Presentation delivered to the Minnesota Counties Computer Cooperative (MNCCC) on February 5, 2020.
In this presentation, Evan Francen (CEO of SecurityStudio) outlines the current threat landscape for ransomware affecting state, county, and municipal government. He also takes the attendees through the free Ransomware Readiness Assessment, then closes with the key risk indicators.
3. This is an interactive presentation.
I want you to come away with something real, something tangible.
Do THIS - Go download the Ransomware Readiness Assessment.
https://wp.me/aaDXKz-xl
We’re going to use this in a little bit…
Housekeeping Item #1
4. IMPORTANT!
Before I get started…
• The World Health Organization states that over 800,000
people die every year due to suicide. Suicide is the second
leading cause of death in 15-29-year-olds.
• 5 percent of adults (18 or older) experience a mental illness
in any one year
• In the United States, almost half of adults (46.4 percent) will
experience a mental illness during their lifetime.
• In the United States, only 41 percent of the people who had a
mental disorder in the past year received professional health
care or other services.
• https://www.mentalhealthhackers.org/resources-and-links/
5. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
I do a lot of security stuff…
• Co-inventor of SecurityStudio® (or S²), S²Score, S²Org, S²Vendor,
S²Team, and S²Me
• Made a little, simple, and free ransomware readiness assessment
• 25+ years of “practical” information security experience (started
as a Cisco Engineer in the early 90s)
• Worked as CISO and vCISO for hundreds of companies.
• Developed the FRSecure Mentor Program; six students in 2010,
532 last year, and more than 750 signed up already for this year.
• Advised legal counsel in very public breaches (Target, Blue
Cross/Blue Shield, etc.)
How do we secure America?
AKA: The “Truth”
MANTRA: Information security isn’t about information or security as
much as it is about people. Information security is ALWAYS about people.
7. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic.
How Can We Fix This Broken Industry?
Published January, 2019
How do we secure America?
Russian friend.
Chinese friend.
8. FREE STUFF
#1 – Most relevant to today’s discussion.
Go get your Ransomware Readiness Assessment - https://wp.me/aaDXKz-xl
#2 – Go get your free S²Org information security risk assessment
– https://securitystudio.com/
#3 – Go get your free S²Me personal information security risk
assessment – https://s2me.io
#4 – Sign up for the FRSecure CISSP Mentor Program –
https://frsecure.com/cissp-mentor-program/
All free, in exchange for feedback and participation.
21. Ransomware – How Bad Is It?
It’s pretty bad.
• Everybody knows about Baltimore right? ~$18MM
• Atlanta was almost as bad. ~$17MM
• New Orleans? ~7MM
• Riviera Beach (FL)? $600K (paid the ransom)
• Lake City (FL)? $530K (paid the ransom)
• Tillamook County (OR)? Still down – attacked on 1/22
• Duplin County (NC)? Still down – attacked 2/3
• Racine (WI)? Still down – attacked 1/31
Most of them thought they were fine. Like you and
me, I suppose.
But, you’ve got “cyber” insurance right? So no big.
26. Ransomware – How Bad Is It?
It’s pretty bad.
• In the 4th quarter of 2019, FRSecure responded to 19
incidents, and most of them were ransomware.
• And are you ready for the next thing?
The next thing(s) are combination
ransomware/extortion attacks.
27. Ransomware – How Bad Is It?
It’s pretty bad.
Source: https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate
OK, great. Now what?!
Simple (sort of). Get ready.
28. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
• Originally created in 2017
• Nothing has changed.
• Same attack vectors
• Same preventative controls.
• Same detective controls.
• Same responsive controls.
• Same corrective controls.
• No matter what you do, you will not be able to prevent all
bad things from happening. This is NOT the goal anyway.
• The name of the game is risk management (possible) and
NOT risk elimination (impossible).
• Assess the problem before trying to fix the problem.
Free and open source. Released under the
Creative Commons License.
33. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
Keyword “simply”.
Can’t manage what
you can’t measure.
INCOMPLETE (until
it’s not)
Need a translation for
the “normal” people
35. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
Six tabs containing
sections that correlate
here.
Six Sections:
1. Clients
2. Storage
3. Practices
4. Antivirus
5. Network
6. Servers
38. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
Client Systems
Key Risk Indicators are
red.
Just answer “Yes” or
“No” (25 questions)
40. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
After all questions are
answered, a score is
calculated.
If you don’t know the
answers, then this is a
great education tool.
You should know.
41. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
Back on the dashboard,
scores have been
updated.
43. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
Storage
Only seven questions here!
44. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
Same thing. Score after
?s are answered and an
updated dashboard.
45. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
10 questions about
“Practices”.
46. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
10 questions about
“Antivirus”.
47. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
13 questions about the
“Network”.
48. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
Finally, nine “Server”
questions.
51. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
FINAL RESULTS?!
Back to the Dashboard.
I was sort of hoping for
better than “Poor”.
Give me hope and a dollar, and I’ve
got a dollar. Need action too!
54. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
Quick recap of KRIs.
1. Stay up to date with all software (OS, applications, etc.).
2. Do backups, protect your backups, and (PLEASE) test your
backups often.
3. Establish solid incident response capabilities (policy,
procedures, training, testing, etc.).
4. Default deny is your friend.
5. Restrict permissions/privileges everywhere. Someday,
you’re going to have to get your hands around this.
This won’t get your files or
systems back.
But this will.
55. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
Multi-factor authentication, especially for (or starting with) externally
accessible systems.
There are ZERO acceptable reasons for not protecting external resources with MFA.
ZERO as in NONE or NO or NADA or NIL or ZILCH.
56. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
Takeaways…
1. Don’t just rely on experience or “gut” feel.
2. Plan for a ransomware attack. It’s more likely than you
think.
3. The Ransomware Readiness Assessment is just a guide.
4. The Ransomware Readiness Assessment is a learning tool
for you, your colleagues, and others.
5. Don’t assume anything. (empty spaces always get filled)
That’s it.
57. The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
Thank you!
Where you can find me…
Personal Website: https://evanfrancen.com
UNSECURITY Podcast (weekly)
Twitter: @evanfrancen
LinkedIn: https://www.linkedin.com/in/evanfrancen/