CMTC's Shifting Gears

Season 10 Episode 1 - Exploring Ransomware Prevention and Recovery

Posted by Rachel Miller

Episode Show Notes

Episode 1 features Buzz Thomas, Managing Consultant of Cyber Physical Security Services at CMTC. Buzz explains what ransomware is, where it comes from, and who is most at risk of an attack. Buzz also explains the most common ways ransomware hackers gain access to SMMs’ networks as well as tools available to SMMs to help them increase their level of security. 

Buzz Thomas is Managing Consultant of Cyber Physical Security Services at CMTC. Buzz has over 25 years of executive operational experience in areas requiring extreme cyber security discipline including emerging technologies, defense manufacturing, aviation, critical infrastructure, and telecommunications. Buzz’s expertise includes multitudes of certifications in Cyber Security, Cyber Ranges, Threat Hunting, Threat Intel, Business Continuity Planning, Disaster Recovery, Software Development, Infrastructure Design/Deployment and Cloud security.


00:00:00 - Introductions

00:01:15 - Definition of ransomware

00:03:55 - Where ransomware originates

00:06:01 - Why SMMs should be concerned about ransomware

00:08:12 - Likelihood of being able to access your system and have data restored after paying a ransom

00:09:48 - How ransomware is introduced into your system

00:12:51 - Simple, practical steps to take to assess risk

00:15:53 - Cost of risk analysis tools

00:16:52 - Steps to take after risk assessment

00:21:59 - What to do if hit by ransomware prior to implementing controls

00:23:49 - Types of machines ransomware can invade

00:30:25 - Risk of being targeted according to type of industry

00:31:59 - How to determine which software or hardware is safe

00:35:04 - Advice for SMMs who want to increase cybersecurity but feel overwhelmed


Gregg Profozich [00:00:02] In the world of manufacturing, change is the only constant. How are small and medium-sized manufacturers (SMMs) to keep up with new technologies, regulations, and other important shifts, let alone leverage them to become leaders in their industries? Shifting Gears, a podcast from CMTC, highlights leaders in the modern world of manufacturing, from SMMs to consultants to industry experts. Each quarter we go deep into topics pertinent to both operating a manufacturing firm and the industry as a whole. Join us to hear about the manufacturing sector's latest trends, groundbreaking technologies, and expert insights to help SMMs in California set themselves apart in this exciting modern world of innovation and change. I'm Gregg Profozich, Director of Advanced Manufacturing Technologies at CMTC, and I'd like to welcome you. In this episode, I’m joined by Buzz Thomas, Managing Consultant of Cyber Physical Security Services at CMTC. Buzz explains what ransomware is, where it comes from, and who is most at risk of an attack. Buzz also explains the most common ways ransomware hackers gain access to SMMs’ networks as well as tools available to SMMs to help them increase their level of security. Welcome, Buzz. It’s great to have you here again today.

Buzz Thomas [00:01:11] Hey, Gregg. I really appreciate it. I’m glad to be here, too.

Gregg Profozich [00:01:15] Buzz, I’m really excited about our conversation today. I’m looking forward to hearing your perspectives and your insights. Let’s get started. We’re here to talk about ransomware. From some quick internet research I did, I saw some statistics that were a bit unnerving. In 2015 global ransomware damages were estimated to be $325 million. By 2021 the number was $20 billion, predicted to reach over $42 billion by 2024. These numbers seem to indicate that the number of attacks and the size of ransoms is rising quickly. To level set, can you give us a definition of what ransomware is so we’re all starting from the same page?

Buzz Thomas [00:01:51] Sure. Ransomware is a type of malware. If you want to be technical, it’s actually a virus. But it’s software that’s designed to take away your ability to work and to produce and then to allow the threat actors that gave you the malware to extort you for money. What happens is you get this malware that they send you. Your system either stops working, or you no longer have access to your data, or both. Then they contact you and say, “Hey, if you want to get back into your computer or if you want to get back into your data, you have to pay us.” That’s an extortion crime using ransomware. But there’s also double extortion and triple extortion. Double extortion is once you pay and you get back into your system, where you have access to your data, then they say, “Hey, by the way, we still have your data. If you don’t want us to share it with the entire internet, you have to pay us again,” the second trick. Then if your data has references to other customers, partners, friends, family, these threat actors will then contact those people and say, “I’ve got your information. If you don’t pay me, I’m going to spread that.” That’s the third party or triple extortion. The last thing I’ll say is … Gregg, there’s something we call the frequent flyer club. Once you pay ransomware, then you’re in this club. The ransomware gangs are very organized, and you get special status going forward. They know this is a payer, so you’re going to get more ransomware attacks.

Gregg Profozich [00:03:50] Oh, wow. That’s not a list anybody wants to be on, right?

Buzz Thomas [00:03:53] Correct. You don’t want to be on that list.

Gregg Profozich [00:03:55] Wow. We talked a little bit about it, but where exactly does ransomware come from? Is it one group of bad actors somewhere in the world? Is it nation-states? What are we talking about?

Buzz Thomas [00:04:08] It used to be individuals that were just trying to get money. It started in Vegas. Casinos were getting shut down. Their websites for online gambling would get shut down. At that time, the threat actors would ask for $20,000. I remember when it got to $40,000 and everyone was freaking out, saying, “Oh, wow, they want so much money, $40,000.” Then they got organized. Ransomware has now become an industry. It’s not individuals and it’s not groups. It’s an industry with different types of organizations that support it. The amount of money that they ask for now is way… Three years ago, it was about $120,000. This year it’s $500,000 just for the fee to get back into your system. That’s an average number.

Gregg Profozich [00:04:58] I could have to pay half a million dollars to get access back to my own data and my own systems?

Buzz Thomas [00:05:05] That is correct.

Gregg Profozich [00:05:09] Well, think about that for just a second or two. That’s an amazing statistic.

Buzz Thomas [00:05:14] Those details are for people and actors that are going after money. But you also have ones that are targeting for other reasons, like they want to damage an organization or a government, or they want information for espionage. The three motives, if you will, for ransomware are money, and damage, and information extraction, or espionage.

Gregg Profozich [00:05:40] Wow. This is a whole range of actors out there who can have different motives and, therefore, have different methods of attack, I’m assuming, in what they’re looking for and what they’re going to do with it.

Buzz Thomas [00:05:51] Yeah. They’re known for different specialties. These are very organized … you could even say companies because they are companies, and they operate like companies.

Gregg Profozich [00:06:01] Wow. We’ve talked a little bit about these kind of payments, half a million dollars, etc. Sounds like a big company thing. One of the questions I wanted to ask you was … Big companies are big. They have a lot of assets, big payrolls. Smaller companies, not so much. Do SMMs—small and medium-sized manufacturers—really have to worry about a ransomware attack? Why would they have to worry about it if they do?

Buzz Thomas [00:06:26] I’m going to give you some statistics, but let me start with this. There are 600 million ransomware attacks every year. How many is that per day? That’s actually 1 every 11 seconds. Just by sheer volume, SMMs are going to be caught in that net. Most of the ransomware phishing hooks, the things that are sent out there, are shotgun broadcasts through email. But some are more targeted and sent through USB drives and things like that. We can talk a little more about that. But they have to worry about it because there’s so many. If you look at the statistics on who the most … I was going to say, customers. That’s how the ransomware …

Gregg Profozich [00:07:21] Victims?

Buzz Thomas [00:07:23] The most victims. That is the industrial goods and service sector. In other words, manufacturers. It’s SMMs.

Gregg Profozich [00:07:32] I have a business. I have a growing concern. I have a reason I have to keep it alive. I have to pay this. Private individuals, if you get lucky, it’s somebody who has the wealth to be able to do it, but others not so critical. I buy a new computer and start over. When it's your business system and you can’t manufacture anything for a week, that’s a problem. There’s a different motivation to respond to ransomware, I guess, and they figured that out, sounds like.

Buzz Thomas [00:07:58] Right. You mentioned a week. Actually, the average time is 16 days if they do everything they’re supposed to and they pay. That’s 16 days of not working, not getting revenue, having your reputation hurt.

Gregg Profozich [00:08:12] Wow. If I happen to be a manufacturer and happen to be a victim of a ransomware attack, once I pay, am I guaranteed to get all my data back and access to my system?

Buzz Thomas [00:08:23] That’s a good question. But the numbers say no. Eighty percent of industry in the US is being hit with ransomware attacks right now. The more that happens, the higher the payments are going for this. It’s going to get more and more dangerous for our economy. Of the ones that pay—just about 80% pay—of those, 68% get their business back up and operating. There’s about 30-something percent that pay and get nothing. It’s not cheap. You’re paying a lot. Of those 68% that get their business back operating, a third of those don’t get all their data back, or the data that comes back is corrupted.

Gregg Profozich [00:09:20] Eighty percent pay; 68% of the 80% get their data back, but only 66% of the 68% of the 80% get all their data back uncorrupted?

Buzz Thomas [00:09:34] You got it.

Gregg Profozich [00:09:35] Sixty-eight percent of 80. Wow. That’s a pretty small number pretty quickly there, huh?

Buzz Thomas [00:09:41] Yeah. You’re in that 50% range of people that pay and get their stuff back like it was.

Gregg Profozich [00:09:48] That’s an unnerving statistic. This is the danger. This is what can happen to me if my manufacturing firm happens to be one of the ones that’s shotgunned. How does ransomware get into my system in the first place? What are the risks? How does it typically happen?

Buzz Thomas [00:10:04] The majority come in through phishing, smishing. In other words, crafty emails and text messages that only take a single click to get your systems infected or have you redirected to a social engineering scheme.

Gregg Profozich [00:10:22] The emails I get when I mouse over the from address and it’s something different than the name there, and there’s something to click on there, that’s the way it could happen?

Buzz Thomas [00:10:32] That’s one of the things you could see. There are a lot of ways to spot phishing, and there’s a lot of ways for them to trick you into going ahead and trusting them. The top two are phishing and smishing, but there’s also the social engineering phone calls, like the car warranty phone calls, but for malicious reasons, not just getting you to pay. Getting access to your accounts and things like that. But there’s a new one, and you may have heard about this. Your charging stations in airports are reflected in this. So charging stations have been compromised. Actually, China has been putting out charging cables themselves. Nothing else around they can compromise you because when you plug them in, they get powered, and they have code embedded in the cable. Then it can beacon out and compromise your system. Now hardware and software are threats.

Gregg Profozich [00:11:41] I hadn’t heard about the cables one. I came across from our cybersecurity practice some information, like never use the free Wi-Fi at the hotel. There was the story of the convention was going to be at the ABC hotel. I won’t mention the name. It was a bunch of financial executives. Six months before, they hacked it and put a Trojan in. Then everybody, when they put in their last name and their room number and got access, it downloaded the Trojan. Then a few months later, it copied your hard drive and sent it all. A bunch of CFOs and folks like that had been there at the financial conference. Of course, all the M&A activity, everything is now open for sale. Fantastic moneymaking opportunities. I don’t have to hack you. I just know you’re about to buy something, so I buy stock in the company you’re going to buy. I can long or short things like that. I knew about that kind of thing. Charging stations I’d heard a little bit about, but even the cables now?

Buzz Thomas [00:12:39] Even the cables. I kept it to show people how it works. I got it at an airport in New Jersey. These things are everywhere.

Gregg Profozich [00:12:51] Wow. A lot of small businesses may not have the resources to make ransomware and cyber threats a priority. Are there tools that are available to them that can help them increase their level of security? They may not have a dedicated IT department. They don’t have the resources in that way, and they’re doing the best they can. What are some simple, practical things they can do?

Buzz Thomas [00:13:14] Resources are constrained, and tools are a constraint. Let me start with some statistics on the resources question. They don’t have the resources. When there’s ransomware, I told you that you may have to pay up to $500,000 to get yourself unlocked, but the largest part of the cost of ransomware isn’t the fee; it’s lost business, which will be more than … On resources, here’s your opportunity costs. Eighty percent of our businesses are getting hit with these. The majority of these, when they have had forensics done, they found that these are done through organized ransomware gangs. This is organized crime on the internet. It’s very intent, high-skilled mercenaries that are targeting manufacturing. It’s very high cost when you factor in when it’s successful. Seventy-five percent, according to CyberCatch—this is where I got this statistic—says that 75% of all small and medium businesses will be forced to close their doors if they get ransomware. I’m saying this because if you don’t find the resources and you try to operate a business without protecting yourself, this is like going to Vegas and just trying to gamble the money. Eighty percent are getting hit, and 75% of those that are small and medium have to close their doors. If they don’t have the resources, they need to get the resources or scale back what they’re trying to do so that they can protect what they are doing. That’s just the scary part of it. Now, on the tool side—and this is where the good news starts—there’s things like the Center for Internet Security. They have guidelines that are free, that are there to educate you and give you solid things that you can use to secure your business, harden your systems, and things like that. There’s also standards like the NIST 800 D3, 800-171, which is very popular with the SMMs in manufacturing. Then there’s one called the CSET Ransomware Readiness Assessment, the RRA.

Gregg Profozich [00:15:53] There’s a number of tools I can get out there. I would imagine the things from NIST are free and publicly available because they’re government-sponsored. How about the CSET itself?

Buzz Thomas [00:16:03] CSET is also free, also from the government. Gets published to DHS by CISA.

Gregg Profozich [00:16:14] The CSET Ransomware Readiness Assessment. That’s been made available, and it’s free from DHS and CISA. DHS, of course, is Department of Homeland Security. CISA is what, Buzz?

Buzz Thomas [00:16:29] It’s Cybersecurity and Infrastructure Security Agency.

Gregg Profozich [00:16:33] It’s a department within DHS or something like that?

Buzz Thomas [00:16:37] That is correct.

Gregg Profozich [00:16:38] Say, I download the CSET Ransomware Readiness Assessment. What does CSET stand for, by the way?

Buzz Thomas [00:16:47] CSET stands for the Cybersecurity Evaluation Tool.

Gregg Profozich [00:16:52] I download my Cybersecurity Evaluation Tool Ransomware Readiness Assessment. Once I have that, I can start identifying vulnerabilities? How does that work? What are the practical steps that I would be experiencing once I download that or get that information?

Buzz Thomas [00:17:09] This is a good question, and it begs another question: how is it different from the other options? You’ve got the things from CIS and NIST that I mentioned, which are guidelines and standards. But the Ransomware Readiness Assessment tool is actually a tool that guides you through finding out what’s wrong with your security in your environment and then telling you explicitly what you need to do and the order in which you need to do it in order to be secure and ready for ransomware attacks.

Gregg Profozich [00:17:42] It’ll tell me where I’m vulnerable and then tell me the order of tasks I need to do to harden my systems to get to a higher level of security.

Buzz Thomas [00:17:50] That’s right. Another difference about this tool is that it doesn’t do it in the techno security speak that the NIST publications use, or CIS, or any other security organizations. It translates things into plain, common English, and not in a way where you lose meaning. It actually shows you the formal NIST verbiage to say here’s what the control requirement is that you’re trying to meet. Then it breaks that out into a short novel so that you, as a business owner, not a cybersecurity person, understand what’s happening. This Ransomware Readiness Assessment tool puts things into 10 different areas. They call them security practice areas. Then you cut those into three areas of criticality. There’s the basic ones, and then intermediate and advanced. Basic doesn’t mean less important; it actually means more important. For example, basic has how do you do backup and recovery so that if you get ransomware, you’re not dead in the water. That’s the very first of these security practices it asks you to implement. Then it tells you to question the answer what’s wrong with your systems and in the order in which you should implement and correct. Of course, it starts with basic first, and then intermediate and advanced.

Gregg Profozich [00:19:23] I’m hearing you say that if I was to take the CSET RRA, the Ransomware Readiness Assessment, and complete it that I would end up with a list of precautions I should take and in the order that I would take them. Would that get me across those three levels from basic to intermediate to advanced if I did all of them? How does that structure? How does that work?

Buzz Thomas [00:19:47] It asks you 48 questions. As you go through and you get the answer … You’re not going to know if you’re answering honestly. You’re not going to know exactly the answer to these questions because they’re compound complex questions. One just says do you have the ability to back up? You’ll say, “I do have the ability to back up and then restore.” Can you do it within 30 days? Do you have 30 days of rolling data available? Do you have things off-site? Is it encrypted off-site? They’re very heavy statements. When you go, and you find the … You’ll find the answers to these questions. At the end of it you have a very clear picture because the tool’s nice. Some very colorful graphics and clear charts and pictures. You have a really clear picture of what’s wrong. You haven’t fixed anything. At this point, you’ve only done the assessment. But the assessment will then give you reports on what are your next steps. What is your plan going forward? While you may not have enough money or want to spend enough money to bring in an expert to go and look at everything, evaluate it, and come and tell you what’s wrong, if you use this tool, that’s gone. If you need an expert, you just go to that expert with the results of this tool and say, “This is all I need. I know exactly what I need. It’s right here. I’m paying you for consulting, for discovery. I’m not asking you to hang out. Just bill me for whatever. This is what I want.” Then you get quotes based on that. It puts you way further ahead.

Gregg Profozich [00:21:21] Buzz, I hear you saying that the CSET Ransomware Readiness Assessment is a great tool because it’s going to allow me to go through and answer some questions. Not easily answer questions. Obviously, I’m going to have to really do some research. But when I put in accurate answers to those questions, it’s going to give me a plan of attack. It’s going to give me an action plan to move forward. At that point, I don’t need to bring in a consultant to try to survey and assess things. What I can do at that point is then hire somebody with the technical skills necessary to do the particular thing that the RRA, the Ransomware Readiness Assessment, is recommending. Is that what it gets me to?

Buzz Thomas [00:21:57] That is correct. 

Gregg Profozich [00:21:59] Awesome. That’s a preventative thing. I take the initiative. I get out there in front of it. I go through the Ransomware Readiness Assessment and start implementing those things. What happens if I get caught before I’m done or before I get started? Say an SMM is hit with a ransomware attack. What do they do next? Is it best to pay the ransom, get your business back up and running? What do I do once it’s here, once it’s real?

Buzz Thomas [00:22:26] Keeping in mind the statistics we’ve been talking about, if you get hit with ransomware, and you haven’t done this, to be honest, it might be too late. It’s possible that it’s too late. If you don’t have a way to back up and to restore the things that you’ve lost, you don’t have this resiliency built in, and you’re having to pay these huge fees and lose three weeks of revenue-generating time just to try to get through this. Even if you do have the money, we don’t know. I don’t know what to say there. I will say that the government generally says if you have ransomware attacks, don’t pay because it encourages more ransomware. But the government itself pays. So if you have the money and you have to get back to work, you may only have the option to pay. At that point, you’re gambling, hoping for the best. It’s better to use that money in advance. Go through the Ransomware Readiness Assessment. It’s the cheapest, fastest way to get to some resiliency so you can survive because at the end of the day, if you get hit—I shouldn’t say if, because 80%; I should say when you get hit—if you’ve prepared, you’ll make it through. Even if it’s scarred, you’ll make it through.

Gregg Profozich [00:23:49] You could end up with some scars, but you’re going to have a much better chance of coming out the other side without having anything that’s an existential threat to your organization. That’s what I hear you saying. Is ransomware unique to information technology systems, or are there also operations technologies that are vulnerable—IT servers, computers, software, desktop stuff, OT, CNC machines, lathes, automation, those kinds of things?

Buzz Thomas [00:24:19] It is not unique to IT anymore, but it is well-established in IT. In terms of OT, the kinds of things you mentioned add to that critical infrastructure component utilities, SCADA, things like that. Those things are just now coming to the attention of the ransomware gangs. I don’t even like calling them gangs anymore because it’s more like business. We’re starting to see even new products come out, not on the market yet but through investment activities. We see people investing in products designed to protect OT from these kinds of attacks. If we’re talking about water systems, water protection systems, utilities, that’s going to be a huge problem if ransomware gets there. We already see ransomware hitting medical and some critical infrastructure—power grids and things like that.

Gregg Profozich [00:25:20] Okay, so as a small and medium-sized manufacturer, I have to worry about not just my IT systems but my shop floor as well. It’s possible I could walk in one day, and my critical piece of machinery could have the skull and crossbones on the screen.

Buzz Thomas [00:25:33] That is possible. There’s best practice in setting up your network, where you have network spurs that are isolated from others for certain purposes. If you’re following the guidelines for DFARS and CUI, controlling classified information, then you’re going to have to have a network that is segmented and protected at various levels so that that doesn’t happen so easily. But it could happen. Even if you follow all that advice and someone picks up a USB drive in the parking lot and plugs it in in your shop, you may still have this problem.

Gregg Profozich [00:26:07] The USB drive has always been a threat. It plays on our curiosity. If somebody writes “payroll” on the flash drive and drops it in the parking lot, what’s the chance that somebody doesn’t want to know what the CEO makes? They’re going to plug it in and try to find out.

Buzz Thomas [00:26:24] You’re right. Now take the same concept and go, “Oh, I found a charging cable that’s still in the bag, is brand new. I can use that, right?”

Gregg Profozich [00:26:35] Not necessarily. You mentioned DFARS a moment ago. If I remember correctly, it’s Defense Federal Acquisition Regulation Standard.

Buzz Thomas [00:26:45] That’s right. Many of the people that are servicing DOD, they have to comply with the acquisition rules for DOD, DFARS. Specifically, there’s one called the 7012 rule set that requires them to follow the NIST guideline—more numbers—the 800-171 guideline.

Gregg Profozich [00:27:09] Most people within the defense industrial base would have already been exposed to this because it’s been rolled out for a couple years, if I remember correctly. Is that right?

Buzz Thomas [00:27:19] That’s right. Now all DOD contracts are coming out with the language in it specifying that those things have to be met. That wasn’t the case until this year.

Gregg Profozich [00:27:28] When we talked a little bit about … We were talking about operations technologies a moment ago. What are some of the trends you’re seeing in terms of threats on different operational technologies? You mentioned some of the infrastructure stuff, and SCADA, and those kinds of things. Let’s go into a little more detail.

Buzz Thomas [00:27:47] Well, across the board for ransomware, some of the trends are that the ransoms themselves are going up. Now executives are being laid off as a result of ransomware attacks. You’re also having implications … not implications but side effects … from your insurance. When your cyber insurance doesn’t cover ransomware, or maybe even in cases where it does but you didn’t do something that you should have to protect it, insurance getting in the mix of this is on the rise. Ransomware as a general practice is also growing—I would say maturing—as a business process globally as well. That’s another trend. Then operational technologies. The trend there, because it’s so new, is that things are starting to happen in that space. While it started with medical devices … I think the first one was heart monitors that I ever heard about in hospitals. But in OT, I also include industrial IoT, IIoT, as well as OT and stuff like that—heart monitors, medical things. Then we started seeing things in power grids and water treatment facilities. I think that that trend is just going to keep growing. The good news for SMMs, I think, in that space is that their aging shop machines don’t have a huge revenue impact for most of these actors. There’s not going to be a lot of things written to take advantage of those unless they’re processing information that the adversary wants. You can bet that if a nation-state actor is interested in a technology that you’re working on, they will buy all the stuff that you have, and replicate your lab, and try to get the code instructions for your machine shops so that they can replicate what you’re doing. They will be trying to steal things that to you don’t even look like controlled unclassified information. They just look like machine instructions. But to them, they know what they’re looking for. If you happen to be on the end of a targeted attack, OT is going to be your enemy. But for the raw shotgun things that we see, most of them, the globe shop floors are going to be low priority for a while.

Gregg Profozich [00:30:25] If I’m making a consumer product that is not tied in some way to the defense industrial base, lower probability my OT gets attacked is what I hear you’re saying. If I’m making parts for a fighter plane or for a new bomber, higher the likelihood that there’d be something coming targeted to me to try to either get the data from me off of my equipment or my systems or to get a way into the OEM.

Buzz Thomas [00:30:55] That’s right. In fact, if you look at the industries across the board in manufacturing, the different segments, you’ll see on one end of the spectrum the DOD itself has the fewest number of successful ransom attacks of anyone, and then manufacturing has the highest number of successful ransomware attacks of anyone. But the connection is DOD’s supply base is made up 99% by that group, the small and medium manufacturers. That’s the supply base for DOD. DOD looks like they’re not being victimized, because successful ransomware attacks are so minimal, but their suppliers, where all their contracts and their designs and their supplies are, they are leaking like sieves. DOD is hurting from this.

Gregg Profozich [00:31:53] That’s not a very comforting statistic to think about.

Buzz Thomas [00:31:57] I’m with you.

Gregg Profozich [00:31:59] Buzz, you mentioned a few minutes ago that the charger cable even now can be something that has code in it that can make you susceptible to a ransomware attack or a victim of a ransomware attack. How do we know …? If I have to go buy a flash drive to move information between two of my old legacy machines and the controllers on them, or if I have to get a new charging cable or any piece of hardware, potentially anything is now a threat surface or a place an attack could come from. How do I know what’s safe?

Buzz Thomas [00:32:27] Another great question. This one is a little tricky. There are ways to find out. One of the ways is by pairing new with old. What I mean by that is if you have a new cable and it’s compromised, and you don’t know it, and you plug it into something that’s new, it will likely be designed, if it’s malicious, to take advantage of those new things in a way that you won’t notice. But if you have an old iPhone 5, iPhone 7, or something like that, and you plug that malicious one into that old phone, then many times you will see things happening, like screens flashing, or windows opening and closing, and things that you wouldn’t expect. Any weird behavior will give you a clue. But the real way to find this out is called sniffing, tools like Wireshark. You simply put Wireshark on the same network that you’re plugging this USB cord into, and then it shows you all the traffic that’s going back and forth between the devices. Then you can see any of the new or weird traffic that’s coming from your cable.

Gregg Profozich [00:33:50] I have to have an IT tool to monitor the traffic from installed hardware, and then I have to be able to identify and recognize the anomaly, the stuff that’s not part of the normal stream?

Buzz Thomas [00:34:01] That’s right. It’s not for everyone, but if you have some skills, you have a tool like Wireshark, you have a tool like Bro, which will help you understand what you’re seeing on Wireshark, then you can see the traffic and know what’s going on. When I was talking about Wireshark, I also mentioned a tool called Bro, which is a network security monitor. I just wanted to say that it’s been renamed to Zeek, Z-E-E-K.

Gregg Profozich [00:34:33] It sounds like a technical thing. You have to have some technical background. You have to be tech-savvy to be able to do that.

Buzz Thomas [00:34:38] Yeah. But always be on guard for anything that looks weird when you use that cable.

Gregg Profozich [00:34:44] But if it looks weird, isn’t it already too late?

Buzz Thomas [00:34:48] For that device, yeah. If you plugged it into your phone and it’s acting weird, it’s too late, but then you know. Wipe that phone, restore it from your backup or from your cloud backup, whatever you have, and then take that cable and do something with it, like the trash.

Gregg Profozich [00:35:04] A couple more questions that we wanted to get through before we wrap up. Next question here, or second to last: what advice would you give to a small manufacturer who wants to implement better cybersecurity but might feel overwhelmed and not know where to start?

Buzz Thomas [00:35:17] That’s an easy one. You’ve heard me talk about the RRA, and probably with some enthusiasm. I really think that is the best first move that any small business can do, medium. In fact, even a business that is well-established in their security practices, if they want to take a snapshot and see where do you really stand vs. where you think you stand, use this tool, the Ransomware Readiness Assessment, because you will know very quickly if you have enough security capabilities to survive a ransomware event. If you can survive ransomware, there’s very little on the cybersecurity space you have to worry about. There are some things but very little. That’s what I would say. First step, RRA.

Gregg Profozich [00:36:05] Ransomware is the number one way that companies get hacked. Is that what I hear you saying?

Buzz Thomas [00:36:12] Yeah, it’s the largest share. It’s the number one way companies get damaged, and it’s also still the fastest growing.

Gregg Profozich [00:36:20] Well, Buzz, thank you for joining me today and for sharing your perspectives, insights, and expertise with me and with our listeners.

Buzz Thomas [00:36:27] Well, it was a lot of fun. Thank you for having me here. 

Gregg Profozich [00:36:30] To our listeners, thank you for joining me for this conversation with Buzz Thomas on ransomware and the ransomware readiness tool. Thank you so much. Have a great day. Stay safe and healthy. Thank you for listening to Shifting Gears, a podcast from CMTC. If you enjoyed this episode, please share it with others and post it on your social media platforms. You can subscribe to our podcasts on Apple Podcasts, Spotify, or your preferred podcast directory. For more information on our topic, please visit CMTC is a private nonprofit organization that provides technical assistance, workforce development, and consulting services to small and medium-sized manufacturers throughout the state of California. CMTC’s mission is to serve as a trusted adviser providing solutions that increase the productivity and competitiveness of California’s manufacturers. CMTC operates under a cooperative agreement for the state of California with the Hollings Manufacturing Extension Partnership Program, MEP, at the National Institute of Standards and Technology within the Department of Commerce. For more information about CMTC, please visit For more information about the MEP National Network or to find your local MEP center, visit

Topics: Cybersecurity