Ransomware and zero trust

BIG NEWS - a ransomware attack that not only extorted $4.4 million - a ridiculous amount of money - but also resulted in a shutdown of a 5,500-mile pipeline system transporting more than 100 million gallons of gasoline, diesel, jet fuel and heating oil per day.

That's roughly 45% of the fuel consumed on the Eastern Seaboard between the Gulf Coast and the New York metro area - this got a lot of attention, for a lot of reasons.

The Colonial Pipeline is a Georgia-based company. A known hacker group targeted this company, hitting it with a ransomware attack. Basically, the hackers lock up the company's computer systems by encrypting the data. Then they demand a large sum of money, after which they "promise" to send the code to unencrypt the data (which may or may not work, if you receive it). Ransomware attacks reportedly increased 300% in 2020 alone, in just the United States - it's BIG money.

This known hacker group is a professional criminal group that has cost Western nations tens of billions of dollars in losses in the past three years, per a CBS News report. They claim to be a Robin Hood-type group. They seem to think their policy to not hack hospitals, nursing homes, educational or government targets somehow makes them altruistic - what? News alert: cutting off fuel between Texas and the Northeast impacts every one of these industries.

In the future we'll probably get more details about how they were hacked. For now, news sources are saying this was related to a lack of security updates; we'll see. On May 8, the Colonial Pipeline announced they had been hit with ransomware. The attack was focused on the operations part of the business, not the fuel delivery systems, but the company shut it all down, just in case.

What else could they do? They had to err on the side of caution.

This kind of attack usually requires someone to have been sloppy - clicked a link that they shouldn't have; downloaded something from a website; poorly maintained equipment; weak passwords. So now there's a new concept - the idea of Zero Trust, which has been out there for a little while.

Zero Trust starts with the idea of "never trust," always assume a breach. If you come from a position of Zero Trust, you verify every device, application, every identity, in all cases. This is in line with the Multi-Factor Authentication (MFA) push by many businesses as they try to stay ahead of hackers and the social engineering efforts to trick people into giving up personal data or 'opening the door' in an environment. In both Zero Trust and MFA, the idea is that you have to have a second step to prove you are who you say you are.

So, what about your business? Could you be down for five days? You wouldn't know who owes you money or how much; no access to what you owe or to whom; no ability to cut checks or enter cash receipts; can't run a payroll; no access to Word docs, Excel, PDFs, drawings, pictures - all of it held for ransom.

How about a $200,000 ransom payment? Not to mention all the IT costs to recover everything, the lost work time, and, if you get the data back, you have to enter five days' worth of data. Then, when all of this is done, you still need to make those security changes.

We have a better idea - take action now. Educate your staff on social engineering tricks, continuously; replace end-of-life equipment; replace out-of-date software; update patches and firmware on your devices; setup MFA on critical systems; be sure you have off-site backups and test that you can recover the data; get some decent passwords in place and enforce them.

• Catherine Wendt is president of Syscon.