Join us for the first episode in the brand new Series 3 of our Naked Security Podcast.
This week we wonder whether Cybersecurity Awareness Month is a waste of time, explain the concept of “linkless phishing“, ask if it’s ever OK to pay a ransomware demand, and advise what to do when the CEO won’t stop looking at naughty sites.
With Paul Ducklin, Kimberly Truong and Doug Aamoth.
(And thanks to Edith Mudge for our cool new intro and outro music!)
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
WHERE TO FIND THE PODCAST ONLINE
You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.
Or just drop the URL of our RSS feed into your favourite podcatcher software.
If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.
Anonymous
Where’s the old podcast crew? Ana, ally, Mark, Peter
Naked Security
Anna, Mark and Alice no longer work for Sophos. Peter is a senior threat hunter in our Managed Threat Response team and has only ever made guest appearances, which we hope will continue when possible, because his availability for the podcast has to fit around the exigencies of his job. As you can imagine, this often involves complex engagements at very short notice.
HtH.
Adrian
What a pity I really liked the old crew – no offense to the new one ;-)
Paul Ducklin
As a member of both the old crew and the new one…
…I am not quite sure how to take that :-)
Joe U.
The mayor of New Bedford, Massachusetts, paid a ransom in Summer 2019. The fact that his IT department could not roll data back to bare metal forced his hand since government services were down for 2 weeks. Apparently the City’s insurance policy paid the ransom. Mayor Jon Mitchell has remained tight-lipped about the details to this day. I can’t say 100% what I would have done in his situation since I don’t have all the details, but in theory his IT people should have been able to perform complete restores without caving in to ransom demands.
Paul Ducklin
Part of the issue seems to be that if you have cyberinsurance, the job of the insurer is to get you back on your feet again, in a way that the insurer’s experts conclude is the most effective. (In automotive claims, for eample, it’s usually the insurer that decides whether to repair or replace a damaged vehicle.)
Typically that seems to involve the insurer parachuting in a recovery team and figuring out what will give the fastest and most effective remedy that can be funded by the policy you have bought. My understanding is that insurers don’t like paying the crooks any more than you or I would, but often they do if they think the results will be faster and more complete. (I assume that if they pay and the crooks let them down then they have to go for the next-best option anyway.)
In the case you mention, you say that the IT department “could not roll data back”, so perhaps that was the unhappy situation that required paying up, rather than simply a sense that it would be “easier”?
S. Bowie
Re S3 Ep1: Ransomware – is it really OK to pay? – Naked Security Podcast
I would like the text version please. Podcasts are inconvenient in my office.
Paul Ducklin
We don’t do transcripts, for a number of reasons. Firstly, the job to do them falls to me and as I am not a stenographer it takes AGES :-) Secondly, when did an experiment a while back and published them every week for a while, the average number of views per transcript was somehere between 10 and 20, which made it clear that the enormous effort was not worthwhile. Thirdly, written and spoken English are essentially different languages, so a transcribed podcast does not generally make a readable article, and it’s not supposed to.
Simply, we don’t make our podcasts to be read – we make them for what is a significant proportion of our audience that likes to consume content in different ways. (This is why we do a weekly Naked Security Live video, too. Not to replace our articles but to go alongside them.)
So, if reading is your thing then the majority of Naked Security’s content is already in written form, and we give you links in the shownotes so you can access them that way instead of listening.
In short: the podcasts are meant to be listened to, in the same way that our articles are meant to be read.
HtH.
Cassandra
Re suggestion that you annually just check that you can restore your backup: A Cautionary Tale
If you only do this annually, you do not have a routine and you have to be very careful what you do.
A place where I worked in the 1980s had an IBM AT on which marketing kept their database. IT did not like this because they did not control it – putting forward all sorts of arguments which included “if we handle the database we back it up so you cannot lose your data if there is a hard disk crash”.
So to try to silence their criticisms, Marketing bought a tape drive, and “backed up” the hard disk to the tape drive, I think, once per week. IT were still not happy spreading a whole lot of FUD (fear uncertainty and doubt).
So to prove it worked, Marketing decided to test their back up (as recommended by Duck). But the way they did it was not described (as not described by DUCK). So:
Format c:\*.* blah blah
Boot from the PC-DOS floppy
Restore d: c: (or something like that)
It was at this stage that they realised that their backup process had not worked.
If you are going to do backups (good), you need to have a defined data-safe way to check the back-ups and you need to follow it. It should not involve over-writing your live production data!
Paul Ducklin
If your master copy has been destroyed, then your backup copy is your new master until you have a backup of your backup :-)