This has been a tough week for TrialWorks users; as we write this blog the fourth day of a ransomware disaster hosting outage.  According information shared by customers, the hosting system has been down since Sunday morning due to a ransomware attack.  Update:  reports of customers returning to operation have started to come Thursday.

Ransomware can strike vulnerable companies and most are vulnerable to ransomware.  Examples include hospitals, the City of Baltimore, and countless government and municipal agencies.  Ransomware is a type of malicious attack where the attackers encrypt the organization’s data, after they have infiltrated the systems, then demand a monetary payment. The data is inaccessible by the organization until it is decrypted or deleted.

Next Steps.

This is not the first technical outage and not the last. Every firm affected could have potentially experienced an outage like this on their own. In some respects, it is unfair to think of this as a single event, rather consider it a simultaneous series of cybersecurity disasters. Datto estimates $75 billion dollars in losses by businesses each year with an average cost of $133,000.  Ponemon Institute calculates 850.97 million ransomware infections in 2018.

We also know, according to Massachusetts Institute of Technology,  cybercriminals will target SaaS (Software as a Service) and cloud computing businesses, which store and secure private data. Thus, there is inherent value of Virtual Private Clouds and hybrid infrastructure wholly-owned but the company that uses it.  As tempting as outsourcing all of one’s technical needs to a hosted vendor might be, events like this teach us that owning your information technology has benefits.

While enterprise cloud providers like Microsoft Azure, Google, Amazon Web Services are targets for ransomware – they architect their systems with security as a fundamental concept and mitigate internal risks to a point of little concern to us.  Their job is to provide infrastructure that is more resilient, more capable, and more secure. We encourage law firms to consider virtual private clouds for these reasons.  Please contact us to learn more how our solutions can help you transition to your own Amazon Virtual Private Cloud solution.

Looking Back.

The harsh truth is that you, the firm owners/managers, share some culpability in the event.  What you could have done to avoid ever being in this position was have a candid conversation about security and what it meant to your firm. The conversation could have lead to solutions that help manage inevitable technical failures.  For instance, had you conducted a Vendor Assessment Audits you would have learned that the systems used in hosting were partially shared and thus not multi-tenant.

Is the system multi-tenant?

Multi-tenant means that each customer is logically isolated from the next.  When something bad happens in one tenant, it has no physical means to carry-over to another customer. The ransomware incident spread between systems because it could.  Although we have no doubt they will recover from this event and get every firm operational, the speed at which that happens is reasonably slow.  Just like a plane which cannot move until the last passenger is seated and the doors are closed, disaster recovery requires all environments to be ready before they are allowed back into production.

The alternative to this can be a more costly, or a more complex, architecture that favors logical isolation of customers – also referred to as tenants. In some cases it is impractical, in other cases it is impossible, and in some cases it is the standard.  The only way to architect cloud solutions is to build them to the needs they serve.

Prevention.

Prevention is the most effective defense against ransomware and it is critical to take precautions for protection.

When the U.S. Government says that prevention is the key to infection, we tend to think of technical tools that stop the malware.  Unfortunately, that is not quite what they mean. Instead, they refer to awareness & training as the first line of defense: the human firewall.   After that the recommendations skew towards technical controls that prevent threats from reaching users such as appropriate spam filters and security controls. According to Sophos, 75% of companies infected with ransomware were running up-to-date endpoint protection.

The point here is that, reading between the lines, there is a collective agreement that stopping ransomware is unlikely.

At the same time, the technical community agrees that a well developed disaster recovery plan is the most cost-effective method of dealing with ransomware.  This is because controls that protect and prevent are costly, laborious, and interfere with the convenience of systems many users are accustomed to.

Reality Check.

A fair question to ask is whether this was preventable, and in many cases the answer is “no”.  Simultaneously, that is not the right question to ask because it allows for a binary answer to a complex problem.  Although we can make every effort to prevent a ransomware strike, it only takes one misstep to open a vulnerability that allows the infection. It can be a user error, a configuration mistake, a discovered vulnerability, or third-party software.  More appropriately the focus should be on whether this was a predictable event and what could have been done to mitigate the impact.  In a recent email to customers they said:

We are not the first, nor will we be the last organization in our industry to be the target of one of these attacks.

This is true, this is not new.  The first ransomware attacks appeared in 1989.  Cybersecurity risk planning and risk assessment has become the dominant form of protecting information technology from malicious attacks.  Unfortunately, not enough businesses take the time to look at the risks associated with their systems and make the necessary investments to meet their own needs for uptime.

The first ever ransomware virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp. It was called the AIDS Trojan, also known as the PC Cyborg. Popp sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference. The AIDS Trojan was “generation one” ransomware malware and relatively easy to overcome. The Trojan used simple symmetric cryptography and tools were soon available to decrypt the file names. But the AIDS Trojan set the scene for what was to come.  — KnowB4

Knowing that we are in year 30 of ransomware activity, we all have a responsibility to protect systems.  You, as the customer, should conduct the necessary risk assessments for your business.  Your staff should be trained and cybersecurity awareness needs to be part of your daily life.  Value of solutions should be based on impact of predictable and plausible disasters and underspending is as much of a security risk as malicious actors.  Finally, you should demand solutions that meet your expectations and never outsource security to someone else.

That may be some tough love, but those of you that listen typically respond with “but I don’t understand the tech stuff” which is equally troublesome. One of the leading sources for information on cybersecurity issues is the Federal Emergency Management Agency (FEMA). Their information caters to non-tech persons and breaks down the business problems of cybersecurity.  Risks, value, impacts, and mitigation measures are not technical – they are the responsibility of every business owner.

In other words, cybersecurity is a shared responsibility between the end-users, the vendors, providers, and consultants that collectively enable information technology.