really helps in that space is what we call credential management, which we know commonly as passwords. Password strength, the capabilities around multi-factor authentication, and those kinds of areas really are important. And there's a lot of change going on right now in that whole credential management space. Anyway, it's a rambling answer, but there's a lot going on in this space.
Adrian: Let me ask you this; let's personalize this a little bit more. So I'm an average user on the Ivanti network now, so let me ask you this, what keeps you up at night as Chief Security Officer in thinking about the education and awareness of all of your users within the company?
What is it where you might say, "God, I hope Adrian doesn't do X," or, "I hope Adrian can educate himself in this way."? In your position, how do you address all of the users within the network and what they can do to help prevent this?
Phil: That's a great question and you're right. Oftentimes, our user communities are one of the weakest links. So one of the things that keeps me awake is how do I help our users, make sure they can get their job done, but at the same time, they don't expose our network to unnecessary risk?
One of the things that we do at Ivanti that I think is a really important thing is around this whole education idea, especially with respect to email. Of course, we have email solutions such as an email gateway that help our users by making sure that spam and, obviously, malicious emails don't get through.
But we also educate our users both by providing them training, and also, by my team actually sends out phishing campaigns to our users. So we will intentionally send phishing emails to our user community as often as six times a year. And we try to make sure that they are thinking about not clicking on emails. It's so important. That is one of the weakest links. So that's an area where we spend quite a bit of time.
Adrian, one of the things that you'll notice, welcome to Ivanti by the way, one of the things that you will notice is that you will get some emails that if you click on them, they will come back and say, "You've been phished," and come back with bright red and say, "You shouldn't have clicked on this. Here's what you should have done instead."
It gives us an opportunity to train those users during the day when they're most likely to be when their guard is down and that sort of thing. My thought is that those users are looking out for emails that my team might send them. That's just the same behavior as looking out for emails that the criminals are going to be sending them. So it's the right kind of behavior. We're trying to make sure that the users have some of that education and some of that training.
Adrian: Then how do you follow up on that? Depending on what percentage of users come back who actually wind up, clicking on it versus not, how do you then follow up in that regard? Let's say in the last phishing test that you sent out, how did we do as a company?
Phil: We typically do a little bit better than the industry average, and we rate that based on industry average. And what we do is follow up with users in a couple of different ways. First of all, there's a follow-up immediately. As soon as the user clicks on that email there, they're taken to some training so they can actually read, find out what they did, and everything like that.
Now, users tend to get panicked when they see something like that. They feel like, "Oh, I did something wrong. My job is in jeopardy,” and things like that. So they tend to close some of those opportunities. They might not read everything that I say because they want to just close it as quickly as they can, thinking that if they close it fast, we won't know that they clicked on it in the first place, which, obviously, isn't true.
So we do tend to follow up with users afterwards. We follow up more with repeat offenders. It turns out that there are some users... some of us are just natural-born clickers. We see something show up in our email and we can't help ourselves. We click on it.
So we follow up with those folks, make sure that they feel safe, but at the same time, educate them that. That education is so important. So we do spend a lot of time identifying who they are and following up.
Adrian: And that internal testing by sending out these messages for people who are unaware and seeing how the Ivanti employee, based on this example, how they respond to that is a key part of those education efforts?
Phil: It absolutely is. We really focus on helping our user community become aware of their own sensibilities, their own prejudices, their own habits that need to change you. You can't change a habit unless you become aware that it's a habit. And unless somebody tells you that that's a habit that's going to cause problems, they might not be aware of that.
So we try hard to make that awareness. And changing habit is really a keystone of that education.
Adrian: Well, I'm going to be on the lookout for those emails. And I'm going to make sure that I do not click. And coming from MobileIron, obviously, we had plenty of experience in the security realm with phishing, with smishing — the SMS version of phishing. We were familiar with that over in the MobileIron space.
We're just about reaching our time limit here, Phil. So as we look to 2021, where there is a forecast that ransomware could go up to costing corporations as much as $20 billion in 2021, your final thoughts about ransomware preparedness for this year.
Phil: There are a few different things that are really important. And probably the most important thing, besides some user education that we spent quite a bit of time talking about, has to do with incident management. Your organization needs to be focused on; what do we do if and when this kind of thing happens?
Ransomware can attack and destroy an organization or it can lock up an organization very quickly. So being able to respond quickly when systems are known to be infected, taking them offline immediately, having a process by which you go through to do that, making sure that your employees don't second guess those messages is really important. So you have to prepare for that.
You have to have an incident management crew that's responsible for that and making sure that they can quickly make decisions and that the organization will fall in line quickly. That's one of the more important things that you need to be able to do.
Adrian: All right, Phil. Folks, that's Phil Richards, our Chief Security Officer here at Ivanti. Phil, thanks so much for joining us today, and look forward to doing this again. And also bringing Chris Goettl, your partner in crime, our Senior Director of Product Management, who was not able to join us today, we'll bring him in here two weeks from now on the next Ivanti Insights.
Phil: Thanks, Adrian. It's a lot of fun.
Adrian: All right, folks. For Phil Richards, I'm Adrian Vernon. Thanks for joining us today. We'll be coming to you every two weeks with hot topics for IT professionals. Until next time, stay safe, be secure, and keep smiling.