Industry Commentary – Page 18 – IS Survivor Publishing

Not just alarmism

Are you as tired as I am of movie and television series plots that revolve around super-hackers and super-counter-hackers?

It was bad enough when a bad guy sat down, cracked his (or, less commonly, her) knuckles, started typing, and five seconds later told the uber-bad-guy (no, not a tailgating ride-share-driver), “I’m in!” (Fair’s fair: In the first Die Hard movie the hacker needed a more reasonable hour or so.)

If you’re working on a hacking-related script, please: Have the bad-guy-hacker open a desk drawer, pull out a Post-It®, and type in the password written there. While in the real world this isn’t a reliable method … in a typical office the hacker would have to visit at least five desks … it would at least be plausible.

Accuracy would depict the hacker sending out a spear phishing attack, but I’ll make a concession, given that, unlike your average caper movie, in a hacker plot the process isn’t the point.

Which (in admittedly slow motion) gets us closer to the point of this week’s epistle. But to get there … my wife and I were catching up on a couple of television shows we enjoy. Both of their plots, back to back, were based on ransomware attacks. And no, I’m not going to identify the shows. My guilty pleasures are none of your business.

What is your business is protecting your organizations from ransomware attacks. On a pain scale of one to ten, where one is your level of discomfort following a vaccination and ten is what you experience during an anesthetic-free amputation, these rate about twelve.

What’s most shocking about the ransomware epidemic, both on television and in the real virtual world (now, now, don’t be like that!) is that they are, so far as I can tell, both more preventable and remediable than your typical write-up on the subject would suggest.

But only if you’ve prepared.

What follows are a few basics to get you started. Most are steps you should have taken even before ransomware became prevalent. Next week we’ll dig deeper.

Data can’t be infected. Data can be encrypted, making it inaccessible, which is what ransomware does. But except for macro viruses, data can’t be infected, because … it’s data, not executable. So make sure all of your data resides on different physical servers than your executables. That’s physical, not just virtual.

More important, make sure all of your data backups are read-only, managed by different, air-gapped physical servers.

More important yet, take frequent snapshots and preserve all journal files and change logs for an excessive period of time.

Ransomware discontinues business operations. So include recovery from a ransomware attack in your business continuity plan. Additional thoughts about this:

If you have two overlapping recovery plans to keep synchronized, they won’t stay synchronized.
Know how you’ll continue business operations during a ransomware attack. Improvisation after you’ve been attacked is considered industry worst practice.
As with the rest of your business continuity plan, an untested ransomware recovery plan isn’t a plan, just wishful thinking.
Hope wasn’t a plan before ransomware became a threat. It’s even more not a plan now.

Reinstall. Make sure you can reinstall, not only applications, but also the platforms they run on. Document every procedure required to rebuild every piece of your production environment, starting with the original installation files. That’s the only way you can be confident you aren’t recovering ransomware executables in your attempts to restore an uncompromised production environment.

Cloud due diligence. Review your cloud vendors’ ransomware recovery plans and make sure they’re up to your standards, especially with respect to data protection. Consider adding on-site, read-only, snapshotted, air-gapped data backups to your cloud architecture.

Bob’s last word: In addition to making sure you have a professional-grade ransomware response plan, rationalize your application and platform portfolios. If you do have to recover from a ransomware attack, recreating the production environment is polynomially simpler in organizations that have consolidated redundant applications and platforms, and whose platforms are sufficiently current that reinstallation will work.

Bob’s sales pitch: I don’t claim to be an expert on this subject (thanks to Mike Benz, who is, for reviewing it).

This isn’t intended to be either gospel or complete. Consider it a nudge, and guidance on where to start digging. If you haven’t been taking this threat seriously … take this threat seriously. It’s shocking how many IT organizations have succumbed to ransomware attacks with little or no preparation. The pandemic-level growth of these attacks is even more shocking, and we’re still at the pre-vaccine stage of dealing with it.

Safe behavior is the best defense. Make sure you’re practicing it.

Mutual assured baloney

The world’s first website was launched on August 6, 1991. By rights, someone should have programmed a bunch of Twitter ‘bots to sing happy birthday to the World Wide Web. (And thanks to my friend Mike Benz for pointing out this historical marker to me.)

# # #

Speaking of ‘bots, while up-to-date statistics are hard to find, and the sensational nature of the subject matter invites exaggeration, there clearly are a lot of social media ‘bots out there, and in particular there are a lot of ‘bots out there that spread misinformation, disinformation, fake news, baloney, and other forms of utterly nonsensical but dangerous propaganda.

Back when Mutual Assured Destruction was the backbone of U.S. nuclear military strategy, it was widely understood that disarmament was desirable but unilateral disarmament would have been destabilizing.

Which leads me to wonder why those who want to spread reliable, curated content don’t deploy counterpropaganda ‘bots.

Most of what we read about countering ‘bot-driven disinformation campaigns is defensive – how to recognize the dangerous little critters. I wonder what a ‘bot arms race might look like.

# # #

Speaking of the Internet and disinformation, no, Al Gore never claimed to have invented the Internet. Al Gore also never claimed to have invented technology for countering disinformation, which is just as well given how utterly inept he was at it. As proof of his ineptitude, most Americans still seem to believe that he did claim to have invented the Internet.

# # #

Continuing to speak of the Internet and disinformation, SpotFakeNews.info has published a handy guide to recognizing disinformation. Its step-by-step is as follows (follow the link for details): (1) develop a critical mindset; (2) check the source; (3) who else is reporting the story? (4) think about the evidence; (5) don’t accept images at face value; (6) listen to your gut.

The full text behind #6 tells you to pause and ask if what you’re reading is designed to play on your hopes and fears. It tells you, that is, to do the exact opposite of listening to your gut. Go figure.

# # #

Meanwhile, as we are, after all, celebrating the birth of the World Wide Web, a quick timeline: In the beginning (of the Web, not the Internet itself) was SGML – the Standard Generalized Markup Language. It was a syntax for defining tags that could be used to identify parts of documents. Everyone who came into contact with it knew it was important. The main barrier to its adoption was that nobody could figure out anything useful for it to do.

Then CERN’s Tim Berners-Lee, wanting to make Ted Nelson’s idea of hypertext real, figured out that a simplified version of SGML could be just the ticket. He called the result the HyperText Markup Language – HTML.

To make HTML useful, Berners-Lee then created WorldWideWeb (later Nexus) – the first web browser.

Shortly thereafter, in 1993, NCSA’s Marc Andreessen and Eric Bina wrote Mosaic, the first web browser anyone ever heard of.

Somewhere in there, Al Gore sponsored legislation privatizing Internet governance and encouraging the transformation of the Internet’s underlying connectivity, from a fragile spiderweb of low-speed channels to a robust backbone-based architecture.

Imagine what the world would be like, right now at this moment as you read these words, had none of this history happened.

# # #

Bob’s last word: In the absence of a TIP program we do need tools of some kind to help us differentiate honest information sources from those whose purpose is to deceive.

One tool every information source can deploy to help its consumers judge their reliability is to reveal the processes and practices they employ to gather, process, and publish. The Washington Post provides a laudable example. You’ll find it here: Policies and Standards.

I haven’t yet prepared one for KJR, but will get started on the project shortly.

Bob’s sales pitch: Speaking once again of Internet-driven disinformation, in 1997 I proposed creation of a TIP (Trusted Information Provider) certification program. Later in 1997, and on through the present, this proposal was almost universally ignored.

But on the other hand, in 2010 the Harvard Business Review published its “10 Must Reads.” Amusingly enough, not one of the articles HBR considered must-reads made any mention of information technology or the Internet.

Nice to know they’ve been keeping up with the times, even if they aren’t keeping up with yours truly.