Posted on Monday, October 03, 2016 in Cybersecurity. Blog written by Rob Swenson
The three toughest days in Thane Barnier’s professional life came in 2013, when he had to fight a nasty variety of ransomware.
Barnier is the IT and web development manager for the Sioux Falls Area Chamber of Commerce, which ultimately had to pay $300 to save its primary membership database.
The battle began when an employee on the Chamber’s network clicked on a fake email disguised as a FedEx receipt. Unfortunately, the employee didn’t report the incident to IT for four hours. By then, problems had spread. Hackers encrypted more than 200,000 files on six network shares and held the information hostage.
The Chamber had 72 hours to pay or permanently lose the electronic files.
Barnier and the staff worked for 48 straight hours restoring files, but they were unable to recover the organization’s primary membership database. So the Chamber paid the ransom in untraceable electronic currency and successfully decrypted its information.
“If it had been anything but our main membership database, we’d have taken the hit and not paid the ransom,” Barnier says.
The Chamber network had a new backup system in place at the time of the attack. Software indicated the system was working, but it wasn’t working properly, and Barnier says the software company offered no additional support.
Now, the Chamber network has a three-tiered backup system, which effectively protected it against an attempted second, major ransomware attack in 2015.
A saving grace in the attacks was that no Chamber data was stolen or leaked, Barnier says. In addition, the attacks have served as a good, real-life example for training Chamber employees, member businesses and others.
“I look at these two incidents – really the only two major incidents we’ve ever had – and we had the safeguards in place to recover. In one instance it worked, and one it didn’t,” Barnier says. “My point is, you can spend hundreds of thousands of dollars on security and still not be secure if you don’t educate your users to protect themselves.”
Businesses should take steps in advance to keep ransomware attacks from infecting their networks. Tools such as good firewalls and antivirus are important layers in protecting networks. Barnier also encourages businesses to have redundant systems in place to back up electronic data.
The most important and difficult element in protecting a network is to effectively train employees. He says everyone must be part of the security process.
Barnier compares computer networks to medieval castles protected by thick walls. Attackers can try to go over, under or through the walls. But the easiest route to success would be for the attackers to convince someone on the inside to open the gate and let them in.
Opening the doors to computer networks is what modern-day social engineering is all about. Hackers play on people’s natural tendency to trust others and use deception to get inside organizations’ networks.
Phishing is a common type of social engineering in which the sender tries to acquire personal information, such as login credentials. Email scams, such as the fake FedEx email that the Chamber received, are also a prime example of social engineering. Fake emails have been a primary weapon in hackers’ arsenal ever since email started becoming popular.
“The best way to protect yourself is to think before you click. Are you expecting an email from this person or company? If you don’t know the sender, never open the attachment, especially if it is a .ZIP or .EXE file,” he says. “Even if you know the sender of the email, are you expecting a file from them, or is this out of the blue?”