Extortion, Sherry David, Sherry discussed on The CyberWire
My guest today is Sherry. David off regular cyber wire listeners may recognize her as the protagonist a namesake of Jeremy and Smith's book breaking and entering the extraordinary story of hacker named Alien Sherry Davidov is CEO of L. M. G. Security and her latest book is data breaches crisis and opportunity. I have been in Cybersecurity for almost twenty years and when I started off I was handling incidents that MIT. I responded to an ad for people who wanted to stay up late and eat pizza and monitor the network and it has just been amazing to watch. The problem evolved the challenges evolve and the solutions as well back when he first came out in an when it was first enforced in two thousand five. I was tasked with creating the first incident response policies for the Children's Hospital in Boston and working with other local hospitals to coordinate so having watched the laws evolve and watch the response processes of evolve has been fascinating and I wanted to take the time. To tell those stories the really deep and fascinating stories about where data breaches came from and what the human dramas are behind them. The book really has a lot of breadth to it. You cover a lot of ground throughout One of the things that caught my eye is This notion that you present that data is the new oil. I found particularly interesting. Can you can you describe to us? What are you going for with that sure? I wanted to find out where data breaches come from. You know as an author you want to start from the beginning. What was the first data-breach and I managed to nail down when the term data breaches came out And I'll leave that to you to guess but even before that you know the concept of data breaches. That happened and I went back to the eighties. And I found this giant data-breach that likely that giant data breach that had happened to the eighties. I managed to get some FBI files on that so that newly released information is in the book and that was a subsidiary of Dun and Bradstreet and at the time Dun and Bradstreet was really excited about information. They said information is the new oil and at that same time the Exxon Valdez spill happened and I think that was very poignant just the fact that those were happening at the same time and these days you know. We don't as a society really know how to contain information how to control information. It's like automobile repair shops fifty years ago where they were just tossing oil and gas. Willy Nilly all over the place. The same is true with data. So we're in the early days of information management still Well in addition to all of the really fascinating history that you lay out here in the book. There's a lot of forward-looking stuff as well. You're looking ahead at some of the potential threats for for this coming year and beyond. Can we go through some of those together? What's on your radar as we look to the future? Well we're seeing three big threat. Spur of the year. Two Thousand Twenty number. One cloud breaches have been huge. And that's the last chapter of the book because I felt it was very forward facing cloud data breaches built on a lot of the supply chain risks that that we've see and capital one is a great example where there was a simple miss configuration in Amazon. And you're seeing our society wrestle with these questions about who is responsible is it. The cloud provider is at the customer. There are certainly tools that cloud providers can give you that. Make it easier or harder to secure their data depending on the interface and cloud providers certainly share in that responsibility as well as responders. We find it very challenging to respond to cloud data breaches. There's a lot of INS and outs and I've laid out a lot of those a lot of the best practices in my book about what to do if you have a cloud. Data breach in what are best practices. But there's a lot of ethical questions. Cloud providers are not always forthcoming with the data. Sometimes the data that you want to be able to determine what an attacker got and what they didn't get sometimes that's not even there in the cloud so we're really wrestling with these challenges as an industry. What other topics are you tracking? What we've seen some big changes in ransomware over the past few years ransomware has become an epidemic and traditionally ransomware has come in they. Lock up your files and they say okay. Pay Us and we'll give you the keys back while it is true that if they have access to your files they might also have stolen them a lot of times. They don't actually steal your files they don't actually take anything they're simply interested and locking up your files and holding you for ransom and they don't bother exporting information from your systems so that is sort of the silver lining with some good news for anybody. Who's a victim of ransomware? Because if you pay and if you decrypt your data. There's a good chance that they didn't actually take anything. And you can do a forensic investigation to try to rule that out what we're seeing now is multiple groups that are engaged in large-scale ransomware attacks that has shifted to a different type of extortion. So we saw this for example with the city of Pensacola with the company southwire South Wires Manufacturing Company and they were being held ransom for six million dollars so they said they weren't going to pay that presumably. They had good backups. Hopefully they were able to recover their data. It did cost some outages but the criminals once they understood they weren't going to get their money. They published their data. They started publishing it online and this has become their new business model for the Maze Group that holds people for ransom. Where if you don't pay to unlock your data? They will publish it. So that's what we call exposure extortion. There are different types of cyber extortion. If you're being held hostage an you're just trying to recover your data back at the availability is gone that situation where you may or may not want to pay the ransom. You can wrestle with that question but if you're being held hostage and someone is threatening you and saying going to release your data unless you pay to keep US quiet in my mind. Industry best practice. You should never pay that ransom because what is that to stop them from coming back to you in six months and saying hey pay us again we actually still have your data as we're going through and doing the research for the book and you were putting it together any particular things that surprised you any information that you came upon that That really stood out for you as perhaps being different than what you expected it to be absolutely every data-breach dug into had a deep story behind it and my goal is to boil that down and to learn from its to provide these practical tips for today's responders. I think every organization needs to have a data breach response plan so some of the key points that I found our number one. Every crisis is an opportunity and it's important to remember that data breach is a crisis back. When you and I first started geeking out back in the day win someone hacked into a system that was not considered a data breach. The term data breach didn't even come out until later and remember you have to guess when the term data breaches came out but when I first started at MIT and blast or was coming out slammer was coming out all these big viruses. We cleaned him off of people's computers and moved on as soon as we had those backup running and it was only over time that people started to realize. Oh that information could be stolen so we used to have. The national government came out with a response framework. Nist incident response life cycle and that was really helpful back. Then but it's clear that today data breaches touch every aspect of your organization. Every single part of an organization can be touched. When equifax happens when capital one happens whenever any of these major breaches happens in even small businesses. Can't go out of business because of a data breach so we need to start treating them in different ways and that was my big fundamental finding that data breaches need to be moved out of the it department and treated as a crisis and you have to include them. In your crisis management planning systems every crisis has an opportunity to learn to grow and to change that's Sherry David off from G. Security. Her book is data breaches crisis and opportunity and now a word from our sponsor black cloak. Oh come on. It's not like anybody actually needs this anymore. I mean executives and their personal lives doing great. They all have advanced malware detection on all their devices. They're using dual factor authentication everywhere their home. Networks are rock solid secure and they never ever use a weak password as for their families. Little Luke Laya and their significant other their pillars in the cyber security community. Right right. You're right. I was dreaming there from minute. The fact is executives and their families are targets and at home they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars worth of cyber controls Akers have turned their attention to the executives home network devices which have little to no protection. Black Cloak closes this gap and your company's protection with their unique solution. Cybersecurity professionals of black cloak are able to protect your executives and their families from hacking financial loss and private exposure mitigate these risks that could lead to a corporate data breach or reputational. Loss protect your company by protecting your executives to learn more and partner with black cloak visit black cloak. God I oh that's black cloak dot. Io and we thank black cloak for sponsoring our show..