Losing My Malware Virginity
It's not a question of IF one gets infected, it's only a matter of WHEN
Sitting by the pool that comes with my apartment at a cookie cutter corporate complex in Mountain View, California, shading my pasty white skin from the afternoon July heat under a canvas umbrella, I see my pal Jerry sprinting across the wide common area lawn waving frantically at me.
"Paul, Paul, come quick! Something's happened to Jenny!" Jerry shouts.
"Jenny? Is she OK? Do we need a doctor? An ambulance?" I shout back.
Jerry sighs as he grips the wrought-iron, spade-tipped bar fence with both hands, slightly bent over to catch his breath. "No, Jenny's fine. It's her computer. It's laughing at her!"
"What the hell? Laughing at her?" I sneer.
"Come quick! Jenny's about to have a meltdown!" Jerry pleads.
I grab my towel, gallon jug of sunscreen, and my new copy of Wired magazine, then head off with Jerry to his apartment. I'd met Jerry while building a new UNIX computer-aided design (CAD) network for semiconductor engineers at one of many chip manufacturing companies in Silicon Valley. Jerry was a semiconductor product line manager who met and married Jenny while they attended Stanford Business School in next-door Palo Alto. Jenny was VP of HR at a software company in Sunnyvale. Both were brilliant at their jobs and not so much with computers.
Jerry and I arrive at their apartment and climb the stairway to the second level then to the bedroom converted into a shared home office space. We find Jenny in tears.
Jerry reaches both arms out and Jenny jumps up to embrace him, tears streaming down her cheeks. Jerry points to her computer. The screen is red, a devil cartoon is pointing and laughing. The hard drive light is blinking furiously.
"What happened?" I ask Jenny.
"Yesterday was my birthday and Jerry bought me this nice desk that has this shelf to elevate the screen to eye level and a separate lower shelf for the keyboard. We moved the old desk out, brought the new one in, and just completed adjusting the keyboard shelf to fit my height. We made the first adjustment of the screen shelf height and Jerry asked me to try it out," Jenny recounted.
Jerry chimed in, "I was reassembling her PC and had just the screen, mouse, and keyboard connections in place so she could sit and I could adjust while she told me 'Up' or 'Down' for the shelf. The screws are still a bit loose until we find her correct height. Her network cable, external hard drive, and printer are over there in the corner until we get her desk just right."
Jenny continued, "I decided to open Outlook because I use that most. It didn't matter that we were not connected to the network. I'm just testing. There were several Happy Birthday messages downloaded into Outlook I had not yet read, so I opened one with an electronic birthday card. THAT is when it happened! The screen turned red, this stupid cartoon appeared and started laughing and pointing its clawed finger at me. It froze and that's when I screamed for Jerry."
Jerry said, "I ran upstairs and saw Jenny panicking and pointing to her computer. I had no idea what was going on, so I went looking for you. You've been a great pal helping with our computers when we ran out of space and to get us on the Internet, so I knew you were our go-to guy. I'm so glad I found you at the pool!"
Just then the screen turned from red to the dreaded Windows "Blue Screen of Death" with some English text, then a bunch of gibberish characters. Her PC was toast. Apparently the electronic birthday card had a virus included in the message download. The malware was activated when Jenny clicked on the image of a birthday cake. The hard drive light was off. We all looked at each other, dumbfounded.
Time for me to get to work.
First, the most fundamental troubleshooting operation for any Windows device: turn it off, then turn it back on.
Its response: "No operating system found. Press F1 to continue." Doh! Jenny's hard drive was destroyed.
I deliver the bad news, "Jenny, that electronic birthday card had a virus and it just ate your hard drive for lunch. It's destroyed. It will need to be replaced. I'll go to Fry's Electronics down the street and buy a new hard drive, then install it. Do you have the CDs for your Windows system and Microsoft Office? I'll need the product keys written on those to reinstall everything. I can get you up and running in a few hours. You should order some pizza for us."
Jenny says, "I'll order a large combination from Mountain Mike's on El Camino. Jerry can pick it up while you are at Fry's. I have the CDs you need right here on the bookshelf."
Jerry adds, "I'll grab the pizza and two six-packs of beer. That should keep us going for the evening. I'll also cinch down the screws on the desk so it's usable when you return."
I agree and I'm off to Fry's.
Thirty minutes later I'm back in their home office and installing the hard drive. PC reassembled; network cable connected; printer connected; external hard drive connected. Windows and Microsoft Office installed. Pizza munched and both six-packs of beer guzzled, fueling the entire process.
I tell Jenny, "It's fortunate that your external hard drive was not connected when you clicked that birthday cake or it may have been destroyed as well."
Jenny says, "Oh my gosh! Those are all my important files! I stored everything there after running out of hard disk space last month. I'm so glad you installed that for me and moved all my files there."
Jerry takes a long swig of beer, then states, "This was an eye-opening experience for us. We've read about computer viruses in the news but never considered it would happen to us. We're really grateful for your help!"
Job completed, I meandered through the byzantine common areas back to my apartment, with a bit of a buzz and pizza dough stuck between two teeth that my tongue kept poking at.
What did I learn from this first exposure to malware on a friend's computer over 20 years ago that is still applicable today?
Malware preys upon the human element, then violates trust
People are hardwired to trust each other. We trust that everyone will follow the rules of the road when driving. We trust major brands with our credit cards when shopping online. We trust the advice we get from doctors and other learned professionals.
Our email inboxes have become veritable minefields today. Phishing attacks are email or text messages that masquerade as a trusted person or brand and encourage the recipient to click on an image or a link that will damage their system and potentially infect other connected computers. This is a violation-of-trust attack.
Companies build and connect computer networks with the same concept of Trust
Companies have built their networks using the castle metaphor: everything outside the castle walls is untrusted while everything inside the walls is safe. Email and text messages (on macOS) are among the few items allowed through the castle defenses virtually unchallenged. One click and an entire enterprise can be brought to its knees, with a hefty ransom to be paid for recovery of critical data and business resumption.
It's not a question of IF one gets infected, it's only a matter of WHEN
Due to the sophistication of Ransomware-as-a-Service (RaaS) organized crime rings and the turn-key infection capabilities of malware tools, the barrier to entry into this highly profitable crime field is now much lower. This gives less skilled criminals more opportunity to profit, which increases the likelihood of infection for everyone on the Internet.
Preparedness is key for successfully coping with a data breach
Having competent and tested Incident Response Plans and effective Disaster Recovery plans is crucial for dealing with infection incidents. People can be trained to be suspicious of email/text links and attachments. Tools can be deployed to help verify email attachments and questionable links. Routers, firewalls, and other security appliances can be adjusted to prevent network connections to locations where there are no business relationships. Perform a Risk Assessment and a Ransomware Audit to determine your data assets, vulnerabilities, the impacts of data loss, and methods for controlling those risks.
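The birthday-card story above and the "tools can be deployed to help verify email attachments and questionable links" point both come down to a few mechanical checks a mail gateway or help desk script can run before a person ever clicks. The following Python script is an added example written for this page, not code from the original post or any product it mentions: it parses a MIME message and flags (1) attachments with executable, script or macro-enabled extensions, or a disguised double extension such as `cake.jpg.exe`, and (2) HTML links whose visible text names one domain while the `href` points at another. The sample message, domains and file names are constructed placeholders, and the two-label "registrable domain" helper is a simplification (a real tool would use the Public Suffix List).

```python
"""Phishing triage heuristics for one email message (added example).

Checks applied to a parsed MIME message, constructed sample data only:
  1. Attachment names with executable/script/macro extensions, or a
     disguised double extension (e.g. birthday_cake.jpg.exe).
  2. HTML links whose visible text shows one domain but whose href
     points at a different one.
"""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should never arrive unannounced in a greeting card.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                    ".vbs", ".ps1", ".hta", ".lnk", ".docm", ".xlsm", ".pptm"}
# A harmless-looking extension followed by a real one: cake.jpg.exe
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|txt)\.[a-z0-9]{2,4}$", re.I)


def registrable_domain(netloc: str) -> str:
    """Last two labels of a host. Simplified; real tools use the PSL."""
    host = netloc.split("@")[-1].split(":")[0].lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_attachments(msg: Message) -> list:
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r}: executable/macro extension {ext}")
        if DOUBLE_EXT.search(lower):
            findings.append(f"attachment {name!r}: disguised double extension")
    return findings


def check_links(msg: Message) -> list:
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            href_dom = registrable_domain(urlparse(href).netloc)
            # If the visible text looks like a URL, it must agree with href.
            m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
            if m and registrable_domain(m.group(1)) != href_dom:
                findings.append(f"link text {text!r} but href goes to {href_dom}")
    return findings


def triage(raw: str) -> list:
    """Return every finding for a raw RFC 5322 message; [] means clean."""
    msg = message_from_string(raw)
    return check_attachments(msg) + check_links(msg)


# Constructed sample "birthday card": mismatched link plus a double-extension
# attachment. All domains are placeholders under the reserved .test TLD.
SAMPLE = """\
From: Greetings <cards@example-greetings.test>
To: jenny@example.test
Subject: Happy Birthday!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your card is ready:
<a href="http://cards.evil-example.test/view">https://www.example-greetings.test/card</a>
</p></body></html>
--B1
Content-Type: application/octet-stream; name="birthday_cake.jpg.exe"
Content-Disposition: attachment; filename="birthday_cake.jpg.exe"
Content-Transfer-Encoding: base64

UGxhY2Vob2xkZXI=
--B1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
```

Run against the constructed sample, `triage()` returns three findings: the `.exe` extension, the `.jpg.exe` double extension, and the link whose text advertises `example-greetings.test` while its `href` resolves to `evil-example.test`. A plain-text message with no attachments returns an empty list. Heuristics like these are a complement to, not a replacement for, the user training and gateway controls the paragraph describes.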
Having a first responder at your fingertips is critical
Review and engage companies that provide 24x7 emergency response computer forensics and can be on site at a moment's notice. Pay them a monthly retainer so you have known priority when an incident occurs.
Cultivate relationships with local, state, and federal law enforcement agencies to find out how they can help and what triggers their intervention into a cybercrime.
Contact your banking officials to learn how to access large sums of cash in a short amount of time in the event of ransomware extortion. Have a plan to purchase cryptocurrency, such as Bitcoin, for ransom payments with the assistance of your banks.
Recovery from data breaches takes time and costs money
Recovery starts after the ransom is paid and data is restored. Perform a blameless Lessons Learned exercise to determine the root cause of the incident, weaknesses uncovered, and steps including enhanced budgets to strengthen identified weaknesses.
Just like a heart attack patient has a long recovery ahead, so it is with companies that have weathered a cybercrime incident. New processes must be implemented, equipment will need updating, and staffing may be adjusted to fill skill gaps. Most importantly, the network will need a redesign to remove implicit trust and shift to a Zero Trust Network Architecture.
Once you have paid ransomware thieves, you are a target for repeat occurrences. Zero Trust Network Architecture can drastically reduce or eliminate the effects of another incident.
Conclusion
Data breaches are no longer a matter of if; they are a matter of when. Is your organization prepared to drop everything to deal with ransomware or another data-loss catastrophe crippling your operations? If you've already suffered a data breach, is your organization fully recovered? I help organizations prepare themselves and, after a breach has occurred, build resilience to reduce or eliminate the impact of yet another. After all, once a breach occurs, you have become a prime target.
Can you say you are really ready? How do you know for sure? Are you willing to bet your company on your answer? Let's talk.