A Large Price to Pay: Ransomware’s Urgent and Escalating Threats to Technology Companies

(DESCRIPTION)
Logo, Travelers. Text, What Makes Technology Companies Uniquely Vulnerable? Ken Morrison speaking over slide. Text, Ken Morrison, Assistant Vice President, Cyber Risk Control at Travelers. Slide, Today's Cyber Risk Landscape. Image of a woman with glasses looking at a computer screen.

(SPEECH)
KEN MORRISON: Sure. And first, by and large, understand that ransomware is basically just a way of doing business, albeit illegally. What that means is that the decision to initiate and continue an attack is at least partially based on a cost-benefit analysis. If the cost of conducting an attack is perceived to be too great, then the attacker may decide to go somewhere else. And the cost is actually determined by the friction the attacker has to overcome. And the friction is from security controls, the controls and processes that are in place.

So what makes tech and life sciences unique? Well, automation, for one, digitization, introduction of internet of things into the manufacturing process.

(DESCRIPTION)
Slide, What Makes Tech and Life Sciences Companies Uniquely Vulnerable? Icon of a person with computer surrounded by four circles with text, Automation, Intellectual Property, Third-party suppliers, End-of-life (EOL) technology. Image of a hand on keyboard.

(SPEECH)
All of these things now are exposed to the internet, potentially. And this creates a lot of security challenges and exposes a lot of potential vulnerabilities that can open doors to attackers, such as ransomware.

Another is overseas third-party suppliers, common in the industry, at risk of cyber attack increases unless you keep a regular eye on these suppliers and their security. Use of end-of-life or end-of-support technology-- so this is software or hardware that doesn't receive updates anymore or support. That could be a criminal's gateway right into your network.

And I actually understand this one really well. I worked in a high-tech environment, manufacturing environment. We used some end-of-life computers. I have to admit. And so these are integrated with multimillion-dollar machining tools.

So to upgrade the computer meant upgrading that multimillion-dollar machine. And it wasn't always so easy. So to compensate, we took those systems completely off the network until we could get the funding to upgrade the whole thing. So just remember, if end-of-life equipment isn't used and it can't be upgraded, you want to get it off the network.

Another is a high reliance on multiple suppliers of their own and a large remote and sometimes fully outsourced workforce. So remote workers using their own computers not protected by their corporate's network can also create some open doors for attackers to get in.

(DESCRIPTION)
Logo, Travelers.

The Travelers Indemnity Company. All rights reserved. Travelers and the Travelers Umbrella logo are registered trademarks of the Travelers Indemnity Company in the U.S. and other countries.

(DESCRIPTION)
Logo, Travelers. Text, What Makes Life Sciences Companies Uniquely Vulnerable? Ken Morrison speaking over slide. Text, Ken Morrison, Assistant Vice President, Cyber Risk Control at Travelers. Slide, What Makes Tech and Life Sciences Companies Uniquely Vulnerable? Icon of a person with computer surrounded by four circles with text, Automation, Intellectual Property, Third-party suppliers, End-of-life (EOL) technology. Image of a hand on keyboard.

(SPEECH)
KEN MORRISON: For life sciences, life sciences-- the business segment is what attackers call a target-rich environment. Why? Because there's a lot of intellectual property. Sometimes foreign state-sponsored attackers have targeted and will continue to target life sciences to steal their intellectual property and disrupt their operations. China, for example, is well known to use this tactic to have us do their R&D for them.

There's a lot of sensitive information, personally identifiable information, health care information, which is ripe for identity theft and extortion. There's a lot of capital and a lot of high availability requirements. So this is a ransomware attacker's delight. So high amounts of capital mean a lot of money to spend on a ransom. And high availability requirements mean you're likely to pay that ransom to get back up and running. Also, believe it or not, hacktivists and extremists can target life sciences for ethical differences, if you will.

And what are some exposures? Well, there's a high reliance on third parties, their supply chain, IT providers-- they collect data-- contract manufacturing organizations, clinical research organizations. The use of all these third parties means that businesses are reliant on their systems and their data, over which they might not have complete control. And that might make them susceptible.

There's a lot of automation in production processes, a lot of heavy reliance on medical devices and sensors. So any of these devices are compromised. A medical device in a hospital, for example, could put patient health at risk.

(DESCRIPTION)
Logo, Travelers.

The Travelers Indemnity Company. All rights reserved. Travelers and the Travelers Umbrella logo are registered trademarks of the Travelers Indemnity Company in the U.S. and other countries.

(DESCRIPTION)
Logo, Travelers. Text, Why Do Mergers & Acquisitions Pose a Risk for Ransomware Attacks? Kirk Harrison speaking over slide. Text, Kirk Harrison, Associate Director, Digital Forensics and Incident Response at Arete. Slide, Three Real Life Examples. Acquisition, Abandoned client, Proxy log on and double extortion.

(SPEECH)
KIRK HARRISON: Yeah, there are several examples that come to mind, particularly what Ken just touched on there with the merger and acquisition. That component is something that comes up fairly often. A client acquires a network as part of some kind of merger or acquisition. And that network contains machines that don't have their platform installed on it yet or their protective services installed on it.

So due diligence is really important there when you're going to be interfacing with those systems and bringing them into your fold. A lot of times, mergers and acquisitions are because of a particular technology or a particular setup or system that a competitor or whatever you're buying out is using.

And so, particularly with that case, I just worked with a-- it was an education-based company. And they had acquired an organization about a year or so before we got involved with them. And in this case, they were actually aware of a couple of things that they knew they needed to tag and take care of. But just because they had a limited availability with personnel and time and resources, they were forced to prioritize things alongside of, hey, we've got to get these other things functional and working in tandem, if not before.

And so it's very easy to get complacent when you don't have something blow up immediately or you don't see something that's terribly egregious. But in this case, there was a particular account that had a-- I guess it had some sort of MFA enabled. So they kind of wrote it off as being OK.

But since this was an AWS environment, some other credentials had been farmed somehow for this network. And so the third actor got access to the network and then actually pushed a vulnerability that they used for MFA on-- in this particular case, it was an AWS key pair. And so they were able to bypass MFA and begin exfiltrating data from their S3 layer and from several buckets which contained sensitive data.

And then right after we finished our engagement with them-- we were able to come in. And they had already nipped the thing in the bud, so to speak. They had found the account, disabled it, deleted all the tokens. But after that, they had gone through a buyout themselves.

And so they had dragged me back into the room to speak about, how is it that this came about? And it was just very interesting to talk about. It was just another merger and acquisition that took place where they hadn't done exactly enough due diligence.

(DESCRIPTION)
Logo, Travelers.

The Travelers Indemnity Company. All rights reserved. Travelers and the Travelers Umbrella logo are registered trademarks of the Travelers Indemnity Company in the U.S. and other countries.

(DESCRIPTION)
Logo, Travelers. Text, Protecting Your Network with Endpoint Detection and Response. Ken Morrison speaking over slide. Text, Ken Morrison, Assistant Vice President, Cyber Risk Control at Travelers. Slide. Text, Prevent, Protect, Respond, Recover. Icons for each.

(SPEECH)
KEN MORRISON: And you can get some of this great information. Pay attention to the US CISA site. So if you go to cisa.gov, C-I-S-A dot G-O-V, a great site for getting alerts on this kind of information. They have a new Shields Up site, which is really geared toward helping prevent any kind of cyber attacks and giving everybody a little bit of advanced warning for bad things that are happening.

Another thing that you can do is disable port protocols that you don't need. So your firewalls have ports and protocols. That's how computers communicate with each other. You don't need them all. You just need a very few. Just make sure you only use what you're intending to use, and you close or block everything else.

Now let's talk about protection-- endpoint detection and response. So this is the next-generation antivirus. Regular old antivirus just does not cut it anymore. EDR, Endpoint Detection and Response, is where you want to go now. It's way beyond just looking for a known bad file. It's actually starting to look at behavior. And it's starting to look just for anomalous activity on the network, something that a regular old antivirus isn't going to touch or isn't going to find.

(DESCRIPTION)
Logo, Travelers.

The Travelers Indemnity Company. All rights reserved. Travelers and the Travelers Umbrella logo are registered trademarks of the Travelers Indemnity Company in the U.S. and other countries.

(DESCRIPTION)
Logo, Travelers. Text, Diving Deeper into Multi-factor Authentication. Kirk Harrison speaking over slide. Text, Kirk Harrison, Associate Director, Digital Forensics and Incident Response at Arete. Slide, Diving Deeper into MFA. Image of a woman holding a cell phone and looking at a laptop screen.

(SPEECH)
KIRK HARRISON: But I would say, despite where we're at and how frequent these things are becoming and how relatively simple MFA is to implement, I would say that probably it's 70-30 don't have MFA enabled. And it's one of those things that's so simple and, from an infrastructure standpoint, for email, is a given.

If your company is using O365, like Office 365, the cloud, Microsoft Office email, it is very, very simple to implement. It wouldn't take more than a week for someone to sit down who doesn't know anything about it and implement it from a technological standpoint. It's very, very simple.

And from an end user perspective everyone always says, well, I don't want to go and-- I don't want to have to go get that code every time. Or I don't want to have to go pull up my phone and get my Duo app or my Google Authenticator or whatever. And there's ways to dial that in. But having that conversation is not grounds for not implementing it, in my opinion.

I think MFA should be absolutely mandatory, simply because it's just the cost of doing business. That phrase makes sense to a lot of business people. And they need to understand that that also applies to technology, especially in the landscape of the threat landscape that exists nowadays.

It can't be negotiable or optional. It's got to be something that we all are using because it reduces your surface area so significantly with such little resource heaviness. And I think it absolutely needs to be more prevalent, and it's not yet still.

(DESCRIPTION)
Logo, Travelers.

The Travelers Indemnity Company. All rights reserved. Travelers and the Travelers Umbrella logo are registered trademarks of the Travelers Indemnity Company in the U.S. and other countries.

(DESCRIPTION)
Logo, Travelers. Text, How Does Cyber Insurance Fit into the Equation? Ken Morrison speaking over slide. Text, Ken Morrison, Assistant Vice President, Cyber Risk Control at Travelers. Slide, Preparing Your Business with Cyber Insurance Coverage and Solutions. Image of woman holding a tablet.

(SPEECH)
KEN MORRISON: But to talk about cyber insurance, you have to understand what risk really means. So remember, risk is considering both the probability and the impact of something bad happening. So what this means is if there's a high probability of something bad happening, and if it does happen the impact is substantial, then you need to manage the risk.

And remember, four ways to manage risk-- one is to accept it. Hopefully you've got good processes in place to document why you're accepting it. Second is avoid it. Third way is mitigate it. Fix those vulnerabilities. But the fourth way is to share the risk. And that's what insurance is for-- share that risk.

So if you remember from property and casualty-type insurance, what you do is you get money to replace or repair property that might be damaged or lost from a fire, from a hurricane. It's pretty clear in that case what the costs were going to be. But with cyber, especially with ransomware, as you mentioned earlier, Kirstin, costs are off the charts.

So first is fixing the damage to the systems. The encryption process that ransomware attackers use can sometimes permanently damage a computer. Sometimes it's not recoverable. And if it's wiperware, then it's all done. So it's a replacement or repair cost.

Then forensic costs-- specialists like Kirk and his team to come in to find out what happened, recommend how to fix it, contain it. So that's a cost as well. And not only that, one of the other benefits that Kirk's team could do is they can actually help negotiate with the ransomware attackers. And speaking of that, the ransom itself-- we're seeing ransoms in the millions of dollars these days. That's very common.

Business interruption-- so how much revenue is lost for every day your systems are down? How long can you survive if your business is dead in the water? Liability-- if your customers and clients are impacted, you might get sued. So the legal fees, indemnification, defense costs.

And then the government-- so compliance, penalties, fines. Do you have to notify customers if their information might have been compromised? And if so, do you need to set up a call center? Who's going to pay for all those penalties and fines for letting it get compromised?

(DESCRIPTION)
Logo, Travelers.

The Travelers Indemnity Company. All rights reserved. Travelers and the Travelers Umbrella logo are registered trademarks of the Travelers Indemnity Company in the U.S. and other countries.