The zombie apocalypse is frequently mentioned in literature and pop culture. Some have even taken steps to protect against this fictitious threat. However, there is a threat that is much more likely and very devastating to businesses and individuals alike. I am referring to the encryption apocalypse caused by ransomware. Just as zombies turn intelligent humans into mindless beings driven by instinct, ransomware threatens to turn our valuable data into an unintelligible collection of bits and bytes.
Ransomware is a concern for more executives, especially after the large number of ransomware attacks that took place in 2017. However, tools and techniques are available to survive the encryption apocalypse, and they can be divided into five main sections; data protection, cyber hygiene, training, incident response, and governance.
Ransomware targets important organizational data, so the first step in surviving the encryption apocalypse is to ensure that essential data is backed up. Organizations should conduct a thorough review of the data that exists on their systems, clouds, and BYOD devices and whether that data is present elsewhere. Next, determine which information is valuable and ensure that it is included in backup solutions.
Once a company identifies their data and configures backups for it, those backups must be tested. Restore testing is a process where data is restored and validated. Companies typically choose a sample set of data that is representative of the data types and system types. This data is then restored, and metrics are tracked to determine how much time it takes to perform the restoration. The restored data is then validated for data integrity and usability. Restore testing can identify problems with the backup solution such as lengthy restore processes, corrupt data, or additional processes that are required to make the data available or usable by end users. Such problems should be resolved promptly so that the company can have assurance of their backups when an incident happens.
Third, data protection solutions should involve a level of segmentation from the production systems. For example, data on a network may be archived to a local backup server, but then this data is replicated to the cloud or stored on backup tapes. This segmentation prevents ransomware from affecting both the production systems and the backups at the same time.
Cyber hygiene is the next major area that should be tackled to survive the encryption apocalypse. Cyber hygiene includes patch management, vulnerability scanning, system hardening, monitoring, auditing, and antimalware protection. As new vulnerabilities are discovered, software and hardware vendors will deliver patches to address these vulnerabilities. It is important for companies to have a defined process and a system of accountability to ensure that patches are deployed on a timely basis to all machines. A single missed system can be the weakest link that allows ransomware onto the network.
Vulnerability scanning can alert IT and security staff to weaknesses in systems. These could include configurations that do not meet best practices or unpatched system flaws. Organizations should have a defined method to remediate vulnerabilities through configuration changes or virtual patches that sit in front of vulnerable components until a vendor-supplied solution is available. Vulnerability scanning should regularly be performed to ensure that vulnerabilities are discovered in a timely manner.
System hardening is the process of configuring a machine to do only what is required for its function and nothing more, so as to minimize the attack surface and the exploitability of the machine. User accounts and system configuration parameters, services, and other components are evaluated and refined in the system hardening process.
Monitoring is essential for containing an incident and for preventing incidents. Incident indicators from the logs of network devices, servers, workstations, and other monitored nodes can be correlated and analyzed to identify threats. It is essential that companies have an understanding of what their normal activity looks like so that outliers can be detected.
Auditing is also important to ensure that security systems are appropriately configured, and organizational policies followed. Auditing provides accountability and assurance for security systems and procedures.
Lastly, antimalware protection is required to stop malicious code from executing on endpoints and other managed devices. Antimalware systems should be configured with a central management tool as well as notifications so that malware can be quarantined and to ensure that each system is running the latest version of the software and definitions. Network access control can be implemented to restrict the capabilities of machines that do not have current definitions or required security settings.
Employee training can go a long way in protecting against ransomware. The most widely used method of distributing ransomware is through phishing messages. These rely on users to perform some action such as clicking a link, opening an email, downloading an attachment, or running software. Training can improve the likelihood that employees will recognize phishing tactics and not interact with phishing messages. Companies need to train, not only on email phishing, but also social media, text, voicemail, and phone-based social engineering tactics that may be used by criminals to distribute malware or otherwise gain access to organizational resources.
Training should regularly be performed because people tend to forget what they have learned and to stay up-to-date on the latest tactics and techniques employed by cybercriminals. Augment in-person training with on-demand options, assessments, and then test your users by sending them test phishing messages. This will help identify areas or people that may need additional training.
It is critical to act promptly and correctly when an incident strikes. This requires a well-trained incident response team and a mature incident response plan. Develop incident response plans to address ransomware incidents specifically. Review the document and use tabletop exercises to improve the quality of the plan. Next, conduct drills to ensure that the incident response team is intimately familiar with their function and tasks in incident response. A mature plan and a well-trained team and be the difference between a minor incident and a disaster.
The fifth secret to surviving the encryption apocalypse is governance. Establish the high-level direction from senior management that will put these systems in place and create a culture that cares about cybersecurity. Ensure that employees are well aware of company policies and their responsibility when it comes to cybersecurity. Cybersecurity is part of everyone’s job role, and a company will function best when people are working together to protect company and customer information.
These five secrets, data protection, cyber hygiene, training, incident response, and governance are the keys to weathering a ransomware incident without significant loss to critical business systems and data. Ransomware is predicted to be even more prevalent in 2018, but the tools and techniques to protect against it can be yours.