During the Jewish holiday of Passover, it’s traditional for the youngest child to ask the four questions, seeking to understand the symbolism behind the story of the exodus from Egypt. “Ma Nishtana” they ask in Hebrew. Why is this night different from all other nights?
That phrase popped into my head as the Colonial Pipeline hack captured the headlines over the last two weeks. The professional hacker group DarkSide (who thought there’d be a day when hackers operated like legitimate corporations?) infected portions of the Colonial Pipeline computer system with Ransomware, forcing Colonial to shut down operations. This brought gas shortages and significant price increases to a good portion of the southeastern United States. It’s little solace that DarkSide just issued a media release saying they’re shutting down operations (hackers have PR staffs?)!
After Colonial paid a reported $5M in ransom to allow for restoration of operations, I kept asking if this time, things might be different.
Ransomware has been around since 1989. It was created by a biologist, Dr. Joseph Popp, who distributed 20,000 floppy disks to everyone who attended a WHO conference on AIDS. The “AIDS trojan” encrypted file names, hid directories, and told users they had to send $189 to a Panama address. While Ransomware didn’t hit the “big time” until 2013 with the first widely distributed Crypto-Ransomware, it’s been around for 30 years. Those of us in IT took notice but the rest of the world thought it would happen to somebody else, if they thought about it at all.
Will this attack that hit much closer to home change the way people act or change the way you and your staff operate? Will folks be extra cautious looking at emails they receive? Will it help you get that final approval from your organization’s leadership to replace legacy applications that still work but can’t be patched? Will this allow you to focus better on patch and configuration management? Or will folks still carelessly click on emails in a hurry to get to the next one, will leadership still say that funding needs to go elsewhere, and will you still cave in to the pushback from staff or customers that it’s not the right time to patch or to make changes to the system, or that it’s inconvenient for users?
It’s Not Rocket Science!
80% of exploited vulnerabilities exploit system weaknesses identified back in 2017. The Colonial hack was not particularly sophisticated and probably originated either when an employee clicked on a malware-infected email or when the attackers identified weaknesses in third-party software. “Some of the biggest attacks we’ve seen all started with an email,” says Jon Niccolls of Check Point.
Let’s stop the insanity (doing the same thing over and over again and expecting different results) and change the thinking:
- External email is not a “birthright” for all employees. If it isn’t an absolute requirement for the job, don’t give it to them.
- Internet access is also not an inalienable right. Too often I hear businesses say “it helps with work/life balance” – there are other ways to accomplish this than providing risky internet access.
- Security is inconvenient – get over it – people will change and adapt. Back in the late 19th century, wearing surgical masks, hoods, and gloves was quite a controversy in the medical profession and scoffed at by some. No physician would go without one today. People will get used to, and even expect, downtimes for patches, multi-factor authentication, and other good barriers to help the containment or prevention of infection.
- Learn how to sell security to leadership – become the squeaky wheel – show them the overwhelming evidence available on the compromises that happen due to outdated systems.
Ma Nishtana indeed.
Be safe. Be secure.