How Cyber Extortion will affect GDPR

GDPR has been on everyone’s mind for the last 2 years, especially for organizations that do business in Europe. GDPR is all about accountability – organizations must comply with the new regulations, and they must demonstrate their compliance with detailed documentation. This documentation must show that a process is in place which ensures that personal and sensitive data are protected and/or can be deleted at the request of the user or organization.

Credit: shutterstock.com

This post is not meant to give a complete understanding of the full extent of GDPR, but to point out a trend in cyber extortion, otherwise known as hacker blackmail or ransomware. This can be defined as online extortion by holding data hostage. It sounds scary, and under GDPR any ransomware attack must be notified within 72 hours of discovery. This could without a doubt hurt the organization publicly and have financial consequences, but it is a requirement that information about organizations that have not complied with GDPR is made public.

The picture above shows the WannaCry ransom note. During the WannaCry outbreak, bitcoin was used to pay the $300 demanded to unlock the data. Since bitcoin uses blockchain technology, a Twitter account called @Actual_Ransom has been following the three blockchains. WannaCry gained around 60 bitcoins, and that figure is still rising today. At today’s bitcoin price of 16,834 USD per BTC, the total for 60 BTC comes to a staggering 1,010,070.40 USD. It is crazy (and scary) to think that the rise in popularity of bitcoin and other cryptocurrencies has fueled cybercriminals.

GDPR comes into force on 25 May 2018 – security experts predict that hackers or scammers will begin to steal data with ransomware, and then blackmail the victims by threatening to report them to the GDPR commissioner. Paying these criminals a ransom might be cheaper than risking the maximum fine of either 20 million EUR or 4% of the organization’s annual turnover.

So – how can one protect oneself from this?

Cyber extortioners make easy money with ransomware, but before looking at protection we must first debunk the myths about what protects you.

Firewalls and other perimeter defenses are just that – defenses that try to protect you, but even they might not have the correct tools. Most organizations today are not following best practices. Cybercriminals are successful because unused open ports or outdated security protocols are still in place.

Internal IT is under a lot of pressure and is constantly being downsized, because IT does not make money directly. Many organizations’ IT infrastructure was built years ago, and the people who implemented it have since left, leaving gaps of unknown security risk. IT administrators do not always follow a best-practice security approach, mainly because security has been at the back of people’s minds for so long.

Backups are the most overlooked myth. People usually take backups but do not actually know how to restore from them. Organizations also often never monitor their backups, which results in incomplete backups or full backup drives.

I remember when I was working in the US and we were hit by ransomware. The first thing I did was to instruct all the employees to unplug the ethernet cable from their computer. This helped immensely in stopping the attack, and allowed us to isolate the computer(s) that got infected. As soon as we found out which user’s computer was infected, we also disabled the Active Directory rights for that user. This brings us to the first prevention method.

  1. Disconnect from the network immediately when a breach has been discovered, to limit not only how many of your own files get encrypted, but also the files in the shared folders you are connected to.
  2. Do not make payments. Shortly after WannaCry started spreading around the world, the email account named in the ransom note, through which victims were supposed to receive the unlock code, was shut down by the company that leased it. As a result, many organizations that had already paid the ransom never received the so-called release code. Studies show that only 33% of companies received a release code.
  3. Consult third-party cyber security experts or organizations to frequently test your organization’s IT infrastructure or applications by attacking them. It could also be useful to test the staff’s response by sending simulated phishing emails to employees.
  4. Backups are listed above as a myth, but if done correctly, with a detailed backup and recovery test performed at least quarterly, they can prevent your data from being locked away by cybercriminals.
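One way to run the quarterly backup and recovery test from item 4, as an added example that is not part of the original post: it backs up a constructed sample directory together with a checksum manifest, restores it into a scratch location, and fails the drill if any file is altered or missing after the restore. All directory names and file contents are constructed for the demo.

```shell
#!/bin/sh
# Backup restore drill: back up a directory with a sha256 manifest, restore it
# elsewhere, and prove every file came back intact. Added example (not from the
# original post); the sample data below is constructed for the demo.
set -eu

# make_backup SRC ARCHIVE: write a manifest of every file in SRC, then tar SRC.
make_backup() {
    src="$1"; archive="$2"
    ( cd "$src" && find . -type f ! -name manifest.sha256 -exec sha256sum {} + \
        > manifest.sha256 )
    tar -czf "$archive" -C "$src" .
}

# verify_restore SRC ARCHIVE RESTORE_DIR: restore ARCHIVE into RESTORE_DIR and
# return 0 only if the manifest verifies and no file present in SRC is missing
# from the restore. An incomplete or stale backup fails here, during the drill,
# rather than on the day you actually need it.
verify_restore() {
    src="$1"; archive="$2"; restore="$3"
    mkdir -p "$restore"
    tar -xzf "$archive" -C "$restore" || return 1
    ( cd "$restore" && sha256sum -c --quiet manifest.sha256 ) || return 1
    ( cd "$src" && find . -type f ) | while read -r f; do
        [ -f "$restore/$f" ] || { echo "missing after restore: $f" >&2; exit 1; }
    done
}

# run_drill: build constructed sample data, then check that a fresh backup
# restores cleanly and that a backup taken before a new file was added is
# reported as incomplete. Returns 0 when both checks behave as expected.
run_drill() {
    work=$(mktemp -d)
    mkdir -p "$work/src/hr" "$work/src/finance"
    printf 'payroll 2018-Q1\n' > "$work/src/hr/payroll.txt"       # constructed
    printf 'invoice 4711\n'     > "$work/src/finance/invoice.txt"  # constructed
    make_backup "$work/src" "$work/backup.tgz"
    verify_restore "$work/src" "$work/backup.tgz" "$work/restore-good" || return 1
    # A file created after the backup ran must be flagged as unrecoverable.
    printf 'new contract\n' > "$work/src/finance/contract.txt"
    if verify_restore "$work/src" "$work/backup.tgz" "$work/restore-stale" 2>/dev/null; then
        return 1
    fi
    rm -rf "$work"
}

run_drill && echo "restore drill passed"
```

Point make_backup and verify_restore at a real data directory and a real restore target (ideally a different host) to turn the demo into the actual quarterly drill.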

Esther Pauline “Eppie” Lederer, who used to be an American advice columnist, wrote back in 1975: “If you think education is expensive, try ignorance”. This is still true in today’s digital world. Internet ignorance starts with people’s blind belief that they are secure. Organizations do not spend enough time training their staff in security awareness, and people generally have a false sense of security from firewalls and antivirus software. Organizations will undergo major changes in the coming months due to the new GDPR requirements. This change brings a wonderful opportunity for organizations to go through their security protocols and spend some time educating employees at every level on how little it takes to be attacked, and how major the impact of a simple attack can be. Cyber extortioners are just sitting there, waiting for us to make a single mistake.


The Agility of Multi-Cloud


Over the past several years, cloud computing has been at the forefront of various workloads and applications across businesses. Not long ago most data centers were owned on-premises, co-located, or managed by third-party vendors, and it could take weeks if not months to create new servers. This has all changed. We are now witnessing a trend across organizations of choosing multiple cloud vendors instead of just one.

Multi-Cloud refers to a strategy in which an organization uses services from multiple cloud vendors. This provides a wide variety of options for choosing the best-suited and most effective response to any business task at hand. Multi-Cloud has been slowly gaining traction as an advertising and marketing term, and it will become a major topic in the coming months. Gartner states that “a Multi-Cloud strategy will become the common strategy for 70% of enterprises by 2019, up from less than 10% today.” [1]

Multi-Cloud Benefits

There are multiple reasons why Multi-Cloud is beneficial for organizations. Using a variety of vendors gives access to a wider range of services than a single vendor provides. Another reason is to support geo-replicated applications, such as those e-commerce organizations use to serve a larger market. Depending on the developers or the project at hand, it can be both cost- and time-effective to use a cloud vendor that the specific developers already know.

Another reason is the strategy of not wanting to be locked into a single cloud vendor. As the cloud vendors grow and the services they provide increase with that growth, organizations are not willing to put all of their eggs in one basket. Furthermore, reducing vendor lock-in allows the flexibility to move between the cloud vendors that best suit the future of the project. Gartner expects multiprovider IaaS/PaaS strategies to become the de facto standard. [2]

Multi-Cloud Challenges

Although there are plenty of examples of why Multi-Cloud is becoming a best practice, it also has its downsides. Managing complex Multi-Cloud environments can be very costly, as a multi-vendor approach requires many more resources to maintain and understand. A major factor is the upkeep needed for employees to stay current on constantly changing cloud vendors. Hiring, training, and retaining a team across multiple cloud platforms can be expensive. Maintaining a relationship with each of the top cloud vendors also brings its own challenges, for example the number of certified solution architects required and the support tier.

There is also the issue of hidden cost when dealing with multiple vendors. Each vendor has its own services, and the cost of a service can vary greatly depending on the region in which it is located and the pricing model. The type of data being sent or stored can often add further cost.

Another caveat is the hidden VPN cost: most applications will require a VPN connection between the clouds in a Multi-Cloud strategy. AWS VPN is currently USD $0.05 per hour, while Azure is between USD $0.04 and $1.25. On top of that hidden cost comes data transfer, which depends on the provider but can cost between USD $0.02 and $0.05. This in turn results in about a USD $438 to $16,000 increase per year when using a single VPN connection.

From a security standpoint, using IAM (Identity and Access Management) to manage security within the clouds requires a brokerage that mediates between the cloud vendors, which makes securing access across cloud vendors very difficult without a brokerage tool.

Addressing the Multi-Cloud Challenge

Having a lot of balls in the air when designing a Multi-Cloud strategy can be compared to building the LEGO Star Wars Collector’s Millennium Falcon with its 10,179 pieces. It can be done in one of two ways: efficiently or inefficiently. The efficient way is to plan out what needs to be done, organizing the vendors of choice into categories and assigning employees to those categories. The inefficient way, on the other hand, is going with the flow, allowing mass chaos and not sorting the pieces before joining the Multi-Cloud strategy.

Reducing VPN and data transfer cost can be done, but it requires detailed planning. The cost can be mitigated by using other data transfer methods. For example, AWS offers VPC Endpoints that can send data to S3 buckets instead of sending it over a VPN. Using a VPC Endpoint to S3 would cost only the price of the data transfer, removing the cost of the VPN (USD $438.25).

This IAM brokerage has, however, been implemented by CMTs (configuration management tools, discussed below) with a design approach using ADFS and SAML 2.0.

Multi-Cloud Configuration Management Tools

With the growth predicted by Gartner, Multi-Cloud configuration management tools (CMTs) will also become a viable option. Configuration management tools are integrated products that incorporate self-provisioned system images, billing, and monitoring. The ability to manage the Multi-Cloud strategy with one single management tool can limit a few of the challenges that Multi-Cloud brings. One issue you might run into with configuration management tools is vendor lock-in: being locked into a specific vendor’s CMT is something to avoid in a Multi-Cloud approach. With the growing number of services that each cloud vendor produces, it is an extremely challenging task for cloud configuration management tools to keep up with the newest cloud services; e.g., when AWS comes out with a new service, the CMT will still need to patch its product before it can manage the new service. This can take weeks, if not months, before that new service can be managed.

Cloud configuration management tools are relatively new and are popping up all over. That brings us to the question: what is the best CMT? More than 50 CMTs have been released over the past five-plus years. Some of them have not made the cut and some are still going strong in the market. Each tool provides a different approach to connecting from on-premises to a select few cloud vendors.

The different CMTs have different unique features, and each one might fit one organization better than another; it all depends on how the organization wants to connect to its future VMs. CMTs offer two ways to get their features into the VMs: agent-based and agentless. The choice of integration method depends on the organization’s needs, and choosing the right CMT can make or break any present or future project. Researching the best CMT for the organization’s needs is a big investment. The current CMT leaders at the time of this article are RightScale, Ansible, Scalr, Puppet, and Chef, in no particular order.

Conclusion

In summary, getting the most agility out of Multi-Cloud requires that you have relationships with multiple vendors, the right employee resources, and a standardized operation and practical approach to what Multi-Cloud can do for you.

To succeed with Multi-Cloud you should invest in the right training for the right employees. You should weigh the cost and risk of Multi-Cloud against the benefit it could have for your organization. Using a cloud management tool could relieve the stress of learning the Multi-Cloud strategy, but it could also place you right where you do not want to be: locked into certain CMT vendors.

References

[1] Gartner, “The Future of the Data Center in the Cloud Era”, David J. Cappuccio, 19 June 2015
[2] Gartner, “2017 Planning Guide for Cloud Computing”, Mindy Cancila, Douglas Toombs, Alan D. Waite, Elias Khnaser, 13 October 2016