SafeBase Presents: Ransomware Readiness with Matt Roeckel

Kevin Qiu
November 11, 2021

Macy Mody

Alright, I guess we can get going now at least with the intros and a few more people might trickle in. Awesome. Thank you all for attending today's webinar. We're super happy to be able to partner with Matt Roeckel of Split to speak about ransomware readiness. I'm Macy, I'm the Director of Strategy and Ops at SafeBase. And today we have Kevin Qiu and Matt Roeckel joining us. So just a little background on them, both security experts. So Kevin is the Director of Information Security at SafeBase, and he oversees our internal security program, as well as having a direct role in the future of the product. Prior to joining SafeBase, Kevin was a consultant in the financial services world and he helped start the security programs at both jet.com and SeatGeek. Matt is the Senior Director of IT and Information Security at Split Software. He currently oversees IT governance, risk and compliance and information security. Prior to joining Split, he ran global workplace operations at Invoice2Go and operations at RelateIQ, which is a Salesforce company.

With that, I think we can dive right into the discussion. The plan for today is to spend about 30 minutes on some prepared topics. And then definitely leave some time at the end in case anyone has questions. You can also feel free to put them in the chat as we go. And I'll try to add them in if there's a relating topic. Cool. All right. And for those that just joined, thank you so much. We're really excited to have you here. We're gonna jump in now. All right, Matt, my first question's for you. So I think some of our attendees might not be as familiar with ransomware. So can you start off by discussing how ransomware generally works and how it tends to make its way into a corporate network?

Matt Roeckel

Thank you, Macy. Yes, so ransomware, it's a type of malicious software or malware that prevents you from accessing your files or systems or networks. And in return, they're asking for a ransom. So they demand a ransom, which is typically, you know, now we're seeing, you know, five to $10 million to access your data again. So typically, those assets are encrypted, and the hackers own the keys, so you don't have access to your data anymore. And that's why they're holding you hostage for that data. Ransomware attacks can cause costly disruptions to business operations, and loss of critical information. So be prepared. We'll try to mitigate those risks over time. And there's some recent examples. I think Kevin's gonna go over a few of those recent attacks.

Kevin Qiu

So I think specifically in 2021, in particular, we've seen some pretty damaging ones. So earlier in the year, if any of you guys are drivers, you might have noticed that gas prices spiked. Colonial Pipeline was an organization that got hit really badly with ransomware. And so it disrupted a lot of the supply chain logistics for oil. And this is because their entire IT infrastructure was pretty much taken down by ransomware. And another really big one that happened in the past 12 months was Kaseya, which is something that I'm sure a lot of you have seen in the news and affected lots of organizations worldwide, because it's something that a lot of IT teams use to help manage their laptops, servers, etc. And this actually prompted the White House to take action. And they released an executive order talking about how the US had to improve its cybersecurity capabilities in response.

And in terms of another sector, one that was pretty big back in 2017, as some of you might remember, was WannaCry. So this was a really big malware campaign that spread to lots of organizations using Windows servers, and the NHS in the UK, which manages the UK's health care. They actually got hit by ransomware, which is really bad, right? Because if you're running a hospital, and you can't pull up patient records, and if you can't access your systems that are connected to X-rays and things like that, people can actually potentially die, and so ransomware is something that's very serious.

Macy Mody

Awesome, thanks both. It seems like ransomware is very widespread. And we all have heard the term many times and know it's destructive. Matt, it would be awesome if you could talk about some general IT security controls to reduce the chance of ransomware infecting laptops.

Matt Roeckel

Of course. Yes, on the general IT side of it, for internal IT, as well as your production servers, patching is very important. So having a patch management policy and procedure where you're tracking vulnerabilities based on the CVSS score, and identifying those and remediating them within a defined timeline. So it's critical to ensure that your servers are patched, especially on zero days. Zero day vulnerabilities are announced, and you have to take action right away. So definitely, on the action side, that's super important.

Next is endpoint protection, so ensuring that your employees and their laptops are as secure as possible. So any malware that could enter from an end user could then get into your production servers if you're connected to your VPN for the production servers. So endpoint protection is very critical. There's different vendors out there that offer endpoint protection. One that we use here at Split internally is Jamf Protect, and that's rolled out through our MDM. So that's definitely one of the ways to protect from the laptop side of the business.

And then phishing training and filtering. So yeah, all of our employees that are onboarded here at Split go through security awareness training. And part of that is phishing and ransomware. And just general IT security tips. And that's refreshed annually. So as new technologies are introduced, and new ransomware attacks are developed, that training is then iterated to bring every employee up to date, on a yearly basis.

Macy Mody

Awesome. And I'm going to throw in a question I didn't have on the sheet. And maybe Kevin, you can take it, but I actually got an email this morning, I believe, from Robinhood, saying that someone contacted their customer service on the phone, and then got a lot of personal information. Is there anything different you would do for kind of people that have high call volume?

Kevin Qiu

What do you mean by high call volume?

Macy Mody

Like if people are servicing customers on the phone versus just via email? Is there anything different you would do to prepare?

Kevin Qiu

You mean from a vendor side or like a customer side?

Macy Mody

Vendor side? Yeah.

Kevin Qiu

So, from a vendor side, something that's really important if you're interacting with someone, and it's not over video chat, and you don't know what they sound like, it's always good to do some sort of verification. So if any of you have ever called like a health insurance company, it's kind of annoying. They ask you, oh, what's your birthday? What's your address? And what was your most recent appointment? It's because a lot of people do take advantage of call centers to exploit them, because a lot of the employees, they're following a procedure. And it's not really their job necessarily to determine if someone is phishing or not. And so if you're dealing with any sort of sensitive data, just have some sort of second level of verification, because anyone can say I am so and so person, here's my email, right? But let's say you're in ecommerce, something you could do is say, what were some of your last few purchases, right? Because stuff like that, generally, the actual person knows and a random attacker probably won't know it.

Matt Roeckel

You always trust everybody, but you have to verify. So trust but verify is a good principle to follow.

Macy Mody

Good tip, good tip. I like that as a tagline. Trust, but verify. Awesome, anything else to add there or not? I have another question. No? Cool. Awesome. Okay. So I know that a critical part of being ready for ransomware is having the data available in backups. What are some typical backup kind of gotchas that folks might not be aware of?

Matt Roeckel

Sure, back to this one. So you're actually testing your backups. So on an annual basis, are you actually testing them? So you have these backups, but can you restore? And how long does that take to restore? So that'd be your RTO, your recovery time objective. How long does it take to restore your information from a backup? And also the frequency of them. So how often are you backing up? Is it daily, is it every 12 hours, is it weekly, and this would be your RPO, which is a recovery point objective. So how far back would the customer lose their data would be defined by the RPO. So if you do a backup at midnight tonight, and you don't do another backup till midnight next week, will the customer lose anything? If you were to restore a backup on Monday, they would lose six days' worth of data.

So doing daily backups is definitely critical, as well as out of band backups. So this is one of the new attacks that ransomware is taking is that they're targeting your entire network and infrastructure. And most SaaS vendors are storing their backups in the same infrastructure. So using a different provider to store your backups would be ideal. And I say out of band backups is kind of the new push in the industry and is definitely on the back side of your standard systems.

Kevin Qiu

Yeah, I think every now and then you guys might see on tech blogs, like Amazon Web Services, US East is down. No one can watch Netflix, right? This is kind of an example of where people are like, okay, we're using a big cloud provider, that should be fine. And then what they're not doing is doing a replication to US West or something similar. And so if the entire East region goes down, their app essentially also goes down with it. And so it's always good practice to do geo replication, even outside of the general availability zones within one region.

Matt Roeckel

Definitely, yeah, having a failover region is critical.

Macy Mody

So that sounds right, because I don't want my Netflix going out when I want to watch. Awesome. Okay. So another question I have is, there's been a lot of media coverage lately about the risks of third party vendors, and our reliance on them. What are some important areas that our attendees should focus on to prepare internally for a potential ransomware attack? And maybe Kevin, you want to take a stab at this one first?

Kevin Qiu

Yeah, so full disclosure, we work for SafeBase. And we work in this space where reviewing vendors is obviously super important. And so one thing we always recommend is when you're evaluating your vendors, really try to get a good sense of their security capabilities. Like these days, a lot of companies are getting SOC 2s, and one of the important things is to actually read through the SOC 2 report and see if there's any major exceptions. What a lot of folks don't realize is, sometimes auditors will look at a company, there'll be controls that may not fully be in place, they'll still issue the report. And then in a table buried in the report, it'll say, vulnerability scans were run for three out of four quarters or something like that, right. And so don't just look at the logo that's on a company page at surface level. Really look at it, read it, make sure everything is okay. And I also strongly recommend working with vendors that have cyber insurance, which I think we'll probably tackle later on. So those of you that aren't familiar, cyber insurance covers things like denial of service attacks and other types of security related incidents. Not every company has it. And we're starting to see a lot of them asking for this in security questionnaires, because people want to be financially secure if their vendors have an issue.

Macy Mody

And I think there might be a couple more you want to touch on there. But really quick, we got a question from David, relating to what you were just talking about. Kevin, are there any main points to look out for in SOC 2 reports?

Kevin Qiu

Yes. So we obviously use a lot of SaaS vendors. And something that I've started to notice is there are a lot of these firms, they're essentially lowest bidders, and they're taking anyone they can get, and they promise SOC 2 reports in a week or so. Check for basic, basic, basic controls, like make sure that if it's a SaaS app, they have had a pen test recently, right, and make sure that there are policies in place because policies are very important. Because if someone does make a mistake, HR needs something to go and say, hey, this is enforceable and you were supposed to do this. And just make sure that the auditor also gives a really good technical description of the application and the infrastructure. Because usually you'll see there's a network diagram or something in the first few pages. And if the auditor is able to summarize it in the report, then it shows they actually had a really good understanding. And they weren't just kind of doing a check the box type of deal.

Matt Roeckel

I think, to elaborate on the diagrams, the data flow is so important to really understand where is your data being sent and is it being processed by a subprocessor as well. So yeah, on the SOC 2 report definitely going through the description, and then just scrolling to the bottom, that's usually where all the exceptions are. So that's a quick, quick way to see if they have any exceptions. Scroll to the last page of that PDF.

Macy Mody

Awesome. And Matt, did you have anything else you wanted to kind of add on for areas for attendees to focus on to prepare for a potential ransomware attack?

Matt Roeckel

Yeah. So I mean, from the legal side of it, you know, definitely retaining legal counsel and PR for ransomware. So being ready, where if your company is attacked, that you have a plan in place. And then part of that plan would be, you know, are you going to pay a ransom? So having the executive decision from your board, stating they're gonna pay up to this amount without their approval, and the executive to approve that. Yeah, I think also on the ransomware, back to the NHS, if there is a threat to life, pay the ransom. Nothing's worth more than a human's life. So that's definitely a pay scenario.

And one of the top things as well, as at least in the US, establishing an early relationship with an IC3 agent, the Internet Crime Complaint Center, powered by the US FBI. So establishing contact with law enforcement personnel, so that you are ready, and you have a direct contact. So you're not scrambling after the fact. And then if you take action, it could potentially be detrimental to the company.

Kevin Qiu

Yeah. And one last thing to add about this question is, so if someone does ransomware you and they say, if you don't pay me by this amount, we're gonna release all this to the public. Just be aware that even if you do pay that ransom, they might still leak that out. There's no guarantee that they'll just return the data or the decryption keys to you and then delete stuff on their own. There's really no incentive for them to keep their word because they're hidden behind chains and chains of cryptocurrency wallets. So it's very hard to track who they are. And so that should factor into your executive decision as well, whether or not to pay.

Macy Mody

Interesting and, and it looks like we had a question come in. Is there anything particular you've done at Split to prepare internally that you didn't cover? And have you done all the things you did cover?

Matt Roeckel

So for all the items that I have covered, we have implemented at Split. We're SOC 2 Type 2 certified, and we're pursuing ISO 27001 at the moment. So yes, all that's been implemented. I think the last item to add is doing tabletop exercises to simulate attacks. So that's definitely something that should be part of your plan as well.

Kevin Qiu

I think, whenever you tell executives, oh, ransomware can happen, they might say, it's probably not gonna happen to us. But if you actually have a PowerPoint, or some sort of interactive game, where you say, pretend this is happening right now, what would you do? It does force a lot of folks who aren't necessarily familiar with security to actually start thinking about it, to sit down and go, oh, this would be really bad, who should we contact?

Macy Mody

Awesome. And should people be proactive about those exercises? And if so, how often would you recommend people host those exercises?

Matt Roeckel

So we do it annually, here at Split. And I think that, you know, at least annually, if not more often, and updating like your call tree. So when something happens, making sure you're ready. We use OpsGenie also another competitor is PagerDuty, and making sure that that culture is up to date, as personnel changes over time. So who was on the call tree three years ago may not be the same people today. So definitely at least annually keeping that data up to date.

Macy Mody

Awesome. All right. We did get a question from the audience. But I think we mainly covered it. I'm just reading it right now. With ransomware becoming more prevalent, how are you upgrading your defense against it at Split or other companies you advise? It feels like a cat and mouse problem where bad actors are always getting better and security leaders need to get ahead of it. And I think we mostly covered it, but if you have anything else to add, or if Kevin wants to follow up?

Kevin Qiu

Yeah, so one thing to note about that is a lot of the really common attacks happen because someone's defenses are just so poor, right? So the idea behind keeping up with the attacker is the more effort you spend defending, the more effort they're going to also have to spend attacking. And so a lot of times these ransomware attacks, they happen through phishing emails, or they email a whole ton of people. And the ones that tend to get hit are the ones who don't have a lot of defense in depth in place. And if you think about it, they want to just hit somebody, get some ransom. And if it costs them a penny versus $1,000 to be successful, they're probably going to aim for the penny situation, right? So having things like email gateways, endpoint protection, phishing training, etc., makes it much less likely that those people come back to your organization. Whereas an organization without any security, and they see on LinkedIn that there's no one on a security team, it's probably more likely that those folks will be less prepared for it.

Matt Roeckel

And I think iterating constantly as well. So technologies that you implemented three years ago may not be applicable to today. So continuously improving your infrastructure is definitely top of mind, always.

Macy Mody

Awesome. Um, a question that I'm actually personally very interested in. I think we typically hear a myth that Macs aren't able to get attacked? At least that was a myth I heard when I was a kid. And what if a company uses both Linux and macOS? We mostly hear about Windows getting attacked. But are they at risk? And are just macOS organizations at risk in general?

Matt Roeckel

Sure, I'll take this one. So every operating system is at risk. Yeah, there's definitely more targeting and more attack surface with Windows. So there's larger organizations that have 1000s of Windows machines, and macOS is more prevalent these days. So it's, I would guess, maybe 10 to 20% of environments are running macOS, globally. And macOS is not immune to malware, as well as Linux machines. So definitely having endpoint protection on every single type of OS is necessary today.

Kevin Qiu

Yeah, that's why you guys will notice if you're using a Mac, even your personal ones, it seems like every day or so you'll get a notification in the upper right saying updates are available, would you like to restart an hour later? And if Macs weren't susceptible, Apple wouldn't be pushing these out so frequently, right? They're doing this for a reason, to protect you and your organization. And on a personal level as well, if you're using an iPhone, same thing. iPhones are also vulnerable to malware. They're just not these magic devices that are super secure, despite what Apple marketing may lead you to believe.

Macy Mody

A question and follow up from me. On my personal computer, I am a culprit of not wanting to restart it and update it all the time. Is there a cadence? I know there's, of course, important updates that I read about in the news. And I always do those. But is there a cadence that in general, we should be checking for updates and pushing organizations to check for updates.

Matt Roeckel

So within macOS, specifically, you can check the box to say automatically run updates. And that's highly recommended. And rebooting, I reboot my laptop at least once a week, even without any security updates. So just for cleanliness of the system file. So definitely run updates. When you see the software updates being pushed by Apple, run them right away. A lot of them are zero day. We had one in macOS Big Sur, about a month and a half ago, where there was an iteration that was pushed. That was a zero day, as well as for Catalina. So there's definitely updates that are less urgent, like you don't need to update to the latest macOS Monterey, because there's probably lots of vulnerabilities with a brand new OS. But any iterations within your primary major OS version would be highly recommended.

Kevin Qiu

Yeah, I always recommend folks do it during lunch, or if they're working from home and they're taking like a half day or something. Leave your computer there for a couple hours. By the time you come back. It should all be fully updated. We're not saying do it during the middle of day where you have 10 meetings, but do it on a less busy day or even just like a while you're cooking dinner or something where you don't need it for the rest of the day.

Macy Mody

Got it. Thank you. That's helpful. I have one more topic I wanted to go through. So this is my prompt for the audience. If you do have questions or additional topics, and I see we have one, please feel free to put them in the chat or in the Q&A. And we'll make sure to get to them in a couple minutes here. So my last kind of topic I want to talk about is insurance. Does insurance that companies might have cover ransomware attacks?

Matt Roeckel

You take a stab? Sure, yeah. So on the insurance front, you'd have to have an additional policy for cyber insurance. So most companies have a supplemental policy for cyber. One thing to keep in mind with cyber insurance policies, they'll reimburse for the ransomware payments, possibly, but they will not pay up front. So the company is required to pay that out of their own bank account, and then seek reimbursement from the insurance company. So that's something to keep in mind. Whether you're able to pay the ransom is based on what access to liquid cash, or Bitcoin these days, you have. But yeah, cyber insurance will still cover all the PR and legal costs associated with it, and disclosures that have to be made.

Kevin Qiu

But you know, knowing that it is reimbursement, they're not going to give you the money themselves right away. Keep in mind that it's insurance, right? So when you file your claim, you're probably not going to see that money back for a little bit. It's not going to be the same day. And so that's also another factor to consider when deciding whether or not to pay that ransom.

Macy Mody

Awesome. Got it. And I know that company size depends on the amount of coverage. And Kevin, I know you've kind of gone through this recently, actually, could you kind of talk through what coverage amounts someone might need?

Kevin Qiu

Yes, so a lot of times, if you guys are working with vendors, right, they'll say, the numbers that we typically see, our cyber coverage should be anywhere from like a million dollars to $5 million on aggregate or per incident, depending on the situation. So for smaller companies, a million probably makes more sense. And then as you get larger, the 5 million makes more sense. And so your insurance broker or provider will likely do a survey to see the number of assets you have, the number of employees, and they'll work with you to come up with a reasonable number. And if you do encounter those contracts where they say we want a ridiculously high amount of coverage, usually you can say, well, we do have coverage, but for a company our size, this amount was deemed appropriate. We've never had issues with that. And so just be aware that those numbers are usually just there as a template in MSAs.

Macy Mody

Okay, that wraps all of the topics I had wanted to cover. Al did post one question, which I'll read out. And I would definitely encourage others to ask questions. They don't necessarily even have to be ransomware related. If you have general security questions, we do have two experts on the line. So feel free to ask away.

So Al's question is ransomware has been around for a while, but has the shift to remote work exposed companies to be more susceptible to ransomware attacks? And then as a follow up, are there any new tools or solutions that security leaders are adopting or buying, given that this shift is so recent? Is this something to consider in the boardroom when companies think about building remote teams? Matt? Maybe you want to take this one?

Matt Roeckel

Sure. Yeah. So the scope has changed a little bit with all the remote work, it depends on how the infrastructure is set up. So you know, here at Split, we've had a cloud based approach to all of our infrastructure, VPNs through the cloud. So you know, on premise, there was a lot of shift for larger companies to shift from on premise services into the cloud, because employees were no longer in the offices to access those servers. So there is a push towards the cloud, for access for VPNs. And not restricting access based on your location. So you should be agnostic to your location, and then exclude any embargoed countries that you might have as your policy. So we have our list of embargoed countries where you can't access Split's data. Some of that's driven by customer contracts, and some of it is our internal policy.

Kevin Qiu

Yeah, if any of you have ever worked for like an older company that doesn't use AWS or anything like that, you probably have had to VPN to the office network from home, and depending on the company, this might be a miserable experience, because not all offices have super high bandwidth internet. And so if you're on a VPN connecting to some database that's hosted in your office and they only have like 100 megabits per second and 1000s of people are sharing it, you're gonna probably run into slowdowns and disconnects. This happened quite a bit with a lot of these companies that had never allowed employees to work from home, and then COVID kind of forced it, and these IT teams were scrambling to install VPN solutions, and they didn't really have time to test them or stress test them. And it was just a really big mess in the early parts of last year, and so we're starting to see tools like Perimeter 81 and Cloudflare Access, which are much easier to use and much more SaaS compatible, crop up. That's why you might be seeing a lot of these advertisements saying like VPNs are dying, etc. It's a lot of these newer next gen providers that are trying to get rid of that old way of connecting to an office network.

Macy Mody

Makes sense. And Al, thank you for asking that because we are a global team here. It's a global remote team here at SafeBase. So great question. And we have a few more minutes. We're happy to answer more questions if you raise your hand. I can also allow you to talk if you would like to kind of speak to Matt and Kevin and ask a question. And I'll give you guys a few seconds. And if not, I guess I can do my wrap now while I give you all a few seconds.

So thank you for joining today. SafeBase is an interactive security portal. We help companies share their security posture and automate access to sensitive documents. We would love to work with you. So we will reach out after this webinar. Feel free to reach out to us. Our emails are simple. Mine is macy at safebase.io. Kevin is kevin at safebase.io. So we would love to hear from you. And then also I know as promised, we will be giving the first 25 signups free SafeBase access for the first three months. And additionally we'll be doing a raffle and you'll hear from me if you win the two Amazon gift cards. With that, any final questions or remarks? Anyone want to ask or add? If not, we'll give everyone like 10 minutes back. All right. Thanks, everyone for joining. And thanks, Ethan. Good luck to you too. And we will be in touch.
