So, hello again, everyone. We are now moving to our interactive open session, and we have just started a webinar focusing on ransomware prevention in the global postal sector, and we have invited an amazing panel of experts in the field of cybersecurity and threat intelligence to discuss and engage with us on this topic. This is very relevant, because the ransomware threat is one that is increasingly affecting our sector as well, not only private people but also businesses everywhere in the world. Therefore, it is very important for us to better understand the threat that we are facing and how we could possibly counter it. So, let me give the floor to the IP to introduce this agenda item and to moderate the panel discussion. So, Tracy, you have now the floor. Thank you.

Thank you, chair, and welcome to everyone who is joining us from wherever you are in the world. In Switzerland it's morning time, so good morning for those in Switzerland and Europe, and for the rest of the world, good day, good afternoon, good evening, good night, wherever you are. Thank you for joining us for today's session on ransomware prevention in the global postal sector. As our chair said, we do have an exciting and very intense session planned for you today. We have several experts lined up that you can see on screen. I'm going to let them introduce themselves at the appropriate time, but just to let you know who they are, I'm going to call them in the order I'm seeing on my screen: John Brown from Team Cymru, Matt Hull from the NCC Group, George Abraham from the Global Anti-Scam Alliance and ScamAdviser, Peter Wiglevin from Zero Networks, and last but not least, because he's actually with me, literally here today, Misha Obrecht from DreamLab Technologies. Welcome all.
So they will introduce themselves shortly in our introductory session, but before we begin, I'm going to ask my director of the UPU Postal Technology Center, Latima Tata, to give us a few minutes to set the context, set the stage about why we're here today and what we're doing here today. So Lati, over to you.

Thank you very much, Tracy. So as Tracy introduced, my name is Latima Tata. I'm the director of the Postal Technology Center, and I just want to speak a little bit about what the postal sector is within the UPU. So maybe for the panelists who might not be familiar with the UPU: we are an intergovernmental organization and our job is, sort of, to oversee the postal sector, the public postal sector, and we are a country-driven member body. So thinking about the public postal sector, most of the time you start thinking of very, very old processes, very paper-based, which is mostly true up to a point. But actually from about 1999 we became highly, highly digital. Why I say this is that you, of course, have the experience of going to your normal post office, not the private sector, so the traditional one. You hand them over a parcel, you get a barcode, and they tell you, go to a website and follow it anywhere in the world. On that point of anywhere in the world, the UPU's network is massive. So if you look at the introductory text about the UPU, we say we are a network of networks covering 192 territories, composed of about 200 plus designated postal operators and with around 700,000 postal access points. So basically you walk into your local post office, you hand over a parcel, you're given a barcode, and it magically appears somewhere in the world to the person that you addressed it to. Now in between that, there are a lot of digital processes that happen other than moving the piece of mail. So as I mentioned, back in 1999 we were focused on track and trace. A lot of messages were sent between the postal operators and exposed to you as a customer. Then we started using this data for accounting processes, and that's from the mid 2000s. An interesting trend now is to use these same data-driven processes for what we call customs clearance processes. Now what that means is two things. The first thing is that in these customs-driven processes, personally identifiable information is digitalized and sent over our networks. That's the first important thing. The second important thing is that now our operational, our physical operational processes are actually driven by decisions on the availability of the data and the quality of the data. So no longer are digital processes a side part of our physical operations; actually they are the deciders of the physical operation. So now this has entered a new critical phase for us, and for that reason I would say .post, its focus on cybersecurity awareness, its focus on cybersecurity protection, is critical to us. So in short, we are very pleased that you made yourselves available to speak to all of us. We are very pleased that we can listen to you panelists and learn from you about how we as a postal sector can protect ourselves from ransomware attacks. Thank you very much.

Thank you very much, Lati, and that was an extremely useful and I'm sure helpful introduction to why we are here today and what we are dealing with. I am absolutely positive the discussion amongst our panelists and attendees will zero in on the issues that the postal sector faces, but as we start we will zero out, or zoom out I should say, for a bit, and we will begin our discussion focused at, I guess, the highest level.
To do that I would like to ask Professor George Abraham from the Global Anti-Scam Alliance and ScamAdviser to give us an introduction to himself first of all, as well as to the concept of scams and online scams, and George also to provide the link between scams and ransomware. So he is going to take sort of a helicopter view and we are going to zoom in from this. I hope that you appreciate this approach that we are taking. George, over to you.

Thank you very much. Just checking, do you see my screen?

Yes, we can.

Thank you. Thank you very much. Thank you very much, Mr. Chairman. As you said, my name is George Abraham. I run both the Global Anti-Scam Alliance, which is a non-profit organization where we bring together law enforcement, governments, telecom operators, postal services, consumer authorities and anybody else who is interested in consumers not getting scammed online, and I run ScamAdviser.com, which is our business-to-consumer brand where we have about 5 million consumers every month checking if a website is legit or might be a scam. Our mission is, as I said, very simple.
We want to help consumers worldwide not get scammed. But maybe taking one step back before I go deeper into this: what are scams? Scams are a weird kind of crime. They are the only crime you can actually fall for, and that makes it special, like extortion scams, because it's something where people feel ashamed; they don't go to the police, and the victim itself is in some way part of the crime. Scams are a difficult area. I mean, where does bad service end and where do scams start? If you go to Trustpilot or Sitejabber or other review sites, very remarkably their scores for Apple and ASOS are terrible, but we all, I think, agree that these are not scams. How we define scams, apart from the formal definition, is that there is a huge gap between what's being promised and what's being delivered, and when that gap becomes too large then it becomes a scam. So it's not black and white; there's a twilight zone. What we nowadays see is that what started with malware went to online phishing, now online scams. They're all related, just as extortion scams and extortion online are very related to online scams, but we do see that scams are hit more and more by scams which are not necessarily malware or phishing. There are hundreds of different definitions of scams and also types, going from products not being delivered to investment scams to, of course, ransomware and extortion scams, sometimes real and sometimes fake. And yes, of course, sometimes the victim could have known better. If you buy a verified PayPal account, or you try to buy a weapon online or a driver's license, or you want somebody to write your thesis for you, it might not be a surprise that you do not get the service or product delivered and you get scammed. You will not very likely go to the police to complain about it. Some scams are too incredible to believe, but they do work. Recently there was a Japanese lady who paid an astronaut 35.000 euros. The scammer claimed to be an astronaut stuck in space and he needed money to return to Earth, and of course he also promised to marry her.

So maybe taking one step back, how big are online scams at the moment? What we do every year is we research 48 different countries and try to determine how much money is being lost, how many people are being scammed, and what our governments and organizations are actually doing to protect their consumers better. And no surprise, we see a very sharp rise. Last year we estimated about 55.000.000 euros being lost in scams, reported by over 300.000.000 people. However, as a result we see that already online scams are either the first most or second most reported crime in most countries. In the UK, 41% of all crime now reported to law enforcement is related to online fraud; in Singapore this figure is even 50%. So this is only the tip of the iceberg, because we see that as a global average only 7% of all scams and extortions are actually reported to law enforcement by consumers.

Zooming in on business-to-business scams, because this seminar is of course about business-to-business scams and especially extortion, we see that companies often focus on what we call the hardcore cybercrime, the hacking, the DDoS attacks, but they often leave the door open when they regard their own employees and users. We see a lot of B2B scams, we see a lot of compromised employees and of course phishing, and I think there should be much more attention to the entire threat landscape and not only to hacking and DDoS attacks. Some B2B scams are obvious and rather innocent. They still exist, where you can pay a huge amount of money to get your face on a non-existing magazine, or a magazine which might exist but nobody reads. We also see that more and more scams are coming up around fake orders. This website was actually set up by a scammer to convince an office supplier to deliver office equipment. The office equipment was immediately resold on the marketplaces, and well, the office equipment seller was thinking that he was doing business with a company; actually the address was fake.
The company exists, is registered, but the address where to deliver was fake. We see the same with wholesale, especially on Alibaba. Scammers are trying to attract companies to buy not on Alibaba; they use it as an advertising platform where you can buy materials, then they take the conversation online on fake websites and hope to get an order, especially for raw materials and intermediate products. Same with airline companies; there are massive amounts of fake transport companies now around. Some of these scams are very professional. We see, for example, the website which really looks very legit, but only after researching: hey, you claim to be 25 years old, but why is your website only 2 years old? And we didn't get any reply. We did some further research; we had serious doubts about this company. And then of course extortion scams, and you have the real ones and the fake ones, and you would be amazed how many companies are e-mailed every day with e-mails saying, hey, we've been hacked, our data is encrypted, while it's actually not the case; it's just trying to get money. And finally we see also a lot of recruitment scams, especially targeting cybersecurity professionals within the company, with malware. So they get an invitation on LinkedIn saying that they have a job offer, they click on the PDF with the vacancy, and actually that then includes the malware. And of course cybersecurity experts within the company have a huge amount of access to all kinds of systems and are very interesting targets for cybercriminals. And what we now see actually is that phishing is one of the most used methods to get in with ransomware into a company, but there is an interesting development, and that's the unknown: we more and more do not know where, how the attacker is getting into the company to compromise the systems. That might be an interesting part for a bit later on, where I would like to emphasize or address especially attention to what is the risk of your own employees. Your own employees are both consumer and employee, and we do see that more and more companies are being hurt, not intentionally, by their employees, but because their employees are being scammed and as a result they bring in malware. They become a liability because they have invested in an investment scam, lost all their money, and are a potential liability to the company. We see it also with romance scams and especially with sextortion that the goal is not to get money from the employee; the goal is to get data or access to the company. So we do think it's very important that you not only protect your own systems but especially your employees, not only from malware, not only from phishing, but also from other scams targeting your employees.

I'm running out of time, but I would like to quickly round up with what we can do together. So what we do see is that scammers are winning at the moment. The market is growing very quickly and the chances of getting caught are very, very slim. According to the World Economic Forum, at the moment only 0.05% of all cybercrimes are being prosecuted. So how can we turn the tide? Often we say awareness, awareness, awareness, but awareness is not resulting in a decrease of victimization. Why? Because the scam victim has received awareness training, has become more confident online, and people as a result are becoming overconfident and are still being scammed or being misused or defrauded by cybercriminals. What can we do together?
I think the role of the Global Anti-Scam Alliance and ScamAdviser is to bring together as many stakeholders as possible to share knowledge around scams in our working groups and our summits, but also to really share data. So there are three things we can do together. One is, please feel free to use our data. We offer API access, we offer our data feed, to protect your employees and your users. Please also share domain names which are clearly misusing your brand or are scams with us; we are very happy to share it with all our data users, which are antivirus companies, security companies, search engines and social media, to warn consumers that this website is a scam. And finally we offer a tool which might help also your users and consumers. It's called Check My Lean. It's a white-label version of ScamAdviser in ten countries, no, I should say 15 countries, where people can go to a website, which can be in your own look and feel, and people can check if a website is legit or a possible scam and draw their own conclusions. And with that I would like to conclude and give back the floor to the chairman. Thank you very much for having me.

Thank you very much, George, appreciate that, and I think this was an excellent introduction to the overall topic of scams and how we within the postal sector can potentially be affected by the overall scourge of scams, online scams, and potentially this is where malware, as you indicated, can create incursions into our networks. I think that's very important, because as we go through this discussion it's important to understand that when it comes around to ransomware prevention it is not strictly a technical topic, but really is an issue of how does it get into our networks, our environments, and increasingly we have found that it's no longer using things like RDP; it's primarily through methods that you mentioned, scams and phishing and so on. George, if you don't mind, you can stop sharing your screen and I can now ask colleagues, and of course I do appreciate you keeping to the original time of 5 to 7 minutes per presenter.

We're going to move on to something focused on ransomware specifically now, with an introduction to and overview of the topic of ransomware. For this I'm going to invite Matt Hull, who's the Global Head of Cyber Threat Intelligence at the NCC Group, to introduce himself and to provide us with some insight into what exactly ransomware is and some figures that he may have to share with us. Matt, over to you.

Yes, thank you very much. Just checking you can hear me and you can see my screen?

Yes, we can hear you and we can see the screen.

Thank you very much. Intro is partly done, so my name is Matt Hull. I'm the Global Head of Cyber Threat Intelligence at NCC Group. NCC Group are a global cybersecurity company and we provide services across multiple sectors and multiple regions, focusing on penetration testing, traditional assurance, incident response and managed detection capabilities, as well as cyber threat intelligence. So just for my slot this morning I'm going to be giving you a bit of an overview about what ransomware is, and it's one of those topics that is on everybody's lips. Whether you are working in technical environments, whether you're defending against these types of threats or whether you're just reading the newspaper, there is something in the news every single day about a new ransomware incident, and it's affecting everyone, every organisation around the globe. It's affecting all types of organisations, no matter which sector or region you're operating in, and more specifically for the focus of today's discussion, it is impacting organisations that work within postal services as well.

But what is ransomware and where does it come from? So, believe it or not, it's been around for quite some time. Back in the late 80s we saw the first use of ransomware, albeit it wasn't online; it was actually deployed using floppy disks, but it was used anyway and it presented a demand on someone's screen. So what ransomware has historically done, or typically focused on, is encrypting data, so denying access of the user to their data, and then a demand is made as per traditional ransom type activity. So denying that access, demanding a payment to recover access to that data. And over the years the ransomware capabilities have improved; they've increased in terms of their sophistication. In the early 90s up to 2010 there was a focus on mass targeting of organisations using online-delivered ransomware, so malicious software that was essentially deployed through phishing links, so again going back to that concept of using social engineering, but also contained within files within emails as well, so being delivered through what looks like a legitimate email or a legitimate file to simple organisations. As the capabilities increased, as the attacks became more sophisticated, different types of ransomware were introduced, so focusing on locking down entire environments as opposed to purely focusing on individual data sets. And of course with the introduction of cryptocurrencies this became a lot easier for organised criminal groups to actually deliver their ransomware capability, but also to make demands, and make demands using crypto, which of course makes it much harder to track down where that money is going and who is responsible for those attacks. As attacks evolved further we saw big, big impacting attacks such as the WannaCry incident back in 2017. I guess that's the one that's on everyone's lips as the big ransomware incident in our sort of living memory anyway, and that affected organisations around the globe because that became a wormable piece of malware, so it was actually able to spread through an organisation's environment, and that took advantage of a very, very widely prolific vulnerability within organisations through a Microsoft vulnerability. As I guess things have moved on, we've moved into a period now where ransomware is kind of at the pinnacle of its use and its reach, the concept of big game hunting, so less a case of targeting everyone and anyone, but actually zooming in on those organisations that are more likely to pay big ransomware demands. We've seen the evolution from purely encryption of data to the actual exfiltration of data as well, through this process called double extortion. So ransomware operators are now encrypting data but also stealing it, so there's the initial demand to get access back to their data that's been encrypted, but also it's now being leaked and it's being made publicly available on so-called leak sites, and that of course has a massive impact for organisations when it comes to regulatory fines, so personally identifiable information has been breached, has been leaked, but also reputational damage as well, so customers of organisations are having their personal information potentially leaked onto the internet. And what makes it even more prevalent at the minute as well is that ransomware is very much as a service, so anybody can, through a dark web forum or marketplace, access ransomware capabilities and deploy your own attacks relatively cheaply and at scale as well.

In terms of just looking at some of the numbers, because we track this stuff within my team at NCC Group, what we can see here is the number of double extortion victims in the last three years. While everything is a little bit up and down between 2021 and 2022, what we actually saw was a decrease in ransomware double extortion victims last year by about 5%, but scary reading for this year so far: we can see that the numbers are well off the scale and they're far higher than what we've seen in recent years. One of the main reasons for that big jump in March is actually there's a ransomware operator called CLOP, and they have taken advantage of a widely used piece of software that had a vulnerability within it, and that has resulted in mass exploitation there through that mechanism, through the GoAnywhere exploit. In terms of targeted sectors that we saw, this is 2022 data, so heavy focus on the industrial sector, and what this includes is things like manufacturing, processing, but also construction and those sorts of industries as well. Consumer cyclicals, this is high-end retail and hospitality type stuff. Technology does what it says on the tin, but then also healthcare and basic materials and academia and education. Postal, in terms of what this is looking at, sits within the industrial sector, because actually a lot of that processing of information sits within those sorts of manufacturing and IoT type environments. So that's a bit of a whistle-stop tour on where ransomware has come from or where it's heading to, and obviously happy to take some questions a little bit later on. But if you do want to get any more information about these threats, then we publish this data for free through something called our Threat Pulse. I've got a link there for you, so if anyone does want to keep tabs on these sorts of statistics as they develop over time, then they're available through that publication. So thank you very much, looking forward to speaking to everyone later.

Thank you very much, Matt. Those were, I have to say, very startling figures that you presented, but on a more positive note I do appreciate the very clear explanation of what ransomware is and the historical overview, which I think not many people would be aware of, that it started in the 80s, so I myself was challenged by that bit of history. So as Matt said, we will be discussing this further and Matt will be available in the discussion that we have just after these introductory presentations, so please feel free to pose your questions in the Q&A box. As you're seeing, some questions are going in there and we will try and answer as we see fit, and maybe our panelists can also answer if any questions come to them in the Q&A box; the chat we can use for comments as far as possible. Next up we do have sort of a deeper dive into this ransomware discussion, and we are asking our colleague Misha Obrecht from DreamLab Technologies to take us into this landscape, this ransomware threat landscape, and to help us understand exactly what we are talking about in terms of what we are facing and what is the real nature of this threat. Misha, over to you.

Yes, thank you very much. Hello everybody, and thank you for having me. You should be able to see my screen, is that the case? OK, then let's full-screen this. Alright, my name is Misha and I am here for DreamLab. I like understanding things and researching them and then talking about them. Today we are talking about the ransomware threat landscape. We already heard some words about what ransomware actually is, and I just like to point out two ways in which ransomware operators are getting more and more creative these days. We heard about classical ransomware, which is just encrypting data, and then double extortion for not publishing data. It goes further: there is a triple extortion tactic on the rise, which means that operators or criminals start to exploit relationships between the primary victims and then customers or business relationships of the victims to third parties. And it goes in the other direction as well, which is just simple extortion without encryption, so at some point the ransomware operators figured out that it's actually not always necessary to threaten to publish the data that they stole. Criminals are inventive and creative. When we want to understand the threat landscape we should spend a little time on how ransomware actually gets into an organisation, and it's more or less this process here. There's always this phase of initial access, so one has to get the foot in the door of an organisation, and then it is about looking around, moving laterally inside a network, inside an organisation, stealing data and finally, sometimes at least, encrypting data. One example for reconnaissance here that we recently saw in the wild is that the criminals actually looked for insurance policies in mailboxes of the victims and then adjusted the ransom demands to the amount that is covered by the insurance policy. So the initial amount that they demanded very well matched the insurance policy or the insurance money that was covered by the policy.

The ransomware threat landscape is industrialising. What I mean by that is there is increasing automation happening; there are things like Shodan and databases and tools that help criminals automate their activities, and there is specialisation and division of labour happening. So what we typically see is that there are groups that specialise on getting initial access to organisations and then brokering this initial access to other groups who specialise on actually installing ransomware, supporting defences, stealing data and extorting money. Let's talk about initial access for a second. We already heard a lot about how phishing and the use of stolen credentials, and actually the human element, is a common denominator in the initial access phase. About 80% of breaches somehow involve a human element; the remaining 20% are more or less services that are published into the open internet that get compromised and then used as a backdoor. Here are some examples of how this could look, or some more food for thought. Talking about phishing, people start using large language models such as GPT to write phishing mail, so that means we are likely going to see an increase in sophistication in phishing mail. Another way to gain initial access involving the human element is to simply buy an employee or buy access to an organisation. This is an example of a group called Lapsus$ offering a reward for somebody giving them access to an organisation. Here we have an example of an access broker selling access to an organisation on a Russian underground forum. And this finally is an example of the Swiss National Centre for Cyber Security reminding critical infrastructure operators to close gaping vulnerabilities in their systems. So this is also a thing: sometimes systems remain in the open internet for a long, long time without having weaknesses getting fixed. One more thing on this note about exposed systems. I actually didn't try to look for the Universal Postal Union, but I stumbled upon it by accident by looking at the data set that we own at DreamLab. I just looked at systems that two years ago had suffered two quite catastrophic vulnerabilities. There are ways to find these; it's easy. And the point here is, just by looking at the data set and looking for these systems that may be vulnerable, the Universal Postal Union came up in the top five organisations in Switzerland that run these kinds of systems. I'm not saying these systems are vulnerable right now. I'm saying these are easy-to-find potential entry doors; once you know what you're looking for, they are very easy to find. It took me about five minutes to find these systems here.

Moving on to the second part, of actually monetising the attack and the extortion tactics. There was a group named Conti which was a mixture of Russian and Ukrainian citizens. When the Russian and Ukrainian conflict started, this group dissolved because of issues they had inside their organisation, and somebody actually leaked a lot of internal information, which was a treasure trove to analyse and understand how these groups work.
What we learned is that ransomware groups they basically operate like businesses there is a human resources department there is a hierarchy there are different roles like programmers, testers different specializations who all have their different roles in the organization what happens if you do get compromised this is results from two reports by Sophos about half of ransomware victims managed to get their data back from backups and the other half about a quarter they pay the ransom and another quarter of these other half some completely lose their data and some find some other means to get their data back sometimes there are free decryption tools available but this is actually decreasing this gray slice here so I wouldn't count on a free tool being available to decrypt your data so can you recover your data it depends if you have regular offline backups then you should be fine sometimes there are decryption tools if you pay there is no guarantee that you will actually get your data back also in the same reported states that only about 65% of victims who do pay actually get their data back so that's something to keep in mind one final word this is an extrapolation to the year 2032 everybody who knows the statistics knows that you shouldn't trust extrapolation so far in the future but even if only 10% of this is true we are looking at a massive increase in ransomware damages worldwide in the next 10 years and with that back to you Mr. 
Chairman: Thank you very much. Wow, thank you, Misha, for the very startling information presented there. I was particularly intrigued by that slide you showed regarding the new ways that this is being perpetrated, and obviously I think there is going to be a potential risk of this increasing, as you say, exponentially over the next several years, which we will have to be very, very wary and very careful about. So with that in mind, we've been given some very, very bad news, some scary figures, some data, but maybe my colleague John, John Brown from Team Cymru, would be able to give us some positive information as to how we can prevent ransomware with some best practices. So John, maybe I can hand over to you, with your experience, to introduce yourself and to let us have a sense of how we can prevent ransomware. Go ahead, John.

Thank you. Great, can everybody see my slides okay and hear me?

Yes, we can.

Awesome. Good morning, good afternoon, good evening. Thank you, Mr. Chairman, for having us today and putting on this important conference. I just have a few slides to discuss some things about ransomware prevention and some best practices, things that organizations should be doing. There are a couple of slides I'll just pop through very quickly here. These are non-classified slides; in the security world we call that traffic light protocol, just so you're clear. Briefly about me: I am a CISSP. I'm also a commercial multi-engine airplane pilot. I've been doing internet things for 35-plus years, et cetera; I won't belabor all of that, but there are some interesting crossovers between commercial aviation and good practices in the cybersecurity world, which I'll hint at a little bit in our presentation. I work for Team Cymru as a security evangelist. We'll talk a little bit more about some things that we might have that could help down the road, but I don't really want this to be a sales presentation, so there's a slide about that, but let's go into more best practices. In my mind, it's really not about if you're going to get ransomware, it's
really more about when you're going to get hit with ransomware. As our colleagues before have presented and shown, ransomware is on the rise. It's becoming more automated, more industrialized. The tools to find vulnerabilities and paths into an organization are getting easier, and there are a lot of organizations and a lot of verticals out there that are low-hanging fruit: those are organizations that haven't thought so much about the fact that they're going to be a ransomware victim. Who wants to ransomware, I mean, I don't want to be overly simplistic here, stamps on a postcard? But really there's a huge infrastructure behind the ability to run our global industrial environment, and that's real money and that's real commerce, and there is a very large target there that says there's a potential for payout. The thing we have to keep in mind about the threat actors out there is that the risk-reward factor is very much in their favor: the risk of getting caught is very low, the reward is very high, and so we have to keep that in balance. So it's not a matter of if but when, and so there are some things that we need to do organizationally that are critical for that. We need to have offline backups, and I don't mean just that you backed up your data and put it on a different drive or stored it on a network-attached storage unit that's still connected to the network, right?
I'm talking about physically putting a backup that literally goes off site, backed up in a different location, not connected to your network. You need to have that physical air-gap separation. You need to test your backups; you need to make sure that your backups actually do work. I've been doing this thing long enough that I can remember back in the days when we used to do tape backups, and a person would put a tape in a tape drive and they'd back up to it every day, and then sometime later they would want to try to restore their backup but they couldn't, because the actual magnetic material on the tape had worn down because they never physically changed the tape. So you need to test your backups. You really want to make sure you have golden copies of your installs, right? So when you are in the middle of a situation, you want to have a known set of CDs, thumb drives, whatever the install mechanism is for your operating system and the applications that are critical. You have a known set that works, that's up to date, and is not physically connected to the network and cannot be infected, right? You want to know that you can quickly restore those servers from a low-level perspective, from bare metal. Speaking of backing up and bare metal: we still have supply chain issues. If your threat actor has done enough damage to your infrastructure, you may not want to use the same server that was attacked, and maybe you can't use the same server because it's now involved in a criminal investigation or some other investigation, because it's evidence of what's going on. So that server can't come back up, so you need to have a separate piece of equipment to be able to put back into play. So have a cold spare, something in your inventory that allows you to bring those servers physically back online and rebuild infrastructure. I remember many years ago banks used to actually go to cold spare sites, where they would have another IBM 360 or similar sitting over in a cold storage location, and
that company would provide the ability to allow the bank to disaster-recover, fail over to that cold storage site and start bringing up their systems if their mainframe had failed. So you might want to look at that practice in the modern world today. But most important, have a written, updated plan that's been tested. Have a plan A and then have a plan B. As a commercial pilot, we always have a plan B; we always know where we're going to divert to on a mechanical failure, and we're constantly updating that as our trip progresses, and that's something we need to do in the prevention of ransomware and in how to help mitigate it. Let's look at some vectors of how people get infected, if you will. You need to do regular scanning of your network assets. You need to know what your network assets are. You need to know what laptops and desktops, and more importantly nowadays, you need to know what Internet of Things, or IoT, devices are connected to your network. Keep in mind that for that small card reader that is doing credit card processing, there's only so much hardware, there's only so much money they're going to spend building that device, so they're not spending a lot of money building super strong security into it. And that device that's now connected to an Ethernet jack, does that device have a vulnerability in it that could be compromised, that now could be leveraged because your internal IT policies allow traffic from an internal address? So could that scanner, could that device be something that is used to attack your network? I think that it can. There are certainly some interesting case studies out there that show that very large organizations have been hit because something on the inside was compromised in a way that people didn't think about. So maintain an inventory. Basically, if it connects to the network, scan it, inventory it, know what version of software you're running on it, know what the MAC addresses are of that device. Patch and test your devices regularly. Filter traffic that has no business being
on your network: filter out ports 137 through 139 and port 445. Make sure RDP is not available from the public internet, and probably not even available from inside the network; is there a reason that you need to use Remote Desktop? You need to have a tested plan A and a tested plan B. You need to train staff, but we have to be careful about training staff, because if you over-train, you desensitize that staff. They become sort of, "yeah, yeah, we've heard this before, it's yet another internal phishing test, I'll click on it anyway, I'll get my little point that says I went through the training," but wait a minute, that wasn't actually a training phish, that was a real phish. So make sure that you balance your training and that you don't desensitize your staff. Train your staff to look for key indicators. Train staff to not react to an urgent message, but to have them stop, evaluate, confirm what they think it is, and then take an action. I mean, we see business email compromises where somebody will pretend to be the CEO and send an email that says, "hey, I'm on site, I'm trying to do this deal, I really urgently need you to wire $250,000 to me, we can get this really great deal done," and so forth, "we need you to move fast, come on, let's go, go, go," and people have a tendency to not stop and think: that looks like the CEO's email, he has enough information, and yeah, I need to get this done because I've got a million other things I've got to do. Come back to the point that one of our other presenters made, which is that cybercrime today is a business. They treat it as a business, right? They get up in the morning, they're figuring out what their revenue is and what their losses are, all of those things, just like we do. The difference is what they are doing is harmful and what we're doing is not harmful. So they are going to figure out how to get information to pretend to be that CEO, that vice president of sales, or whomever, to cause you to act or react quickly. So stop, evaluate, think, confirm, and act. Leverage things like
DMARC and DNSSEC to help protect your domain and email systems. Make sure that when somebody receives an email from you, that is in fact an email and a domain that has validity behind it, that is harder to spoof, harder to fake, and folks know what's going on there. Again, you'll hear me say this: have a plan B. Innovation is a great way to help prevent and set trust within your community and constituency. Be alert. Look at the threat intelligence. Look at what's happening on your network. Many times a threat actor is going to do a recon of your network and try to figure out vulnerabilities. Maybe they're doing a direct recon of your network, or they're using something like Shodan, or they're using one of the other tools to find what's out there and what's vulnerable. So pay attention and be alert to what's going on in your network. Look at what is a normal pattern of life for your network. Monitor your system logs. Use automation when you can to help raise and flag up things that are outside of a pattern of life. When I ran an internet service provider business, every morning I'd get up and look at my network monitoring graphs. Whether my network overnight was running well or not, just by 10 seconds of looking at the graphs I could tell whether the pattern of life had changed or not, and I had a sense of what was happening. Have a plan. You can have all the best technology in the world, but if you don't have a written, tested plan, you won't know what to do when ransomware strikes. So let's use an analogy for a second. You're flying along in an Airbus A350, and all of a sudden you have an engine failure. The flight crew pulls out a quick response card, and when they pull that quick response card out, it tells them exactly what to do to deal with that engine failure, as a checklist. And the reason we have that checklist is because we humans, when we're under stress, we tunnel-vision; our view of the world gets shorter and shorter depending on stress, and we're focused. By having a checklist we ensure
that the flight crew knows what steps need to be taken to help solve the problem of that engine failure and thus keep the airplane up in the air. Well, that works really well for aviation; why wouldn't we want to do that in running our IT organization? So have an incident response plan. Have a plan that documents what you're going to do. Test your plan. Senior management needs to be involved in this plan, not just in the development of it but in the sign-off on it and the support in executing it. Does your plan identify key critical stakeholders? Is it IT? Is legal there, from a regulatory perspective, from a contracts perspective, from a risk management perspective? Are your legal folks at the table to discuss this plan? What about your customer support? If you've had a ransomware attack and your customers are going to be calling in, do you have a plan, and does your customer support organization know what to do and what to say? What about sales? What about marketing folks? What is the message that you're going to put out on social media? Who is the leader of this plan? In many cases the leader of this plan may not be a chief or senior executive; it may be somebody else who is more actively involved in execution of the plan. Make sure that the person who is executing the plan is also not the person that has to communicate to everybody about the plan, because their job should be executing the plan; somebody needs to take point. You need to have these people at the table when you're putting together a plan. That's, in summary, some things that you should look at doing from a risk management or ransomware mitigation, management or prevention perspective: build a plan, understand what in your organization is vulnerable, have an inventory of those vulnerabilities, and make sure you stay on top of the devices and the things and the firmware, et cetera, in your network, and then know how your network runs, what's going on in your network, what's going on in your business, what you're going to do to be creative, what to do to make it
more difficult. With that, I yield back to you. Thank you very much.

I hope it doesn't ... my age, I worked in government ... automated compliance measures for our .post domain holders to ensure that their e-mail support is compliant with our security policy. So with .post, I would want to ensure that our members, and those who have not yet got a .post domain, do reach out to us, because I think that's one arrow in ... that there's a lot of stories, there's a lot of data, but there's one person on this panel who actually is going to let us take a look into an actual ransomware incident ... We have Peter from Zero Networks, who is going to share with us a brief case study on this particular victim, and of course with all confidence in place ... as we go forward in our session today. So, Peter, over to you.

Thank you. Fantastic. Thanks a lot, thanks a lot for having me. So my name is Peter, and I work for a company called Zero Networks, which I recently joined, somewhat recently. Before that, I worked for Microsoft for about 15 years, and I've always been active in the security space. So Zero Networks is a company that specializes in microsegmentation; I'll explain a little bit about that further on in this conversation, but like you mentioned, first we're going to talk about a case study.
Now, before I go there, I think a couple of things have been explained by the previous presenters already. Attackers are winning. One of the reasons that attackers are winning is because networks are open, so it's fairly easy for attackers to move laterally. According to dataprod.net, which is a website anyone can visit, last year there was a ransomware attack every 11 seconds; the year before, it was every 40 seconds. And how do attackers get in? I think we've heard it as well from the previous presenters: either through phishing, malicious websites, or sometimes you have specific services exposed to the internet. The previous presenter also talked about RDP and whether you should have that at all. In my latest job at Microsoft, I was actually on the RDS team that invented RDP, so that hurt a little bit, but I'll manage. So I'm going to share a story about something which is called Update Your Flash Player. This story goes back to late 2017, and it's about a large financial organization somewhere in Europe. An IT admin came back from lunch and got back to work. But instead of the regular desktop image that this person normally had set, all of a sudden something else was showing, which was a bit of a disturbing message. Now, without reading all of it, this basically says: all your files have been encrypted. Visit our web service using this Tor link, and after payment you'll receive a password in order to decrypt; enter your password here. Now, this piece of ransomware is called Bad Rabbit, and initially it targeted Russian, Ukrainian, Turkish and German users, but just like viruses in the real world, it's very hard to contain them within country borders. They can just spread anywhere. Now, in this case, the way it works, because there are various ways in which ransomware can hit an organization, is by spreading a fake Adobe Flash installer that the victims installed themselves. And it looks something like this.
So, important to know is that this user, who was now confronted with this ransomware message, didn't install this Adobe Flash Player that you can see on the slide. And as you may notice, this is not a real Flash Player update. You can even tell by the URL, but for the untrained eye it's fairly easy to mistake this for something legit, and we've all got the instructions: make sure you run the latest software, update everything. So here someone was thinking they did a good job, not realizing it was actually malware that they were bringing into the organization. So one of the key takeaways is there will always be a patient zero. There will always be a device that's compromised. No matter how much training you throw at a user, there's always someone who wants that free iPad or free iPhone and clicks the link, and something funky happens. Now, let's take a closer look at what happened in this case. There are multiple ways to illustrate what happened. My favorite way is to plot something on top of the MITRE ATT&CK framework. For those of you unfamiliar with this framework, it's a matrix that contains a set of techniques that are used by adversaries to accomplish a specific objective. Now, it's a large framework and I just shrunk it down a little; otherwise it would be too much information on the slide. Here you can see, let's say, categories. So there's always an initial access needed; typically there's credential theft; very likely, in order to spread ransomware or malware in general, you have to do lateral movement; and you also want to make sure that you persist, so if machines are rebooted, you want to make sure that your malware remains active. And then on the far right side, you can see there is a specific impact. Now, in this case, what happened, and we knew this already by looking at the Flash update, is that this turned out to be phishing. So the attacker posed as a legitimate source.
This could be, like this time, phishing, but it could also be RDP brute force, weak application settings, or many more. It's just a distilled version of the framework. Now, once this attacker came in using phishing, what happened next is that they were using a tool called Mimikatz. An important thing to know is that Mimikatz is a publicly available tool. You could even discuss whether this is malware or not; according to my definition, it's not. But what it allows you to do is many things, and it also allows you to just steal credentials. And if you're lucky, you may even get a token from someone who logged on to a machine before, which allows you to elevate privileges. So imagine if someone got remote assistance, or maybe the help desk, someone with more privileges, logged on: you can actually steal that token and level up. All right, so you have initial access, you've managed to steal credentials. What do you do next? You want to move laterally, to move to other machines. And in this example, what the attacker did is they used PsExec, which again is a free tool. It's not malware. It's part of Sysinternals, which was acquired by Microsoft a couple of years ago. And it allows you to just execute on remote devices or remote Windows PCs. So that was used to spread across the network. And then afterwards, you want to make sure that you persist. In this case they were using scheduled tasks. And one thing to note here is that none of this is super complex. Using scheduled tasks is just a Windows feature. PsExec, free tool; Mimikatz, free tool. You could argue that maybe for the phishing there's some development and effort needed, but everything else is fairly simple. Now afterwards, obviously, the data encryption took place, and then you're confronted with the question: should you pay or not? This was already mentioned or discussed by a previous presenter, but even if you pay, it doesn't mean that all of your troubles are over.
First of all, you support the business of ransomware, which obviously is less than ideal. There's always a chance of not getting the decryption keys. You don't know; typically you do get them, but it's not a very trustworthy person that you're negotiating with. And then you also don't know if more backdoors have been installed. So even if you get the decryption key, who knows, two weeks later everything could be encrypted again; you never know. And then even if you get the decryption key, there's a lot of manual labor involved. It's not like a light switch you turn on and everything is decrypted. Typically it means there's work involved. Now, not paying also introduces risk. It typically means you have to rebuild and restore all or part of your environment, which typically means your business cannot operate at full capacity, or at half, or even less. And, something also discussed by previous presenters, attackers now decide more and more to publish sensitive information to the general public. So all of a sudden you're being extorted. Regardless of what you do, you have to get your security up to higher standards, which may require new hardware and software and for sure will be time-consuming. Now, the previous presenter did a really good job of explaining the best practices. And I liked the analogy about flying a plane and making sure that you have a card ready with steps to take, because if stress is high, humans tend to do silly things. So think about it in advance. And there's a lot of, let's say, run-of-the-mill advice, right? Never click on unsafe links. Keep software up to date. Don't expose vulnerable systems to the internet. Use a good EDR system, et cetera. There's one thing I'd like to add, because I think we should pay more attention to prevention instead of detection. There is an industry trend going towards more detection, more alerts, and also more noise, in which we sometimes drown. But instead, I think we should add more on prevention.
And that's where all of a sudden you come into my world, which is preventing lateral movement using segmentation. I'll explain what that means. If we go back in time, well, actually maybe not so much, because some companies are still organized like this: they have their intranet, where everything's trusted, and then the evil internet. Now, if one asset is compromised, this is how an attacker feels. They can just roam around freely. They can just move laterally without any issues. As a result, what a lot of organizations did is they started to segment, which is good. It means you segment specific floors or departments or groups to kind of limit the blast radius and confine lateral movement to a specific contained area. But it's far from perfect, because even though customers and organizations started to do this, we could still see ransomware on the rise. So then came along the promise of microsegmentation, and it's the holy grail. It is wrapping a firewall around every asset you have, which could be Windows, could be Linux, could be Mac, could be IoT. This industry started about seven or eight years ago, but still we see it not being the industry standard. So even though it's a fantastic promise, it doesn't live up to its promises. And there are a couple of reasons why that is, and I'll recommend, if you ever look at a microsegmentation solution, choose something that scales. There are a couple of reasons today why those solutions, or some of the solutions out there, do not scale. The primary reason is that if you use a microsegmentation solution, you still have to define that this server can access that server over this port and this protocol. And before you know it, you'll be in the business of just managing network rules. You need an army of network engineers to manage and maintain and configure those. Another thing to look out for is unnecessary agents. Agents can introduce performance, security, or stability issues.
Also make sure you have something you can just deploy quickly, with as little maintenance as possible, and also, building on top of what the previous presenters said, RDP, for example. I even saw someone post on LinkedIn about RDP, which, as many of you know, stands for Remote Desktop Protocol. Someone said, no, no, no, no, it's Ransomware Deployment Protocol, which again hurt a little inside, but I get it. So one thing I would recommend doing, and in the postal industry maybe this is not standard yet, we see finance, for example, moving towards this, is making sure you have MFA on RDP or SSH or WinRM, all of these privileged protocols that IT uses but attackers abuse as well. And try to segment as much as possible. If you do proper segmentation, this is what an attacker feels like. So they're just stuck. There's always the option that one asset is compromised, but they can't move anywhere. If you have a good segmentation solution, you can cover up to 70% of the MITRE ATT&CK framework, which I think is good bang for your buck. So definitely look into it. Just to finish, a couple of key takeaways: try to focus more on prevention instead of detection; generating more alerts and getting lost in the noise is not helping anyone. Try to find the right balance, because the safest computer is the one you can't use. So don't strive for perfection, but initially go for good, and then afterwards you can see how you can tweak to get close to perfection. And like I mentioned on the previous slide as well, fixing lateral movement can get you up to 70% of the MITRE ATT&CK framework, which I think is low-hanging fruit. So with that, I want to hand it back to the chairman. If anyone ever wants to reach out to me, you can find my email address here on the slide. I'd love to hear from you. Thanks.

Thank you very much, Peter. If you don't mind, you could just stop sharing your screen.
So I think that was a really excellent deep dive into a particular incident and the potential solutions that we can deploy in our organizations; of course it's resource-dependent. One of the things that we have to be aware of is that in the postal sector there are limited resources available to do this kind of work. So if we add all of the potential solutions together, as you said, prevention is certainly the best approach that you can take. And there are, I guess, simple methods you could deploy, as well as, as you go further up the value chain, more complex and more expensive methods. But certainly start with the basics and ensure that you are able to at least create more resilience within your environment, both at a human and a technological level. I think that's important to understand as well. I like the pointer about not over-training on one thing. One of our presenters said don't over-train, because that gets people almost numb to the message eventually. So you need to find the right balance, as Peter said, between exactly what you need to do and not overdoing it, because, for example, as you said, the safest computer is one you can't use, and who wants that, really, at the end of the day? So now we move on to the next part of our webinar, where we move into sort of a talk show format. As you can imagine, on one side we actually do have the ability to do a talk show with an individual because he's right here with me, Misha, and on my right we have the chair of the .post group, whom I will also invite to speak as he sees fit. But at the end of the day, we want to ensure that all of you participate in this talk show, and we are going to take questions from the audience. Please post in the Q&A, and then we're going to have a dedicated session where you can ask live questions to the panelists. If you don't ask any questions, we just continue talking in talk show format.
So please post your questions in the Q&A. If you want to speak, you can indicate so in the chat, and we can create a queue for you to raise your hands to speak as we go forward. Let's start with a very, very simple question that I think many of you have addressed thus far. The way I'm going to do this is basically open it up to whoever wants to respond to this question first. I'm not going to call your name unless no one answers, but I'm going to ask the first question. Can you tell me why you think ransomware is on the rise? Now, I guess that it's a debatable statement, because I know there's some data that shows a lot of peaks and troughs, but I think the general trend is up. So there are some types that are going down, but some types that are going up, skewing drastically up. And as George said earlier, scams are on the rise, full stop, which would lead to malware incursions, which could include ransomware. So why is this incident situation on the rise? What do you think is causing this? I see Matt has already unmuted, so am I seeing that Matt wants to answer first? Matt, over to you.

I think you're absolutely right. There has been that gradual trend up in terms of the use of ransomware as a worthwhile business model, I guess, for criminal groups. Last year was unique over the last few years because an awful lot happened geopolitically. The war in Ukraine and Russia had a big impact on some of the criminal operators who operate out of Russia and Ukraine, who have potentially been impacted by the war there. But also there was a lot of significant law enforcement intervention last year as well against certain ransomware groups and the criminal groups that sit behind the scenes. So lots of things to make it very difficult for ransomware operators to do their stuff. But one thing is absolutely clear: criminals are criminals and they will continue to want to make money. And this is a very successful business model.
Now it's evolved. We've seen encryption being the primary driver, but now, as organizations are collecting and owning more and more digital information, so intellectual property, PII-type information, vast amounts of this, that is now where the main commodity that can be monetized by criminal groups is. And this is why, I think it was Peter that mentioned, sorry, Misha even, that move to focus on exfiltrating data and making use of that data as opposed to encrypting the data. And that is absolutely what we're seeing this year. So that massive increase in March was heavily focused around exfiltration of data as opposed to encryption of data by those ransomware groups. And I think we're going to see that through the rest of this year as well.

Thank you for that, Matt. John, you would like to say something?

Yeah. I think, again, we need to sit back and realize that the threat actor is in business, and if we apply general business practices and thought processes, ransomware has a great return on investment. And the investment as a threat actor is really quite low. You're not having to go out and buy thousands or millions of dollars' worth of equipment, infrastructure, and so forth. You can go rent somebody else's stolen network infrastructure to push out your campaign. And knowing that many businesses' insurance will pay out a portion or all of the fee, you're really not in a negative position, right? You can do this work while sitting on the beach and potentially still make tens of thousands or hundreds of thousands of dollars and really have no worry that the police are going to come knocking on your door, because the likelihood is very, very small, as was said earlier in our chat today. So, as a criminal, why wouldn't I want to get into this? This is a heck of a lot easier.
It's a pretty good profit-making environment, and the chances are that if I send out a thousand different ransomware environments, a good percentage of them are going to pay. And now we're even seeing, as I think it was Misha that mentioned, we're seeing folks that aren't even really worrying about encrypting. We're going to come in and steal your data, and that's really where there's a huge issue, right? Look at the regulatory regime, and this is one of those things where you have to have it in your incident response plan, but look at the regulatory regime: there are certain governments today that charge a large amount of money per individual victim if you don't do certain things related to a data breach. So let's see, I either pay the ransomware guys, hoping to prevent them from leaking the data, or I may end up having to pay some regulatory fine, plus I have brand tarnishment and a customer confidence factor that's just been nuked and isn't there anymore. So lower effort: don't need to do the encryption, don't need to worry about that, just break in, steal the data and tell them I'm going to splat it out on the internet. There's a good chance that people are going to pay, and if they don't, then I could just simply sell the data to one of the other threat actor groups out there, and they can leverage that data to move laterally, to find business-to-business relationships and compromise those from the data that I stole. Where do I sign up?
Well, I think that's a very blunt reality there. Exactly, it's very blunt, it's a reality position there, John. George, you wanted to say something?

Yeah, I noticed that John is considering a career move, but sorry, John. I think we've been very naive in a general sense. I really think we're just at the start, because what we've seen in the e-commerce industry, I used to work in travel, and in 2002 we thought, well, maybe 10-20% of all travel will be via the internet, and now it's 99%. And the same thing is happening with crime. As John was already saying, it's cheap, chances of getting caught are nearly zero, and we see that in the UK less than 1% of all law enforcement officers are involved in fighting cyber crime, well, 41% of all crime reported is already related to cyber crime. So it's weird; we're really in serious problems. And maybe also a discussion with the other panelists: I'm a big fan of making or paying ransom fees illegal, and I wondered what the other panelists are thinking about that. I see John already smiling, but Mr. Chairman, I don't know if you have time for this question.

We have time, and we're going to deep dive into this going forward, so hold your thoughts, as we say. Let me take the discussion a little deeper and more specific to the postal sector. Why is the postal sector an increasing threat? I think we've seen quite a few incidents over the last several months, especially recently, without naming any one particular entity, but why do you think that the postal sector is an increasing threat? Any thoughts on that?
If I may. So what we've seen in terms of the targeting of different organizations by ransomware groups over the years is, historically, there was focus on those organizations that had lots of money, they were able to pay out these ransom demands and so on and so forth, and focusing on the data there. But as those types of organizations, and I'm sort of pointing fingers here at financial services mostly, as they've become more heavily regulated, they have put better security controls in place, they have bigger budgets and there is more focus there on protecting what they have. Other types of organization, perhaps the postal sector, we're seeing it with education, who haven't kept up with the times, so they are less regulated, they have less money to spend on these security controls, and actually they haven't done the fundamentals as well as perhaps they could or should have, and as a result they are softer targets. It's as simple as that. We're also seeing, particularly around OT environments and manufacturing, big focus there as well, because organizations that are really susceptible to downtime are a target for ransomware operators and extortion operators as well.

Thank you, Matt. Next up, I see Peter would like to take the floor?

Yeah, if I can just add one thing. I definitely agree with Matt. One important aspect as well is the postal sector, like many other industries, is just increasingly using technology in its business, and as the whole digital transformation within this sector takes place, it also increases the likelihood and the interest of attackers to actually go into this space. So I think that's one of the main reasons why you'll see this increasing in the foreseeable future as well.

Thanks, Peter. John?

I'm going to defer briefly to Misha, because I've already had a chance to talk, and let Misha go first, and if there's still time I'll chime in.
OK, thanks. Make it quick. We talked about the difference between soft targets and the traditional ransomware targets like banks and financial institutions getting harder. Yes, I think that's one part, but another side of the medal is that we just see an increase in ransomware attacks across the board, and you just get your share of this increase across the board as well. So I think it's two forces at play here.

Thanks, Misha. John.

Just to echo previously what we just said, it comes down to low-hanging fruit. I mean, the postal organizations are not just about delivering mail and packages, but many postal organizations also have a direct association with financial institutions and the transfer and movement and dealing with money for the people or for consumers. And so, a, it's an organization, or it's a community, that's not been necessarily well thought through with regards to, or I shouldn't say it that way. It's more, it's a target-rich opportunistic environment where this community hasn't been hit as much as others, but it has a direct impact, right? I mean, at the end of the day there's going to be a huge amount of pressure if a particular national-level post is not able to deliver your packages from Amazon. Everyone is going to scream, and if you do that at the right time of the year as an attacker, you have an immense amount of pressure, political and community and public pressure, to solve the problem, pay the money, get the systems back up and running, right? And so the threat actors know this, and there's a great leverage there. So what we've got to do in the community is really make sure that our game is there and we're able to help not only prevent but also mitigate and respond accordingly to these, and that's going to require a commitment from various posts to train their staff, have the right folks and develop the right policies and practices. Post is going to be a target, and there's money there, there's packages there. Why would I as a criminal want to ignore this?
I think you're going to see more potential attacks towards post, because there hasn't been that much there in the past and it's low-hanging fruit.

That's startling and frightening, John.

They went after the healthcare industry, they've gone after the electrical grid, they've gone after the water supply. I can point you to water utilities where the chlorine and other things have been impacted, and water supply treatment facilities have been. It's just a natural evolution. Post is next.

Exactly, and as I said, we are seeing the effects of that today, literally speaking. We actually have a question from the postal sector, in the Masumil Jauče, who, as you pointed out, John, actually they have a financial institution that they own in Italy. He has a question specifically related to what's going on with the data. So with ransomware attacks, when you have data that's encrypted and being made unavailable, and then you have the business disruption that follows thereafter, the question really relates to what insights do you have as a panel as to the impact that is brought about by the stolen data exploitation itself. So not just the fact that it was stolen, but the exploitation of that data, so for example that it's analyzed, exploited to gain some malicious benefit and then sold on the black market for profit. What insights do you have as to the after-effects of an incident when that data is taken, sold on the dark web and so on? Anybody wishes to take that? Matt, you would like to go first?

There's a few things to think about here. So in most cases the data is made available for free, so it doesn't need to be commoditized in that sense. So as it's been traded and it's made available on a leak site, it's there for anyone and everyone to get hold of. Some of these leak sites are on the dark web, or the so-called dark web, but it's really easy to get on there and get hold of it. Some of these leak sites are on the clearnet, so what we can normally say, so it's really easy to get hold of that stuff. So some of that
information is very sensitive. It allows access into that target organization, so it's really important for the organizations to get on top of what is within those data sets. But the biggest impact is, I guess, from the consumers or customers of those companies that have been targeted, and we've seen examples of increases in fraudulent activity against the target organization making use of stolen user accounts and things like that. So if it's a retailer and customer information is leaked, then there's fraudulent activity that can potentially take place in there. The challenge is it's really, really difficult to quantify the level of impact, because we don't always know what's been leaked, we don't know what the subsequent attacks look like from the outside, so it's really hard to quantify. But fraud is a big issue, and further breaches is another big issue.

Thank you, Matt. John, your hand is up. I'm not sure if that's an old hand or a new hand.

Nope, that's a new hand. Again, reminding that the threat actors today are sophisticated organizations. In fact, there's many organizations out there whose job it is, is not actually to be victim-facing, but they are other-threat-actor-facing, so they are a service provider to other criminals. It's become so well organized it's almost like, gee, it was a normal business out there, except it's the business of stealing from people, hurting people and killing people, depending on where and what kind of cyber threat you're looking at. Data is highly important. If I steal data from a postal organization and I have enough of that data, and if I may, I'll use Tracy as an example: if I have enough data of Tracy and what he has shipped and mailed over the last few months, when I call somebody up on the phone or when I email them and I say, hey look, I need you to do X, Y, and Z, I know you shipped this package to this person on this day and I know you shipped this letter to this person on this day, so you need to trust me that I really am somebody from the organization
because I have this trusted information. Tracy's guard is going to be lowered; he's going to not feel as threatened or as concerned, because wait a minute, that data would have only been known by the sender and the receiver of the package and the post. Now I've got his guard down, and I can leverage that to do something else, some other scam, or I can leverage that to cause an action to happen to Tracy's detriment and to my benefit as a criminal. So data is about patterns as well, and the criminals out there understand this. They will leverage and use that information to figure out how to move laterally within an organization or within the whole landscape. So it's not just that they have the address or their social security number or national ID number or bank info; it's about a whole bunch of other bits and pieces that allows you to build credibility with your victim so that you can scam them. So protecting data is super important.

Thank you, John. Misha?

One thing to add here: if you're thinking about personal information such as credit card information and so on that gets stolen and leaked, sometimes there's a regulatory or societal pressure to then mitigate the effects of these leaks through, let's say, commercial services who are monitoring these leaks, or changing numbers if they can, or protecting the affected individuals in some other ways. This can mean a tremendous amount of money spent. It's not uncommon that just this alone eats up the whole insurance sum by itself after a successful attack. So that's, I think that's one other thing to keep in mind when talking about effects of data leaks on the company as well as the individuals themselves.

Thank you very much, and I saw in the chat that there's comments about the insurances; someone started a thread on that already, thank you. Now I would like to, we just have a few minutes left, so I want to ensure that we involve as many folks from the audience as possible. I see a few hands up in the attendees list that I can view on
my screen, and there are no questions written in the Q&A or in the chat that I could see. So I'm going to potentially ask, I think this is possible. Nahu Vuka, are you willing to speak? I'm going to allow you to talk now. Go ahead, you can unmute your mic now. If you don't speak, I'm going to allow someone else. You would like to speak? I'm going to allow you to speak as well. Alright, and if you can't speak, you can type in the chat. Ahmed El-Malif, I'm going to allow you to speak. Go ahead, you might need to unmute yourself to be able to speak. I hope that you are seeing the messages available, it's coming up on your screen, to unmute, and again, if you are not able to do it, I'm going to just move through, and you can continue to post your questions in the chat if you do not see the ability to talk. Musa Thien, go ahead, you can unmute now and you can ask your question. You need to unmute yourself to speak. Alright, and I see, I'm reminded some people may be using the raised hands to just say they're here and they're around, so that's fine, and there are no questions in the chat, so I'll just continue proceeding. Just have a few minutes left, as I said, so I'm going to lower all attendees' hands, and if you do have any questions, I see one coming up in the queue. Can you assist me with that queue? Is it a question? Is it to us?
There's no open questions, it was just a thank you. Alright, thank you very much. Alright, so I'm going to return to my talk show format as we begin the wrap-up session. We'll lower all hands in the moment, just to remove that from the queue. Now, what non-technical steps should be taken in terms of ransomware prevention? Before you answer my question, one of my colleagues who I guess wanted to speak and was unable to speak is asking what is the importance of PRA in ransomware prevention. What is the importance of PRA in ransomware prevention, and if no one understands that, maybe you can explain what PRA means. Is it, I think you can see it, colleagues, in the chat, Musa, that question answered. And there's a question in French, a question, yes, I need my French, my French assistants here. A question, we have a question on VPN, please, microphone for the speaker please. Recovery plan, in fact. Someone, Mohamed, is asking, he has a question on VPN, but I don't know exactly what does it mean, VPN. Alright, I think he is spelling it out further down below, so while you get that, the PRA clarification as recovery plan. What is the importance of a PRA? I think he probably meant disaster recovery plan. Disaster recovery plan in ransomware prevention, and he wants to take that disaster recovery plan. What's the importance of a disaster recovery plan in ransomware prevention?

I'll jump in, because it's sort of, me being the planning guy, right? You have to have a plan. You can't be fumbling around; time is of the essence. You need to recover, and you need to have thought out, in advance of being attacked, what your steps are going to be, and this is where I come back to: it is critical to have that action plan. I mean, I'll use my analogy of flying the Airbus 350 across the Atlantic. You have an engine failure; that's not the time to be sitting down going, so what should we do, should we turn the fuel on, should we change fuel tanks, should we try to restart that. I'm sorry, I don't need to be blunt, but clearly, truly, not having a plan
is critically disastrous. You need to have that plan, you need to think out what is required, what you as an organization need to do to recover from this event as quickly and as low cost and low impact as possible. And sometimes that plan might have several different paths depending on what changes during the recovery process.

Thank you very much, John. Matt?

I was just going to add to what John says there, really, and echo the fact that yes, absolutely, a recovery plan is needed. I think what is just as valuable, though, is actually running through that plan in a simulated way and actually table-topping those exercises. We've seen a couple of examples, for example, where everything has been planned out and you've got this fantastic plan, but you haven't taken into consideration, so a big part of that plan will be around how you communicate within the organization. Now what if, as part of that attack, your internet phones go off or are compromised, and all of a sudden you lose the ability to ring someone or email someone within the organization? By testing these things, so I think testing is crucial, and it needs to be renewed, it needs to be reviewed and repeated.

Thank you very much, Matt, some really good advice on yourself and John there. And responding to that question, I'm going to ask my colleague Mesa, because I'm still in A1 French class, so Mesa, can you help me with that question?

Of course. I'm not a formal interpreter, but I'm happy to help. So we see a question from Mohamed Indiyaya, I think from Senegal, and he's asking, in French, what are the measures that can be applied so that a VPN, what are the measures, for a VPN to be attacked or broken through, that can be applied to prevent a VPN from being attacked or breached?

I can maybe take this as well, or Misha is here. If your hand was up as well, I'm not sure if you were sooner than I was, feel free to take this one if you want.

You can go ahead, I'll add some things if I feel like it.

I'll be quick. So it's a good question, because we do see a lot of VPN services being
compromised, or at least it is a way to get in. I think one of the fundamental problems that VPN has is that it's exposed as a service to the internet at all times, so a lot of attackers can just brute-force their way in. One way to go about it: if we look at how VPN has evolved, VPN has benefits, you have a direct connection, it's typically speaking very performant, it's fast. If you look at where the market has gone to, what we see more and more is ZTNA, Zero Trust Network Access, where you kind of VPN through a cloud service, and as a result, or as a benefit, is that you don't have to keep that port open to the internet, because you use another party that potentially does additional authentication before you're granted access. That's where the market has gone to. I think, as a next step, where the market is going to, and this is not there yet, is where we kind of go back to the traditional VPN method, but then we layer additional security controls on top, for example, using multi-factor authentication, where if someone tries to connect, that port is closed, but only after you have confirmed your identity using multi-factor authentication, then a particular port is opened for your source IP only. So to summarize my answer: traditional VPN exposed to the whole of the internet, something I wouldn't recommend unless you have additional layered security controls. ZTNA is where the market is going to. In the future, I think we're going back to the older model with additional security tools laid on top of it. And then I'll hand over to Misha.

Yes, thank you. Yes, pretty much what you said, I agree on all points there. From a technical perspective, from my view, VPNs are actually pretty good usually; they are security devices, they're hardened, they're meant to be doing what they're doing and they're meant to be accessible, more or less. Of course you can add an additional layer of security to improve on that, but first and foremost, on a technical level, keep them up to date. Every once in a while VPNs have a vulnerability;
if you patch them, you get rid of those. Another idea on the technical level would also be geofencing: if you are in a country somewhere in Latin America and you don't have any employees in Asia, there's no reason the whole of China needs to be able to access your VPN. That's one thing on the technical level. On the managerial, process level, also multi-factor was mentioned, I very, very much agree on that one, but also manage your accounts. If you have accounts that are not needed anymore, disable them. If people leave your company, disable their accounts. And also do not have shared accounts on VPNs. I mentioned this thing of the Lapsus$ actor buying access to companies; shared accounts mean plausible deniability when I sell my VPN access to an actor like this, amongst other things, but this is one important thing. So do not have shared accounts, but have personalized ones, where you can have an attribution of what happens with which account if it gets compromised.

Thank you. I see John's hand, but let me do this, as time has run out in terms of the substantive part of this session. I'm going to, and John, you will start, you can lead from that in terms of closing remarks. So in terms of closing remarks, basically we're trying to get feedback from all of you in terms of what are the next steps for the posts in particular in terms of ransomware prevention. So all, prepare for that question, which is the wrap-up remarks. Give it, keep it to two minutes, and John, I'll start with you, which you can also jump in with your comments you wanted to make, but you can then continue with the closing remark that you would have on what posts can do going forward. Over to you, John.

Really quick, just to add to the VPN discussion: there is no silver bullet. There is no one technology that fixes everything. VPN is simply a wrench, or a spanner, in the toolbox, and you have to appropriately apply it for what you're trying to solve. In addition, you have to make sure that, not all VPN service providers out there are treated equally; some
of them share data with others that you may not know about. So understand what's going on with the VPN ecosystem, and if you're really concerned about it, build your own private VPN with your own hardware and know what's going on with it. So that's just really sort of what I wanted to add on the whole VPN thing. With respect to what can post organizations do, what are sort of next steps, quite honestly, the things that I would encourage each postal organization out there to do is to identify a person in their organization who is going to have not only the responsibility but the authority to develop and implement good, sound practices within their organization for cyber security. Create an incident response plan. Create what your plans are, as we just mentioned a moment ago: what happens when an employee leaves the organization, whether they leave friendly or they've been terminated because they did something they shouldn't have done? What is your organization's process, from a security and infrastructure perspective, on treating those access accounts, those data, that information that they have and so forth? Build an incident response plan, build an IT cyber security plan, and have an individual that clearly has the responsibility and the authority by senior management. And then make use of tools. There are a lot of great open source tools, there are a lot of commercial tools, there are a lot of organizations out there that will help you look at what's going on. Look at some of the things that George has with the Global Anti-Scam Alliance, if I got the name right, GASA. Look at things that Bob has at NCC, and Misha and Peter have, and other organizations. There are tools and information and things out there. At Team Cymru we have our own intelligence data and other information that we can provide organizations as well. So get into the community, be active. At the end of the day, cyber security is not a spectator sport. You cannot turn up to a football pitch and simply watch the game. It is a game
that you have to participate in. You have to be down on the field, getting your hands dirty and being involved in what's going on, if you in fact want to protect your organization. So to the senior leaders of postal organizations: support, encourage, mentor and nurture your staff to enable them to be able to get out there and protect the organizations that they work for. Those are my closing comments.

Thank you very much. George, one minute, George.

Yes, I fully agree with what John was saying. I mean, I'm Dutch, so you need to build a dyke, and every measure is one stone to build the wall to turn this fight on cyber crime. And very recently I spoke to the chief security officer of one of the largest cyber security companies in the world, and even he admitted that he was being spoofed. He thought he was getting a text message from his CEO to quickly arrange some gift cards for a client. He bought them, and the only way he discovered that he actually was being scammed: within five seconds he got another request for more gift cards from himself, from Amazon, from Google. Then he started thinking, well, this is not my CEO. So it can happen to everybody, and one of the bricks I think every company should pay attention to, next to what's already being named, is indeed employees. Protect your employees from phishing and from scams. Thank you.

One minute.

Organizations can go a long way to protect themselves by getting the fundamentals right. It's fundamental. I know a lot of organizations do the basics well; they are fundamental, they need to be in place. I'll put our list in the chat. Employ MFA where possible; that goes a long way to protecting. Segregate, as to Peter's point: segregate, segregate, segregate. We need to back up stuff, so, John, back up your data, make sure you've got multiple copies, make sure that you can actually test that those backups are working. Patch, because whilst it's not one of the most easy ways in or most common routes in, vulnerable systems are still exploited, and we've seen
that in March with the Clop ransomware group. Invest in your people, in the teams, awareness sessions, so to George's point, make sure that people have that baseline level of understanding about what the threat is and how they can protect themselves as well as the organization. And then, last but not least, have that incident response plan and rehearse it. And stay informed: use threat intelligence to help inform your organization about what the threat is. It goes an awful long way.

Do you have any questions?

Yes, I think all the important things have been said. This is a very nice list that Matt posted. I'd just like to point out two things on that list that are actually free. Updates: assuming you're using properly licensed software, as you should, and you most likely are, updating your software mostly comes for free. It may annoy you a little bit, it may slow you down a little bit, but it doesn't cost you hard cash. And the second one, multi-factor authentication and strong passwords. There's really no excuse to not use strong passwords anymore; there's no excuse to not use multi-factor authentication if it is available. And the third and last one, investing into people and the people's awareness. One thing that we found to be quite successful there is to not restrict that to the professional life. When you're educating people, you can tell them: not in the professional role only, this also applies to your private lives. It also matters if you get hacked in your private life; if your Facebook, if your Insta, if your whatever goes bust, you have a problem. What we teach you here you can one-to-one port to your private life as well.

Thank you, Misha. And Peter?

Preventing ransomware in the postal industry, or sector, requires a multi-faceted approach, and it includes both technical as well as non-technical measures. I really like how Matt positioned these measures as fundamental. It's also very hard to add anything on top of what has been said already. What I can do is just close with my top 8,
real quick. I'll be quick. One, keep software up to date; this includes all of your security controls, such as anti-malware software. Move away from passwords, and during the journey of moving away, use strong passwords. On top of that, use multi-factor authentication wherever possible, and we even see many cybersecurity insurances now demanding that you use multi-factor authentication. Limit access to systems and data only to those that truly need it. Train your employees to recognize phishing. And then one point that John has talked about very extensively is regularly take and also test your backups. And also what he talked about is develop an incident response plan. And then I'll close with my personal favorite, which is limit the blast radius of compromised assets by using micro-segmentation. Little bias there, I understand, but it's definitely low-hanging fruit if you have the right solution.

Thank you very much to all, and I would like to wrap up with my own. I'll take the presenter's privilege by using my own organization's efforts in terms of what we're doing on the .post side. So we are currently implementing a shared services platform where cybersecurity forms a key part of our thrust to the community that we serve. In terms of cybersecurity, we have been very active in this space in terms of developing policies. We are focused heavily on compliance with our domain security policies, domain validation, so nobody can get a .post domain without being verified. Very big on DNS abuse and anti-abuse, working with our colleagues in the infosec team on the cyber incident response team, developing skills and capacity-building efforts within the .post environment, and pulling that all together in our policy framework, which is available at, as you can see there, info.post slash security policies. We recently launched the domain compliance monitoring tool, .post, in May 2022, and for all .post domain holders, you are able to essentially use that tool to check
compliance with our DNSSEC policies, our secure email authentication policies and our web server secure online transactions policies. There is no time to go into a demo of that today, but I do invite you to contact us through that tool and how to use it, especially for those who are new to the .post environment. We've been doing cyber security capacity building for postal operators utilizing our .post platform as well as existing webinars such as this that you are seeing today. Our .post platform is also accessed via server track dot post, and as I mentioned, we do anti-abuse domain monitoring. .post has never been abused as a domain; one of the top-level domains in the world has never been abused, which, we are very proud of that reputation. We tend to keep it that way, and as DNS abuse becomes a huge issue going forward, so to do that you need to register a .post domain, and I don't want to get into the great details here, but simply visit us at register.post or contact us, the secretariat, at info.post to learn more about how to do that. As I wrap this up, I'm going to ask the director of the PTC, Latima Tata, to add a few remarks on this and to answer a question, actually two questions, related to what the UPU is doing to assist posts with this type of ransomware prevention activity. So over to you, Lati.

Thank you very much, Tracy, and I just also want to acknowledge very excellent contributions from the panelists. I have learned a lot in a very, very short time. Before I answer the questions, I just want to also contribute to what Tracy said in terms of .post. So as I mentioned in my opening remarks, the PTC does have a lot of online services that it delivers to the postal sector, and we actually made the decision back in 2012 to put all our services, our online services, under .post. So we have been a big supporter of .post right from the get-go. The second remark that really struck me, and I want to repeat it, especially for the
participants, attendees, is what I think Mr. Brown said, and I'll summarize it as a trifecta of tragedy. The first one is, of course, you lose your brand, you lose your business. The second one is then you are subject to further ransom fees, so this is further costs that you may have to incur. Then the third one is, if there are government regulations that you have breached, then you get further fines. So this is a very, very expensive, let's say, tragedy for you, for all of us, if we are attacked, and it seems like it is not if, it is when we are attacked. So then that builds on to all the excellent advice we have been given, and one thing that comes to me all the time is: who is going to pay for all this? We may have open source tools, but we need to change our procedures, we need to implement backup actions; this is expensive. I can speak very authoritatively on this, because the PTC for the last 5 years has been going through a process of certification, so this is the ISO 27001. We are certified, but only for a certain scope of our services, and we had to do a lot of work, and I have been questioned several times on why we are spending so much money on this, but I think it speaks for itself why we are doing this now. So to answer the questions, what can the UPU do? I would say what you are being presented here now, attendees: you have access to very, very sharp minds when it comes to advice on what you can do to improve your own internal IT networks, so again, thank you very much, panelists. You have access to the .post domain and what comes within that platform, and you have access now to what I would call the overall International Bureau's activities to consolidate and to bring together all the best tools. Basically we can combine all your contributions to help us all. So this model has worked very, very well, because when you individually, let's say, add your experiences to the International Bureau, we then make it available for the entire community. So this sort of collaborative approach is what I would like to
strongly encourage. Our chair of .post is an extremely big fan, and I think we will work on him, of setting up an ISAC, a UPU-level ISAC, to sort of combine and consolidate all this in one place. So this is a long-term plan we hope to achieve, to bring everything together, and I hope the postal sector will, well, I'm sure, not hope, they will benefit from this work in terms of cyber security protection. Thank you.

Thank you very much again, all the panelists. Thank you very much, Latima, and there's nothing left for me to say except to say thank you to all the panelists, Misha, Matt, John, George and Peter, and all of you who participated, and now hands back over to the chair of the assembly, Massimiliano, to give us final remarks and to close us off. Thank you.

Thank you very much also from my side to all the panelists. The session was really highly entertaining and there were very interesting discussions that arose, and I was particularly impressed by the figures that were presented. But also this initiative is a concrete demonstration of how we could contribute in raising awareness on a phenomenon which is spreading all over our business, and also we had some measures that we could adopt to counter this phenomenon, and we know that also .post has an important role in supporting our designated operators to counter this threat effectively in a very short time, because we don't have enough time to wait; in my opinion the threat is very important. So thank you again, thank you, Tracy, for the great work in arranging this webinar. I think that this concludes our 15th General Assembly. I would like to thank again the entire secretariat, the interpreters and the technicians, and all of you for your contributions today, and the meeting is now closed. Thank you very much.

Thank you very much, thanks to all, for the rest of your day, and the interpreters from my end as well, I appreciate it. Bye bye. Thank you very much, I appreciate it.