Is this thing on? Oh, it is. I was totally joking. So does everybody have a sheet? I passed around a bunch of sheets, or had my people do that for me. OK. And if not, then there are some up here. Anyway, welcome. So let me ask the audience: is there anybody here who has not actually heard of or doesn't know what ransomware is? Wow, OK. I actually didn't expect anybody to raise their hand on that one. So the definition of ransomware is a form of malware that targets both human and technical weaknesses in an effort to make critical data and/or systems inaccessible. Within the last several years, the most prevalent form of ransomware is a variety which encrypts the victim's files, then demands payment in the form of Bitcoin before the decryption key will be made available. Ransomware is the fastest growing cyber crime. From 2015 to 2016, it's estimated ransomware attacks increased by 450%. In 2017, almost 2,000 cases of ransomware were reported to the FBI's IC3 division, for a total loss of 2.3 million dollars. However, most ransomware cases aren't actually reported, at least not to IC3, so the FBI estimates the actual cost is closer to 1 billion. Factoring in losses due to downtime, approximately $9,000 per hour on average, the fiscal impact of ransomware could be as high as 75 billion annually. And this is looking at just the small to medium-sized businesses within America only. But keep in mind that America is actually the number one country that gets hit with ransomware. Ransomware is a threat to individuals, industry, and government. Several government municipalities have actually been shut down by it. Finished, ready-to-deploy ransomware code can be easily purchased on the dark net for less than $50. Ransomware as a service has become a source of income for cyber criminals. Which brings us to Act 1: a ransomware case study. Names have been altered to protect the guilty.
So now that you know what ransomware is, let's take a closer look at an all too familiar tale: what happens when ransomware strikes the unprepared? Our protagonist. This is our protagonist for the first portion of the story. His name is Malcolm Ware. As you can see, his class is salesperson, his alignment is chaotic, and his experience is 10. For those that didn't get the sheet, here is a more complete one. Mal is just a regular salesman without much in the way of tech savvy. He has average scores in the skill section, ranging from 9 to 12, so for frame of reference, you can probably guess that Mal is a prime target for hackers. However, office politics, like charisma, is basically a dump skill, so you can think of Mal as our bard. So it's a typical Monday morning. Mal walks in, does his usual routine, says hi to his buddies, grabs a cup of coffee, goes over to his desk, sits down, and begins to check his email. And without thinking, he sees an email containing an attachment, so it's time to make a social engineering check. Critical miss. Still on autopilot, he opens the attachment. Has anybody in here seen this screen before? Oh, only at Google. Well, that's good. You don't want to see this in real life. So the ransomware quickly spreads from Mal's workstation to the rest of the company. Business operations soon become crippled as the company has lost access to its critical production data. This is a crucial moment, and how they respond from this moment on could make or break the company. Picture this. All of your data, whether it's your personal communications or photos, your company's client base or inventory, or even your critical medical history records, is now inaccessible. So, in the worst case scenario, back to our story. Without critical data, it's just a matter of time before Mal's company is unable to function. Its client relationships are ruined, and its reputation is damaged beyond repair.
20% of small companies that experience a ransomware attack go out of business. The National Cybersecurity Alliance puts this statistic, the failure rate after an attack, closer to 60%, yet 50% of small and medium businesses believe themselves to be safe. So don't let this happen to you. How did we get here? A retrospective on all the stuff that went wrong and how to fix it from the beginning. Now let's go back to your character sheet. Does everybody have a character sheet? I see some new people showed up. OK. In the next section, you will play the part of the hero. Each of you has been given a pre-generated character with varying skills. As we go through each skill test, I will ask you to refer to your character sheets to determine if you succeed or fail. There are five characters total, much like a typical adventuring party. They have dramatically different skills, but together they form a well-rounded group. Unfortunately, we don't have them work as a group in this. The characters are Malcolm Ware, who you've already met, Irene McDonald, Reggie Istry, Andy Robert-Oyd, and Lynn Knox. Our first test is related to spam filtering, and it requires a systems administration skill check. What technical solution can be implemented to stop incoming emails from senders that have been identified as malicious? Is it, A, use email client-side rules to move messages to the spam or trash folder? B, implement a domain or IP blacklist? Or C, just opt out of the bad guys' mailing list? Those of you who have less than five in your systems admin skill, please raise your hand. Unfortunately, you guys missed your roll. So "just opt out of the bad guys' mailing list" is the wrong answer. The opt-out link at the bottom of emails can often be malicious, just as malicious as any other portion of the message, so don't just click on it.
In addition to possible malware exposure, you may find that the number of suspicious emails actually goes up after you've opted out. This is because the bad guys now know that your email is active and valid. So those of you remaining that have less than 10 in the systems admin skill, please raise your hand. Nobody? So 10 or less? Somebody should have. So that's use client-side rules to move messages to the spam or trash folder. While this is adequate for home users, it is not scalable enough to use at the business level and does not offer administrators centralized control or visibility. Spammers change their addresses frequently, and this limits the effectiveness of locally managed rules. Anyone who has 10 or greater on their systems administration skill check? All right, you guys rolled correctly: implement a domain or IP blacklist. While not perfect, since blacklists are prone to false positives, these solutions can dramatically reduce the volume of malicious emails which reach your users. And phishing is a numbers game, so exposing users to fewer risky messages directly translates to less exposure to malware. As always, defense in depth is a necessity. Did I do something? You can use various tools that will inspect your incoming messages for suspicious URLs, file extension mismatches, and other unusual behaviors. Certain file types such as .exe and .zip are also more likely to be malicious than others. Emails that appear to contain malicious content are placed in quarantine where they cannot harm users. Administrators can release emails from quarantine if they're determined to be legitimate. And one effective way to validate if an email is legitimate, of course, is to contact the sender directly through other means such as phone, text, or instant message. If you've just arrived, come up and pick up a sheet. Our next test is related to phishing awareness and requires a social engineering skill check.
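As an added editorial example (not part of the talk, and not any vendor's filtering product), here is a minimal version of the gateway checks just described: a sender-domain blocklist, a check for risky attachment types, and a check that an attachment's extension agrees with its declared MIME type, with a quarantine-or-deliver decision at the end. The blocklist entries, addresses and sample messages are constructed for illustration; the extension-to-type table is deliberately short.

```python
"""Added example (not from the talk): a toy mail-gateway triage step that
applies a sender-domain blocklist, flags risky attachment types and
extension/MIME-type mismatches, and decides whether to quarantine.
All domains, addresses and messages below are constructed test data."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Assumed, illustrative blocklist of sender domains (not real intelligence).
BLOCKED_DOMAINS = {"bad-invoices.example", "mail-spoof.example"}

# File types the talk singles out as more likely to be malicious.
RISKY_EXTENSIONS = {".exe", ".zip", ".js", ".scr", ".vbs"}

# Extensions whose declared Content-Type should match; a short assumed table.
EXPECTED_TYPE = {
    ".pdf": "application/pdf",
    ".docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    ".txt": "text/plain",
}


def sender_domain(msg):
    """Return the lowercase domain of the From: address ('' if absent)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachment_findings(msg):
    """Yield (filename, reason) for each suspicious attachment part."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Use the last extension so 'invoice.pdf.exe' is judged as .exe.
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            yield name, f"risky file type {ext}"
        declared = part.get_content_type()
        expected = EXPECTED_TYPE.get(ext)
        if expected and declared != expected:
            yield name, f"extension {ext} but declared type {declared}"


def triage(raw: bytes):
    """Return ('quarantine', reasons) or ('deliver', []) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    dom = sender_domain(msg)
    if dom in BLOCKED_DOMAINS:
        reasons.append(f"sender domain {dom} is blocklisted")
    reasons += [f"{n}: {r}" for n, r in attachment_findings(msg)]
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample(from_addr, filename, content_type):
    """Construct a sample message with one attachment (test data, not real mail)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "mal@company.example"
    m["Subject"] = "Invoice attached"
    m.set_content("Please see the attached invoice.")
    maintype, subtype = content_type.split("/", 1)
    m.add_attachment(b"not really a document", maintype=maintype,
                     subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for sample in (
        build_sample("accounts@bad-invoices.example", "invoice.pdf", "application/pdf"),
        build_sample("hr@partner.example", "invoice.pdf.exe", "application/pdf"),
        build_sample("hr@partner.example", "report.pdf", "application/octet-stream"),
        build_sample("hr@partner.example", "notes.txt", "text/plain"),
    ):
        print(triage(sample))
```

The point of the double-extension handling is that a gateway must judge the extension the operating system will actually honour, not the one the user sees; a real deployment would also inspect the attachment's bytes rather than trusting the declared Content-Type at all.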
So how should you prepare your employees to detect and defend against phishing attempts? Is it, A, social engineering test campaigns accompanied by awareness training for employees that fail these tests? B, instruct employees to simply never look at their email inboxes because, you know, many do that anyway? Or C, put a clause in the company's employee handbook reminding users of the dangers of social engineering? If you have less than 10 in social engineering, you have rolled wrong: put a clause in the company's employee handbook reminding users of the dangers of social engineering. Passive efforts to create cybersecurity awareness are totally ineffective. Users have not received satisfactory training and will not have the tools they need to follow company policies, whether they have agreed to those procedures or not. I mean, let's face it, most people are just gonna do what they wanna do anyway, or they're just gonna go on autopilot. Okay, so if you have 10 or greater in social engineering, you've rolled correctly: social engineering test campaigns accompanied by awareness training for employees that fail these tests. There is cybersecurity awareness training for employees. There are companies that actually do this, so you may wanna consider that. Actively engaging employees helps create a culture in which users are invested in the organization's security. Phishing awareness training has been shown to exhibit a significant return on investment, reducing clicks and resulting in fewer security incidents. Wow, it's really loud. Using phishing reporting tools gives users a means to share information back to the organization. 30% of phishing emails are opened by the recipients, not necessarily resulting in clicks or successful attacks. Around 80 to 90% of phishing emails are intended to deliver ransomware. Phishing awareness training reduces the frequency of clicks by as much as 90%. So it's a worthwhile investment.
Typosquatting is another form of social engineering. Typosquatters create a web domain that is close to a real domain, but one character off. When users mistype the real domain, they land on a malicious site and are infected with malware. It's called a drive-by download. Web traffic filtering and anti-malware solutions can help mitigate the threat posed by other forms of social engineering-based attacks. What critical policy issue can significantly limit the effectiveness of anti-malware and antivirus software? This is gonna require a malware skills check. Is it, A, failure to ensure all the computers get vaccinated? B, lack of policies to enforce, protect, and update antivirus applications? Or C, use of multiple antivirus solutions? So if you have less than 10 in the systems admin skill, you've chosen wrong: C, using multiple antivirus solutions. It's true that the active protection features from two or more antivirus applications can conflict with one another. However, using one primary and one "second opinion" solution is a better assurance against the wide variety of threats in today's landscape. Each solution has its own definition set and heuristics, so no single piece of software can catch everything. All right, so if you've gotten 10 or greater in systems admin, wait, no, more than 10, yeah, in the other one, you've got the correct roll: lack of policies to enforce, protect, and update antivirus applications. So in order to be effective, antivirus applications must be installed and have up-to-date definitions. Users may try to disable antivirus software due to computer performance or any number of reasons. Policies should be implemented that prohibit non-administrative users from suspending protection, deferring updates, or uninstalling these applications. Removable media policy. What kind of policy would you implement in order to ensure crypto malware does not get brought into the environment via USB drives or other removable media? A, disable autorun.
B, conduct all external data storage on three-and-a-half-inch floppy disks. Or C, prohibit device installation via user-based policy. Go floppy, floppy. No, sorry. If you have 10 or, wait, if you have less than 10, sorry, not 10 or less, but less than 10, you rolled poorly. This policy seems like it would enhance security, but it doesn't prevent users from manually accessing whatever is on the device. Disabling the autorun feature provides a false sense of security and should be avoided, or at least used in tandem with a more complete solution. So if you have 10 or more in the systems admin skill, you've chosen correctly, or at least your roll has gone well: it's prohibit device installation via user-based policy. Users should be prohibited from accessing removable media such as CDs and USB flash drives, as these are common malware vectors. Removable storage devices are also frequently used in social engineering-based attacks that require physical access to the target computer. As a real quick example, that's one of the ways they suspect the Sony data breach occurred. Administrators have a legitimate need for these devices in many environments and can be excluded. Least privilege principle, a security principle. The next one relates to user provisioning skills. What's the best way to implement the principle of least privilege? Remove all privileges from every user within the organization except management; give desktop and system engineers administrative rights on all computers in the organization; or create privileged accounts for desktop and system engineers which are used when performing administrative functions. Who has less than 10 in this one? It's just like, I don't really wanna raise my hand, but yes. Unfortunately, it was a bad roll. That's the wrong answer: give desktop and system engineers administrative rights on all computers in the organization.
This may seem reasonable, but it actually accomplishes the opposite of least privilege by giving too much access to too many people. Least privilege means giving each user the minimum access he or she requires to perform job responsibilities. All right, so who has less than 15 on this? Well, unfortunately, that's wrong too. Your character has failed that skill test and picked remove all privileges from every user within the organization except management. I have actually worked for a company that's done this. It's a really bad idea. This approach is overly restrictive and will cripple production to an unacceptable degree. Additionally, there is no guarantee that managers have better cybersecurity savvy than the other users. In many cases, quite the opposite is true. So if you have 15 or more, guess what? That's not the right answer. Create privileged accounts for desktop and system engineers which are used when performing administrative functions is the correct answer. This method enhances security by running fewer processes under privileged accounts. Non-admins won't be able to install software, providing some defense against malicious applications. Compromised accounts and malicious insiders are also capable of less damage if their access is limited. Data backups. How many backup copies of your production data should you keep? This is a risk management skill. Is it, A, print a physical copy of every document stored on your network, just in case? B, multiple: daily, periodic, and archival via a combination of physical and cloud-based storage? Or C, one cloud-based backup for everything? And I know some people that would choose the first one, unfortunately. Well, the wrong answer on this is actually use cloud-based backup for everything. Why, do you ask? This solution creates a single point of failure: your cloud backup service. Problems can arise if you do not have access to the service due to an internet outage.
And if your backup platform is synchronized to your computers, any backup files will become encrypted, which is useless to restore from if your system is compromised. So diversification of backups is highly recommended. How many backup copies of production data should you keep? The correct answer is multiple: daily, periodic, and archival via a combination of physical and cloud-based storage. But I think you knew that. Backup media rotations ensure a failure of physical media doesn't render your backups useless. This has happened, where people have gone to get their backup and the physical data has actually become corrupted just because of age or whatever. So it's good to always check on that. Daily backups mitigate the degree of data loss should a catastrophic event occur. Ideally, an organization should lose less than a single day. And restoring from a backup point that was created prior to the ransomware infection could bypass the need to decrypt your data. In other words, you might not have to pay. I've actually done this. I promise you, that works. I got hit, I think when we just started dating, I got hit by ransomware and I just went back to the last backup on that. Backup and restore testing can help discover and remediate problems with backup media and procedures before they're needed. Testing is not a one-and-done procedure. It needs to be performed periodically as well as whenever changes to data or the environment occur. Physical media, sorry. Unfortunately, as we do not have a shrink spell, wait, that's the wrong one. Physical media can fail unexpectedly as well. Familiarizing technicians with the backup procedures can provide a critical edge in terms of time and accuracy when trying to recover after an incident. And unfortunately, despite being a repeatable quest, backup testing is not worth any experience points. This one is an operating systems hardening proficiency and requires a systems administration skill check.
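As an added editorial example (not part of the talk, and not any backup product's code), here is the kind of restore drill the speaker is asking for: record a SHA-256 manifest when the backup is taken, then verify a restored copy against it. The verdict distinguishes an ordinary bad restore (some files missing or corrupt) from the case where every file differs, which is what a backup synchronized from an already-encrypted host looks like. All paths and file contents are constructed in a temporary directory.

```python
"""Added example (not from the talk): write a SHA-256 manifest alongside a
backup, then verify a restore against it.  A restore in which every file's
hash changed is reported separately, since that is the signature of a backup
synced after encryption.  Sample data is constructed in a temp directory."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (chunked so large backups do not load into RAM)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Hash every file under backup_dir and store the manifest beside the data."""
    manifest = {
        str(p.relative_to(backup_dir)): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != "MANIFEST.json"
    }
    (backup_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(restored_dir: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest and return a verdict with details."""
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        p = restored_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupt.append(rel)
    if not missing and not corrupt:
        verdict = "ok"
    elif not missing and len(corrupt) == len(manifest):
        verdict = "all files altered: backup likely taken after encryption"
    else:
        verdict = "restore failed"
    return {"verdict": verdict, "missing": missing, "corrupt": corrupt}


def restore_test() -> dict:
    """End-to-end drill on constructed data: back up, restore, tamper, re-check."""
    root = Path(tempfile.mkdtemp())
    try:
        prod = root / "prod"
        prod.mkdir()
        (prod / "clients.csv").write_bytes(b"acme,2017-01-01\n")
        (prod / "inventory.txt").write_bytes(b"widgets: 40\n")

        backup = root / "backup"
        shutil.copytree(prod, backup)
        manifest = write_manifest(backup)

        # A clean restore must match the manifest exactly.
        good = root / "restore_good"
        shutil.copytree(backup, good)
        clean = verify_restore(good, manifest)

        # Simulate a backup that was synced from an already-encrypted host:
        # every file is replaced by ciphertext-like random bytes.
        bad = root / "restore_bad"
        shutil.copytree(backup, bad)
        for rel in manifest:
            (bad / rel).write_bytes(os.urandom(32))
        encrypted = verify_restore(bad, manifest)

        return {"clean": clean["verdict"], "encrypted": encrypted["verdict"],
                "file_count": len(manifest)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(restore_test())
```

In practice the manifest should be stored somewhere the backup host cannot overwrite (offline media or a write-once bucket), otherwise ransomware that reaches the backup can rewrite the hashes along with the data.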
How frequently should updates and patches be applied? Is it, A, once an update has been validated and tested, it should be introduced to the production environment? B, you guys should actually know this one, the moment an update is released from the vendor, it can be deployed? Or C, Windows Update Service is annoying and should be disabled? Well, it's not "the moment an update is released by the vendor, it can be deployed." While this is common practice in many environments, it is not recommended. Some updates can cause changes which do not work well within the environment, potentially even causing service disruptions, and updates may actually introduce new security vulnerabilities, even if they're addressing existing ones. It's not C, but it is A: once an update has been validated and tested, it should be introduced into the production environment. An update can be deployed in a sandbox or test environment to identify whether it fixes the issues advertised and whether it created any new issues. Running a new set of vulnerability scans and penetration tests post-update is advised. At the very least, have a plan to mitigate update-related issues: rollback, et cetera. Some strains of ransomware... Really? Yeah, okay. Sorry. Some strains of ransomware exploit vulnerabilities in operating systems and applications in order to infect their victims. Installing updates and patches is one of the best ways to mitigate these vulnerabilities. In addition to installing updates, the OS can be hardened by disabling any unnecessary services or applications, and this reduces the attack surface of the system, making it less vulnerable. And unfortunately, as we do not have a shrink spell, this will have to do. Remote Desktop Protocol is one example of a service that should be disabled unless it's critical. And one additional benefit is that running fewer services is more efficient and conserves resources.
In the event crypto malware is discovered on a company asset, what is the first step responders should take in order to reduce additional exposure? This is an incident response skill. Is it, A, immediately make backups of all device files? B, delete the browser history from your infected machine? Or C, disconnect the device from the network and disable all wireless communications if present? How many of you got 20 or less? Well, you're all wrong. We were asking what the first step should be. The first step when it happens is to stay calm. I know I'm guilty of not doing that in at least one instance. So stay calm so that you can address the situation. All right, in the event crypto malware is discovered on a company asset, what is the second step responders should take in order to reduce additional exposure? That's only if you die. Okay, so if your incident response skill is lower than 10, you have rolled poorly, and delete the browser history from your infected machine is the wrong answer. Failure. This response does not offer any benefits, and despite what users might think, it doesn't actually conceal their activities prior to being infected. So I know that some of you have agreements to delete each other's browser history, but it can still be figured out. Ideally, risky websites and suspicious links should be blocked by appropriate measures, eliminating problems, and the need to cover them up, before they occur. In the event, let's see. So the correct answer, no, this is the wrong answer: immediately make backups of all the device's files. Also a bad idea. They're infected. You don't wanna spread that. While this response may at first seem logical, it actually increases the chances of infecting other hosts in the network. It is likely the backup created will already have been encrypted and therefore of no benefit, possibly even overwriting good unencrypted backups, and ideally a backup should have already been created prior to this point.
So the correct one is disconnect the device from the network and disable all wireless communications if present. An infected host presents a danger of infecting all other computers and servers it comes in contact with. Some varieties of modern ransomware can travel over the network and attack remote users. This includes your cloud storage, although services like OneDrive have features to mitigate this. Make sure to disable Wi-Fi, Bluetooth, and NFC in addition to unplugging any Ethernet connections. Incident disclosure. So this one relies on your public relations skills. After a security incident involving ransomware, what is the best approach to take in regard to public disclosure? I can give you lots of examples of what the bad example is. But let's see what this one says. Drink a potion of charisma, then hold a press conference. No, anybody? Anybody? Disavow all knowledge of the incident, assuming you won't possibly get hacked again. Determine the extent of the damage as accurately as possible, then release a carefully crafted statement. Well, disavow knowledge of the incident, assuming you can't possibly get hacked again, is wrong. Here's why. This strategy is predicated on a poor assumption: the potential for a repeated incident of ransomware is high, as cyber criminals will frequently retarget their past victims. Not publicizing incidents can lead to significant risk of damaging the company's reputation and may incur liability. And as of 2017, just so you know, ransomware attacks against healthcare providers are being classified as data breaches. After a, okay, so the correct answer would be determine the extent of damage as accurately as possible, then release a carefully crafted statement. Potions do not solve everything. Re-establishing public confidence and trust in the organization is possible over time if the company can demonstrate it has addressed any security issues.
And by contrast, trying to cover up the incident can be disastrous in the event of a leak, either internal or if the criminals go public. So don't pay that toll. And here's a lovely flow chart that my husband created for us to explain how you might want to go about doing things. I will actually post this on our website later. But I think you get a bit of an idea on how to approach it, maybe. How can I locate a, so don't pay that toll. So how can I locate a decryption key? You've been hit by ransomware, and now you need to decrypt it. Do a search on the particular strain of ransomware you've been infected with. Some examples of ransomware variants you might be familiar with are Locky, CryptoLocker, Cerber, NotPetya, and of course the world famous WannaCry. If available, decryption keys will be posted online. You may be able to reference known good decryption keys through reputable IT forums and/or blog posts. De-incentivize cyber criminal activity. Most information security experts would advise not paying the ransom whenever possible. Per the 2017 Internet Crime Report, paying a ransom emboldens the adversary to target other organizations for profit and provides a lucrative environment for other criminals to become involved. What's the best way to go about paying a ransom, once you've determined it's the appropriate solution? A, acquire the necessary Bitcoin, then follow the hacker's instructions, log on at the specified site, pay the ransom, and obtain the key; or B, contact a third party service, because there are services that will do this for you, and obtain the Bitcoin and obtain the key for a fee; or C, roll 1d20, add your diplomacy skill, then hope for the best. Well, let's not contact that third party, and let me tell you why. Unfortunately, this option presents a significant chance of being re-victimized. This is becoming a little more popular, where Bitcoin brokers will offer services but it's really a scam.
There are legitimate Bitcoin brokers that can expedite the process of obtaining the Bitcoin, but you can always do your own due diligence and research the source. What's the best way to go about paying the ransom? Acquire the necessary Bitcoin, then follow the hacker's instructions, log on at the specified site, pay the ransom, and obtain the key. However, there is a significant chance you will pay the ransom and still lose your data. This is why backup is necessary. Hackers might have been shut down by law enforcement, lost access to the decryption key, or simply never had any intention of providing you the key. An increased number of victims pay the ransom but lose their data anyway. A trend called Ranscam simply deletes the files with no way of getting them back, even upon payment, and hackers only need you to believe that they're going to deliver. They don't actually have to deliver it for you. So in conclusion, important takeaways from the conversation. You have several options available to you to avoid paying the ransom: locate a decryption key online; restore from a backup that was made prior to infection; if the affected file is non-critical, simply accept the loss. Being prepared is the best defense. Here are all of our references for the information today, and here's where you can contact us. Are there any questions? Let's have a round of applause for Yvonne. We have time for maybe one or two questions. Anyone? You mentioned that for your data backups you should have multiple combinations. Is there a recommendation for which are the best backup systems? I totally couldn't hear that, I'm so sorry. What do you recommend for backup systems? Cloud backups, those kinds of things. For backup systems, I would suggest utilizing multiple. And it depends on what you're talking about, for a business or for home. I think she wanted to know if you had any specific recommendations. I think she wanted specific recommendations for remote backups. Remote backup? Huh?
Yes, remote backups. Chris, speak up. Carbonite? Oh yeah, we mentioned OneDrive is also an option. Carbonite? Carbonite and OneDrive? OneDrive. Any other questions? You might have already mentioned this before, I don't know, but what types of businesses and things are most susceptible to ransomware? Is everybody susceptible? Everybody. Everybody. Even people at home or whatever. Doesn't matter. Does the type of site matter, like whether it's just a strictly informational site, just like an online brochure? No, a lot of it's a numbers game. Some of them are just sending out the malware, seeing where they can get a hit, and seeing who's gonna pay up. There is no safe zone. Governments have been hit. I think full cities have been shut down, and that wasn't that long ago; somewhere on the East Coast, entire cities were shut down. Hospitals were shut down in the UK not that long ago; most of Europe got shut down on their hospitals. Everything is susceptible; there is no safe space. Another round of applause, thank you very much. Thank you.