In a recent podcast interview with Cybercrime Magazine's host, Charlie Osborne, Scott Schober, Cyber Expert, Author of "Hacked Again," and CEO of Berkeley Varitronics Systems, discusses how poor corporate remediation of vulnerabilities can be a material risk factor. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Charlie: Scott, welcome to the podcast.
Scott: Oh, great to be with you, Charlie.
Charlie: Today, we're going to be discussing some recent cybersecurity stories that have made the headlines.
So, let's start with an analysis of vulnerability data of more than 7,000 companies rated by S&P. Now, according to the company, poor corporate remediation of vulnerabilities can be a material risk factor with 4 out of 10 organizations saying they fix known system flaws infrequently. Scott, what are your thoughts on this and is patching really such an issue?
Scott: I do think patching is a huge issue, and I'm glad they have these stats for us to just kind of think about. What it really helps us to appreciate, I think, is that companies are not prioritizing this, and they put it off. And maybe we've been guilty of it even as a consumer. If we see, hey, there's a security patch available for our OS, or for a particular app, or a mobile device, whatever it is. And we say I'll do it later, tomorrow, whatever. We get complacent. And I think that same thing we see in these companies that S&P reported on here, these 7,000 companies, because 40%, I was very surprised. And it's over 40% that are not actively remediating these vulnerabilities, or infrequently or not at all. That's a huge percentage. And I guess the other side of the coin we have to look at—Well, what happens if you don't do this? What kind of risk does this then present to companies? I think the problem is that there's been known vulnerabilities that have been exploited where malicious software can come down onto the system. They can control the system, take over, and they steal data, they could shut the system down, all by this malware getting onto different networks, and it could pose a big problem for these large corporations, and it will affect their bottom line. So I think they need to be more aware of this, and they need to be more proactive, so they can remediate these vulnerabilities quickly and update patches as soon as it's possible.
Charlie: I'm glad you mentioned the bottom line because there's also another facet of this. And I'd like to know whether you think security has a material impact now on an organization's value, reputation, or even attractiveness to investors.
Scott: It's a brilliant question. I think about that, and I've written about this in the past, and I think it's a really interesting subject because when you look at the brand of a company—and I look at some of these larger organizations—some of them that we know very quickly, and we see their logo, we hear their name, the jingle, whatever it is. It took them decades sometimes to build the brand, to build the customer loyalty, to build that trust factor. Now, when they are targeted, hacked, when vulnerabilities are exploited, they're victims of a cyber breach, that brand and trust erodes quickly. Shareholder value can erode quickly, and a lot of it has to do with how quick the company and the brand can respond by clearly informing the end users—"Hey, guys, here's what happened, here's how it happened, here's what we've done so it doesn't happen again. And here's what we're going to go doing forward to protect your data that maybe was compromised," or whatever else, be it free credit monitoring or changing passwords, or other tips and recommendations that will be proactive within the company, as well as to their shareholders and customers. So I think brand is everything these days. I mean, I know as a company we're in business now over 52 years. We work hard every day, building our brand, building our customer base, building trust in our customers. When we're victims of something such as a cyber breach or other attacks, which we have been, that's foremost on our priority. We got to get out there and contact and communicate effectively with our customers what happened and reassure them. Hey, we're still here, and we've got their back. And I think that's so important with a lot of these companies to your point of building and keeping that brand strong.
Charlie: Now let's move on to a rather notable data breach that was reported in October. So a ransomware group, INC Ransom, took responsibility for an attack on Arizona hospice pharmacy services provider, OnePoint Patient Care.
Nearly 800,000 people were impacted with the exposure of their data, including names, addresses, medical record numbers, and social security numbers. Scott, if cybercriminals are willing to go after hospice care providers, is anyone safe?
Scott: That's a great point. No, not exactly, because they kind of, in my opinion, they've crossed that line when they're going after hospitals, pharmacies, doctors, all of this, where they're really going after, I should say, the big data, the medical record information, prescription details, things about us that are very personal. That personal information is far more valuable than, you know, typical breaches. They get your name and your address, and maybe your social security number, maybe your credit card, and could be sold on the dark web for a couple bucks. But here, in this particular case, with 800,000 individuals affected, their medical personal information has been compromised. That's extremely valuable. That could be worth hundreds, if not thousands, of dollars per compromised individual. And the question is, why? Because they can use that information for false claims. They could put a false claim that this procedure was done. These particular prescriptions are needed, and then they could use that to leverage further money and sell that information, and that becomes very powerful.
So I think, when they exfiltrate that type of sensitive data, and they use that, be it in a ransom, or just take it and sell it on the dark web. In particular, the healthcare industry really pays dearly, and in turn, we, as a consumer that go to the hospital that go to the doctor that take out prescription drugs—it affects us. It could affect our health care. Maybe if we're rushing to an emergency room, and we can't go under a particular surgery or something, or we can't get our prescription, or it's just we're victims as a result of the higher cost of insurance premiums in the healthcare sector as a result of all these payouts, because a lot of these healthcare companies are caving and they're paying that ransom. And that's just driving up the cost for business for them in turn affecting us consumers.
Charlie: And on the topic of ransomware, a Russian court has recently sentenced 4 members of the REvil ransomware group. Can you tell us a little bit about them and whether or not the charges levied against them, reportedly including payment card fraud and malware distribution, are enough?
Scott: Unfortunately, it's never enough. And why do I say that? Because in this particular case, REvil, we've heard about them in the headlines in the more recent headlines, and they're a notorious gang, and they're ruthless. They're very successful. Now, the fact that they receive prison sentence in Russia. I mean, I commend that. That's an acknowledgement, I guess. Hey, these are the bad guys, lock them up. 4 and a half to 6 years is not that much time, and my guess is they'll probably get out earlier than that. And in many cases, the corruption in prisons allows cyber criminals and bad guys to still orchestrate business behind bars. And that's part of the problem. So yeah, it's a slap on the wrist. But it's good. There was some cooperation between the U.S. and Russia in doing this here, I guess, but being the fact that they're charged under Russian law, I personally question: Was enough done? Could more be done? And I'm assuming the answer is probably yes, because I've talked about our REvil Ransomware many a times, and many others, too, that have reported on it. So I'm afraid it's just they're going to resurface, probably under a different name, after they serve a limited sentence, probably less than this, and start the game all over and come back with even more fury, unfortunately.
Charlie: And I'm glad you mentioned that U.S. and Russian authorities work together on this, and I wanted to know whether you think current geopolitical tensions are making tackling ransomware, or perhaps cybercrime itself as an industry, a more difficult prospect.
Scott: Absolutely, because communication is the key. Even within the U.S., there's been a tremendous push for public and private to communicate, to share information, and this isn't just information. Hey, this company's been attacked. Sometimes this is, hey, here's the key to unlock this ransomware because it's encrypted. Hey, here's the tactics that one particular cybercriminal gang is using, here's how we can counter it. So, when the private and public sectors within the U.S. work together, they could be more than twice as strong. The same is true with countries. If the U.S. and Russia could play fairly, that would be fabulous, and they could actually minimize and stop some of these large-scale attacks and some of these large ransomware groups. Unfortunately, my fear, and I think it's kind of played out in the news. We see that Russia will quickly deny any involvement or any support to many of these State-sponsored groups, and I think they're getting a lot of support from the Russian Government indirectly, and when you have that type of support, they could be extremely powerful and accomplish a lot of things. Not just against the U.S., per se, but perhaps even against Ukraine, perhaps against other maybe NATO countries that are allied to the U.S. So it's dangerous, and it needs to be worked out. But unfortunately, because of the Ukraine conflict that's ongoing with Russia right now, I think it's going to take a while. If that were to resolve peacefully, then perhaps U.S. and Russia, and other countries could kind of get into more deeper talks, and how to prevent some of these ransomware from spreading so bad and lock up some of these gangs that are really causing so much problem.
Charlie: And as our final noteworthy piece of news for this episode, I'd like to discuss a new Five Eyes initiative. Now, the Five Eyes Intelligence Alliance, which comprises of agencies from the United States, United Kingdom, Canada, Australia, and New Zealand, have recently released some new security guidelines to help small businesses protect themselves. Do you have any advice for small businesses when it comes to managing the risks of cyber-attacks?
Scott: Oh, yeah, tons of advice, but maybe just a couple points to share. And this is brilliant, that the Five Eyes Security and Innovation here, giving small businesses guidelines is a great starting point. They need to build upon that, I think, because I keep saying that cybersecurity is all of our business, but especially small business owners. They need to instill within their organization, and this can be from the janitor up to the CEO, really a good cybersecurity posture where everybody understands, respects, and builds everything from the simple things like strong passwords, not reusing passwords, really implementing two-factor, multi-factor authentication for all remote access. That's really key, I think that people do that, and it really creates a good cyber hygiene. And it's really getting everybody on board and even doing some simulated things, simulated phishing attacks, testing employees, educating employees and rewarding them when they're going through this process of learning. Why? Because then they're savvy, cyber-savvy. When you think about something, before you click, you stop. You ask a question. Is this really from my boss? Does he really want me to buy gift cards, or does he really want me to transfer this amount of money? Stop thinking and check and ask these questions. And that's really what, in a sense, I think this innovation guideline does. It starts getting you to ask the questions.
Charlie: Scott, thank you for taking the time to talk with us today.
Scott: Oh, wonderful to be with you, Charlie.
Tags: Podcast
December 3, 2024