Why Cyber Resilience is the Way to Measure Cybersecurity
Your cybersecurity systems may be top-notch, with an amazing firewall and great protections from cyberattacks. But the true measure of your cybersecurity effectiveness is your cyber resilience – your ability to recover from an attack.
Episode Resources:
- Resilience Cybersecurity & Data Privacy
- 8 Useful Small Business Cybersecurity Tips You Need to Know – Resilience Cybersecurity & Data Privacy
- Disaster Recovery: Calculating Your RPO and RTO – Resilience Cybersecurity & Data Privacy
- Yes, Virginia, You Can Calculate ROI for Cybersecurity Budgets – Forbes
- Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report – Cisco Security Blog
- Ten Commandments for a Cyber Resilience Strategy – TechNative
- The 4 Lenses of Resilience and What They Mean for Security – Cisco Security Blog
Episode Transcript
Brian: Hey, welcome to the Fearless Paranoia podcast where we are demystifying the complex and incredibly dense, complicated and obtuse world of cybersecurity, making it hopefully accessible and reasonable to the everyday person, the average person, the everyday listener to our podcast. Which, you know, there’s gotta be at least six of you by now. I am Brian, the cybersecurity attorney.
Ryan: And I’m a cybersecurity architect. And I usually go by Ryan.
Brian: Yeah, there are other names. But you know, for right now, we’re gonna go ahead and make sure that any of the kompromat that the Russian government has on either one of us is kept to a relative minimum. So today, we’re gonna be talking about a concept you’ve heard us discuss in numerous instances in the past. And it’s this idea of being resilient. Resiliency as a business. Now, as a basic concept, being resilient is not complex. Most people understand the idea. It’s, you know, it’s how well can you withstand something? How well do you bounce back up again, basically. It’s, I mean, if you don’t have a Chumbawamba song in your head right now, then I’m really not doing my job well, but that’s what resilience is.
So what we’re going to talk about today is more specific: what are we talking about when we talk about your company being resilient and having security policies that improve your resiliency? So Ryan, when we’re talking about this in real-world cybersecurity, what in your mind are the key components of a resilient business?
Ryan: That’s making sure you go through the steps and make sure that you’re never going to keep me down. Sorry, I couldn’t help it, I got the song running through my head. Now to know the really, the big pieces of my work is done here. The really big pieces of understanding resilience to me in our world, the really important keys are understanding what’s important to your business. And really, really, first and foremost, you can’t be resilient if you don’t understand what’s important about your business. So you need to classify what’s important from access to your systems, what’s your most critical data, what’s the stuff you cannot operate without, and make sure that you have put measures in place to protect that data, to limit access to that data, to back up that data and to make sure that integrity of that data is never compromised. And that means going to different extents for different datasets. But at its core, it means backing up, it means backing up your backups, it means storing them in different places. And just kind of always assuming that anytime you put any of that stuff in one common place or under one common account, etc., that has the potential to all burn together. And that’s never a position you want to see your business. And so resilience is again, it’s starting with making sure that you have good general best practices in place: strong authentication, least privileged access to your data, the data classification we were just talking about, getting those data backups in place, making sure you’ve got those good, strong off-site backups, and then getting policies and procedures in place to really enact and control all of that. You need to understand basic concepts like RTO and RPO: how long can you be down without drastically impacting your business operations and starting to lose customers or lose revenue? How much data, or how much information, can you potentially afford to lose before it’s become too large of an impact to really restore your business someday? Most businesses will find out that they can afford to lose some limited data. But when you get to be a company the size of like Amazon during Christmas time, you really can’t afford to lose anything, because every 10 seconds’ worth of transactions can be potentially millions of dollars’ worth of data loss.
Brian: I think you explained that particular topic really well on our disaster recovery episode when you’re talking about a hedge fund. The idea that the question is, when you’re talking about how much data can you lose, it’s between whenever your data loss occurs, and your most recent full backup was that data well, and that also, any additional time you lose in restoring your systems, that amount of time that passes, that’s data that you’ve lost, that your business can no longer rely on. And if your business relies on minute-by-minute transactions, you better have a backup every minute so that if your data goes down right now, you know that at least 60 seconds ago, you have every transaction up to that point. And so what we’re really talking about here is yes, it’s great to have cybersecurity. It’s great to have the walls that keep out the bad guys. But as was so eloquently stated in the movie Patton, mountains and rivers can be overcome; anything built by man can be overcome. You can have the best walls, but something’s gonna find their way past your walls. How effectively can you respond? You can have great security, but you can never guarantee that you are entirely secure from a disaster or a breach. And it doesn’t have to be a data breach; as you were just talking about, it can be a flood that shuts down your data center.
Ryan: Yeah, what if hardware failures, they happen all the time in the IoT world, and that’s why technologies like RAID and stuff have been built over the years to work on finding ways to build more integrity. And then you started coming up with the concept of high availability, load balancing across regions just to like separate out the data physically to prevent against those kinds of things. Again, anytime you put all of your data in one place and don’t have some sort of duplication of that, as far as at least a backup if not like a hot site for high availability, you end up with all your eggs in one basket. So now you’re relying on the integrity of that basket to be the steward of all of your data going forward. If that basket’s like a server running from 2005, or something, you know, that’s a tough basket to keep your important eggs, if you’re relying on those things being the future of your business.
the very basic of this concept being resilient.
Brian: First, you know, it’s, the first concept is admitting that you have a problem. You can’t solve a problem until you have admitted that you have one. So the first step in establishing resiliency is acknowledging that the systems you have in place may fail. Let’s face it, if your systems were perfect, you wouldn’t need a data backup policy. So anyone who has a data backup policy has at least taken that first step and admitted that there are situations that they foresee as being not just likely, but just possible, where they may need their data restored from a backup. So you need to acknowledge that all the steps you have may not be sufficient to protect you. And then what? And I think that’s the key, if resiliency then becomes a question of how much are you willing to put into your company’s policies and procedures. And when I say how much are you willing to put into that, that means a lot of things, because there’s on the front end, how much work are you willing to put in to establishing the right policies and procedures, implementing them, making sure they’re actually followed by all of your employees? And then there’s also executing those policies: how much money and time are you willing to spend on all the systems? It’s not free to run data backups, it’s not free to have heavy monitoring of your usage, it’s not free to replace equipment before it fails, so that you, you know, circumvent that issue. So there’s, there are decisions that you have to make that will determine how resilient you are. But the important idea is that you accept that being resilient is itself important.
Ryan: Yep, that’s absolutely correct. I think, again, to me, classification is one of the most important things that most businesses can do. And that’s classifying your systems, your processes, and specifically your data to just understand, because again, without knowing how valuable your data is, and the level of access, or how important having access to that data is, without understanding that you don’t have any respect for the process in the first place, there’s really there’s no incentive to dig into a process like trying to be resilient. And it’s something that most businesses may just think they don’t have the time to really invest into, or don’t have the funds to invest into, because they think they’re going to need a hugely expensive solution. And that’s one of those lessons you don’t want to learn the hard way, because it becomes very, very challenging in the case of a disaster to try to recover and return back to, you know, what was previously the status quo without having those systems in place. And just having some of those very, very basic systems can turn recovery that could end up being weeks or months long into something that could be days or a couple of weeks instead. And that kind of reduction in recovery time can usually be a make-or-break type scenario. For a lot of businesses, especially the smaller businesses, they just, they can’t afford those levels of disruption and those type of outages.
Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: Well, I can say without hesitation from my perspective in advising companies on their policies and procedures regarding cybersecurity, that there’s not a single process that I put together that didn’t start with data classification. If you don’t identify what you have, and where it’s located, none of the other security measures that are included in everything that I put together for your company is going to work. It seems like a small thing. But it also can be very broad and expansive. Do you know where your confidential information, your trade secrets or proprietary information is being kept? Do you know if your people are saving important and critical data down on their workstations as opposed to being saved in a designated location? Do you know if it’s being saved to mobile devices where you have no ability to track what happens to it once it gets to that device? If you don’t have the data classified, and by classifying means identifying what data is important and knowing where it is, or at least establishing where it’s allowed to be kept, your entire system, everything that comes after that, is essentially useless.
Ryan: Yeah, it definitely lacks a lot of purpose and direction without those core targets in place. So I mean, that’s really critical to being able to put together a good plan for resiliency, is understanding what you have, what’s worth protecting, and then figuring out how to protect things that are prioritized or working your way down that list.
Brian: Well, of course, you know, and protection. You know, we talked about resilience, and it can seem like this is just about bouncing back from something, getting through, but you also use the same principles when you’re talking about your physical security. For example, how effectively you train your employees will have a huge impact on how quickly your company rebounds from a disaster, but also will help improve your actual frontline security. The physical security policies you have put in place will dramatically improve how effectively you can prevent anything from happening, but they will also set up all the processes you need to make sure that the recovery from any of these things is not at all impeded by physical access to your facilities. So there’s so many things here that increase your security overall almost exponentially when you add them, because they contribute both to your frontline security and to your resiliency, and implementing them, sitting down, writing out the policies, making sure that your employees follow them, is the only significant step between your company being wide open to attack and dead in the water in the event that it does occur, and being frontline secure and resilient on your end.
Ryan: You’ve made an interesting major point there at the end, the difference between setting up the plans, the policies and actually implementing them. That’s where I think a lot of businesses find hesitation and tend to stop, and part of the process is it’s really easy to get to, I’m not gonna say it’s easy, but it’s one big step to get to the point of defining the policies, having the policies in place and saying, “Yes, we are going to abide by these policies.” Actually doing the work after that is a huge step. Because the policies, again, are good enough to get you an insurance policy, they’re good enough to get you past an audit, they’re good enough to get you past those regulatory checks. They’re not good enough to keep you safe unless you’re actually practicing what you’re preaching. And so it depends: are you looking to check some boxes, are you looking to be safe and resilient? And if you want to check the boxes, and that’s all you’re really interested in, and you don’t care beyond that, then put the policies and stuff in place, go buy some canned stuff, and be done, and then call us later once you guys get impacted and are actually dealing with a disaster, because you will be, and we’ll be here to help you through it after a very, very tiny “I told you so.”
Brian: Yeah, and by the way, at a significantly higher rate, unfortunately.
Ryan: Yeah, the “I told you so” might be in font size one on the bottom corner of the invoice somewhere, you might not even notice it’s there. But for those of you guys that are actually interested in going that next step further, it’s worth the journey. It’s worth the investment, the time. You really only need to go through it once, because then it becomes standard practice as long as you keep being diligent to it going forward. And in the end, not dealing with one of those incidents will be a lot of time that’s brought back to you, a lot more money sitting in your account and a lot less time sitting down and going through the pain of recovering from a major disaster. There’s been a lot of people out there that have spent the time and have had to go through those disasters. Go find a couple of them, they’re probably not that hard to find. Nowadays, most everybody’s been at a business that’s suffered something, and just get their feel for it and see if that’s a pain that you’re interested in. I think that going down these steps for basic resiliency are a much, much less painful option than suffering what could come in its place.
Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out FearlessParanoia.com. We’ll find a post for this episode containing links to all the sources, research, information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: And I do want to add one key thing that I’ve noticed, and part of the reason why this is part of my experience, Ryan, you just talked about the difference between writing the policy down and then actually implementing it. A lot of my clients are law firms who are trying to improve their security, and the nature of a lot of law firms’ business structures is they are almost all, for ethical reasons, partnerships. Partnerships tend to be large, especially, you know, medium-sized firms and some small firms. But the bigger you go, the more it is operated on the premise of the attorney who’s been there the longest is the highest on the totem pole. And just so anyone’s listening, yes, I do know that is an incorrect metaphor, being the lowest on the totem pole was technically the most important, but we’ll ignore that for now. The most senior person was the one who had been there the longest. So the key thing that I had to explain to so many of these companies was, it’s great if you have these policies, it’s great if you’re making sure that all of your staff is following them. Are you following them, senior managing partner? No. It turns out that every single one of these policies has a little exemption carved out for some of the senior management. Entertainingly enough, it’s always the senior management who has the highest access level, although fortunately most of these people have given up like network admin duties because functionally operating a computer is not high on their skill list. But you can’t exempt people from policies if you want the policy to be effective, period.
Ryan: I mean, that goes back to the old adage of lead by example anyways, right? Because even if you do have the expectation that the whole rest of your company is following it, but now you yourself are not how are you going to expect them to keep toeing that line at some point in the future? How are they going to you guys make them to continue to follow that when they look at you just blatantly shrugging it off and going about get out whatever reckless activity you’d like to because you’re above the law.
Brian: Just imagine what kind of signal do you even send about how truly important following the policy really is when someone finds out that they can add a different web browser to their workstation and on that web browser, circumvent all the blocking software that your IT company put in place. There are so many things. And I mean, and I’ll also say as one additional benefit to going through all of this stuff is that most companies, now we’re approaching January 2023, is when several states’ laws on new privacy provisions go into effect. And there are quite a lot of companies who are just under what will be necessary to qualify for these policies. But I can assure you that as time goes on, these laws are gonna apply to more companies, not less. One of the added benefits to having a professionally assembled set of security policies and procedures, they almost always address the same subjects that these new privacy laws address. So yes, am I a little bit throwing in a sales pitch for the services that I render here? Yes, sure. But one of the most important things you can do is make sure you have policies in place that are being followed. And guess what, you can’t do that without making sure that the policies you have in place regarding your internal procedures and security match what you tell the rest of the world is your terms of service on your website, and your privacy policy on your website, and your return policy in your e-commerce. Do they all match up with the things that you actually do inside your company? You have to know these, and so if they don’t match up, you will find yourself in violation of some of these policies that have very significant and punitive potential damages for you and your business. Not to mention the fact that it probably isn’t going to look great if your company happens to be one of the few that’s sued by the FTC or one of these state agencies, and that gets broadcast all over the news that you are violating a privacy law.
Resilience is a huge thing in cybersecurity in a lot of ways is a huge Jenga tower and resilience is one huge chunk of that tower. It relies on so many individual blocks holding up the rest of the building, you can’t pull one of those blocks out without the cybersecurity tower falling over entirely. So make sure that how you are being resilient also impacts how you are protecting your customers’ privacy, also impacts how you are keeping your company safe from the outside, both from digital and physical threats. All of it is important and all of it works together. There’s a whole lot more on the whole concept of resilience we’ll talk about, probably in smaller bits, in the future, but we definitely wanted to make sure that you understood what we were talking about when we discuss resilience in general. And as a plug that my co-host mentioned to me before we went on the air with this particular episode, for any more information, you can always jump over to Resilience Cybersecurity and Data Privacy, which is www.resiliencecybersecurity.com. There are also links from our website at Fearless Paranoia to get over there. We’ll have a lot of information on various ways that your company can improve your cybersecurity and be more resilient. That’s all we really have for this topic today. We probably went a little bit longer than we should have, so apologies for that. But please subscribe to Fearless Paranoia on any of your favorite podcasting apps. You can also get more information on our website, where we have full-on transcripts if you’re really a masochist. But we also have a lot of really good resources on each one of the topics that we address and a whole collection of other topics that you may find interesting. We try to keep these episodes relatively short so that you can learn the topic and get about your day.
Check all that stuff out on our website, reach out to us via email or by social media if there’s any topics that you think we should be addressing, or you’d like to hear more about. All that having been said, thank you for joining us today in Fearless Paranoia. I am Brian…
Ryan: …and I am Ryan and we look forward to chatting with you guys more about cybersecurity next time.
Ryan: And I’m Ryan, cybersecurity specialist.
Brian: This is season one, episode one, the inaugural episode: Ransomware 101. Today we are talking ransomware at a very basic level. In this episode we’re gonna discuss the essential principles of ransomware. What is it, at its core? We’ll discuss the general concept of what ransomware is, why it is so disruptive, and why it’s so effective. Just remember, this episode is not meant to be a deep dive into all the individual aspects of ransomware. This is a general survey of the subject to make sure that you’re familiar with ransomware in general. We will be bringing the deeper dive into various aspects of ransomware in later episodes. This, however, is ransomware 101.
But before we get there, we want to remind everybody that you can check out our other episodes on FearlessParanoia.com. You can also subscribe to our podcast through any of your favorite podcast subscription services. For additional information on how you can keep you, your business, your family and anyone else safe from cyberattacks, please visit our website at www.resiliencecybersecurity.com to get tips, hints and suggestions and plans and procedures and everything you could possibly imagine to help protect yourself from cyberattacks.
It’s a Saturday night and for reasons passing understanding I’m working. It’s 8:30pm. I open my laptop, and knowing that I’ve got some work to do, I open up my Dropbox connection where I put some documents in the day before at work. As I opened the box, something catches my eye. But not enough for me to think too much about it. The files that were there, they’re all their regular files, but they’re not quite the same. And as I’m glancing through, I can’t really figure out what’s different. I also noticed that the icons don’t seem to be loading properly. But that could just be my computer being my computer. I double click on a Word file that contains something I was working on. That’s when it’s confirmed that something’s wrong. Instead of one box opening, two boxes open right off the bat, not a good sign. The first box opens up and it’s a bunch of gibberish, symbols, letters, any kind of order. And I’m really puzzled for a second. But then I see behind that document, the corner of the second document is open. That one doesn’t have symbols, that one doesn’t have jumbled, jumbled language. It has text in bright colored font: they have my data locked up, and I can contact them at this email address to arrange to make a payment to unlock it. I’ve been hit by ransomware.
The story I’ve just told you actually happened. Fortunately, it was from back in the days before ransomware became quite as insidious as it is now, and we were able to resolve it with limited business interruption issues and other costs. In fact, the costs of reclaiming our system, clearing it up and everything, actually ended up being less than our insurance deductible. That’s something that doesn’t really happen anymore.
So what is ransomware? I think most people who follow the news or anything, read anything about computers, anything about business, anything about security these days, knows or has an idea of what ransomware is. But getting an understanding full technical definition requires expertise that exceeds most people and requires time that most people don’t have. Fortunately, we’ve got them both. And Ryan, the cybersecurity and IT specialist. So Ryan, walk us through what is ransomware?
Ryan: That’s a fantastic question, Brian. I mean, protecting against, defending against ransomware really starts from the core of just understanding what it is and how it works. And so what is ransomware? It’s software. This is a piece of code that somebody’s written, that encrypts data enacting very, very standard, very widely used encryption tools that are being used with custom algorithms, and makes it unusable to anybody other than the generator of that software to create a ransom-able environment or ransom-able situation where they can hold data of yours hostage and offer it back to you for what they consider to be a very reasonable cost. It’s no different than old-fashioned kidnapping or theft for ransom or anything to that effect. The main difference here is these are things that are not happening in your front yard. These are things that are happening from people halfway around the globe, over the internet, you know, a tool that we all use every single day.
Brian: So the concept it means it’s taking something hostage, and it’s the idea and I think, I mean, it’s been around forever, but the idea that something is worth more to you to get back than it may be worth on the open market. The idea of, even if your computer systems were full of personal information that might be sold on the dark web, that data is not that expensive on the dark web, but you were willing to pay a lot more to make sure it comes back or to use it yourself, then it then has actual intrinsic value.
Ryan: Yeah, that’s great. You actually touched on a couple of really important points there, too. The first one is that the data is important to the generator, the owner of the data, and life is just not as easy to continue on with without having it back. Whether that’s a detriment to your business, this is core critical data that you don’t have backed up somewhere else. It’s data that is not recoverable easily. And so it’s, it’s got a certain level of value attached to it. Some of that data has just value purely to its owner. Some of that data is very valuable to a whole variety of people based on the nature of it. So not only do you have a situation where as your data gets into a situation where it’s been encrypted by ransomware, and it’s being held hostage, that data, again could just be valuable to you enough for you to offer a payment back to these criminals to get access back to your data. It could also be valuable to them from an extortion standpoint of what happens if we dump this data, are you going to be willing to pay us a little extra not just to get access back to it, but to keep us from publicizing the state out on the internet so that everybody else can have a copy of it too. And that’s been that’s been something much more prevalent and the ransom attacks popping up in the in recent times is that there’s almost a two-stage piece behind that ransomware attack where they attempt to profit twice from it. And again, it’s good from a business standpoint, but it’s, it’s terrible for the rest of us that are on the receiving end of those types of malicious attacks.
Brian: You’re listening to the Fearless Paranoia podcast for more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: Yeah, I’ve been amazed recently how it does seem like ransomware while certainly was you know, when this stuff first became popular it was an effective term; extortionware almost seems like it’s the better term for the modern version, because ransomware evokes the concept of “we’re holding this until you pay us to get it back”; extortionware it is a much. I mean, and that is a a version of extortion. You know, kidnap and Ransom situation is one type of extortion, we are going to illegally get money from you, based on you either doing something or not doing something. We’re going to leverage you to pay by taking something valuable of yours and returning it back. But the whole concept of extortion, there is this idea that you can be compelled to do something not just based on the proposition of getting something back, but on a whole variety of levers. And I think, and we’ll talk about I definitely want to talk about this in greater detail, in a later episode, this concept you touched on as the what I’ve been seeing referred to as double and triple extortion, where the people doing the extortion actually leverage different ways of getting you to pay, one of which is not even approaching you with the ransom, but approaching your customers and letting your customers know that, you know, they have your data. And there’s the actual data about the customers. And I think one of the more famous examples of that recently was, I think, a Scandinavia, essentially a large psychiatric organization where they took people’s patient notes and contacted the patients that said, if you’re, you know, if your psychiatric doc doesn’t pay up this ransom, we’re releasing your psychiatric notes.
Ryan: Yeah, it’s definitely taken a few different iterations. And it continues to find ways to become not just more effective, the malware families and especially the ransomware itself, but just the entire method of distributing it and how they’re utilizing it to draw maximum income capabilities out of the whole process has really kind of gone through, again, a whole series of evolutions, and I don’t see any of that stopping. A lot of it follows very standard criminal methodologies of just finding, you know, low hanging fruit, easy opportunities. And a lot of these ransomware attacks really kind of focus on, you know, those easily exploitable people. So again, folks like ones with medical issues where something is, you know, that’s really personal information, or going into a business and stealing source code from a software developer. That’s your bread and butter. Those are your trade secrets. That could be something as simple as a customer database where maybe it’s not critical to your business, but it’s certainly going to be critical to everybody who does business with you, which can turn into, you know, a major business impact later on if that data were to get out. And so it’s a constantly changing field. And it’s one that’s one that’s just going to keep getting more and more devious, which is why it’s more important than ever now that we put in to effect at the personal professional levels everywhere we can basic internet hygiene practices to stay safe from some of these because a lot of these attacks are taking advantage of and exploiting overlooked updates, overlooked resources, very well known exploitable holes that could be, they can be closed pretty easily with basic hygiene practices, basic updating and patching. And there’s a lot of just general hygiene practices that can really prevent, I’d say, I’d say a good majority I’d even go so far as to guess probably 90% of a lot of these are really avoidable incidents.
Brian: You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out FearlessParanoia.com. We’ll find a post for this episode containing links to all the sources research information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: Let me ask you real quick cuz I think that, you know, a lot of people who watch you know, any TV program that deals with computer issues, and usually deals with very poorly among most people, I think is this idea that encryption can somehow be cracked. I think in reality, cracking encryption really means having the password, having the key that unlocks the whole thing. And we’re definitely going to have an entire episode on just helping people understand the basics of what encryption is and how it actually works. But when we’re talking about encryption, you’re not cracking any of this stuff, unless you know the code, right?
Ryan: So yes and no. In some instances, some of the less mature ransomware gangs have used very weak ciphers and some of their ransomware code that they’ve done, they’re developed and in some of those cases, and it’s been relatively trivial for some expert researchers to reverse engineer what was used. And so yes, some encryption, and in theory, all encryption really can be cracked, as long as you have enough time and enough resources to do all of the testing and all of the brute forcing. And part of the biggest problem is a lot of these encryption ciphers nowadays, even with extremely powerful supercomputers or distributed computing, or even if you were to find a way to wrangle the power of like an extremely sophisticated botnet, something where you’ve got a lot of computing resources to crack away at this, and we’re still talking years, decades, potentially centuries, in some cases, to crack some of these with current technology. So again, are they crackable? Yes, is the likelihood that they’re going to be cracked with any sort of, you know, in any sort of short timeframe or with any ease, it’s pretty, pretty safe to say no, in most of those cases, theoretically…
Brian: It’s uncrackable. Practically speaking.
Ryan: In most cases, where the ransomware tools do get reverse engineered and do get cracked, a lot of times, it’s either because they’re using an extremely old piece of tooling in the ransomware. Or it’s because the ransomware gang itself has had some of their code repository or places where they’re holding some of those secrets, some of those passphrases keys actually gets compromised. And what they’re doing to other people actually happens back to them as their source code, their internal tools are taken by security researchers and then distributed on the internet, saying, “Hey, here’s a tool to help you decrypt all of these things, because we broke into their infrastructure.” You start to get into some interesting legal issues from that side, too. But again, it does happen from time to time that some of these things do get reverse engineered or do get broken, but it’s not something that one would ever want to count upon. The better approach is to certainly put plans in place to protect yourself from it. And to make sure that in the case that it does happen, you’re not counting on either having to pay a ransom or find a key to get back into it, that you’ve got a secondary plan in place to make sure that you can continue enforcing business continuity around the issue instead.
Brian: So where does ransomware then fit in in the overall concept or context of a business getting hacked?
Ryan: So the ransomware, again, ransomware is very rarely ever the first stage of compromise. Ransomware is usually one of the end stages of compromise. That’s kind of the end goal is to apply the ransomware, apply the ransom and collect and then finish whatever the business relationship is there, if you can call it a…
Brian: Business relationship gets business conducted at the end of this meeting, the your signature, or your brains will be on this contract. Yeah.
Ryan: And effectively, I mean, it is it is business. I mean, it’s a billion-dollar industry, you know, so ransomware is a huge business nowadays. It’s a legitimate business and most of our minds, but it is what it is.
Brian: And so it’s this combination of really strong encryption and these ransomware groups’ knowledge of where to look for critical information, and most importantly, what constitutes critical information for businesses, health care, so facilities, even individuals that makes ransomware so disruptive to our modern economy system way of doing things. Absolutely. Well, in a nutshell, there it is. Ransomware 101. Want to thank you for joining us today. Look forward to seeing you again in the future. Don’t forget to subscribe to our podcast, you can do so through your favorite subscription service or on our website. Also, if you have a specific cybersecurity topic you’d like to hear Ryan and I address in our podcast, you can go ahead and send us a message on the Fearless Paranoia website at FearlessParanoia.com. We hope to see you again next time. This is Brian and Ryan, Fearless Paranoia, signing off.

©2022 Fearless Paranoia