How are you doing? Fantastic. Well, thanks for staying with us, guys. Hopefully you enjoyed the ethics course. We're excited to do just a brief ethical debate, just to kind of reinforce some of the concepts that we saw in the course, and we decided to have you here today.
You want to just kind of introduce yourself to the folks so they know who you are and
what you're about and all that stuff? Sure. Absolutely. My name is Terrorist Jackson, and I'm the chief information security officer for psychotic software, a cybersecurity company based in Washington, D.C. Um, looking forward to, you know, engaging you today in some ethical deliberation.
I'm also a career mentor on the Cybrary platform, so I'm pretty excited about that.
So thank you. Well, thank you for your contribution to our community. It's been fantastic having you, and I'm very excited today. So I think one of the things that, you know, you and I have been talking a lot about is ransomware right now. And you've got a ton of experience with this. So maybe just talk to us about how you
kind of evaluate decisions around ransomware, like whether or not to pay it. What considerations
do you have in place? Absolutely. Well, fortunately, we haven't been put in that particular situation as of yet, but as you mentioned, there's no shortage of,
you know, news media around municipalities, medical facilities that have been hit with ransomware attacks recently.
Um, specifically the ones around municipalities. Some of the considerations that should go into evaluating whether or not to pay would be: do you have proper backups, right? That's one big thing. If you have good backups and you've tested your backups and you trust them,
you probably shouldn't have a need to pay to recover your data.
But as we've seen in a lot of these instances, companies have not had properly maintained backups. Some thought they did, and when they went to do restores, they didn't; some just completely didn't have proper backups at all. And, you know, if we look at, you know, Baltimore, which is pretty close to where we are right now. Yeah,
they were hit with a pretty substantial attack. A lot of city services were offline,
but they didn't have a cyber insurance policy. Um, and they still made the decision not to pay, which on the surface seemed like the right decision to make.
But was it the correct business decision that they made, given that they're over $18 million in remediation costs right now?
Sure. Residents couldn't sell their homes. They couldn't pay their water bills. So what was the return on investment for them not making a $175,000 attempt to recover their data? And it has been millions.
There was no guarantee, given that, you know, they would have been able to recover the data, but they didn't even try.
And you look at the two situations that were similar down in Florida.
The cyber insurers of these municipalities, specifically in Lakewood, Florida, I believe it was, advised them to go ahead and pay the ransom to see if the keys would actually recover the data. Interesting. And it did. But this cyber insurer actually made a risk-based decision
based off of: we know what happens if they can't recover the data, it's gonna be millions. But the lesser of the two evils for the insurance company was to pay the ransom.
Yeah, and when you say the lesser of two evils, you're really talking dollars and cents, right? Dollars and cents. But I also find it interesting that the FBI has been a staunch, you know, opponent of paying ransom, like, never pay the ransom. Contact the FBI if you've been compromised
with a ransomware attack.
And even, you know, in the last couple of months, they've changed that tone. Yeah, I was gonna say, on paper. They've seen what's been happening to these businesses and how it's been putting them out of business, decimating, you know, their finances. And they basically said, make the best business decision
for your organization and the data
that's been, you know, locked up.
So I find that interesting. Yeah.
Um, how does ransomware actually come in? Like, how does that actually happen?
Typically through a spear phishing attack. Email is the hackers' preferred delivery mechanism. Why try to break through firewalls and other security protocols when they could just send an email in? And most people are fairly curious and click-happy, and phishing
emails have gotten very crafty over the years. Especially as we near the holidays. At this point, who doesn't want that $100 Amazon gift card that they think their boss sent them? You click and, you know, sometimes nothing happens on the surface, but in the background malware has been downloaded
and command and control processes have taken over, and they're looking
for what files they can encrypt. And it's not always immediate. A lot of these software applications will sit dormant
and traverse the network laterally until they find something that's worth encrypting. And then that's when it really starts, and the ransom demands begin. Gotcha. Um, do they actually know who they're attacking when, uh, when they do the ransom? I think it's a combination of, ah,
a little bit of both. Some of it is, you know,
spray and pray, I call it, you know. But I think as municipalities this year began to set a standard of paying out, they kind of adapted their model and started targeting specifically smaller ones that
weren't the most likely to have strong cyber defenses or backups. And that's been pretty lucrative for them so far this year. So, essentially, when you pay that ransom as a small municipality,
you're actually causing risk for all the municipalities out there. Absolutely.
And so that actually causes, that has a follow-on effect that
maybe you don't calculate when the decision is just for you. Absolutely. And that was one of the
things behind the FBI's original standpoint of not paying, because once you set that tone and the precedent, right, that says you're paying,
the attacks become more prevalent, and that's what we've seen. They have become more prevalent.
But the insurers actually suggesting
that the ransom be paid was something I don't think any of us actually expected. Usually, insurance companies err on the side of caution. They look for,
contractually, ways not to pay, right. But they're even, you know, at this point just saying this is the lesser of two evils.