What is Zero Trust Cybersecurity (and Can I Afford It)?
One of the hottest buzz-phrases in cybersecurity these days is “zero trust.” In this episode, we talk about the three elements of zero trust cybersecurity, and how to implement a zero trust model. Affordably.
- Resilience Cybersecurity & Data Privacy
- 8 Useful Small Business Cybersecurity Tips You Need to Know – Resilience Cybersecurity & Data Privacy
- How To Destroy Perfectly Good Cybersecurity Policies – Resilience Cybersecurity & Data Privacy
- CISA Publishes Multi-Factor Authentication Guidelines to Tackle Phishing – InfoSecurity Group
- Why Zero Trust Helps Unlock Security Resilience – Cisco Security Blog
- The 5 Core Principles of the Zero-Trust Cybersecurity Model – Imperva
- How the Modern Data Landscape Made the Traditional Cybersecurity Approach Obsolete – Imperva
- Why Do User Permissions Matter for SaaS Security? – The Hacker News
- Weak Security Controls and Practices Routinely Exploited for Initial Access – CISA/Five-Eyes Security Groups
Brian: Hey everybody. Thanks for joining us here on the Fearless Paranoia podcast. I am Brian, the cybersecurity attorney.
Ryan: And I am Ryan and I’m a cybersecurity architect.
Brian: And we are here to help decrypt the complex world of cybersecurity. And today we have a topic that is close to our co-host’s technological heart, he’s a very big advocate, if that is the right word to use. But this is a very big deal for him. We’re here to talk about zero trust. There’s a lot of talk in the cybersecurity news, in tech news, in really all IT discussions about zero trust. And I feel like it is not a term that when it’s discussed, is discussed with, at least in the business world, much actual attention to what the term itself really means. So Ryan, what does zero trust mean?
Ryan: So zero trust is a really interesting concept. And like you said, you’re probably going to hear different speeches based on what zero trust is, and one of the biggest reasons I think this message gets messed up a lot lately is because there’s a lot of people also trying to sell zero trust. And I think so that you’re getting a lot of marketing messages that are getting in the way of what zero trust is. To me, zero trust is a very simple concept. And it starts from the concept of understanding what trust is in the IT world and in the technology world, and how it was kind of used in the past versus how we need to break away from that. Now, in the past, before the internet was so easy to traverse, and there was so much bandwidth and so many services offered and things, it was easier to just set up your little walled palace, you would set up your perimeter, you put your systems behind your perimeter, and then you effectively just open the walls. So you end up being in a one room house on almost every house that was on the Internet back in those days, everybody existed in that same palace, you all existed with the same level of trust, the same level of access, the same level of whatever. Outside that perimeter, you really didn’t trust anybody else. But once they made it through the gate, they were effectively treated as like citizens of the kingdom at that point.
Brian: Is that kind of a version of assuming that everyone is who they say they are?
Ryan: It’s kind of like saying, if you have a wristband, you can be in the party. So all you need to do is get a wristband, and then you get access to everything. Once you’re on the inside, obviously, you can see what the trouble with that is, is nowadays, it’s become much easier to get a wristband to get inside somebody’s party.
Brian: Yeah, no one’s asking how you got that wristband or where it came from.
Ryan: And sometimes even if they are, it’s gotten to be more easy to get hold of that. And so back in the day, where even around Active Directory, and a lot of those kinds of business level systems, there was a significant level of trust involved in all of the transactions that were done, you would authenticate once, sometimes there were access control lists doing broad level of access control to different secure resources, outside of that everybody was effectively trusted to just kind of have access broadly to a wide range of services without any sort of secondary authentication or auditing or anything beyond that initial point of access.
Brian: So what you’re saying is then that one, I think common example of at least identifying what trust means in this context would be anytime you click Remember me on this computer, that’s a version of trust. Now, the level of getting there obviously varies. Or if you save something in your browser, it’s a level of trust. If you save a password in your browser, then any site that you go to trusts that whoever is accessing that site through your computer, or through your browser, is you.
Ryan: That’s kind of you assuming that you are going to be the only one that ever has access to those resources. So I mean, that same thing is like leaving your computer unlocked at home, if you’re okay with whoever’s inside your house, having access to your computer, that works just fine. In a true zero trust environment, you’d have a lock on your front door, I’d have a lock on the door to my office, my computer would be locked here, my individual applications would have different levels of authentication, you build up those layers of security, and you don’t trust anybody at any point anymore. And you require them to, you know, go through the zero trust process without banging into many keywords right now, because we’ll get into that in a moment.
Brian: So it sounds to me a lot like that. The metaphor is what makes the concept of zero trust seem hostile, because in real life, you might have a lock on your office door, if you have things in your office that people who are regularly in your house shouldn’t get. But the bottom line is you’re not going to ask your wife to verify her identity every time she comes in the door of the house. It’s just not something that happens in interpersonal communications in the real world. If you don’t know somebody, you might ask for their ID, things like that. But once you have become accustomed to someone, you assume that it’s not someone doing the Men in Black wearing someone else’s skin as a suit, there’s a level of trust there and I can certainly see why this idea of zero trust, when that metaphor gets applied, starts creating the impression that it’s all hostile, that I’m not going to trust you and it’s because I don’t trust you as a person. But that’s not what we’re talking about at all, is it?
Ryan: That’s not what it should be viewed as, that’s really not what we’re getting to because this isn’t a social thing. This is a technical thing. To employ zero trust in your social life is a whole different aspect. If that’s something you want to do, by the way, I wish you the best of luck on that. But it’s not. It’s an interesting social experiment. This is more meant for systems and access. Because while it’s really nice and great, and it’s a warm feeling to be able to say, hey, I trust everybody. So like, if you’re in my office building, I’m gonna leave these file cabinets unlocked because I trust you guys. But then again, I can see all of you, I can probably usually physically watch access. So there’s some level of distrust or lack of trust, or at least oversight of that trust that usually is involved in most of those equations to some level, or earned trust or interest.
Brian: Sure, you build up a relationship over time. But again, you can identify that person in the real world, there’s very few ways for someone to impersonate someone else. So effectively, that in those one-on-one face to face exchanges, that you have a reason not to trust that the person standing in front of you isn’t who they say they are.
Ryan: Correct, we have not figured out deep faking reality yet, so we’re not quite there. But at some point, we’re gonna even have to start putting zero trust into things like some of our video communications because of things like deep fakes in the future, but really, at its core, we can’t with systems and access to data, and especially remote access to systems nowadays, really rely anymore on the concept of trust, because it needs to, at its basic origin, be trust, but verify. And that’s kind of like the initial steps into zero trust, right? Like, you want to make sure that yes, I want to trust this person, but I’m not going to. Instead, please tell me who you are. And then validate that you are who you say you are, because you can just say you are anybody. We want to make sure that we go through and, you know, properly deal with things like the authentication. Like strong authentication into resources is probably one of the biggest cores of zero trust: you need to make sure that you have access to all of your systems delegated to only who should have access, then you need to make sure that you validate that those people who should have access are who they say they are before you provide them access. And then after you provide them access, you should have a way to account for that so that you can go back and have an audit trail that that access was granted. And once you meet those three major things, you’ve kind of gotten through the major core of what you need to provide a good zero trust environment at the very basic level.
Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms. Also, please share this podcast with anyone you think would find it helpful or useful. We rely on listeners like you to help get the word out about this show, and we appreciate the support. Now, time for some more cybersecurity…
Brian: You just kind of described what I was going to ask you about, which is how zero trust works in practice. And it sounds to me like it’s actually a combination of what, at least in my business of advising companies on policies and procedures for cybersecurity, involves the intersection of several different policies. First, you need to have your data governance and confidential data identification policies in effect so that you know what data you have, where it’s located, what needs specific protection, and have those protections set up. And then number two, you have your data authorization policies and your access and your acceptable use and everything like that, that would determine who gets access to the specific data and what data they need. And then three is to have your security monitoring and your password and your multifactor authentication systems in place. It’s like in the real world, like a GPS monitor on a person, once they identify who they are, and you’ve confirmed that they are who they say they are, at least to the extent you can, now you need to know where they go and what they do. And then I guess as a follow on to that would be determining how frequently that second step is going to be performed? How often do you make them confirm that they are who they say they are, and so forth? And then what you do with that third step, that audit information, is another part of that as well. But that seems to me like it’s the intersection of those policies is how you effectively implement zero trust.
Brian: Am I getting that right now?
Ryan: You hit it absolutely right on the money. That really, really simplified approach is very strong authentication, strong passwords or passwordless, multifactor, going down those type of routes; least privilege, so classifying your data, making sure you understand what it is, delegate only who should have access to it and set that up in a controlled system. So you can do that per user, per group, or however you’re going to do that, per role. And then making sure that you audit all of the accesses to those data to make sure not only that it stays within the least privileged model and the classification that you had designated, but you understand all of the type of access that was made to what was done so you can understand trends and look for any other types of anomalies that you would normally expect as well. You know, if you get one user accessing data, and every single day, the most that they do is update, you know, a single spreadsheet and then all of a sudden, one day you see a user upload 85 gigs worth of data to some online sharing platform. Those are the kinds of trends that you need to understand as well and that’s also part of the end of that zero-trust process. So you have to really validate your people, validate your access, and then validate all the actions in the end and make sure that you log it and are actually looking at that and reviewing it and understanding what’s going on. Because that knowledge is the key to really implementing zero trust properly, you have to make sure you understand all the different points that compromise or anomalies can arise from, and make sure that you’ve got visibility over all of those.
Brian: So it sounds to me like the first steps, the understanding your data and the authorization process, those are largely going to be policy driven, it’s going to be what you decide to implement. I don’t know of too many systems where it would be not just prohibitively expensive but expensive at all, to effectively implement what you need to implement. Your password policy: are you willing to require your employees to have 16-to-20-digit passwords for everything? Are you willing to shell out the money to buy a physical token for people to use? That’s gonna be about you. But you’re not talking about significant expenditures. It’s the third step, essentially the monitoring of the access, which is what occurs to me could be really resource intensive. What kind of things should small and medium sized businesses be doing to make sure they’re adequately performing that third task while getting effective value without overspending on their cybersecurity? How can small and medium sized businesses know they’re doing what they need to do without breaking the bank?
Ryan: Yeah, I really don’t think that, and I’m gonna probably, unfortunately, upset a few people by saying this. But really, you don’t need to spend a ton of money to make zero trust work. But you’ll see as you progress through those three major steps that we kind of identified that the potential for cost gets a little bit higher as you go into those steps. Again, implementing stuff like MFA, and things like strong encryption, good password policies, relatively low cost, relatively easy to do. And most places have already started to really implement that.
Brian: With most of the tech tools that I think small businesses use nowadays, I have almost all of those options available for free anyways, you don’t need to spend money to do that.
Ryan: It comes down, yeah, to availability of the option, which is pretty broad. And then it comes down to your willingness to actually go through implementing it. Some people just don’t want to deal with MFA, because they don’t want an app on their phone, or they don’t want to go through the extra time, or they don’t want to deal with what it does add, one extra layer of complexity, which is an unfortunate byproduct of the world today, we face a lot of threats that require at least those basic levels of security. But it’s just the same as locking your door at night, having to go through and make sure your door’s locked, because you know, somebody might come up and just check your handle in the middle of the night. And you want to make sure that your important things are publicly available, getting into the second level classifying the data. And really putting those controls in place, a lot of that’s very procedural driven and very policy driven also, and a lot of that can be implemented pretty easily, it comes down to taking the time and having the diligence to actually stay on top of that once you get it done. Because data classification is not fun. It does require extra administration. But if you have that done, it really enables you a lot to understand what’s really important about your business and being able to avoid or recover from those type of instances when they come up. But dealing with the third one, that auditing ability, is really where most places probably fail to meet that final kind of step of zero trust, because when you look at it topically, it’s not as required to have that piece as long as, you know, a lot of places think well, I’ve got MFA now, and we’ve got people using strong passwords, and we have a risk policy in place. And we use encryption and we’ve got confidential labels and stuff on our data, we should be fine, right?
Except that there will always be something that will pop up, there will always be an anomaly somewhere, there will always be that one zero-day problem you’re unaware of, there’s going to be that one bad actor inside your company that’s like an insider threat, there’s always going to be something and so you need to be diligent about watching all of those kinds of transactions as well. And that’s where having that kind of like coordinated SIEM, whether it’s a managed service, or whether at its very basic core, you get some sort of tool that can do like file integrity monitoring that at least watches that type of access, and can report back to a business owner so that they can look for those kinds of at least major trends, I’d say at a very, very minimum base. If you can’t go back and look for those type of things because it’s going to be too complex for you, then you have to really at least polish up hard on the first two steps and make sure that you really reduce access down to only the people that need it, because you either need to cut the access or monitor the access. Those are the only two real ways to be safe and truly secure in today’s environment.
Brian: You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at firstname.lastname@example.org or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: I can’t get past the notion that zero trust is poorly communicated in the business world by people who want to get your attention to talk about zero trust, and not even necessarily in a nefarious way. The real talk about zero trust is actually just a better security system. It’s taking what your security should employ and taking it to the next level. Because the bottom line is the ability to impersonate an authorized user is, unfortunately, getting easier and easier. And our security needs to increase itself to match.
Ryan: Well, and to do so anonymously and from anywhere in the world is the other big key, too, because it’s one thing to protect your house, we talked about locking your door, but that also assumes that your threats are standing on your doorstep. In the case of an internet connected world, your threat could be halfway around the world in a non-extradition country, basically having just shy of immunity in their ability to harass you remotely. And that’s a dangerous adversary to be facing, because there’s very little to lose on their side, a heavy amount to gain. And it’s the exact opposite for us on this side defending: you’ve got potentially a lot to lose, your business, your proprietary data, intellectual property, PII, you start running into some of those other types of issues of things that you could lose. And, you know, there’s obviously no gain in that battle, except winning against being compromised, which is the best-case scenario…
Brian: Holding the line really,
Ryan: Yeah. And that’s really what it comes down to. So you need to do those things. Because if you don’t, you will fall behind and you will be compromised, you will have to face those other challenges. And in the end, those will end up taking more of your time, they will have a more detrimental impact on your business. And they’ll probably be more costly than just implementing some policies that might seem a little bit tough at first, but really just becomes second nature once you get them implemented. And you get in the strides of working with those technologies.
Brian: Well, there’s really no understating how important it is when your authentication systems are in a lot of cases now not dealing with authenticating a workstation within your physical premises, but actually authenticating someone accessing remotely, the remote work. I guess the world that began with COVID and has held much longer than really any other aspect of our dealing with that pandemic. It is a new world out there for companies dealing with authenticating their employees and making sure that only the right people have access to information. So zero trust is an incredibly important concept and your company should be applying it to the fullest extent that is possible. So I mean, zero trust itself is probably best looked at as a goal. If you have any recollection of concepts of calculus, it’s approaching a limit. Are you ever going to fully get there? Well, probably not. Because you’re not going to authenticate a user every second they’re on your system. But the closer you get, the more secure your system will be. I want to thank you all for joining us here on the Fearless Paranoia podcast today. You can find a whole lot of other information on this topic at our website, www dot Fearless Paranoia.com. We will also include some links to helpful resources including some various systems that you can use to try to implement that third step of zero trust security. Thank you again for joining us. Make sure to subscribe to us on any of your favorite podcast scripting channels. You can also get additional information on more cybersecurity topics at Resilience Cybersecurity.com. I’m Brian…
Ryan: And I’m Ryan and we’ll see you next time.
Ryan: And I’m Ryan, cybersecurity specialist.
Brian: This is season one, episode one, the inaugural episode: Ransomware 101. Today we are talking ransomware at a very basic level. In this episode we’re gonna discuss the essential principles of ransomware. What is it, at its core? We’ll discuss the general concept of what ransomware is, why it is so disruptive, and why it’s so effective. Just remember, this episode is not meant to be a deep dive into all the individual aspects of ransomware. This is a general survey of the subject to make sure that you’re familiar with ransomware in general. We will be bringing the deeper dive into various aspects of ransomware in later episodes. This, however, is ransomware 101.
But before we get there, we want to remind everybody that you can check out our other episodes on Fearless Paranoia.com. You can also subscribe to our podcast through any of your favorite podcast subscription services. For additional information on how you can keep you your business, your family and anyone else safe from cyberattacks, please visit our website at www.resiliencecybersecurity.com to get tips, hints and suggestions and plans and procedures and everything you could possibly imagine to help protect yourself from cyberattacks.
It’s a Saturday night and for reasons passing understanding I’m working. It’s 8:30pm. I open my laptop, and knowing that I’ve got some work to do, I open up my Dropbox connection where I put some documents in the day before at work. As I open the box, something catches my eye. But not enough for me to think too much about it. The files that were there, they’re all their regular files, but they’re not quite the same. And as I’m glancing through, I can’t really figure out what’s different. I also notice that the icons don’t seem to be loading properly. But that could just be my computer being my computer. I double click on a Word file that contains something I was working on. That’s when it’s confirmed that something’s wrong. Instead of one box opening, two boxes open right off the bat, not a good sign. The first box opens up and it’s a bunch of gibberish, symbols, letters, any kind of order. And I’m really puzzled for a second. But then I see behind that document, the corner of the second document is open. That one doesn’t have symbols, that one doesn’t have jumbled language. It has text in bright colored font: they have my data locked up. And I can contact them at this email address to arrange to make a payment to unlock it. I’ve been hit by ransomware.
The story I’ve just told you actually happened. Fortunately, it was from back in the days before ransomware became quite as insidious as it is now and we were able to resolve it with limited business interruption issues and other costs. In fact, the costs of reclaiming our system, clearing it up and everything, actually ended up being less than our insurance deductible. That’s something that doesn’t really happen anymore.
So what is ransomware? I think most people who follow the news or anything, read anything about computers, anything about business, anything about security these days, know or have an idea of what ransomware is. But getting an understanding of the full technical definition requires expertise that exceeds most people and requires time that most people don’t have. Fortunately, we’ve got them both. And Ryan, the cybersecurity and IT specialist. So Ryan, walk us through what is ransomware?
Ryan: That’s a fantastic question, Brian. Protecting against, defending against, ransomware really starts from the core of just understanding what it is and how it works. And so what is ransomware? It’s software. This is a piece of code that somebody’s written, that encrypts data enacting very, very standard, very widely used encryption tools that are being used with custom algorithms, and makes it unusable to anybody other than the generator of that software to create a ransom-able environment or ransom-able situation where they can hold data of yours hostage and offer it back to you for what they consider to be a very reasonable cost. It’s no different than old fashioned kidnapping or theft for ransom or anything to that effect. The main difference here is these are things that are not happening in your front yard. These are things that are happening from people halfway around the globe, over the internet, you know, a tool that we all use every single day.
Brian: So the concept it means it’s taking something hostage, and it’s the idea and I think, I mean, it’s been around forever, but the idea that something is worth more to you to get back than it may be worth on the open market. The idea of, even if your computer systems were full of personal information that might be sold on the dark web, that data is not that expensive on the dark web, but you were willing to pay a lot more to make sure it comes back or to use it yourself, then it then has actual intrinsic value.
Ryan: Yeah, that’s great. You actually touched on a couple of really important points there, too. The first one is that the data is important to the generator, the owner of the data, and life is just not as easy to continue on with without having it back. Whether that’s a detriment to your business, this is core critical data that you don’t have backed up somewhere else. It’s data that is not recoverable easily. And so it’s got a certain level of value attached to it. Some of that data has value purely to its owner. Some of that data is very valuable to a whole variety of people based on the nature of it. So not only do you have a situation where, as your data gets into a situation where it’s been encrypted by ransomware, and it’s being held hostage, that data, again, could just be valuable to you enough for you to offer a payment back to these criminals to get access back to your data. It could also be valuable to them from an extortion standpoint of what happens if we dump this data, are you going to be willing to pay us a little extra not just to get access back to it, but to keep us from publicizing that data out on the internet so that everybody else can have a copy of it too. And that’s been something much more prevalent in the ransom attacks popping up in recent times, is that there’s almost a two-stage piece behind that ransomware attack where they attempt to profit twice from it. And again, it’s good from a business standpoint, but it’s terrible for the rest of us that are on the receiving end of those types of malicious attacks.
Brian: You’re listening to the Fearless Paranoia podcast for more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: Yeah, I’ve been amazed recently how it does seem like ransomware, while certainly, you know, when this stuff first became popular it was an effective term; extortionware almost seems like it’s the better term for the modern version, because ransomware evokes the concept of “we’re holding this until you pay us to get it back”; extortionware it is a much. I mean, and that is a version of extortion. You know, a kidnap and ransom situation is one type of extortion, we are going to illegally get money from you, based on you either doing something or not doing something. We’re going to leverage you to pay by taking something valuable of yours and returning it back. But the whole concept of extortion, there is this idea that you can be compelled to do something not just based on the proposition of getting something back, but on a whole variety of levers. And I think, and we’ll talk about, I definitely want to talk about this in greater detail in a later episode, this concept you touched on, what I’ve been seeing referred to as double and triple extortion, where the people doing the extortion actually leverage different ways of getting you to pay, one of which is not even approaching you with the ransom, but approaching your customers and letting your customers know that, you know, they have your data. And there’s the actual data about the customers. And I think one of the more famous examples of that recently was, I think, a Scandinavian, essentially a large psychiatric organization where they took people’s patient notes and contacted the patients and said, if you’re, you know, if your psychiatric doc doesn’t pay up this ransom, we’re releasing your psychiatric notes.
Ryan: Yeah, it’s definitely taken a few different iterations. And it continues to find ways to become not just more effective, the malware families and especially the ransomware itself, but just the entire method of distributing it and how they’re utilizing it to draw maximum income capabilities out of the whole process has really kind of gone through, again, a whole series of evolutions, and I don’t see any of that stopping. A lot of it follows very standard criminal methodologies of just finding, you know, low hanging fruit, easy opportunities. And a lot of these ransomware attacks really kind of focus on, you know, those easily exploitable people. So again, folks like ones with medical issues where something is, you know, that’s really personal information, or going into a business and stealing source code from a software developer. That’s your bread and butter. Those are your trade secrets. That could be something as simple as a customer database where maybe it’s not critical to your business, but it’s certainly going to be critical to everybody who does business with you, which can turn into, you know, a major business impact later on if that data were to get out. And so it’s a constantly changing field. And it’s one that’s just going to keep getting more and more devious, which is why it’s more important than ever now that we put into effect at the personal and professional levels, everywhere we can, basic internet hygiene practices to stay safe from some of these, because a lot of these attacks are taking advantage of and exploiting overlooked updates, overlooked resources, very well known exploitable holes that could be, they can be closed pretty easily with basic hygiene practices, basic updating and patching. And there’s a lot of just general hygiene practices that can really prevent, I’d say, a good majority, I’d even go so far as to guess probably 90% of a lot of these are really avoidable incidents.
Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at email@example.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out FearlessParanoia.com. You’ll find a post for this episode containing links to all the sources and research information that we have cited to you. And also check out our older posts and podcasts, as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: Let me ask you real quick, because I think that, you know, a lot of people who watch, you know, any TV program that deals with computer issues, and usually deals with them very poorly, among most people, I think, there is this idea that encryption can somehow be cracked. I think in reality, cracking encryption really means having the password, having the key that unlocks the whole thing. And we’re definitely going to have an entire episode on just helping people understand the basics of what encryption is and how it actually works. But when we’re talking about encryption, you’re not cracking any of this stuff unless you know the code, right?
Ryan: So yes and no. In some instances, some of the less mature ransomware gangs have used very weak ciphers in some of the ransomware code that they’ve developed, and in some of those cases, it’s been relatively trivial for some expert researchers to reverse engineer what was used. And so yes, some encryption, and in theory, all encryption really can be cracked, as long as you have enough time and enough resources to do all of the testing and all of the brute forcing. And part of the biggest problem is a lot of these encryption ciphers nowadays, even with extremely powerful supercomputers or distributed computing, or even if you were to find a way to wrangle the power of, like, an extremely sophisticated botnet, something where you’ve got a lot of computing resources to crack away at this, we’re still talking years, decades, potentially centuries in some cases, to crack some of these with current technology. So again, are they crackable? Yes. Is the likelihood that they’re going to be cracked, you know, in any sort of short timeframe or with any ease? It’s pretty safe to say no in most of those cases. Theoretically…
Brian: It’s uncrackable, practically speaking.
Ryan: In most cases where the ransomware tools do get reverse engineered and do get cracked, a lot of times it’s either because they’re using an extremely old piece of tooling in the ransomware, or it’s because the ransomware gang itself has had some of their code repository, or places where they’re holding some of those secrets, some of those passphrases, keys, actually get compromised. And what they’re doing to other people actually happens back to them, as their source code, their internal tools are taken by security researchers and then distributed on the internet, saying, “Hey, here’s a tool to help you decrypt all of these things, because we broke into their infrastructure.” You start to get into some interesting legal issues from that side, too. But again, it does happen from time to time that some of these things do get reverse engineered or do get broken, but it’s not something that one would ever want to count upon. The better approach is to certainly put plans in place to protect yourself from it, and to make sure that in the case that it does happen, you’re not counting on either having to pay a ransom or find a key to get back into it, that you’ve got a secondary plan in place to make sure that you can continue enforcing business continuity around the issue instead.
Brian: So where does ransomware then fit in the overall concept or context of a business getting hacked?
Ryan: So the ransomware, again, ransomware is very rarely ever the first stage of compromise. Ransomware is usually one of the end stages of compromise. That’s kind of the end goal: to apply the ransomware, apply the ransom, and collect, and then finish whatever the business relationship is there, if you can call it a…
Brian: Business relationship. Business gets conducted at the end of this meeting: either your signature or your brains will be on this contract. Yeah.
Ryan: And effectively, I mean, it is business. I mean, it’s a billion-dollar industry, you know, so ransomware is a huge business nowadays. It’s a legitimate business, in most of our minds, but it is what it is.
Brian: And so it’s this combination of really strong encryption and these ransomware groups’ knowledge of where to look for critical information, and most importantly, what constitutes critical information for businesses, healthcare facilities, even individuals, that makes ransomware so disruptive to our modern economy, system, way of doing things. Absolutely. Well, in a nutshell, there it is: Ransomware 101. Want to thank you for joining us today. Look forward to seeing you again in the future. Don’t forget to subscribe to our podcast; you can do so through your favorite subscription service or on our website. Also, if you have a specific cybersecurity topic you’d like to hear Ryan and I address in our podcast, you can go ahead and send us a message on the Fearless Paranoia website at FearlessParanoia.com. We hope to see you again next time. This is Brian and Ryan, Fearless Paranoia, signing off.
to make cybersecurity understandable, digestible, and guide you through being able to understand what you and your business need to focus on in order to get the most benefit for your cybersecurity spend.
©2022 Fearless Paranoia