“It’s not the crime, it’s the cover-up,” is a phrase that was popularized during the Watergate scandal in the 70s. At the time, it was in reference to President Nixon lying to the American public about his knowledge of the wrongdoing—and as we all know, the cover-up led to his eventual resignation from the presidency.
A couple of weeks back, Uber CEO Dara Khosrowshahi revealed a cyberattack his company fell victim to back in October 2016, one that certainly falls under the category of scandal. Sometime in 2016, two hackers obtained Uber's AWS credentials through GitHub (GitHub is a cloud-based code repository for developers). The hackers then went to AWS and downloaded 57 million user accounts, including driver’s license numbers for 600,000 Uber drivers.
After downloading this goldmine of data, the hackers contacted Uber to discuss ransom terms. The final settlement? Uber would pay the hackers $100,000, under two conditions: first, they had to destroy the stolen data (and “double promise” they did this). Second, they couldn’t tell anybody. Cyber hands were shaken, payment was made, and everybody went on their merry way.
As we all know though, bad things do happen to good people. Today’s organizations face the real risk of being attacked and having data held hostage. In a survey Ponemon Institute recently published, 61% of respondents reported falling victim to a cyberattack. 54% of those suffered a breach of customer and/or employee data as a result. If that wasn’t enough, respondents saw a staggering 26x increase in ransomware attacks. 52% of cybercrimes reported were attributed to ransomware, compared to just 2% the previous year.
I’m not paranoid, I know everybody is out to get me
Thinking that Martians are infiltrating society and taking over the world is not a productive way to live your life. On the other hand, thinking that your data center is extremely vulnerable and using that paranoia to guide your cybersecurity strategy is good. This should lead to a more comprehensive plan that considers protection, detection, mitigation, and recovery.
Smart IT organizations consider security from the ground up: CPUs, servers, virtualized platforms, applications and data. For applications that are hosted in the cloud, those smart IT organizations are even more deliberate in ensuring security mechanisms—for the sake of intellectual property (IP) and customer data.
Unfortunately, many other IT organizations are less vigilant. There’s an assumption that infrastructure, operating systems, and applications are inherently secure. That collective logic leads to putting trust in cloud providers and sites like GitHub to fully protect IP and data. This attitude of “it’s in the cloud – it must be secure,” is what leads to exposing network credentials and not encrypting data. To be clear—Uber’s breach was not a failing on the part of GitHub or AWS. Uber’s breach was the result of an organization that was lax in its approach to security.
The best offense is a good defense
Ubergate should be a reminder of our vulnerability. Hackers are for hire. Malware can be purchased and customized for a small fee. Search the dark web and you can find pricing sheets for data theft. Because of this growing threat, developing a living strategy is critical. Look to third parties that specialize in cybersecurity and can offer an outside perspective.
A critical part of any cybersecurity plan is recovering from ransomware attacks. The Federal Bureau of Investigation (FBI) has a very useful guide that should be read by every Chief Information Security Officer (CISO). From that guidance, there are three things I’d like to highlight:
- Having a thorough data recovery plan is key. Because of the nature of cyberattacks, I would suggest using a Disaster Recovery as a Service (DRaaS) provider. Housing data offsite with a provider that breathes data protection is a smart move. Cloud services like Microsoft Azure provide this service, as do many cloud-based data protection services such as Carbonite.
- Notifying your local FBI office in the event of an attack is critical. There are teams dedicated to cybercrime, and you may find federal involvement alone can scare away less sophisticated hackers.
- Seriously weigh the pros and cons of paying a ransom. The FBI has found very mixed results regarding payment of ransoms: sometimes it results in retrieval of data, sometimes it doesn’t. Sometimes payment encourages those very same hackers to attack an organization repeatedly.
Don’t be the next ‘gate’
Hacks are going to happen. Even the most vigilant IT organizations can’t protect against an employee opening a phishing email or inserting a dirty USB stick into their laptop. The response to these events is what separates a responsible company from the next Ubergate. Stay paranoid.