The ransomware threat has spooked nearly everyone. A big unknown is how vulnerable your organization actually is to ransomware attacks. A cybersecurity company called Black Kite says it’s developed a way of assessing your risk by using open source intelligence. For how it works, Black Kite’s Chief Security Officer Bob Maley spoke to the Federal Drive with Tom Temin.
Tom Temin: All right. So tell us about this assessment. And you did a pretty good assessment of federal contractors. We’ll get to that in a moment. But how can you tell someone’s vulnerability to ransomware attacks?
Bob Maley: So we collect a lot of data about companies that’s publicly available on the internet, we do analysis for our clients. And last year, we had some of our clients ask us, they said, could you figure out a way to see if our vendors are susceptible to ransomware? We’re seeing a really good rise in that. So we did, we put some researchers to it. And we discovered that there were a certain number of things that bad actors typically employ to break into companies to execute ransomware. So we developed an algorithm that looks at all of our data and extracts that and gives us a probability. It’s a number from 0-1. So that’s what we did.
Tom Temin: A scale of 0 to 1, I guess that’s 100 points in there somehow?
Bob Maley: Yeah, percentage.
Tom Temin: Got it. And what are the main vectors that you discovered that ransomware people do? I thought it was pretty much phishing.
Bob Maley: Well, phishing is one of the top two things that happen. And there are some underlying things that make phishing more effective. They’re technical things that have to do with how you have your email configured, their DNS settings, things that a lot of companies just aren’t paying attention to. The second-most thing that bad actors are doing, they’re looking for open remote access ports, on your servers on the Internet. That’s what happened at Colonial Pipeline, for instance.
Tom Temin: Got it. So old fashioned hacking in is still very much a vector. They don’t necessarily rely on the weak employee that clicks on that link.
Bob Maley: Absolutely. It’s been this way for 20 years. Ransomware was invented 20 years ago, but the bad guys have just gotten better at figuring out how to get it inside our networks.
Tom Temin: Well, the implication here, then is that the companies that you’re testing need to let you look at what ports might be open. And that’s kind of a scary prospect.
Bob Maley: Well, they don’t need to let us look at it, they’re actually open, so the bad actors can see them. That’s why it’s so concerning that it’s out there for anybody that knows how to go out and look for these things. They can do it.
Tom Temin: And is that a basic cybersecurity hygiene measure, closing ports that are unused?
Bob Maley: Yes, it is. I know, it’s interesting the Department of Homeland Security put up a website a few months ago called “Stop Ransomware”. And the top things that they recommend you do to stop ransomware were things that they’ve been telling people to do for at least the last two to 10 years. So these are not new things.
Tom Temin: You can probably cite the page on NIST Special Publication 853, where that particular piece of advice is.
Tom Temin: I haven’t memorized it. But I know it’s in there somewhere.
Bob Maley: It’s a pretty big document, I have not either.
Tom Temin: And a recent report that you put out showed the degree of vulnerability to ransomware in parts of the defense industrial base in the federal contracting community, tell us more about what you found there.
Bob Maley: So what we did was we looked at the top 100 by contract value in the DIB. And we ran those companies through our research. And we discovered that there was a higher percentage of them that also were failing in these basic things that bad actors look for. And they were susceptible to ransomware.
Tom Temin: Can you give us some numbers? Like you said, there’s a scale of 0-1, was the average above a certain point where it goes from “you’re probably okay” to where you’re in the risky territory?
Bob Maley: Yeah, we saw that 20% of those top 100 were highly susceptible. And what that means is there were somewhere over a 0.60 in the ransomware susceptibility index.
Tom Temin: And you mentioned open ports, and we talked about phishing attacks, is there any other indicator of high vulnerability?
Bob Maley: There is. So some of the things that bad actors look for. They look for leaked credentials. The credentials are user IDs and passwords that are for sale on the dark web. And we found that 42% of those contractors had at least one leaked credential out on the dark web in the last 90 days. And we saw that patch management, there was a lot of servers that were using older operating systems that are typically targeted by ransomware bad actors.
Tom Temin: We’re speaking with Bob Maley. He’s chief security officer at Black Kite. And of course those again, a basic hygiene issue is, I mean, continuous diagnostics and continuous monitoring and patching have been federal policy now for several administrations. And that’s for federal systems, and you would think contractors ought to follow the same best practices. But I want to talk about the phishing angle for a moment. And is it possible to assess whether a company is susceptible to phishing, because that depends a lot on its employees, how well they’re trained, how sensitive they are to it. And that would seem to be a tougher thing to get at than whether they have open ports.
Bob Maley: Well, yes, it’s a little bit more complicated. But some of the things that can make a company or contractor a little bit more resilient to phishing, is there are technical things in the way their email is configured, it’s called DMARC, DKIM, SPF. These are things that you can do that when they are registered, it makes the domain a little bit more phishing proof. And what I mean by that is the top email providing companies like Microsoft and Google and Yahoo and all the others, they look at that information. And when they see an email that doesn’t have those attributes, they say, this is a spoofing or a phishing email, and they block it before it even gets into a company. So that’s one of the things that we can see that companies that don’t have those things configured correctly. But it’s also one of the easiest things to fix.
Tom Temin: Yeah, the DMARC standard is not something new. But it just seems to have heightened importance in the ransomware era.
Bob Maley: Absolutely. None of these things are new.
Tom Temin: All right, so what should companies do in the CMMC area, then, when everybody’s looking at everybody else’s supply chain, or US part of the supply chain are being looked at? Everyone’s peeping into everyone’s kimonos here, it seems like it’s time to get to the basics of guidance coming out right from the government itself?
Bob Maley: Well, CMMC, that’s a complicated question. Now that we have 2.0 just came out, there are changes to it already. And in reality, CMMC is a compilation of existing controls, there’s really nothing new in CMMC. What it is is an effort to try to put it into a single type of audit that the contractor base, the DIB base, the 300,000 vendors are subject to the same compliance regimen. So that’s the goal of CMMC. While I think it’s a great goal, I don’t think that CMMC will really have a whole lot of effect in slowing ransomware down.
Tom Temin: Got it. And with respect to some of those other technical issues, like closing ports, and making sure you’re running the latest and most patched versions of software, especially operating systems, but some of the applications also, I had thought that at this point in history, companies would have automated ways of doing that with a dashboard report on your OS’s and your patching. And that it was kind of set and forget, but it sounds like still a lot of hunting and nailing to do.
Bob Maley: Well, it’s not so much knowing what’s there. It’s understanding what the business implications are, if you’re going to patch or if you’re going to upgrade an operating system. Imagine you’re a technical person who’s responsible for patching systems and you’re urgently telling your business that we need to upgrade this operating system, because it’s out of date. It’s old, we can’t even get patches for it anymore. And management will say, well, can you guarantee that that’s not going to break our applications? What kind of a decision are you going to make? You can’t guarantee that. So a lot of times people just hope that they don’t become victims. And they continue to do business as usual.
Tom Temin: In the case of phishing attacks, where what they want is return of data in return for money, is encryption a good protection against that?
Bob Maley: Well, no, it is a protection against the second level in a ransomware attack. So there’s two levels that happen. The first one is they encrypt your data, and they require you to pay ransom so you can unencrypt it and use the data. The second thing is then they will then sell your data as well. If it’s already encrypted, it kind of stops that second level of attack, but it still doesn’t give you the access to your own data because they’ve encrypted it as well.
Tom Temin: So your best advice is take the assessment?
Bob Maley: Yes, and address the simple things. It’s not the hundreds of controls in CMMC. Although compliance is important, and I understand why that’s being done. But think the way the bad actors do – address the things that they’re using to get into your networks first, be proactive.
Tom Temin: Bob Maley is chief security officer of Black Kite. Thanks so much for joining me.