Cybersecurity a costly necessity


Brian Levine, founder of UMass Cybersecurity Institute, speaks to Franklin County Chamber of Commerce members Friday. Recorder Staff/Richie Davis

Recorder Staff
Friday, October 27, 2017

“We thought we were protected,” with multiple computer system backups and firewalls, said Franklin Regional Council of Governments Executive Director Linda Dunlavy. “But it’s hard to protect against user error.”

A new employee faced an email just before 5 p.m. Her bosses hadn’t yet warned her, “Please don’t trust the Bulgarian prince” from cyberspace, so she opened up a nasty email.

By 7 a.m., “We had 100,000 files encrypted,” Dunlavy told about 100 Franklin County Chamber of Commerce members at a breakfast meeting focused on cybersecurity for small organizations and businesses.

It was a perfect case of the complexities involved in trying to protect against attacks like last May’s WannaCry ransomware, which infected more than 300,000 computers in 150 countries in a matter of days, demanding ransoms from users to regain access to their computers.

Rather than being held hostage to cyber criminals who have managed to get into the most heavily guarded computer systems of businesses, hospitals and government agencies, it’s essential to be knowledgeable and diligent, said Brian Levine, founder of UMass Cybersecurity Institute.

Yet security is hard.

“Despite the fact that Apple and Facebook and everybody have tried to make it appear that you can manage computers, if you’re running a business and you have important information, you should perhaps call someone in to help you do it,” said Levine, whose talk came as the Associated Press reported a new study that said the WannaCry attack could have been prevented if security updates had been installed on computers at 81 of Britain’s National Health Service.

In the case of the WannaCry attack, which was first launched on British hospitals, computer operators were told via a user-friendly note that they needed to pay a $500 ransom to have their files freed up, using a Bitcoin cyber account. It was just enough extortion to make the attack worthwhile for the criminals, who ultimately made $250,000, said Levine. Yet the ransom wasn’t so costly that users would balk.

Meanwhile, the malicious software, or malware, looked for ways to spread to other computers, so it spread worldwide within a matter of days.

“It’s difficult to protect a computer,” said Levine, running through various types of attacks, including phishing emails that try to fool users into sending sensitive information, whether by pretending to be a Nigerian prince, your boss, or even your friend or relative in need of help.

“Security is annoying,” Levine acknowledged. “It’s the opposite of usability,” and it only seems worthwhile if its cost is less — in time or money — than the value of what you’re trying to protect.

In the case of last May’s attacks, which have been blamed on North Koreans, cyber criminals tried to make it easy to understand how to reclaim encrypted files, and also went after files that seemed most valuable, including spreadsheets or anything with a Microsoft Office extension, archives, emails, databases, source code files and encryption keys that could be used to decrypt other files.

Even for users willing to pay the $500, he said, there was the lingering question of whether it would really help unlock the files. In some cases, there were stories of the ransom not helping to retrieve the lost data, he said.

Attackers can use “back door” paths into computers, by impersonating addresses on your computer’s email list, so even if you think you’ve cleared up a problem, you may not have, Levine said.

“By being able to get back in, they’re then able to take control of your computer and make use of it,” he said. “So all of those spam emails you get, believe it or not, they’re from machines that have been infected and those machines are controlled by someone else. Let’s say they ‘own’ a million computers that have been hacked previously, and then they rent control of those million computers to other people on the black market … So if you want to send spam, you go on the black market and say to someone, can I rent your ‘botnet,’ and then it’s your computer that’s used to send these spams.”

The virus attacked computers that had not been protected with operating-system patches, said Levine. Those patches present tradeoffs to businesses by sometimes making them vulnerable to other computer problems, he said. His own Apple computers haven’t been as vulnerable to the attacks, but he’s protected them anyway.

Although ransomware has been around since 1996 and takes advantage of poorly managed computer systems, he noted, even the world’s largest companies get hit.

So what’s a user to do?

There’s the 3-2-1 backup rule: Make sure you have at least three backups of your data, two of which are saved to a different device, with one copy that’s entirely offsite. (It’s because the COG backs up its data overnight that it hardly lost any data, said Dunlavy.)

Beyond that, Levine explained after the talk, “If it’s critical to your business, then you need to put money into protecting that data and making it accessible and making it confidential,” and he added that every business has to take stock of what kind of data it maintains – and how important it is to protect. “It’s another business expense. I think you need to get some training or hire an outside organization. You wouldn’t just install electricity all over your house and not hire an electrician. We plug things in all the time, so you have to think of computers that way.”

On the Web: www.cybersecurity.umass.edu