We Are Better Prepared for a Zombie Apocalypse


Last week, a discussion panel of cyber security and electrical industry stakeholders examined what could be done to protect U.S. public utilities from cyber-attacks, and what steps could be taken during a high-risk event to mitigate the effects on the grid.

It turns out that we now rely on our DoE regional coordinators in each of the 10 Federal Emergency Management Agency (FEMA) regions to work with first responders in the event of a natural disaster or a terrorist attack (which may be the same thing). The panel cited an agreement signed by the Secretary of Energy in February, which identified these individuals as points of contact to share information with the DoE and the states in the event of an energy supply disruption, as an important step toward cyber-security preparedness. This would supposedly serve to improve information sharing and communication during critical response activities.

I don’t know about you, but this sounds a lot like the ads for LifeLock where the “security monitor” tells the bank manager, “Yep, it looks like a robbery.” Except those are supposed to be funny. This is not.

It gets worse. They went on to applaud the fact that they are working on preparedness exercises to be held by federal agencies and the private sector that would include annual studies on the risks and hazards that might affect the energy sector. And, we actually pay these people?

Someone should point out to this group that despite their heroic preparedness efforts, U.S. cyber security is not nearly as prepared as it appears. As Arthur House, commissioner for the state of Connecticut Public Utilities Regulatory Authority, warned, “The thing to remember about cyber security, we are far better on paper to take care of things than we are operationally. It’s not as if the president could turn to the secretary of energy in the event of a grid cyber-attack and say ‘turn it back on.’”

As we should have seen in the Ukraine power grid attack, the real problem faced by the Ukrainian security engineers was not just the initial strike on the grid but the holistic strike vectors that disrupted restoration attempts immediately after it. We are not even close to addressing, let alone planning for, a similar recovery disruption here.

It doesn’t take much imagination to conjure a scenario where an attack on the electric grid would be accompanied by a simultaneous attack on our financial sector or on our water supply. Or simply an attack on our recovery efforts through brute-force DDoS vectors against all of our FEMA sites and disruption of our communication protocols.

As recently as last year, Jeh Johnson, Secretary of Homeland Security, said “I’m sure FEMA has the capability to bring in backup transformers. If you want an inventory and a number, I couldn’t give you that.”

That might be because, in fact, there is almost no such capability in the realm of large power transformers (LPTs). Even if we had them, as the STEP (Spare Transformer Equipment Program) people claim we do, how would we transport equipment weighing half a million pounds or more across state lines in a rapid response to a critical outage? According to FEMA representatives, as of this moment, that capability has never been tested.

LPTs are essential to the functioning of the grid. Because they are very expensive, only the largest and most profitable power companies can afford to keep backup transformers on hand. Because the transformers are custom-made, they are not easily interchangeable. Because the equipment is huge, it is not easily transported. Because these transformers are, on average, thirty-eight to forty years old, some of them were originally delivered by rail systems that no longer exist. Because the vast majority of LPTs are built overseas, it takes a very long time to replace them.

The federal response to Hurricane Sandy is an interesting case in point. In addition to hitting major sections of New Jersey and Long Island, Sandy flooded New York City streets, tunnels, and subways, effectively cutting off all electric power to Lower Manhattan.

They brought in power trucks, flown in from places as far away as California on DOD [Department of Defense] planes, to begin replacing the poles and the lines. At one point FEMA had about eighteen thousand people working in that area going door-to-door, bringing people food and removing them from unsafe buildings until they could get the power back on.

It took more than five days before any power was restored to Lower Manhattan, but 95 percent of New York’s customers did have their power back after thirteen days. Even with a relatively small emergency caused by a hurricane, thousands of homes were lost throughout the region and tens of thousands were rendered homeless.

Where, then, might you and I find advice on how to cope with the aftermath of such an attack?

Howard A. Schmidt, the former cybersecurity coordinator for the Obama administration, a principal in Ridge-Schmidt Cyber LLC, a Washington consultancy company in the field of cybersecurity, and a board member of one of our technology partners, Taasera, says, “There is no answer.”

No government agency has guidelines for private citizens because, according to Schmidt, there’s nothing any individual can do to prepare. “We’re so interconnected,” he said, that in terms of disaster preparation “it’s not just me anymore: it’s me and my neighbors and where I get my electricity from. There’s nothing I can do that can protect me if the rest of the system falters.”

The electrical industry panelists agreed that best practices for cyber security protection include layered defenses, regulatory oversight, external third party assessments and internal governance. Excuse me?

As Ted Koppel points out in his book, Lights Out, it would be helpful if the political world would just accept that there are two permanent conditions that are going to affect future generations: one is the global scourge of terrorism, the other is the digital forevermore. Within that world of the “digital forevermore” lies the prospect of a catastrophic cyber-attack on one of the U.S. power grids.

And that is the existential reality that the new president faces. I hope he or she is up to the job.

Back From BlackHat, Oh My!


One major online reporter recently returned from the BlackHat Conference in Las Vegas with a list of what he thinks are the four cybersecurity topics that were rooting many conversations, both on the expo floor and among experts and analysts in the briefing rooms. If what he says is true, I now know why we haven’t made any progress in Cyber-security in the last two years.

The BlackHat Conference started out as both an opportunity to share research and to demonstrate the fragility of computing systems, and a chance to show off new tools and technologies to defend against threats. I have no idea what it is now.

This was the 19th year (amazingly) of this six-day event, which began with four days of intense trainings for security practitioners of all levels, followed by a two-day main event including over 100 independently selected briefings, exhibits and awards.

Let me explain why the four topics depress me.

First, Behavior Baselining.

This simple-minded notion is based on the idea that a good way to determine if you have had a network infection might be to establish a baseline of normalcy and then measure subsequent variations to that baseline over time.

Establishing a useful baseline takes a period of around 6-8 weeks of observation, long enough to capture these norms and to accommodate occasional one-offs and anomalies.

Three years ago DarkTrace emerged on the Cyber-security software scene with a revolutionary approach to network infection detection using just that process followed by some pretty cool detection technology. DarkTrace has successfully raised over $85m in venture capital and purportedly has 1,000 customers worldwide.

DarkTrace was dismissed by most security analysts for two reasons: One, the baselining would not be able to identify an infection that already existed at the time the baselining began nor would it be able to detect an infestation during the baselining period. Two, it generated a ton of false positives requiring tuning down the filters to such an extent that the true positives might get easily lost in the noise.
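The baselining process and its two blind spots, as an added illustration that is not DarkTrace's or any vendor's code. It builds a per-host baseline from six weeks of constructed daily outbound-connection counts (all hosts, values and the `ws-01`/`ws-07` names are made up), then scores later days two ways: a robust median/MAD scale that tolerates the one-off spike in the baseline period, and a naive mean/stdev scale that the same spike inflates until it misses the real change. The host that was already beaconing when baselining began is never flagged, because its infection became its "normal".

```python
"""Baseline-and-deviation detector over constructed per-host daily outbound
connection counts. Added illustration, not DarkTrace's or any vendor's code."""
import statistics
from collections import defaultdict

BASELINE_DAYS = 42          # six weeks, the low end of the 6-8 weeks the post cites
THRESHOLD = 3.0             # flag when a value is more than 3 "sigmas" from baseline
MAD_SCALE = 1.4826          # makes MAD comparable to a standard deviation for normal data


def jitter(day):
    """Deterministic +/-5 wobble so the constructed data is not perfectly flat."""
    return (day * 7) % 11 - 5


def build_records():
    """Constructed telemetry: (day, host, outbound_connections). Not real data."""
    records = []
    for day in range(1, BASELINE_DAYS + 2):          # days 1..43
        # ws-01: ordinary workstation, one legitimate one-off spike on day 5
        # (think: a backup job), then a genuine change of behaviour on day 43.
        if day == 5:
            ws01 = 900
        elif day == BASELINE_DAYS + 1:
            ws01 = 400
        else:
            ws01 = 100 + jitter(day)
        # ws-07: already beaconing steadily before baselining starts, so its
        # "normal" is the infection. It keeps doing the same thing on day 43.
        ws07 = 350 + jitter(day)
        records.append((day, "ws-01", ws01))
        records.append((day, "ws-07", ws07))
    return records


def build_baselines(records, baseline_days=BASELINE_DAYS):
    """Per-host robust centre/scale (median, MAD) and naive (mean, stdev)."""
    per_host = defaultdict(list)
    for day, host, value in records:
        if day <= baseline_days:
            per_host[host].append(value)
    baselines = {}
    for host, values in per_host.items():
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values) * MAD_SCALE
        baselines[host] = {
            "median": med,
            "mad": mad if mad > 0 else 1.0,       # avoid divide-by-zero on flat hosts
            "mean": statistics.mean(values),
            "stdev": statistics.stdev(values),
        }
    return baselines


def robust_score(baseline, value):
    """Deviation from the median in MAD units."""
    return (value - baseline["median"]) / baseline["mad"]


def naive_score(baseline, value):
    """Classic z-score; one outlier in the baseline window inflates stdev."""
    return (value - baseline["mean"]) / baseline["stdev"]


def evaluate(records, baselines, baseline_days=BASELINE_DAYS, threshold=THRESHOLD):
    """Score every post-baseline observation both ways."""
    results = []
    for day, host, value in records:
        if day <= baseline_days:
            continue
        b = baselines[host]
        rz = robust_score(b, value)
        nz = naive_score(b, value)
        results.append({
            "day": day, "host": host, "value": value,
            "robust_z": rz, "robust_alert": abs(rz) > threshold,
            "naive_z": nz, "naive_alert": abs(nz) > threshold,
        })
    return results


def run():
    """Build data and baselines, return the day-43 verdict per host."""
    records = build_records()
    baselines = build_baselines(records)
    return {r["host"]: r for r in evaluate(records, baselines)}


if __name__ == "__main__":
    for host, r in run().items():
        print(f"{host} day {r['day']} value={r['value']} "
              f"robust z={r['robust_z']:.1f} alert={r['robust_alert']} | "
              f"naive z={r['naive_z']:.1f} alert={r['naive_alert']}")
```

Both the missed detection on `ws-07` and the tuning problem on `ws-01` are properties of the method, not of any product: whatever was already happening during the baseline window is, by construction, what the detector calls normal.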

The point is not that DarkTrace is a bad product; in fact we were their first American technology partner and I regard them highly. The point is that they and their technique have been around now for 3 years and there have been several followers and lookalikes entering the market. So, to say that Behavior Baselining is one of the four hot topics at Black Hat 2016 is either indicative of a security community that has been napping for 3 years or just plain wrong. I’m hoping for the latter.

Second, Active Response

This topic is at least an indicator that our sensitivities have swung over to detection and away from prevention, and that alone is a good sign of progress. The premise here is that as organizations get better at detecting threats, the number of alerts their systems create also increases. This results in what security operations center (SOC) managers refer to as alert fatigue. Systems like DarkTrace don’t help. Due to the inability to respond, breaches persist for long periods of time. The Democratic National Committee hack is a good example of long-term resident infection.

Active response is suddenly a hot topic when we and others like us have been developing both human and automated processes that enable our ability to respond to an attack as soon as it is detected within the monitored environment. For 3 years.

This reporter outlines processes that include communication with secondary systems such as a ticketing system, or collecting additional data, or an automatic configuration change such as modifying a firewall to block communication with a bad actor. This is neither rocket science, nor should it be a new revelation.

What we should be talking about is improved machine response and artificial intelligence applied to the response mechanisms. It is hard for me to believe that active response is a hot topic in 2016.

Thirdly, Security Analytics.

This is where we have to shout out a loud, C’mon Man!

He says that identifying trends and patterns in an organization is a good starting point to mitigate systemic problems as well as identifying threats and that there is a clear need for security and IT teams to use analytics to broaden their security and operations insights.

Security analytics have been around forever. They are better now than they were, but so are most things. This topic should have been extended to, or applied as, UBA (user behavior analytics), where we look for correlations and use abductive reasoning algorithms to detect suspicious behaviors or to improve access authorities in complex systems.

He describes security analytics as data analysis across multiple sources of data, often log data enriched with non-log data such as threat intel, in order to provide actionable knowledge to the security analysts and to security managers. There are over 20 such systems on the market and in addition most major software products have embedded functional analytical capabilities into their threat detection suites to provide just this capability. Again, not new technology and not new applications.
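The two mechanisms described above, log enrichment with threat intel (this section) and the active responses listed earlier (ticket, collect more data, change a firewall rule), as one added illustration that is not any vendor's code and not part of the original post. The log format, the host and destination addresses (TEST-NET ranges), the intel feed and the confidence thresholds are all constructed for the example; the `iptables` rule is returned as a string for an operator or orchestrator, never executed here.

```python
"""Constructed alert pipeline: enrich firewall log events with threat intel,
pick an automated response, and suppress duplicate alerts (alert fatigue).
Added illustration; every address, host and intel record is made up."""
import re
from datetime import datetime, timedelta

# Constructed firewall connection log (line format assumed for this example).
LOG_LINES = [
    "2016-08-09T10:00:01Z fw conn src=10.0.5.21 dst=203.0.113.77 dport=443 bytes=5120",
    "2016-08-09T10:00:07Z fw conn src=10.0.5.21 dst=203.0.113.77 dport=443 bytes=4988",
    "2016-08-09T10:02:30Z fw conn src=10.0.5.33 dst=198.51.100.9 dport=8080 bytes=120",
    "2016-08-09T10:03:10Z fw conn src=10.0.5.21 dst=192.0.2.10 dport=443 bytes=77000",
    "2016-08-09T10:45:00Z fw conn src=10.0.5.21 dst=203.0.113.77 dport=443 bytes=5101",
]

# Constructed threat-intel feed: the "non-log data" used for enrichment.
THREAT_INTEL = {
    "203.0.113.77": {"tag": "known-c2", "confidence": 90},
    "198.51.100.9": {"tag": "mass-scanner", "confidence": 40},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw conn src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)
DEDUPE_WINDOW = timedelta(minutes=30)   # one alert per (src, dst) pair per window


def parse_line(line):
    """Turn one log line into a dict; None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"], ev["bytes"] = int(ev["dport"]), int(ev["bytes"])
    return ev


def enrich(event, intel=THREAT_INTEL):
    """Attach the intel record for the destination, or None if unknown."""
    return {**event, "intel": intel.get(event["dst"])}


def choose_actions(alert, already_blocked):
    """Map intel confidence to the responses the post lists: a ticket,
    collecting more data, or a firewall change. Low confidence never blocks."""
    pair = (alert["src"], alert["dst"])
    conf = alert["intel"]["confidence"]
    if pair in already_blocked:
        # Traffic to a destination we already blocked means the block did not take.
        return [{"kind": "escalate", "reason": "traffic seen after block"},
                {"kind": "ticket", "summary": f"block bypass {pair[0]}->{pair[1]}"}]
    if conf >= 80:
        rule = f"iptables -I FORWARD -s {pair[0]} -d {pair[1]} -j DROP"  # string only
        return [{"kind": "block", "rule": rule},
                {"kind": "ticket", "summary": f"{alert['intel']['tag']} contact from {pair[0]}"}]
    if conf >= 50:
        return [{"kind": "ticket", "summary": f"review {pair[0]}->{pair[1]}"},
                {"kind": "collect", "query": f"src={pair[0]}"}]
    # Low confidence: gather context for an analyst, no ticket, no block.
    return [{"kind": "collect", "query": f"src={pair[0]} dst={pair[1]}"}]


class ResponseEngine:
    """Stateful handler: dedupes repeated alerts and remembers what it blocked."""

    def __init__(self, window=DEDUPE_WINDOW):
        self.window = window
        self.last_alert = {}     # (src, dst) -> time of the last emitted alert
        self.blocked = set()

    def handle(self, line):
        ev = parse_line(line)
        if ev is None:
            return {"outcome": "unparsed", "line": line}
        alert = enrich(ev)
        if alert["intel"] is None:
            return {"outcome": "no-intel", "src": ev["src"], "dst": ev["dst"]}
        pair = (ev["src"], ev["dst"])
        last = self.last_alert.get(pair)
        if last is not None and ev["ts"] - last < self.window:
            return {"outcome": "suppressed", "src": ev["src"], "dst": ev["dst"]}
        actions = choose_actions(alert, self.blocked)
        self.last_alert[pair] = ev["ts"]
        if any(a["kind"] == "block" for a in actions):
            self.blocked.add(pair)
        return {"outcome": "alert", "src": ev["src"], "dst": ev["dst"], "actions": actions}


def run_pipeline(lines=LOG_LINES):
    """Feed the constructed log through one engine and return every outcome."""
    engine = ResponseEngine()
    return [engine.handle(line) for line in lines]


if __name__ == "__main__":
    for r in run_pipeline():
        print(r)
```

The last log line is the case worth noticing: a connection to a destination the engine already blocked is not a duplicate to suppress but evidence that the automated change did not take effect, so it is escalated rather than re-blocked.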

The place where we should be focusing security analytics is in IoT and in ICS and SCADA infrastructure, because it is there that we can get the best leverage for both vulnerability management and detection. And God knows we’re going to need it.

Finally, Public Key Cryptology

I frankly have no idea why this topic is even relevant today. Beyond the fact that cryptography is embedded in most of the software and hardware systems that form the core of our financial systems and healthcare systems and has been leveraged by ransomware attackers, public key cryptology seems so old school that I am shocked it is even topical at this event.

We all know that public-key ciphers have never seriously challenged secret-key ciphers as techniques for encrypting large amounts of data and they are much slower than secret-key ciphers. It is also well-publicized that the public-key encryption process computes a mathematical formula using plaintext that has allowed attackers to exploit the mathematical nature of public-key encryption to uncover data in raw form.

Public-keys have also encouraged successful brute-force attacks that break them and grab the corresponding private keys which are used subsequently for masquerading during network attacks.

These are old and well-documented problems that have restricted ways that public-key encryption can be used safely.

One BlackHat training on public-key cryptology describes a focus on drawing out the foundations of cryptographic vulnerabilities and cryptographic exploitation primitives such as chosen block boundaries, and more protocol-related topics, including how to understand and trace authentication in complex protocols.

I’m sorry, but in my humble opinion if you haven’t got a solid handle on why you shouldn’t be using public-key cryptology by now, we are in deeper doo-doo than I thought.

So, there you are. Four topics from one of the premier conferences on Cyber-Security on the planet and we are talking about 3 year old issues and technologies and approaches to solving very real, very current and very severe problems. And, none of the issues are relevant.

The next time I scratch my head and tell you how confused I am by our lack of progress, please refer me to this blog post.

The Dark Overlord: One Bad Dude.


A New Twist to Healthcare Cyber-Attacks and it’s Not Just Healthcare.

The recent cyber-attack on Banner Health Care, which was reported on August 3rd and looks like it compromised the data of 3.7 million individuals, likely will be the largest healthcare data breach reported so far in 2016 and we are barely halfway through the year.

What is unique about this attack, apart from the sheer volume of records stolen, was the attack vector, one not used before in the healthcare sector but hugely popular in retail. Banner Health says the breach started when attackers gained unauthorized access to payment card processing systems at some of its food and beverage outlets, which led to direct access through the administrative network to the entire PHI database.

The obvious big red flashing light here is that the two networks were connected … as in, not separated.

Rebecca Herold, CEO of The Privacy Professor and co-founder of SIMBUS360 Security and Privacy Services, says breaches involving payment systems at healthcare organizations are frequently undetected. “Such systems are often maintained separately from the rest of the network, and often with the heavy involvement of the vendor who is supporting the systems. The POS systems have been shown to be notoriously lacking in strong security protections – yes, even when they have passed all PCI DSS [Payment Card Industry Data Security Standard] requirements.”

As we have reported repeatedly in the past, the Dark Overlord, who has now claimed to have breached the databases of a number of healthcare entities, grabbing about 10 million patient records that he’s offering for sale on the dark web, may have struck yet again.

Previously an expert in ransomware for cash, the Dark Overlord has lately switched to a more remunerative resource based on stolen PHI records. Among the healthcare providers that have recently confirmed cyberattacks by the Dark Overlord is Athens Orthopedic Clinic in Georgia which reportedly lost 1,500 Athens Orthopedic patient records due to missing a Dark Overlord “ransom” deadline.

This is one bad dude. And, he is now claiming a new victim: a large healthcare software developer.

His advertisement went up on July 12 on The Real Deal, an online bazaar for stolen data, fake IDs and drugs. He is offering for sale what he claims to be the source code, software signing keys and customer license database for a Health Level Seven interface engine, a type of middleware that enables different kinds of software applications to exchange information. HL7 is a set of standards describing how electronic health information should be formatted.

In an interview over encrypted instant messaging, he declined to name the U.S. software company. Many vendors sell HL7 interface engines as part of their products. He also declined to say how he was able to compromise the company, but claimed he gained root-level access – meaning total administrative control – to its servers.

The Dark Overlord claims he also obtained the software’s signing keys. Software applications are usually “signed” with a digital signature, which then can be verified to ensure that a new version hasn’t been tampered with. Software companies guard those secret keys carefully. If stolen, an attacker could insert spying code into the application and sign it with the private key, making the modification of the code appear legitimate.

Our Dark Overlord buddy claims there are two target buyers for this data. One, a smaller country outside the United States that may be looking to purchase a complete package for a fair price and use it in its own development or retail it directly after compilation. Or two, someone with nefarious intentions who would use the keys to push a backdoor to the original customers of the victim company.

Over the last several weeks, The Dark Overlord has placed three other batches of data up for sale on The Real Deal: 48,000 records apparently from a clinic in Farmington, Mo.; 397,000 records allegedly from a healthcare provider in Atlanta; and 9.3 million records allegedly from an unnamed health insurance provider.

The Farmington breach victims have corroborated his story, and he has also provided additional information from that breach, including scans of driver’s licenses and insurance cards. The clinic has not responded to repeated queries.

Of the 165 major healthcare data breaches – not yet including the Banner Health attack – added to the Department of Health and Human Services’ Office for Civil Rights’ “wall of shame” tally so far this year, 51, or nearly a third, are listed as hacking incidents and represent 2.8 million individual records.

As of Aug. 5, the OCR tally of major health data breaches listed 1,624 incidents affecting a total of 159.2 million individuals since federal regulators began keeping track in September 2009. And while hacker incidents represent less than 13 percent of the total breaches, those incidents account for an astounding 74 percent of the individuals affected. So, where are those records going and for what purpose?

Healthcare records contain the most valuable information available, including Social Security numbers, home addresses and patient health histories — making them more valuable to hackers than other types of data. Stolen credit cards go for $1-$3 each. Social Security numbers are $15. But complete health care records are a gold mine, going for $60 each. Medicare records, which are rarer, start at around $400 each. The reason they are so valuable is because criminals can use such records to order prescriptions, pay for treatments and surgery and even file false tax returns.

With a common healthcare record, you can basically own a person. You have all the information necessary to create a new account and fake an entire identity.

The greatest threat to the healthcare industry today is not from one-off hackers seeking quick paydays, but from organized gangs and foreign governments that can store intimate personal health data for future use against individuals.

For example, hackers last year stole the records of about 80 million customers of Anthem Inc., the second largest U.S. health insurer.

The presumption was that they were state actors, and the purpose was to harvest the database in order to create a dossier of individuals that they could use for social engineering for future attacks.

In addition, foreign governments could use healthcare information to target government employees with emails containing notices related to medical conditions they may have. When a targeted individual opens one of those emails, malware infects his or her desktop computer and heads right into the network.

The research firm Forrester recently predicted that hackers would release ransomware specifically directed at medical devices in 2016. The Independent Security Evaluators study showed that through both physical USB plants and remote attacks, hackers could take over heart defibrillators, insulin pumps and machines that emit radiation.

Cyber security in hospitals is struggling to keep up with these threats. In addition to my own view, which has been repeated ad nauseam herein, other security experts like James Scott argue for more investment in security systems and personnel at hospitals. Scott’s think tank recently issued a paper that calls for better security among medical device manufacturers too, but the real problem, according to the paper, is the Food and Drug Administration, whose policies don’t go far enough to make sure device manufacturers are proactively addressing cyber security issues.

The agency’s voluntary guidelines are “just standards, not regulatory,” says Scott. “It’s like, ‘Do it, don’t do it, whatever.’ It’s a ho-hum mentality.”

The Dark Overlord claims to have compromised some organizations using a zero-day vulnerability in Remote Desktop Protocol, which is implemented in many remote access clients. See our most recent post https://www.netswitch.net/brute-force-ransomware/.  It’s actually more probable that the attacks have been successful due to weak passwords and RDP clients that are accessible over the internet.

It’s not just a healthcare problem. Critical infrastructures from utilities to traffic lights to municipal personnel databases are fumbling through the same jungle of cyber security unknowns. And as more and more of our physical world becomes networked and connected to the internet–the embedded sensors in our streets, the Internet of Things in our kitchen appliances, the “smart” cities all around us–there’s a sharply growing potential for cyber-attacks that have not just digital but dangerously physical ramifications as well.

And massive health data breaches are not going away anytime soon. In fact, they will get worse. As hackers become more sophisticated and organizations continue to fail to even catch up, we will see more and more reports of these types of breaches and escalation of the impacts. PHI will continue to bring high value on black markets and more of it will be stolen.

Until everyone places a higher, determined and ongoing emphasis on cyber-security, our personal healthcare data along with all other forms of stored PII will continue to remain at risk.

And, soon our interconnected physical world will start to make headlines as attacks are successfully aimed at critical infrastructure in healthcare, energy, transportation and defense.

Cyber-Crime Outpaces Cyber-Defense

Just when you thought it couldn’t get any easier, cybercriminals have just received a new gift that lowers barriers to entry even further.

Deer.io is a newly re-launched Russian website that makes it easier even for less technically skilled individuals to become cybercriminals. It handles everything one needs to run an online store, including anonymity and security, payment services, website design, and protection against DDoS attacks, all of which allows even individuals with low and even non-existent technical skills to set up a cybercrime shop, and all for only $8/month (same as Hulu).

The service has quickly amassed over 25,000 subscribers who have earned a total of 253 million rubles or about $3.8 million US, and the most interesting thing about this service is that it is readily available on the surface web, the first of its kind that doesn’t hide down in the depths of the dark web. This is clearly a thumbing of the nose gesture on the part of the Russians aimed at US attempts to counter cyber-crime and economic insurgency.

Operating on the surface web, however, doesn’t preclude the site from hosting nefariously illegal sites like Darkside.global, which is used to sell hundreds of millions of compromised user accounts from LinkedIn, Myspace and Twitter. In fact, a majority of the sites hosted on the platform specialize in social media accounts registered by bots, stolen credentials, coupons for services that provide social network followers, and accounts for banking and other services that are directly monetized.

This is one of the moving parts that has led to the fact that a record-breaking half of the six million fraud crimes committed in the UK in the 12 months ending March of 2016, are cyber-related. If you have to assemble your own exploit kit and if you don’t have a channel for distribution, it is hard to make a living selling stolen IDs. Deer.io is aiming to solve that problem the same way that Alibaba created a market for everything and anything as the world’s biggest online marketplace.

One measure of this move into online crime is that people are now six times more likely to be a victim of plastic card fraud than a victim of theft from the person, and around 17 times more likely than of robbery.

Victims of fraud differ from other crime victims. They come from higher income households than victims of violence. They tend to be in managerial and professional occupations rather than manual occupations, students or long-term unemployed. There is also a strong indication that those living in the most affluent communities are more likely to be affected than those in urban and deprived areas. This is not surprising since it is the same groups that are most likely to be involved in online financial transactions.

The threat grows daily and while we all continue to try and find technology solutions for technology threats, it remains largely up to the individual user to work toward combating this crime wave. As we have said so many times, people need to use reliable Internet security on all connected devices, apply security updates as soon as they become available, download software only from trusted sources and be cautiously paranoid about e-mail and other messages that include attachments and links – even and especially now if they appear to come from friends.

In spite of America’s reluctance to acknowledge we are losing the fight, almost all other Western countries have echoed what the UK’s National Crime Agency (NCA) said in its recent Cyber Crime Assessment report for 2016, which is that criminal capability is outpacing industry’s ability to defend against attacks.

President Barack Obama on Tuesday instituted a new directive on cyber-attack coordination that aims to make clear how the federal government handles cyber incidents and better informs the public on what to do once they have been hacked. The directive institutes a Cyber Incident Severity Schema with a scale from level 0 to level 5 to classify a cyber-attack. According to the White House, any incident that ranks at a level 3 or higher is considered “significant.”

For the uninitiated, these attacks often take place months before they’re made public — leading to a system that’s largely in place to tell us about attacks that have already happened that we really can’t do anything about.

After all, it’s not like the criminals are tweeting that they have created a backdoor into OPM or spying on the Secretary of Defense or that they have access to Obama’s email.


In fact, the Cyber Incident Severity Schema is more likely a scoreboard for getting pwned (conquered, taken ownership of) by hackers and announcing just how badly it hurt. Instead of serving any useful purpose, this schema will, not unlike the Bush-era Homeland Security Advisory System, become a talking point on the 24-hour news cycle, a vehicle for spreading panic, a government handbook for how best to whip the population into a frenzy based on months-old threats — many of which will have seen the bulk of their damage done by the point we get to classifying them.

It is clear to us that crime and terror are becoming cyber-enabled as the world’s operational initiatives continue to become digital, and the enemies of freedom adapt to and learn to leverage technological advancements.

Without an increase in honest transparency around the scale of this problem and lacking a determined effort to create the digital equivalent of a Manhattan project,  we will continue to see news of increasingly catastrophic attacks on financial and government institutions and national infrastructure along with an increase in global cyber-crime.

The Cyber Incident Severity Schema is a disappointing and some might argue both a stupid and childish response to what is probably the greatest threat to our National security in history.

It is at least embarrassing.

If Cyber-Threats to Your Business Don’t Move You, Maybe the World is More Your Cup of Tea

Our cyber-security challenge goes far beyond our inability to secure our businesses and organizations over the past three years. As we continue to (some would say) ignore the business and financial cyber-threat on the ground here at home, there is a more serious threat developing that does indeed pose an existential test of our willingness to defend our way of life on an even larger stage.

We have seen in the last few weeks both the vulnerability and the resilience of ISIS as it struggles to hold on to territory in Syria and Iraq. A new analysis of the battlefield shows that territory held by ISIS has shrunk 12% this year, with losses in both western Iraq and northern Syria.

But then, who needs physical territory when you can build a Caliphate on the web? Cheaper, better, faster, more.

We now see that ISIS groups are using a clever variety of digital tools and online services that allow them to grow and maintain a strong online presence, while also helping them remain undetected by adversaries. This Jihadist tool box and the online campaigns are relatively unknown to the general public though their recent use of social media has begun to attract significant attention in security circles over the past few weeks.

Because mainstream communication applications do not offer the sophistication these groups require for their security needs, the jihadists are forced to seek alternative ways to communicate which now include secure browsers, Virtual Private Networks (VPNs) and proxy services, protected email services, mobile security applications, and encrypted messaging services. These guys have become cyber-smart.

In addition, they now employ mobile propaganda applications designed to help supporters disseminate and view propaganda with greater ease, speed, accessibility and complete anonymity.

They are using highly secured browsers like Tor and Opera which enable them to operate clandestinely without divulging their IP addresses and to avoid risking third-party surveillance, while the use of VPNs along with proxy services help them further obfuscate their identities during their online activities.

Their advanced use of protected email services prevent intelligence agencies from monitoring their messaging and they’re taking advantage of security features such as end-to-end encryption and temporary, anonymous account capabilities.

And just to be extra sure, ISIS now uses only encrypted messaging for social media to ensure that the channels through which they broadcast their propaganda provide a layer of security that prevents detection and that their identities and the messages themselves are protected from all except their intended recipients.

Their reliance on and adoption of technology for expansion, growth and survival is now commonly known and almost impossible to defend against in an open Internet world. Even though the overall cyber capabilities of the Islamic State as an entity are still relatively weak and appear to be underfunded and poorly organized, the individual operators are managing to quickly learn, adapt, and advance through the most current and leading-edge technological tools. It wouldn’t surprise me if they started showing up at DEFCON and competing in tournaments.

In addition, ISIS now employs a vast network of “fanboys” who monitor social media sites and disseminate the group’s online propaganda. It is currently estimated that ISIS’s followers have at least 96,000 accounts on Twitter, allowing it to easily distribute their favorite links to digital content hosted on other online platforms. If their Twitter accounts get closed down, they simply register under new names as they have demonstrated earlier this year on two occasions.

Thanks in large part to these Twitter and Facebook campaigns, thousands of Westerners are now fighting for ISIS in Syria and Iraq, and many who cannot reach the physical Syrian state have attempted “lone wolf” attacks in their homelands as we have recently seen both in the US and in Western Europe.

Although the jihadists’ skill at conducting information operations has thus far outstripped their capacity for cyberwar, they have managed to execute several high-profile attacks online. This past January, on the same day President Obama delivered a major address on cybersecurity, ISIS-affiliated hackers made an elaborate and well-timed statement by seizing control of CENTCOM’s official Twitter and YouTube accounts. The message wasn’t lost on many of us.

And in the incident that put the FBI and DOD on full alert, the “Islamic State Hacking Division” claimed responsibility for hacking into the social media accounts of hundreds of U.S. military personnel and published lists of more than 1,400 names, departments, email addresses, passwords, and phone numbers, warning: “We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data.”

There are at least three reasons why ISIS’s efforts to grow a cyber-warfare capability should be taken seriously.

First, the costs of acquiring a significant cyber capacity are low enough to allow weaker states — or non-state actors — to obtain capabilities that threaten U.S. interests. ISIS may lack the educational institutions or technological resources of nation-states like China or Russia which would enable them to produce large numbers of advanced cyber warriors, but the abundance of hacking talent available on the dark net means they can either hire the services of hackers from criminal groups around the world or buy sophisticated zero-day attacks on the Dark Web to deploy themselves. As we know, these exploit kits are cheap and require virtually no skill to deploy and they are even available on eBay.

Second, as we have just seen with the tools being used currently, ISIS’s cyberwarfare capacity will not remain in a primitive state indefinitely. Both China and Iran started with simple website defacements similar to the CyberCaliphate’s, before moving on to more sophisticated and destructive attacks like the one in 2013 where Iranian hackers infiltrated the U.S. Navy’s unclassified Intranet, an incident which one former U.S. official described as “a real eye-opener in terms of the capabilities of Iran to get into a Defense Department system and stay in there for months.”

Third, cyberattacks allow potential adversaries to bypass our conventional military superiority in order to directly attack civilian infrastructure and economic targets.

While the major actors in the cyber arena (Russia, China, etc.) who have the capability to initiate a “catastrophic” cyber-attack are deterred by economies sufficiently integrated with America’s that a catastrophic cyber-attack on U.S. infrastructure would ensure a victory in which the perps would also suffer economic damage, ISIS does not face any similar restraints or deterrents that prevent it from pursuing a total cyber-war strategy.

So, it would be a mistake to dismiss ISIS’s hackers as the jayvee team of cyberwarfare and assume the threat they pose will remain static.

Late  last year, the FBI warned U.S. lawmakers of the challenges in monitoring encrypted online communications among Islamic State terrorists, while calling for new laws requiring technology firms to provide backdoors to decrypt messages among jihadists. To date, no one company has cooperated and it continues to be an important debate as to whether in fact they should.

In the meantime, the computer networks upon which U.S. critical infrastructure depends must be made far more cyber secure not just to assure the continued freedom to conduct business, move capital, operate and support public service organizations but  in preparation for the day that ISIS’s cyberwar capabilities swell to match their intent.

Many economists believe that we are on the brink of another bank-induced global economic crisis, and if I were advising ISIS, I would suggest they target an international banking institution. Any new banking crisis will do more to undermine the West than a thousand cases of stolen email or hacked social media accounts. And since most economists believe our financial system is more precarious now than even before the “Great Recession”, banks should hold a special allure to cyber-terrorists.

All banks today are networked and completely dependent upon inter-bank lending and derivative transactions, both domestically and internationally. Any perceived problem at one bank will quickly infect others and spread across the financial system in electronic time. Public finance problems will immediately follow as governments and central banks are forced to prop up the infected bank to ensure continuance of essential payment and credit flows. The outcome would be instantaneous and horrendous.

Although the effort to improve cybersecurity in both government and the private sector continues to crawl along as it has now for over a decade, the persistent flood of headlines trumpeting the latest major cyber-attack demonstrates that America is clearly losing this war.

Earlier this year, the Pentagon declared the start of our first cyber war against the ISIS jihad, aimed specifically at disrupting their command-and-control communications, and as President Obama said in April, to put pressure on their cyber-ambitions.

Last week, the White House released a framework for handling cyberattacks with a vague cyber-attack severity scale. Level 4 of 5 is called critical and is supposed to turn red when the threat is “likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties.”

The key word in level 5 or severity black is “immediate”.

As Ed Lucas says in his book Cyberphobia, “Possibly even more catastrophic are hackers at a national level that have begun stealing national security, or economic and trade secrets. The world economy and geopolitics hang in the balance.”

Do you think Ed might be on to something, or is he just hyper-phobic too? 



Outsourcing higher education cyber-security defense yields healthy payoffs for IT staff and institutions.

A growing trend right now in higher education is to turn toward managed security services providers for most cyber-security support. Foremost among the many reasons is the fact that today’s higher education landscape demands relentless vigilance from a security perspective, despite heavy constraints on the very resources that vigilance requires.

The threat landscape in higher education is more dangerous than ever. In 2016 to-date, the education sector rose to the No. 2 most targeted sector in Symantec’s most recent Internet Security Threat Report, moving up from the No. 3 spot last year.

Today, the question is not if colleges will experience an information breach, but when — and how bad the damage will be.

One of the driving factors in making higher education an attractive threat target is the recognition that colleges possess vast sums of sensitive personal data from students, from Social Security numbers to financial aid records. Colleges additionally generate, in academic research and through government and industry partnerships, valuable intellectual property that is at a high degree of risk right now in these unprotected environments.

The other compelling factor is the fact that colleges have historically lagged behind the corporate sector when it comes to paying attention to data security, embracing the best cyber-security technology available or modernizing their IT environment from a cyber-security defense point of view. This creates a weakness that hackers are all too happy to exploit.

Compounding the issue are tight budgets constrained by dwindling state-level funding and reduced funding for IT infrastructure spending. This translates to most colleges and universities being forced to address their cyber-security issues with fewer resources, both technical and human.

Finally, higher education faces an even larger problem than most companies competing for the severely limited available security talent pool as they are frequently unable to retain the best and brightest IT experts, particularly CISOs and analytical security specialists. Due largely to restrictive salary structures designed by unions for inter-departmental parity, those who are most capable are snatched up into lucrative private-sector positions, leaving a dearth of talent in the industry sector that needs it most.

It’s easy to see why MSSPs have emerged as a desirable alternative.

Higher educational institutions can contract out many aspects of IT, but due to the complexity and difficulty in finding, attracting and affording available expert resources, cyber-security is rapidly becoming one of the most logical functions to outsource. MSSP arrangements in education are usually taking the form of remote management or cloud-based solutions paired with internal IT management participation. Hybrid models are emerging which allow these institutions to retain greater levels of control yet out-source the commodity-level and specialized analytical services like SIEM and SOC at a fraction of the cost that they would spend trying to do it themselves.

MSSPs also deliver advantages that in-house departments find hard to match, simply by virtue of scale and logistics. By servicing multiple customers, MSSPs can easily scale and adapt to shifts in demand. They not only invest the time and energy to vet and test the latest technologies, but can also pass on cost savings when it comes to acquiring best-of-breed hardware and software.

In addition, the best MSSPs are nimble when it comes to keeping pace with the ever-evolving demands for IT expertise. Part of what the customer is paying for, of course, is the provider’s depth and breadth of expertise and knowledge and their continuing commitment to maintain that expert status, which gives them their competitive edge. Conventional IT staffs face the never-ending evolution and rapid morphing of malware and its various strains, and even the most competent IT teams find it nearly impossible to consistently counteract, detect and respond to vulnerabilities alongside their other duties. Cyber-security has become a full-time job.

The other major assist that these institutions can get from a qualified and compliance-certified MSSP is that layer of reassurance that they are complying with all of the constantly changing and increasing regulatory and data privacy laws.

The rise over the last 12 months in cyber-crime should be a wake-up call to everyone. The most vulnerable are those who store and process the most personally identifiable, sensitive and private information, fall under the most wide-ranging spectrum of federal and state regulations, and are least likely to attract and afford the kind of expertise required to defend against the current crime wave.

Yet, it seems the most vulnerable continue to be the least likely to make the leap to calling on outside experts to help them out.

Even if the first step is something as simple as a security and vulnerability assessment, these institutions need to accept the reality that a breach will have devastating and long-lasting consequences. And, not just to the immediate reputation and contingency budget pool but also to future funding and the ability to continue operating as a functional educational institution.

President Obama has said, “Higher education can’t be a luxury. It is an economic imperative that every family in America should be able to afford.”

Cyber-security is another economic imperative. And every educational institution should be able to afford it as well.

The True Business Impacts of a Cyber-Attack


There is a lot of data available about the true cost of a data breach, but the toll of cyberattacks is significantly underestimated. If you thought for one minute that you have a handle on the financial impact of a breach for your company let’s take a look at the actual costs resulting from a cyber-attack on one national health-care provider in 2015 (as reported by their auditors, Deloitte).

Above The Surface Costs

The (generally well-known) “above the surface” costs are tangible and direct and include line items like the costs to notify customers and/or provide personal credit protection. They are relatively straightforward to approximate using a combination of profile information for each company, publicly available data, and cost assumptions derived from industry and market research. This has cost the company $2 million so far, but is actually a small component of the real financial impact.

Customer Breach Notifications

Following this particular breach discovery, the healthcare provider spent six months notifying customers of the event, describing the steps they were taking and the potential impacts of the remediation process, at a cost of $10 million. And, now that the company has real reputational impact, you can be assured that this brand-rebuilding effort will continue well into the future.

Post-Breach Customer Protection

The technical investigation following the breach revealed that cyberattackers had gained access to the patient care application using privileged credentials from a stolen laptop and had created a significant number of credible user IDs. Consequently, before service could be restored, new user accounts had to be issued for all application users, and new application and system controls had to be created and put in place. The post-breach protection efforts will cost $21 million.

Regulatory Compliance (Actual Government Fines)

Regulatory compliance factors came in the form of HIPAA fines. These amounted to $2 million. Yes, actual FINES. Health and Homeland Security’s Office of Civil Rights has decided that the world wasn’t taking HIPAA regulations quite seriously enough, so the new fines are an attention-grabbing 10x above the old fines. Ouch!

Public Relations/Crisis Communications

As the incident unfolded, impact to reputation and damage to their trade name and marketplace image mounted. Lack of confidence in the company’s data protection practices resulted in the loss of customers for the last 12 months as many corporate clients and many more individual subscribers chose other health plan alternatives. The cost for a focused public relations and communications campaign over this last year was $1 million to-date and is still on-going. Again, this cost will continue to mount as the program evolves. Customers are very expensive to acquire but twice as expensive to recover once they are lost.

Attorney Fees and Litigation

The company has faced continuing and ongoing scrutiny for its handling of the incident; many months after the breach their cyber insurance premiums were raised and legal fees accumulated as the company faced identity theft lawsuits. The impact of legal fees for the last 12 months has cost $10 million. No further comment.

Cybersecurity Improvements

Before service could be restored, new user accounts had to be issued for all application users, and new security software, appliances, application and system controls had to be researched and implemented. The cost of cybersecurity improvements to-date has exceeded $14 million. And, of course, the company has yet to address the response and remediation portion and remains stuck in the prevention phase. Much more work to do.

Technical Investigations

As a result of the breach, the company had to immediately shut down physician access to the patient care application and activate its cyber incident response team. The application was kept offline for two weeks while the incident was investigated. The full technical investigation lasted six weeks, at a cost of $1 million.

Below The Surface: Hidden or Less Visible Costs

“Beneath the surface” impacts are less tangible and more difficult to quantify, including costs associated with loss of intellectual property (IP) or contracts, credit rating impact, or damage to the value of a trade name. In situations where intangible assets are at risk, impact can be estimated using generally accepted standard financial measures, damage quantification methodologies, and valuation methods.

Almost 89 percent of the impact was associated with just three “beneath the surface” impact factors: value of lost contract revenue; devaluation of trade name; and lost value of customer relationships. The value is still being determined.

Insurance Premium Increases

The healthcare provider incurred significant increases in its insurance premiums. These amounted to $40 million over the next three years. Yikes.

Increased Cost to Raise Debt and Reduced Premium Revenue

Higher borrowing costs resulted in the delay of a strategic acquisition and the company has been forced to mitigate reputation damage and member loss by reducing its annual premium increase over the next five-year period. The increased cost to raise debt and lost premium revenue amounted to $60 million.

Operational Disruption or Destruction

In the short term, core business functions were disrupted by the shutdown of physician access to the patient care application. While the application was unavailable, physicians and providers relied on less effective and efficient means of receiving medical alerts, increasing risk to patients.

Without full access to health insurance coverage information, physicians and providers could not be certain of the financial implications—to both their institution and their patients—associated with the choice of care they provided.

Operational disruption impacted physician treatment plans resulting in more frequent visits and the exploration of more treatment options and has cost the healthcare provider $30 million to-date.

Lost Value of Customer Relationships

The decline in annual revenues due to lost members or customers caused the value of customer relationships to decline by $143 million over the last 12 months. This is of course an estimate. The actual cost will be much higher after the dust settles.

Value of Lost Contract Revenue

Even where contracts were not canceled, the company was forced to adjust the premium increase they had historically charged their members in an effort to mount some level of damage control. This created an estimated loss of $830 million over the next five years. It is an important and often overlooked factor in estimating damage from a cyber-attack. In other words: you want to keep doing business with me after you have introduced this risk? Fine; what’s my discount?

Devaluation of Trade Name

Due to erosion of revenue, the company’s trade name value decreased, resulting in a $46 million loss since the incident occurred.

Loss of Intellectual Property (IP)

Their auditors have yet to put a dollar figure on the loss of intellectual property, because they were still trying to finalize a determination. The healthcare provider had not clearly identified all of its IP and/or assigned a valuation to each component. Most companies fail to properly identify or assess the value of their IP until after a loss. There is a lesson in here.

Thinking about how each of these components might affect your own organization should a similar cyber-event occur in your company could have a sobering effect on your own cyber-security planning and programs. Even if you don’t face all of the potential issues associated with a healthcare provider, there are many categories where all businesses share common vulnerabilities.

Trade name damage, reputational impact, customer notification, data and systems recovery, regulatory fines, insurance premium increases, attorney fees and litigation are just a few of the impacts that we all have in common.

No matter how distant a cyber-attack may seem at the moment or how little attention your board may have paid so far to the whole issue of cyber-risk, I would bet that a recitation of this $1.2+ Billion loss might just get their attention.



A little over one year ago, crypto ransomware accounted for barely 10% of all ransomware infections. Even six months ago, when over 400,000 companies were infected with a ransomware-style attack, less than 10% of the victims had experienced the encryption-style of ransomware attack.

Today, that number has soared to 54% with over 2 million users now affected by encrypted ransomware according to a report issued this month by Kaspersky Labs. The report included both encryption-style ransomware as well as screen-blocker ransomware.

Much of the growth came from the proliferation of encryption malware, as the number of companies hit with crypto-attacks has surged so far in 2016 to over 718,000.

This dramatic increase in the overall number of people encountering ransomware combined with the increased use of crypto tools broadcasts a very serious problem.

The most significant difference between blocker-style and encryption-style ransomware is that blocker damage is fully reversible. In even the worst possible scenarios, the infected PCs could be fully restored by simply reinstalling their Operating Systems.

By contrast, encryption-style ransomware renders files completely irrecoverable without a decryption key, leaving infected victims with no options other than to pay the ransom or refuse and buy all new systems. Following which they will have to either recover from whatever useful backups they may have or start over from scratch.

Most of the ransomware samples detected recently have been popular crypto-malware strains of CryptoWall, Cryaki, TorrentLocker, and CTB-Locker, all of which, along with easy-to-use exploit kits, are available on the dark web to anyone with a few bucks.

Since there is no reason to assume that this tide will ebb anytime soon, there are three things that all organizations should do right now:

  1. Every company, large and small, should immediately implement a backup and recovery plan that includes off-site and off-line data storage that cannot be reached through the core network, and don’t forget to test it frequently.

  2. End-point behavioral analytics and sandboxing software should be implemented to detect and eradicate ransomware before it infects the network, along with network behavioral analytics that can identify ransomware strains that enter through other gateways like email, downloads or software tunnels and move laterally within the network to prepare for an attack.

  3. Employee awareness must be tuned up through continuing training and education programs that demonstrate what a phishing email looks like and the known browsing dangers that facilitate a high percentage of network infections by a broad range of malware.

Given that almost 80% of over 1,100 companies surveyed across a wide spectrum of industries recently by KnowBe4 said that they were “very concerned about ransomware attacks”, I would expect that 8 out of 10 companies will be rushing out to implement these basic protections by first light tomorrow.

But somehow, I get the feeling that I should not hold my breath.

It’s interesting. If I told you that it is a proven and indisputable fact that 80% of us would die from cancer if we didn’t stop smoking, I would assume that everyone would stop smoking. Wouldn’t they? 

Get Your Employees Involved in Security


We all know that phishing attacks have now reached a level where all companies should be concerned.

94% of malware attacks reported in the US last year originated with a phishing attack. We also know and have seen in report after report, most recently from the Ponemon Institute and Wombat Security Technologies that after employees went through an internal security awareness training program, the number of phishing attacks significantly decreased.

These types of internal security awareness programs are not difficult to organize and they save tens of millions of dollars in security breaches as a result.

A quick exploration of the types of information and advice in an effective security awareness training program might encourage everyone to get busy with their own.  I can’t stress how important it is to the overall hardening of our corporate defenses against cyber-threats and what a significant impact they usually make.

So, here goes.

For openers, a general framework should be constructed to create context. We need to ensure that employees at all skill levels understand basic security principles and by doing so, we can eliminate or at least minimize the risk of a breach, fraud or other costly mistakes that will lead to a breach downstream.

Focus first on the current IT environment, the assets that have been identified as critical to the company and the preventive measures that have been put in place to protect against an attack. People need to understand what they are protecting and the overarching consequences for failing to do so.

Understanding the risks specific to the nature of the business or industry sector adds an important contextual element to your employees’ ability to absorb the information in an actionable way.

Identify the things employees can control, and don’t just stress the basics. We have to provide a context for understanding. We need to explain why passwords are important and why the industry best practices have been established. We need to explain how attackers enter our systems through the process of social engineering and phishing schemes. We need to explain how malicious website links and downloads work. Without context, these basics are like trying to understand algebra in the fourth grade without understanding the role of variables.

We can’t just say that passwords must be a certain length and contain alphanumeric and special characters without explaining why and how quickly and easily cyber-thieves can crack simple protocols. We can’t just say, beware of a phishing attack and here’s what one looks like without explaining how they work and why they are successful.
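To put numbers behind the “why” of password length, here is an added example (written for this page, not from the original post) that compares the guess space of several password policies and the worst-case time to exhaust each at an assumed attacker rate. The rate of 10 billion guesses per second is an assumption standing in for an offline attack on a fast, unsalted hash; the dictionary size and suffix pattern are likewise illustrative. The point it makes for a training session is twofold: length beats character-class rules (16 lowercase letters has a larger space than 8 characters drawn from all classes), and a predictable structure such as a capitalised dictionary word plus two digits collapses the space no matter which classes the policy mandates.

```python
"""
Added example, not part of the original post: a password-policy calculator
for security awareness training.  All rates and sizes are assumptions chosen
for illustration, not measurements of any particular hash or hardware.
"""
import math

# Assumed attacker throughput for an offline attack on a fast, unsalted hash.
# Real rates depend on the hash algorithm and hardware; tune to your threat model.
ASSUMED_GUESSES_PER_SECOND = 1e10

# Character class sizes used by the policies compared below.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS   # 95 printable ASCII characters


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a password chosen uniformly at random."""
    return charset_size ** length


def entropy_bits(candidates: int) -> float:
    """Guess space expressed in bits (log2 of the candidate count)."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst case to try every candidate; the expected time for a random password is half this."""
    return candidates / rate


def structured_keyspace(dictionary_size: int, digit_suffix_len: int,
                        capitalization_variants: int = 2) -> int:
    """Candidates for the common 'Word' + digits pattern (e.g. Summer23).

    Note that length and character classes no longer matter: the attacker
    enumerates the structure, not the alphabet.
    """
    return dictionary_size * capitalization_variants * (10 ** digit_suffix_len)


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def compare_policies(rate: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Guess space and worst-case exhaust time for a handful of illustrative policies."""
    policies = {
        "8 lowercase letters": keyspace(LOWER, 8),
        "8 chars, all classes": keyspace(PRINTABLE, 8),
        "12 lowercase letters": keyspace(LOWER, 12),
        "16 lowercase letters": keyspace(LOWER, 16),
        "'Word' + 2 digits (10k-word dictionary)": structured_keyspace(10_000, 2),
    }
    return {
        name: {
            "candidates": n,
            "bits": round(entropy_bits(n), 1),
            "worst_case_seconds": seconds_to_exhaust(n, rate),
        }
        for name, n in policies.items()
    }


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(f"{name:42s} {row['bits']:6.1f} bits   {human_time(row['worst_case_seconds'])}")
```

The lowercase-only rows assume letters chosen uniformly at random, which is what a generated passphrase gives you and what a human picking a pet’s name does not; that gap between the uniform model and the structured row is exactly the point to make to employees, together with the advice to use a password manager so the random option is the easy one.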

Some people think that an annual training is sufficient. The way things are going now, I would say that the frequency should be quarterly and it should become a part of our everyday operational principles. It is not like learning how to use the copy machine or the intricacies of our 401(k) program. This world changes weekly. New threat vectors emerge all the time. All employees need to be continually aware of the risk environment in which they work and their role in the defense of the enterprise.

The best and most effective programs are, of course, interactive and conducted over an extended time period, allowing employees to operate in their normal work environment while randomly receiving bogus emails and then being apprised of their responses. Lecture-style programs will not captivate anyone’s attention and usually fail.

Interesting videos using animation and cartoon characters, contests, posters, etc. can all be used effectively depending on the environment and the appetite for fun and craziness.

But, the follow-up should be deadly serious. Everyone should be clear about their role and the consequences of individual participation in increased risk due to failure of situational awareness. Management must be fully committed at all levels. Leadership needs to come from the top. The CEO needs to address the troops at least annually with a communication about the importance of cyber-security and the protection of information assets for the company, its employees, customers and shareholders.

Make it fun. Make it crazy. But get it right. Your future cyber-security depends on it.

Stop Screwing Around


Here are the three biggest myths surrounding cyber-security:

Myth One:  I Don’t Have Anything worth Hacking

Every company we talk to has sensitive information stored, archived or accessible somewhere on their network. One of the major exposures is email. How would you like to publicize everything you have ever said on email? How would you like your spouse, your customers, your employees, your shareholders, your investors, and your own human resources manager to get a copy of every email you have ever sent? You wouldn’t. I wouldn’t and I am supposed to be disciplined about this stuff.

The SONY hack is a great example. In an era where WikiLeaks has made looking for words, phrases, and people amid our email rubble almost as easy as searching our own inbox, and the internet loves a viral embarrassment, you would have to be crazy to ignore the need to protect your email archives. If that isn’t something worth hacking, I don’t know what is.

The other major exposure that none of our customers think about is their role as a hidden pathway to larger fish. It may not be that their small air conditioning maintenance company has any assets worth stealing, but it may well be that their customers do. And, the access to their customers’ ERP, billing and accounting systems provides an easy gateway to attack their customers’ networks.

Remember that the Target Stores breach began with the attackers breaking into the retailer’s network using credentials stolen from Fazio Mechanical Services, a provider of refrigeration and HVAC systems. And, that was only the biggest of many similar stories in the past two years.

Whether it is your emails, your customer information, your employees’ health information or the network access credentials that your employees use to do their jobs, you have a significant responsibility to secure and protect that data, regardless of whether you think you have anything to hack or not.

Myth Two:  It’s Just Big Businesses that get Attacked

In the U.S. in 2015, over 74 percent of small and medium-sized enterprises reported a security breach. But in a recent survey less than 10% expect to increase spending on information security. That makes a lot of sense, huh?

The myth that small and medium-sized businesses don’t face a threat is actually the exact opposite. From a hacker’s viewpoint, small and medium-sized organizations are great opportunities as they have made it clear they are doing less to protect data and secure their networks. This is the same data that might be information about employees, clients, customer details, bank details or it might be that path into one of their customers’ systems where they are linked through e-commerce, email or through some other digital gateway.

Actually, it is now clear that most ransomware attacks are targeted at small and medium-sized businesses that are able to afford a few thousand bucks in extortion in exchange for a return of their systems and files. It is also clear that small and medium-sized businesses are clueless about how to prevent or prepare for a ransomware attack and have the least amount of software detection and protection mechanisms in place, or processes based on industry best practices, to avoid a difficult ransom situation.

As we know, the ransomware entry point has been the user who clicks on links in emails or opens corrupt attachments. In a small or medium business setting, most companies have been reluctant to spend for education and training. So if anything, small and medium sized businesses are much bigger targets than big business ever was.

Myth Three:  Software, IT and Technology will keep the Bad Guys Out

While it is true that products like Windows 10 from Microsoft are better secured than any of Microsoft’s past OS products, it is a little like saying a county lockup beats a federal prison. It may be true, but they both suck.

We have demonstrated over the past three years that the bad guys are much better at what they do than the software guys are at repairing their holes or designing software that is security conscious. In fact, I would proffer that new software in the form of mobile apps and gaming (for example) is worse than it has ever been, and that instead of trying to repair existing holes, companies like Apple have just thrown in the towel and said we ain’t supporting it anymore (QuickTime for Windows).

The software part of the cyber-security market will be over $100 billion by 2020, and there is already a burgeoning market for compliance throughout the software development life cycle. But there are already over 100 different national data privacy laws that software development companies need to consider before they build a product and plan to market it successfully around the globe. And that number is growing as we speak. This is a huge problem that is now largely unaddressed, and if you think software developers are going to wait to bring a product to market until they have reviewed it against a ton of confusing compliance requirements with little or no enforcement behind them, you’re nuts.

We have seen extremely advanced and highly sophisticated malware morph to avoid detection by the best security software we can devise, and time after time we are leap-frogged by hackers with seemingly just a few lines of code and an exploit kit tossed onto the black market.

A larger problem is that IT cannot keep up with the threat vectors or the swarm of software that is coming down from security software heaven (more than 500 exhibitors at RSA this year). How can your understaffed IT department possibly understand all of the emerging threats and all of the solutions and match them up while still trying to get that month-end reporting out? They can’t.

Further, even if they could, you would still be faced with the human dilemma of your users falling for the next compelling social engineering scheme or your disgruntled, soon to be former employee stealing assets on his way out of Dodge.

So, it won’t be IT or software technology that solves the cyber-security dilemma anytime soon. In fact, on the most serious possible note, the U.S. Government is ranked dead last in cyber-readiness among all countries, developed or otherwise. And, in spite of what those TV commercials during golf tournaments tell you about the Microsoft Cloud, it won’t solve your problem either, so don’t email your IT guy. Please.

What Can You Do?

Ah, the old “what can you do?” closer. The amusing thing about all this is that there is a ton of stuff you can do. Wringing your hands isn’t one of them.

Start with an assessment of where you stand relative to the first myth. If you truly don’t have any assets worth protecting (no customer information or employee personally identifiable information or health information, and no proprietary digital assets that your competitors would happily pay for, or emails you wish to protect from outside eyeballs) then fine, you can stop worrying. Except for that pesky ransomware thing.

You DO need to make sure that your files and systems are backed up frequently and that the backups are stored offsite and disconnected from your network. You DO need to segregate your administrative network from your operational network if you run any sort of computerized process (like manufacturing, or surgical devices). And, you DO need to train your employees and put a program in place that raises and maintains that elevated awareness, so they can avoid the really stupid mistakes.
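The backup advice above comes down to three checkable properties: frequent, off-site, and disconnected from the network, plus the step most shops skip, proving the copy actually restores. The script below is an added example, not from the original post; the manifest format, the "offsite"/"offline" flags, the 24-hour policy and the sample files are all assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)  # assumed policy: at least one fresh copy per day

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit(manifests, restored_dir, now):
    """Return policy findings for a backup set (empty list = passes). The manifest
    format is assumed: taken, offsite, offline, and a SHA-256 per file."""
    findings = []
    newest = max(manifests, key=lambda m: m["taken"])
    if now - newest["taken"] > MAX_AGE:
        findings.append("newest copy is older than %s" % MAX_AGE)
    if not any(m["offsite"] and m["offline"] for m in manifests):
        findings.append("no copy is both off-site and disconnected from the network")
    # A backup is only known good once restored: compare a test restore of the
    # newest copy against the hashes recorded when that copy was taken.
    for name, digest in newest["files"].items():
        path = os.path.join(restored_dir, name)
        if not os.path.isfile(path) or sha256_of(path) != digest:
            findings.append("%s: %s did not restore intact" % (newest["id"], name))
    return findings

def build_sample(workdir, now):
    """Constructed sample: a fresh on-site NAS copy, an older off-site tape copy."""
    restored = os.path.join(workdir, "restore_test")  # where the test restore lands
    os.makedirs(restored, exist_ok=True)
    files = {"ledger.csv": b"date,amount\n2016-05-01,42\n", "clients.db": b"\x00client\x00"}
    digests = {}
    for name, data in files.items():
        with open(os.path.join(restored, name), "wb") as fh:
            fh.write(data)
        digests[name] = hashlib.sha256(data).hexdigest()
    manifests = [
        {"id": "nas-daily", "taken": now - timedelta(hours=6), "offsite": False, "offline": False, "files": digests},
        {"id": "tape-weekly", "taken": now - timedelta(days=3), "offsite": True, "offline": True, "files": digests},
    ]
    return manifests, restored

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        now = datetime.now(timezone.utc)
        manifests, restored = build_sample(tmp, now)
        print(audit(manifests, restored, now) or "backup set passes")
```

Run it against real manifests after every scheduled test restore; a copy that sits on a network share the ransomware can reach fails the second check even when it is fresh and intact.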

If you are one of those who depend on your customers’ networks for access, you need to work with those customers to protect the access credentials and the process through which you gain entry to their administrative systems.

If you are like the rest of us and have sensitive, proprietary, private and confidential data that is exposed to cyber-attack, you need to implement the best cyber-security you can afford. Instead of trying to do it yourself, hire an expert who will not only do the selection and implementation for you based on your specific exposures, but who can also manage the whole thing going forward, monitoring and remediating security events as they come up.

Yes, this is our business and so what? There are lots of other managed security service providers out there. Hire one of them instead.

But, please do something. The longer you wait and deny that a real threat exists, the more greatly empowered the hacker community will become. It is simply another form of paying ransoms. If you keep paying, they will keep attacking. If you remain defenseless, they will keep attacking. Stop paying. Harden up.

The only useful thing I can think of to do with the money you’ll save by not doing anything is paying the lawyers to get you out of the mess you will be in by doing nothing. Do. Something. Now.