Babuk ransomware gang again threatens the release of more DC Police data - time to tighten defenses

Baber Amin, Chief Operating Officer, Veridium

No one starts with the intent to create an insecure system. Increasing connectivity, increasing amounts of information captured and stored, and little to no budget for increased cybersecurity or cyber education have all created an environment that is favoring bad and opportunistic actors.

For too long, organizations have relied on physical proximity and threat of prosecution for security.  But we’re now in a time when, digitally speaking, there are no boundaries, and attackers don’t particularly fear an organizations or a country’s prosecutorial ability. There is a saying that most security systems, processes and procedures are there to keep honest people honest. Think Snow White and the Seven Dwarfs - what did they do?  They locked the door and hung the key on the hook next to the door. That is no different than relying on securing obvious interaction points, contractually trusting your vendors security practices, and blindly believing that all your employees, partners and vendors are as security savvy as your best security personnel.

Ransomware gangs have caught on to this naive approach and are happy to exploit it.  By hiding behind the anonymous nature of digital interaction, they are emboldened even to attack law enforcement, e.g. D.C. Police, Dade City Florida Police, etc.  This is to erode public confidence and trust in the system.  If law enforcement cannot protect its own information and systems, what confidence does one have in its ability to protect me or find evidence for prosecution of a cybercrime against me. 

We have seen an increase in successful cyberattacks lately.  With our aging infrastructure, both the energy and healthcare sectors are prime targets for easy picking.  With ever greater reliance on remote systems, remote services, digital first approaches, we are entering a state of perfect storm.

How do we fix this? Start by realizing that a lack of cyber security hygiene is one of the biggest causes of successful cybercrime, exacerbated by the shortage of highly skilled cybersecurity talent. Also, it’s time to embrace more risk- and compliance-focused approaches that follow a zero-trust model. And passwordless authentication is an important and invaluable component of that.

No one can attack, steal, reuse, share, transcribe, divulge, something they don’t have.

No password = no phishing

No password = no credential stuffing

On the other hand:

Human Error = forgotten passwords + shared passwords + reused passwords + weak passwords. All of which open the door to ransomware.

To thwart crimes such as the cyberattack on the DC Police, context-aware multi factor authentication that is risk aware needs to be broadly adopted and deployed. This is why we enable and urge organization to implement intelligent passwordless authentication that is all inclusive with the largest possible support for authenticators.

Ransomware criminals aren’t going away. It’s time to improve our defenses.