Event Recording

Bad things that Can Happen


Disclaimer: The speaker at this session has not been involved either directly or indirectly in the work in the aftermath of any of the Ransomware attacks described in this session. All of the information from the cases is based solely on data that is in public domain.

Bjarke Alling, Chair, National Danish Cybersecurity Council

So we're gonna talk a little bit about plumbing today, because I think that sometimes can go deadly wrong. So yes, very briefly. Let's see here, that should be this one. Ah, there we are. So yeah, let me just say a few words on who I am and who is standing here in front of you, and all of you that are probably watching from outside, also streaming. And yeah, you see this very young man here, and it has actually a history when you look at the small blue cube that is on top of the pillow. I don't know if there is anyone here in the room that actually knows that one, but it goes back to '99. And I think the story here goes also on that: that was the first introduction of an internet device that we were selling.
I was working with in Denmark, back in the days. That was an appliance. That was the first thing that people got for getting their email. They got their web server, they got their DNS. And I think that was kind of, you know, hey, fantastic, we now have email. And fast forward to today, I think, you know, the landscape is quite different. So yeah, I chair the private part of the National Danish Cybersecurity Council. I will have another presentation tomorrow explaining exactly how we actually work in the private and the public part. So, and then besides that, I also chair the IT security committee of the Danish ICT business association. And that's an association that combines more than 800 IT companies in Denmark, going from Microsoft to Oracle, that kind of global companies, and all the way to very small companies. So it's an interesting kind of kettle, a boiling area, where a lot of discussions and policies are taking place. And finally, I also work, kind of in the day-to-day work, in the cybersecurity software company Liga.
So just very briefly, a small disclaimer here for this presentation, because I'm touching on stuff where you could maybe believe: did he have an insight on that, was he aware of something? But just to let you know that I have not, absolutely not. The information that I'm gonna talk about is just based on public records, and the opinions that I bring here to you and my viewpoints are not representing the Danish government or any of the organizations in which I also work, but I speak in this case on behalf of myself, just to make that clear.
Good. So the session, that's the thing you saw in the program already. It's about ransomware, it's about identity management, and it's also about the global dominance of Microsoft Active Directory. And this is not because I have any specific opinion about Active Directory. This is an opinion about having put more or less every single egg in just one big basket, and that has caused some unforeseen incidents throughout the last many years. So I will try to add just a few afterthoughts on what could have been done differently. I will try to say: what can we learn? What could have been done differently, but also where will this bring us in the fight against future attacks? Because I think this is one of the very, very big threats that we are facing. I think we've seen that already yesterday, mentioned a few times, that we need to establish the trust.
We need to make sure that all these bad guys that suddenly have come out of that very big rabbit hole go back to the rabbit hole, and by that we also can get all the nice, great benefits of having an internet. Because I think we all, you know, back to my very early picture, we were also thrilled about that: we suddenly could send an email to our friends somewhere around the globe. And now I'm in a situation where more or less, you know, is this sending email, is someone trying to defraud me? You know, what happens if I click the email? And at the end of the day, it turns out to be kind of more of a society, or a cyber infinity, where you simply are afraid of using digital. And if you're looking around Europe, you will see in various countries that actually someone in the political game is also picking up on this kind of against the internet, against digitalization. But just before I go into the more details here, I'd just like to know, of course all of you out there watching online, you can raise your own hand, but just here: how many of you have made a company risk assessment on a ransomware attack?
That's great. That's great. And all of you other ones, just go home and please do it, because I think it's something that's gonna strike us all in whatever kind. We cannot say, you know, I'm immune to that. We might be immune to COVID, but we would not be immune to these cyber attacks. So the structure that I put in this presentation is based on identity management, in which I also have a very, very long background. I think I started in this technology back in the 2004, 2005 timeframe. So I've been involved in a number of large scale projects in Denmark, but I put in here the Active Directory as one block, but also the external browser and API access. Now I think we had all the talks on APIs, and I think there will also be some of you saying, okay, APIs are great, but did we think this through, and how secure should a secure API actually be?
And finally the user management. It sounds maybe to some of you, of course, like this has been talked and talked and talked on, on and on, now again, but maybe, hopefully, I can bring you a few extra arguments that you can bring home with you, because I expect more or less that you all are aware of how this works. So just a few things, just a very, very simple thing on passwords, just to emphasize why the password is so bad. I think I just pull out this old 2017 report from Verizon and just highlight that 81% of the breaches that they discovered four years ago trace back to passwords. So why are we here now, four years later, still talking about the password being the issue, because we have been knowing that now for at least four years and probably many years before.
The second thing is just looking at the methods. I came across this small graph, and I think it was actually quite simple, and sometimes simplicity is a good way of explaining things. We have the password; we all know that that is convenient. We also have that two-factor thing: username, password and OTP, number generator, phone, tap, swipe, fingerprint, Face ID, whatever we have there. Does that work five times a day? Does that work in an emergency clinic in a hospital? Would that work in a citizen service where someone is going back and forth between accounts and serving citizens coming in? You know: okay, sorry, you have to wait because I just have to do some things on my phone, and ah, damn, my phone, the app is updating, ah, sorry, you have to wait in the line.
Okay, the line, no, bloody no. We need to work in a way that we can get passwordless authentication, and also nameless. That's what I want to talk about in this area here. So stepping a little bit into the anatomy of a ransomware attack, because this is where this presentation also comes from. I've been borrowing the very great investigation report made by the Danish Centre for Cyber Security. You can Google the title; you will find that these 35 pages very extensively go through all these steps. And I think some of you, at least some of you that did not make the risk assessment, could potentially grab out some interesting stuff there. So just highlighting these two points. Initial access: phishing, drive-by compromise, supply chain compromise, external remote services, removable media, vulnerabilities. Some of those relate to the password, Active Directory user base; some of those are simply application errors. The lateral movement is even getting worse. Lateral movement, it's a strange version where people are moving around. This is valid accounts, steal credentials, insecure passwords, move laterally with RDP. RDP, how many of you, how can we even point at ourselves in our own company? How many of you have an internal RDP service? Probably all have, because we are using Windows, we are accessing that. We might have a think about that.
Step two, how does this evolve then? Yet again, access, steal credentials, crack passwords. You see, this is just going and going and going in that storyline on the anatomy. So let's jump into the first case. I think some of you, I actually heard the name mentioned yesterday: Norsk Hydro, which is the aluminum manufacturer in Norway; William Demant, a hearing aid company; and ISS, the very big cleaning company. They were all suffering from one single thing. They had a large international, global Active Directory. They were hit by ransomware. Someone was able to, you know, slowly evaluate into getting an administrative account. From when they had the account, they could de-install, change the group policy, in some cases even de-install the antivirus software. I think none of us, winding back to my blue cube and all the
fun we had at that time saying, okay, we got internet, had imagined that that would be a case 20 years later. But so what are my thoughts on this mitigation? What can you actually do? Network segregation, zero trust, directory segregation. It might be radical, but think about it. Instead of having one big pot, start slicing things a little bit apart, put things where they are individual, make it more robust. Think about, like on a big vessel, you know, you have watertight doors, you can seal off areas, that kind of thinking. Use of a meta directory principle, that goes also into the segregation. Use of multiple operating system platforms. Who has set it as a mandatory rule that everything should run on, run all your critical infrastructure on, just one operating system? I think that's really worth consideration; put in the risk there. So, okay, if we are hit by ransomware on one platform, it might not hit the other one. So still make that for robustness and that resilience. Of course, protect your admin account. Use your SIEM system.
I know all of you will have a SIEM system. All of you will have the best logging system in the world. I speak to a Danish municipality, 5,000 people working, critical kids, 24 by seven. Those people say, okay, what about your logging system? Yeah, well, we log into that server to check if something goes wrong. So you don't have a centralized system? No, no. And we tried something at one point, but we couldn't figure out how to make it work. I just say, okay, please just add in maybe just the open source version, the syslog service, at least have a logging system that is not on the same machine that can be compromised. Because I think the Centre for Cyber Security then might just put out another note on that, saying, if you don't have any logging, then you can't even prove that you were hacked, because no one knows actually you were there. And then offsite hot disaster recovery.
It's actually a technology that you can have your Active Directory and your databases run in an environment separate from where you are, in a hot environment where you can make a switchover if something happens, also technical errors, obviously. Continuous malware scanning of historic backups: things are out there, you can do that. Everyone knows that malware now infects your backup, and then when you restore your backup, everything just explodes up into your open face. So those are things we need to take into account. The simple thing, antivirus. Sometimes in some tenders we see that they buy the cheap version because the expensive version was the one that had the encryption tools built in. So we don't need that; I think Defender can fix that. And then finally that goes into the ransomware risk assessment exercise. It's just not something you do in your department or among your colleagues.
You have to do that on a corporate scale. You have to train: what do we do the day that our systems are just burned down? Keep in mind, ransomware is a digital burn. It's like, you know, a physical fire that just consumes everything. You have to train those scenarios. You have to build your communication channel, et cetera. So jumping onto the next one, external browser and API access. Justdial was an Indian company; they lost a hundred million records in that area. Hafnium, you might have heard about that. That's pretty weird: Exchange services running on the open internet that have, maybe surprisingly enough, some weaknesses down in the code going back. ASA was hit, a lot of other companies were hit. Kaseya had, you know, a supply chain attack that hit the Swedish supermarket chain. They had to shut down 800 stores. They ended up handing out the food for free
to the people, because the food they could not sell. Imagine being someone having all your vegetables, all the meat, all the milk, you just have to give it away, because otherwise you had to throw it out as waste. And then I think the last one, all this Cosmos DB, I think it also explains a little bit about the vulnerability in cloud. We have all the misconfiguration, and I think that there are so many stories on that. So mitigations. Hafnium: put in a proxy service that is as simple as it can be. Just check not just for the IDs and IPs, but also validate the communication. There are tools out in the market that do that, API gateways. You cannot do a secure API yourself. You need to have a robust system in front, safeguarding your APIs and monitoring the traffic and monitoring the payload,
et cetera, et cetera. Mandatory trust. We've already seen that now in the zero trust discussion. I think establishing trust between everyone communicating, risk-based authentication, something as simple as evaluating from where does that communication come. Yesterday we heard this story on remote access, and in the same sense also talking about zero trust. I think zero trust and remote access: if we have zero trust, then we don't have remote access, because everything is remote access. So there's kind of a little bit back and forth on that. So rethink the concept of accounts. Accounting, a user database, yes, that's users, but that's also, as we see now, IoT, it's applications, office people and everything else in that space. So there's a lot that can be done there. Also the last one, the user account management. As simple as it sounds, please close down the accounts that are not being used.
Just make sure that when someone leaves, when someone is on maternity leave, when someone is on whatever they are, if they're not working for you, if they're not having an account with you, please make sure you just click that small check mark: disable. I think Colonial Pipeline is one of the companies that would have, you know, been very, very happy if they had done that, because, I think apparently according to media, there was a VPN account for a consultant that caused all that problem. Suddenly half the US east coast could not get gasoline. And we all know how dependent Americans are on their cars.
So yeah, there were a few others. I had a case actually, I was expert witness on a case where a small company was breached on a remote access. They filed a lawsuit against the insurance company because the insurance company refused to pay the cost on this cybersecurity insurance, because they said that the access to the system was not secure. And I was asked, you know, was it secure or was it not secure? Unfortunately for the company, I could say, okay, putting out an open RDP on the open internet, that's not seen as secure, and that was why you were hacked and the ransomware took place. Also the other ones, JBS, you can see there more or less going in the same direction. Sometimes it's a vulnerability in the application, sometimes in the RDP.
Sometimes it's not quite clear, but they all point in the same way. So thoughts on mitigations: ID validation of any account, passwordless login everywhere, including the VPN and the remote desktop. We can get back to the details on the differences in passwordless, but there are some very, very strong arguments for why passwordless suddenly does something differently than the symmetric way. Principle of least privilege. Real-time monitoring of login activities; that's also a very typical thing. People apparently are not monitoring that someone is trying to log into an account at three o'clock in the morning from Brazil, while the person is just working here in Munich and normally logs in there. So why don't they do that? Real-time user account integration to the payroll system. That's a simple thing; it's been out there. Just get it done. And finally automated deprovisioning. I think that's exactly the point back from Colonial Pipeline. So there are these tools in the toolbox.
Actually, I think all of those things mentioned here on the slide, zero trust, ISO 27001, GDPR, PSD2, ISAE 3402, NIS, upcoming NIS 2, they are all the logical consequence of 10, 20 years of learning. And what do governments do when they see a need for regulation? They do regulation. So that's kind of the way: start somewhere, develop, and we get rules and regulation. Zero trust is a framework, yes, but it has actually also gone into various regulations. eIDAS is inheriting quite a lot from the principles of zero trust. That's exactly what I wanna emphasize also with you: use these regulations. They are fantastic tools for enhancing and securing and making your company and your networks resilient and secure. And just one big plea for you. Because I think I would not have been able to make this presentation if I had not been able to go to online media and search for these incidents, but I cannot learn if people are not talking about what happened to them. It is not embarrassing to be hit by a ransomware attack or other cybersecurity incidents.
You don't have to disclose all your bad things, but at least tell: okay, this is what happened, we were able to address it, we'll learn from that. Because then I can learn from you and you can learn from me, and by that we have a positive spiral. So only knowledge with sharing. Please make sure that we get that done and exchanged. And we are working with that in the Danish government area to set up a more formal approach. Because I think if I probably just ask you, you know, what is your definition of security by design? We're in a program right now, a developing program, where we are kind of asking our developers, okay, how do you see security by design? Yeah, that's something by, you know, blah, blah, blah. Okay, it's not even structured. It's a nice principle; it's article 25 in the GDPR, privacy by design, security by design, but we are right
not quite sure, actually, what is it? And how do you implement that, and how do we work by that? So those are processes, and they can only come to life if we are able to get that to work in a way where incidents are shared, they are worked on, and then they come back and become something in the learning process. So with all of that, I'd just like to say thank you. I just wanna say you can find me there; probably the presentation will come online, my number, my LinkedIn profile. And yeah, that's it. Great.
Thank you very much. B.
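The talk's mitigation list ends with real-time monitoring of login activity (the three-o'clock-in-the-morning login from Brazil by a user who normally works in Munich), integration of user accounts with the payroll system, and automated deprovisioning. The script below is an added example and not code from the talk, the speaker or KuppingerCole. It shows the shape of such a check: each login event is compared against a per-account baseline (usual source country and working hours) and against an HR roster of employment end dates, so that a login from an unusual country, outside working hours, or by an account whose owner has already left is reported. The accounts, baselines, roster and events are constructed sample data; the account names, country codes and working-hour windows are assumptions for illustration.

```python
"""Added example: flag anomalous logins and stale accounts from a login feed.

The baselines, HR roster and login events below are constructed sample data,
not real users, systems or source addresses.
"""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime   # local time at the system that handled the login
    country: str     # geolocated source country (ISO 3166 two-letter code)
    success: bool


# Per-account baseline: usual source country and working-hour window
# (start hour inclusive, end hour exclusive). Constructed sample data.
BASELINES = {
    "m.andersen": ("DE", (7, 19)),
    "j.nielsen": ("DK", (8, 18)),
    "consultant-vpn": ("DK", (8, 18)),
}

# HR roster: employment end date, or None while still employed. Constructed.
ROSTER = {
    "m.andersen": None,
    "j.nielsen": None,
    "consultant-vpn": date(2021, 3, 31),
}

# Constructed login events, roughly what a VPN or RDP gateway log would yield.
EVENTS = [
    LoginEvent("m.andersen", datetime(2021, 6, 14, 9, 12), "DE", True),
    LoginEvent("m.andersen", datetime(2021, 6, 15, 3, 2), "BR", True),
    LoginEvent("j.nielsen", datetime(2021, 6, 15, 22, 45), "DK", True),
    LoginEvent("consultant-vpn", datetime(2021, 6, 16, 10, 0), "DK", True),
    LoginEvent("unknown.user", datetime(2021, 6, 16, 11, 0), "DK", False),
]


def evaluate(event, baselines=BASELINES, roster=ROSTER):
    """Return the reasons (possibly none) why this login deserves attention."""
    reasons = []
    if event.user not in baselines:
        reasons.append("no baseline for account")
    else:
        usual_country, (start, end) = baselines[event.user]
        if event.country != usual_country:
            reasons.append(f"unusual country {event.country} (usual {usual_country})")
        if not start <= event.when.hour < end:
            reasons.append(f"outside working hours ({event.when:%H:%M})")
    if event.user not in roster:
        reasons.append("account not in HR roster")
    elif roster[event.user] is not None and event.when.date() > roster[event.user]:
        # The HR/payroll feed says this person left, yet the account still logs in.
        reasons.append(f"employment ended {roster[event.user]:%Y-%m-%d}, account still enabled")
    return reasons


def find_alerts(events=EVENTS):
    """Return (user, timestamp, reasons) for every event that raised at least one reason."""
    alerts = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            alerts.append((event.user, event.when.isoformat(timespec="minutes"), reasons))
    return alerts


def stale_accounts(as_of, roster=ROSTER):
    """Accounts whose employment ended on or before as_of: candidates for deprovisioning."""
    return sorted(user for user, ended in roster.items() if ended is not None and ended <= as_of)


if __name__ == "__main__":
    for user, when, reasons in find_alerts():
        print(f"{when} {user}: {'; '.join(reasons)}")
    print("to deprovision:", stale_accounts(date(2021, 6, 16)))
```

In a real deployment the baselines would be learned from the SIEM's login history rather than hard-coded, the roster would come from the HR or payroll system the talk mentions, and `stale_accounts` would feed the automated deprovisioning step instead of just printing; the point of the example is that both checks are straightforward once the login feed and the HR feed are available in one place.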
