The so-called ransomware attack that shut down a Milwaukee company last month shows the ever-present risk that now threatens all organizations.
Small businesses that have less sophisticated systems to protect their computer networks from being hacked can be particularly vulnerable, according to cybersecurity experts. But every business or organization — large corporations, health systems, universities — is at risk.
“We all run the risk every time we cross the street of getting hit by a car – no matter how cautious we are,” said Thomas Kaczmarek, director of the Center for Cyber Security Awareness and Cyber Defense at Marquette University.
“You have to be beyond cautious. You have to be defensive, and organizations are trying to be defensive. But it costs time and money and resources to do that.”
Ransomware is a type of software, known as malware, that locks down parts of a computer system – or, in the worst case, the entire system – and denies access to the system or data until a ransom is paid.
The FBI estimates that several thousand ransomware attacks occur each day.
“Cyber hacking has become a business,” Kaczmarek said.
People don’t even have to be technical experts to become cybercriminals: They can buy kits that provide the needed software.
“There are very low barriers of entry to the marketplace,” Kaczmarek said.
He likened it to becoming a franchisee. If perpetrators succeed in penetrating a computer system, they can sell the access – the rights, so to speak – to another party in exchange for what would be considered a finder’s fee in the business world.
Most ransomware attacks are not publicly disclosed. But the fact that businesses can buy cybersecurity insurance shows the risk they face. What happened to vcpi could happen to any business or organization.
“The more you look into this, the more it scares you,” said Khaled Sabha, a senior lecturer at the University of Wisconsin-Milwaukee, who teaches courses on computer hacking and forensics.
“It could happen to any person, even to me,” he said. “You have to be vigilant all the time.”
Sabha and other experts stressed that the first line of defense is awareness.
An estimated 90% of successful attacks are from so-called phishing, in which someone clicks on a Word document, PDF file or link that contains “scripting,” or executable code.
The problem is the email can be sent under a false address.
The computer science department at UW-Madison this year was the target of so-called spear phishing – a type of phishing designed for a specific person or organization – under the name of the former department chair, said Barton Miller, a computer science professor.
No one fell for it.
But few people are computer scientists – and all it takes is a lapse by one employee for a computer system to be breached.
Once the system is penetrated, the virus has a beachhead of sorts. The Emotet virus, for example, originally was designed to steal information, Miller said. But around 2018, a new version appeared that could bring in other software, such as Ryuk malware, as well as get into email contacts.
The malware then will look for vulnerabilities, such as updates that haven’t been done or flaws in how the system is configured, such as a default password that wasn’t changed.
Computer networks are designed with firewalls and other protections to stop a virus or malware from getting beyond a certain point.
“You need layered security,” Miller said. “At each level, you bring in safeguards.”
Defenses now are built into operating systems and applications, he said, and software now has to be written not only for efficiency but also for safety.
Tools also have been developed to identify potential weaknesses.
“One of the primary principles of cybersecurity is defense in depth,” Kaczmarek said.
Only authorized people, for instance, should be allowed access to certain parts of the network.
That’s partly why cybersecurity experts stressed the importance of complex passwords.
Viruses now exist that can capture keystrokes and in the process get passwords, Kaczmarek said. But so-called brute force attacks that try possible combinations are the most common.
There also are so-called dictionary attacks that try popular passwords. Hackers also will use social media to learn the name of a dog or a best friend.
Using an upper and lower case letter doubles the complexity. Numbers and special characters make passwords even more complex.
Kaczmarek recommends using phrases for passwords – though he acknowledged that “gopack” probably isn’t the safest choice in Wisconsin.
One problem is people often use the same password for different accounts. And passwords also can be picked up when people use unsecured Wi-Fi.
The biggest concern is compromised credentials, such as a simple password or a password used for a number of different sites or accounts, said Brett Rehm, vice president of the technical services team at Epic Systems, one of the two largest software companies for electronic health records.
Health care organizations and insurers have become inviting targets for cybercriminals.
In a two-month period this year, eight health systems, hospitals or medical clinics were hit with ransomware attacks that in some cases caused them to shut down temporarily, according to Becker’s Hospital Review.
Epic has never had a customer who has had information stolen through malware, Rehm said.
“We say that security is a constant part of our design process,” he said.
The company trains its people in how to write software that is less vulnerable to security breaches. It also has a dedicated group of people who look for potential vulnerabilities.
Beyond that, Epic works with health systems on how to design their computer systems so that sensitive information is segregated.
What is known as multifactor authentication – such as when someone cannot gain access to a system without a fingerprint or a code sent by text – is another defense.
The most important defense is ensuring that so-called patches are installed regularly, Rehm said. Most malware attacks could be prevented by installing the latest version of security software.
Epic’s customers are large health systems and physician practices that have sophisticated computer networks. Smaller health providers, businesses and organizations don’t have the same resources.
“They have become more of a target because the major organizations are doing a better job defending themselves,” Kaczmarek said.
They also may believe they will not be a target or assume they have adequate protections.
“The awareness is not there,” Kaczmarek said.
The National Institute of Standards and Technology has put out a framework that consists of standards, guidelines and best practices for cybersecurity. A coalition also has worked to raise awareness with its “Stop. Think. Connect.” campaign.
“That’s kind of their advice before you click on something – stop and think,” Kaczmarek said.
But even with that, organizations still are at risk. For this reason, experts stress the importance of backing up their data – and regularly testing their backups.
“Just saying I do backups is one layer, but it’s an incomplete layer,” Kaczmarek said.
Miller, the UW-Madison professor, said that organizations also must have an incident plan in place to continue their operations.
They can’t bet that they will be able to keep their computer networks safe from intrusions.
“That is something that every company,” Miller said, “has to face.”