Ransomware Readiness 101 - How prepared are you?

Ransomware Readiness 101
– How prepared are you?
Preparing, detecting, and responding to
ransomware in local government

Agenda - Format
Solving our Information Security Language Problem

This is an interactive presentation.
I want you to come away with something real, something tangible.
Do THIS - Go download the Ransomware Readiness Assessment.
https://wp.me/aaDXKz-xl
We’re going to use this in a little bit…
Housekeeping Item #1

IMPORTANT!
Before I get started…
• The World Health Organization states that over 800,000
people die every year due to suicide. Suicide is the second
leading cause of death in 15-29-year-olds.
• 5 percent of adults (18 or older) experience a mental illness
in any one year
• In the United States, almost half of adults (46.4 percent) will
experience a mental illness during their lifetime.
• In the United States, only 41 percent of the people who had a
mental disorder in the past year received professional health
care or other services.
• https://www.mentalhealthhackers.org/resources-and-links/

ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
I do a lot of security stuff…
• Co-inventor of SecurityStudio® (or S²), S²Score, S²Org, S²Vendor,
S²Team, and S²Me
• Made a little, simple, and free ransomware readiness assessment
• 25+ years of “practical” information security experience (started
as a Cisco Engineer in the early 90s)
• Worked as CISO and vCISO for hundreds of companies.
• Developed the FRSecure Mentor Program; six students in 2010,
532 last year, and more than 750 signed up already for this year.
• Advised legal counsel in very public breaches (Target, Blue
Cross/Blue Shield, etc.)
How do we secure America?
AKA: The “Truth”
MANTRA: Information security isn’t about information or security as
much as it is about people. Information security is ALWAYS about people.

UNSECURITY: Information Security Is Failing. Breaches Are Epidemic.
How Can We Fix This Broken Industry?
Published January, 2019

UNSECURITY: Information Security Is Failing. Breaches Are Epidemic.
How Can We Fix This Broken Industry?
Published January, 2019
Russian friend.
Chinese friend.

FREE STUFF
#1 – Most relevant to today’s discussion.
Go get your Ransomware Readiness Assessment - https://wp.me/aaDXKz-xl
#2 – Go get your free S²Org information security risk assessment
– https://securitystudio.com/
#3 – Go get your free S²Me personal information security risk
assessment – https://s2me.io
#4 – Sign up for the FRSecure CISSP Mentor Program –
https://frsecure.com/cissp-mentor-program/
All free, in exchange for feedback and participation.

Ransomware – How Bad Is It?
It’s pretty bad.

It’s pretty bad.
• Everybody knows about Baltimore right? ~$18MM

It’s pretty bad.
• Atlanta was almost as bad. ~$17MM

It’s pretty bad.
• New Orleans? ~7MM

It’s pretty bad.
• Riviera Beach (FL)? $600K (paid the ransom)

It’s pretty bad.
• Lake City (FL)? $530K (paid the ransom)

It’s pretty bad.
• Tillamook County (OR)? Still down – attacked on 1/22

It’s pretty bad.
• Duplin County (NC)? Still down – attacked 2/3

It’s pretty bad.
• Racine (WI)? Still down – attacked 1/31

It’s pretty bad.
Most of them thought they were fine. Like you and
me, I suppose.

It’s pretty bad.
Most of them thought they were fine. Like you and
me, I suppose.
But, you’ve got “cyber” insurance right? So no big.

It’s pretty bad.
• In the 4th quarter of 2019, FRSecure responded to 19
incidents, and most of them were ransomware.

It’s pretty bad.
• And are you ready for the next thing?

It’s pretty bad.
• And are you ready for the next thing?
The next thing(s) are combination
ransomware/extortion attacks.

It’s pretty bad.
Source:
https://www.coveware.com/blog/2020/1/2
2/ransomware-costs-double-in-q4-as-ryuk-
sodinokibi-proliferate
OK, great. Now what?!
Simple (sort of). Get ready.

The Ransomware Readiness Assessment
WISDOM: Plan for the worst, hope for the best.
• Originally created in 2017
• Nothing has changed.
• Same attack vectors
• Same preventative controls.
• Same detective controls.
• Same responsive controls.
• Same corrective controls.
• No matter what you do, you will not be able to prevent all
bad things from happening. This is NOT the goal anyway.
• The name of the game is risk management (possible) and
NOT risk elimination (impossible).
• Assess the problem before trying to fix the problem.
Free and open source. Released under the
Creative Commons License.

Keyword “simply”.

Can’t manage what
you can’t measure.

Can’t manage what
INCOMPLETE (until
it’s not)

Can’t manage what
INCOMPLETE (until
it’s not)
Need a translation for
the “normal” people

Six tabs containing
sections that correlate
here.

Six tabs containing
sections that correlate
here.
Six Sections:
1. Clients
2. Storage
3. Practices
4. Antivirus
5. Network
6. Servers

Client Systems

Client Systems
Key Risk Indicators are
red.

Client Systems
Key Risk Indicators are
red.
Just answer “Yes” or
“No” (25 questions)

After all questions are
answered, a score is
calculated.

After all questions are
answered, a score is
calculated.
If you don’t know the
answers, then this is a
great education tool.
You should know.

Back on the dashboard,
scores have been
updated.

Storage

StorageOnly seven questions
here!

Same thing. Score after
?s are answered and an
updated dashboard.

10 questions about
“Practices”.

10 questions about
“Antivirus”.

13 questions about the
“Network”.

Finally, nine “Server”
questions.

FINAL RESULTS?!
Back to the Dashboard.

FINAL RESULTS?!
Back to the Dashboard.
I was sort of hoping for
better than “Poor”.
Give me hope and a dollar, and I’ve
got a dollar. Need action too!

Quick recap of KRIs.
1. Stay up to date with all software (OS, applications, etc.).
2. Do backups, protect your backups, and (PLEASE) test your
backups often.
3. Establish solid incident response capabilities (policy,
procedures, training, testing, etc.).
4. Default deny is your friend.
5. Restrict permissions/privileges everywhere. Someday,
you’re going to have to get your hands around this.

backups often.
This won’t get your files or
systems back.

backups often.
This won’t get your files or
systems back.
But this will.

backups often.
Multi-factor authentication, especially for (or starting with) externally
accessible systems.
There are ZERO acceptable reasons for not protecting external resources with MFA.
ZERO as in NONE or NO or NADA or NIL or ZILCH.

Takeaways…
1. Don’t just rely on experience or “gut” feel.
2. Plan for a ransomware attack. It’s more likely than you
think.
3. The Ransomware Readiness Assessment is just a guide.
4. The Ransomware Readiness Assessment is a learning tool
for you, your colleagues, and others.
5. Don’t assume anything. (empty spaces always get filled)
That’s it.

Thank you!
Where you can find me…
Personal Website: https://evanfrancen.com
UNSECURITY Podcast (weekly)
Twitter: @evanfrancen
LinkedIn: https://www.linkedin.com/in/evanfrancen/

Ransomware Readiness 101 - How prepared are you?

Recommended

More Related Content

Similar to Ransomware Readiness 101 - How prepared are you?

Similar to Ransomware Readiness 101 - How prepared are you? (20)

More from SecurityStudio

More from SecurityStudio (6)

Recently uploaded

Recently uploaded (20)

Ransomware Readiness 101 - How prepared are you?