
Ransomware, Phishing and Fraud With Bryce Austin

“Every time we buy an insecure device, we're buying a candle. And that candle has the potential to burn your or someone else's house down.” - Bryce Austin

Cybersecurity isn't just a concern for large corporations; it is vital for businesses of all sizes. Companies need to know how to protect sensitive data, restore from backups, and regularly test their systems with internal pen tests. Today's guest is Bryce Austin. Bryce is the CEO of TCE Strategy, a cybersecurity advisory firm that provides vulnerability scans, penetration tests, fractional CISO services, and incident response services. He is also a professional speaker on ransomware. Bryce is the fractional CISO to many companies, including one on the S&P 500.

We talk about the key aspects of cybersecurity for businesses, and how to be proactive with patching, training and strong password management. He shares his experiences with major cyber incidents including ransomware, phishing and the Target breach, and why defense in depth, backups and financial controls are key. Bryce also recommends password managers, regular vulnerability scanning and external monitoring to increase cyber resilience. We share practical tips for all businesses to protect against ever-changing cyber threats.

“Ransomware attacks are often a months-long process. They involve recon, elevation of privileges, and taking out backups. If your defenses aren’t in place, it becomes a race against time.” - Bryce Austin

Show Notes:

“How do we get 90% of the way there? 99% of the way there? We need proactive measures, detective strategies, and break-glass solutions.” - Bryce Austin

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Bryce, thank you so much for coming on the Easy Prey Podcast today.

I appreciate the opportunity, Chris.

Can you give myself and the audience a little bit of background about who you are and what you do?

Absolutely. I started a company called TCE Strategy back in 2016, which stands for Technology and Cybersecurity Education. We try to keep our clients one step ahead of real-world cybercriminal risks so that they do not end up in the headlines in a negative way about something bad that happened to their company because of cybercriminals.

That’s really concise.

Of course there’s a lot more to it than that. There is a bit of a backstory here. My degree is in chemistry; I thought I was going to be a PhD chemist. Two years of grad school cured me of that notion. I had always been in technology for fun.

I used to sell computers at Best Buy. I hacked into my high school’s computer system. I don’t even know if you call it a network at that point, but I remember when I finally got in, all of us students had blue screen backgrounds and the teacher had a red screen. When I guessed the computer teacher’s password and my screen turned red, I thought, “I’m getting expelled.” I think I was able to log out in time, which is good, but that’s a separate story.

I got into technology after dropping out of grad school and took a liking to it. I ended up in the payroll space, which is rife with cybersecurity concerns. You think about what payroll does: it takes a big pot of a company’s money and moves it into a bunch of little pots. Your employees, your taxes, their 401(k), their healthcare savings, on and on and on. What a wonderful place for a cybercriminal to hide.

Find one of our clients that works with a thousand employees. Make up a janitor. See if anyone notices. Wait till one of our law firms runs their quarterly bonus run for eight gazillion dollars, change all the ACH numbers to your bank account and never be seen again. These were not hypothetical issues we were dealing with back in 2001.

From 2001–2004, I pushed a lot more cybersecurity with the small company I was with. Then we got bought by Wells Fargo. We got big. We got really big really fast. I thought I was working myself out of a job, but in 2007 they named me CIO of the line of business, so sometimes things work out.

Wells was very, very strict when it came to cybersecurity. They were a bank and they had ATMs in the 80s when people were hopping up telephone poles, putting on butt sets, and figuring out how to talk to the ATM to release money. They had a long history at this.

They wanted us regulated one step down from a nuclear missile silo, and that wasn’t compatible with the payroll space at the time. They wanted every client to have multi-factor authentication regardless of size. A great idea, but in the mid-2000s completely incompatible with what customers would accept.

From 2004–2012, I ended up pushing back on corporate, probably 75% of the time when they wanted cybersecurity this or that, saying it doesn’t make sense for our scenario and here’s why. And the other 25% of the time, mama Wells had a good point and I needed to convince the CEO of my line of business that we needed to do this and find the money.

What an amazing stomping ground and amazing training area to later on start my own cybersecurity company. The reason I did it is because I was at Target in 2013 and 2014 when we lost 40 million credit cards. I was not in cybersecurity at the time. I was running the technology programs that would touch the stores themselves, things that would change the team member experience and the customer experience.

Some things were mundane. Scales in the deli, new wifi systems, but some things were front and center to the future of retail, like buy online at target.com, pick up in a store. How do you do that? How do you integrate the systems to make all that work?

Well, one of my teams was running that and it was fascinating. It was great. We launched it on black Thursday 2013, and it was successful. It was exciting and it worked. At the same time, cybercriminals that penetrated the point of sale system—likely before I ever started—flipped a switch and began exfiltrating credit cards, millions per day out of our system, and we didn’t know.

When the FBI and the Secret Service came knocking on the door, then we knew. A couple of days after that, when Brian Krebs broke the story to the world, everybody knew. I actually had a chance to meet him at a conference several years ago where we were both speaking. He talked about how he toiled in obscurity as a journalist until he broke the Target story and then his world exploded. Funny. Mine too, Chris. I could relate to that very directly about worlds exploding.

My family went from bonus checks to unemployment checks, and it was a life-changing experience. What happens is when something like that hits you and you didn’t expect it coming, you batten down the hatches and you eliminate all financial spend that you can. You see how long a runway you have—mine was not huge—and you ask for assistance.

I’m grateful to say the government has a lot of it. It’s hard to talk about, but I think it’s important for people to understand that cybersecurity is real. It doesn’t exist in an ivory tower. We live in a patriarchal society, so men are supposed to take care of themselves, but in Minnesota, we have what most people call food stamps, or it’s called WIC—women, infants, and children—because men don’t need that kind of help.

My wife and my two-year-old—she was pregnant with number three at the time—all qualified, so three of us did. But in order to get on food stamps—it runs through the Department of Agriculture, if you can believe that—what they do is they want to prove the efficacy of their program. So if you’re under five or are pregnant or a nursing mother, then they want to do blood draws to look at your hemoglobin rate and what have you, and to prove that nourishing young children with healthy food leads them to have much more productive lives and be better members of society, which I fully believe in. But my kids were perfectly healthy. I was simply unemployed.

What the Department of Agriculture demands you do is to take blood draws. For my wife, that’s inconvenient, but she’s a grown woman. But when you do that with a two-year-old and you see them pull blood out of their body because daddy doesn’t have a job, it changes you. It changes you. I was angry. I was upset and I was hurt, and I decided to do something about it. I wanted to help other people not fall victim to what my family had because some cybercriminals halfway around the world thought they could make a quick buck.

That’s how I started the company. We do a lot of things. We do incident response, and I’m sure we’ll be talking about some of that because that’s exciting. But we do general cybersecurity assessments from the public sector to the private. We recently did a water district down in Florida. I can’t say which one, but it was interesting.

We do internal and external penetration tests. We do fractional Chief Information Security Officer services. Essentially, if your company had a part-time accountant or attorney, well we do that but as head of cybersecurity. We do vulnerability scans, both internal and external. We do incident response, and I do some professional speaking on behalf of the company at conferences all around the world.

Fun.

It is a good time.

How long have you been doing public speaking?

I started in 2011. Wells was actually pretty open to it. They had to be very careful with what I was allowed to and not to say, so I had to go through a lot of layers, but they would let me do it, which I appreciated.

I went to Target. Now Target was a great company to work for. I have nothing bad to say about them. They have a billion-dollar marketing budget. I’ll tell you, when I asked could I public speak, it was like talking to the hand. It was like, “Sit down computer boy. This isn’t what you do.” So that was the end of that.

But then in 2014 after that ended, I picked it up in more earnest. I’m now a member of the National Speakers Association, and have spoken in 35 or 40 US states, in Greece, China, and Tokyo. It’s been a lot of fun.

Cool. I want to ask you the question that I prepared you for, and I ask a lot of my other guests, particularly those in the cyberspace and the counter-fraud and counter-scam space. Have you ever been a victim of a cybersecurity incident? Scam? Fraud? Personally.

Yes and no. Indirectly of course I was, from Target, but that isn’t personal. What I will say is this: a number of my clients have either me or someone on my team on one of their email addresses, because we’re negotiating with vendors on their behalf, because it makes things more simple.

Well, my clients who are willing run simulated phishing emails. They do it hopefully on a monthly basis; that’s what I recommend. But a couple of them started letting me know, and it occurred to me that isn’t fair. If anything, I’m a high-value target as a fractional CISO, so don’t tell me.

I have had two times in the last eight years where I absolutely 100% did click the link. If any of you are familiar with the Pwn2Own contest, the whole point of that contest is all you have to get your victim to do is click a link, and then you get five minutes to try to backhack their device. Well, I failed it twice.

I wouldn’t say that that was a personal cyber attack necessarily, but when you’re in this space, it does show the importance of defense in depth. Because if I can fall for it, anybody can.

Other than that, I’ve had a number of times where my credit cards have been compromised. Thankfully, that’s only inconvenient; it isn’t the end of the world. I did have one person send me an email in 2018, the first time I ever got really spearphished.

It said, “My name is professor so-and-so out of the University of London. We have this big conference coming up. Our keynoter just dropped out. Would you please fill in?” It sounded a little too good to be true because it said, “We will pay for you and your spouse if she’s interested to come over; happy to pay your full speaking fee. Please let us know.”

Well first, in the academic world, that’s not how life works. No one pays your full speaking fee; you’re lucky to get half. But there were some little things that I think the AI world would have caught. First, it ended with “blessings to you” on the email. Now there’s nothing wrong with that, but out of a university that context is unusual. I should have seen Professor so-and-so, he, him, his. See, that follows the context. So that was a red flag. And it came from a Gmail account.

Now the Gmail account looked legitimate—I have a Gmail account—but I would’ve expected it to be a .edu. I asked my team to find the guy’s real account. The professor was real, found the real account, and emailed him. The whole thing was a scam. Someone had targeted cybersecurity speakers with this scam. I got close to falling for it. I keep trying to think how was he going to monetize it.

That was going to be my question. Clearly there was spearphishing, but what were they going to try to get you to do?

First, my thought is, normally when you do these kinds of gigs, it’s half down, half when you arrive. When you do international gigs, they tend to send you money via the SWIFT system. I’m guessing he would’ve wanted a bank account, then worked with a corrupt bank to suck money out as opposed to putting it in. That’s one option.

A second could have been blackmail. Could have been I fell for it. He got me, and then said, “Well, here are the list of your clients because some of them are on your website, and here are the list of their executives because I found them on LinkedIn. Either you pay us $10,000 or in 24 hours, an email’s going to go to all these people about just what a fraud you are.”

There are a couple of angles they could have taken, but what I will say is that given the fact that I was spearphished in 2018, I don’t have delusions of grandeur. I’m not Bruce Schneier who’s testified in front of Congress. And the fact that someone took the time to do something that targeted, if it can happen to me, it can happen to you.

That’s crazy that they would target you on the speaking gig side. That, to me, seems relatively benign, unusual, and maybe that’s the whole reason why something like that works. If they had gone after your accountant, that’s normal, that’s expected, that’s planned for. But a fake speaking gig is not high on the list of…

No, and that’s fair. I think we have a lot of very bright people with either very jaded pasts or very challenging moral compasses to understand. If only we could get them to use their abilities for the brighter side of the force. But I think the number of folks looking for a creative scam, almost as a pastime, as a means of monetary gain but also of entertainment, it becomes a hobby. I think that’s how you get those esoteric sorts of hits where someone is very specifically targeted in a very odd niche, and normally you don’t see it coming.

They’re like, “Hey, I wonder if I could get this person to click on a link.”

Absolutely.

In terms of incident response, what is incident response and how does it normally go down?

Incident response is when something bad has happened from a cyber criminal standpoint and damage of some sort has occurred that is typically either a direct financial loss, wire fraud transfer, fake invoice, that kind of thing. A loss of sensitive data. You’ve had data exfiltration of some sort, and my company’s worked a number of those.

Or a ransomware attack, which could also have exfiltration of data. Most of them nowadays do, but the definition of a ransomware attack is someone gets into your company, and even if you don’t have any data they can easily monetize, like credit card numbers, or healthcare data, or what have you…

Well, you have a lot of data that’s important to you. Let’s put it on a personal level. I lost my grandmother a few years ago and I have some pictures of her a few weeks before she passed. If someone took those from me, I would have a deep loss.

Well, companies have that too. Some individuals, they have data that isn’t sellable, but boy, they really want it, either for emotional reasons or, for that company, because they need it to be able to do business. Like, who ordered what parts from them that they need to deliver, if you’re some sort of manufacturing company.

Well, a bad guy will get into your network and will encrypt the data. What encryption means is you take the data and you essentially turn it into gibberish. And unless you have the magic decoder ring, you don’t know how to get it back. Because of a lot of fancy math that people like Bruce Schneier know and I just nod my head, you can’t get it back without that decoder ring, unless they have done something wrong in how they encrypted the data. So that’s a ransomware attack.

How do they start? Well, there are a couple of common attack vectors. The biggest wire fraud that my company worked on was heavy into six figures. It was against a client who had rented a big, big area at a hotel.

The head of marketing was running it; that’s common. This is a publicly traded company. They didn’t run it through the accounts payable department. The person that was running the marketing deal got an email from the hotel, legitimately from the hotel, saying, “Please pay us, and here’s the account,” and so on and so forth.

Well, the hotel’s email had been hacked, unbeknownst to my client. There was a bad guy listening in on the finance person at the hotel. What happened is the bad guy realized that there was a bunch of money about to change hands. So any email the real person at the hotel sent, didn’t really go out.

It went to the bad guy who could then hit the forward on as usual button, or the, hold up, hold up just a second. We’re going to do some fancy footwork because the bad guy had control of the email account. It was legitimately that account. It just wasn’t the guy who should have been driving the car, who was driving the car.

What he did is he changed the bank account information on the email as to where it was supposed to go. My client never picked up the phone to validate it was accurate, and they sent hundreds of thousands of dollars to the wrong account. Then a few weeks later when the hotel called and said, “Where’s our money?,” my client said, “What are you talking about? You paid us 17 days ago.” Well, the money was long, long, long gone. That’s often how these things happen from a wire fraud standpoint.

From a ransomware standpoint, the most common infiltration is someone falling for a phishing scam. Someone who either has local admin rights to their computer because too many people do, or someone that is in the IT team, or someone that has a computer that hasn’t been properly patched. There are vulnerabilities where any user could elevate themselves to be an administrator.

They get a bad link in an email, or they get a malicious attachment that gets through the filters, and they open that attachment, or they click that bad link, and then a bad guy has their hooks into a computer. At that point, it becomes a race against time.

How quickly can the bad guy elevate themselves to be either a local administrator or even better, a domain administrator, which means they can control all the computers at the company, and then it’s pretty easy to start a ransomware attack? Versus how quickly can the IT team at that company detect that something bad has happened here. “Our antivirus is yelling about folks trying to move laterally.”

We may have systems called SIEM solutions (Security Information and Event Management), and they should have alarm bells start going off about this. But if you don’t detect it in time, the bad guys will do a number of things in very specific order.

First, they will try to elevate privileges. Then they will try to enumerate your network to understand how it works—where your servers are, your workstations, where your data is, what your large applications are, all that good stuff. Then they will look at your backups. How do the backups work? Where do they go?

They will then take out the backups, preferably very quietly. They’ll just stop the jobs, and then they will delete the data stores that have that backed up data on them, and then do a secure wipe over it. As soon as they know you have no backups, then they run that encryption software that lights up all of your data and turns it into hamburger until you pay up.

How quickly can they do that process?

I’ve heard of it in as little as 20 hours. That is extremely unusual, Chris. Normally, this is a months-long thing in my experience.

It’s the sort of thing where they’ll do lots of groundwork and then execute things in batches in the middle of the night when no one’s looking?

That’s a lot of it. I don’t know when this is going to run, but we are recording this shortly after the holidays, and my biggest Christmas gift was none of my clients got hacked over Christmas or New Year’s because yes, they will do a lot of recon and they will spring their trap at 2:00 AM Saturday morning. Or at midnight Christmas Eve. Or when they know you are on a skeleton crew. That’s exactly right.

The biggest one that my company worked on had an initial ransom demand of over $8 million. They had us good. We ended up having to pay over a million dollars. That hurt because it was almost certainly Russian organized crime. Advising a client to indirectly put bullets in Putin’s gun was one of the hardest professional things I ever had to do. But we had 800 jobs on the line and I didn’t see another way out, and we did what we had to do.

But the way that that one went down was very interesting. First, it wasn’t a phish, what I said normally happens. This one, they had a Microsoft email server, an Exchange server facing the Internet. They had not yet gone to O365. Running your own Exchange server is a really bad idea. It’s like trying to distill your own gasoline. You need to leave that to the big boys. Don’t do it yourself.

There was a nasty patch that came out in July 2021 for Exchange servers. Well, as soon as a patch comes out, it’s often easy to deconstruct that patch and see what it does.

“Here’s what we fixed, everybody. Here’s what’s broken.”

It’s a beacon. If we were in Humvees in Iraq, and you’ve got a row of 10 of them, and 3 of them have a big welded plate on some spot of the Humvee, well if I’m a bad guy, I’m going to try to find a Humvee without that plate and that’s where I’m going to shoot. As soon as the patch comes out, you can reverse engineer it and see what it did.

In August of 2021, a bad guy found the unpatched server, compromised it, installed a persistence tool called Cobalt Strike, and then he patched it. The bad guy patched the server to close the barn doors behind him, so no other cyber criminal will get in.

Then what we think happened is whoever did that sold it to a different cyber criminal group that does the enumeration of the network, that looks to see how juicy a target this is. Then they may have sold it to yet one more that did the actual ransomware attack. It was a seven-month process, start to finish.

If we had been looking hard at the antivirus tools and such for about three weeks before it went down, it was blatantly obvious something was wrong. We didn’t have a service that was monitoring antivirus 24/7 that would pick up the phone and say, “Houston, we have a problem.” That’s one of the things that my company advocates for. Having antivirus is great as long as someone’s looking. Hiring a third party to do that is one of the important pieces of defense in depth.

I know the US government has talked about the possibility of making ransomware payments illegal, because whoever the money’s going to, you’re giving money to criminals in one shape or form, whether it’s the proverbial kid in a hoodie in his mom’s basement in Nebraska, or if it’s Russian organized crime, which is probably much more likely these days. What are your thoughts if that million-dollar payment actually became illegal? Because then you have a million dollars or 800 jobs.

I think it’s impractical. We have a lot of laws on the books now that try to incent good behavior. But there are a couple of issues here, Chris.

First, laws do not change behavior. I want to say that categorically. A law itself does not change behavior. A law plus enforcement of the law, plus adequate penalties for breaking the law, those three things in combination will change behavior, but it takes all three.

We can’t have legislators write on a piece of paper, “Well, it’s illegal for you to do this and the problem’s going to go away.” That will not work. There has to be significant money spent to enforce that law.

My opinion is that if we took that money trying to enforce the law of no ransomware, and instead pivoted it towards: we can’t be selling internet-connected devices that come with a default username of user and password of password. We can’t sell devices going to the Internet that have an out-of-date operating system with known vulnerabilities and no way to patch them. Currently those things are legal.

We are living in the same world that we were 100 years ago when radiation was becoming a thing and we were understanding it, and people were selling elixir of radium. To sell everything and fix everything from gout, to goiter, to constipation, to restoration, to the marital impulse. Except it was poisoned and it was killing you. It just looked good in the bottle.

Well, our internet-connected world has some bright spots. I don’t want to say everything you buy is inherently insecure because that isn’t true. But there are a number of things out there that are genuinely destructive because when you hook them up to the Internet, a couple of things are happening.

First, you have broken down every geographic border on the planet. The whole world is dancing on the head of a pin in cyberspace, and you don’t have laws of the US to protect you. The defense becomes more one of your problems as opposed to something the government can help with the way they do with automotive safety or aircraft safety or what have you. That’s the first big issue that comes with that.

The second one is a little more nuanced. When we buy these devices, we do it with the thought that they are going to serve a certain purpose, and that’s the only purpose that they can do.

In the world of computers, that isn’t the case. A computer does whatever someone can trick it into doing. They are completely morally agnostic. We’re buying these devices and we’re thinking, “Well, this is designed just to turn my lights on and off when I use an app from my phone.” They don’t realize that what it could do is be programmed to send a tremendous amount of traffic over the Internet to one specific target, and render it completely non-functioning.

What happened to the eastern seaboard of the US in 2016 was something called the Dyn DNS attack, where 100,000 security cameras, just standard video cameras with username of admin and password of password, ganged up on this part of the world wide web called DNS or domain name resolution, and they took out a company called Dyn that ran that.

Unless you had secondary DNS servers for your website, like Google or Amazon or Yahoo, or any of the big ones, you couldn’t get to those sites. That was because people bought these insecure products that they thought were just a security camera. No, they’re not. Every time we buy one of these, we’re buying a candle. That candle has the potential to burn your or someone else’s house down.

To get back to your original question, I think the thought of making ransomware payments illegal sounds great on paper. Completely and totally impractical.

If we look at history, governments have two fundamental flaws with cybersecurity right now, in my opinion. First, they don’t follow it as strongly as they should. The Office of Personnel Management breach in 2015 against the US Government’s HR department was a stunning example of it. We lost five million people’s fingerprints that were kept in our unencrypted database. It’s hard to issue people new fingerprints.

In my opinion, that was a loss of life event because there were people that were covert spies likely in that database. If a foreign government got a hold of that list, there are probably people that aren’t here anymore as a result of it. People making laws that don’t apply to them, I have a real problem with. I think that’s one part of the issue.

The second part is that when it comes down to the real-world practicality of a given law, when you’re in a desperate situation, you have to do things that are the least risky, and often a very risky thing is the least risky thing that you can do.

The example I love to use on stage is if one of my kids had a bad accident. I know the hospital is 10 minutes away, I know how to get there, I have a working vehicle, and I think the kid is in a spot where they could apply direct pressure to whatever had happened.

Would I break every possible traffic law and still try to be safe? If the light’s red, well, if no one’s coming, I’m going and I’m going to save my child. And if someone was to question me, or even if I had a ticket, so be it. I was in a situation, I made the best move I could at the time, and I did defend my position.

Well, when you’ve got 800 people who are working for a company or you give $1 million to cyber criminals, you can’t legislate your way out of that. Until we have a world government, which I do not see happening in my lifetime, the only way that you can legislate your way out of that is to ensure that the world is playing by roughly the same rules. And we have an abysmal track record doing that.

That’s not going to happen. If that’s the outcome, once you paid the ransom, how quickly did they actually—and this is the weird thing—is how ethical were the hackers to actually give you the key? They have a reputation to maintain. “We’re the mean hackers.” But they also realized that, “If we never give anyone the key, we’re never going to get the money.”

It is an interesting issue. About two-thirds of the time you do get a decryption key. I have yet to run into a spot where you gave them the money, they gave you a decryption key, but then they said, “Well, we have a copy of your data, and we want more money.”

Now that has happened. It happened very famously in the Change Healthcare breach just last year. But I have yet to run into that. You already alluded to it, Chris. Believe it or not, the criminals have a reputation to uphold. Most of the time, you do get a decryption key. Most of the time, it works, but there are edge cases.

I worked at an event, it’s been a number of years now, but what happens when you encrypt data, when you make it turn into gibberish, like I said, you’re making it more random. If you have a program on your hard drive that’s designed to compress data or deduplicate data, well you’ve broken the ability for those programs to work. Which is a mathematical way of saying your data’s going to bloat, it’s going to get a lot bigger.

One of the recommendations I give to my clients is to make sure they have at least 35% free drive space on every important drive share. Because if they suffer a ransomware attack and the data gets bigger, even though mathematically it shouldn’t, in practicality, it does. If they end up filling a drive, and if the encryption keeps on going, because that’s exactly what it’s going to do, anything after the drive is full is now unrecoverable forever because it never finished writing.

I have yet to work on a ransomware case where we got back 100% of the data. Normally, it’s 60%–80% you get back and the rest of it is lost to either full drives or just odd errors. Cyber criminals aren’t known for their strong beta testing to make sure that in this version of Windows and this version of Linux and this type of hard drive and so on and so forth…

Criminals have bad QA?

You are the QA department and the victim all in one. Aren’t you a nice guy? So you don’t get it all back. If you’re lucky, you get around 80%. But the cases that we’ve worked, I have yet to have one where we have been stiffed, where they just took the money and ran.

Ironically, we’ve worked ransomware cases as small as $490. That one was amazing. Came out of China and we picked it up. It was about a $2 million company. They said, “What do we do?” And I said, “You pay for it.”

They said, “But aren’t we propagating the issue and this and that?” And I said, “No. I’m by the hour and emergency services rate, so I’ll talk about it as long as you want, but they don’t know. They should be asking you for $49,000, not $490, because you’re a $2 million company. You pay it; you hope to God it works. Then we’re going to talk about how to keep it from happening again. But this is a new outfit. They don’t understand how the game is played, and you got lucky.” That was our smallest, and the biggest was the one where the initial demand was $8 million.

So if we have time, we’ll do two things. What are the preventative things that people can do? You and I talked a little bit beforehand. We know that when it comes to cybersecurity, there is no such thing as 100%. Unless you live in a cave and you’re living with rocks and matches, which none of us want to do. Well, OK, 99% of us don’t want to. There’s a small percentage who want to go back to that. How do we manage in a way that’s practical? Perfect security is immensely expensive. How do we get good-enough security? How do we get 90% of the way there, 99% of the way there?

We need some proactive, we need some detective, and we need some break-glass solutions.

The proactive. I’m a giant fan of cybersecurity awareness training. Many companies don’t have it because we get emails from all over the world, and some of them look very good and very convincing. As I said, I’ve fallen for a couple of them myself that my clients had put out. We need strong cybersecurity awareness training, and that is a huge step forward.

We need diligent patching. Regrettably, these applications we put on our computers have new vulnerabilities found all the time. If we don’t have a good, diligent patching program, especially of our externally facing systems, and after that, of any system that may realistically get an attachment from an email—so a PDF or a Word doc or what have you. Patching of those is imperative along with your Windows and Linux operating systems. Those are the important, I’ll say, proactive steps.

More ongoing. Passwords stink. We’re working on pass phrases and passkeys, and I think passkeys may get somewhere long-term, but we’re stuck with passwords. People are using the same passwords everywhere. It’s a real problem.

I’m not a fan of required password changes unless there’s an indicator of compromise. But I am a fan of having your company do a dark web scan looking for anytime one of your email accounts showed up in a former breach, seeing what the password was, the passwords were harvested, then making sure that password doesn’t exist anywhere on your network. Then to go back to the awareness training, we need to have people using different passwords for different things.

There are too many systems for a human to do that. I’ve got over 700 passwords in my password store. You need a password keeper, which is scary to some people because what if the password keeper gets hacked? Reasonable concern.

You’ve got to serve somebody. It’s like that country song, You Gotta Serve Somebody. I like companies that specialize in password keepers because if they have a bad breach, they’re probably out of business, which means they care as much as you do about keeping your password secure. We’ve got to have a password keeper. That is very big.

From a break-glass standpoint, having immutable offline backups. A lot of companies will sell you immutable backups. If they will sell you immutable backups and a guarantee that if their backups don’t work, they are liable for any damages you incur, then maybe they’re immutable. But no one’s going to sell you that.

So you need offline backups in a drawer. They’re a pain in the rear end. It is challenging to do them for cloud-based services, but it can be done. I have a number of clients that once a month are hooking up a device to their network, backing up everything they care about, removing it from the network and then taking it somewhere else.

My good clients have three of them. They have one plugged into the network. They have one unplugged from the network, but in the same room for cyber defense. Then they have one that they’ve taken off site for physical defense, in case the whole place burns.

I think those are some of the big areas. We could spend hours on the things that you should be doing to stop ransomware or cyber attacks in general. The only other thing I’d be remiss to bring up, even though it’s not ransomware, is when it comes to moving money around.

You want to be the most irritable, pain in the rear end, have to follow every process and procedure. No one wants to work with you. You take the grumpiest but competent person that you’ve got and put them in charge of moving your money. That person really needs unique passwords because if their email gets hacked, that’s a really bad day. I’ve worked breaches where that happened.

I am a firm believer of all of those. I have tried and not been as good about it, particularly this is mid-January. California has had some really nasty fires, and the concept of geographically diverse backups springs into my mind.

It’s absolutely horrible if your house burns down because you lost the original. You lost the backup in your desk. But if you kept the backup at the community bank three corners down and it burned down as well, you don’t have a backup there anymore.

I do have a geographically diverse backup that I send off to someone on the other side of the country. I don’t do it frequently enough for it to be super effective.

Well, but it’s at least […] resort. It beats nothing. Just make sure it’s encrypted.

I have to double-check on that.

It’s important. I was at a big company that I won’t name because I have named them earlier, that lost a drive in transit using a big shipper, like UPS or FedEx or DHL; I don’t want to name which one. The server just disappeared into the ether, never to be seen again.

Well, it had a million user accounts on it, and it wasn’t encrypted at rest. The company ended up having to divulge this had happened and pay for two years of identity theft and so on.

The CEO of the company went to his directs and they said, “I’m looking for a piece of paper that explains why this happened, that explains how it’s never going to happen again, and that has a signed letter of resignation from you, because if it does ever happen in your area, I’m going to invoke it.” And frankly, given how easy it is to fix that problem, to simply encrypt the data at rest before you move it, I thought he was reasonable. I thought that was a fair thing to say that we are a big enough company to where we just need to care enough.

It’s back to those laws don’t change behavior. Well, he made a rule, but the enforcement of the rule was going to happen on its own because it’s only invoked when something bad happens. But the penalty was you lost your career. Well, that would make me care.

It forces you to. I also agree with having a grumpy person in charge of dealing with the finances. Because I’ve been doing this long enough, I have a contractor who’s out of the country who does a very specific small amount of work for me in the scope of my business and a really small amount of money.

But I got an email saying, “Hey, we need to change the bank account.” All of my red flags go up and it’s like, “OK, I need to go through this. I can’t respond to the email because I have to assume the email’s compromised. I’ve got to call this person. Well, they’re halfway around the world, so I’ve got to make this phone call at 2:00 AM my time, all over a very small….”

If I had given the scammer $50, irrelevant. But I’ve got to practice what I preach. I’ve got to go jump through all these hoops. They were like, “Oh, I totally understand that.” But it was funny just to do it over such a small amount of money.

Well, you absolutely do have to jump through the hoops, Chris. Sometimes, those small amounts of money lead to much bigger ones, so understanding the root cause as to what happened…. Was their email hacked? Was your email hacked? Are they using an insecure computer? So it wasn’t the email itself, someone had a keyboard logger, who knows how that went down? But figuring out what the root cause was to see if you can keep doing business with it again is a very important piece of the puzzle.

I’m a little jokingly saying an infinitesimal amount of money to my business, but not a small amount of money to them. If their computer was hacked and they didn’t get their paycheck, that’s significant to them and their worldview in the same way that what happened to Target was relevant to…

Me.

It’s very relevant to you, to the whole corporation. Yeah, a pretty big bump in the road, but not one that’s going to shut down Target. But it ended your career and lots of other people’s.

Well said. Yes it did.

We’re bumping up against the time limit here, so I want to be sensitive to that. If people want to find you online, where can they find you?

Thank you for offering. I am available at bryce@bryceaustin.com. You can find out more about the company at tcestrategy.com or bryceaustin.com. My direct number for those of us nice enough to listen to the podcast is (612) 730-9897.

And if people want to learn more about ransomware and what they could do for their companies, do you have resources on that?

Absolutely. We put out a monthly newsletter with best practices on cybersecurity and what’s going on in the news. We’ve got a number of articles that I’ll say are cybersecurity 101-type articles on the website, tcestrategy.com. It’s a great place to begin understanding the blocking and tackling of cybersecurity. Then if need be, we can help you relate it to your company or your situation.

Awesome. Bryce, thank you so much for coming on the podcast today.

Thank you for having me, Chris. I appreciate it.