Art Ehuan, Vice President, Palo Alto Networks, and Former FBI Special Agent, discusses at length the unfortunate evolution and escalation of ransomware attacks. He explains how the threat actors have upped their game and are now engaging in double, triple, and quadruple extortions. While lamenting that "organizations continue to make the same mistakes," Art also acknowledges the challenges of vulnerability management. He offers some interesting insights into ransomware negotiations and provides excellent advice and recommendations on how to proactively thwart such attacks.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-20-a-deep-dive-into-ransomware-attacks-and-negotiations/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.
Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I have the pleasure of talking with Art Ehuan, Vice President at Palo Alto Networks. Art has extensive experience in the field of cybersecurity, having worked both in the public and private sector. To share a few highlights of his work experience and expertise: as Vice President at Palo Alto Networks, Art manages federal and international customer relationships. He provides cybersecurity advisory services to boards of directors, chief information security officers, chief risk officers and senior management on risk mitigation. Art has also been retained as a cybersecurity expert for matters that include Marriott International, Capital One, Equifax, Anthem, Sony and others. He has also been involved in cybersecurity operations in organizations such as USAA and Cisco Systems, and he has served with the Federal Bureau of Investigation as a supervisory special agent in computer crime investigations. Last but not least, Art is a colleague of mine at Duke University's Master of Engineering in Cybersecurity program, where he'll be teaching a class on security, incident response, and resilience. Our discussion today will focus on ransomware attacks, and I can't think of a better person than Art to discuss this topic, and more. So I'm sure we are all excited to hear from him. Without any further ado, Art, welcome.
Thank you, Dave. I appreciate the opportunity to speak with you and the audience about what I'm seeing in the world of ransomware, which unfortunately has exploded in the past couple of years, and I anticipate will continue to grow as the threats to corporations continue to increase.
Before we started the recording, you made
the statement that "companies keep making the same mistakes."
Tell us more about it.
Yeah, so you know, some of the basic things, some of the hygiene that you would expect to see in organizations, for whatever reason, sometimes aren't done right. So I'm specifically going to mention patch management, right? Because attackers have several ways of getting into an organization: it can be through a phishing attack, it could be through an attack on credentials. But another way, obviously, is through vulnerabilities in systems. And if those system vulnerabilities exist, an attacker can leverage that to access the network. So that highlights to me the importance of hygiene around patch management, making sure that you've got a vulnerability management program and that you implement it, so that as vulnerabilities are identified on systems, you're patching them in a timely fashion. Now, having said that, and having been on the back end of corporations where I've been CISO or acting CISO, sometimes it can be difficult, right? Because there are so many dependencies in systems that if you put a patch into a system without appropriate testing, you're potentially going to break something where your customers are no longer able to access your data, or you may create additional vulnerabilities. So you close one vulnerability but you create additional vulnerabilities downstream. So I do understand that you need to be careful when identifying vulnerabilities and conducting patch management, but there are certain vulnerabilities, like the recent Log4j, that are so critical that you absolutely have to patch those systems, especially on the perimeter. I've been talking to companies since that Log4j vulnerability was posted, and to me it's one of the largest vulnerabilities I've seen in a very, very long time, just because of the potential for an attacker to access the corporation while potentially leaving little trace evidence. So in my discussions with companies, especially the large companies, they were immediately looking at identifying where that vulnerability existed and then trying to patch it without breaking anything, at least at the perimeter. And now companies, I see, are trying to go into the back end, because even if this vulnerability is patched at the perimeter, if it exists in your back-end systems, it's still vulnerable. One of the things that I do hear from organizations is, "I don't understand what my environment looks like; it's a complex environment on the back end." Some of these questions come up with customers: they need help, they need assistance in identifying what the data flow looks like, what the network looks like. So it isn't easy. And I will always agree when the CISO says it's hard; I absolutely agree it's hard. But there are certain things, in my opinion, like patch management, that you just have to be doing right, especially for critical vulnerabilities. It's one of the things where we need to put those appropriate controls in place to protect, you know, when a critical vulnerability is identified.
Fair enough, fair enough. So let's back up a little bit. For the benefit of our listeners, if you would explain what a ransomware attack is, what's the threat landscape like? Who are the threat actors? That would be very beneficial.
Oh, absolutely. Okay. So I'll start with, yeah, what is
ransomware. Ransomware is an attack that a threat actor will conduct, and that threat actor is usually an organized crime or some criminal group. Now, I won't say it's never going to be a nation-state, because you could potentially have a nation-state masking their activity as a ransomware attack when they're actually burrowing into your infrastructure. But a ransomware attack is an attack that is designed to encrypt systems, encrypt data, so you no longer have access either to the systems or your data. Now, what's happened in the past, say, year or two, is that the threat actors have come to the realization that some companies are able to recover on their own, right? They're able to recover their systems because they have a real good backup process, a real good disaster recovery process, and thus are not inclined to conduct negotiations with the threat actor to pay them to get access to their systems. So what the threat actors are now doing is they've upped their game. And by that, I mean that along with encrypting your systems and your data, they're now doing something called double extortion: they're also stealing your data before they encrypt it. And now they're forcing you to negotiate. Even if you can recover your systems on your own, even if you can recover your data on your own with your backups and your disaster recovery and business continuity plan, you are still forced to negotiate to get an agreement from them that they're not going to post that customer data, that protected health information, out on the internet. And now they've even increased that tempo, because now the threat actors are going to triple extortion, where they're encrypting system data, they're stealing data, and they're launching a denial of service attack on you so that your business is no longer able to function. And then we're now seeing something called quadruple extortion, where they're doing all three of those, but they're adding the element that they're now communicating with your customers whose data they have, and telling your customers or your patients, "Hey, we've got your data, we breached the organization, and we're gonna post this information to the internet. You might want to talk to the company from whom we stole the data and tell them to do the right thing and pay us." So now they're putting that pressure on the company, because now they're notifying the victims as well that they've got your data. So they really upped their game, in a sense, because they're really forcing an organization to negotiate and make some kind of payment to get those assurances that they're going to stop that activity. So yeah, the number of matters that we see now, every year, they're increasing and they continue to increase. As I look at the future, I certainly don't see a future where I'm saying, hey, ransomware is going to come down; there's just so much money to be made, right? And these threat actors have identified that there's a lot of money to be made. So it's a very cost-effective way to commit crime and make money.
I was just reading an article where it states that there's a severe increase in ransomware attacks, that cybersecurity authorities from Australia, the United Kingdom, and the United States have published a joint advisory warning of an increase in sophisticated, high-impact ransomware attacks targeting critical infrastructure organizations across the world. And that's what concerns me. I mean, you don't want a ransomware attack on anyone, individuals or organizations, but I'm especially worried about the critical infrastructure. You know, you were candid enough to say that it's difficult, it's not an easy task, to be super protected, to do the kinds of patch management and other things that need to be done. But having said that, given the severe consequences of these attacks, what are you finding out there, both public sector and private sector? What is the level of preparedness?
Yeah, so I think it's going to depend on the industry, Dave. You know, especially in critical infrastructure, there's more regulation around financial services, around energy. So typically, organizations that fall under some kind of regulatory regime are putting more of an investment in protecting the organization. Also organizations where there's more Board involvement, more governance and oversight, because in my opinion, especially with publicly traded companies, they have a Board, and if there's an engaged Board that's asking questions of the cybersecurity program on a regular basis, I think for the C-level that shows that the Board is very interested in this, and we, as the C-level, obviously have to also support those types of activities and make sure that they get the appropriate funding and the appropriate resources that are needed. Now, again, there are always outliers, right? And by that, I mean companies exist, obviously, to generate revenue, right? They produce a product or they provide a service for the purpose of generating revenue. Sometimes, if you're in a particular industry and you're trying to make a determination, do I put more money into cyber or do I put more money into customer satisfaction, that's sometimes a hard one, right? Because you've got limited dollars, and trying to make that decision is sometimes difficult. If you're the CEO, you want to do the right thing and make sure the company is protected, but you also want to make sure that your customers are happy and you're doing everything possible to provide those products or services. So sometimes that's a very difficult balancing act for executives to have to manage, because in a perfect world they would have enough funding for everything, but it's never a perfect world, and there's always going to be that push-pull inside of an organization: the cyber organization is going to be asking for money and resources, operations is asking for money and resources, and the CEO has got a limited budget to work with and is trying to do the right thing to keep both constituents happy. I make sure that I'm protected and I make sure my customers are happy, and it's a balancing act. And I think that's why it's important to have that governance and oversight with the Board, so that they can provide that top-level guidance to the organization.
You know, you talk about governance, oversight, regulation. It brings to mind Sarbanes-Oxley, SOX. As you might know, Sarbanes-Oxley was introduced when fraudulent accounting transactions were taking place. Yep. And there wasn't that level of top management commitment to ensure that those kinds of activities didn't happen. So it took legislation to get senior leadership attention. Yeah. And it's my hunch that we are going that way even with cyber. There are some regulations out there; existing laws are being used to regulate cyber activities or to provide reasonable oversight. But I almost feel that there's going to be a major piece of legislation which will come down the pipe, and that's going to really get everybody's attention, because, like you said, it is a hard balance for the CEO. Yeah, yeah. But then if you have that regulatory pressure, the regulatory burden, that would force you to do the right thing when it comes to cybersecurity competency, cybersecurity due diligence. And I know this is easier said than done; it's a great conversation to have, but for people who are trying to make things happen, it's a tough ask. Given your experience, you know, you've been in industry, you've actively engaged with the senior leadership, have you seen any best practice out there, or any exemplars where, irrespective of the directors, irrespective of Board oversight, there is a conscious commitment, it's like woven into the organizational culture, that we must create and sustain a high-performance information security culture? Have you seen evidence of that?
Oh, absolutely.
Yes, I certainly see it, you know, again, especially with the large organizations that have a dedicated program. So it is possible. I will say that a cybersecurity program is a dynamic thing, right? To me, it's a living thing that is always changing as the threat evolves, because, as I mentioned earlier with ransomware, as organizations put up defenses, the threat actors put up countermeasures to get around those defenses. So cybersecurity can never be static. And if it's static, then I fear that a company maybe is not thinking about, how would I say, the evolving nature of cyber threats. And because of the evolving nature of cyber threats, you've got to have a dynamic program, and to me, in a dynamic program, you would have a program that follows a recognized cybersecurity standard or framework. I'll throw out the NIST Cybersecurity Framework, right? It's been around since 2014. I recently saw some statistics that over 50% of large corporations are adhering to that framework, because that framework gives you a baseline. The NIST Cybersecurity Framework is designed to establish a baseline and then also assist an organization in determining what the future state of the cybersecurity program should look like. But what I really like about it is, again, it's dynamic in nature, in that you never reach a state where you're completely happy and say I will never be breached, because again, we've got to stay dynamic. And there is NIST, you've got the ISO 27001/2 series, you've got the CIS 20. So there's a number of standards out there, but to me, when I'm looking at an organization, to say okay, this organization is on track, they're thinking, they're putting on that security mindset, I look to see: are they mapping to one of these recognized cybersecurity standards? Now, you brought up the regulatory regime. Having worked with regulators in the past, having been hired as a kind of expert advisor to regulators when they're conducting an investigation or analysis of a regulated company, I will tell you the regulators are using the NIST CSF as their model to assess companies. And then even more recently, the US Department of Defense actually released something called the CMMC, the Cybersecurity Maturity Model Certification. That is a requirement for organizations that are doing business with the US Department of Defense: to follow the CMMC in order for them to be able to do business with the Department of Defense. As I look at the CMMC and as its effectiveness grows, I would forecast that other agencies within the United States government, Homeland Security or Veterans Affairs, potentially adopt this similar model, where they will say to organizations, if you're going to do business with us, you have to go through this accreditation and get certified in order to do business with us. So again, that adds more of a regulatory-type spin for organizations, and I would envision that would flow down to the corporate sector.
You're talking about frameworks, and there are several out there. I've had the opportunity to review them when I was authoring my book. They're all great frameworks. Yeah. But what I have found from my work is there's a significant variance in how organizations follow the framework. How disciplined is their approach in complying with or following through with the guidelines? Often I have seen it's like, let's check the box here. Yeah, you're supposed to offer this kind of training, we have done it, move on, as opposed to going deeper and making sure the training is substantive, it is year-round, it is continuous. So that's where I have seen a difference between having frameworks and the frameworks guiding cybersecurity operations, and truly following the framework in a very disciplined and committed manner, with some oversight to ensure that the compliance is thorough, the compliance is meticulous. What have you seen?
Dave, I
will agree with you that, to me, a framework is only as good as the implementation and as good as the following of that framework, right? So I completely agree with you. I've seen plenty of organizations that are box checking, and they suffer a breach, because when you get past the box checking, they haven't actually implemented correctly. So it's more than just checking the box. If you're just checking a box, in my opinion, maybe you're meeting the spirit of the framework, but you're not actually doing what you really need to be doing to ensure the security of the organization. So when I think of frameworks, PCI, right, that's a framework for organizations that handle credit card data. I have seen many, many an organization that is PCI compliant, they've checked off the box, that have suffered breaches. And the question is asked, well, they've been accredited by an assessor and all the boxes are checked off, yet they still suffered the breach. It's because they didn't do that deeper digging, unfortunately. So if you're just looking to, hey, I'm gonna follow this so I can check off the boxes, maybe in spirit you're following the framework, but you certainly aren't doing good cybersecurity; you're not going deeper than just checking a box. I can't tell you the number of organizations that I've seen that have checked off the boxes and they still suffer a breach. And then when you're doing the analysis, when you dig in, it's like, okay, you checked off a box, but you didn't do these things underneath that box, and that allowed and contributed to the breach.
Exactly. In fact, talking about the PCI standard, it brings back memories of a major breach that happened several years ago. I don't want to name the organization, but there were detailed reports of the findings, and one of the very concerning findings was they were warned by their auditors that they were not in compliance with most of the PCI standards. Yeah. And they did nothing about it. Sure. So I'm sure all kinds of things are happening there. And it again goes back to what we started the discussion with: why are companies making the same mistakes over and over again? You shared with us the challenges that senior executives face, but at the same time, there is this reality of ransomware-type attacks that keep getting more sophisticated, and it's a game that's hard to win. Yeah. So going back to ransomware attacks, let's talk a little bit about what a ransomware negotiation looks like. Not that I'm a fan of ransomware negotiations; in fact, I think the recommendation is not to negotiate. But please share with the listeners your thoughts.
Yeah. So I will agree with you, I'm not a fan of paying a criminal to get access to your systems and your data. I certainly don't support it, but there are occasions where a customer will say, I have no other choice, my systems, my backups are encrypted, and I need my data; a healthcare provider, right, can't be down. So there are certain industries that absolutely cannot be down, they've got to be up for public safety, and they've got no other recourse. So if that occurs, then you contact the threat actor, and again, these communications are taking place on the Dark Web. They give you an address where you can contact them, they tell you what they're looking for, you get an understanding of what kind of payment they're looking to be made. And it's literally a back and forth. You want to get proof that they really do have the keys: you provide them with a file that's encrypted, where you know the contents of that file, they unencrypt it and send it back to you so that you know that indeed they do have the key. And then you're negotiating a price that everyone can agree to. Once that agreement is made, payment is made in cryptocurrency, you name the cryptocurrency, and payment is made after you've got the guarantees from, if cyber insurance is gonna pay, or the law firms, the customer, and then you help with the payment. One of the other things I need to bring up real quickly, though, is that if this is going to occur, if contact with a threat actor is going to take place, at least in the US, because of US Treasury requirements, checks have to be made, and they're typically made by the insurance company or by the law firm, to see if the threat actor group is potentially a sanctioned group. So, as an example, REvil was a sanctioned group. An American organization, an American corporation, could find themselves in legal jeopardy, for instance, if they were to make payment to one of these sanctioned groups. So checking the sanctions list to make sure it's not a sanctioned group is going to be very important. But again, it's that communication back and forth: getting assurance that indeed they have the key, making payment, getting a copy of the key, analyzing that key to make sure it doesn't contain anything that potentially is going to be nefarious (you want to make sure that using the key doesn't potentially download additional payloads), and then helping the organization start unencrypting. One of the things I want to point out is that I think a lot of executives, and I think a lot of Boards, have this view: okay, this happens, I get a ransomware attack, we pay, we get the key, and the next day we're back in operation. Unfortunately, I want to dispel that myth that you get the key and you're back in operation the next day. It typically is going to take several days, even when you get the key, because you want to make sure that the systems you're recovering don't contain any backdoors. In some cases, organizations are building a greenfield, a clean environment, to go into. So it's typically multiple days, and for a larger organization multiple weeks, multiple months, as you're restoring back to operation. So even when payment is made, it is not as quick as, you know, I'm up and running the next day and everything is great and I'm back to business. It's typically an effort, a long-term effort, to really get back to operations.
Good to know, thanks for sharing. So, in your opinion, what is the best defense against ransomware attacks? You've already shared with us that patch management is important, but that can be challenging. What else should companies be doing to reduce the possibility of such attacks?
Companies encrypting their own data, so that even if a threat actor gets access to them, they're not able to do
anything with it, would be a great defense. Having your backups in an environment where it's not connected to the network, having backups that are immutable so that they can't be changed. One of the first things that these threat actors do when they get into the environment, literally, is look for where the backups are. They're looking for the backups, because those are going to be some of the first systems they go after when they hit you with a ransomware attack. So if you can protect those backups, it's absolutely, I think, very critical for you to be able to restore operations on your own, because your backups aren't impacted. And like I said, segmenting the network; I'm a big fan of segmentation. Again, it's not easy, and I'll be the first one to say so, having been in the CISO seat. Segmentation, especially if you've got a large network that you've grown and it's never really been properly segmented, could be a multi-year effort. But I'm a big fan of segmentation. I worked with a health care organization some time ago that suffered a ransomware attack, and there were three companies under the umbrella company, but because of lack of segmentation, instead of just getting access to one company, they got access to all three companies within the umbrella, because there was zero segmentation. So segmentation, a robust backup plan where those backups aren't accessible, and not only that, a robust recovery plan; that's just as important. Testing your recovery is absolutely critical, because if something bad does happen, have you even tested your recovery capability, so that you can recover critical systems in X amount of time? So there are certainly things that we can do. Because I'll be the first one to tell you that there is no such thing as a 100% guarantee that anybody can make that a company is never going to suffer a breach, because the environment is so complex. We've got remote workers, we've got the cloud, and the environment is just so darn complex that it is very difficult for an organization to say to their C-level or to their Board, hey, I absolutely 100% guarantee we will never suffer a breach. But you can do things to minimize impact, or even better, make it hard for that group or that attacker, make it so hard that they're just gonna move on to another company, because you've made it too hard for them.
I'm so happy that you mentioned the importance of having offline backups. Yeah. It probably sounds a little too simple and trivial, but the way I look at it is, let's take a personal example. Our house could get destroyed in a fire. Yeah. So if you think about the possibility, and then ask the question, what all would I like to be protected, I don't want to lose that stuff to fire; so kind of taking an inventory of your priority items. Yeah. And then making sure that you've done everything possible whereby even in the event of a fire you're not going to lose them. Yeah. Now, I realize that there's a scale aspect to it; large organizations, tons of data, located in all kinds of places. But even then, I think some of these simple rules and guidelines can work very well if there is a concerted effort to prioritize, to identify what's important, and then closely monitor how they are being backed up, testing the recovery capabilities, so that even in the event of an attack, they are minimizing the damage. That warrants a question for you: have you come across an instance where a company was a victim of a ransomware attack, and they're like, doesn't matter, thank you very much, we are all backed up, you're good to go? Has that happened?
Oh, yeah.
It has happened. I have seen companies that have been in that
situation where they're going to recover on their own, they've
got good backups, and they don't need to communicate with the
attacker. But as I mentioned, now we're starting to see that
double extortion, right, where they're taking your data, so
that even if you can restore on your own, you now have to get
in communication with them to get an assurance from them. And
that's all it is, right? It's an assurance from them that if
you pay them, they will not release your data. Now, you may
ask, well, they still have your data, can you believe them if
they say they're not gonna release your data if you pay them?
You know, for the threat actors, their business model is such
that, you know, they make an assurance to you, because you've
paid, that they are not going to release your data, and
they're probably not going to release your data, right? You
can't say 100%. But, you know, their community is so small that
if a threat actor group does not follow through on their
assurance, you know, the word gets out. And then other
cybersecurity companies say, oh, this group, even if you pay
them, they still post your data, and that destroys your
business model. Right. So, yeah, the way these folks think is
that, you know, if you pay, they're gonna follow through with
what they've promised to you. And I'll tell you, I recall
having a conversation with a CIO one time, and he said, you
know, the support that the threat actors were providing in
helping restore was better than his own organization's IT
support group. He said, you know, we'd ask them something, you
know, we were having trouble with restoration, and they'd get
right back to us and walk us through it. So it is a model
designed, at least for the threat actors, such that if you
pay, you know, they're gonna follow through with what they
promised as part of that payment.
But I've also heard that if you pay, you are on that list,
and they know that if you are attacked again, you will pay
again. Is that true?
I did have an organization that, in the space of, I want to
say, months, was attacked by three different ransomware
groups. They paid the first time, and then literally a
different group comes in the second time. They pay the second
time, and then a third group came in the third time, before
they were able to get their environment to a state where they
couldn't be attacked again. So it happens. It certainly
happens.
Very, very interesting. Concerning, but interesting. You
mentioned cryptocurrency, you mentioned cyber insurance. I
have a couple of questions in that area. But before I go
there, we are aware of the Colonial attack, and how the FBI
was able to recover some of the ransom money. Given your
experience with the FBI, why is it so hard to get hold of
these criminals and, you know, put them away?
Yeah, well, unfortunately, a lot of these groups are out of
the reach of American law enforcement, or, say, Western
European law enforcement. A lot of these groups are in
countries that we don't have the best relations with. And, you
know, if we indict someone, say the Bureau or the Department
of Justice indicted a threat actor, if you can't get them into
your custody, then, you know, it makes it difficult to be able
to put these individuals in jail and show a deterrence. Right
now, the deterrence factor, unfortunately, is very low,
because, you know, it's very difficult to have these
individuals arrested.
That's tough. Yeah. So what is your opinion about this
thought that if crypto could be regulated, that might help
mitigate some of these types of attacks? Do you have any
thoughts on that?
Well, with crypto being regulated, I mean, to some extent it
is regulated in the United States, right. So there are rules,
you know, regulatory standards that have to be followed in the
United States, but how do you pass that on to other countries,
so that they have a better understanding of who's signing up
for these accounts, right? Because, you know, in the US we
have the know your customer laws, right, where you have to
know who it is who's opening an account. You know, those laws
don't necessarily transfer over to other countries, where you
may be able to sign up over the internet, and you can, you
know, be whoever you want to be. And it just makes it so much
more difficult to identify these individuals as to who they
are. So I think more regulation probably will help. But it's
got to be international; it just can't be the US saying, hey,
we're going to do these things. Because, I mean, at the end of
the day, cybercrime is a transnational crime, right? And I
look at it, you know, from my time when I was in the FBI. When
I was in the FBI, we used to investigate bank robberies,
right? I would go to a bank robbery where someone would come
in, and they'd hold up the bank with a gun, but they're
leaving all kinds of evidence, right? You know, there's video
cameras, there's, you know, DNA, potentially. You're leaving a
lot of physical evidence. You know, there may be marked police
units driving by, there's silent alarms. So, you know, there's
a lot of risk with a physical bank robbery. To this day, I
think the FBI closure rate on bank robberies, I want to say,
is probably in the 80 plus percent range, right? So if you rob
a bank, you're probably going to get caught, arrested, and
thrown in jail for a long time. With cyber, you don't have to
be in the US, you don't have to be in the UK or in France, you
don't have to be anywhere near the country that you're
attacking and conducting ransomware against; you can be
virtually anywhere in the world and conduct that activity. And,
again, if the rules are not consistent across the globe, this
is where we run into problems. So if other countries don't
recognize that these types of criminals, you know, right now
they're, say, attacking the United States, or they're
attacking the UK, you know, they could potentially turn on
your country and attack you as well. So I really think we're
at the point where a regime needs to be put in place, you
know, international standards on cooperation on these types of
cyber criminals. That is, I think, absolutely critical.
Absolutely. I totally agree with you that there needs to be a
lot more cooperation globally, if we want to have any success.
Yes. Dealing with these cyber criminals, like the examples you
gave, if they are operating from countries where there is very
little regulation, they are not being tracked or they are not
being brought to justice. Yeah, there's no reason why they
won't continue to engage in these kinds of activities. So
true, so true. In fact, I also want to take this opportunity
to share with the listeners one of the realities of securing
an organization. Art spoke to that. Even in my book, based on
my research and my work with companies, you know, I found 17
success factors. And they're associated with three
high-performance information security cultural traits. And I
call these traits commitment, preparedness, and discipline.
And each of these traits is associated with factors such as,
for commitment, Hands-on Top Management, Joint Ownership &
Accountability, Cross-Functional Participation, and I can go
on; I don't want to provide you with the long list. But the
point I'm trying to make here is, it is no easy task to manage
these 17 factors. So it's easy to blame and maybe get rid of
the CISO, and make a point. And it's a symbolic reaction. But
there are just too many vulnerabilities. And you have to
really cover a lot of ground. And that's all the more reason
why I have been preaching about making cybersecurity a
distinctive competency. To the extent that top management
gives it priority, the chances of effectively addressing these
success factors are a lot higher than if you just give up and
say, oh, you know what, we'll deal with it when it happens.
There are too many vulnerabilities, we don't know where to
start. And I've heard that from many organizations. Your
thoughts, Art?
No, you're absolutely right. I mean, this is more than just a
CISO problem. It's a corporate problem, right? Because you
need the executives, you need the Board, you need the
Management, and you need the employees to all be in unison on
how do we protect our company, and how do we protect our
company's information, whether that be, you know, employee
information, customer information, R&D. You know, it's
absolutely crucial that there's a unified approach, you know,
with oversight from the Board, with concurrence, you know,
from senior management, with middle management implementing,
and employees obviously following that plan that's been
developed. But to say, okay, we just leave it up to the CISO,
and, you know, they need to fix it, they're just setting up
that poor CISO for failure. It's moved beyond the CISO, it's
moved beyond the CIO, it really is a corporate issue that
needs to be addressed at the highest levels of the
organization.
I think you're talking about the board of directors, yeah. You
know, providing oversight, requiring senior leadership to
provide them with regular updates. And there might come a
time, hopefully sooner than later, where the CISO reports
directly to the Board. To that extent, the CISO function can
operate as independently as possible. Your thoughts?
Yeah. So I'm going to tell you, I'm always going to be of the
opinion that the closer you can get the CISO to the CEO or to
the Board, the better that organization is going to be,
because you're trying to minimize filtering, right? Because
I've seen CISO organizations buried under IT or Operations.
And, you know, when that happens, you've got, you know, the
personalities involved. You've got operations or the CIO
that, you know, says, I've got to have the infrastructure
always running; anything that's going to slow it down,
potentially, by a subsidiary organization, you know, is not a
good thing for me; if I've got a budget, and I have to provide
it to the CISO, that's a budget away from operations. So I'm a
huge fan of anything that will get that CISO as close to the
CEO or the Board as possible, so that they can have that
influence and effect on these very key executives or board
members, right, so that they understand the risk directly.
It's not being filtered in any way when it's being reported.
So true, so very true. And I think that for an organization
that truly cares about security, it should be a no-brainer for
the leadership to do exactly what you are saying: let the CISO
operate as independently as possible. When I say CISO, I mean
the team, and let them directly report, whether it's to the
audit committee or the board of directors, so there is some
independence to the reporting. And I think that would be a
reflection of true commitment on the part of the organization
towards cyber diligence, cybersecurity management. So I wonder
why that's not the norm. But, you know, at least I'm glad
we're having this discussion. Hopefully, folks are listening.
Hopefully, some actions will be taken. Yeah.
I don't know if you've seen, there's a bill, I don't know if
it's getting much traction, I believe in the Senate, that will
require publicly traded organizations to have a board member
who is knowledgeable on cyber. Again, I don't know, I don't
think it's getting much traction, right. But for me, you know,
from what I've seen in the past 25 years of working cyber
related crime and working with organizations and helping them
protect themselves, I think that has some good viability,
right. If you have someone that understands cyber at the Board
level, you know, they can help the board in understanding the
risk. Because at the end of the day, right, it's about risk
and risk acceptance, and understanding how that potentially
would impact an organization.
Absolutely. I mean, of course, it is desirable that you have
somebody who understands cyber at a certain level of depth.
But I'd also argue that even if you didn't understand cyber,
we all know what's going on. And I was talking to the CEO of a
major corporation. And I asked him, I said, I keep getting
these research reports that the senior leadership are not very
willing to stay up to date and undergo cybersecurity training.
And he says, I don't know about other organizations, but in my
organization, we totally believe in continuous training, we
are engaged. So I asked him, I said, so what convincing is
required for all other organizations to do what you all do?
And his reaction was, I don't know why there needs to be any
convincing; you just have to read the Wall Street Journal to
see the consequences of these attacks. So if that data is not
compelling enough for people to sit up and say, you know what,
even if I don't understand cyber, I'm going to make every
effort to understand as much as I can, or at least engage
people and have regular conversations so I'm securing my
organization. You know, it's like sending your kids to school.
I obviously don't understand all the subjects the way the
teachers who teach them do. But I want my kid to do well. So I
would take every step as a parent to provide oversight, to
provide guidance, to hire tutors, whatever it takes to help
the kid be successful. And I think if that kind of mindset
prevails, we would do a lot better.
Yeah, yeah. Yeah. I agree with you.
But I'd like you to wrap it up for us
with some final words. I so appreciate you coming this
afternoon to talk to us. So,
Of course, ya know. So the final word is, I mean, I get it.
Cybersecurity is hard. If someone says it's easy, again, I
would raise an eyebrow and ask, you know, how can you think
that? It is difficult. The environments are complex, the
threat actors are getting more and more aggressive and
sophisticated. But there are things we can do, right? We just
can't throw up our hands and say, you know, there's no way I
can defend against this. There are things we can do to better
protect organizations. There's messaging that we can do with
the C level and the Board to get them more involved in
understanding what the threat is, the threat to the
organization. So I certainly would never say there's just
nothing we can do. There are things we can do. And it's always
going to be very important, in my opinion, to have a plan,
right? Have a plan. Put that plan in place and follow your
plan.
Thank you again. Thanks for coming. It's
been a pleasure.
Thank you, Dave, appreciated.
A special thanks to Art Ehuan for his
time and insights. If you liked what you heard, please leave the
podcast a rating and share it with your network. Also
subscribe to the show, so you don't miss any new episodes.
Thank you for listening, and I'll see you in the next
episode.
The information contained in this podcast is for
general guidance only. The discussants assume no
responsibility or liability for any errors or omissions in the
content of this podcast. The information contained in this
podcast is provided on an as-is basis with no guarantee of
completeness, accuracy, usefulness, or timeliness. The
opinions and recommendations expressed in this podcast are
those of the discussants and not of any organization