By Randy Wheeler, NYSTEC Information Security Consultant
One thing is certain in 2017: the threat landscape continues to increase at an exponential rate, and so do the business risks. In my opinion, one of the biggest threats—with the greatest level of impact—is ransomware.
Challenges Shared by All
Like all threats, ransomware is gaining momentum in both sophistication and severity of impact. PC Magazine defines ransomware as “Virus software that blackmails users by encrypting their hard drives or locking them out of the computer. It then demands payment to restore it.”
If organizations fall prey to a ransomware attack, they could choose to pay the ransom—however, paying the ransom proves to hackers that ransomware works. What’s more, there’s no guarantee that if you pay the ransom, you’ll get access to your hacked files. The best recovery method is to have recent backups to restore, but many organizations fail here.
The reality is that ransomware is spreading. McAfee reported that between 2014 and 2015, ransomware across sectors nearly tripled in volume—and new variations more than quadrupled. In 2016, total ransomware grew 80%. Simply put, your organization is at risk.
If the threat of ransomware is enough to make you lose sleep, take heart: You can still protect your organization. Ask yourself:
- How prepared are you for a ransomware attack?
- Are you doing all that you can to prepare for a ransomware attack? Do you have the right resources and talent on hand?
- How informed is your executive team, and do you have the right level of commitment and funding in support of your strategic plan?
Identifying these challenges will help better define your tactical and strategic security goals.
Tactical Adjustments: Preventive Defense
Below are tips on how to minimize the risks from known ransomware threats and vulnerabilities.
- Ensure that all of your important systems are properly backed up and that backups are stored in a safe, offline location.
- Implement well-defined security policies, standards, controls, and procedures for compliance and accountability.
- Execute a robust security awareness program to reduce the risk of unsecure behaviors, such as visiting malware-infected websites.
- Ensure that your training plans develop the in-depth skills required to utilize effectively the security tools and investments being made by your company.
- Increase network sub-netting and firewall/Intrusion Prevention System (IPS) to lessen the risk of compromise throughout the enterprise.
- Mature your group policy structure so that privileged accounts have a higher level of control and protection (e.g., multifactor authentication, restricted use, distribution of authority).
- Streamline patch management to remediate known vulnerabilities quickly.
- Put in place thoroughly defined incident response, risk assessment, and audit programs that are fully supported by your staff.
- Include encryption and certificate management, both of which are critical in securing confidential/protected information.
- Mature your reporting of work being done to support asset, risk, and impact assessments (quantitative and qualitative), as well as Business Continuity and Disaster Recovery (BC/DR) plans.
Strategic Adjustments: Proactive defense
The cybersecurity industry is maturing to address the challenges of ransomware and other threats. The following are strategic initiatives to consider in your long-term security plans.
- Grow the sources from which you learn about current threats and how they function, and continue to develop your intelligence networks for information gathering and sharing. (Be sure to use only trusted sites when doing your research.)
- Subscribe to external Open Source Intelligence (OSINT) feeds specific to malware, which may provide insight into the latest techniques used to bypass security defenses. (Note that Ransomware-specific OSINT sites are limited.)
- Mature your use of global threat awareness offerings that automatically update your systems to protect against behaviors associated with “zero-day” threats, which exploit an unknown computer security vulnerability.
- Consider migrating toward cloud-based services for additional advanced security capabilities.
- Establish performance baselines on network, system, application, and end-point devices. This will greatly improve your monitoring abilities to identify unusual or unsecured behaviors.
- Start researching Data Loss Protection (DLP) technologies and the skills required to enhance your control of outbound traffic to ensure security compliance.
- Back up your data. Because restoring the data in a timely manner can often be a challenge (especially if a large volume of data needs to be recovered), leverage virtualization technology to help streamline the recovery process. For example, a Virtual Desktop Infrastructure (VDI) used internally can greatly minimize the time and effort required to restore a compromised system. Be sure to incorporate point-in-time copies of critical data into your BC/DR planning.
- Leverage Security Information and Event Management (SIEM) solutions to centralize critical system logs and customize dashboards so that they quickly display useful information.
- Leverage in-depth forensic assessment and researching skills on how ransomware variances are constructed, how they behave, and what threat vectors or vulnerabilities they target. This will enable you to define custom rules within your security tools (Firewall, IPS/IDS, DLP, AV, AMP, URL Filtering, etc.) to alert you to unauthorized activity or system changes.
- Look for ways to lower the risk of ransomware attacks quickly and cost effectively. For example, quarantine all inbound messages with .ZIP or .RTF attachments and manually review until you have an automated means in place that is proven effective in eliminating these threats or lowering the risk to an acceptable level.
The threat of ransomware doesn’t have to keep you up at night. If you understand the risks, identify your organization’s challenges, and develop a plan that defines both tactical and strategic change—one that includes investing in the right technologies and developing the in-depth knowledge and skill on how to leverage those technologies effectively—you will position your organization to be better prepared for the constantly changing threat landscape.
Links in this article are provided because they have information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.