Peggy is joined by Gary Salman, CEO and cofounder, Black Talon Security, to talk about the latest trends in cyberattacks and how cybercriminals are literally stealing and selling data on the dark web. They also take a deep dive into how companies need to be aware of ransomware attacks and how to cope should an attack happen.
Below is an excerpt from the interview. To hear the entire interview on The Peggy Smedley Show, visit http://www.peggysmedleyshow.com, and select 10/12/2021 from the archives.
Peggy Smedley: Gary, we have a lot to unpack in this show. So, let’s get started by talking about some of the latest trends you’re seeing in cyber tech. They just don’t stop coming, and they’re coming in all shapes and sizes, and the bad guys are getting trickier, and it’s almost getting harder to recognize a bad guy from a good guy.
Gary Salman: Yeah. The hits just keep coming, right? I don’t think you can turn on the TV or hit your favorite news website and not see some type of cyber event. I mean, look, we just dealt with Facebook, and Instagram, and WhatsApp going down for most of the day and people went crazy, right?
Smedley: I’m not sure if that went down or if they didn’t do it on purpose. Now, they got a whole different kind of thing going on there, but let’s just say whistleblower, they go down, I got my own conspiracy theories going on there. But listen, I just cover the media, I’m just saying. But you tell me, you do this more than I do. I’m just looking on the outside, looking in, but you go ahead you tell me.
Salman: So, I think there’s some pretty significant changes that we’re seeing in the cyber world right now. The primary one is the modus operandi of these threat actors also known as hackers. So, if you look back at what they did a couple years ago, especially with ransomware, they would break into a network, right, either electronically hacking in, or they would socially engineer an employee at the business. And they would deploy their ransomware code and encrypt all the files on the servers. And then for a smaller, medium business, they may ask for a couple thousand dollars, it wasn’t that crazy of a demand back then.
Then we started seeing the ransomware payments ramp up. They started doubling and tripling in price. And instead of hitting a couple computers right on the network, they would hit almost every single one. So, for a small business, 20 of them, for a medium-size business, hundreds of thousands of them would all be encrypted with ransomware. And then businesses started to get smarter. They’re like, all right, what kind of technology can I put in place to properly back up my data and try and prevent the ability of hackers to basically prevent access to my information? So, businesses started deploying cloud backups, and offsite backups, and all these things. And the hackers are like, “Okay, well now the businesses kind of stopped paying us because they have the data available, and they’re just going to rebuild their systems and restore.”
So, then the hackers pivoted, and they said, “All right, how do I guarantee that I get paid if I hack a business and deploy ransomware?” And what they started doing, a little over a year ago, is exfiltrating, also known as theft of data. So, before they execute their ransomware code—which once it executes everyone knows that they’ve been attacked, right—they see skull and cross bones on their screens. What they do is they steal all of the business’ data. So, they gain access to a machine, they then typically move around the network, try and find the server, and then they start offloading as much data as possible, sometimes terabytes of data, huge data sets. And in many of these cases, there’s no alarm bells going off on these networks to tell the business that they’re having their data stolen.
So, they steal all the data and then they hit them with ransomware. So now the business is in a pretty precarious situation. So, you’re a business owner and your IT folks say to you, “Hey, listen, we just got hit with ransomware. All our data’s been encrypted. The ransom note says that the hackers also stole all of our data. However, we do have a viable backup that we kept off site.” Now, as the business owner, you need to make a decision. What did they steal from you? You could have HR files, you could have financials, you could have intellectual property. You could have personally identifiable information. You could have banking info. If you’re in healthcare, you could have all these patient records.
There’s a tremendous amount of value to this data from an extortion standpoint. Think about everything that you store on your network, and if that was exposed, how would that put you, from a PR perspective, from a compliance, from a legal, from a financial perspective? It’s a really bad place to be. So, what most businesses have to do now is (say), “All right, look, we have a backup. However, we can’t afford to have all of this confidential information released. We’re going to make the payment to the hackers, so they quote unquote, erase the data off of their servers, and don’t publish it or sell it.” So, I think that’s one of the biggest trends we’re seeing right now in terms of the new MO that these hackers have.
Smedley: So, these hackers, these guys who are doing ransomware, are basically saying, “Let me put a gun to your head. Pay me or else.” So now you have to get the really best security people to say, “Look, I’m a bad guy, but I’m going to be a good guy now.” So you have to get them to come in to think like how do they think and now hire them to think like a bad guy, but be a good guy, because now you got to get them to kind of fend off the bad guys and they have to behave like them and get into the behavior to learn like them because that’s the only way you’re going to fend them off eventually. I don’t know. Is that ultimately where we’re going to get to, to beat these bad guys?
Salman: I think the challenge is for most businesses, let’s just say excluding say the Fortune 1000 companies, right, the big players in the world. Most businesses don’t truly understand the risk. So instead of budgeting for cybersecurity, right, or budgeting for proper IT services, that’s kind of an afterthought, right? We want to spend our money on all this other stuff. And what happens is there is really good technology out there. There are really well trained and certified security professionals that can help defend these networks. But the problem is you can imagine when businesses pay for this type of stuff after the attack, right? The checkbook opens up wide. They’re like, “Oh my gosh, we don’t ever want this to happen again. We can’t afford another million-dollar loss to our business.” Well, what did it cost to get all the security in place?
Smedley: Gary, I got to ask you, when a police department, when a water facility gets hacked, what does the average consumer think? They throw their hands up and go, “Well, if it can happen to them, then we’re all at risk, right?” I mean, isn’t that when we really get scared as the average business and go, “I don’t want the rest of the world to know this just happened to us. Oh my gosh, we just dropped our pants.” I mean, that’s what they’re saying, right?
Salman: Right. I think the challenge really is a couple of things. One, you’d be surprised, regardless of the type of business they are, you would think that they have really good security measures in place. I’ll tell you from firsthand experience, we’ll walk into businesses of all different sizes and types. And we’ll go to sit down with the IT department, with the executive team, depending on the type and size of business, and we’re expecting wow, an organization of your size is probably really squared away, right? I’m sure they’re going to have these security folks and all this technology in place. And you walk in and we’re like, “Wait, you don’t have anyone that does that? You don’t have this technology in place? You’re not doing this?”
And it’s very, very eye opening. And I think that’s the inherent problem here is the executive teams aren’t understanding the true risk. And many of the times, these executive teams aren’t technical. And the big, big problem that we see, Peggy, is the businesses are relying on generalists to secure their business. So, by that, I mean their IT resources, their internal IT folks or their external IT folks, either an IT company or fancy phrased as a managed service provider. The problem here is these individuals don’t have the tools and the credentialing and knowledge to properly secure these networks.
So, what typically happens at the C-Suite or at owner’s meeting is they’re like, “Hey, I just saw on the news that these businesses got hit, what are we doing to protect our business? I don’t know. Let’s call our IT guy.” The IT guy comes in, sits at the table and says, “Oh, listen, I just got you set up with the latest generation firewall. You have next generation antivirus software. I got this great backup solution for you, Mrs. CEO. You’re good. Oh, and by the way, you’ve been working with me for 10 years, have we ever had a problem before?” And Mrs. or Mr. CEO’s like, “Oh no! I guess we’re fine, right? And this next gen stuff sounds great.” Two weeks later, they turn around and they get a call on a Saturday morning that their system’s been hit by ransomware. And they’re like, “Well, how could that have happened? We just had a meeting with their IT guy he said we were safe.” But here’s the problem, right? Oh, go ahead.
Smedley: But I was going to say is the problem because, go back with that. You mentioned about the managed service provider concept of that. Is it because there’s only one person running in a department and you haven’t secured the perimeter concept, there’s not enough eyeballs? Because remember, these bad guys, this isn’t just something that one person’s doing, it’s constant attacks.
Salman: Right.
Smedley: It’s frequent. There’s only so much a small department can do. How many things do you put at it? I know you’re saying the tools, but we know the government gets attacked nonstop. I mean, they got a lot of people, and it happens to them. I mean, we see it. So, I mean, you got to have the right resources, the right tools. How much do you put at that, that you say, “Look, I’m a small to medium business, I can’t put those kind of dollars.” And you say, “What are those kind of dollars? What is the tool that’s going to stop constant repetitive attacks that at some point you’re not going to be able to?” And we all know when we look at what happened to Target, we know what happened, it ended up being human error. We all make mistakes. We all look at certain attacks and say, sometimes they look so real and some of the attacks are because of human error.
Salman: Absolutely. I agree. So, there’s the social engineering style attacks, right, phishing, and spear phishing, and scams like that.
Smedley: Which are most of them, right? I mean, honestly, a good portion of those, right?
Salman: You are correct. Yep.
Smedley: Okay.
Salman: But to address your first question, and it’s very interesting how you phrase it, right? Because if big government and big companies can’t protect themselves, how does the small business or the medium business protect themselves? But here’s the differential, there’s something known as attack surface. Attack surface, conceptually, is all the entry points and vulnerabilities in these environments. Now, the bigger you get the larger your attack surface. So, let’s look at a couple different scenarios. Let’s just say, you’re a small business. Let’s say it’s under 50 computers, right? And you’re all in a single location, doesn’t matter, professional services, finance, for instance, legal, healthcare, or maybe you’re in some type of manufacturing, what’s your potential attack surface? Well, maybe you have one firewall, right? Maybe you have a couple employees who work remotely, and you have some vendors who log in.
Now that type of attack surface could be managed very easily, right? You can do a lot of really good things for not a lot of money to protect that type of attack surface through penetration testing and vulnerability management to make sure firewalls and computers aren’t being exposed, and training of your employees through cybersecurity awareness training. You can really take that attack surface and lock it tight. Now, take a large company with 15 or 20,000 employees with all those people working from home, hundreds of vendors having connections to these systems, 50 different pieces of software installed on these environments, all these contractors coming in and out installing stuff on the networks, whoa, that attack surface is extremely difficult to manage. And what you said, and if you only have one or two people for an environment like that, that is a recipe for disaster. But I do believe that smaller and medium businesses, because they have this smaller attack surface, can actually be secured better than these larger organizations for a fraction of the price.
So, it is proportional, Peggy. I mean, there’s no doubt about it, right? A business, a small business that generates say a million dollars a year, isn’t going to invest obviously in the same types of technologies and same types of technologies that a large company would. But there are lots of things that these businesses can do to try and prevent this. And if they’re doing the right things, they are an extremely formidable adversary to these threat groups. Because for the most part, hackers are opportunists, right? They’re going to scan the network, they’re going to look for vulnerabilities. If the environment’s locked down and the attack surface is as close to being eliminated as possible, they’re going to move on to the next network. That’s just typically how it works.
Smedley: So, Gary, we’re running out of time for this segment, but I want you to come back because I want us to continue this conversation, because I want you to explain the difference between IT companies who are really going to get talking about this, but what we have to do is talk about a cyberattack, the average cost. And I want us to talk about the impact of ransomware. So, we’re going to wrap this up. So, Gary Salman, CEO and co-founder of Black Talon Security, tell our listeners where they go to get more information, because we’re going to have you come back and continue our conversation. Because I got to continue on with so many other questions. And tell our listeners where they can go to get more information.
Salman: No problem. I appreciate that. So, you can visit us at Black Talon Security, blacktalonsecurity.com.