Real Conversations with Real CIOs: Have you been held hostage?

Brian Kuhn rd 2016The September event hosted by the Vancouver Chapter of CIOCAN provided opportunities for conversations among members on five different topics of interest.  Brian Kuhn hosted the discussions about Security/Ransomware, and submitted this summary:

When asked if they had experienced a Ransomware ‘event’, virtually all participants in the three sessions indicated that they had. Ransomware is a relatively recent and interesting technique for extorting funds from organizations and individuals. Universities, hospitals, and businesses around the world have been hit by these exploits and our Vancouver CIOs have not been left out. In every case however, these savvy CIOs described recover efforts that took minutes or hours by restoring from near term backups or restore points and none were required to pay a ransom.

However they manage to gain access to a computer, (‘phishing’ e-mails or bad web links) the ransomware program or script downloads and encrypts documents and data files. If the computer is on a corporate network, the program will look for shared folders and encrypt files there as well. The ransom note then appears on the screen, usually indicating a starting price and the rate of increase if there is a delay in paying the ransom to get the decryption key. Recently, these exploits also randomly delete documents and files each day the person delays. Most ransom notes will ask for payment in bitcoins to cleverly hide their tracks.

It was generally agreed that user education and awareness of security issues and requirements are essential. Members shared some of the methods of training currently being used. Some colleagues have hired firms to undertake random phishing attacks. These companies then record who got ‘sucked in’ and clicked on the link. Knowing who fails the test can be used to require employees to take special security training.

Most training is online, uses animated scenarios, and includes some kind of assessment. Certainly training is seen as an essential ingredient to defending against security vulnerabilities. The SANS organization provides a free security training course which includes 20-30 1-2 minute video animations, each followed by a 3-5 question ‘test’. Results are recorded, and if the person passes, they receive a certificate. A side benefit of this approach saw trained employees reporting messages with a bad link to the help desk! Another organization selected a security advocate from each business department and sent them on 7-days of security training. This individual then became the security ambassador for their department.

OpenDNS is another service used by one of our members. When an email is received or a website visited, all links are sent to the OpenDNS service to validate the links against an up-to-date database of ‘bad links’. If a bad link is detected, the user will see a report and the event will be logged for the organization to review and report on, and the link will be blocked.

The conversations acknowledged the importance of an in-depth defensive approach against ransomware and other security threats. CIOs agreed that anti-virus end point protection is no longer sufficient; a multipronged approach is best. This can involve using IPS (intrusion prevention system) filtering on a firewall, anti-virus protection, two different email filtering processes, and training/ awareness efforts. Another important approach to consider is removing things hackers want. One organization involved in significant financial transaction volume removed credit card information from their system, pushing that requirement (and risk) to their credit card processor.

All CIOs see security as part of an IT risk management program, which itself is part of organizational or enterprise risk management. We undertake annual IT risk assessments with a security focus and feed this into the enterprise risk register. Some have created formal security incident response protocols to standardize response to incidents. As IT leaders, we brief senior executives on our security efforts and through this are able to significantly raise awareness at the executive table. This has translated into more resources for IT to manage risk.

CIOs agree that due diligence is very important when addressing IT security. We need to demonstrate that sufficient steps have been taken technically, procedurally, and with their teams to sufficiently address security risks at a level expected for their sector. One of our members reported success in having some IT security audit built into the annual financial audit. Auditors will recommend IT controls and mitigations and these recommendations flow up through the CFO to the senior executive and board. This is another helpful approach to raising awareness and concern which can translate to improved resources for IT to address the greatest risk areas.

For more on this topic, check out the CIOCAN – InfoTech Webinar scheduled for October 20, 1:00 pm ET/10:00 am PT.