Why are Businesses, Including Law Firms, So Vulnerable to Ransomware?

Episode Notes

Transcript

Intro: Before we get started, I’d like to thank our sponsors PInow.com and CaseFleet.

[Music]

Intro: Welcome to Digital Detectives Reports from the Battlefront.  We’ll discuss computer forensics, electronic discovery, and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice.  Right here, on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 131st Edition of Digital Detectives.  We’re glad to have you with us.  I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cybersecurity, and managed information technology firm in Fairfax, Virginia.

John W. Simek: And I’m John Simek, Vice President, Sensei Enterprises.  Today on Digital Detectives, our topic is “Why are businesses including law firms so vulnerable to ransomware?”  Today, our guest is David White, President and Co-founder at Axio, a company with an innovative methodology and software that provides company’s ability to their cyber risk and enables them to prioritize investments to protect their business and employees.  Dave leads Axio’s innovation team and federal team and is actively involved with clients deploying the Axio360 solution.  He is responsible for Axio’s risk modeling, threat analysis, and assurance analysis activities.  Welcome to the podcast today, Dave.

David White: Thank you so much for having me today and thank you for your interest in Axio and our research and ransomware preparedness.  It’s really a pleasure to be with you, and I’m looking forward to our conversation.

Sharon D. Nelson: Let’s start David by having you tell us a little bit about Axio, and its 2021 State of Ransomware Preparedness Report.

David White: Sure.  I’d be glad to do that.  So, Axio’s mission is to enable security and business leaders to focus on risks that matter most.  And in support of that mission, we’ve created a methodology and a software as a service platform that we call Axio360.  And that platform and methodology is designed to empower risk leaders and security leaders to confidently and continuously answer for critical questions about their cyber risk exposure.  I’ll run through those questions now.  One is what’s at risk in financial terms.  We do this with a quantification methodology and, our platform, it’s a fast-paced and transparent methodology works really well with teams.  And, you know, I really believe that it’s time in the cybersecurity discipline for us to move beyond the classic red, yellow and green ratings and really start to talk about and understand cyber risks in financial terms, the language of business, so that we can speak about them in the same way our organization speak about other risks.  So, that’s the first question, “What’s at risk?”  The second question is, “Am I maturing my cyber security program as I need to be?”  And we answer that with cyber security planning and management module in our platform.  That is all about conducting a continuous assessment with an eye toward the future.  So, our assessment style is that you need to do an assessment that is accurate for where you are today, but always looking at some specific point in time in the future for where you intend to be at that point in time.  And we out-of-the-box support assessments based on the Department of Energy’s Cybersecurity Capability Maturity Model or C2M2, the NIST Cybersecurity Framework or CSF, the DoD’s new Cybersecurity Maturity Certification program or CMMC, and the Center for Internet Security top controls.  We also have our own Ransomware Preparedness Assessment in there.  I’ll talk more about that in the context of the study a little later and we host custom assessment.  So, that’s the, you know, “Am I maturing?” question.  Really, what’s my posture?  And the third question is, “Do I have the financial ability to recover from a major cyber event?”  We talked a lot about resilience in organizations and the bottom line on any organization’s resilience is whether it has enough gas in the tank or money in the bank if you will to live and fight another day.  And in response to a major cyber event, that’s a question that, you know, leaders and organizations have some fiduciary responsibility to understand.  We answer that question through an automated insurance analysis that takes an entire portfolio view to discover policy language, deficiencies and really policy language features that are favorable and unfavorable to cyber coverage or cyber causes of loss, if you will.  And then, we do automated stress testing against those quantified scenarios to answer the question, you know, if we had this major event, —

(00:05:00)

How much of that would we have to consume on our financial statements?  And you can only answer that by understanding how much you would likely recover from your insurance contracts.  And finally, the fourth question is, “Where should I invest to reduce risk?”  We have the ability in our platform to model control changes and how those control changes will affect a given risk or a set of risks.  And, you know, mostly, those control changes are improvements.  They could be improvements to in your assessment.  They could be in the implementation of a new protective technology or control, but we also have customers use that feature to evaluate negative changes, things that would increase your risk, like, “What does my look like if we do close on that acquisition?  And suddenly, in three months from now, I’m responsible for an additional 12,000 endpoints.  And so, that modeling how changes in your environment or your control landscape will affect risk is a key value in what we do.  So, that’s a little bit about Axio.  We recently published the 2021 State of Ransomware Preparedness Report.  This is the first time we’ve published this report.  It was based on an analysis of the identified data from our Ransomware Preparedness Assessment.  The responses were from a wide range of organizations that are all of whom are motivated to improve their ransomware defenses.  This is not survey data or opinion-based data.  So, we think this data has maybe more intrinsic value than a simple survey since organizations were answering these control questions based on their own intention to improve their protections against ransomware.

John W. Simek: Well, Dave, most of our listeners, they’re from the legal sector and a little the cat out of the bag a little bit because I think we pretty much know that they’re somewhat ill prepared to fight ransomware.  But your report really identifies I think seven key areas that the firms could actually address.  Can you talk a little bit about that?  And that I think is the meat of what our listeners want to hear.

David White: Sure, John.  I’d be happy to.  So, the data we are working with here is from our Ransomware Preparedness Assessment.  So, we start by just saying a couple of things about the assessment.  We built it early in 2021 in collaboration with a major insurer who shared insights with us from more than 200 ransomware claims in the prior year.  And so, we’re really confident in the sort of underpinnings of the Ransomware Preparedness Assessment, and that assessment covers 65 controls that are key to the prevention containment and restoration of ransomware.  And it’s available for free.  And if your listeners who are interested, can find it on our website, axio.com.  For the study, we took those 65 controls and organize them into seven key areas that are critical for that ransomware prevention, containment and restoration.  And those seven areas are one management of Privileged Access.  What privileged credentials, Privileged Access are the most powerful keys in the organization’s infrastructure.  And we know from recent ransomware events that the ransomware criminals have gotten really good at pivoting inside your organization and escalating to lend Privileged Access during an attack.  And the Privileged Access they most want is your domain admin credentials, the credentials to your Active Directory infrastructure.  They’ve learned how to sort of weaponize Active Directory to amplify their attack.  And so, management of Privileged Access is one of the most important things that organizations can do to protect themselves from modern ransomware attacks.  So, that’s number one.  And I intentionally am saying more about that than I will about the other six.  Two is basic cyber hygiene.  So, these are things that are preventative and fundamental in the configuration of assets when you put them to work in your organization to make sure that they don’t have unnecessary features turned on really as part of your basic cyber hygiene approach.  Three, managing exposure to supply chain risk.  Almost every organization is shifting.  Everything is a service cloud-based computing and other dependencies on supply chain vendors.  So, we really need to understand what kind of risk we’re inheriting from those third parties and make sure that we have not created any inadvertent entry points through the supply chain for network monitoring, unquestionably the front line of defense for proactively identifying and neutralizing ransomware attacks.  Five, incident management, having a sound competent incident response plan is key to an organization responding with the velocity that it needs to a cyber event, —

(00:10:00)

Like a ransomware event and, given the prevalence of ransomware, it’s really important these days to have a specific ransomware focused incident response playbook.  Six is vulnerability management.  Criminals of all types continue to exploit vulnerabilities.  The time to active exploit from vulnerabilities once they’re announced has dramatically reduced over the years.  So that now, we can point to times when less than 24 hours lapsed from the time of vulnerability was announced to win a criminal.  One or more criminals were exploiting that vulnerability.  So, vulnerabilities really need to be remediated on a timely basis, especially if they’re in any assets that are exposed to the internet.  And finally, number seven, training and awareness.  Anybody in your organization with user credentials is on the frontline of defending your organization from phishing and other entry points from chemicals.  And so, making sure that those frontline defenders have the right training and awareness they need is another critical area of protection.

Sharon D. Nelson: Well, one of the things our listeners would want to know, Dave, is why our law firms particularly so deficient in their preparedness?  What’s your opinion about that?

Dave White: Well, I think law firms — and I should say that, in our study, we did not segregate the data by industry types.  My commentary here is going to be general.  I have, in my past, done some work with law firms and that certainly colors my answer here as well.  Like many other organization types, law firms are in a rush to embrace the latest technology.  And in that rush, I think that lots of organizations may be losing focus on some of the basics and that’s one of our hypotheses in this report.  Look, it makes sense as an organization that we spend a lot of resources and time expanding our technology capabilities, especially when you consider what the world has been like over the past 18 months, as we’ve been dealing with this need for unprecedented, unencumbered remote work.  And so, that rushed to implement new technology is I think one of the things that may be causing organizations to overlook the basics.  I think another factor is the sort of challenge in introducing internal impediments to access, right?  Lots of organizations, especially in smaller organizations have set up their environment.  So basically, anybody with any access has access to everything and that sort of hard shell and gooey center approach to cybersecurity is a very rich playground for a cybercriminal because once they’ve made it through that outer shell, they can do anything and they have access to everything.  And so, I think that’s another reason we see organizations of all types including law firms being exposed to ransomware as a risk.

John W. Simek: Dave, you mentioned about the rush to implement new technologies and those types of things.  But can you tell us some of the key data findings from the report?

Dave White: You know, go back to what I said about the attack pattern where ransomware criminals have gotten really good at pivoting and escalating privilege.  So, based on that precursor, it’s probably no surprise that, personally, my top three findings in this report are all related to Privileged Access Management.  And, number one, 63% of organizations according to our study have not implemented multi-factor authentication for privileged accounts.  I was really surprised by that.  Sixty-three percent is a really high number not to have implemented multi-factor authentication given that those are the proverbial keys to the kingdom.  We found that 64% are not auditing service accounts, and service accounts need to be audited for audited for both their use, the kind of privileges they have and their assignment.  Service accounts are routinely installed on endpoints throughout the organization to facilitate or ease the deployment of technologies.  In fact, ironically, there are a lot of security technologies out there, security software, that asked administrators to install service accounts as part of their installation process.  Those service accounts are a key way that the criminals are able to get hold of those privileged credentials.  And so, we really have to keep our eye on those and absolutely minimize or eliminate their use, but 64% are not auditing them.  And then, there’s a powerful new technology in the marketplace.  It’s been around for a couple of years, Privileged Access Management, and a Privileged Access Management solution is a really great way to lockdown privileged credentials.  We found that 77% have not implemented a Privileged Access Management solution.  So, those are three key findings associated with Privileged Access Management that we were surprised by.

(00:15:02)

Sharon D. Nelson: I started taking notes because I haven’t heard that exact language exactly that way and that’s a very high percentage not to have adopted.

Dave White: Yeah, yeah.  It’s a very high percentage.  Look, these are sometimes taking care of some of these issues.  I mean, when you first deployed Active Directory years and years and years ago, you may not have been thinking about this and that’s why it’s important to circle back and take care of some of those basics.

Sharon D. Nelson: So, how much of a problem is that when law firms fail to evaluate the cybersecurity postures of third parties that are allowed access to their networks?

Dave White: Another finding from the study that I was really surprised by is that we found that 71% do not evaluate the cybersecurity posture of business or technology partners before allowing those business or technology partners access to their network.  So, you’re basically letting unvetted users access the network at a rate of 71% and that’s a major risk for any organization.  When I think about law firms, it’s an enormous risk because of the sensitivity of data that’s typically in the possession of law firms.

Sharon D. Nelson: It’s another horrible statistic.  That’s for sure.

John W. Simek: Well, I think targeted probably wishes they listen to you before their HVAC vendor to access, right?

Dave White: Right, exactly, exactly, exactly.  And, you know, we use that as a little anecdote in the report to highlight the importance of vetting your supply chain before you give them access.

John W. Simek: It’s really too bad.  Everybody can quote the poster children.

Sharon D. Nelson: That’s true.

John W. Simek: But before we move on to our next segment, let’s take a quick commercial break.

[Music]

Advertiser: What could be more important than knowing the facts of your case inside and out?  Case Fleets Powerful Software makes it easy to create a chronology of each case and to track the evidence for each fact.  With an intuitive interface, full text search and built-in document review, Case Fleet makes fact management easy.  Sign up for a 14-day free trial at casefleet.com/Digital Detectives and get 10% off your first subscription.

[Music]

Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation?  PInow.com is a one-of-a-kind resource for locating investigators anywhere in the US and worldwide.  The professionals listed on PInow understand the legal constraints of an investigation are up-to-date on the latest technology and have extensive experience in many types of investigation, including workers’ compensation and surveillance.  Find a prescreen private investigator today.  Visit www.PInow.com.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network.  Today, our topic is, “Why are businesses including law firms so vulnerable to ransomware?”  Today, our guest is Dave White, President and Co-founder at Axio, a company with an innovative methodology and software that provides companies visibility to their cyber risk and enables them to prioritize investments to protect their business and employees.  Dave leads the Axio’s innovation team and federal team and is actively involved with clients deploying the Axio360 solution.  He is responsible for Axio’s risk modeling, threat analysis, and insurance analysis activities.

John W. Simek: Dave, in the first segment, you talked about the seven key areas and one of them was training, which I picked upon because Sharon and I do that as well.  But what percentage of your respondents conduct regular cybersecurity awareness training for their employees, and I’m going to guess that that number is probably on the low side?

David White: Yeah, John, let me ask you a question.  Are you an optimist or a pessimist?

John W. Simek: If we’re talking about cyber on a very pessimistic.

David White: Okay.  Well, in that case, I’ll say it this way.  Fifty percent are not conducting user awareness training for email and web threats.  So, this is a glass, half-full glass, half-empty spat precisely, 50% the respondents are split.  So, I suppose the good news there is the 50% are conducting that training.  We also found that only 45% are conducting proactive phishing assessments.  I don’t know why these numbers are so low, but I think that everybody’s busy, users are busy, and organizations might get a lot of pushbacks from users or attorneys on spending billable time on training and that might be why we find those numbers to be so low.

(00:20:00)

Sharon D. Nelson: They are getting better.  We saw at the beginning of the pandemic that the numbers then were low.  But increasingly, we’re giving two, three, four training sessions a week.  So, that suggests to me that maybe if you measure again in a year, the numbers might be better.

David White: That’s great news.  I know that.  I mean, I love that you guys are doing this.  There are a lot of good resources out there.  So, this is not a hard box to check for organizations.

Sharon D. Nelson: It shouldn’t be.  The other thing I wanted to ask about was how law firms and others are doing with adopting technologies that detect and stop ransomware which, of course, is currently a scourge for everybody.  Are the technologies themselves somewhat unreliable or too expensive?

David White: So, this is a great question.  What we saw in the study is that 68% of organizations are not monitoring for deviations from an established baseline of network or system activity.  So, that’s really looking for anomalies in the use of your technologies and the use of your network.  And then, we found that 55% are now monitoring for or alerting on anomalous connections to the network, so connections they weren’t expecting to be made to the network and 64% are not monitoring for suspicious transfers of data or for processes that use excessive network resources.  So, those are indications that monitoring really isn’t where it should be and, of those seven areas that I talked about before, network monitoring is probably the most technically challenging.  But as I’m sure you’re aware, there are some really good outsource solutions in the form of MSSPs or Managed Security Services Providers.  But you still need even if you outsource your monitoring and there’s a really good solutions out there for outsourcing it, it takes a while to get it implemented.  It takes a while to tune it, and you’re still going to need resources inside the organization who can respond even if you’ve outsourced that monitoring.  But especially for small to mid-sized organizations, outsourcing is the right approach here.

John W. Simek: I would agree with that as well, and it just surprises me how many folks just really aren’t even considering EDR solutions these days.  So, —

David White:  The good news is the EDR is taking off.  The bad news is that there are still a lot of people out there who are dependent on the old school signature-based detection schemes on endpoints, which they’re just not effective at this day and age.

John W. Simek: We certainly agree with that.  Well, shifting gears a little bit.  Your report talked about and you also mentioned earlier in the first segment about going back to basics, the back-to-basics approach which takes some of the easy to exploit weaknesses off the table.  What does that approach involve?  Can you talk a little bit more detail about that?

David White: It involves those seven basic areas that we discussed earlier.  And I would say that the highlights for me there are get privileged access under control and that’s my number one recommendation.  My number two and my number three recommendation are the same thing.  And then, number four would be something like has to do with cyber hygiene and making sure that all of the assets on our network are configured in a way to minimize their technology exposure.  Shut down ports.  Make sure that you got the right protective technology like EER installed.  Get your hands around supply chain risk management, not easy, but building a supply chain risk management program is something that every organization today needs because we are all — look, we are in this era of mass specialization.  So, we’re going to have increasing dependence on the supply chain, and we’ve got to manage the risk that we’re inheriting.  We talked a few minutes ago about network monitoring.  Look, I was really surprised at the number of organizations that have not implemented or tested an incident response program or incident response playbook for ransomware.  We found that only 26% respondents are using ransomware specific scenarios to evaluate their incident response plans.  So, that I thought was really, really low and given the prevalence of ransomware, we need to be prepared to respond to a ransomware event.  So, those are some of the basics that I think we have to get back to.

Sharon D. Nelson: We probably talked already about some of the cybersecurity basics that you mentioned in the end of the report, there are five simple actions identified there.  Maybe, you could quickly go through those for us since we’re about at the end of our time.

David White: Yes.  So, the five key recommendations are secure and control privileged credentials with multi-factor authentication or Privileged Access Management and severely restrict or eliminate service accounts, so those privileged access.  I can’t emphasize them enough given what’s happening in ransomware.  Improve your defensive posture by shoring up some basic hygiene elements through secure configuration of endpoints and servers.

(00:25:05)

Three is revisit supply chain controls.  It’s really time to take a more formal approach to supply chain risk management.  Four, update or build a ransomware incident response plan and test that plan.  And five, reassess your vulnerability management program.  Attackers, criminals are weaponizing vulnerabilities at a faster rate than we’ve ever seen before.  So, we have to be prepared to very quickly respond and roll out patches to address vulnerabilities once they’re identified.

John W. Simek: If our listeners want to learn more, where can they get a copy of this report that you referenced?

David White: So, the report is available for download from our website.  You’ll find our website at axio.com.  That’s A-X-I-O dot com, and your listeners can find it there.  They can also find the Ransomware Preparedness Assessment there on our — or access it from our home page by clicking on the free assessment button at the top of the web page.

Sharon D. Nelson: Those are all very valuable resources.  So, we want to say a sincere thank you for being our guest today, Dave.  We really appreciate the knowledge that you’ve imparted to our audience.  I think that ransomware has been about the scariest thing that most law firms have seen unless, of course, they’ve had wire fraud committed because of business email compromise.  But those are not so many in number, although they are the greatest financial risk, but just hearing what a report shows, I think it makes a big impression on folks to hear some of the stats and just to hear people who are in different areas of the cybersecurity world talked through all that together.  I think it’s very useful and instructive for them.  I did really enjoy your study, and I hope we will take a look at it and take a look at your site for resources.  Thanks for being our guest today.

David White:  Sharon, thank you.  John, thank you as well.  Thank you both for your interest in our work at Axio.  It’s really been an honor and a distinct pleasure to spend time with you today.

[Music]

John W. Simek: Well, that does it for this edition of Digital Detectives and remember, you can subscribe to all the additions of this podcast at LegalTalkNetwork.com or an Apple podcast.  If you enjoyed our podcast, please rate us on Apple Podcast.

Sharon D. Nelson: And you can find out more about Sensei’s Digital Forensics, Technology and Cybersecurity Services at scnscient.com.  We’ll see you next time on Digital Detectives.

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network.  Check out some of our other podcasts on LegalTalkNetwort.com and in iTunes.

[Music]

Podcast transcription by Tech-Synergy.com