Issue link: https://iconnect007.uberflip.com/i/1267313
44 DESIGN007 MAGAZINE I JULY 2020 it's been let in-house; it was very difficult to root out where it came from. With the nature of cyber- security today, we had tools in place that allowed us to determine—from an intru- sion detection perspective and traceability of what went outbound—that our data was compromised internally. We were able to even have a third party look at it, and they verified that as well. We had a third party review every- thing and found that nothing was compromised externally, which meant that while our data was affected, it wasn't transferred out of our networks. Matties: And they were able to access it through a piece of equipment that somebody had clicked the link on, or was it an open port that they found through this equipment? Cormier: It required user intervention. Again, the best security is only as good as how far you can train your people on looking for and spotting things because 90% of all this kind of stuff comes down to a user error. When a certain user does trigger something, the ran- somware gains the rights within the company network, and then it spawns beyond that. It's what started the whole process. Matties: From that point of view, these ransom- ware people and hackers are pretty clever, and they disguise their emails to look like normal business emails and trick people into clicking. Cormier: A lot of times, it could be an attach- ment that has a link in it that says, "You have to click this link to unlock the document," and it looks like it comes from a valid customer source. Sometimes, we see things come from a fake shipping company that looks like UPS and FedEx. They say, "Here's your invoice on your account or from your last shipment." Peo- ple click it without realizing what it is. And that's where the "fun" begins. Matties: Once they got in, they were able to go from system to system. However, they weren't there to access and steal information; they were there to lock you out of your data. Cormier: Correct. It didn't affect servers, shared docu- ments, or things that we had on our network. It encrypted those, but then it also spawned itself and hit local machines, like your mailbox store on your local PC. It encrypted it, and the ransomware had the key. With the level of encryption that they used, it was almost impossible to decrypt without having some piece of the puzzle, like what passphrase or what key they used. Matties: You were locked out of the system, and your business screeched to a halt. At that point, you had to make a decision: Do you pay ransom or not? That can be a tough choice one way or the other. Regardless of whether you pay, you were faced with having to reboot your entire system. You were vulnerable. Cormier: And that's where the threat comes in: how far did it go and what was compromised? After a great deal of time spent analyzing that question, we looked at the amount of time that it would take to either patch all the holes or do a complete rebuild. We decided we didn't want to invest the time—especially with the number of resources that we had available to us. The numbers didn't line up for us to patch the holes and find out how far it went. It was to our benefit to get things back up and run- ning as fast as possible by starting from scratch and restoring what data we had from backups. Matties: Even if you took the patch approach, in the back of your mind there would always be Eric Cormier