Your Computer is Sick

Sick Computer: Your computer is sick. Not sick in a good way. Many people believe that when they buy a brand new computer, it was designed and configured with security in mind, but it wasn’t. It was designed and configured with usability in mind. Years ago I worked for a small Wireless Internet Service Provider (WISP) in Ogden, Utah. Once the owner told me that whenever a customer called his technical support line for help, the company lost the profit it would have made from that customer for the entire month. The margins were that small.

Shiny, But Not Secure: When you buy a shiny new computer, the manufacturer wants you to be able to easily set it up yourself. They have gotten much better about secure setup than they used to be. Indeed, your Microsoft Windows 10 Operating System is much more secure than the previous Windows versions, but there is still a balance that the manufacturer is trying to strike. They don’t want you to call tech support.

Usability vs Security: Security is a spectrum with usability on one end and security on the other. The closer you get to security, the further you move from usability. That is where the problem resides. YOUR goal may be to have the most secure computing experience, but the company that made your computer and the Operating System want it to be usable so you don’t call tech support.

Most end-users simply don’t have the experience to securely configure their computer. It takes time to become enough of an expert in the field to securely configure your PC or Mac. Hiring someone to secure your computer is very costly as well.

Preventive Measures: Secure configuration of your computer is preventative. You are trying to prevent threats from causing harm to your computing assets. The ways a threat can cause harm are called vulnerabilities. Bugs in software are one example. Things that reduce vulnerabilities are called “controls”. A software patch (or update) is a control to reduce the vulnerability of a software bug.

Asset, Control, Threat: You can think of it this way. It’s not unlike putting in a chain link fence (the control) to keep the javelina (the threat) out of your garden (the asset). You are not naïve enough to think the fence will keep tiny birds off the peach tree. That’s not what the fence was designed for. So you add a different control designed for birds. Many people will place a large fake owl close by. It’s a deceptive control to fool the birds into thinking a predator is lurking.

Real Life Example: Your house has controls to reduce the vulnerabilities a burglar might use to break in. Locks on the doors and windows. But a determined burglar can still get in if they have the opportunity. You may have installed motion sensors to alert the police in the event of a break-in. That’s a detective control to further reduce the vulnerability your preventative controls may fail to mitigate.

Prevention Always Fails: In the face of an advanced threat, prevention always fails. Eventually. You should consider installing some detective controls to alert you when they have.

Options: Lastly, prevention and detection are not your only recourse. You can get out in front of this dilemma by introducing a deception control. As an example, every time you visit a website, your browser announces to the web server a tremendous amount of valuable information, namely, what browser, and what Operating System you are using. This is usually enough information for a threat to deploy an attack. But you can change your browser settings to lie about it. Then when you visit a compromised website, the threat will deploy the wrong attack. This deception technique isn’t 100% foolproof, and it may cause some of your favorite websites to not display properly, but it’s something you should look into.

It’s a Risk Call: Like the WISP I worked for back in Ogden, profits are on the line. The vendor of your computer is more concerned with you having a usable experience. It’s up to you to make it secure by adding deception and detection controls to your quiver.

Dwelling on Dwell Time

OPM Hack: Sierra Vista is a military town. Therefore, many of us have personal or family ties to the military. I’m sure that many of you were in the same boat I was during the summer of 2015 when we found out about the Office of Personnel Management (OPM) breach. Hackers had exfiltrated (the technical term used when hackers pilfer data) the personal information of almost 20 million people related to security clearance background investigation applications. The attack occurred in two phases. The first phase, called X1 by Congressional investigators, started in November 2013. OPM discovered it in May 2014. The hackers had stolen very little documentation. Before OPM could clean up the mess, the hacker obtained credentials and installed key-loggers and other malware to create a “backdoor” on May 7, 2014. This second attack, known as X2, went unnoticed for over 11 months. That boat I mentioned earlier? The one we were in together? It was leaking. And in the water? There were sharks.

How & How Long: While the sharks explored the OPM network they escalated their privileges so they had access to more and more information. In December 2014, they plundered 4.2 million personnel records. In March of 2015 they stole fingerprint data. It wasn’t until mid-April 2015 that security personnel identified the unusual activity. For over a year, the attackers had set up shop on the OPM network. Imagine how much damage an attacker can do to your organization with almost a year of dwell time!

What is Dwell Time: Dwell time, AKA “the breach detection gap”, is the period of time between malware executing within a network, when it is detected, and when the hemorrhaging is stopped. During this time, adversaries have access to your organizational assets. Certain types of malware and cyber-attacks require a great deal of dwell time to escalate privileges and achieve their objectives. Detecting the presence of malware early is critical to minimizing damage and protecting your assets. In the cyber ocean of malware, avoiding the sharks is ideal, but early detection is a must! According to Ponemon Institute’s 2017 Cost of Data Breach Study, there is a 25% increase in the average cost of a breach found after 30 days.

A Chain-Link Fence: Hoping anti-virus and anti-malware programs will protect you against all of this is like hoping your chain-link fence will stop mosquitoes. Anti-malware detects “signatures” of known malicious files. However, today’s malware can easily modify its signature, thereby appearing normal to antivirus engines. And attackers are creating new, advanced malware daily. Avast, McAfee, and the gang still catch most simple malware, but you need more advanced security to protect yourself from the uglies. Similarly, firewalls and intrusion detection systems are another layer of protection. OPM had those too. The big one still made it through. It wasn’t enough.

Protect Yourself: To protect your organization, consider installing endpoint detection “agents” on your laptops and servers. Endpoint detection agents monitor your system for unusual activity and notify the security operations center. Some tools even offer endpoint deception, where the attacker opens a “canary” file. We call this a cyber tripwire. The canary file traps the hacker in a virtual network separate from the real network. There the hacker may wander around investigating fake data and fake networks, unbeknownst to him (think of the holodeck on the U.S.S. Enterprise). Shortening the malware dwell time for your organization means reduced risk of a breach, of a malware outbreak, or of being trapped in a botnet scheme or ransomware. Early detection sure is better than remediation! Ask OPM, where they will spend over $350 million in credit monitoring services alone.

Rise of the Cyber Lamb Chops

Sock Puppet Fame: In the 1950s, a ventriloquist named Shari Lewis put a sock on her hand and became famous. Lewis created the persona of a 6-year-old sheep, named “Lamb Chop,” that spoke the punch-line to her jokes. A sockpuppet helped her rise to fame with a very popular 1990s children’s program. Fame and fortune from a sock!

Cyber Sockpuppets: Social media today has thousands of sockpuppets. No, Lamb Chop hasn’t taken over. A sockpuppet is a phony online identity using “real” accounts for the purpose of deception. Originally, this term referred to people who responded to their own blog posts, or authors who applauded their own books, while criticizing their competition. Nowadays, sockpuppets are used for a wide range of objectives. They are used to shower praise on a person or organization or to antagonize them; they are used to manipulate public opinion, to circumvent restrictions and suspensions, or get others banned from web sites. For instance, Utah Senator Mitt Romney acknowledged operating a secret Twitter account, “Pierre Delecto,” in order to defend himself against criticism — his sockpuppet.

Impact: The impact of sockpuppets would be marginal, except for the fact that nation-states create armies of sockpuppet bots to divide people and dispense misinformation. A single operative may monitor hundreds of sockpuppets, and an organization may use hundreds or thousands of operatives. The bot may simply “re-tweet,” “like,” or “re-post” a divisive headline or comment. 

The Difference: While a human Twitter user may post a few times a day, a bot may tweet hundreds of times per day, all day, on a specific topic. One study by USC analyzed election-related tweets sent in September and October 2016 and found that 1 in 5 were sent by an automated sockpuppet. Some social media platforms have developed software to identify and block bots, so puppeteers have developed something called Cyborgs. These Cyborg accounts mix human subtleties with the 24/7 work ethic of a bot. These are much harder to identify.

U of A: Awareness of threats is a step in the right direction. Michelle Menninger, a student in the University of Arizona’s Cyber Operations program, recently made this comment to me,

“Technology opens up an entire world to my kids that could easily destroy their innocence. Being in the Cyber program gives me the opportunity to speak openly with them about the dangers of technology and allows me to be in control of it, instead of letting technology control us.”

Nation States Involved: Nation-state actors use technology to attack the U.S. and spread misinformation in order to destabilize our republic. An article on Wired calls the Russian campaign of disinformation “Active Measures”. Their objective is to get Americans to argue about an issue – any issue, as long as it’s divisive. These sockpuppets may appear as someone trusted in your community to draw you into the fray and make you think there is an actual human behind an idea or a movement. They spread lies or half-lies, innuendos, and fake news. They are looking to degrade civil discussion of a given topic and inflame opposing views. For these actors, a divided America is much less of a threat than a united one.

Be Alert: We are all susceptible to these propaganda campaigns on social media. With all the re-posting and re-tweeting, sometimes it is hard to find the origin of a comment. However, awareness that a sockpuppet army, whose intent is to manipulate public opinion, is out there may provide some protection from taking the bait.

So, the next time you are on social media responding to a post that got your blood boiling, keep in mind that you may be arguing with “Lamb Chop.”

Beware of the Dark Web

Lord of the Flies: Imagine a world where children are left entirely to their own guidance and education. One where the only instruction they ever receive is from peers. What kind of a world would that be?

Internet Born: When the Internet was born, it was called the DARPANET. Initially its creators tried to maintain control over its growth and development, but as it grew, that control became untenable. Eventually, a dark side emerged there.

Surface, Deep, Dark: The Internet can be subdivided into the Surface Web (that which you can Google) and the Deep Web. You may be surprised to hear that most of you regularly visit the Deep Web. Accounts such as Facebook, Twitter, or your company network that require sign-in credentials are not indexed by search engines and are a major part of the Deep Web. Estimates put the Deep Web at over 95% of the internet. The Dark Web is a subset of the Deep Web that is intentionally hidden, requiring a specific browser to access. No one really knows the size of the Dark Web, but most estimates put it at around 5% of the total internet.

Dark Web: The Dark Web is best known as a place for illegal and nefarious activities. You can buy drugs, guns, credit card numbers, credentials, and hacked Netflix accounts. You can buy malware or pay hackers to breach your competition for intellectual property. There are even E-Commerce sites. Dark Web commerce sites have the same features as any e-retail operation, including ratings/reviews, shopping carts and forums. However, sellers have been known to suddenly disappear with their customers’ crypto-coins without providing the service. The old saying, “There is no honor among thieves,” applies.

Legal Activities: Not all activities on the Dark Web are illegal. Around half of the Dark Web is used for legitimate activities. It allows political dissidents to communicate anonymously with journalists without fear of persecution. People go to the Dark Web for mundane activities like joining a chess club or exchanging recipes. Facebook even has a presence called BlackBook. The New York Times has a presence. The Dark Web attracts those that are interested in being anonymous.

The Onion Router: The most common way to get on the Dark Web is through an anonymizing browser called Tor (The Onion Router). The Tor browser routes your web page requests through a series of proxy servers operated by thousands of volunteers around the globe, rendering your IP address unidentifiable and untraceable. It is difficult to find your way around as there are no indexed search engines. The experience is unpredictable, unreliable, and often incredibly slow.

Why Should I Care: This is all very interesting, but I am not interested in a seedy journey to the Dark Web. Why should I care? The Dark Web is full of Personally Identifiable Information (PII) and password credentials recovered from breaches and sold, or just dumped to a site. Large identity theft companies, like Experian, offer services that search for your information on the Dark Web and notify you of their findings. Companies can look to their trusted security advisor to obtain a Dark Web monitoring service that tracks your company domain. For your own email address, you can check for yourself at [link omitted from the original]. Enter your email address to see if your credentials have been caught in a breach. If so, it is time to change passwords and verify your account information.

Self Governance: In the novel Lord of the Flies, a group of boys is stranded on a deserted island. Their attempt at self-governance is a disaster. A dark side emerged. Civilization eroded and chaos reigned. Kind of like the Internet.

Business Owners: Red or Blue Pill?

The Choice: The choice is yours. Continue to read this article, and you choose the red pill. The true nature of existence will be revealed. Leave now, and you’ve chosen the blue one. You will remain blissfully ignorant. This article isn’t intended to terrify you. However, at the end of it, you might wish you’d chosen blue instead. Sometimes truth is a bitter pill. 

The Ransom: In July 2019, on a sticky summer’s day in Rockville Center, NY, the IT administrator for the school district had a message pop up on his monitor: “Your data has been encrypted.” He frantically pulled the plug on the infected computer. He limited the damage, but key files were being held for ransom. Fortunately, the school district had cyber insurance. The insurance company paid almost $100K to get the decryption key from the attacker.

A Different Result: Contrast this with the recent ransomware payment by University of California at San Francisco (UCSF) of $1.14M, where they did not have any cyber insurance to pay the ransom.  The cost of the ransomware and recovery came from the university’s pockets. 

Cyber Insurance: Cyber insurance is protection against the CONSEQUENCES of cyber attacks. This includes data breaches and ransomware. The insurance covers the costs of: the investigation and forensics, notification and identity recovery for clients, restoring compromised data, and system downtime. Some policies cover losses from social engineering and, like the policy held by the school district mentioned above, cover the cost of a ransomware attack. Like other insurance policies, some items are not covered, such as the loss of future profits and theft of intellectual property.

Just a Piece of the Puzzle: You may consider cyber insurance a part of, but not a replacement for, your cybersecurity business strategy. Insurance companies have been known not to pay out if they find negligence on the part of the insured. Covered companies are supposed to implement industry best practices, policy, and training. Some underwriters will require company-wide training programs prior to issuance of the policy.

What About Me: You might be wondering, “Does my business need cyber insurance?” If you lived in a flood plain, would you get flood insurance? Your business “lives” on a cyber flood plain. One out of every five cyber attacks is against small- and medium-sized businesses. Of those that suffer an attack, over 60% cannot recover from the residual financial loss. So, it’s not only big companies that need it. Small businesses have been flooded right out of business by cyber attacks when not properly covered.

Transfers Risk: Cyber insurance transfers the financial component of cyber risk from your company to the insurance carrier. If your organization deals with a reasonable volume of Personally Identifiable Information (PII) or Protected Health Information (PHI), you should look into insuring it. The cost of an attack could shut your doors. So, if you are a health provider, a utility, or a government organization, it would be sensible to get a quote. If you run an AirBnB or a small repair shop, you may be OK without it. Several local organizations have been impacted by cyber attacks, so don’t think it only happens in the big cities. Calculate the risk. If your company was attacked, what would be the impact? There could be stiff penalties from the Department of Health and Human Services — or worse, government scrutiny! So, is your organization prepared for the risk of the cyber world? Would you be like Rockville Center or like UCSF? Consider the options, then … choose wisely.

Replacing the Irreplaceable

Dinosaurs Are Back: In 1993 dinosaurs came to life. We were assured they were in a controlled environment. Dennis Nedry was the underappreciated system administrator/programmer/network engineer/aspiring dinosaur cloner. Paid less than he thought he was worth, Dennis struggled to make a living. Eventually, he turned on Jurassic Park owner John Hammond and stole prized dinosaur embryos, intending to sell them to a rival theme park owner who had failed to clone his own. To facilitate his crime, Dennis leveraged his unique position to shut off the security controls that protected the park. He was the only one with the knowledge to control the system. Even if Dennis had not possessed a criminal mind, to preserve the security of the park he should have been required to do two things:

  1. Document his processes.
  2. Educate his coworkers.

Identify Risks: As a business owner, you may like risk. Risk means opportunity. But sometimes risk also means, well, risk. If, on the other hand, you DON’T like risk, you may also dislike change. But “change averse” does not equate to “risk averse”. Change is good when your current business practices carry unseen and unprofitable risk. One unseen risk that should be glaringly obvious is an employee who knows all the intricate workings of a spreadsheet, a system, or a network, and is unwilling or unable to share the knowledge (Nedry, dressed like a loyal minion).

Best Practice: One critical best practice in cyber security is job rotation. Job rotation is just that: rotating employees through different jobs on a somewhat regular basis. While it’s different for each company, it may be as frequent as every two weeks, or as far out as every few months. A challenge with this procedure for small businesses is that your staff may be so small that everyone wears many hats, so you are rotating by default; or the complexities of each role may make it prohibitively burdensome to train everyone sufficiently to have each person proficient in each role. It may seem like tiring work, but the security and productivity benefits will pay off. Such a goal will make everyone more valuable to you, yet none will become irreplaceable. In truth, some employees are really valuable, while others do little more than execute their own self-preservation strategic plan. They are nothing but a bottleneck between you and successful growth.

Self Preservation: Self-preservation is an inherent human trait. It is inherent in every living thing, really. You need to be aware of the risk this can pose to your business. You may have an employee who is acting out of self-preservation instead of looking out for the success and growth of your business.

What to Look For: According to a Forbes article, there are ways to spot the self-preserving employee:

  • They are embroiled in drama.
  • They complain–about everything.
  • They seek attention.
  • They gossip.
  • They don’t simply perform their jobs without a need to draw attention to their professional or personal challenges. 
  • They see a need to remind others of how challenging the task might be.
  • They call attention to the fact that someone else didn’t complete their task.

Single Point of Failure: I’m not suggesting you have a self-serving Dennis Nedry lurking among your IT staff. But experience has proven over time that having a single point of failure in the form of an irreplaceable employee is no less concerning than a cloned T-Rex run amok. For Jurassic Park, the warning signs were there. Ignoring them resulted in a business disaster. Implementing a job rotation procedure could have mitigated the threat.

Gone Phishin’

Happy to Help: An entry level accountant, “Sebastian”, receives an email from his CEO. Sebastian is excited the CEO recognizes him and needs his help on a major acquisition. The CEO requests a wire of 50 million Euros immediately sent to a bank account for the acquisition. Sebastian quickly executes the transfer. He feels like a hero. He can almost smell that promotion.

Oops: Unfortunately for Sebastian, and his large Austrian aerospace company, FACC, the email was not from his CEO. This was one of the most profitable phishing expeditions ever. The company could only recover 20% of the funds. The CEO was fired and, most likely, so was Sebastian.

Phishing: Phishing is a type of cyber-attack that uses email to trick the recipient into doing some particular action or providing private information. The term was coined in 1995 as a variant of fishing and refers to the “bait” used to get the victim to “bite.” There are several variations of phishing. Whaling refers to targeting high-level personnel in an organization. Spear phishing refers to a phishing attack targeting a specific group of people like the military, a specific company, or certain professionals.

More Complex Today: With the techniques used today, it is not always simple to identify a phishing attack.  Although the Nigerian Prince scam, with its poor grammar and misspelled words, is still around, there are new scams that look extremely legitimate and appear to be from legitimate organizations. 

What to Watch For: Here are some methods to skillfully spot the phishing email. If an email is asking for personal information or asking you to verify details like bank or credit card information, don’t take the bait. Established companies never ask for sensitive information. Be cautious of emails presenting dire warnings and potential consequences which require urgent action. Some examples might be a warning that an account of yours has expired or has been hacked. Similarly, be wary if there is an urgent deadline to go along with the dire consequences. Another common phishing tactic is to offer large financial rewards. This could be winning a lottery that you did not enter or being the prize-money winner for a bogus contest. If it sounds too good to be true, it probably is.

What Next?: Now that you are starting to smell something phishy, how do you determine what to do? First, don’t click on the provided link, if there is one. Hover over the link and look at the bottom left corner of your browser or email client. It should show the full web address. Some bogus web addresses will have extra words or letters added which do not belong to the legitimate address. Carefully scrutinize the address. (For example, g00gle is not the same as google.) Also, beware of short URLs (hyperlinked website addresses). Hackers can hide their true address inside a tiny URL link. When you get an email that seems like it really came from your bank, for example, mentioning dire consequences and an urgent deadline, call the bank using a number YOU KNOW is good, or check the official website. (Google the website; don’t click the link in the email to determine if the email is legitimate.) Many spear phishing attacks can be thwarted with policies requiring a second method of approval prior to email requests for funding (which Sebastian should have looked for).
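The link checks the column describes (read the real destination, spot look-alike spellings such as g00gle, notice a trusted name buried inside an unrelated domain, distrust shorteners), written as a small Python routine. This is an added example, not code from the column; the trusted-domain list, the shortener list and the sample links are constructed for the demonstration.

```python
"""Flag suspicious links the way the column advises: judge the real
destination host, not the link text, and raise a reason for each red flag.

Added example, not part of the original column. TRUSTED_DOMAINS and
SHORTENER_DOMAINS are constructed lists; a real deployment would keep
its own.
"""
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"google.com", "examplebank.com"}      # constructed
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co"}    # constructed

# Digit-for-letter swaps commonly used in look-alike names (0 for o, 1 for l, ...).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname. Simplification: ignores
    two-level public suffixes such as co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def normalize(domain: str) -> str:
    """Collapse the common substitutions and drop hyphens so that
    'g00gle.com' compares equal to 'google.com'."""
    return domain.lower().translate(_HOMOGLYPHS).replace("-", "")


def assess_link(href: str, trusted=TRUSTED_DOMAINS, shorteners=SHORTENER_DOMAINS) -> list:
    """Return the reasons a link deserves a phone call instead of a click.
    An empty list means the destination is a trusted domain over HTTPS."""
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = (parsed.hostname or "").lower()   # hostname drops any user@ prefix
    if not host:
        return ["no hostname in link"]

    reasons = []
    if parsed.scheme != "https":
        reasons.append("not HTTPS")

    domain = registrable_domain(host)
    if domain in shorteners:
        reasons.append(f"URL shortener {domain} hides the real destination")
        return reasons
    if domain in trusted:
        return reasons          # genuine, including subdomains like accounts.google.com

    flags = []
    for good in trusted:
        brand = good.split(".")[0]
        if normalize(domain) == normalize(good):
            flags.append(f"{domain} is a look-alike of {good}")
        elif brand in host:
            flags.append(f"trusted name '{brand}' embedded in unrelated domain {domain}")
    if not flags:
        flags.append(f"domain {domain} is not on the trusted list")
    return reasons + flags


if __name__ == "__main__":
    # Constructed sample links, the kind the column says to hover over first.
    for link in ("https://accounts.google.com/signin",
                 "http://g00gle.com/verify",
                 "https://google.com.account-verify.example/login",
                 "https://bit.ly/3abc"):
        print(link, "->", assess_link(link) or ["looks genuine"])
```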

Protection: To protect your business, you should look at increasing your cyber defenses. This may be something like using email services that stop most phishing attempts. Businesses can use email certificates to digitally sign emails so recipients can verify they came from you.

The Keys: Training and awareness are the key. There are services you can leverage that provide phishing training. It’s even better if the training also includes simulated phishing attempts targeting your employees to determine how well the training is sinking in.

Perhaps if “Sebastian” from FACC had the proper training, he might still be enjoying his employment there – along with his CEO. 

On A Hot Day

Not The Droids You’re Looking For: On a hot day (which was not unusual for the desert planet of Tatooine), overlooking the Mos Eisley space port, the Jedi master warned his freshly-minted apprentice to be careful, with good reason. No sooner had they hovered into town in the weathered X-34, when they were stopped at an impromptu checkpoint. The gleaming troopers searching for stolen imperial plans demanded to see identification. Waving his aged fingers, the holy man muttered, “You don’t need to see his identification.” In a perplexing turn of events, the menacing guard robotically repeated those words, thereby blasting that exchange into galactic popular culture.

Cyber Jedi Mind Tricks: You may compare your computer to the weak-minded fools vulnerable to a Jedi mind trick: It does what it is programmed to do. Nothing more. For example, when an operating system looks for files (like when it hunts for malware), it does so in a methodical manner. Malware authors know how this is done, and they modify the list the operating system uses to find files, hiding their secret plans deep in the file system. They may even modify registry settings, install additional user accounts, and set up scheduled tasks.

Defender: According to several reputable sources, the Windows Defender component of Windows 10 is all the antivirus you need. It will take care of commodity malware, and it does so quietly. It doesn’t alert you when it finds malicious files. That’s good and bad. You won’t have a lot of alerts you have to investigate–that’s good, but you also won’t have a lot of alerts to investigate–that’s bad. You want to know when you get infected, so you can do something about it.

Don’t Fall For It: You also need to be aware and avoid falling for the Jedi mind trick yourself. It may come to you in the form of a popup, warning you that your computer is infected. It’s a lie. Don’t click anything in that window of warning. The red “x” in the upper right corner isn’t the close button. Every part of that window is the “install” button. Instead of clicking anywhere in that window, use the Windows Task Manager to find your browser instances, and end the task on all of them.

If Infected: What do you do if your computer legitimately becomes infected with malware? Like the stormtroopers on Tatooine, you can systematically check the identification of every program, and visit every mysterious dark hole within the Windows Operating System; however, be aware there are Jedi that will prevent your successful search. The most effective way to be sure you’ve deleted all the secret plans the malware left behind is to reinstall the operating system then reinstall all the necessary programs. Just make sure you create a backup of all your irreplaceable files before you do.

Let’s just be clear: Malware wants to hide, and it’s very good at it. A knot of Stormtroopers fitted with pure white armor briefly interrupted the Jedi concerning his mismatched metal companions at Mos Eisley. They were rebuffed. You will be rebuffed if you think you can find the malicious secret plans embedded in your computer.

We Have A Problem

Risks While Fishing?: A few weeks ago, I was fishing in the White Mountains. Fishing, not catching, but that was ok. I was there to escape the steadily building heat of a Sierra Vista June, and to receive lessons in patience and perseverance. While the former was intended, the latter was an unwelcome bonus. Everything was going according to plan. The weather was enviable. White puffy clouds cast occasional shadows that provided mild relief for a beleaguered amateur angler, and the pine scented air had an unexpected autumn crispiness. Then my fourth and last golden Acme Kastmaster snagged on a mossy rock in the middle of the East Fork of the Black River (which was more of a creek really). I had a choice to make. Retrieve the lure and try, try again; or snap the line and accept defeat.

Assess: I was alone on the river and miles from help. What if I slipped? A good friend slipped on a rock in THIS river; after facing THIS choice. The difference was he had a family to drive him the 30 minutes or so to Springerville for his fiberglass arm charm.

Choices: We all have to make choices every day. Maybe not this exact choice, but still choices that involve risk. Without even thinking, most of us can conduct risk assessments in real-time. Risk is a function of probability, impact, and asset value. In the scenario I was facing, the probability of a fall was somewhat likely, the impact of a fall COULD have been high, and the asset was either my arm, or my life. Again, high. A quick mental calculation contrasted with ending my fishing trip early and I stepped solidly into the river. My worn leather ropers quickly filled with cool river water. I found sturdy footing and successfully rescued the remainder of my fishing excursion.

Business Risks: By now you’re asking me, “Tom, is this Field and Stream, or the Cyber Tripwire?” Stay with me. I’m getting to the point. On your business computer network, you have assets. I want you to calculate something. If you went into work today and found that none of your computers worked, what would be the monetary loss? What if it took a week to recover? Now, I’m no Dallin Haws, so you may want to check with him first. But here is a recommendation from Dr. Eric Cole, one of the leading cyber security experts in the country.

Calculating Risks: In calculating risk, two general formulas are used: SLE (single loss expectancy) and ALE (annualized loss expectancy). SLE is the starting point. With it you determine the single loss resulting from a malicious incident. The formula for SLE is:

SLE = asset value x exposure factor

While the SLE is a valuable starting point, it only represents the loss for one incident. Since many organizations suffer the same loss multiple times a year, you have to include the ARO (annualized rate of occurrence) and use them both to calculate the ALE:


The ALE is what you always use to determine the cost of the risk; the TCO (total cost of ownership) is what you use to calculate the cost of a solution.

Your Cybersecurity Budget: So, this leads to the question. How much should you spend on cyber security prevention, detection, deterrence, and recovery? Calculate the ALE, and spend less than that annually.
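As an added worked example (not code from the column), here is the SLE/ALE arithmetic above as a small Python script, using the standard formula ALE = SLE x ARO that the column's SLE and ARO terms feed into, applied to a constructed risk register for a small office. The cost-benefit check at the end, comparing a control's annual cost against the ALE it removes, is a standard extension of the "spend less than the ALE" rule; all dollar figures, exposure factors and AROs are made-up sample values.

```python
# Added worked example, not code from the column: SLE/ALE arithmetic for a
# small business register, plus the column's budget rule. Assumes the
# standard formula ALE = SLE x ARO; every dollar figure, exposure factor and
# ARO below is a constructed sample value, not data from the article.
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollars the asset is worth to the business
    exposure_factor: float  # fraction of that value lost in ONE incident (0..1)
    aro: float              # annualized rate of occurrence: incidents per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = asset value x exposure factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro

def total_ale(risks) -> float:
    """Annual expected loss across the whole register; the column's
    rule of thumb is to spend less than this on security each year."""
    return sum(r.ale() for r in risks)

def control_is_worth_it(before, after, annual_control_cost) -> tuple[bool, float]:
    """Cost-benefit check: a control pays for itself when its annual cost
    (its TCO spread over a year) is below the ALE it removes."""
    reduction = total_ale(before) - total_ale(after)
    return annual_control_cost < reduction, reduction

# Constructed register for a small office, before and after two controls
# (nightly offline backups, laptop disk encryption). Same threats and AROs;
# the controls lower how much of the asset is lost per incident.
BEFORE = [Risk("ransomware on the file server", 50_000, 0.8, 0.5),
          Risk("stolen laptop with client data", 10_000, 1.0, 0.2)]
AFTER = [Risk("ransomware on the file server", 50_000, 0.2, 0.5),
         Risk("stolen laptop with client data", 10_000, 0.1, 0.2)]

if __name__ == "__main__":
    print(f"ALE before controls: ${total_ale(BEFORE):,.0f} per year")
    ok, saved = control_is_worth_it(BEFORE, AFTER, annual_control_cost=6_000)
    print(f"ALE reduction ${saved:,.0f}; controls justified: {ok}")
```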

In retrospect, I probably should have cut bait on the river that day. The consequences could have been disastrous. But for your business, the consequences could be far worse if you remain in the dark regarding risk.

Riddled by Ransomware

Ransomware. The word sends chills up your spine; or it should. Ransomware is essentially a cyber-criminal holding your digital life hostage in a binary bag. Cyber-criminals do this by zipping all your important, irreplaceable files and setting a password on them. The crooks “generously” offer to sell you the password for a “minor” fee. Truth is, the fee is neither so minor nor convenient.

How It’s Delivered: Most ransomware arrives either as an email attachment or by infecting you when you visit a compromised website. For example, a few weeks ago, the actual website for the World Health Organization was compromised and serving up malware to every visitor to the site!

Protection: You used to protect yourself from this type of attack by creating a daily backup of your critical files. Files like Quickbooks, family photos, and the digital scan of your high school diploma. I said keeping backups used to work. The crooks have changed their tactics. As more and more of us got better at backing up our files, fewer and fewer of us paid the ransom; therefore, we cut into their profits. That’s bad for business.

Lockout or Stealing: Before, they just stole your access to the files by encrypting them. Now they actually steal copies of the files. If you don’t pay up, they will dump your files on the dark web, not to the highest bidder, but for free. Maybe you’re not concerned if your pictures of Fluffy end up in the darkest corners of the Internet, but how about your Quickbooks, or the scans of your birth certificate, social security card and driver’s license? It is not uncommon (nor is it recommended) for people to keep spreadsheets of all their bank and investment account numbers and the associated usernames and passwords. These are certainly not the files you want to become public!

Anti-Virus Enough? I know what you’re thinking. “I have anti-virus so I don’t have to worry, right?” Wrong. Your antivirus won’t stop it. If it could, you’d rarely hear about these attacks in the news. Don’t delete it though; it will stop some malware.

Two Keys: It is imperative for every user to do two things. First, ensure you don’t surf the web with an account that has administrator privileges. Second, become suspicious of EVERY email you receive; if your gut tells you an email looks “fishy”, then it is probably “phishy”. Additionally, if you receive an email, and the tone is one intended to terrify you with dire consequences for inaction, be on your guard. That is a favorite tactic of cyber-crooks.

Helpful Hint: One last suggestion: if you do store critical files like those I mentioned, then you should zip them and password-protect them yourself with an annoyingly long password. Finally, write the password in a book and lock it in your desk drawer. If you follow this recommendation, it won’t matter if those files get dumped onto the dark web, because you have protected them. You turned the tables on the crooks. They will be unaware that the bag they hold is filled with digital dust.