What lessons can we learn from the Colonial Pipeline ransomware event?
If your business falls victim to a ransomware attack or some other type of breach, how would your company handle recovery? In talks with business owners over the past couple of years, no one thinks too much about what recovering from an event looks like for them. At RealTime we hear “I’ll call you guys!” or “our insurance will handle it”, “our IT guy will deal with it.” Are these courses of action something to stake your business on? Let’s use a real world example happening now with Colonial Pipeline.
Blog: Todd Swartzman, RealTime Chief Information Security Officer
LET’S BEGIN AT THE END
Let’s go a bit out of order and focus on the end of these types of events, the recovery. After all, if your business falls victim to a ransomware attack or some other type of breach, eventually you will get to the recovery phase. In talks with business owners over the past couple of years, no one thinks too much about what recovering from an event looks like for them. At RealTime we hear “I’ll call you guys!” or “our insurance will handle it”, “our IT guy will deal with it.” Are these courses of action something to stake your business on? Let’s use a real world example happening now:
COLONIAL PIPELINE EVENT/RECOVERY FACTS
Event May 5, 2021
Took five days and there are still intermittent service interruptions happening.
Budget? Unlimited. This was a recover at all costs exercise.
Government help – there for the asking
Temporary lifting of regulations to help deliver product.
Colonial Pipeline paid $4.4 million in ransom within hours of the attack. They opted to pay the ransom because it was unsure of the extent of the breach. The hackers provided the company access to a decryption program following the payment, but Colonial Pipeline was not able to immediately restore operations with the tool.
HOW WOULD THIS COMPARE TO YOUR BUSINESS RECOVERY?
Do you have unlimited funding and is FedGov offering every assistance available to you?
Can you go 24x7 until it’s recovered? What about your primary business serving customers, who’s going to do that while all hands are on deck dealing with the current fire? If you have one IT guy, this isn’t realistic, even if they did have the requisite skills, and they probably don’t.
Do you assume you’ll only be down for a few days? Average time to recover a small business is about two weeks, but that can vary wildly.
CLOSING
CYBERSECURITY IS NOT JUST A TECHNICAL PROBLEM. IT’S A BUSINESS PROBLEM.
Use this as a lesson you can learn at someone else’s expense. Review your own controls, backups, response plans, insurance policy, and your budget to make sure that your plan is documented, understood, and most importantly is realistic.
CISA (Cybersecurity & Critical Infrastructure Agency) put out an alert on Best Practices for Preventing Business Disruption from Ransomware Attacks. And if you are curious, yes, Colonial Pipeline would be subject to adhering to CISA requirements as they are critical infrastructure.
Article link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
Dealing with a Cyber Insurance Claim
Paying the ransom doesn’t guarantee you’ll get your data back. These are criminals after all, and some are very professional, and some are careless. It may be that the attacker corrupted the data during the encryption process. To mitigate some of the risk, use a professional negotiator and Incident Response firm. The pros generally know which gangs and ransomware variants are reputable and recoverable and which are not. DO NOT TRY AND DO THIS YOURSELF.
BY TODD SWARTZMAN, REALTIME CISO
At RealTime, we highly recommend setting up an appointment with a breach coach through the insurance carrier. Use this call to better understand the process in case you do need to make a claim. Having a reasonable expectation on what the process looks like will take some of the stress off of you in the event you have to make a claim.
PAYING THE RANSOM
Paying the ransom does not guarantee you’ll get your data back. These are criminals after all; some are very professional, and some are careless. It may be that the attacker corrupted the data during the encryption process, or they never intended for you to be able to recover because hey, they are criminals. To mitigate some of the risk, use a professional negotiator and Incident Response firm - these are usually part of your cyber insurance coverage. The pros generally know which gangs and ransomware variants are reputable and recoverable and which are not. DO NOT TRY AND DO THIS YOURSELF.
Even if you do pay the ransom and you get the decryptor keys, and they work, the process to decrypt is pretty slow. This slow process is exacerbated by having to juggle multiple decryptors; the standard is one decryptor per machine, so if you have 500 computers and 20 servers, that is 520 unique decryptors. Some ransomware events have used unique decryptors per file share, or even worse, per file (probably due to mistakes during the encryption process.) Can you imagine dealing with a tens of thousand individual keys? That is basically impossible without serious automation and expertise on the part of the incident response firm.
Even if you manage to recover, you still are at risk of the criminals exposing your private data online, as an additional bite at that extortion apple. Why? The past 18 months has seen the threat of exposing your data online become commonplace.
A step everyone needs to take in any cyber incident is to have a professional confirm that the criminals no longer have presence on your information systems before you try and go live again. It’s a common tactic that the criminals will wait until you recover everything (whether you paid the ransom or were able to recover on your own from good backups) and then they hit you again, but this time they nuke your backups first.
If you do get to the point where you need to make a ransom payment in order to recover your data, make sure that you understand what the policy covers and how the process is supposed to work. In the past, the insurer paid the ransom directly, now some policies are requiring that the policy holder pay the ransom and then the insurance will reimburse the policy holder.
This opens up some questions such as: If the ransom is $500k and I have to pay it, where am I going to come up with $500k? And, since they want payment in bitcoins, how the heck do I buy $500k worth of bitcoins?
Coming up with the money might be on you, but the insurance breach coach and incident response team should be able to provide guidance on the whole payment process and bitcoin subject. Be sure to ask before you ever need to use that policy! Another thing to ask is about ransom negotiations: Will the insurer help with that? On this note, it may even be illegal to pay certain ransomware gangs – see OFAC advisory (PDF Warning).
CLOSING
What this should help you realize is that you want to take reasonable steps to reduce your risks of becoming a victim in the first place. Solid cybersecurity and a good backup strategy that will allow you to recover your data in a reasonable amount of time is a necessity these days. Not only is this generally a much faster way to recover than leveraging your cyber insurance (which can take weeks or months to fully recover from) you will save yourself a lot of stress. Questions? Let us know…
Cyber Insurance Sample Questions
The cyber insurance questionnaire(s) you fill-out may have some definitive questions that want Yes or No answer. Not all applications will have the same questions as each insurer and even many insurance brokers have their own questionnaires that they use as part of the application process.
EXAMPLES OF QUESTIONS ON A CYBER INSURANCE APPLICATION
The questionnaire(s) you fill-out may have some definitive questions that want Yes or No answer. Not all applications will have the same questions as each insurer and even many insurance brokers have their own questionnaires that they use as part of the application process.
You can ask the broker to help you better understand what these questions are really asking, and you can even add an addendum to better explain the answer to any questions that aren’t really a Yes or No given the question.
That policy questionnaire is an excellent (free) way to measure how your business is positioned as far as your basic cybersecurity, your controls, policies, your compliance status, etc. If you find yourself answering “No” to many of the questions, this is your opportunity to improve your security to better protect your business, and maybe help you get better cyber insurance premiums.
The questions being asked are proven steps businesses should already be taking to reduce their risks of a breach or ransomware event.
Here I’ve listed some sample questions that insurers may use to help them qualify your business (aka, how risky are YOU to the insurer) for cyber coverage; having these things in place will make it less likely you’ll need to use that shiny new cyber insurance policy:
Email Security
Do you filter emails for malicious attachments or links?
Do you strictly enforce SPF on incoming emails?
Do you train your email users to recognize phishing and other email based threats?
Do you use Office 365 in your organization
If yes, do you enforce MultiFactor Authentication for all Office 365 accounts?
Internal Security
Do you use Endpoint protection products across your enterprise? There may be choices or a listing of common products to help answer.
Do you use multi factor authentication?
For remote access?
Do you have a process to apply critical security patches rapidly?
Do you use web content filters to block potentially malicious content?
Do you use protective DNS services (Open DNS, Quad9, etc.?)
Do you provide your users with a password manager software?
Do you have a firewall with active security services such as Intrusion Prevention Services, malware scanning, or similar?
Backup and Recovery Policies
Are your backups kept separate from your network (offline) or in a cloud service designed for this purpose?
Do you use a cloud syncing service (e.g. Dropbox, OneDrive, Sharepoint, Google Drive) for backups?
Have you tested the successful restoration and recovery of key server configurations and data from backup in the last 6 months?
Other Ransomware Preventative Measures
Please describe any additional steps that your org takes to detect and prevent ransomware attacks.
Once you purchase a policy, you still have some work to do in order to get the most out of the policy and further reduce your business risks. Every reputable underwriter has resources that their policy holders can use to shore up defenses, create policies, and help train staff. Use them, after all, you are paying for it. Many have resources like policy samples, virtual CISO services, Incident Response Planning guides, courses on HIPAA and PCI, awareness training content, just to name a few.
Cyber Insurance - Application Tips
Your business is a target, whether you care to admit that fact or not.
Having a good cyber insurance policy is a safety net for your business in case of a breach, data loss event, business interruption due to a cyber event, assistance in a ransomware event, etc. Each policy is worded differently, and some policies won’t cover all things, or with the same limits.
Why does my business need cyber insurance?
Your business is a target, whether you care to admit that fact or not.
Having a good cyber insurance policy that helps mitigate some of your business risks is a safety net for your business in case of a breach, data loss event, business interruption due to a cyber event, assistance in a ransomware event, etc. Each policy is worded differently, and some policies won’t cover all things, or with the same limits.
[Contact your insurance broker to get the process started. If your agent doesn’t seem to be very conversant on this subject, a good agent will loop in a cyber expert from the underwriter.]
FILLING OUT THE CYBER INSURANCE APPLICATION
WHAT SHOULD MY MINDSET BE WHEN FILLING OUT THE APPLICATION?
Think liability. Your job isn’t to make your business look good to the broker or underwriter. Be 100% forthright with your answers and be sure to answer accurately. Ask the broker or underwriter to define their terms. What we commonly understand a term to mean isn’t necessarily what the insurer says that these policy terms mean, so be sure to get clarification. One policy I was working on included a 28-page document explaining the terms of their one-page proposal. Remember, what you think a term means may be quite different than what the insurer says that term means for their policy – go with the insurers version.
WHAT IF I DON’T KNOW THE ANSWER TO SOME QUESTIONS?
If you don’t know the answers to some of the questions, just tell the broker; or if you’ve been asked to answer the questions on behalf of a client, let the client know you don’t know the answer. This is especially important if the question is a legal or compliance type question. Your goal is to answer accurately, and it is critically important that you do so.
Here is why:
Cottage Health Systems got sued by their insurance company for failure to follow “Minimum Required Practices”. This is an example of what can happen if you have to make a claim and you answered inaccurately during your application. Cottage Health said they were doing something preventative relevant to the event, but they actually were not. READ MORE HERE…
TYPES OF QUESTIONS
The questionnaire(s) you fill-out may have some definitive questions that want a Yes or No answer. Not all applications will have the same questions as each insurer and even many insurance brokers have their own questionnaires that they use as part of the application process. Ask the broker to help you better understand what these questions are really asking. You can include an addendum with your responses to better explain any answers where a Yes or No isn’t the best answer.
That policy questionnaire is an excellent way to measure how your business is positioned as far as your cybersecurity, your controls, policies, your compliance status, etc. If you find yourself answering “No” to many of the questions, this is your opportunity to improve your security to better protect your business, and maybe help get better cyber insurance premiums.
The questions being asked are some basic, proven mitigations that businesses should already be taking to reduce their risks of a cyber event such as a breach or ransomware. Here is a list of some sample questions that not only will help you qualify for insurance; having these things in place will make it less likely you’ll need to use that shiny new cyber insurance policy.
True or false: You should reboot your computer every day
There are few certainties in life: Death, taxes, and turning your computer off and on when there’s a problem. This advice is usually the first tip you get from friends, family, and tech support. Rebooting your computer helps keep it running smoothly. It clears the memory, stopping any tasks that are eating up RAM. Even if you’ve closed an app, it could still tap your memory. A reboot can also fix peripheral and hardware issues.
Author Kim Komando
Special to USA TODAY
Published 5 a.m. ET Feb. 11 2021
There are few certainties in life: Death, taxes, and turning your computer off and on when there’s a problem. This advice is usually the first tip you get from friends, family, and tech support.
Rebooting your computer helps keep it running smoothly. It clears the memory, stopping any tasks that are eating up RAM. Even if you’ve closed an app, it could still tap your memory. A reboot can also fix peripheral and hardware issues. If your computer is still running slow, this one insider trick could definitely help.
So, how often should you be rebooting your computer? Let’s take a look at how rebooting can impact your system and when exactly you should be doing it:
Give your computer a fresh start
We recommend that you shut down your computer at least once a week. A reboot process returns everything to its bootup state, from your computer's CPU to its memory.
Many people will shut down their computer by holding in the power button. This way may cause additional problems. Tap or click here to see how to restart your PC or Mac properly.
Rebooting your computer involves two steps – shutting down the computer and then starting it up again. When you reboot/restart your computer, it will lose power during the process and start up again on its own.
Your computer itself will occasionally prompt you to restart it, usually after downloading an update. Newer machines need fewer restarts, but a major software patch usually requires one.
Reduce wear and tear
Your computer is full of moving parts. Its CPU, essentially the brain, has a fan. High-end graphics cards also need a cooling system. Though solid-state drives are becoming more popular, most PCs still use hard disk drives, consisting of spinning discs.
All of these components wear down over time and the longer you keep your computer running, the shorter their lifespan will be.
It's easy to fall into the habit of leaving it on to avoid having to go through the bootup process, but it will help you get more life out of your machine. If you are stepping away for a few hours or would rather not wholly shut things down, you can put your PC down for a nap.
Sleep it off
Sleep mode puts your computer into a low-power state. The fans will stop spinning and the hard drive will stop functioning, so things will get quiet.
With sleep mode, your computer’s current state stays in the memory. When you wake up your machine, your open apps, documents, music, etc., will be right where you left them. Tap or click here to see how your iPhone and Apple Watch can help you improve your sleeping habits.
To put your PC in sleep mode:
1. Open power options:
• For Windows 10, tap Start > Settings > System > Power & sleep > Additional power settings.
• For Windows 8.1 / Windows RT 8.1, swipe in from the edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down and click Search), enter Power options in the search box and tap Power options.
• For Windows 7, tap Start > Control Panel > System and Security > Power Options.
2. Do one of the following:
• If you’re using a desktop, tablet, or laptop, select Choose what the power buttons do. Next to When I press the power button, select Sleep > Save changes.
• If you’re using only a laptop, select Choose what closing the lid does. Next to When I close the lid, select Sleep > Save changes.
3. When you’re ready to make your PC sleep, press the power button on your desktop, tablet, or laptop, or close your laptop’s lid.
On most PCs, you can resume working by pressing your PC’s power button. However, not all PCs are the same. You might be able to wake it by pressing any key on the keyboard, clicking a mouse button, or opening the lid on a laptop. Check the manual that came with your computer or go to the manufacturer’s website.
It takes less time to wake up a computer than it does to turn it on after a shutdown, but sleep mode still consumes power. To clear out bugs, memory leeches, nonfunctioning network connections, and more issues, a reboot is the way to go.
Learn about all the latest technology on the Kim Komando Show, the nation's largest weekend radio talk show. Kim takes calls and dispenses advice on today's digital lifestyle, from smartphones and tablets to online privacy and data hacks. For her daily tips, free newsletters and more, visit her website at Komando.com.