Cyberattacks: Your Data in Danger
RadioEd is a biweekly podcast created by the DU Newsroom that taps into the University of Denver’s deep pool of bright brains to explore new takes on today’s top stories. See below for a full episode transcript.
Recently, hackers successfully targeted the country’s largest fuel pipeline, the world’s largest meat processor and the New York City transit system. One company even paid the hackers nearly $5 million to recover its stolen data. In the wake of these cyberattacks, the White House warned companies to increase their cybersecurity and formed a Department of Justice task force, which was able to recapture that ransom money. DU cybersecurity professor Nate Evans discusses what makes a company vulnerable to an attack, how companies weigh the decision to pay ransom and why we are seeing a spike in cyberattacks now.
Show Notes
Nate Evans is a teaching assistant professor in the Ritchie School of Engineering and Computer Science's cybersecurity program.
More Information:
- New York Times: "Majority of Colonial Pipeline Ransom Recovered, Justice Dept. Says"
- Bloomberg: "Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom"
- Bloomberg: "All of JBS’s U.S. Beef Plants Were Forced Shut by Cyberattack"
- New York Times: "The M.T.A. Is Breached by Hackers as Cyberattacks Surge"
- Department of Justice: "Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside"
Transcript
Alyssa Hurst:
You're listening to RadioEd.
Nicole Militello:
a University of Denver podcast.
Lorne Fultonberg:
We're your hosts, Lorne Fultonberg.
Alyssa Hurst:
Alyssa Hurst.
Nicole Militello:
And I'm Nicole Militello. After several high-profile recent cyberattacks, the White House is now warning that businesses need to up their security measures to protect themselves and their customers. In the past few weeks, we've seen the country's largest fuel pipeline shut down for five days, creating gas shortages and chaos in the Southeast after a cyberattack. The company ended up paying the hackers almost $5 million to recover the stolen data. And now, a new cybersecurity task force just formed by the Department of Justice found and recaptured the majority of that ransom.
Nicole Militello:
In two other recent cyberattacks, production at the world's largest meat processor was targeted, along with the systems used by New York City Transit, which oversees the subway and the buses. I talked with Nate Evans, a professor in the University of Denver cybersecurity program, about what makes a company vulnerable to an attack, how companies weigh the decision to pay ransom and why we're seeing a spike now. First, we start with the basics. He explains what a cyberattack is and how it happens.
Nate Evans:
It's really whenever somebody is running something on a computer that they're not supposed to. Typically how they happen is, people write software and unfortunately all software has vulnerabilities in it. So people make mistakes when they're writing code, despite all of our best efforts. Right? And the attackers, hackers, bad guys, whatever you want to call them, are able to exploit those vulnerabilities in order to, again, execute something on a system that they're not supposed to.
Nate Evans:
So typically the ingress point is going to be a combination of human error and a software vulnerability. Not always, but in a large number of attacks, the starting point is somebody sending you a phishing email, which I'm sure you're familiar with, where there's a malicious link or a malicious file. But then when you click on it, or open it, or whatever, it's going to exploit some vulnerability that's nascent on your system. And then that gives you access.
Nicole Militello:
Can you explain how ransomware attacks fit into this conversation on cyberattacks?
Nate Evans:
Yeah, ransomware is just a specific type of cyberattack. So again, any kind of malicious software that's running on somebody's system would be considered a cyberattack or a cyber intrusion or whatever. And ransomware is just a very specific kind of cyberattack, where essentially an attacker's software is going to either delete all the files that are on your system, or most commonly encrypt all of the files that are on your system. And the stuff is still there, but you don't have access to it anymore, even though it's on your own computer.
Nate Evans:
So then, the point of ransomware, typically, is to sell you the decryption key or sell you your data back. And then, I guess, another motive might even be not to restrict your access to your data, but maybe threatening to reveal your data to someone else. So, if I am an attacker who gets hospital records, right, you are going to look pretty bad as the hospital administrator if all of your data gets put on the internet. So, sometimes ransomware is just, if you don't pay us, we're going to release this information to everybody.
Nicole Militello:
So is there typically a general motive behind this? Or does it just vary from attack to attack?
Nate Evans:
It varies from attack to attack, and it also varies based on who the actor is, the threat actor. So if we're talking specifically about ransomware attacks, typically, those are financially motivated. There's not so much where it's somebody trying to exert political pressure or perform cyber espionage, although of course, that's a possibility. But, again, because these attacks are so in your face with ransomware, it's pretty obvious that the goal is financial. So, if you had a threat actor that was a nation state, for instance, that has a huge amount of resources and are very highly focused on a specific company or sector, or maybe trying to steal some particular information from another government ... Usually those attacks are a lot more stealthy. And so we don't hear about them necessarily as much, because again, they might only target one or two individuals, or one or two companies, and they will not be so brazen to say, "We're here and you need to pay us." But they'll just hide in the network and very slowly extract information that they want or something like that.
Nicole Militello:
Okay. So sometimes you might not even be aware of the cyberattack happening?
Nate Evans:
Yeah, in a lot of cases. And I actually think that the numbers that we see about the different types of cyberattacks are pretty skewed. Sometimes we get reports from cybersecurity companies who maybe have a pretty good picture, but there's a lot of attacks that either aren't detected or aren't reported, because again, attackers might be in your system for months or even years in some cases without being detected, either because the cybersecurity practices at that company just aren't very good, or the attackers are just really focused and really good at what they do. So yeah, there's definitely attacks that nobody knows about. And then there's also no requirement in many industries for companies to report if they had a cyberattack. So, in addition to companies that don't realize that they're being attacked, they might be attacked, but they don't want to lose face, so they're not going to report it to the public. Right?
Nicole Militello:
Interesting, yeah.
Nate Evans:
Yeah. There's a lot of things we don't see, I think.
Nicole Militello:
Yeah. And so we've seen several headlines about all of this recently. Why do you think those specific companies were targeted? Or what made them vulnerable?
Nate Evans:
I guess I would start by saying that ransomware attacks, the kinds that we have seen, are typically not specifically focused on a particular business or industry or sector or whatever you want to call it. They're more just a scattershot approach. They don't care who they attack because they're really just trying to get money out of it. The obvious reason that the companies that do get breached or attacked are, is probably because their cybersecurity defenses aren't very good. Maybe they don't have enough resources devoted to protecting their networks, or they don't follow cybersecurity best practices.
Nate Evans:
Again, I really don't think that they're being targeted based on attackers saying, "Boy, we really want to take down the meat distribution industry in the world," or something like that. So I think it's usually just they're going for the low-hanging fruit. They will send out mass phishing emails when a new vulnerability is discovered and whoever clicks on the link or goes to the website that's malicious, they'll then try to attack. And I really think it's more like that. It's picking off whoever they can, as opposed to specifically targeted attacks.
Nicole Militello:
And we know with the Colonial Pipeline, they paid the hackers nearly $5 million. So what's the risk of giving in and paying that kind of money? And how does a company weigh that decision?
Nate Evans:
That's a great question. I think for most businesses, it's going to be strictly a cost-benefit analysis where they say, if we're down for a day, we lose X amount of dollars and the ransom is Y amount of dollars. So if the amount we're losing is more than the amount of the ransom, maybe we should just pay it, because then we'll be back in and being operational immediately.
Nate Evans:
So the first part of your question is, what are the risks? The main risk is you pay them and then they don't unlock your files or give you access back. And that happens in some cases, where the ransomware group maybe even just disappears. Either they got spooked, because there was worldwide attention paid to them or something, where they just go away. But in most cases, if you pay the ransom, you do get your information, your access back.
Nate Evans:
But another thing, even if you get your data back, you don't know that the attacker is gone. So you have to assume that they still have access to your systems, even if they give you your information back. And that means that once you're operational, again, you still have to start over and burn your computer systems down to the ground and start over from scratch, because there's no real way to know that the attackers are out.
Nicole Militello:
It just seems like a slippery slope, because you're sending the message that you are willing to do business with them. And it gives hackers more of an incentive, that this does work and we should target whoever we can, because maybe they'll pay us the money.
Nate Evans:
Right. Yeah. And it's almost win-win for attackers, because they can just scattershot. Like I said before, just send out all these emails or scan all of the systems and see what they're able to access. And if somebody refuses to pay and they rebuild their systems from backups, okay, so you didn't succeed in that. But maybe there's 100 other companies that you're attacking at the same time that would be more willing to pay.
Nicole Militello:
How does cybersecurity in general work in the United States? Is it just a company-by-company basis? Is there some national guidelines for how companies should be protecting themselves against these attacks?
Nate Evans:
Yeah, that's a really good question. It depends on your industry, is the short answer. So there are national guidelines. Lots of different government agencies put out different guidelines, but there are only specific sectors that have legal regulatory requirements for specific cybersecurity best practices. So, healthcare is one where there are requirements for storing and transmitting patient data, and for securing systems in which patient data lives. So, that's one industry where there are pretty strict requirements. It doesn't stop everything. And another industry is the financial sector, which also has requirements for payment processing and payment data, where you have to have certain cybersecurity minimums in place in order to do business. But most of the industries and businesses are just ... Whether or not they take it seriously and whether or not they implement the best practices, there have been some attempts. I think maybe 10 years ago, there was an attempt to make more stringent requirements for critical-infrastructure businesses that didn't actually get put into law. But yeah, there are no across-the-board requirements that everybody has to follow.
Nicole Militello:
I was reading a lot about the recent attacks and a lot of people were saying that there's really no excuse for these big wealthy companies to have these kinds of cyber breaches, because they do have the money to put effective cybersecurity in place. And I was just curious what you thought about that?
Nate Evans:
Yeah. I think that's a harsh take, to be honest, because if an attacker is resourceful enough and focused enough and motivated enough, they will be able to breach any system. So no matter what you do ... Like I think I started by saying, there's vulnerabilities in every piece of software. So there's no way to perfectly protect all of your systems. There's always things that are going to get through. There's also a lot of human error involved. Again, you see some estimates that 70% of cyberattacks start from a phishing email. And that's highly related to human error. Right? A person clicking on something because they think it's a legitimate link or legitimate file. And there's really nothing you can do other than education to prevent that.
Nate Evans:
And then there's also attacks that start from an insider threat. So if somebody inside of your company is disgruntled or maybe trying to perform a ransomware attack against you, they've infiltrated your ranks and they already have access. So there's nothing you can do to prevent that. So I don't think it's fair to say that if companies paid more money then they would be immune to these types of attacks. I think it would reduce the incidents, of course, but I think it's too harsh to say that it's all their fault.
Nicole Militello:
Recently, the Department of Justice just created a task force focusing specifically on cybersecurity, and they noted the growing threat that ransomware poses. And I was just curious, what's behind that growing threat? Why are we seeing a lot more of these attacks now, or hearing more about them?
Nate Evans:
One thing would be that these are high-profile attacks and they seem to be working in a lot of cases. Again, people look at that cost-benefit analysis and say, "I want my systems back up and running today, and the only way to do that is to pay." So in some cases, unfortunately the ransomware attacks are successful. And, it's also hard to track down and prosecute the ransomware actors and there's a lot of different reasons for that. But, it's hard to figure out who exactly is perpetrating these attacks and to actually shut them down. So again, they're working.
Nate Evans:
I think another reason is that ransomware attacks are really easy to perpetrate nowadays. So you can buy software that performs the actual attack, encrypting all the files on a system or exploiting vulnerabilities. And then, from deleting the files or transferring them or encrypting them or whatever ... You can buy that stuff for pretty cheaply, something like $500 for software that can perform these kinds of ransomware attacks. And then you just have to get entry into a system and you deploy the software that you purchased and it'll do everything else for you.
Nate Evans:
Even worse, there's what are called ransomware-as-a-service groups out there, which a couple of the high-profile attacks that we've recently seen are these ransomware-as-a-service, not companies, but organizations, groups, whatever you want to call them, where they will essentially bundle up the software that's going to do the actual ransomware attack. So, say, encrypting all your files. And then they'll also deal with like the payment processing on the backend. So, deploying a Bitcoin wallet or Bitcoin address to get payment. And then also monitoring when that payment gets made, and then unlocking the files. They'll basically do everything for you, and you essentially just have to contract with them to use their software, and then they get a cut off the top. So there's a low barrier to entry, I guess, is another one of the main reasons.
Nicole Militello:
What changes do you think we need to see to better enhance cybersecurity?
Nate Evans:
So a big one would be, I think, education. Again, user error is a reason for a lot of attacks. It's the starting point for a lot of attacks, with the phishing emails again, which I've been a broken record about that. But it is a huge entry point. So, teaching people what information to trust in an email or on a website. I think there's still a large gap there, because people, when they receive an email ... If you receive a Word document from somebody that you don't know, you shouldn't open it. And even if it is from somebody that you think you know, there's ways to look at the email headers to make sure that it is, in fact, from the person that you thought it was. And you might even go as far as saying, "If I receive a Word document or PowerPoint from Nicole, maybe I should call Nicole and say, 'Hey, did you really send me this file?'", which I don't think anyone does in most cases. But that might be the only way to really be sure that it is from somebody that you expected.
Nate Evans:
Another thing, I think perhaps, regulation would help. Making some minimum requirements for companies for their cybersecurity posture. I don't think it could hurt. Then, of course, enforcing those requirements becomes really difficult, because you essentially have to audit all these different businesses to make sure that they are up to the standard. And so that might be a huge administrative burden on the government or whomever is required to do these things. Again, related to education, I think if companies took a more active role in ensuring that they are somewhat secure, performing security audits on a yearly basis, having penetration-testing teams come in and tell them where perhaps they have weaknesses, just a more security-first focus, would be great. But I don't know how we make that happen. The only people who can do that are the people in charge of those businesses. So it's possible that all the news around this will make that happen, but it's hard to say, and maybe regulation would help there as well.
Nate Evans:
The last thing I'll say is in designing software and designing applications. If people took security as a more first-class problem, instead of not thinking about security until their program or application is complete, would be great. So in software engineering, baking in cybersecurity into the design process and the build process and testing would be great. Again, you can't prevent all software errors or all software vulnerabilities from happening. But if you think about security earlier on in the process, then you'll make better software and that would reduce some of the impact.
Nicole Militello:
And we've talked a lot about the impact that these attacks have on businesses, but what's the impact for consumers, especially when it might be their personal information that they've trusted a company with?
Nate Evans:
Yeah. Unfortunately, that's what the real impact is, in addition to taking a business down. When data gets leaked, it's individuals' data. So, once your credit card number, social security number, address, even just your phone number, gets leaked on the internet, then you are at risk for things like identity theft or receiving something just annoying, like spam phone calls or spam emails, those kinds of things. But yeah, the individual is really who loses in a lot of these things, especially when it's medical software, medical data-related breaches that people really lose out.
Nate Evans:
And, unfortunately, there's not much you can do once you give a company your information. So, you go to the doctor and you tell them everything about you and you just are hoping that they have good security practices and that your data doesn't get leaked. And you're doing that all the time. Whenever you sign up for anything on the internet, or give your payment information to purchase something on the internet, you're at risk of being breached. And you can do things, like not giving out your information, or not going on the internet, or not purchasing things on the internet. But that's not realistic for most people, so you are at the behest of companies handling your data.
Nate Evans:
So if people were more worried about what companies were doing with their data, which in the US we're especially bad, seemingly, at caring about our privacy and security of our information, then we could make companies be more accountable for what happens when you lose your data. If a company gets breached and your data gets put on the internet, if everybody stopped buying things from that company, then they would go out of business. The market would speak again. But yeah, we are at the behest of whoever we give our information to. And we're the ones who lose out in the end.
Nicole Militello:
To hear tips from Nate Evans on how you can best protect your personal data, visit our show notes at du.edu/radioed. Alyssa Hurst is our Executive Producer, Tamara Chapman is our Managing Editor and James Swearingen arranged our theme. I'm Nicole Militello and this is RadioEd.