A podcast Connecting the Dots, Exposing Threats and Navigating Cybersecurity


Episode 2: Ransomware: To pay or not to pay. The moral dilemma of the 21st century.


"I think it's fair to say that ransomware and data breaches have no sign of stopping. The more we do things like click on links and phishing emails, or use easy to guess credentials, or store those credentials insecurely, it has the effect of leaving the front door wide open to our critical infrastructure. We humans still tend to be the weakest link in the chain."- John McArthur

In this episode, we examine COVID-19’s impact on cybersecurity, ransomware and the challenges companies face in the 21st century. Neustar’s John McArthur and Paige Enoch discuss data breaches, data exfiltration, cyber espionage and the solutions needed to protect your infrastructure.

And most importantly, what are the implications of paying a ransomware demand to gain access to your resources?

Have feedback or a cybersecurity topic you would like us to dig into on this podcast? We would love to hear from you! Drop us a quick note at lockandshield@team.neustar.

Highlights:

  • Growth of ransomware attacks during COVID-19 – John and Paige explore how attackers are getting bolder with the average ransom demands continuing to increase.
  • Hospitals as targets – John and Paige discuss why the hacker ceasefire with hospitals is over and why that should terrify us.
  • Election security – Although there was no evidence of interference in the 2020 election, there were foreign actors who were intent on disrupting the election. What does that mean for election cybersecurity going forward?
  • Attacks on our infrastructure – John discusses the potential infrastructure attacks that keep Americans up at night.

Discover how Neustar can help secure your organization online.



Episode Transcript

John McArthur: Ransomware attacks certainly grew in numbers but also in scale and sophistication. The average ransom demand increased more than twofold and amounted to $170,000 on average in 2020. And Paige, let me ask you, how long do you think the average downtime was for impacted organizations?

Paige Enoch: Well, it's certainly not a problem that's resolved quickly. So, I would guess definitely not a matter of days, I would say a week to a month or more.

JM: That is definitely in the ballpark, so on average it caused 18 days of downtime for affected organizations.

Unknown Speaker: The time is not too far ahead, when you will be able to have a box about so big on your desk, which has a little screen on it, and a dial. And after dialing a key code, you will dial the catalog number of any book in the Library of Congress. And at any rate that you wish, the spread pages of that book will appear on your television screen.

JM: Welcome back to the second installation of the Lock and Shield podcast presented by Neustar. I'm your host John McArthur, Director of Product for Security Intelligence with the Neustar Security Solutions division. In today's episode we're covering the COVID pandemic's impact on cybersecurity, and thinking about the trends we've seen over the last 15 months or so. Joining me again is our special guest Paige Enoch, who runs the day-to-day product management of the UltraGeoPoint and UltraReputation data sets. Paige, do you want to talk a little bit about what you do day to day to manage those products?

PE: Hi, John. Absolutely. Hello everyone. My name is Paige Enoch. I'm the Product Manager for UltraGeoPoint and UltraReputation. And I really spend my days kind of talking to various teams, talking to engineering, talking to our sales teams, our data team and really moving our product forward and delivering something that's impactful and useful for our customers.

JM: Thank you. And I should ask, I feel like I need to share. I'm here in southwest Ohio. Summer is upon us. We're talking about cybersecurity and attacks. Although we're not under attack, we are dealing with a major brood of cicadas that have hatched, and as I was walking into my house just a few moments ago, I had to peel a cicada off my ear. So if you hear me give a quick scream, you know what's going on. Paige, I assume there are no cicadas back in California.

PE: No, I think that's a distinctly Midwest problem.

JM: So alright, well, on to today's topic. Really again, we're talking about some of the cybersecurity landscape that we encountered during COVID. And certainly as we record, we're still going through COVID. But really, there's been a lot of things that have happened. We've heard a lot about ransomware impacts on hospitals. Recently we've heard about Colonial Pipeline and the shutting down of a major gas fuel provider on the East Coast. There's also been a lot of talk about data breaches, data exfiltrations, you might have heard the term SolarWinds. We'll talk a little about that. And then obviously one of the biggest concerns throughout this pandemic was related to our election. So, we can talk a little bit about election security. So, threat hunting, let's get started here. And I was going to say I think as we think about ransomware, I think the only word to use as we experienced it during 2020 is “ruthless”. The threat hunting and cyber intelligence firm Group-IB estimates that the number of ransomware attacks grew by more than 150% in 2020. Ransomware attacks certainly grew in numbers, but also in scale and sophistication. The average ransom demand increased more than twofold and amounted to $170,000 on average in 2020. And Paige, let me ask you, how long do you think the average downtime was for impacted organizations?

PE: Well, it's certainly not a problem that's resolved quickly. So, I would guess definitely not a matter of days, I would say a week to a month or more.

JM: Certainly that is definitely in the ballpark. So, on average it caused 18 days of downtime for affected organizations, and the demand for payment, we talked about, on average being $170,000. Some of the demands got up to a million dollars. And actually, most recently, we know Colonial Pipeline paid four times that, over $4 million, to address their ransomware attack. So, the one thing, and the reason I use the word ruthless to describe ransomware, was they targeted the most vulnerable organizations in 2020. Hospitals. A Fortune article in December titled “The Hacker Ceasefire with Hospitals is Over and that Should Terrify Us”. The honor among thieves with hackers is no longer present and they're no longer sparing hospitals, like they were earlier in the pandemic. So, by the end of the year, the FBI, Department of Homeland Security and other Federal agencies were warning against credible and imminent attacks against US hospital networks. And with COVID hospitalizations spiking, it made hospitals attractive targets, as our dependency was never higher, and higher ransoms could be demanded. And just sort of the attractiveness or the vulnerability of the healthcare system is the sheer amount of mergers over the past decade; there were 680 mergers of hospital facilities in the last 10 years. And when you start to think about the complexity of managing your digital assets, managing that inventory, keeping track of it, keeping a record of truth on all the hardware and ensuring they're up to date with the latest patching, that makes them a huge target for cyber attacks. Not to mention, you also have, you know, cloud infrastructure where you might have operations folks spinning up instances in the cloud without, you know, formal knowledge by IT administrators, also adding to a larger attack surface. And again, talking about the attacks in 2020, and really attacking the most vulnerable, the other target that was quite large was Education.
You know, an article we found titled “Colleges, a Juicy Target for Cyber Extortion” on InsideHigherEd.com wrote that cyber criminals are using ransomware increasingly to focus on colleges and universities. The FBI Cyber Division published an advisory in March warning that criminals using malicious software called PYSA ransomware are increasingly targeting education institutions, in the attempt to extort them. They’re doing this using phishing emails and stolen credentials for IT networks. Criminals are leveraging ransomware to steal sensitive information and block access to essential data. And then they're demanding payment in exchange for returning access to these institutions. And the University of California San Francisco, a very well regarded institution, admitted last July it paid $1.1 million to hackers who encrypted and threatened to publish sensitive information stolen from the School of Medicine. UCSF, along with other institutions, Michigan State and Columbia College Chicago, were targeted using a type of ransomware called Netwalker. And again, the studies continue to bear this out, the research continues to bear this out, that ransomware attacks on colleges doubled between 2019 and 2020, according to research firm BlueVoyant. There are several variants of this ransomware, which makes it exceedingly scary. There's Netwalker and Clop, and Ryuk, and DoppelPaymer, all these names, it sounds scary. And these are some of the most prevalent ransomware used. Emsisoft actually reported there were 26 ransomware attacks involving colleges and universities in 2020. There were also 58 attacks involving school districts, and since school districts encompass multiple institutions, Emsisoft estimated that something like 1700 schools, colleges and universities were impacted. The number of these organizations that had data exposed as a result of ransomware attacks on vendors and other third parties is still unknown.
It's such a big target and such a complex issue. Now, Paige, are you aware or have you heard about the recent Colonial Pipeline attack?

PE: I have. Yes.

JM: And this is when it really, and certainly attacking hospitals is scary, again, educational institutions, especially in the time of the pandemic, when education was hard enough. But what really opened my eyes to how bad this problem was, was this Colonial Pipeline attack in May. So they were a victim of a ransomware attack where they eventually paid, and I mentioned this earlier, $4.4 million to regain access to over 100 gigabytes of critical data. So, the scope of this is crazy. The attack affected the operations of this pipeline, and other field pipelines, providing two and a half million barrels of fuel, or approximately 45% of the US East Coast fuel supply, creating long lines for fuel at some of the gasoline stations. I don't know if any folks out there saw this, but it was scary. It actually looked like a bank run, you know, people who, when they hear about bank issues, are pulling cash out of their accounts to make sure it's safe; the same thing seemed to be occurring with gasoline. Also, Bose disclosed in March, Bose the, you know, the headphone company, audio company, disclosed in March that they were hit with a ransomware attack that allowed hackers access to internal administrative human resource files. So now we're starting to get to that area of PII, personally identifiable information, that contains social security numbers, addresses, compensation information. They did not share whether or not they paid a ransom to resolve the attack. And then literally as we're recording this, and Paige pinged this to me as we're about to hop in the podcast, The Washington Post is reporting that the world's largest meat processor JBS has been hit by a ransomware attack. The company said in a news release that it detected an intrusion on its computer networks in North America and Australia just a few days ago. It doesn't look like their backup servers were affected.
So that seems like the issue could be mitigated more quickly, as opposed to if the backup servers had been impacted. Now, I think this brings up an interesting ethical question, almost a 21st century moral dilemma for us, which is whether or not we should be paying ransomware demands. We used to, you know, certainly we've seen movies and there are cases in real life where ransoms were demanded for kidnappings or potentially plane hijacks. But now we're seeing them on our most critical institutions. And I think a lot of factors have to be considered here, especially the human impact of the attack, you know, if we're talking about the health care system, where time is of the essence, and having medical records quickly at hand is absolutely necessary. Can you wait to negotiate? Should you negotiate? But I think you also have to think about where does this money go? Is it funding additional cyber attacks? Or even worse, is this money making its way to terrorist organizations who might be using the money to recruit new members to launch, you know, more physical or kinetic attacks against civilians, you know, effectively, another 9/11? It's interesting to think about this, and scary, but at the same time, I think we're starting to see our governments start to push for legislation. In the United States, the Treasury Department has stated paying ransomware demands is a violation of its policy, and some states, like California and Texas, have enacted cyber extortion laws to discourage payment of ransomware. I'm really, like, I'm torn here about what the right thing to do is. And I think it's probably very much a gray area. And Paige, what do you think? What are your thoughts around this? Is this, you know, a moral dilemma of the 21st century we should be thinking very critically about?

PE: Yeah, absolutely. And I agree that it's certainly a gray area where we may get some Federal guidance or guidance at the Federal level around what to do. But if you're a hospital administrator, and you have patients that need care, and you can't provide that care, that decision suddenly gets maybe a lot murkier. So, to your point, the perspective of who's making the decision and what guidance is available, would be really key.

JM: Absolutely. I don't think, like we're saying, I don't think there's one right answer, one answer that serves all use cases, but it is something we'll be watching as these threads start to develop and evolve.

PE: Alright, let's take a break from the podcast and talk about kind of a fun story about hacking a phone system. So, according to Atlas Obscura, Captain Crunch used to include a toy that could be used to hack phone systems. Cereal companies have long used box prizes as an inducement for children to nag their parents into buying sugary breakfast food. So, these toys might be movie tie-ins to video games on CD-ROM. But the cereal box baubles tend to be momentarily thrilling and then quickly forgotten, except when they can be used for hacking. Only one cereal box toy has that distinction, the Captain Crunch Bosun whistle. This was meant to replicate the whistles used by sailing officials, bosuns, to signal meal times or commands. And the multicolored whistle came along with boxes of Captain Crunch starting in the mid 1960s. One fell into the hands of John Draper, a former US Air Force electronics technician. Draper was part of an underground culture that predated hacking as we know it, phone freaks, PHREAKs. These early hackers played certain tones through their telephones to bypass AT&T's analog system and get free long distance phone calls. Draper heard about the whistle from other PHREAKers. The whistle easily played at 2600 hertz, the perfect tone to, in Apple Inc’s co-founder Steve Wozniak's words, “seize a phone line”. Though many PHREAKers used instruments for the same purpose, the mass produced whistle became iconic, Draper became known for using it and gave himself the nickname “Captain Crunch”. He even built devices called Blue Boxes to replicate that tone and other useful ones. After a story about blue boxes was published in Esquire in 1971, the then college student Wozniak and his friend Steve Jobs tracked Draper down to learn all they could. Though Wozniak did admire Draper, he was intimidated by his intense energy, disheveled state and many missing teeth. The boxes could also be used for mischief.
Wozniak tried to prank call the Pope, while Draper boasted that he once got President Nixon on the horn. All right, I wanted to share that story with you. I thought it was fun. What fun facts do you want to share? Reach out to us at lock and shield at team dot Neustar, that's LOCKANDSHIELD@team.neustar. Now back to the podcast.

JM: One of the other big attack vectors that we saw during the pandemic was also data exfiltration. So also, in the healthcare industry, an article from HealthITSecurity.com stated that data exfiltration jumped 20% during the fourth quarter of 2020, and it's now occurring in 70% of ransomware attacks, and email phishing is now the leading entry point. So again, these are very much related. Not only is a ransom being asked for to return hijacked systems, this data is being stolen, and then, you know, potentially sold off to black market entities or just published somewhere on the dark web accessible to all. And one of the biggest examples of data exfiltration was the SolarWinds attack that was discovered in late 2020, where malicious code was inserted into the SolarWinds network performance monitoring system. So, I'm not sure if everyone has heard of this, I'm pretty sure if you listen to this podcast you probably have, but SolarWinds told the SEC that up to 18,000 of its customers installed updates that left them vulnerable to hackers. So just to replay this, the hackers actually manipulated a patch to the SolarWinds performance monitoring system. And when clients patched their system with the latest patch, like we're always told to do, stay up to date with patching, this actually introduced malware. And again, SolarWinds has many high-profile clients, including Fortune 500 companies and multiple agencies within the US Government. So the breach impacted a broad scope of organizations. And just to be clear, The Wall Street Journal is reporting that the US agencies involved include parts of the Pentagon, Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury. So, these are all institutions that have incredibly confidential information that were attacked.
And so were private companies like Microsoft, Cisco, Intel, Deloitte, and other organizations like the California Department of State Hospitals and Kent State University. Now, this past April, the Biden administration announced sanctions against Russia for its involvement in recent cyber espionage operations against the United States, including the SolarWinds attack, but per TechTarget.com, the purpose of this particular hack remains largely unknown. There are many reasons hackers would want to get into your organization's system, including having access to future product plans, employee or customer information to hold them for ransom. But it's not clear yet what information, if any, hackers stole from government agencies, but the level of access appears to be deep and broad. So very scary. And if you think about, too, organizations that could be running this software, not only government agencies, or high tech companies, it could also be defense contractors with valuable intellectual property that we would necessarily want shared with adversaries. And I think as we bring this more, you know, more topical to say the individuals, Paige, have you ever had your sort of personal information or identity stolen?

PE: Yeah, I'm knocking on my desk here. I've never had my full identity stolen - yet. But I've certainly had credit cards probably scammed or debit cards skimmed and exposed and used, and also passwords exposed for certain services or accounts.

JM: And I'm in the same boat. I have definitely received notification from my credit monitoring service of my email addresses and potentially passwords exposed on the dark web; I've definitely been a victim of credit card fraud. Now whether it was really an exfiltration or, frankly, somebody took the credit card flyer out of my mail. That certainly has happened to me, and it is worrisome to think that some of our most closely guarded secrets could have been stolen. Now finally, when we talk about some of the big topics around cybersecurity during the pandemic, certainly last, but not least, is really around election security. A recent article from the National Conference of State Legislatures, a bipartisan association of sitting state legislators, found that after the 2020 election, the Cybersecurity and Infrastructure Security Agency and other members of the Election Infrastructure Government Coordinating Council proclaimed it was, we're finally getting to it, it was the most secure election in American history. So, we have a lot of agencies involved here securing the election. More recently, the Departments of Justice and Homeland Security released a final report finding no evidence of foreign interference in the election. But that same report also discovered that Russian and Iranian campaigns did compromise the security of several networks that managed some election functions, and materially impacted the security of networks associated with or pertaining to US political organizations, candidates or campaigns. So, although the election results themselves were found to be unaltered, you could certainly be introducing risk or inviting attacks into the election process. Most of the foreign actors, according to this article, intent on disrupting the election came from Russia, China, Iran and North Korea, though other countries including Cuba and Venezuela have made similar smaller attempts. Attacks can do more than disable our systems.
According to Cliff Neuman, a computer science professor from the University of Southern California, malware, viruses, worms, Trojan Horses, and other cyber attack methods can also steal data or worse, modify a system to do things like change votes. So even though we dodged the bullet here in 2020, this is still an ongoing threat. And phishing was a very popular attack approach. And that really is, for those who don't know, this is really when adversaries send messages that appear legitimate and ask the user to click on a link or log into a website that looks secure but isn't. And once the user has logged on to the fake website, they've just given criminals their password and possibly access to voter registration data, internal documents or other sensitive materials. So, you can think about this. If you happen to be an employee working on a critical election function, you click on an email that looks legitimate, but it takes you to a website that is not, you enter credentials, you could certainly be jeopardizing the accuracy of the election in some cases, or the validity of the election. In some cases, there are other attacks such as supply chain subversion, and this is very similar to SolarWinds, where malware is embedded into software or other systems during the manufacturing or distribution process. Or there's denial of service attacks, when cyber criminals try to shut down systems by overwhelming them with fake queries or massive amounts of communications. What's a little scary here is, an article from Governmenttechnologies.com called out that due to financial constraints, a handful of states are still using paperless voting machines, considered by cybersecurity professionals to be the most insecure and most vulnerable to hacking. And when Paige and I were prepping for this podcast, Paige brought up the importance of having a paper trail that can be audited.
And again, without an auditable paper trail, security experts say that vote tabulation runs the risk of producing results inconsistent with voter choices, either because of hacking or technical errors. So, most states are starting to adopt a hybrid digital paper solution that involves a voter verifiable paper audit, but not all states have them. Now, while this sort of sounds a bit overwhelming in terms of election security, Adam Clayton Powell III, the executive director of the USC Election Security Initiative, stressed that one of the great strengths of the American elections is that we're decentralized. So again, we're a Republic of 50 individual states; that actually adds complexity for the hackers and sort of the systems they need to break through. So, it doesn't mean the systems, and Adam Clayton Powell goes on, it doesn't mean our systems don't have weaknesses, just that it is very difficult to tamper with the election at the point of voting because there are so many different targets. And Paige, let me ask you, we're in different locations. You're in California. I'm in Ohio. What was your voting experience like? And did you have any concerns?

PE: My voting experience was very easy. I did an absentee ballot, I sent it in really far ahead of time, signed up for ballot tracking so that I could get text messages for when it was received, just for my own state of mind. Of course, there is some trust there that that's actually happening and it has been received. But I took the easy path to voting this year, or last year, I suppose.

JM: Very convenient. I would have, had I been more on the ball and signed up for an absentee ballot before the deadline here in Ohio. But I would say I did vote, and from what I recall I was very impressed. It was digital, but I received a paper barcode that I scanned, and so while I was touching the screen for candidates and the like, I also had a barcode that was scanned that did provide some auditability. So, I was very impressed with the system. And I didn't necessarily have concerns for myself in my voting, but certainly, you know, the things we're touching on here. You know, knowing that election and voting systems are a target definitely was coming across my mind as we went through the election. Now, what's interesting, there's a great survey released in May from PC Matic, and the title of the survey is “PC Matic Survey Finds a Majority of Americans Lack Confidence in the US Federal Government Cybersecurity Preparedness”. So, PC Matic effectively surveyed 1400 Americans across all 50 states, and talked to them about, you know, ranking their opinion of state governments and their cybersecurity preparedness. And 57% of the Americans responded that they don't believe that the US Federal Government is prepared to defend itself from cyber threats. 60% of Americans felt that the Federal Government should be doing more to protect American citizens. The interesting stat here, 46% of IT professionals surveyed lacked confidence in the US Government's ability to defend itself. Now, what's interesting is only a quarter of Americans believe Congress needs to allocate more funding to prevent cybersecurity attacks. Now, it's interesting, because certainly, you know, we're talking today about some of the ransomware attacks we've had, election security, data exfiltration.
And it seems like it is something that citizens are concerned with, but there is, you know, we're always mindful of being taxpayers, only a quarter of Americans believe that we need to allocate more funding. So it's an interesting dynamic there. You ask me, we need to do more, but we have to figure out how to do it with what we have now. And I think one of the interesting questions they asked, and I'm curious for Paige’s perspective: if the United States fell victim to a cyber attack, how worried are you about the following? Identity theft, 90%; the ability to access financial institutions was very close to 90% as well; personal privacy hacked, again, 87%; losing access to personal computer or other devices, 85%; infrastructure, you know, things like electricity, water, telephone systems being disabled, 85%. So that infrastructure was the last, although it polled at 85%. Now Paige, I'm not sure about you. But I think that last one would by far be the biggest concern I'd have in terms of being attacked and not having services available. How about yourself?

PE: Yeah, absolutely. I mean, something like identity theft is annoying, but fixable, ultimately, but something like infrastructure going down, whether that's electricity or water, or telephone for any extended period of time would be pretty disastrous for large regions of people. If that was the case.

JM: We joke, like I can, I could deal with the pain, I've dealt with it, at least the credit card fraud of having my identity stolen, and it's happened a couple of times, but not having access to water for a week or two would be absolutely devastating. I'm sure things would be done to take care of that, you know, supplies to be shipped in. But that sounds truly devastating. And a little bit of what we saw on the East Coast with the Colonial Pipeline hack.

Hey there, want to take a quick break from the podcast and talk to you about our UltraGeoPoint database. Are you looking for an easy to integrate IP geo database? UltraGeoPoint provides powerful IP geolocation and proxy data to help you identify and block fraudulent transactions, deliver OTT and streaming media, ensure compliance and mitigate security threats. The UltraGeoPoint data is made available in a few different ways, via RESTful API, an on-premise virtual server and flat file, to seamlessly integrate into your application stack. And this summer, we are launching a Splunk Technical Add-on to allow Splunk users to leverage the insights of UltraGeoPoint in their security and traffic management use cases. To learn more, please visit home dot Neustar and navigate to the security solutions section.

Now I want to talk a bit about the Neustar data set that we have that can help address some of the cybersecurity concerns we've been seeing. And Paige, could you talk a bit about how Neustar UltraGeoPoint and UltraReputation address cybersecurity use cases?

PE: Yeah, absolutely. So UltraGeoPoint is our data set offering that has over 40 fields with attributes containing information about IP addresses. And these attributes range from everything from geographic to more contextual information about that IP. UltraReputation provides some more kind of subjective or reputational information, based on what we've seen, about IP addresses. And ultimately, these attributes can be taken and considered as part of a decisioning workflow. So, if you are an entity, and you're approaching a problem like access management, where you need to decide who can get access to what resources, what requests are okay to proceed, and who can access what, these attributes can really help you add some context to those requests and see, oh, this request is coming from this country, I don't want to allow them access to this resource or this network. Our data can also be leveraged in a firewall to block traffic, whether that's malicious, or whether you want to put some rules in place around geography or users that might be trying to change something about their IP; it can really help flag what might be malicious incidents or malicious requests. Finally, incident response. So, if there is an incident that is in progress, or has happened recently, you might be looking to do some research and understand more about that incident. And we're in the process of releasing a Splunk Technical Add-on, which will allow our data to be tied into Splunk and consumed into Splunk, which will be really powerful for incident response. So, if you're investigating an incident, you can see, oh, this is the ASN, this is what I've seen in previous incidents. Maybe there's a pattern here and I can build that into my firewall, and block those preemptively. So really helping add context to requests and understanding when something might need to be blocked, or changing how you're treating requests based on IP attributes.

JM: And that makes sense. And I was going to say, I know for those who listened to the previous podcast around streaming, Paige, you walked through some of the critical fields for that particular use case: you have folks who are streaming movies online and protecting their content. What fields are important as we talk about cybersecurity use cases? Are they the same, or a shade different?

PE: Some of them are the same. There is certainly overlap. Geographic, somewhat basic, as far as the attributes go: where is that IP address located? There may be certain countries that you do not want to allow access to under any circumstances. And our data can help you identify the geography for an IP address. We also offer confidence factors for location assignments. So, we will tell you how confident we are in a location assignment, which can help you evaluate that IP and evaluate where it might be located. Other data attributes include network information, so around connection type, routing type: how is that IP connecting to the internet? How is that traffic being routed? Who owns it? Who is it allocated to? So is the registering organization an ISP, an educational institution, a military organization? Who is responsible for the content being carried on that network? And then ASN, the autonomous system number: who is actually routing the traffic, and the carrier as well. So, who is responsible for making routing decisions. And all of those fields can add context and understanding to maybe how an IP is behaving or how you should treat it. And some of the other major attributes are our proxy data, or anonymizer fields. So, anonymizer can be a great indicator for when a user might be trying to obfuscate something about their behavior, whether that's their location, or their end IP address. So, we offer the anonymizer status, which is an indicator saying, hey, this IP has been detected as an anonymizer. You might want to treat this differently. It might be a VPN, it might be a public proxy. Also hosting facility: if it's coming from a hosting facility, anyone can effectively rent rack space in a hosting facility. So you don't really know where the end user is. And that might be very suspicious for serving content or allowing them through your firewall, if it's coming from a hosting facility.

JM: Got it. Got it. Now, we've gone through the UltraGeoPoint fields and again, they serve, we jokingly call it internally the Swiss Army Knife of data sets, right? It serves things like content streaming, but also has cybersecurity use cases as well. Tell me a little about UltraReputation. How might that particular data set serve cybersecurity use cases?

PE: Yeah, absolutely. When we think about UltraReputation, it's somewhat more subjective than UltraGeoPoint. So, we can think of UltraGeoPoint as being a little bit more objective. UltraReputation is based on information that we have collected from our Neustar data exhaust and patterns that we have seen. So ultimately, in UltraReputation, the primary fields that are used most for cybersecurity use cases are the Real User Score and the Risk Score. The Real User Score goes from one to five, and it differentiates human traffic from non-human traffic. So if an IP has a Real User Score of "one", it is likely to be an end user, a person, someone who's generating that traffic organically. If it's a "five", that is more likely to be a bot, a server, a hosting facility, something that's more machine generated. The other primary field in UltraReputation is the Risk Score. And this is a score that evaluates how risky an IP address is. So, it's a score of between one and 100, and the higher the score, the riskier that IP is likely to be. And again, that's based on behavior that we have seen. And it's our understanding of that IP address.

JM: So effectively, using both the subjective data set of geolocation and other network attributes along with the more subjective UltraReputation, you can combine the power of those to address cybersecurity in addition to other use cases.

PE: Yep, absolutely.

JM: Got it. Thank you for that overview. With that, it's time to conclude the podcast, but I want to leave some parting thoughts, as we've talked through a number of ideas and sort of the cybersecurity attacks we've seen throughout the COVID pandemic. I think it's fair to say that ransomware and data breaches have no sign of stopping, and again, the largest meat processor in the world was just attacked by ransomware as we're recording this. Operations professionals will attest that it is difficult to keep up with an inventory of all your assets and protecting them and keeping these assets patched. But I would say again, SolarWinds occurred because enterprises had deployed the latest patch. So, it is really a very difficult security landscape to manage. We talked earlier about a moral dilemma when it does come to ransomware, where I think we're probably going to see more guidance from the state and federal governments around handling ransomware. As we discussed, there likely isn't a one-size-fits-all policy that's viable, and each case needs to be evaluated individually. And you know, the edict that we've always heard, "we don't negotiate with terrorists," may not always apply depending on the criticality of the data. It's certainly a gray area. And in general, it's just fair to say cyber attacks are going to continue to grow. We should continue to invest in our public and private networks, especially those that contain healthcare information, personal data, and valuable intellectual property, to stay abreast of those attack vectors. But one thing that should be noted: we humans still tend to be the weakest link in the chain. The more we do things like click on links in phishing emails, or use easy-to-guess credentials, or store those credentials insecurely, it has the effect of leaving the front door wide open to our critical infrastructure.

With that, I'd like to thank our special guest for today, Paige Enoch, for providing insight into how Neustar data assets can help enterprises address security. And thank you all for listening to the Lock and Shield podcast. We look forward to catching up with you next time.
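The decisioning workflow Paige describes in the transcript above, sketched as an added Python example: geography gated by its confidence factor, the anonymizer and hosting-facility flags, the 1-5 Real User Score, the 1-100 Risk Score, and ASNs learned from prior incidents, combined into an allow / challenge / block decision with the reasons recorded. This is not Neustar's code and not the UltraGeoPoint or UltraReputation schema: the field names, the sample requests, the incident list and every threshold are assumptions constructed for the example.

```python
"""Added example: risk-based access decisioning over IP attributes.

Illustrative only. The IpAttributes fields, the sample records and the
thresholds below are assumptions, not a vendor's real schema or API.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class IpAttributes:
    ip: str
    country: str              # ISO-style country code (assumed field)
    country_confidence: int   # 0-100 confidence in the location assignment (assumed)
    anonymizer_status: str    # "none", "vpn" or "public_proxy" (assumed values)
    hosting_facility: bool    # request originates from rented hosting space
    asn: int                  # autonomous system routing the traffic
    real_user_score: int      # 1 = likely human ... 5 = likely machine
    risk_score: int           # 1 ... 100, higher is riskier


@dataclass
class Decision:
    action: str                                  # "allow", "challenge" or "block"
    reasons: List[str] = field(default_factory=list)


_SEVERITY = {"allow": 0, "challenge": 1, "block": 2}


def _escalate(decision: Decision, action: str, reason: str) -> None:
    """Record a reason and raise the action, never lower it."""
    decision.reasons.append(reason)
    if _SEVERITY[action] > _SEVERITY[decision.action]:
        decision.action = action


def asns_from_incidents(incidents: Iterable[Dict[str, int]], min_count: int = 2) -> Set[int]:
    """Turn past incident records into a preemptive ASN blocklist.

    A single sighting is weak evidence; only ASNs seen min_count times or more
    are promoted, which keeps one noisy event from blocking a whole carrier.
    """
    counts: Dict[int, int] = {}
    for inc in incidents:
        counts[inc["asn"]] = counts.get(inc["asn"], 0) + 1
    return {asn for asn, n in counts.items() if n >= min_count}


def decide(attrs: IpAttributes, blocked_countries: Set[str], blocked_asns: Set[int],
           geo_confidence_floor: int = 70, risk_block: int = 80,
           risk_challenge: int = 50) -> Decision:
    """Evaluate one request's IP attributes for an end-user login endpoint."""
    d = Decision("allow")
    if attrs.asn in blocked_asns:
        _escalate(d, "block", f"ASN {attrs.asn} seen in prior incidents")
    if attrs.country in blocked_countries:
        # Only hard-block on geography when the location assignment is confident;
        # a low-confidence match is downgraded to a step-up challenge.
        if attrs.country_confidence >= geo_confidence_floor:
            _escalate(d, "block", f"country {attrs.country} blocked (confidence {attrs.country_confidence})")
        else:
            _escalate(d, "challenge", f"country {attrs.country} blocked but confidence only {attrs.country_confidence}")
    if attrs.risk_score >= risk_block:
        _escalate(d, "block", f"risk score {attrs.risk_score} >= {risk_block}")
    elif attrs.risk_score >= risk_challenge:
        _escalate(d, "challenge", f"risk score {attrs.risk_score} >= {risk_challenge}")
    if attrs.anonymizer_status != "none":
        _escalate(d, "challenge", f"anonymizer detected: {attrs.anonymizer_status}")
    if attrs.hosting_facility:
        _escalate(d, "challenge", "source is a hosting facility, end user location unknown")
    if attrs.real_user_score >= 4:
        _escalate(d, "challenge", f"real user score {attrs.real_user_score} looks machine generated")
    return d


# Constructed sample data (documentation/test address ranges, made-up ASNs).
SAMPLE_INCIDENTS = [
    {"ip": "203.0.113.10", "asn": 64512},
    {"ip": "203.0.113.11", "asn": 64512},
    {"ip": "203.0.113.12", "asn": 64512},
    {"ip": "192.0.2.9", "asn": 64513},      # seen once: not promoted to the blocklist
]
SAMPLE_REQUESTS = [
    IpAttributes("198.51.100.7", "US", 95, "none", False, 64500, 1, 5),    # ordinary ISP user
    IpAttributes("198.51.100.8", "US", 90, "vpn", True, 64501, 5, 60),     # VPN exit in a data center
    IpAttributes("203.0.113.13", "XX", 95, "none", False, 64512, 3, 90),   # blocked ASN, country and risk
    IpAttributes("198.51.100.9", "XX", 40, "none", False, 64502, 2, 10),   # blocked country, weak geo
]


def run_sample() -> Dict[str, Decision]:
    blocked_asns = asns_from_incidents(SAMPLE_INCIDENTS)
    return {r.ip: decide(r, {"XX"}, blocked_asns) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for ip, d in run_sample().items():
        print(ip, d.action, "; ".join(d.reasons))
```

The two design points worth keeping from the transcript are visible in the code: a geography match is only a hard block when the confidence factor clears a floor, otherwise it becomes a step-up challenge, and the ASN blocklist is derived from repeated incident sightings rather than a single one, so the preemptive firewall rule does not block a carrier on one event.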
