Q&A With Fidelity’s Director of I.T., Aron Pollak
As a leading provider of payment processing solutions for many businesses in the tri-state area, Fidelity keeps a close watch on emerging security threats—and unfortunately, in recent months, ransomware has been attacking businesses at growing rates. In our community alone, over a dozen companies have been targeted by this malicious software that locks the victim out of their files until a ransom is paid.
Ransomware attacks can be incredibly costly for businesses, and more often than not, businesses are left on their own to pick up the pieces (even government agencies like the FBI are unable to help). That’s why our Director of I.T., Aron Pollak, took it upon himself to volunteer his expertise—alongside a group of technicians within the I.T. community—to assist many of the victims whose businesses were brought to a complete shutdown by ransomware.
Aron sat down for a brief interview with Fidelity’s Security Manager, Zalman Miller, to share some insights into the nature of these attacks, as well as some advice on what organizations can do to protect themselves.
ZM: Was there a common thread among the victims?
AP: Absolutely—the victims I dealt with lacked some basic security measures which could have stopped the attack or mitigated the impact. Here were the common findings:
- All users had admin rights on their computers, thus allowing anything to be installed and any changes made to configurations without user verification.
- No security policies were enabled in Microsoft’s Active Directory technology for network management. These security policies enforce basic security controls such as password requirements, which helps protect the server from attacks.
- No antivirus software (not even Windows Defender) was found on many of the devices.
- On devices that did have antivirus software, oftentimes the hackers were able to disable the software as they had admin privileges once they obtained access to the device (see the first point above).
- Those who had online backups (even reputable ones such as Carbonite) had their entire backup deleted by the hackers because access to the backup was not properly secured with dual-factor authentication. This meant that once the hackers stole the password to the online backup, they could easily log in and delete the data without being prompted to verify their identity further.
- The point of entry for most seemed to have been via free remote software solutions, such as TeamViewer, that do not have such robust security.
- Even among users who used more reputable remote software, hackers were able to obtain easy entry by stealing passwords. Dual-factor authentication had not been enabled on these software programs.
- Forensic investigators are currently examining if phishing played a role, and if so, to what extent. Phishing is a method of obtaining sensitive data, like passwords, by posing as a legitimate entity (e.g. one’s employer or bank) and requesting data from the user. One of the best ways for companies to prevent phishing is by training their employees to look out for phishing attacks, and unfortunately, none of these companies had any user awareness and training programs in place.
ZM: Do we have any idea of how badly these companies were impacted?
AP: This varied among the companies, but most were shut down for at least a day while trying to restore from backup. Some lost decades’ worth of files and archives, and some paid the ransom to get their data back (at least one company paid $100,000 in Bitcoin).
ZM: What do you recommend companies do to protect themselves from ransomware attacks?
AP: The threat of ransomware can never be completely eliminated, even if you’ve implemented every security measure possible; it’s truly beyond our control and requires protection from a higher power. However, there are several things you can do to reduce the odds and keep your data safe:
- Do not grant admin rights to all users.
- Enforce robust password requirements (consider following the Payment Card Industry’s password requirements).
- Implement dual-factor authentication whenever possible (this means that, upon entering the password, the user will be prompted to verify their identity; for example, by entering a passcode that’s sent to their phone).
- Make the investment in antivirus software and other security solutions from reputable providers—the costs are truly a drop in the bucket compared to costs incurred by an attack.
- Have a backup in place AND secure your backup with strong access controls.
- Do not use free remote software or have an internet-facing remote desktop protocol (RDP).
- Do not use legacy software systems (this refers to outdated software that’s no longer being updated with improvements, such as those to improve security).
- Cyber liability insurance coverage may cover some costs incurred by a data breach.
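The host-side findings and recommendations above (blanket admin rights, weak or absent password policy, no antivirus, exposed RDP, free remote-access tools) can be checked on a Windows machine with a short audit script. The following is an added example, not code from Fidelity or the interview; it assumes a Windows 10/Server host with PowerShell 5.1 or later, and the domain password-policy check only runs when the RSAT ActiveDirectory module is installed. The thresholds used to flag a setting as weak (more than two admin entries, minimum length under 12, no lockout) are assumptions, not values taken from the page.

```powershell
# Added host-audit example (not Fidelity's or Aron Pollak's code).
# Assumes Windows 10/Server with PowerShell 5.1+; AD check needs the RSAT ActiveDirectory module.
$findings = @()

# Finding 1: every user having local admin rights. Flag if more than the two
# expected entries (built-in Administrator + Domain Admins) are members (assumed threshold).
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$findings += [pscustomobject]@{ Check = 'Local Administrators members'; Value = ($admins -join ', ')
    Weak = (@($admins).Count -gt 2) }

# Finding 2: no password policy enforced in Active Directory (only if the AD module exists).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings += [pscustomobject]@{ Check = 'AD minimum password length'; Value = $p.MinPasswordLength
        Weak = ($p.MinPasswordLength -lt 12) }          # assumed threshold
    $findings += [pscustomobject]@{ Check = 'AD lockout threshold'; Value = $p.LockoutThreshold
        Weak = ($p.LockoutThreshold -eq 0) }             # 0 = never lock out
}

# Finding 3: no antivirus (not even Windows Defender) or real-time protection disabled.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $findings += [pscustomobject]@{ Check = 'Defender real-time protection'; Value = $mp.RealTimeProtectionEnabled
        Weak = (-not $mp.RealTimeProtectionEnabled) }
} catch {
    $findings += [pscustomobject]@{ Check = 'Defender real-time protection'; Value = 'not available'; Weak = $true }
}

# Finding 4: RDP enabled without Network Level Authentication (weak if exposed to the internet).
$ts    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOn = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nla   = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1
$findings += [pscustomobject]@{ Check = 'RDP enabled without NLA'; Value = "RDP=$rdpOn NLA=$nla"
    Weak = ($rdpOn -and -not $nla) }

# Finding 5: free remote-access software installed (the interview names TeamViewer).
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$remote = Get-ItemProperty $uninst -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like 'TeamViewer*' } |
          Select-Object -ExpandProperty DisplayName
$findings += [pscustomobject]@{ Check = 'Remote-access software installed'; Value = ($remote -join ', ')
    Weak = [bool]$remote }

# Print the report; any row with Weak = True matches one of the findings from the interview.
$findings | Format-Table -AutoSize
```

Backup access controls and dual-factor authentication on remote tools cannot be audited from the endpoint this way; check those in the backup provider's and remote-access vendor's account settings.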