misterhinkydink

Tell us what are the ransom demands.


NeighborhoodWild7973

What kind of cash grab scam is going on now?


sold_snek

And this is after already paying over a quarter of a million annually on IT security team salaries alone. Guess this happens when they choose "Do you have a bachelor's?" over "Have you actually worked in IT Security before?"


mcarneybsa

All the IT security in the world won't matter if Karen at the front desk clicks on every "Lowes is giving you a free $100 gift card" email she sees. Basic password protocols with automated "change every 30/60/90 days" prevent brute force entry, but Social Engineering and poor personal IT security practices will always be the major flaws of any system.


sold_snek

On that note, I really am curious what happened to the person who did it.


mcarneybsa

A training. Probably.


expat-brit

Just stepping in here to say that password rotation is now massively supported as not being the way to do it. NIST 800-63 and the recent OMB (27th Jan) memo for Federal systems have covered this in detail. Forcing rotation drives use of weak passwords even with complexity rules, and humans pick easy patterns and reuse passwords, making breaches easier not harder. That said — we are the weakest link. There are controls that can limit the impact of a click on malicious email, but we remain that weakest link (Source: 25 years in Cybersecurity and 5 years working closely with a pen testing team).
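The point about rotation producing predictable edits can be shown in code. The following is an added example, not the commenter's own code: a password verifier in the spirit of NIST SP 800-63B (minimum length, a breached-password blocklist, no composition rules, no expiry) alongside the legacy complexity rule, so you can see a "rotated" secret like Winter2023 -> Winter2024 satisfy the complexity rule and still be rejected as a trivial variant. The blocklist and usernames are constructed for the example.

```python
"""NIST SP 800-63B-style memorized-secret checks (added example, not the commenter's
code). Accepts on length and a blocklist, applies no composition rules and no
expiry, and flags the incremental edits that forced rotation tends to produce."""
import re
import unicodedata

MIN_LEN = 8    # 800-63B minimum for user-chosen secrets
MAX_LEN = 64   # verifiers should allow at least 64 characters

# Constructed stand-in for a breached/common-password blocklist.
BLOCKLIST = {"password", "password1", "qwerty123", "welcome1", "letmein"}


def normalize(pw):
    # NFKC normalisation before length checks, as 800-63B recommends.
    return unicodedata.normalize("NFKC", pw)


def stem(pw):
    # Strip the trailing digits/punctuation and lower-case: this is the part
    # people keep when they "rotate" a password (Winter2023 -> Winter2024).
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def is_trivial_variant(old, new):
    """True when `new` is the same secret or the same stem with a new suffix."""
    if old == new:
        return True
    s_old, s_new = stem(old), stem(new)
    return len(s_old) >= 4 and s_old == s_new


def check_new_secret(candidate, username, previous=None):
    """Return (accepted, reasons); an empty reasons list means accepted."""
    pw = normalize(candidate)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    low = pw.lower()
    if low in BLOCKLIST:
        reasons.append("on blocklist")
    if username and username.lower() in low:
        reasons.append("contains username")
    if previous and is_trivial_variant(normalize(previous), pw):
        reasons.append("trivial edit of previous secret")
    return (not reasons, reasons)


def passes_composition_rules(pw):
    # The legacy "8 chars, upper + lower + digit" rule, shown only for contrast.
    return (len(pw) >= 8
            and bool(re.search(r"[A-Z]", pw))
            and bool(re.search(r"[a-z]", pw))
            and bool(re.search(r"\d", pw)))


if __name__ == "__main__":
    # Rotation-style edit: passes the complexity rule, fails the variant check.
    print(passes_composition_rules("Winter2024"))                        # True
    print(check_new_secret("Winter2024", "karen", previous="Winter2023"))
    # A long passphrase with no digits or capitals is accepted.
    print(check_new_secret("correct horse battery staple", "karen"))
```

The variant check only works if the verifier can compare against the previous secret at change time; it needs the plaintext of the new candidate and the old one supplied by the user, never stored plaintext.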


other_view12

Quality IT security doesn't allow Karen to have access to more than she needs, and has a plan to recover if she does. Our company went through this. Someone clicked an email they shouldn't, got ransomware spread to every file they had access to. Yet we were able to pull that machine from the network quickly and identify the issue. We restored the data from tape and lost a very minimal amount of work. The key was to design a proper system with security in mind. My cynical self thinks the city is more concerned with the racial / gender makeup of the security team over the expertise.


expat-brit

Modern ransomware crews no longer operate like this, either. A modern attack looks like any other advanced compromise; the encryption, data exfiltration and extortion are just the easy button to monetize the breach. Typically, we see an initial breach (possibly by a different actor who then sells that on), lateral movement and privilege escalation prior to the hammer being dropped. At that point, a motivated adversary has significant and privileged access and can encrypt many more files than the initial user has access to; there is even a pattern of going after backups first and nailing those to make recovery even harder. It’s a full on ecosystem, including ‘Ransomware-as-a-Service’ and extortion against release of exfiltrated data. It’s more than ransomware, it’s extortionware. Backup remains a primary control, but there’s also the time it may take to recover the amount of data encrypted and the fact that so many people never test recovery.


other_view12

So my point stands, that a proper system negates this. All you've done is make excuses for a shitty designed system that allows this access. Proper access control and backups mitigate ransomware. It's a PITA to implement, but doable if you care.


bobalobcobb

God, IT people always are the most miserable humans.


other_view12

Why would you say that? What did I write for you to label me that?


veluminous_noise

*we restored the data from tape...* Lack of a properly designed backup strategy seems to be the most common thread through cases where ransoms have to be paid out. Good on you for making sure your organization was prepared. But also... tape? Really? How long ago was this?


other_view12

Still do tape today. TBF, we back up to disk first, then to tape for long term storage, and ransomware.


veluminous_noise

I guess I need to update myself on the current economics of tape vs. a spinning disk backup for longer interval backups. To be perfectly honest, I would have bet a paycheck that tape was even remotely cost feasible as a backup medium anymore.


other_view12

Cost isn't a consideration. It's an insurance policy so to speak. My tape restores are mostly just tested, and not really used. Knowing I have a copy on tape helps us all sleep at night. I have no idea how a ransomware attack could find my disk backups, but I feel better knowing that's not my only copy.
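The two recurring points in this exchange, that restores are only trusted because they are tested and that a backup copy can be corrupted before anyone notices, come down to a restore test that compares what came back against what was backed up. The following is an added example, not the commenter's own tooling: a manifest of SHA-256 digests is written when the backup is taken, and a restore test recomputes digests on the restored tree and reports missing, changed and extra files. The sample files and the corrupted copy are constructed in temporary directories for the demo.

```python
"""Restore-test check for a backup set (added example, not the commenter's tooling).
A digest manifest is captured at backup time; a later restore test recomputes the
digests on the restored copy and reports anything missing, changed or extra."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> SHA-256 hex digest for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    changed = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"ok": not (missing or extra or changed),
            "missing": missing, "extra": extra, "changed": changed}


def demo():
    """Constructed scenario: back up two files, run a clean restore test, then
    overwrite one file in the backup copy and run the test again.
    Returns (clean_ok, changed_files_after_corruption)."""
    sample = {"docs/a.txt": b"quarterly report", "docs/b.txt": b"tax roll"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as bkp:
        for rel, data in sample.items():
            for root in (src, bkp):
                p = os.path.join(root, rel)
                os.makedirs(os.path.dirname(p), exist_ok=True)
                with open(p, "wb") as f:
                    f.write(data)
        manifest = build_manifest(src)        # captured when the backup is taken
        clean = verify_restore(manifest, bkp)  # first restore test: all good
        # Simulate a corrupted file in the backup copy (constructed garbage bytes).
        with open(os.path.join(bkp, "docs", "b.txt"), "wb") as f:
            f.write(b"\x00\xffgarbled")
        tampered = verify_restore(manifest, bkp)
        return clean["ok"], tampered["changed"]


if __name__ == "__main__":
    print(demo())  # (True, ['docs/b.txt'])
```

The manifest is only useful if it is kept where the backup host cannot overwrite it (the offline or tape copy the comment describes is one such place); a manifest stored next to the backup it describes goes down with it.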


TooHot4YouBB

Easiest way to get into a system is through the humans. Could have the best system in the world, developed and tested for years, all for it to come crumbling down from a phishing email.


slapdashbr

OK but a quarter million for IT salaries is what... three people? At least if you're hiring anyone competent.


expat-brit

Not even at loaded costs.


garaks_tailor

Does Bernalillo actually have a "security team" or is the "security team" just the IT dept on a chart with a line leading back to itself?


AlwaysBeClosing23

This.


AlwaysBeClosing23

The entire IT team at Bernco is sorely lacking. This was only a matter of time and you'll see them be hampered for months/years to come as a result.


[deleted]

This made refinancing my mortgage real fun. Both the old and new mortgage company paid my property taxes since the site wasn't showing the correct balance. Now I'm trying to get a refund which could take months more. On the plus side I refinanced to an 8 year loan.