More stories

  • Canberra proposes IoT 'star' ratings and mandatory cyber standards for big business

    The federal government wants to strengthen Australia’s cybersecurity regulations and has suggested seven areas for policy reform, including the introduction of mandatory governance standards for larger businesses, a code for how personal information is handled, and a system for regulating smart devices.

    In a bid to “further protect the economy from cybersecurity threats”, the government is proposing either a voluntary or a mandatory set of governance standards for larger businesses that would “describe the responsibilities and provide support to boards”. While the crux of both options is similar, the mandatory code would require the entities covered to achieve compliance within a specific timeframe, and it would be enforced. A voluntary option would not require specific technical controls to be implemented and would instead be treated as a suggestion.

    The government would prefer the code be voluntary, however, saying “on balance, a mandatory standard may be too costly and onerous given the current state of cybersecurity governance, and in the midst of an economic recovery, compared to the benefits it would provide”. It also flagged that there was no existing regulator with the relevant skills, expertise, and resources to develop and administer a mandatory standard.

    Small businesses, meanwhile, have had a “cyber health check” function suggested. A voluntary cybersecurity health check program would see a small business awarded a trust mark that it could use in marketing. Businesses applying for the health check would self-assess their own compliance, with a basic level of due diligence provided by government or a third party, the paper proposes. The mark would expire after 12 months.

    The idea is drawn from the UK government’s Cyber Essentials program.

    The paper also proposes the creation of an enforceable code under a federal piece of legislation to increase the adoption of cybersecurity standards. It said the Privacy Act has the greatest potential to set broad cybersecurity standards in relation to personal information. “Establishing a code under the Privacy Act could drive the adoption of cybersecurity standards across the economy by creating regulatory incentives for uptake,” it said.

    Such a code would specify minimum rather than best-practice approaches; the paper said it was unrealistic to mandate the Australian Signals Directorate’s Essential Eight through a cybersecurity code. A cybersecurity code would have some limitations, however: it would only apply to the protection of personal information, and only to entities that are covered by the Privacy Act.

    The government is also considering regulatory approaches to increasing the uptake of responsible disclosure policies, again posing a voluntary and a mandatory option. The voluntary option would see the government release guidance or toolkits for industry on the process of developing and implementing responsible disclosure policies. The mandatory option, it said, could be incorporated into the potential cybersecurity standard for personal information.

    The paper also discusses the introduction of clear legal remedies for consumers after a cybersecurity incident occurs, as currently there are limited legal options for consumers to seek remedies or compensation. It asks respondents what amendments could be made to the Privacy Act 1988 and Australian Consumer Law to sufficiently cover cybersecurity, as well as what other actions the government should consider.

    Regulating IoT devices is also proposed. “We believe that one reason that many smart devices are vulnerable is because competition in the market is primarily based on new features and cost,” the paper says. “Unfortunately, consumers often aren’t able to tell the difference between a secure and insecure device, which limits commercial incentives to compete on cybersecurity and leads consumers to unknowingly adopt cybersecurity risk.”

    In a bid to mitigate this, the government last year released the voluntary Code of Practice: Securing the Internet of Things for Consumers, which contains 13 principles, or expectations the government has of manufacturers, about the security of smart products. The discussion paper suggests taking this further and making the code mandatory. The standard would require manufacturers to implement baseline cybersecurity requirements for smart devices.

    The paper also holds that consumers do not currently have the tools to easily understand whether smart devices are “cyber secure”, as there is often a lack of clear, accessible information available to them. Proposals to remedy this include the introduction of a voluntary star rating label or a mandatory expiry date label.

    Details on how the former would take shape are slim, but the discussion paper describes similar schemes underway in the UK and Singapore. The Singapore scheme consists of four cybersecurity levels, with each indicating a higher level of security and/or additional security testing. The mandatory expiry date label, meanwhile, would display the length of time that security updates will be provided for the smart device. This kind of label would not require independent security testing, and therefore would be a lower-cost approach compared to a star rating label, the government said. In its “pros and cons” table, the government highlights the expiry date option as its preferred way forward.

    Submissions on the discussion paper close 27 August 2021.

  • ACSC introduces Essential Eight zero level cyber maturity and aligns levels to tradecraft
    The Australian Cyber Security Centre (ACSC) has refreshed its Essential Eight implementation guide, which now sees all of the Essential Eight strategies become essential.

    “The Essential Eight Maturity Model now prioritises the implementation of all eight mitigation strategies as a package due to their complementary nature and focus on various cyber threats,” the ACSC said. “Organisations should fully achieve a maturity level across all eight mitigation strategies before moving to achieve a higher maturity level.”

    The ACSC now states that the maturity model is focused on “Windows-based internet-connected networks”, and while it could be applied to other environments, other “mitigation strategies may be more appropriate”.

    Compared to its last release, the maturity model adds a new maturity level zero, defined as environments with weaknesses that cannot prevent the commodity attacks covered by level one, and the levels are now aligned to the cyber tradecraft and tactics adversaries use.

    “Depending on an adversary’s overall capability, they may exhibit different levels of tradecraft for different operations against different targets. For example, an adversary capable of advanced tradecraft may use it against one target while using basic tradecraft against another,” the guide states. “As such, organisations should consider what level of tradecraft and targeting, rather than which adversaries, they are aiming to mitigate.”

    Attacks within maturity level one include those using publicly available attacks in a spray-and-pray fashion to gain any victim they can, while adversaries at maturity level two will invest more time in a target and in tooling.

    “These adversaries will likely employ well-known tradecraft in order to better attempt to bypass security controls implemented by a target and evade detection,” the guide says. “This includes actively targeting credentials using phishing and employing technical and social engineering techniques to circumvent weak multi-factor authentication.”

    At the highest level, maturity level three, the attacks are not as reliant on public exploits, will move laterally through networks once access has been gained, and can undertake tasks like stealing authentication tokens.

    The guide does warn that even the best cyber protections may not be enough. “Maturity level three will not stop adversaries that are willing and able to invest enough time, money and effort to compromise a target,” it says. “As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual.”

    Digging into the levels

    While the guide has the same overall headings as its previous iteration, many of the details have changed, becoming more precise while also reducing various timeframe recommendations. Of particular note for level three is the constant recommendation of centralised logging across systems, ensuring logs cannot be changed, and that they are used in the event of a cyber incident.

    Under application control, maturity level one calls for “execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets” to be prevented on workstations within user profiles and temp folders. The next level up extends this to internet-facing servers and requires executables to be whitelisted. At level three, the restrictions include all servers as well as whitelisting drivers, using Microsoft’s block rules, and validating the whitelist.

    For patching applications, the level one recommendations now drop the patching of apps on internet-facing servers down to two weeks, or 48 hours if an exploit exists; for workstation software, the deadline is a month. The ACSC is also recommending the use of vulnerability scanners daily on internet-facing servers, and fortnightly otherwise. “Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed,” the level one recommendation states. At level two, the workstation app patch deadline drops to two weeks, while all other updates get a month-long deadline. Also at level two, vulnerability scanning should occur at least weekly on workstations, and fortnightly for all other parts of the network. At the highest level, any unsupported application is removed, and workstation patching drops to 48 hours if an exploit exists.

    Patching for operating systems has the same timelines and recommendations for vulnerability scanning, with the inclusion at level three of only using the latest, or immediately previous, release of a supported operating system.

    The ACSC has also recommended that macros be disabled for users without a business case, macros in downloaded files be blocked, antivirus solutions scan macros, and macro security settings not be changeable by users. Level two sees macros blocked from Win32 API calls, and attempted macro executions logged. For level three, macros need to run from within a sandbox or trusted location and need to be validated and digitally signed by trusted publishers on a list that is reviewed at least annually.

    Under application hardening, as well as the 2017 recommendations to block ads and Java in browsers, the ACSC adds that users cannot change security settings and Internet Explorer 11 cannot process content from the internet. Level two sees Office and PDF software banned from creating child processes, while also being blocked from creating executables, injecting code into other processes, or activating OLE packages. Any blocked PowerShell script executions need to be logged, and Office and PDF software security settings cannot be changed by users. Internet Explorer 11, .NET Framework 3.5 and lower, and PowerShell 2.0 are disabled or removed at level three. PowerShell could also be configured to use Constrained Language Mode, the ACSC states.

    Looking at restricting admin privileges, the guide now says privileged accounts, except for privileged service accounts, should be prevented from accessing the internet and should run only in a privileged environment that does not allow unprivileged logons. At level two, access to privileged systems is disabled after a year unless reauthorised, and is removed after 45 days of inactivity. The ACSC added that privileged environments cannot be virtualised within unprivileged systems, admin activities should use jump servers, use of and changes to privileged accounts should be logged, and credentials must be unique and managed. At level three, the privileged service accounts exception is removed, just-in-time administration is used, privileged access is restricted only to what users need, and Windows Defender Credential Guard and Windows Defender Remote Credential Guard are used.

    Multi-factor authentication (MFA) is recommended on third-party services that use an organisation’s data, and on an entity’s internet-facing servers. This increases to recommending MFA for privileged users and logging all MFA interactions at level two; for level three, it is expanded to include “important data repositories” and ensuring MFA is “verifier impersonation resistant”.

    On backups, the prior monthly recommendation is dropped in favour of backing up “in a coordinated and resilient manner in accordance with business continuity requirements”, and timeframes for testing recovery from backup and for holding backup data are dropped. Added as a recommendation is ensuring unprivileged users have read-only access to their own backups. At level two, the read-only restriction is extended to privileged users, and at level three only backup administrators can read backups, and only “backup break glass accounts” are capable of modifying or deleting backups.

  • Guess announces breach of employee SSNs and financial data after DarkSide ransomware attack

    Billion-dollar fashion brand Guess has sent letters out to an unknown number of people whose information was lost during a ransomware attack in February. First reported by Bleeping Computer’s Sergiu Gatlan, the letters state that “unauthorized access” to certain Guess systems between February 2, 2021 and February 23, 2021 led to a breach of Social Security numbers, driver’s license numbers, passport numbers and financial account numbers.

    The letters, signed by Guess HR senior director Susan Tenney, only went out to four residents of Maine, per the state’s guidelines, but the company implied that more people were affected. In a statement to ZDNet, a Guess spokesperson would not answer questions about how many victims there were, only saying that “no customer payment card information was involved.”

    The Guess spokesperson would not confirm whether the breach was part of a ransomware attack, but the company appeared on the victim data leak site of the DarkSide ransomware group in April, and the group openly boasted about stealing 200 GB of data from the fashion brand during an attack in February.

    “Guess?, Inc. recently concluded an investigation into a security incident that involved unauthorized access to certain systems on Guess?, Inc.’s network. We engaged independent cybersecurity firms to assist in the investigation, notified law enforcement, notified the subset of employees and contractors whose information was involved and took steps to enhance the security of our systems,” the spokesperson told ZDNet. “The investigation determined that no customer payment card information was involved. This incident did not have a material impact on our operations or financial results.”

    In April, a member of DarkSide spoke with a reporter from Databreaches.net, telling the site that they had studied Guess’ financial records and knew the company brought in nearly $2.7 billion in revenue last year.

    “We recommend using your insurance, which just covers this case. It will bring you four times more than you spend on acquiring such a valuable experience,” the DarkSide representative said in messages translated from Russian. “We act in stages and notify the press usually already when exactly sure that the company will not pay. As for [Guess and another company they named] — I think the press will see them.”

    DarkSide shut down its operations in May after its attack on Colonial Pipeline brought international condemnation and increased scrutiny from law enforcement.

    In its letter to victims, Guess said it only recently finished its investigation into the cybersecurity incident, which it said was “designed to encrypt files and disrupt business operations.” Its security team discovered the incident on February 19 but later realized that the cybercriminals remained in its systems until February 23. It took until May 26 for the company to confirm that the personal information of “certain individuals” was accessed or acquired by an unauthorized actor. The company then waited until July 9 to begin sending notification letters to those affected.

    As most companies do, Guess is offering victims one year of credit monitoring and identity theft protection services from Experian. Guess also said it set up a call center for people with questions about the incident or those interested in enrolling in credit monitoring services.

    Erich Kron, security awareness advocate at KnowBe4, noted that this was an example of the long tail that ransomware attacks have. “Although the Darkside ransomware group is out of commission, that does not mean this breach is insignificant. The significant amount and very personal types of data being collected by the organization, including passport numbers, Social Security numbers, driver’s license numbers, financial account and/or credit/debit card numbers with security codes, passwords or PIN numbers, is an extremely valuable dataset for cyber criminals if they want to steal identities,” Kron said. “For this reason, unlike it appears in this case, organizations are wise to limit the amount of data kept and stored in systems.”

  • US Senate confirms Jen Easterly as head of cyber agency

    The US Senate on Monday unanimously confirmed Jen Easterly as the new director of the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security. The agency, established in 2018, is responsible for the security, resiliency and reliability of the nation’s cybersecurity and communications infrastructure.

    CISA has not had an official director since November, when then-President Donald Trump fired Chris Krebs, the agency’s first director, for debunking election fraud myths. Krebs’ deputy, Brandon Wales, took on the position on an interim basis, leaving CISA without a full-time leader amid the fallout from the SolarWinds hacks and a number of other state-sponsored attacks on government organizations.

    Easterly brings both corporate and military experience to the role. She most recently worked for Morgan Stanley as head of resilience. She also served as the Cyber Policy Lead for the Biden-Harris presidential transition team. Earlier, Easterly served at the White House as Special Assistant to the President and Senior Director for Counterterrorism and as the Deputy for Counterterrorism at the National Security Agency. She retired from the US Army after more than 20 years of service in intelligence and cyber operations and was responsible for standing up the Army’s first cyber battalion. Easterly was also instrumental in the design and creation of United States Cyber Command. She is a two-time recipient of the Bronze Star.

    President Joe Biden nominated Easterly to lead the agency in April, and Senate Democrats initially attempted to confirm her nomination in late June. However, her nomination was held up briefly by Republican Sen. Rick Scott of Florida as a means of bringing attention to the US-Mexico border. Scott said he would refuse to confirm any Department of Homeland Security nominees until Vice President Kamala Harris went to the border, which she did shortly thereafter.

    Amid the delay, ZDNet spoke with a number of experts about whether CISA should be spun off from the DHS.

  • SolarWinds releases security advisory after Microsoft says customers 'targeted' through vulnerability

    SolarWinds released updates for its Serv-U Managed File Transfer and Serv-U Secure FTP tools this weekend after it was notified of a vulnerability by Microsoft. In an advisory sent out on Friday and updated on Saturday, SolarWinds said Microsoft “reported to SolarWinds that they had discovered a remote code execution vulnerability in the SolarWinds Serv-U product.” SolarWinds added that the Serv-U Gateway is a component of the Serv-U Managed File Transfer and Serv-U Secure FTP tools and is not a separate product.

    The vulnerability is present in the latest Serv-U version, 15.2.3 HF1, released May 5, 2021, and in all prior versions. Microsoft provided the company with a proof of concept of the exploit and said that at least one threat actor has already used it.

    “A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system,” the advisory said. “Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability. SolarWinds is unaware of the identity of the potentially affected customers.”

    A hotfix, Serv-U version 15.2.3 hotfix (HF) 2, has been developed and released. SolarWinds said customers of the product should log into their Customer Portals to access updates.

    For those who are not on active maintenance and currently using a Serv-U product, the company said it was offering customer service help. 

    SolarWinds Updates

    To check whether you have been compromised through this vulnerability, SolarWinds listed a number of suggestions and questions administrators should ask.

    “Is your environment throwing exceptions? This attack is a Return Oriented Programming (ROP) attack. When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands. Please note, several reasons exist for exceptions to be thrown, so an exception itself is not necessarily an indicator of attack,” SolarWinds said.

    “Please collect the DebugSocketlog.txt log file. In the log file DebugSocketlog.txt you may see an exception, such as:”

    07] Tue 01Jun21 02:42:58 – EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5

    The company noted that exceptions “may be thrown for other reasons so please collect the logs to assist with determining your situation.”

    SolarWinds added that administrators should look for “connections via SSH from the following IP addresses, which have been reported as a potential indicator of attack by the threat actor: 98.176.196.89, 68.235.178.32; or, look for connections via TCP 443 from the following IP address: 208.113.35.58.”

    SolarWinds vulnerabilities have been targeted repeatedly over the last year, and the company drew headlines in December when Russian government hackers compromised its network and deployed malicious SolarWinds Orion updates to clients that contained a backdoor called Sunburst. In March, it was revealed that Chinese government hackers had launched another attack on a SolarWinds server.
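As an added example (not code from the article or from SolarWinds), the Python below runs the two checks the advisory describes over constructed input: it searches DebugSocketlog.txt content for the C0000005 exception inside CSUSSHSocket::ProcessReceive() while ignoring other exceptions, and it matches connection records against the listed addresses on the protocol SolarWinds tied each one to. The log lines and connection records are constructed samples, and the assumption that Serv-U SSH listens on port 22 is mine.

```python
"""Triage helper for the Serv-U indicators in the SolarWinds advisory (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Signature of the exception quoted in the advisory: an access violation
# (C0000005) raised inside CSUSSHSocket::ProcessReceive(), i.e. while the
# SSH receive path is handling a packet.
EXCEPTION_RE = re.compile(
    r"EXCEPTION:\s*(?P<code>[0-9A-Fa-f]{8});\s*(?P<func>[\w:]+)\(\)"
)
SUSPECT_CODE = "C0000005"
SUSPECT_FUNC = "CSUSSHSocket::ProcessReceive"

# Addresses the advisory lists, split by the protocol it tied each one to.
SSH_IOC_IPS = {"98.176.196.89", "68.235.178.32"}
TCP443_IOC_IPS = {"208.113.35.58"}
SSH_PORTS = {22}  # assumption: Serv-U SSH on the default port

# Constructed DebugSocketlog.txt content. Line 2 mirrors the exception quoted
# in the advisory; line 3 is a different exception that must NOT match.
SAMPLE_DEBUG_LOG = """\
[07] Tue 01Jun21 02:42:10 - Session opened
[07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
[08] Tue 01Jun21 03:01:02 - EXCEPTION: C0000005; CHttpRequest::Parse(); Type: 2
[09] Tue 01Jun21 03:05:00 - Session closed
"""

# Constructed (source IP, destination port) records, e.g. from a firewall
# export. 203.0.113.7 is a documentation address standing in for a normal client.
SAMPLE_CONNECTIONS: List[Tuple[str, int]] = [
    ("203.0.113.7", 22),
    ("98.176.196.89", 22),
    ("68.235.178.32", 80),
    ("208.113.35.58", 443),
]


def find_suspect_exceptions(log_text: str) -> List[Dict[str, str]]:
    """Return log lines whose exception matches the advisory's signature.

    Exceptions with another code or in another function are ignored: the
    advisory stresses that exceptions are thrown for many reasons, so only
    this specific combination is treated as worth escalating.
    """
    hits = []
    for line in log_text.splitlines():
        m = EXCEPTION_RE.search(line)
        if not m:
            continue
        code, func = m.group("code").upper(), m.group("func")
        if code == SUSPECT_CODE and func == SUSPECT_FUNC:
            hits.append({"code": code, "func": func, "line": line.strip()})
    return hits


def find_ioc_connections(conns: Iterable[Tuple[str, int]]) -> List[Dict[str, object]]:
    """Flag connections from the listed addresses.

    A listed address on the protocol the advisory names is a direct match;
    the same address on some other port is kept as a weaker 'address-only'
    match so an analyst still sees it.
    """
    hits = []
    for ip, port in conns:
        if ip in SSH_IOC_IPS and port in SSH_PORTS:
            hits.append({"ip": ip, "port": port, "match": "ssh-ioc"})
        elif ip in TCP443_IOC_IPS and port == 443:
            hits.append({"ip": ip, "port": port, "match": "tcp443-ioc"})
        elif ip in SSH_IOC_IPS or ip in TCP443_IOC_IPS:
            hits.append({"ip": ip, "port": port, "match": "address-only"})
    return hits


def assess(log_text: str, conns: Iterable[Tuple[str, int]]) -> Dict[str, object]:
    """Combine both checks into a verdict that keeps the advisory's caveat.

    A matching exception alone, or an address match alone, is 'review';
    the exception together with a direct address match is 'likely-exploitation'.
    """
    exceptions = find_suspect_exceptions(log_text)
    connections = find_ioc_connections(conns)
    direct = [h for h in connections if h["match"] != "address-only"]
    if exceptions and direct:
        verdict = "likely-exploitation"
    elif exceptions or connections:
        verdict = "review"
    else:
        verdict = "no-findings"
    return {"exceptions": exceptions, "connections": connections, "verdict": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_DEBUG_LOG, SAMPLE_CONNECTIONS)
    print("verdict:", result["verdict"])
    for h in result["exceptions"]:
        print("exception:", h["line"])
    for h in result["connections"]:
        print("connection:", h)
```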

  • Microsoft acquires cybersecurity company RiskIQ

    Cloud security company RiskIQ has been bought by Microsoft for $500 million, according to Bloomberg. RiskIQ said last year that its cybersecurity programs are used by 30% of the Fortune 500 and more than 6,000 organizations across the world, including the US Postal Service, BMW, Facebook and American Express.

    In a blog post, Microsoft cloud security vice president Eric Doerr said the company was acquiring RiskIQ to help customers “build a more comprehensive view of the global threats to their businesses, better understand vulnerable internet-facing assets, and build world-class threat intelligence.” In the last year, Microsoft has purchased IoT security firms CyberX and ReFirm Labs to boost its cybersecurity offerings. Microsoft paid the $500 million in cash, Bloomberg reported. The tech giant has brought in more than $10 billion in revenue from security products over the last year.

    “As organizations pursue this digital transformation and embrace the concept of Zero Trust, their applications, infrastructure, and even IoT applications are increasingly running across multiple clouds and hybrid cloud environments,” Doerr said. “Effectively the internet is becoming their new network, and it’s increasingly critical to understand the full scope of their assets to reduce their attack surface. RiskIQ helps customers discover and assess the security of their entire enterprise attack surface—in the Microsoft cloud, AWS, other clouds, on-premises, and from their supply chain.”

    Doerr touted RiskIQ’s PassiveTotal community, which crowd-sources threat intelligence from around the globe.

    He said organizations can use RiskIQ threat intelligence “to gain context into the source of attacks, tools and systems, and indicators of compromise to detect and neutralize attacks quickly.”

    “The combination of RiskIQ’s attack surface management and threat intelligence empowers security teams to assemble, graph, and identify connections between their digital attack surface and attacker infrastructure and activities to help provide increased protection and faster response,” Doerr explained.

    RiskIQ co-founder and CEO Elias Manousos said RiskIQ’s Attack Surface and Threat Intelligence solutions will be added to the Microsoft Security portfolio, which includes Microsoft 365 Defender, Microsoft Azure Defender, and Microsoft Azure Sentinel. In his own blog post, Manousos said that the company works with “hundreds of the Global 2,000” and that its “community has grown to more than 100,000 security professionals.”

    “We’ll continue to support, nurture, and grow this community with Microsoft. We’ll also continue to grow and work with the valued members of our Interlock Partner Program. We’re joining Microsoft to extend and accelerate our reach and impact and are more committed than ever to executing our mission,” Manousos said. “We’ll work closely with our customers as we integrate RiskIQ’s complementary data and solutions with Microsoft’s Security portfolio to enable best-in-class solution attack surface visibility, threat detection, and response.”

    RiskIQ raised $83 million from Battery Ventures, Georgian, Summit Partners, MassMutual Ventures, National Grid Partners and Akkadian Ventures before the Microsoft acquisition, according to Crunchbase.

  • Gmail announces support for email logo authentication effort

    You may now see brand logos in your Gmail inbox thanks to a new agreement between Google and the AuthIndicators Working Group, which created Brand Indicators for Message Identification (BIMI).

    The developers of BIMI describe it as an “email specification that enables the use of brand-controlled logos within supporting email clients.” BIMI is meant to leverage the work an organization puts into deploying DMARC protection by bringing brand logos to a customer’s inbox, according to the developers behind the project. The group is a committee of companies working to add more authentication to inboxes as a way to offer more security to users. Google, Mailchimp, Fastmail, Proofpoint, Twilio SendGrid, Validity, Valimail, and Verizon Media are some of the companies working on developing BIMI.

    Valimail chief product officer Seth Blank, chair of the AuthIndicators Working Group, said Valimail employees are responsible for founding, naming and resourcing the BIMI standard. “We’ve been an avid supporter of BIMI since Valimail’s founding in 2015. With a goal to improve the ecosystem for everyone, BIMI enables brands to deliver their logos alongside email messages to billions of inboxes worldwide, increasing customer engagement with those messages and boosting brand trust,” Blank said. He went on to explain that in addition to the security benefits, BIMI allows companies and brands to customize their logos on email, newsletters, receipts and offers.

    BIMI was already available to Yahoo users but is now available to Gmail users, representing a massive expansion for the effort. BIMI will now be available to more than 2 billion inboxes through Gmail, AOL, Yahoo Mail and Fastmail. On top of offering companies a “secure, global framework in which inboxes display sender-designated logos for authenticated messages,” the effort is also meant to stop people from “spoofing” the logos of different enterprises. BIMI’s developers claim companies that use their system have seen a 10% average increase in engagement.

    Blank said many brands are now targeted by cybercriminals for spoofing and phishing, adding that BIMI was an “industry-wide effort to advance email authentication and help all brands protect themselves.” “It provides protection for users at scale and makes the email ecosystem better and safer for everyone,” Blank explained, adding that DMARC was an “essential safeguard” against most phishing attacks.

    “For the brand’s logo to be displayed, the email must pass DMARC authentication checks, ensuring that the organization’s domain has not been impersonated,” the tool’s creators explained. “By displaying the sending company’s logo next to an email, BIMI provides a visual cue to the recipient that the email has been authenticated and the sender is not spoofed.”

    The AuthIndicators Working Group said that for an enterprise’s logo to be eligible for display in Gmail messages, companies need to get a BIMI certificate, which it calls a Verified Mark Certificate (VMC), that confirms their right to use the image. “While VMCs are currently tied to registered trademarks from select jurisdictions, future plans seek to expand access to include both additional jurisdictions and options for unregistered trademark logos,” the group said.

    Valimail also said it was partnering with certificate providers Entrust and DigiCert to create a “streamlined process for companies to enforce DMARC and earn a VMC, both essential steps for BIMI compliance.” “DigiCert’s partnership with Valimail simplifies BIMI compliance with VMCs and DMARC enforcement — a strategy designed to deliver more consistent, secure email for businesses and consumers,” said Dean Coclin, DigiCert’s senior director of business development. “We anticipate growing demand for digital certificates displaying verified logos in email and are developing scalable solutions to help companies be ready on day one.”
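As an added illustration of the two prerequisites the article names (DMARC enforcement and a VMC), and not code from the article or from the AuthIndicators Working Group, the Python below checks constructed DNS TXT records the way a mailbox provider would before showing a logo. The record locations and tag names (`_dmarc.<domain>`, `default._bimi.<domain>`, `v=`, `p=`, `pct=`, `sp=`, `l=`, `a=`) and the enforcement rule come from the DMARC and BIMI specifications rather than the article; the `.svg` suffix test stands in for full SVG Tiny PS validation.

```python
"""Offline eligibility check for BIMI logo display (added example, constructed records)."""
from typing import Dict, List, Tuple

# Constructed TXT records. In DNS these would be published at
# _dmarc.example.com and default._bimi.example.com respectively.
ENFORCING_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
GOOD_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
NO_VMC_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg;"


def parse_tags(txt: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record into a dict (tags lower-cased)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_at_enforcement(dmarc_txt: str) -> Tuple[bool, List[str]]:
    """Apply the enforcement test BIMI requires of the sender's DMARC record.

    The policy must be quarantine or reject, cover 100% of mail, and must not
    relax the subdomain policy to none. A p=none (monitoring-only) record
    fails, which is why "enforcing DMARC" is a prerequisite.
    """
    tags = parse_tags(dmarc_txt)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("missing or malformed v=DMARC1 tag")
    if tags.get("p") not in ("quarantine", "reject"):
        problems.append(f"policy p={tags.get('p', '<absent>')} is not quarantine/reject")
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} leaves some mail unenforced")
    if tags.get("sp") == "none":
        problems.append("sp=none exempts subdomains from enforcement")
    return (not problems, problems)


def bimi_record_complete(bimi_txt: str, require_vmc: bool = True) -> Tuple[bool, List[str]]:
    """Check the BIMI record publishes a logo and, where the mailbox provider
    demands it (as Gmail does), a Verified Mark Certificate via the a= tag.

    The .svg suffix test is a stand-in for validating the SVG Tiny PS profile
    the specification actually requires of the logo file.
    """
    tags = parse_tags(bimi_txt)
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("missing or malformed v=BIMI1 tag")
    logo = tags.get("l", "")
    if not (logo.startswith("https://") and logo.lower().endswith(".svg")):
        problems.append("l= must be an https URL to an SVG logo")
    if require_vmc and not tags.get("a", "").startswith("https://"):
        problems.append("a= (Verified Mark Certificate URL) is required by this provider")
    return (not problems, problems)


def logo_eligible(dmarc_txt: str, bimi_txt: str, require_vmc: bool = True) -> Tuple[bool, List[str]]:
    """True only when DMARC is enforcing AND the BIMI record is complete."""
    ok_dmarc, dmarc_problems = dmarc_at_enforcement(dmarc_txt)
    ok_bimi, bimi_problems = bimi_record_complete(bimi_txt, require_vmc)
    return (ok_dmarc and ok_bimi, dmarc_problems + bimi_problems)


if __name__ == "__main__":
    for label, dmarc, bimi in [
        ("enforcing DMARC + VMC", ENFORCING_DMARC, GOOD_BIMI),
        ("monitor-only DMARC", MONITOR_ONLY_DMARC, GOOD_BIMI),
        ("no VMC", ENFORCING_DMARC, NO_VMC_BIMI),
    ]:
        ok, problems = logo_eligible(dmarc, bimi)
        print(f"{label}: {'eligible' if ok else 'not eligible'} {problems}")
```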

  • Ransomware: How banks and credit unions can secure their data from attacks

    As ransomware attacks surge across various industries, how should banks and credit unions protect their data, their customers’ data, and their reputation? ZDNet caught up with Steve Bomberger, head of SEI IT Services, to learn more about how banks and credit unions can avoid ransomware attacks and why they should pay close attention to what’s going on in the ransomware world right now. Watch my conversation with Bomberger above, or read a few of the highlights below.

Beth Mauder: Steve, what are some best practices to prevent falling victim to a ransomware attack?

Steve Bomberger: I think it’s pretty obvious these days that we’re all living in a digital and connected world. So to your point, businesses of all shapes and sizes, in all industries, are being affected by ransomware and other malware attacks. If we think about cybersecurity, we’d like to think about it not just as a technology planning solution, but also in the context of your business operations and your business planning. So a lot of times there’s a common question that’s brought to light: is ransomware a technology-related issue? Is it a policy issue? Is it a process issue? Really, to us, it’s all of the above.

Some of the best practices that you would put within those categorizations, to go down a quick laundry list for you, Beth, are simple things like maintaining and exercising a cybersecurity incident response plan. I think we’re all very, very aware now of what’s going on in the industry, so it’s time for us to be prepared collectively, both in the public sector and the private sector. So maintaining a response plan is a critical start to that.

Also, from a preparation perspective, keeping backups of data offline and regularly testing those backup procedures as an organization is pretty critical to being able to rally after an event if it were to occur. Simple things like separating your network systems: keeping your corporate environment separate from your operations or production environment is a good way to isolate different segments within your business. Practicing good standards for remote desktop: we’ve all experienced this remote environment and working from home, and that’s increased the surface area that we’re all dealing with from a cybersecurity perspective. So making sure that we are active in securing those connections to the best degree we can, and using multi-factor authentication, are certainly critical elements as well.

The other thing is vulnerability scanning. We’ve seen that through a recent event in the press. Doing regular scanning for your vulnerabilities, then timely patching of those vulnerabilities, and making sure people and organizations are updating their software: those are all things that are also critical. We know an attack vector for ransomware is email phishing. That’s the number one attack vector right now. So user education and good training can go a long way in combating this. Also, conduct regular exercises as an organization. So test the awareness of your users. Do third-party and regular phishing testing on your employees to see how they react and what their level of awareness is.

A couple of other things are keeping a good asset inventory. So understanding not just what hardware you have, but also what software you have, and keeping a tidy record of that is going to allow you a better and swifter reaction, too, if there was an incident. Really, from a technology perspective, we talk a lot about being comprehensive in your approach to cybersecurity. So the concept of defense in depth, which we know is an industry term that’s been out there for a while, the concept of having a layered approach to cybersecurity, is something that’s also very, very important. So this is a little bit of a defense that moves beyond just policy and procedure. So how do you position yourselves to be able to combat this as best as possible?

Beth Mauder: Regulations are starting to increase surrounding ransomware. What type of pressure is that adding to an already very pressured field?

Steve Bomberger: Yeah. Obviously, regulatory pressure can play a huge part in how we move forward with all this. Ransomware is not old, as we all know. It’s been around for 30 years, probably, but it’s really been monetized and in our face in the last decade. More recently, we’ve seen, to your point, the Colonial Pipeline. We’ve seen a lot of big press on this. So ransomware is not going away. I think in general, if we look at regulatory pressure, it may help reduce the volume and potential severity of attacks. But again, by no means is it going away. If we think about a couple of ways to look at it: if regulation or increased pressure allows organizations to follow standards, or to feel more apt to follow standards and strengthen their security posture, that’s going to make it harder for malicious actors, obviously, to get the payoff that they’re looking for. On the other side, if malicious actors are held more accountable, or if there’s a mechanism to hold them more accountable for their actions, that would clearly deter them to some degree. From a payment perspective, you look at that hockey stick evolution of ransomware, and it really ramped up when digital payments became simpler. So being anonymous with how you receive your payments has certainly eased the benefit for malicious actors. So if you can take all of those things and put pressure on certain elements of those, maybe you can help reduce the volume of it.

I don’t want to minimize the severity and the importance of this topic, but I sort of think about it from a simple analogy. If you can walk into a convenience store and steal a candy bar easily and walk out of the store without any repercussions, you’re most likely or probable to steal that candy bar again. However, if you add in a defense system, if you add in a security camera, if you put the candy bar right in front of where the clerk is, that’s going to deter you to some degree. So collectively, we talk internally here about a rising tide, the old quote: a rising tide lifts all boats. If we can collectively make it harder for these malicious actors, whether it’s through regulation or through better standards ourselves, if we can make it harder and make the payout more difficult, we’re all collectively going to make it a better spot for us.

Beth Mauder: What happens if banks specifically fall victim to ransomware?

Steve Bomberger: Yeah. Obviously, banks and credit unions, and any other organization that has confidential, very proprietary information on clients and deals with financial transactions, are going to be a heavily targeted group. I think you see that in a lot of statistics and data that are out there today. Specifically for banks, they’re going to have to deal with it like most other organizations are going to, obviously with the added pressure of regulation and communicating effectively through those regulations what has transpired and what’s at a loss from a client perspective or a business perspective. I mean, I think if we talk about best practices and we talk about financial institutions, whether they’re banks or credit unions, being prepared for this, you go back to that incident response plan. Having that plan in place is critical.

If you walk through the steps of what that looks like, it’s going to vary from organization to organization. But the process that an organization goes through is: you’ve got to identify what was impacted by the attack and try to isolate that environment as fast as you can. The time it takes to do that is obviously critical in how effectively that potential virus or malware can spread laterally through the organization. So identifying that early, as soon as possible, is critical. Then you have to triage. You have to look at what’s been affected, what systems are affected, and then you have to prioritize the restoration and recovery of that. Next, you analyze as an organization. Certainly, thankfully, banks are regulated and typically have teams, processes, and people around this, and they are able to analyze and work to understand where this came from and what occurred. Once that’s going on, you then, and this is a big part of what we see today, have to communicate that. Depending on the appropriateness of what transpired in the communication, you have to work with internal and external stakeholders to get the word out as to what occurred. Moving from there, you start to think about getting up and running, or getting back to business operations as they were. So recovering and assessing.

How do you keep this from happening again? How do you share intelligence? Go back to the quote I had earlier: if we can all share intelligence and become smarter about what’s attacking us on a regular basis, not just within the private sector but with the public sector, if we can collectively share information as a whole, financial institutions may get smarter because they have more data, more intelligence that can help prevent an attack in the future. I think the last thing that we shouldn’t be scared to talk about, too, is that there are a lot of resources out there now. I mean, this is a big topic with a lot of energy behind it, both in the public and private sectors. So if an organization needs assistance, they shouldn’t be afraid to go ask for that. There are some free resources out there, and there are also some very good private sector resources that can help an organization through something like that.

Beth Mauder: Steve, any final thoughts, anything that you’d like to cover?

Steve Bomberger: Yeah. I guess I would just say this is a topic that we’re all heavily invested in across all of the world and within many organizations and sectors. I think about the concept of looking at this collaboratively; we know that the malicious actors are collaborating and sharing tactics. So to the degree that we can share tactics and all get a little bit more intelligent with how we’re approaching this topic in combating ransomware and other cybersecurity attacks, we’ll be better for it. We need to think about processes internally for organizations. We need to think about people and teams, and we need to think about the technology that we use and how those all work together, outside of just the policy, to make sure we’re doing everything we can to make it hard on these malicious actors.