#AccountexUSA: Ransomware is rampant

Roman H. Kepczyk, CPA, Director of Firm Technology Strategy for Right Networks, joined the show at Accountex in Boston to talk security for accounting and bookkeeping firms. Listen to learn what you need to be doing as a firm owner to protect your firm and your clients' data from phishing, ransomware and malware attacks!

Roman Kepczyk: The threats change so rapidly ... The hacker groups are professional organizations. You need a team. You can't just have local Joe Screwdriver guy doing it as a part-time gig, because we are a target.

Blake Oliver: Welcome to the Cloud Accounting Podcast, I'm Blake Oliver.

David Leary: And I'm David Leary.

Roman Kepczyk: And I'm Roman Kepczyk, Director of Firm Technology Strategy for Right Networks.

David Leary: Wow, Roman, thanks for joining us. We're here at Accountex USA in Boston, interviewing lots [00:00:30] of important people; you being one of them.

Roman Kepczyk: Well, I'd like to see one of those, too.

David Leary: You have the ability to speak about a billion things. One of the things I was thinking is like why don't we just do a security one [cross talk] views of security ... We talk about security all the time on the podcast. Ransomware is rampant right now. Again, we talked about ransomware ...

Blake Oliver: Malware-

David Leary: Malware.

Blake Oliver: -and with desktop-hosting providers that are getting ransomed ... The iNSYNQ outage attack; CCH getting shut down temporarily [00:01:00] by- what was that? That was malware-

Roman Kepczyk: Yep.

Blake Oliver: Not ransomware in that case, but-

David Leary: That Dentist Safe ... There's something called Dentist Safe, and they back up dental medical records. They got ransomwared last week.

Blake Oliver: Many city/local government- cities have been taken down and had to completely rebuild their systems, right?

Roman Kepczyk: I think there was like 22 cities in Texas that were all using kind of the same infrastructure, and they all got hit with the same ransomware that's out there. Matter of fact, I was at a conference last month, and Gene Marks was speaking. One of his [00:01:30] predictions was that four out of five firms and companies in the next year will be hacked by something and have ransomware that they have to work around. That's why it's so important to make sure you have a process of good backups; that you're testing them, so that, in the event your firm does get hit, the solution, honestly, is wipe out the servers, restore the data, and get the people back up and running.

Blake Oliver: What does that actually look like? Because it sounds like, in a lot of these cases, there weren't backups being made, or the backups got themselves infected-

Roman Kepczyk: Infected, exactly.

Blake Oliver: How do [00:02:00] you ensure that you actually have backups that are up to date and that you can actually restore in the case of one of these attacks?

Roman Kepczyk: What happens is you've got to be doing constant shadow copies. Microsoft, by default, has the capability on the servers, where every hour, any file that's been changed, those components that have changed can be backed up to the main server. We do what's called disk-to-disk-to-offsite. If a firm is doing their own stuff, they'll have a set of ... Like I said, there are standard servers; then they'll have their backup servers and they'll be shadowing and copying nonstop [00:02:30] to that secondary set. Then, during the evening, or when there's a slow time, they'll backup all those images up there, so you can restore to a different version.

Now, what's unfortunate is you've got to be able to catch the malware as it's spreading out there. There's tools - intrusion detection, and prevention software - that kind of identify it. If you catch it quick enough, then you can restore to that last version. I've had scenarios, where firms were not checking their backups. Basically, when they tried to restore, they found, like months back, there was malware and stuff in there- [00:03:00]

Blake Oliver: Malware was in there.

Roman Kepczyk: Yep. They had to keep going back, and back, and losing data the whole time. That's one of the benefits of the cloud. That software is a higher-level quality software that's testing more frequently, and it knows when something weird is going on; it all the sudden starts encrypting files randomly, they can shut it down much quicker.

David Leary: There's this over-assumption, like, "Well, it's in the cloud. I don't have to take any personal responsibility ..." and make more backups yourself; but yes, you need to pull your own stuff down occasionally; put it on an external hard drive; throw it in your safe. It's not that the cloud's not reliable. It's just if there is an outage, if there's a ransomware attack, [00:03:30] you can keep working if you have your own stuff. People, I think just- there's this assumption, like, "Well, it's in the cloud ..." and it's really confusing with the hosting-type situations, because-

Roman Kepczyk: That's why you need to ask your hosting provider what is the scenario? Having them explain to you examples where clients have clicked on ransomware, and how did they recover from those things? We have scenarios every week where one of our clients' employees clicks on a phishing email and, all of a sudden, you realize the credentials have been compromised. We have a procedure that basically [00:04:00] knows immediately how to shut it down, pretty much contain where the damage is and then get them back up and running.

It brings up what's important - the phishing training of employees. That is what's gotta happen. It seems like the two routes to all the attacks - whether it's ransomware, or malware - is either compromised credentials, that's someone gets your password, or they click on that phishing email. We do a bunch of surveys through a group called the CPA Firm Management Association. That's the larger firms, between 10 and 200 members. The [00:04:30] top three products they use is PhishMe, KnowBe4, and Wombat Security. These are services that will send phishing emails to your people and then let you know who clicks on them. Then it does constant training; just-in-time training. With Right Networks. We always use KnowBe4. We're required every six months to go through ... Actually, it's like almost every three months, now, where they send us emails and that we have to do a training module.

David Leary: So, that one-

Blake Oliver: That's really smart-

David Leary: "Your FedEx package is ready. Click here for the status." I'm like, "What did I order?" I don't click [00:05:00] those links.

Roman Kepczyk: We were getting close to the holiday season, so the Better Business Bureau puts out their list of the Dirty Dozen phishing threats. We tell all of our firms, look through that list, because exactly what you said - FedEx; Target gift card; "Hey, we noticed your Costco membership, it's time for renewal," and they get somebody. That's like someone clicking on a Bank of America link. They send you a Bank of America, Wells Fargo, Chase-

Blake Oliver: "Click here to log in." Takes you to a fake login page that looks exactly like the regular one [00:05:30] except for the URL.

Roman Kepczyk: Yep, and they're doing it on your smartphones now, too. That's what's crazy is they can ... With the smartphone, you can't see the full URL; whereas, on your computer, you can hover over it, and see it all the way, but not on smartphones.

Blake Oliver: Wow.

This episode of The Cloud Accounting Podcast is sponsored by Right Networks. In a perfect world, everyone would have 100 percent of their clients on a cloud-based accounting system using cloud-based apps, but the world isn't perfect, and clients have a wide range of needs. For some, this means using desktop-based software. That's where Right Networks comes in.

Right Networks is your 100-percent accounting-focused desktop in the cloud that also includes an ecosystem of over 250 connected apps. As you and your clients take the journey to the cloud, Right Networks will be at your side innovating the best ways to leverage the true cloud future by investing heavily in cloud apps, like Transaction Pro and Autofy. They've created an always-on environment that supports 24/7 data transfer. Right Networks also offers no scheduled downtime for maintenance or application updates and meets the industry's highest security standards.

To join the more than 50,000 firms that use Right Networks daily with their clients, head over to CloudAccountingPodcast.promo/rncloud. That is Cloud Accounting Podcast dot promo forward slash R-N-C-L-O-U-D. Be sure to visit the Right Networks booth in San Jose at QuickBooks Connect 2019.

Blake Oliver: You said there are two ... I think you said there's two [00:07:00] main vectors of attacks?

Roman Kepczyk: Yeah.

Blake Oliver: The phishing emails are one. What was the other one?

Roman Kepczyk: Well, it's compromised credentials-

Blake Oliver: Compromised credentials.

Roman Kepczyk: What happens is the hacker groups have these bots, and utilities that ... For instance, if I hack into your Marriott account, I will use that login and password I know automatically to go to your IHG account, to your Hilton account, Kimpton account. It goes to all those and tests. They do the same thing in the CPA firm. There's groups that attack accounting firms. Once I know that ... Let's say I've compromised your cPaperless SafeSend credential, I'll [00:07:30] try that on your Thomson Reuters, your CCH. They have these tools that just go through automatically-

David Leary: Because you're not using a random password for every single site; you're using the same password. I probably did for the first eight years of me being on the internet-

Roman Kepczyk: We all did.

David Leary: Using that same password everywhere.

Roman Kepczyk: We all did, because it was easy to remember. For small practitioners, we do recommend password wallets, and that would be like LastPass, RoboForm, Keeper, all those type of products. But as soon as you get to four or five members, you want it managed. [00:08:00] Honestly, the tools like Duo and Okta, what happens is it creates ... Once you log into any website, it sends a code to your phone or your smartwatch that you can click on, and then it allows access-

Blake Oliver: These are the single sign-on tools that you mentioned.

Roman Kepczyk: Well, multi-factor authentication-

Blake Oliver: Multi-factor authentication.

Roman Kepczyk: Sometimes, it's called dual-factor authentication. What happens is, let's say, I'm an UltraTax user, and someone tries to log into my account - because on the dark web, you can buy ... There's [00:08:30] lists of UltraTax users' passwords and logins - you try to log into my account at 3:00 in the morning, it sends a code to my phone. I sleep through it. The next morning, when I wake up, I see that someone tried to log in. They couldn't get in because I didn't authorize it, but then I know my credentials have been compromised and I have to get- change them immediately.

David Leary: Yeah, and I think there's layers, right? Like your Google account, your Apple account, your Verizon, your T-Mobile - there's certain accounts that you have to have super-extra security levels, [00:09:00] right?

Roman Kepczyk: Yeah.

David Leary: And you'd better have two-factor on because if they get your Google one, then it's just a domino effect. They can probably get everything, because they can start resetting the passwords you have on other sites. One thing I have on my most secure account, I us a YubiKey. They have a physical hardware device now, as well, because I would hear these horror stories of cell-phone swapping.

Blake Oliver: Oh, yeah, the SIM attacks, right?

David Leary: SIM-ing attacks, right [cross talk]

Blake Oliver: They can steal your phone number-

Roman Kepczyk: Well, YubiKey got hacked, too. I don't know if you saw that.

David Leary: No!

Roman Kepczyk: What happened is they have a series of-

David Leary: Breaking news!

Roman Kepczyk: No, they had six different formats, I [00:09:30] guess. In one of the formats, someone had figured out the algorithm and posted it, because within Right Networks, we use ... We have a security profile. It's like a Yammer Talk. Basically, I was doing a speech on YubiKey, and someone popped that up there and said, "Hey, all these have to be replaced." They replaced like a million of them.

They fixed it immediately, but it's one of those things you always have to be very cognizant of those tools. But I agree with you, the YubiKey is better multi-factor authentication with credentials than not having it. In [00:10:00] a lot of our markets, there are local consultants working with small firms that prefer those products. You know what? If it's installed by qualified installer, it as a secure as you're gonna get.

Blake Oliver: For our listeners who have never seen a YubiKey, it looks like a very small USB drive-

Roman Kepczyk: Yeah, with the skin cover pulled off of it.

Blake Oliver: Yeah, so you plug that in, and then you press a button on it, and it generates this random code-

Roman Kepczyk: It authenticates [cross talk]

David Leary: Yeah, so the workflow ... GoDaddy has done it very, very well, which is good, because if you [00:10:30] get into GoDaddy, now, you get in my email, and now everything's domino, right?

Roman Kepczyk: Yep.

David Leary: But GoDaddy ... You set the key to associate with GoDaddy. You log into GoDaddy, but instead of getting a text message like everybody else gets, I have to touch my key. Now Firefox has good support for it. Actually, Windows 10 now has good support for the hardware-based keys. I don't set it up on every single website I go to, but just the important ones.

Roman Kepczyk: Absolutely.

David Leary: The super ones that I want to make sure nobody can log in unless they have the physical device.

Roman Kepczyk: If it's anything that's financial; [00:11:00] if it's got personally identifiable information, that stuff is what you'd block in there. I've gotten to the point, actually, where I do certain things on my iPad; like when I'm doing browsing and just looking, I just don't do that on my computer, or in my smartphone.

Blake Oliver: Right, because-

Roman Kepczyk: If that gets messed up, no one cares. I don't care. But I do have to use multiple devices. I have a routine I do with my banking online. In the morning, I check all my accounts, because I travel about 120 days a year, so I'm swiping both the company card and my personal card everywhere. Every [00:11:30] morning, I check to see what is impending; you catch things before they get passed through.

Blake Oliver: Pulling things back to firm security, I just want to review what we've talked about so far. We've talked about multi-factor authentication-

Roman Kepczyk: Absolutely.

Blake Oliver: -whether that's a YubiKey, a physical key, or authenticator app on your phone. I don't know if we talked about that, but that's another option. Do you have any recommendations for a firm, like somebody's listening, and they want to get started with it. What do you like?

Roman Kepczyk: Well, one thing we always ... If it's a firm [00:12:00] that does their own network infrastructure and support-

Blake Oliver: Yeah, it's a small firm.

Roman Kepczyk: -ask how much training their internal IT person has. We find that they don't.

Blake Oliver: Yeah, well, they often don't have an IT person-

Roman Kepczyk: Even if they have an external person, ask how much security training they've gotten. It's better to have a third party look at what they're doing and check their work. That's one of the things, within Right Networks ... We have two or three different security providers who are constantly checking us and doing different testing-

David Leary: External security providers.

Roman Kepczyk: External, correct. We have a strong team doing this. You [00:12:30] have to have other people checking because the threats change so rapidly. The hacker groups are professional organizations, and once they learn how to hack one tool, they use that same tool on all similar situations. They've recorded information. They've captured everyone's servers, so they know who to attack. So, you need to constantly be vigilant. You need a team. You can't just have local Joe Screwdriver guy doing it as a part time gig, because we are a target.

Blake Oliver: One [00:13:00] of the problems with some hosting companies is that one firm will get infected, and then it spreads. How do you, at Right Networks, prevent that from happening - a spread within, from firm to firm, from server to server?

Roman Kepczyk: I can tell you that we are a SOC 2-certified data center and all that, and we follow all the protocols for that. We can't tell you what we're doing internally. Our clients know. We have a document that tells them and explains what that is-

David Leary: Don't worry, no hackers are listening to The Cloud Accounting Podcast. You can disclose these things ... [00:13:30]

Blake Oliver: You never know.

Roman Kepczyk: You know, it's a very small world we live in. We all know each other. Everyone knows everyone ...

Blake Oliver: You have ways of putting up walls.

Roman Kepczyk: They're already housed; they're housed separately.

Blake Oliver: Okay, gotcha.

Roman Kepczyk: What happens is, with the three hacks that happened previously, we all learn from them. It's not like CCH, and CTerm were in a vacuum and all that, when it happened. The information was spoken in the background, and all that. We're all in the same game.

David Leary: What recommendations do you have for [00:14:00] accountants and accounting firms, when dealing with their clients' passwords and records? Because you're seeing this a lot with banks ... Only a couple of banks have an ability to, if I wanna add Blake is my accountant, I can invite him to my account, and he has his own username and password, but he has access to my bank account. Lots and lots of bookkeepers and accountants have their clients' usernames, passwords ... Some of them are setting up-

Blake Oliver: For all sorts of things, not just banks.

David Leary: -phone numbers to route through a second-form authentications ... What do you recommend firms do? Would you recommend [00:14:30] don't do it at all, because you're liable?

Roman Kepczyk: There's just no good answer to that, honestly. We find that most commonly what we see is, honestly, a spreadsheet that's encrypted. We know that there's hacker tools for every spreadsheet that's out there that's stored under a weird name on their machine, and we recommend against that. If the client can use the product like a password vault, where there's a one unique code and then that is utilized, that's probably as good as you can get. As a CPA, I've got to say you shouldn't [00:15:00] share your passwords out there, but we know firms are doing it, because they're getting access to those business accounts.

David Leary: Even, I always think ... Which I, even on a personal level, with my wife or my kids, you could email me the username, but then text me the password, or-

Roman Kepczyk: Separate them. Yep.

David Leary: You can never let them travel together in the same conversation.

Roman Kepczyk: No, because there's always one person listening ... Where we're concerned is sometimes, even with the email, good hacker tools now are actually looking out there for those weird ... It's something that's not a word in the English language; it's [00:15:30] really long, or a passphrase, they can pull those out of the texts now. It's scary.

Blake Oliver: Roman, the thing I learned today- today, I learned that these companies exist that will test your employees with fake phishing attacks. What was the name of the service that you like?

Roman Kepczyk: Well, there's three that always show up in the surveys. Number one is called KnowBe4. Then there's PhishMe, phishme.com, and then, Wombat was the third that showed up on our survey.

Blake Oliver: Is [00:16:00] this something that I, as a CPA firm, could sign up for?

Roman Kepczyk: Absolutely. Yeah. It's an annual fee per user. I don't know the prices. I know it came with ... At Right Networks, that we signed up for it, and all 300 of us have to go through it.

Blake Oliver: What a great way to educate your team, because if they fall for it, they know that they won't do it again, or hopefully they won't do it again.

Roman Kepczyk: Correct. Then, the training that follows up - it knows the type of thing you fell for, so they have very specific training for that type [00:16:30] of thing. When you see someone, even if they hover over the name, there's ... If it says like bank.com and has a slash afterwards with a word, that's okay, but it's another dot and another word, we're going down ... They have training on how to look at that specifically.

Blake Oliver: That's great. Well, thanks so much for all this insight on security, Roman. If people wanna follow you online, get in touch with you, where's the best place for them to do that?

Roman Kepczyk: Probably on the Right Networks blog. I write for CPA Practice Advisor, Thomson Reuters. [00:17:00] I write eight columns for the AICPA, and we retain the right to publish those all on RightNetworks.com/blog.

Blake Oliver: All right, and, as always, you can find me on Twitter. I'm @BlakeTOliver.

David Leary: And I'm on Twitter: @David Leary.

Blake Oliver: Thanks for joining us.

Roman Kepczyk: Thank you, guys.

David Leary: Thanks, Roman.

Creators and Guests

#AccountexUSA: Ransomware is rampant
Broadcast by