Snake Oil Won’t Cure Your Security Illness

Part two in a three-part series about the information security industry money grab.

Introduction

NOTE: I covered some of these issues in my book; Unsecurity: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?

In this series, I’ll focus on three types of money grabbers:

  1. Those who will do anything and everything for your money,
  2. Those who sell snake oil, and
  3. Those who will sell you something regardless of its effects on your security.

There’s no doubt that the money grab is alive and well in the information security industry. Some companies and people in our industry will do everything they can to get their hands on your money. Some of them should get your money, while others should be put out of business because of their deceptive practices.

Clark Stanley’s Snake Oil

This stuff was amazing. A concoction, or “liniment” as Clark Stanley called it, that would cure just about anything: rheumatism, neuralgia, sciatica, “lame back”, lumbago, “contracted cords”, toothaches, sprains, swelling, etc. I don’t even know what half these ailments are, but I don’t know if I’d care either. This stuff would cure me of ailments I don’t even know I have, and it would protect me from future ailments. If I had been alive in the 1890s, I might have bought some of this wonder juice.

When Clark Stanley started peddling his snake oil to the ignorant masses, there was nothing to stop him. There was no regulation to govern the safety and effectiveness of drugs until 1906. Nobody even knew what Mr. Stanley’s wonder-drug was made of until 1916. That was the year the Bureau of Chemistry (later the Food and Drug Administration, or FDA) tested Snake Oil and determined it was made from mineral oil, 1% fatty oil (assumed to be tallow), capsaicin from chili peppers, turpentine, and camphor.

People caught on, the jig was up, and Stanley eventually pled no contest to federal civil charges that were leveled against him.

Information security industry snake oil

There’s snake oil for sale in our industry. Don’t buy it. It doesn’t work (for you).

Thanks in large part to Clark Stanley, the term “snake oil” has become synonymous with products and services that provide little (if any) value, but are promoted as solutions to problems. The term is also used to refer to exaggerated claims made by salespeople.

You’d be naïve to think there aren’t products and services sold in our industry that fit our definition of “snake oil”. There are two types of snake oil being peddled today: the kind that is overtly deceptive and the kind that is covertly deceptive. Both are bad, and you need to watch out.

Overtly deceptive

Overtly deceptive snake oil is the kind that comes with claims so outrageous that you start to question everything you know about yourself. The claims seem so real, with seemingly genuine evidence and fancy words, that you ask yourself questions like “Could this possibly be true?” “Has everything I’ve known about these things been wrong?” “How could I be so wrong?” “Is my existence a joke?”

No, you’re not wrong. Your existence is not a joke. The claims are crazy.

Here are two recent examples.

World’s First Patented Unhackable Computer Ever

What?! Unhackable? This can’t possibly be true. Can it? Well, if we were to believe Pritam Nath, the CEO of MicrosafeX Company, then yes, it is true. If you use your noggin and think about this for a minute, the answer is absolutely NOT! There is no “unhackable” computer. There is no “unhackable” anything. Mr. Nath is selling snake oil, and thankfully the jig was up before people fell for it.

You should read his claims on his Kickstarter fundraising page. The claims would be laughable if they weren’t so sad and patently false. There were 36 reported “backers” of Mr. Nath’s snake oil before the campaign was cancelled. I’m guessing most of these people were in it for the fun, not because they took this thing seriously.

Time AI

Sounds cool. What is it?

AI is sexy, but if AI doesn’t get your juices flowing, how about “quasi-prime numbers”, “infinite wave conjugations,” and “non-factor based dynamic encryption and innovative new developments in AI”?

SOLD! Lots of big words solving cool problems that I don’t understand. Must be cutting edge stuff.

The company peddling this Time AI thingy is Crown Sterling out of Newport Beach, California. I’d never even heard of these guys before last week.

Last week, at Black Hat, Robert Edward Grant, the company’s Founder, Chairman, and CEO, gave a talk titled “The 2019 Discovery of Quasi-Prime Numbers: What Does This Mean For Encryption?”. The talk was so overtly snake oilish that it prompted very strong reactions (outrage) from some people who were there.

Dan Guido, the CEO of Trail of Bits, stood up during Mr. Grant’s snake oil pitch and shouted “Get off the stage, you shouldn’t be here!” “You should be ashamed of yourself!” Ballsy.

Here’s a video clip of the exchange.

Jean-Philippe Aumasson is a serious crypto guy, and the author of the book Serious Cryptography.

There was enough of an uproar to force changes at Black Hat, including removal of references to the talk from the conference website and a promise of better vetting of sponsored talks in the future.


These are two examples of obvious and overtly deceptive snake oil. There’s also the less obvious, covertly deceptive variety.

Covertly deceptive

Covertly deceptive snake oil is hard for the inexperienced and/or lazy security professional to identify. It’s the sort of snake oil where a salesperson or company claims that their product does something it doesn’t, or that it will solve a problem when it won’t. This snake oil is hard to identify because you won’t know unless you know.

One tell for covertly deceptive snake oil is the prominent use of sexy buzzwords. Common sexy buzzwords/phrases include:

  • Artificial intelligence or “AI”
  • Blockchain
  • Digital transformation
  • Big data
  • Machine learning or “ML”
  • Nextgen
  • Data-driven

If someone uses a buzzword or phrase that you don’t understand, go find out what it means. Don’t just sit there and nod your head like you know. Discounting buzzwords and phrases won’t always work though. There are legitimate companies and products in the market that use sexy buzzwords but work as promised.

The key to protecting against covertly deceptive snake oil is to follow the advice in the closing (below): research, educate, and/or ask. Don’t ever rely solely on the opinions and research provided by the company or salesperson who’s selling; it’s biased.

Buyer beware

It’s you who makes buying decisions for you. No pressure, but every dollar you spend on security is one less dollar your organization can spend on fulfilling its mission, so you should get it right.

Don’t ever buy anything without doing one (or all three) of the following:

  1. Conduct in-depth research into the product and how it works.
  2. Educate yourself on the technology the product claims to use.
  3. Ask an unbiased expert for his/her opinion.

If we all made good purchasing decisions, the snake oil would dry up. You will need to do more work, but in the end it will save you.

Beware of People Who Do Everything

Part one in a three-part series about the information security industry money grab.

Introduction

NOTE: I covered some of these issues in my book; Unsecurity: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?

In this series, I’ll focus on three types of money grabbers:

  1. Those who will do anything and everything for your money,
  2. Those who sell snake oil, and
  3. Those who will sell you something regardless of its effects on your security.

Sometimes the money grabbers grab your money intentionally, but rarely do they do it with malicious intent.

There’s no doubt that the money grab is alive and well in the information security industry. We’re in the midst of the cybersecurity gold rush, and there are thousands of companies fighting for their piece of your pie.

Cybersecurity gold rush

First, a quick comparison between the famous California gold rush and our cybersecurity gold rush.

The California gold rush looked like this: $10 million in 1849, $41 million in 1850, $75 million in 1851, and $81 million in 1852 (peak). After 1852, the rush gradually declined until 1857, then leveled to about $45 million per year.

The cybersecurity gold rush looks like this: $3.5 billion in 2004, $114 billion in 2018, $124 billion in 2019, and $170 billion by 2022. We haven’t exactly leveled off yet, but that day will come.

The truth about the cybersecurity gold rush: if you’re not one who’s making money, you’re probably one who’s spending it.

Spending well or not

Ask yourself these questions:

  • How confident am I that I’m spending my information security dollars wisely?
  • Am I getting the most value out of every dollar I spend?
  • Where do I get answers?

If you seek answers from a money grabber, you’re in for a rude awakening. Maybe not immediately, but soon. Money grabbers are biased; they’ll give you answers with a bias to sell you something.

So, how can you tell a money grabber from a trusted source of good information? It starts with understanding who the players are in our industry.

The Players

There are four players (or roles) in our industry: manufacturers, vendors, partners, and practitioners. Each of the players serves a very important role in making our industry function, and one player cannot effectively exist without the others. Don’t fall into the trap of thinking that one player is any better than another; they’re all critical.

Let’s break them down.

Security Manufacturers

Security manufacturers provide innovative hardware and/or software designed to solve real-world information security problems. They are critical to the information security industry because they make the tools we all use to secure ourselves.

Security manufacturers have three responsibilities to our industry:

  1. Understand the problem they’re trying to solve enough to make an effective hardware and/or software solution.
  2. Make an effective hardware and/or software solution that solves a problem.
  3. Sell the hardware and/or software solution to people in order to make money.

The manufacturer obviously needs to make money in order to satisfy investors and stakeholders. They’ll also need the capital to make more products. Stop the cycle and the manufacturer dies.

All fine and dandy.

Problems arise when a manufacturer attempts to play other roles, like giving you non-product-related advice. It only seems logical that the advice you’d receive would be biased by one of their primary motivations, which is to sell you their products. A manufacturer wants to sell you things because they want your money. What they sell you might solve a problem, but if it doesn’t, that’s ultimately your problem. The worst practice is convincing you that you have a problem that in reality doesn’t exist.

Even if a manufacturer solves a problem for you, you need to ask yourself if it was the right problem to solve. Was the risk significant enough to warrant a reallocation of resources (personnel, time, money, etc.)?

A manufacturer is probably not the best place to ask your questions about where you should spend your next information security dollar. They’ll certainly have an answer, but it won’t be unbiased, and it may not be in your best interest.

Security Vendors

Security vendors are an interesting bunch. They don’t make products, they sell them. We need vendors though. We need them because they’re closer to our problems than most manufacturers, and they know products better than partners (up next). They give manufacturers a distribution and support channel, so the manufacturer can go back to what they do best, making things.

Vendors represent products made by the manufacturers, and probably provide support for the products too. Vendors are usually specialists in the products they represent and are the “go to” people for making sure your products operate the way they’re intended to operate.

Advice from a vendor might be closer to the truth, but it will still be significantly biased. Vendors get paid for selling products, and they only represent their suite of products. Vendors, like manufacturers, want to sell you something. Ultimately, they want your money. Solving problems will be limited to the products they carry and advice probably won’t take other creative possibilities into account. Security vendors usually don’t innovate much and are more likely to go with whatever the herd is doing.

Security vendors are the best place to go for advice about a specific suite of products, but are not the best place to go for unbiased expertise.

Security Partners

A true security partner is a consultant without bias, but someone without bias is a pipe dream. The truth is, nobody is without bias, but good partners do their best to be a trusted advisor to clients with as little bias as possible. Good security partners who understand the importance of their role (in the industry and to their clients) are product agnostic. They strive to make recommendations based on what’s best for the client.

Partners also want your money, but they won’t make money if they betray your trust. Trust is what keeps them honest.

Advice from a security partner must be as unbiased and as objective as possible. Security partners are good at creating or finding innovative solutions to problems because they’re not tied to any specific product or suite of products. One problem with a security partner is they may not have the deep knowledge about any one particular product like a vendor or manufacturer may have. Partners try to compensate for this by establishing working (not selling) relationships with vendors and manufacturers.

Security partners are the best place to go for advice about solving your information security problems with as little bias as possible. A security partner would be the best place to start for answers to most information security questions.

Security Practitioners

The hard-working security people who bust their asses every day to make their workplace and the world a better place. Security practitioners make (or influence) buying decisions, and they’re the ones who live with the fruits (or consequences) of their decisions. Most security practitioners don’t have time to research everything and need others to assist them in fulfilling their own personal mission.

Security practitioners deserve, and should demand, respect at all times.

OK, now you know the roles/players. Where’s the money grab?

Beware of People Who Do Everything

I’m speaking to the security practitioners now.

Wouldn’t it be great if you could go one place for everything? A one-stop shop. Seems like a great idea and a real benefit, but it’s ignorant to think that there wouldn’t be an undercurrent of bias that could hurt you and your organization.

  • A manufacturer is biased to sell you their products.
  • A vendor is biased to sell you something out of their suite of products.
  • A partner couldn’t even sell you products if they wanted to. A partner cannot be a one-stop shop even if they want to be.

If you’re comfortable with the bias and you’re comfortable with the inevitable waste of resources, you’ll be comfortable with the one-stop shop approach. It’s lazy and wasteful, but it’s your security program.

If you’re not comfortable with the bias and wasted resources, you might have a little more work cut out for you. The right thing is to use each player for what they were designed for. A manufacturer for buying their products, a vendor for buying from their suite of products and product support, and a partner for the best advice.

Problems come when a player doesn’t understand their own role: when a vendor tries to be a partner too, or when a partner tries to be a vendor too. Worse yet is the player who tries to be manufacturer, vendor, and partner all at once. If you didn’t know any better, the “we do everything” player has you by the neck.

In my experience, the most common offender of their role, almost like an identity problem, is a vendor. Many vendors grew their business through other means, maybe selling printers and copiers, maybe doing information technology (IT) work, or maybe reselling networking equipment. The vendor resells things, but as a matter of survival and as margins decrease, they look for new streams of revenue. One common stream of revenue is security consulting services where the market is relatively immature and where a vendor can realize more significant margins.

Two problems with the vendor who plays partner:

  1. The bias problem. I’ve already covered this, but it’s a significant problem. I’ve witnessed many occasions where a vendor has sold things to a client that were clearly biased by the fact that the vendor sells those products. It’s only natural that a vendor would sell products, but it’s the practitioner who pays the price.
  2. Good at some things, but an expert in no things. Nobody can be the best at everything; you can only be the best at one thing or maybe a few things. A vendor who sells copiers, installs Cisco networks, builds data centers, and recycles old equipment is not likely to be an expert in information security. Information security requires a specialized skill set, and you will get what you pay for. Unfortunately, it’s the practitioner again who pays the price.

Vendors aren’t bad. Partners aren’t bad. Manufacturers aren’t bad. Things can get bad when one player tries to play multiple roles. These multi-role players do it because it’s in their best interest, not necessarily because it’s in your best interest.

Things can get bad for you when you play into a multi-role player’s hand. You wouldn’t know the difference unless you were paying attention. Spend every information security dollar like it’s precious, because it is. One wasted dollar is one less dollar to spend on other more productive and enjoyable things.

Before I close, and one last time, there is nothing wrong with manufacturers, vendors, or partners. They’re all critical. It just helps if you know who they are, and better yet, if they know who they are.

The UNSECURITY Podcast – Episode 39 Show Notes

HAPPY FRIDAY! You made it through another week. Did you survive or did you thrive? Hmm. Something to think about, I suppose.

Good week here for me, the folks at FRSecure and the folks at SecurityStudio. Most weeks are good weeks really.

I was in town all week, but not in the office too much. Came in for meetings, then excused myself for more writing. Most of my days are consumed by writing lately. Writing a few blog posts, a few articles, and working on the upcoming book.

I’ll leave it at that for now. Many exciting things to share, but we’ll be patient and let them take a little more shape before sharing.

Did you catch episode 38 of the UNSECURITY Podcast? John Harmon, the president of SecurityStudio was in studio and we had a great chat. John and I are working well and working closely together. It’s a blast!

This week’s show, episode 39, is a real treat. “Ben” comes back in studio to give us the lowdown on what he’s been up to. I’m excited for you to hear what he’s got to say. This show is released on Monday (8/5), so be sure to look for it!

On to the show notes…


SHOW NOTES – Episode 39

Date: Monday, August 5th, 2019

Today’s Topics:

Our topics for the week include:

  • Conversation with “Ben”
    • Research
    • Responsible Disclosure
    • Social Engineering (SE) Things
    • Team Ambush
    • DEF CON
  • Industry News

[Evan] – Hello listeners, and welcome to episode 39 of the UNSECURITY Podcast. My name, for those of you who don’t know, is Evan Francen. I’m your host for today’s show, again. Scheduling stuff for security people is always a pain in the ass, and this week is no different. We’re recording this show on Friday because I’m out of the office next week. This is still Brad’s vacation, so he’s out of hand for hosting. All this means that I get to host again! That’s cool, right?!

Brad will be back next week, and he’ll have a great show planned I’m sure.

Now, you don’t want to sit there and listen to this voice for an entire show, so I invited someone last minute to join me. I found “Ben”! Want to say hi to the listeners Ben?

[Ben] Ben does Ben.

[Evan] Ben, thank you for agreeing to join me, especially last minute like this.

[Ben] Ben does Ben.

[Evan] Ben’s not your real name, right? So why do we call you “Ben”?

[Ben] Ben does Ben.

[Evan] You were here back in episode 14 (February 11). It was a great talk then, and this one will certainly be as good or better. Ben, you live a damn cool life, at least as it goes for security people. You cool if we talk about some of the things going on with you?

[Ben] Ben does Ben.

Conversation with “Ben”

Topics to discuss with Ben include:

  • Research
  • Responsible Disclosure
  • Social Engineering (SE) Things
  • Team Ambush
  • DEF CON

[Evan] See, I told you. Ben does cool stuff, and a lot of it! We could have talked for hours, but we can’t do that here. Let’s close with some news.

Industry News

Plenty of news this week, but arguably the most talked about is the Capital One breach. Instead of what’s in your wallet, now the joke is “who’s” in your wallet. Seriously though, this was big news this week.

Here’s our news to discuss in this week’s show.

Closing

[Evan] – So, there you go. That’s how it is. Ben, a huge thank you for joining me this week. Best of luck to you and all of Team Ambush this week at DEF CON. You’re going to have a great time and I can’t wait to hear how things went. Also, as always, thank you to our listeners. The podcast continues to grow and we’re grateful. Keep the awesome feedback coming, send it to unsecurity@protonmail.com. If you give us something real cool, we’ll mention it. Without your approval of course. Wait. That’s not right. I mean WITH your approval.

If you’d like to be a guest on the show or if you want to nominate someone to be a guest, send us that information too.

Ben, how can people reach out to you? Or do you even want people to reach out to you?

[Ben] People can reach me through Twitter. My Twitter handle is @M1ndFl4y. I don’t post much, but you can reach me through a DM there.

[Evan] OK. Thanks again. Find us on Twitter for daily chatter. I’m @evanfrancen and Brad’s @BradNigh. Have another great week everybody!

According to Author, Some Corporations Have “Achieved Security”

A friend of mine brought something to my attention this week. He said he heard there’s a guy out there claiming there are unhackable companies.

Me: Unhackable?

Friend: Yep, unhackable.

Me: What?! No way man. This can’t be true.

Friend: Oh yeah, it’s true. Want me to send you a link?

Me: Absolutely. I’ve got to see this.

He sent me a link to a National Public Radio (NPR) show transcript. The show, All Things Considered, is hosted by Ari Shapiro, a well-respected journalist. Appearing on this show was Richard Clarke, promoting his new book, “The Fifth Domain”. For those of you who don’t know who Richard Clarke is, he was the National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States from 1998 to 2003, an impressive position. He also led a lengthy career with the U.S. government. Like most people in the government and most politicians, he’s well-respected by some and hated by others. Since leaving the public sector, he’s written a bunch of books and he’s been fairly active in speaking about information security (or as he calls it “cybersecurity”). You can read his Wikipedia page if you want to know more about him.

So, I dug into the transcript looking for the place where this wild unhackable company claim was. At this point, I’m still thinking my friend must be mistaken.

SHAPIRO: One line in the book stood out to me from somebody who was talking about election security but could just as easily have been talking about other aspects of cybersecurity. And the line is, our house was robbed, so let’s at least lock the door. The problem is there are so many doors in the United States – 50 states, thousands of counties, who knows how many private businesses. Each one of them is a target. So is it naive to think that anyone could prevent the house from being robbed again?

CLARKE: There are major American corporations that have achieved security – cybersecurity. They don’t like to attract attention to themselves. They don’t like me using their names, so I won’t. But there are big American companies that have done it. Ten years ago, when we wrote the book “Cyber War,” we said no company is safe. If the Russians or the Chinese want to get into your network, they can. Now we’re saying that’s no longer true.

Wait. What the hell does “achieved security – cybersecurity” mean?! Is he saying there are mysterious unhackable “big American companies”? If they’re unhackable, why can’t we know their names and why can’t we share the secret sauce that makes them unhackable with the rest of the industry?!

I can tell you why we don’t know the names of these unhackable companies, and it’s not because Mr. Clarke won’t share them or because they don’t like him using their names, it’s because they don’t exist!

How about the secret sauce, surely this can be shared. Ari Shapiro, being the very good journalist that he is, asks.

SHAPIRO: What do the companies that have not been successfully hacked have in common? What are they doing right?

CLARKE: The companies that are resilient spend more money on it and have a better governance model so that the guy in charge or the gal in charge reports to a much higher-level official. They’re not buried in the bureaucracy of the company. And in terms of just a raw metric, the good companies – the companies that are successful at this – are spending 8% to 10% of their IT budget securing their networks. There are banks in New York that are employing thousands of people and spending hundreds of millions of dollars each year.

Am I reading this right? The secret sauce is “more money” and a “better governance model”? Can’t be. There’s got to be more than that. Well, he goes on to say there are banks in New York who employ thousands of people spending millions of dollars. Banks in New York. Could this be a hint about one of these mystery companies? He also referred to people. There’s a problem now, once you bring people into the equation. Something that’s unhackable requires perfection, doesn’t it? If there’s a flaw anywhere, there’s a potential vulnerability. These people must be infallible. Do you think these are infallible people? They don’t make mistakes? What kind of people must these be?

Want an unhackable company? Find perfect, infallible people. That’s got to be part of the secret sauce!

Back to the money thing. How much money is “more money”? Surely if we throw more money at the problem, it’ll get solved. After all, we’re throwing billions of dollars at the problem every year. Mr. Clarke claims that the successful companies are spending 8% – 10% of their IT budget on security. On average a large company (more than $2 billion in revenue) spends 3.2% of revenue on IT, but banks spend more like 7%. So, let’s take a $2 billion (revenue) bank. If they spend between $11,200,000 and $14,000,000 ($2 billion x 7% x 8 or 10%) on security, will this make them unhackable? How about J.P. Morgan? This is the biggest bank in New York. They had revenues of $109 billion in 2018. If they spend (or spent) between $610 million and $763 million on information security, did this, or could this, make them unhackable?

Hmm. Maybe, but we still got that people thing. He also mentions another requirement. The guy or gal running this unhackable security program needs to report to the top, like the CEO or even the board.

So far, we can glean that we’ll need the following for an unhackable company:

  • More money – somewhere between 8-10% of 3.2-7% of revenue, maybe even more.
  • Better governance model – report to the CEO or board.
  • Infallible people – perfect people

SHAPIRO: You’ve said the government has acknowledged that it is hackable and that companies have figured out how to get the upper hand and prevent themselves from being hacked. Why can’t the government learn the lessons that these companies have learned?

CLARKE: Well, I think part of the problem is the federal government, which has maybe 40 or 50 major departments and agencies, insists that they all defend themselves. I don’t think that should be the job of every federal agency. What we propose in the book is that the government create one single cybersecurity office for all the little agencies and departments that can’t do it. This is what’s done in the private sector. A lot of companies don’t do it themselves.

SHAPIRO: They outsource it. They hire a contractor.

CLARKE: They outsource it, and you pay them by the month. And you get the – you get them handling all of your security. That’s the way the federal government should do it.

Ooh, another hint. Outsource all your security. Lord knows, a third-party will most definitely treat your stuff as well or better than you will.

DONE! Want an unhackable company, do this:

  • Spend more.
  • Govern better.
  • Be perfect.
  • Outsource stuff.

Let’s Be Real Now

You sensed the sarcasm, right? Here’s the truth:

YOU CANNOT BE UNHACKABLE, EVER.

Anytime you hear someone claim that something or someone can’t be hacked, give it a long sideways look. A person who says such things almost instantly loses credibility with all of us who know better. To give Mr. Clarke the benefit of the doubt, he didn’t explicitly say that there are unhackable companies. He just sort of implied it. It’s also possible that I misunderstood what he was saying, but I read the transcript multiple times and came to the same conclusion. Could be he’s just trying to sell books too. Who knows for sure?

The goal isn’t to be unhackable. The goal isn’t to eliminate risk. The goal is to manage it. Eliminating risk would require perfection, and perfection isn’t possible. If anyone tells you differently, he/she is a fool. Don’t take advice from a fool.

CALL TO ACTION UPDATE – Doing your part about civic ransomware

Does the all caps “CALL TO ACTION UPDATE” get your attention? It’s supposed to.

The facts:

  1. The call to action still stands.
  2. Our municipalities are still under siege.
  3. The ransomware threat has far from abated.
  4. Too many communities are under-prepared.

You aren’t powerless. You have options.

  1. You can sit there and do nothing, playing the victim.
  2. You can point fingers and complain, playing the critic.
  3. You can wait for somebody else to do something, playing the sluggard.
  4. You can be part of the solution by doing something constructive, playing the responsible citizen. In my opinion, this is the best option.

If you choose (or have chosen) option 4, pen an email to your local government officials. Respectfully ask them how they’ve prepared for an eventual ransomware attack. If you are willing and able, offer to help them if they need it. If you aren’t willing or able to help them, refer them to one of us who is willing and able to help them.

Follow the guidance in my previous CALL TO ACTION article or follow your own charge.

For those of you who choose to do nothing, you have no right to play the victim card or complain. You give up those rights, in my opinion.

UPDATE

Now for the update. Many of you have taken me up on the CALL TO ACTION. You have emailed your local government officials and you’ve shared some of their responses with us at unsecurity@protonmail.com.

Kudos to you for choosing option 4 (above)!

Here are some of the responses that have been shared with us, protecting the names of the innocent/guilty.

Response from small city in a rural area:

We are familiar with these attacks on cities and we utilize network security professionals to protect our systems.  We also utilize a firm to audit us and test for gaps or issues proactively as well as routinely backing up and storing our data off site to protect against ransom demands and other risks.

Not too bad. The resident followed up with the city to gain more insight and offer help. Nice work!

Response from a medium-sized U.S. county:

Thanks for reaching out. No organization can claim with 100% certainty that they are protected from any cyberattack. However this is a very front and center topic for <REDACTED> County, and many efforts have been taken to reduce our risk and exposure to various kinds of cyber attacks, including Ransomware.

The County does not have a defined policy regarding what they would do if faced with this decision (in fact none of the metro counties have one, last time I checked), but in my conversations with Administration I do not believe paying a ransom would be an option they would choose.

Hope that helps answer your question.

This is good to know, yes? Someone (why not us/you) should work with this county to address the issue, and while we’re at it, address the issue with all “metro counties”. Kudos to this county official for responding with some transparency!

Response from a mid-sized suburban city:

Thanks for the email. For the security of the City’s network and systems, we follow the recommendations set by the <REDACTED – state’s criminal justice system>. We also use a third party vendor that does penetration testing against our firewall to try to stay ahead of the malicious attacks. We conduct staff cybersecurity training with this third party vendor to ensure our staff is behaving appropriately as well.

OK, maybe not a great response, but a response nonetheless. Didn’t really address the ransomware preparedness question directly, but a conversation has begun. The resident will be following up. Making a difference!

Response from another mid-sized city:

Thank you for your email. The City of <REDACTED> has a multi-faceted approach to cybersecurity.  We have improved security both internally and externally.  While no system is immune from attack, we are actively scanning and patching for vulnerabilities.  A specific key to protecting against ransomware is to have good, frequent, and tested backups.  We maintain a healthy backup system and in the case of a ransomware attack being successful, could restore lost data as needed. It is our policy to not pay ransomware demands.   Our <REDACTED> has made security a top priority, and has taken many steps to enhance the City’s security posture.  This includes revamping the firewall and anti-virus infrastructure.  We continue to take cybersecurity very seriously, and are constantly striving to keep our data secure and protected against attack.

Not bad. Another conversation starter and another difference made, even if a small one.

Final Words (for now)

Responses from good citizens continue to come in to our mailbox (unsecurity@protonmail.com) and we’re encouraged by the actions some of you are taking! For those who haven’t yet reached out to your local government officials, get on it! Again, you can follow the guidance here if you want.

The problem isn’t going away. Here’s some recent news about ransomware and our local communities:

My other related posts in chronological order:

OK, the rest is up to you (or not). That’s the way it is.

CALL TO ACTION – Do Something About Civic Ransomware

Another city ransomware attack, another payment to the attackers. Another win for the bad guys, and another loss for the rest of us. The question is, are you going to do anything about it?

This time the news comes from Lake City, Florida. The 12,000+ citizens of the small(ish) northern Florida town will foot the 42 bitcoin (~$500,000) bill for the city’s poor preparation. Actually, insurance will cover the direct cost, and the city itself only pays $10,000. Chalk up another loss for U.S. cities (and their citizens). The money the attackers walk away with will almost certainly be used to attack other victims, including other cities. Oh, and as far as insurance goes, we all pay a price in higher insurance premiums and limited coverage options. Insurance companies aren’t in the business of losing money.

The quote of the day; “I would’ve never dreamed this could’ve happened, especially in a small town like this” – Lake City Mayor Stephen Witt.

(BTW, I don’t view this as his fault. We, the information security community, obviously failed in reaching him with the message)

Additional details of this latest ransomware payment:

So, what are YOU going to do about this? Yes, you! When I refer to “you”, I’m referring to everyone/anyone, security people and non-security people alike. All of us are in this together.

Should we wait until our city gets hit, or do we believe the false narrative that it will never happen to us/our city?

Will your mayor or local government official be quoted on the news, having “never dreamed” that such a thing could happen?

DO SOMETHING – START HERE

Earlier this week, I posted an article about an email that I was going to send to my city and county officials. I sent the emails a couple of days ago, but haven’t heard anything back yet. Not to worry, I’m determined (and so should you be).

One of the things I didn’t really expect was for people to follow my lead. It was impressive to read and hear about people who took this as a call to action. They’ve been inquiring of their local governments about ransomware protections too! That’s great news! So far, more than a dozen people have told me that they have written their city and/or county government. Some are even getting good responses back.

Here’s what I’m asking you to do:

  • If you haven’t emailed your city and county government officials (inquiring about their ransomware readiness), PLEASE DO IT.
  • If you’ve emailed your city and/or county government officials, but haven’t received a response within a few days, PLEASE EMAIL AGAIN. Stay engaged until you get an answer.
  • If you’ve emailed your city and/or county government officials, and have received a response PLEASE SEND THE RESPONSE TO US. You can send it to us through the UNSECURITY Podcast email address (unsecurity@protonmail.com).
  • No matter what you do, please follow these rules:
    • DO – Always be courteous.
    • DO – Always be respectful.
    • DO – Help if you can.
    • DO – Remember the goal, we are trying to help and we are trying to prevent more occurrences of the Atlanta, Baltimore, Riviera Beach, and now Lake City ransomware events.
    • DO – Ask us questions and make suggestions (unsecurity@protonmail.com).
    • DON’T – Try to answer questions that you don’t feel (or know you’re not) qualified to answer. Email unsecurity@protonmail.com, and we’ll find a good resource/answer for you.
    • DON’T – Use threatening language or insinuate threats of any kind.

EMAIL TEMPLATE

Feel free to use this sample email template that I used or create your own.

———-START EMAIL———-

Dear <INSERT NAME>,

I’ve been a resident of <CITY/COUNTY> since <YEAR>.

I have a quick question for you.

How can you assure me and other city residents that the <CITY/COUNTY> has taken the appropriate measures to protect its systems and data from a ransomware attack?

I ask because there has been a rash of ransomware attacks on city governments recently. The most recent are the City of Baltimore (https://arstechnica.com/information-technology/2019/06/a-tale-of-two-cities-why-ransomware-will-just-get-worse/), the City of Riviera Beach (https://www.palmbeachpost.com/news/20190621/in-depth-how-riviera-beach-left-door-wide-open-for-hackers), and Lake City, Florida (https://www.cbsnews.com/news/ransomware-attack-lake-city-florida-pay-hackers-ransom-computer-systems-after-riviera-beach/). I hope we’ve planned well and will not pay a ransom (even through insurance) if/when an attack were to occur. Rather than reacting to such an occurrence, I’m hoping that our <CITY/COUNTY> has planned ahead.

Although I work in the information security field, I have no interest in selling anything. I’m just a concerned/interested citizen. If I can help, I will.

Thank you for making <CITY/COUNTY> a great place to live!

Respectfully,

-<YOURNAME>

———-END EMAIL———-

Let’s make this a way we can start fighting back against criminals who are fleecing our cities and our friends. This is only the start. Next steps come after getting responses.

Again, we are all in this together. Please be helpful, respectful, and courteous.

 

Ask Questions – Get Answers (hopefully)

Yesterday I wrote a pointed blog post about ransomware (Don’t Suck – Stop Paying Ransoms) and how it ticks me off when people pay a ransom to an attacker. This morning we recorded episode 33 of the UNSECURITY Podcast about the same subject. During the discussion with Brad on the show, I made the comment that I was going to email my local government officials to inquire about how they will avoid the same mistakes that the City of Baltimore and the City of Riviera Beach made.

Here’s the email that I wrote. I encourage you to write your local government officials too. Accountability is good for everyone.

I sent this email to my City Administrator and the County Administrator where I live.

———-START EMAIL———-

Dear <INSERT NAME>,

Hope you are well.

I’ve been a resident of <CITY/COUNTY> since <YEAR>.

I have a quick question for you. How can you assure me and other city residents that the <CITY/COUNTY> has taken the appropriate measures to protect its systems and data from a ransomware attack? I ask because there has been a rash of ransomware attacks on city governments recently. The most recent are the City of Baltimore (https://arstechnica.com/information-technology/2019/06/a-tale-of-two-cities-why-ransomware-will-just-get-worse/) and the City of Riviera Beach (https://www.palmbeachpost.com/news/20190621/in-depth-how-riviera-beach-left-door-wide-open-for-hackers). As a citizen, I hope we’ve planned well and will not pay a ransom if/when an attack were to occur. Although I work in the information security field, I have no interest in selling anything. I’m just a concerned/interested citizen, is all.

Thank you for making <CITY/COUNTY> a great place to live!

-Evan Francen

———-END EMAIL———-

I’m sharing this because I hope it will motivate you to do the same thing in your city and/or county. Please be helpful, respectful, and courteous. Once I get an answer back, I will probably offer free help. We’ll see.

Don’t Suck – STOP Paying Ransoms

So, in case you haven’t heard, we have this problem. Yeah, there’s this thing called ransomware, and it’s sort of all over the news.

    • Colorado-based NEO Urology paid a $75,000 ransom
    • Colorado-based Estes Park Health (EPH) – they had an incident response plan, but the insurance company paid the ransom. EPH paid the $10,000 insurance deductible for their ransom payment, but it’s not known how much the attacker’s ransom was.
    • Boston-based ResiDex Software – the ransomware attack was discovered on April 9th but was only disclosed this past week. ResiDex appears to have restored their systems from backup, not paying the ransom.
    • New York-based Olean Medical Group – they were hit this past week, and it appears they won’t pay the ransom. According to news reports, “Olean plans to begin setting up a new system and will work to regain the encrypted records to populate a new computer system, helped by partner healthcare providers.”
    • Seneca Nation Health System – calls their attack a “computer system failure” (the computer system wasn’t what failed, just sayin’). Not sure if there are plans to pay, but the CEO says “We are working feverishly to rebuild our system”.
    • California-based Shingle Springs Health and Wellness Center (SSHWC) – reported that their ransomware attack affects all 21,513 patients, but I don’t think they’re planning to pay the ransom. SSHWC is working to restore their systems by installing new servers and putting workstation upgrades on a “fast track”.

Then there’s this particular attack and response that caught my attention this past week.

The Riviera Beach City Council voted unanimously this week to pay the 65 bitcoin (more than $600,000) ransom.

At what point do we say enough is enough? What’s your excuse for not preparing or planning for a ransomware attack? It’s not like you don’t know that they’re a problem.

What would be your acceptable excuse for not planning for a ransomware attack?

Simple answer. There is no valid excuse. Stop looking for one and stop making sh_t up. If you’re offended, maybe that’s good. It’s the truth. You might have all sorts of excuses that you think are legitimate, but they’re all BS. You’ve run out of excuses. Regardless of being legitimate or not, here are some common ones that people try to pass off:

  1. Management support – you couldn’t get management to “buy in” and do the right thing. Sorry, not a valid excuse. Part of your job is to get management buy in, and you failed. If management has their heads so far up their @55, you should find another place to work where they will champion security. To management – get your head out of your @55, you’re not helping your company, your customers, your partners, or anyone else.
  2. Priorities – you have so much stuff on your plate, that you couldn’t get around to protecting yourself from ransomware. Hard to fathom how good information stewardship isn’t a top priority. I know you might have a thousand other things too, but ransomware protection should be near the top. If it isn’t, revisit your priorities and get to it.
  3. We don’t know how to protect ourselves – take the Ransomware Readiness Assessment that I mention at the end of this post/article or read some self-help articles online (there are hundreds of them).
  4. We have insurance – good for you. That’s probably prudent, but it will never make up for your lack of stewardship. When your insurance company pays, we all pay. Insurance companies aren’t in the business of losing money, so they’ll just jack up the rates and everyone will pay more. Simple economics, right?
  5. You need help – don’t we all? This isn’t as much of an excuse as it is an admission. It’s an excuse if you don’t do anything about it. There are hundreds of online articles full of good advice, and there are probably hundreds (if not thousands) of security professionals that would love to help. Heck, I’m not writing this article for my health. If anything, it’s probably bad for my health (you know, blood pressure and stuff).

Choices

If you get hit with ransomware, you have five choices:

  1. Take your chances by paying the ransom. This is a terrible choice (read below), but it is a choice nonetheless.
  2. Don’t pay the ransom and follow a planned and tested incident response process. Your incident response process should include investigation (looking for the source), containment, and mitigation (at a minimum).
  3. Don’t pay the ransom and struggle mightily because you didn’t plan well. Think Baltimore, Atlanta, and hundreds of other organizations that paid hundreds of thousands (or millions) of dollars in attempted recovery operations.
  4. Start over. Only differs from the previous choice because recovery efforts, in terms of data recovery, are no longer on the table.
  5. Shut down operations. Sadly, I’ve seen this more than once, and once was too many times.

There is only one good option among the five. That’s option #2, don’t pay because you can recover. You planned, you’re a good steward of the information entrusted to you (at least in this respect), and you serve your organization well.

The other four options are bad ones, but if you didn’t plan well, option #2 is off the table anyway.

The first option was the only one that considered paying the ransom, while the other four options did not. So, if you didn’t plan well, you must decide whether to pay the ransom or not.

Not paying the ransom

You either prepared well, or you didn’t.

  • If you did, then kudos to you. You’re more likely to be back up and running within a relatively short period, and your organization owes you a big debt of gratitude.
  • If you didn’t, you’re in for a doozy of a response. Get out your checkbook, because it’s probably going to get expensive. It might be so expensive, in fact, that your organization may not survive the ordeal.

The key is planning well! If you didn’t properly protect your data (air-gapped/offline backups, prudent access control, etc.), and if you didn’t plan, you’re a poor steward of the information that’s been entrusted to you. You should slap yourself (hard), update your resume, and maybe find another line of work. People have suffered and/or will suffer because of your poor choices.
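Backups only count as planning if someone has actually restored from them and checked the result. As an added example (not code from this post), here is a small Python check that records a SHA-256 manifest when an offline backup copy is taken and later verifies a restore against that manifest, flagging files that are missing or whose contents no longer match. The directory layout, file names and contents are constructed inline for the demo; in practice the manifest lives with the offline copy and the restore test runs on a schedule, not only after an incident.

```python
"""
Added example (not code from the original post): a minimal "tested backups" check.
Captures a SHA-256 manifest of an offline backup, then verifies a restored tree
against it. All sample data below is constructed in a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest captured at backup time.

    Returns {"missing": [...], "changed": [...], "ok": <count of matching files>}.
    Anything in "missing" or "changed" means the restore is not trustworthy.
    """
    missing, changed, ok = [], [], 0
    for rel, digest in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != digest:
            changed.append(rel)
        else:
            ok += 1
    return {"missing": missing, "changed": changed, "ok": ok}


def demo() -> dict:
    """Constructed scenario: back up, run a clean restore test, then verify a
    restore target where one file was overwritten and one was deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        restored = Path(tmp) / "restored"

        # Constructed sample data standing in for a small city's records.
        (live / "records").mkdir(parents=True)
        (live / "records" / "permits.csv").write_bytes(b"id,owner\n1,smith\n")
        (live / "records" / "taxes.csv").write_bytes(b"id,amount\n1,100\n")
        (live / "notes.txt").write_bytes(b"council minutes\n")

        shutil.copytree(live, backup)          # the offline copy
        manifest = build_manifest(backup)      # stored alongside the offline copy

        shutil.copytree(backup, restored)      # scheduled restore test
        clean = verify_restore(manifest, restored)

        # Simulate a restore target that was hit after the restore: one file's
        # contents replaced with random bytes (as an encryptor would do), one deleted.
        (restored / "records" / "permits.csv").write_bytes(os.urandom(32))
        (restored / "notes.txt").unlink()
        damaged = verify_restore(manifest, restored)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

A restore that passes verification is the evidence that the backup is usable; a manifest on its own proves nothing if nobody ever restores from it. Keeping the manifest with the offline copy, rather than on the network that ransomware will reach, is the point of the "air-gapped/offline" part.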

Paying the ransom

Then there are those who planned (or think they planned) and paid the ransom anyway. Take Estes Park Health (noted above) for instance: they claimed to have an “incident response program”, but paid the ransom anyway (or their insurance company did).

What’s wrong with this picture?!

Maybe they thought they had planned but didn’t, or maybe the plan just sucked. If you didn’t plan, or you didn’t plan well, you find yourself in a pickle.

We cited two examples earlier where the organization paid the ransom; Estes Park Health (EPH) and the City of Riviera Beach (FL). It appears from the news reports that one of the two might have had a choice in paying, while the other one did not appear to have a choice.

Estes Park Health (EPH) – the organization was hit by a ransomware attack on June 2nd. According to their own investigation, there was no data exfiltrated (common). The source of the attack wasn’t disclosed, but it was discovered (allegedly) when an on-call IT technician logged in from home and noticed files encrypting live, while he/she was on the system.

Sounds like just about everything was locked down; phones, network access, imaging files, etc. According to one news report, EPH had an “incident response program”, but determined at some point that “the only way to restore the software in the clinic and the only way we were able to restore the imaging and so forth is because our insurance company paid the ransom money and we were able to get the keys to unlock those files.”

No other significant details are available, like the type of ransomware used, how the ransomware got in, how much was paid, or what the “incident response program” called for. Two things are certain:

  1. The “incident response program” sucked.
  2. The criminals won.

Not only did the insurance company pay the ransom, it paid twice! A second, separate ransom was paid after EPH discovered more locked files while decrypting its systems.

Riviera Beach City Council – on June 20th, it was reported that the Riviera Beach City Council voted unanimously to award attackers more than $600,000 for the privilege of accessing their own files. Attackers had broken in three weeks prior, and at some point, locked things up. The attackers held all/most of/some of the data entrusted to the city for ransom. As in most cases, the city had been working with “security consultants”, and it was determined the only way to decrypt the information was to pay the ransom.

The attack began on May 29th, when an employee at the Riviera Beach police department opened a malicious email. Initially, the city council decided to not pay the ransom, but due to the difficulties in restoring the operations, they eventually opted to pay.

Interesting isn’t it? By proxy, it’s the police paying criminals. Supposedly, the payment is being covered by insurance, but so what?

If you pay the ransom, you suck

People don’t like to be told that they suck, because it sucks to suck. Maybe not sucking will motivate you to change some things and be better.

There are at least four reasons why paying a ransom pisses me off, and why it should piss you off too:

  1. You fund future attacks (against me and my friends). What do you think the attackers will do with the money they collect from you? They’ll take some for their own enjoyment, then they’ll funnel the rest into making their future attacks more effective. If you don’t pay, they have no money. Simple, right? If you think this is only about you, you’re selfish. Selfish people suck.
  2. It shows that you’re not a good steward. Somebody entrusted you with information, and they deserve better. The information (in most cases) isn’t yours, it belongs to someone else. If you can’t take good care of it, you shouldn’t have it. If you need it to run your business, then maybe you shouldn’t be in business.
  3. Attackers win. You might not be as competitive as I am, but you have to admit that it sucks when some jerk beats you at something. If the game was fair and you lost to a good person in a straight-up competition (like chess with a buddy), that wouldn’t be so bad. Here, you lost to a straight up jerk face and there’ll be no gentlemanly handshake at the end. You got taken and you’ll have to just suck it up (or just suck).
  4. Money that can’t be used for good. Every dollar we spend on information security is precious. Businesses are in business to make money and/or serve a mission. Money diverted from either one of these two purposes takes away from your ability to succeed. What could the City of Riviera Beach have done with the $600,000+ if it were spent on something worthwhile? Wouldn’t the taxpayers rather have a nice new community pool, better streets, a few more safety personnel, etc.? Nope.

There are more reasons why we don’t pay ransoms, see what you can come up with yourself.

Now what?

Get to work. Do what you can to protect your organization from a ransomware attack and plan for one if (when) it were to occur.

Don’t know where to start?

Try our free FISASCORE® Ransomware Readiness Assessment

There aren’t any strings attached, there isn’t any registration required, and it’s freely distributable through a Creative Commons License (so, share it too!). I whipped this thing up in early 2017 for a bank customer then forgot I had it.

Are there other obstacles in your way?

Identify the obstacles and figure out how to remove them, go around them, go under them, etc.

Need help?

Reach out to any number of us information security people. Many of us will help you, including myself.

Moral of the story is 1) prepare and plan, 2) DO NOT pay ransoms, and 3) we’re all in this together. Good luck!

Are Information Security People Arrogant?

I hate speaking in generalities, even though I do so often, but I’ve been thinking about something lately.

Are information security people arrogant?

This thought came to a head a while back while I was visiting my mother. We were talking about life, and I was sharing some of my frustration in my line of work (information security). I was telling her that it frustrates me when people can’t seem to grasp the obvious.

She replied, “You’re arrogant. Plain and simple. You actually believe that people think the same way you do?”

My reaction to being called arrogant was a childish one (in hindsight), so it’s fitting that my own mother called me out. I was offended. How dare she call me arrogant?! I’m frustrated that people can’t follow simple directions and basic logic. I’m not frustrated that they can’t figure out finite mathematics or anything!

Wait. Calm down. She’s right.

After five minutes or so of trying to defend myself against her attack (which wasn’t even an attack), I realized that I had no defense. She was right, I was being arrogant. I am arrogant. Actually, I have plenty of arrogance to go around. Not only do I have enough for myself, I have enough to share with my peers too, as we laugh together at the dumb things people do.

Thanks Mom!

Here’s the deal though, I’m not alone. Truth be told, there’s an abundance of arrogance in our industry. It seems as though some of the most esteemed information security people in our industry, or at least some of the ones in some high places, are full of arrogance.

Do we, as an industry, place a premium on being arrogant and full of ourselves? Good question. Scary thought, but I think there’s some truth here.

What is Arrogance?

Before I just start throwing words and accusations around any more than I already have, I should make sure I’m using them correctly. God knows, in our society we like to call people names and attach labels, regardless of accuracy or true meaning.

Let’s go to the dictionary and see.

The dictionary definition of arrogance: an attitude of superiority manifested in an overbearing manner or in presumptuous claims or assumptions.

Yep, I think I’m using the right word. Do you know of any information security people who have an attitude of superiority? Do you have an attitude of superiority, especially when referring to less skilled information security people or non-information security people (“normal people”)?

Is it manifested in any of these ways?

  • An overbearing manner
  • In presumptuous claims
  • In assumptions

If you’re honest, you can probably think of times when you’ve been arrogant. How often you are arrogant is another question. It’s something we all need to keep in check. We can all stand a little more introspection, like looking at ourselves in the mirror.

Common examples of arrogance

Here are five examples of arrogance that I’ve either been a part of or heard in the last week alone:

  • Believing that you know what someone else thinks without asking.
  • Getting frustrated when someone else doesn’t understand what you’re saying, and maybe even believing that they’re less intelligent.
  • Telling someone what they think.
  • Griping about some “stupid” thing someone else did.
  • Calling or thinking someone is “stupid” for doing something that seems obvious to you.

None of these thoughts or actions are productive in our mission; making information security better (I hope).

Not All and Not Always

The downside in speaking or writing in generalities is the fact that I lump everyone together, even though I know there are exceptions.

  • Not all information security people are arrogant, but too many are.
  • Not all highly esteemed information security people (industry influencers) are arrogant, but some are.
  • Even the arrogant information security people are rarely arrogant all the time.

I won’t call out the industry influencers that I think are arrogant. That wouldn’t help the cause at all.

I will call out some of the more humble and less arrogant people in our industry. These are information security industry leaders that I respect, and that I feel are more humble and modest. This is based on my observations, and you may know them differently than I do.

Here are (only) ten of my favorites (in no particular order) along with links to their Twitter feeds if you want to follow:

  1. Richard Bejtlich @taosecurity
  2. Aloria @aloria
  3. Tony Cole @NoHackn
  4. Roger Grimes @rogeragrimes
  5. Jane Frankland @JaneFrankland
  6. Dave Kennedy @HackingDave
  7. Dejan Kosutic @Dejan_Kosutic
  8. Chris Roberts @Sidragon1
  9. Eleanor Dallaway @InfosecEditor
  10. Mikko Hypponen @mikko

NOTE: This list is based on opinion. My opinion. Not fact, but my opinion. I stated that this is my opinion three times (now four) because you are welcome to disagree with me! If you’d like to add to my list, please do!

There are many, many more that can be added to this list, but back to our problem, assuming there is one.

Humble Yourself

Arrogance is bad, and there’s no place for it in our industry. When we see it in others, we should respectfully call it out. When we see it in ourselves, we should change our attitude. If we can’t change our attitude, maybe we should get some help.

Are you honest with yourself? Ask yourself the question, “Am I arrogant?” Get in the habit of doing this regularly, and things will certainly go better for you and those around you.

That’s all for now. Thanks!