Read how a vulnerability analysis can help avoid an event or mitigate its consequences
Not long ago someone reached out to me and asked if I’d heard an interview with Dave Ryder, President of Prototron Circuits. It appeared, along with an article I wrote, in the January 2022 issue of SMT 007, devoted to cybersecurity. I’d followed the Prototron ransomware story, and I had heard Ryder’s “Lessons Learned” update. It’s compelling, and I urge you to listen to it as well.
My friend then asked if a vulnerability assessment might have helped Prototron avoid the massive headache and expense of rebuilding their critical infrastructure from scratch.
Before I tell you my answer, I must stress that I do not know Dave Ryder, nor have I ever worked with or for Prototron, which means I am speculating. Mr. Ryder is remarkably forthright in the interview, but he did leave a few things to the imagination. Unfortunately, it’s not very hard for the imagination to fill in the blanks, because these types of ransomware attacks and their consequences generally follow similar patterns.
Prototron Circuits is a successful printed circuit board manufacturer in operation since 1987. In December 2019, it was hit by a ransomware attack. According to this interview, two years later the company is still not completely back to normal. At the time, the company had facilities in both Redmond, WA, and Tucson, AZ. Their analysis indicated that the malware was let in because an employee in Redmond clicked the wrong link somewhere on the internet. The Redmond facility was particularly hard hit; Ryder says it took a year before they were back to their normal turnaround times. Tucson lost some data access, but it was far less than Redmond.
Now, back to the question, and it’s a good one: how might a vulnerability analysis have helped to avoid such a successful attack or mitigate its consequences? Central to a vulnerability assessment is a deep network scan. Our sniffer software maps every internal and external connection of every piece of hardware and software on a network. It tries to penetrate everywhere: through firewalls, computers, servers, manufacturing machines, and so on. In the process, it diagrams the complete network, giving us a comprehensive view.
Based on what I’ve seen from other incidents, I assume the first thing we would have noticed was the lack of an endpoint detection and response (EDR) system, and likely that any antivirus or security software it had in place was not arrayed to protect the entire system. EDR is much more robust than your typical antivirus tool. It operates in real time at the kernel level, the core of the operating system. If it detects anything anomalous, it goes hunting for the cause and blocks it nearly instantly. Networks with this type of protection are rarely breached, but no network is perfect.
Again, I have no relationship with Prototron, and what I’m about to say seems to have no direct relevance to how it was breached, but I have run into it elsewhere and it’s a real threat. Especially when a manufacturer has been around for a while, it’s not uncommon to see older equipment, sometimes running on operating systems that haven’t been supported in a while. Yet these machines are key to some process or another. The threat comes when everything, even the outdated machines, is connected together on one big network. Bad actors can more easily exploit older technology as an entry point.
No one wants to replace costly equipment if it still works. The “if it isn’t broken, don’t fix it” approach to spending makes sense on the surface but can lead to extremely costly results. A vulnerability scan makes these outdated access points visible, giving us the opportunity to create a closed network for the machinery. Sealed off from the larger network, old technology can run without threatening the whole.
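The segmentation check described above, as an added example that is not part of the original article or any vendor tool: it takes the kind of connection map a network scan produces and flags every path that crosses into or out of the closed machinery network other than through a sanctioned management host. The address ranges, the bridge host and the scan edges are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network plan for this example: the corporate LAN and a closed
# network that should hold only the legacy manufacturing machines.
CORPORATE_LAN = ipaddress.ip_network("10.10.0.0/16")
MACHINERY_NET = ipaddress.ip_network("10.99.0.0/24")
# The one corporate host allowed to talk into the closed network, e.g. a
# hardened management host that pushes jobs to the machines (assumed).
ALLOWED_BRIDGE_HOSTS = {ipaddress.ip_address("10.10.5.20")}

# Constructed sample of edges a network-mapping scan might report:
# (source, destination, destination port, note about the destination).
SCAN_EDGES = [
    ("10.10.3.14", "10.10.3.1",   445,  "file server"),
    ("10.10.3.14", "10.99.0.7",   445,  "drill controller, unsupported OS"),
    ("10.10.5.20", "10.99.0.7",   3389, "drill controller, unsupported OS"),
    ("10.99.0.7",  "10.10.3.1",   445,  "file server"),
    ("10.99.0.9",  "10.99.0.7",   502,  "drill controller, unsupported OS"),
    ("10.99.0.7",  "203.0.113.9", 443,  "internet host"),
    ("10.10.3.14", "203.0.113.9", 443,  "internet host"),
]

@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    reason: str

def audit_segmentation(edges):
    """Return every scanned connection that crosses the boundary of the
    closed machinery network without going through an allowed bridge host."""
    findings = []
    for src, dst, port, note in edges:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_inside, dst_inside = s in MACHINERY_NET, d in MACHINERY_NET
        if src_inside == dst_inside:
            continue                     # stays entirely inside or outside
        if dst_inside and s in ALLOWED_BRIDGE_HOSTS:
            continue                     # sanctioned management path
        if dst_inside:
            origin = "corporate host" if s in CORPORATE_LAN else "external host"
            reason = f"{origin} {src} reaches legacy machine ({note})"
        else:
            reason = f"legacy machine {src} reaches outside the closed network ({note})"
        findings.append(Finding(src, dst, port, reason))
    return findings
```

Running it over the sample map reports three findings: a corporate workstation reaching the drill controller, the controller reaching the corporate file server, and the controller reaching the internet, while the management host's path and traffic that stays within one network are silent.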
Key Takeaways
Here’s the most important takeaway from Dave Ryder’s interview: When asked about lessons learned, he replies: “Make sure you have backups that no one can get access to without your permission.” If Prototron had done this one thing before the attack, the ransom threat would have been moot. At that time, Prototron kept its backups on the same network they were backing up. We come up against this issue often as well.
Let’s say your IT folks are backing up regularly off your network, to external hard drives for example. The question you should ask is: where are they stored? I’ve talked to business owners who think they are safe because their IT person takes the backups home at night. But what happens if that person goes to a coffee shop and has a spill or worse, leaves them behind?
Ryder is right when he says backups should be offsite and accessible by permission only. We take that a step further for our clients, creating encrypted immutable cloud backups that cannot be changed or deleted.
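To make the backup point concrete, here is an added example (not code from the article, and a model rather than any real cloud SDK) contrasting backups kept on a writable share on the production network with a write-once store that enforces a retention lock. A caller that holds write access, which is what malware running under the backup account amounts to, can replace every copy on the share, but is refused by the locked store; the class names, the reference time and the sample backups are all constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone

T0 = datetime(2019, 12, 1, tzinfo=timezone.utc)   # constructed reference time

class NetworkShareBackup:
    """Backups kept on an ordinary writable share on the production network."""
    def __init__(self):
        self._files = {}
    def names(self):
        return list(self._files)
    def put(self, name, data, now):
        self._files[name] = data          # silently overwrites the previous copy
    def get(self, name):
        return self._files[name]

class ImmutableBackupStore:
    """Write-once store with a retention lock (model of an object-lock bucket):
    no overwrite, no delete before the lock expires, digest kept for verification."""
    def __init__(self, retention_days):
        self._retention = timedelta(days=retention_days)
        self._objects = {}                # name -> (data, sha256, locked_until)
    def names(self):
        return list(self._objects)
    def locked_until(self, name):
        return self._objects[name][2]
    def put(self, name, data, now):
        if name in self._objects:
            raise PermissionError(f"{name}: exists and is locked, overwrite refused")
        self._objects[name] = (data, hashlib.sha256(data).hexdigest(), now + self._retention)
    def delete(self, name, now):
        if now < self._objects[name][2]:
            raise PermissionError(f"{name}: retention lock active, delete refused")
        del self._objects[name]
    def verify(self, name):
        data, digest, _ = self._objects[name]
        return hashlib.sha256(data).hexdigest() == digest

def overwrite_all(store, now):
    """A caller holding write access replaces every backup with junk; returns
    (replaced, refused). This is what malware running under the backup
    account achieves against each kind of store."""
    replaced = refused = 0
    for name in store.names():
        try:
            store.put(name, b"\x00" * 16, now)
            replaced += 1
        except PermissionError:
            refused += 1
    return replaced, refused
```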
There is no magic wand to ensure complete safety against determined attackers; even the intelligence community gets hacked from time to time. But there are four layers that, when stacked on top of each other, create a very, very strong barrier: protect from outside threats, isolate vulnerabilities inside the network, train the staff, and have off-site immutable backups in case all else fails.