Nobody Expects The Spanish Inquisition

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus

 

Nobody expects the Spanish Inquisition

Reg (slightly irritatedly and with exaggeratedly clear accent) One of the cross beams has gone out askew on the treddle.
Lady Mountback Well what on earth does that mean?
Reg I don’t know. Mr. Wentworth just told me to come in here and say that there was trouble at the mill, that’s all – I didn’t expect a kind of Spanish Inquisition.
Cardinal Ximinez Nobody expects the Spanish Inquisition! Our chief weapon is surprise…surprise and fear…fear and surprise…. our two weapons are fear and surprise…and ruthless efficiency…. Our three weapons are fear, surprise, and ruthless efficiency…and an almost fanatical devotion to the Pope…. Our four…no… amongst our weapons…. amongst our weaponry…are such elements as fear, surprise…. I’ll come in again. (exit and exeunt)

 

From this article:

The volume of ransomware attacks over the first three quarters of 2021 reached 470 million, a 148% increase on the same period last year, making 2021 already the worst year on record, according to SonicWall.

From a KnowBe4 newsletter:

Starting in late 2019, ransomware started routinely exfiltrating data, in what is now commonly known as “double extortion.” I wrote about it on January 7, 2020 on the (KnowBe4) blog. I shared that beyond traditional encryption, ransomware programs and gangs were also doing the following:

  • Stealing Intellectual Property/Data
  • Stealing Every Credential It Can – Business, Employee, Personal, Customer
  • Threatening Victim’s Employees and Customers
  • Using Stolen Data to Spear Phish Partners and Customers
  • Publicly Shaming Victims

It’s Not Just Extortion, Anymore

When we put this together it paints a bleak picture for the future. When ransomware first reared its ugly head, the only threat you had was the extortion to get your data unencrypted. Then, the bad guys realized that if a good backup was available, the ransom didn’t have to be paid. So they started encrypting backups as well. Then people started having offsite backups that couldn’t be encrypted so the bad guys resorted to data exfiltration first, then encryption. If you didn’t pay the ransom, the threat was to have your data dumped out into the public domain. Then the bad guys graduated to threatening to inform the clients of the victim. Then they added DDoS attacks to keep the victim from getting back online. Add the additional activities listed above and others yet to be added to the list and you see that a network compromise has moved far beyond the simple extortion for data encryption keys.

The challenge for victimized businesses lies in what they do not control. Assuming you have good backups available, and assuming your recovery plan works, and assuming you don’t lose customers because of the breach, and assuming you get back to business before you go broke, you still can’t control what the bad guys do with your data if they got it as part of the attack. These days, it is SOP to get the data first, then do something to the network.

How Valuable Is Your Data?

It is bad enough you have been violated. How much worse if the data the bad guys got is then used to attack your customers? Your data gives the bad guys a window into your customer’s business. It gives the bad guys contacts with detailed information about people and contracts that allow spear-phishing campaigns to be launched with great effectiveness. It may even facilitate successful attacks to compromise other networks. Can you say ‘downstream liability’? I am not a lawyer nor do I play one on TV but here is an interesting point from an interview on PBS

If I were to break into your system, and use that to go downstream to another system, there’s no clear-cut law saying that there’s liability on your part. You only have an obligation to protect the records for your client base, and for your customers and for your corporate owners. There’s no real responsibility downstream, since you have not actively done anything. But that doesn’t mean that, as the bar is raised, as the business practice says everybody should have a certain security and you don’t have that implemented on your system, that tomorrow there won’t be an issue of liability, because you didn’t have that in place.

Don’t Wait To Take The Proper Precautions

If you hadn’t noticed, people have become surprisingly litigious. Many times, suits are frivolous and only brought because someone doesn’t want to take responsibility for their actions. However, the trend of insurance companies refusing to insure companies that don’t have good security should be taken as a signal that security is no longer optional. If you don’t have insurance, and you have been successfully attacked, that could be the end of your business. If you are found legally liable for damage to someone else, your troubles are just beginning.

As long as bad guys make money with ransomware, attacks will continue. Phishing continues to be a major attack vector. Unpatched systems are another significant vector. These things can be mitigated to some degree, depending on your willingness to do so.  You may not expect the Spanish Inquisition, but you can expect the bad guys to attack. The time to prepare is now.