Tuesday, February 11, 2020
piece from the New York Times that shows the devastation a ransomware attack can cause. A ransomware attack used to be little more than an annoyance. If you got hit, you would just restore your important files from back-ups and carry on with your day. (You did make back-ups, didn't you?) Then, likely as a result of the increased threat of ransomware, we started backing up everything, all the time. Then the hackers started encrypting our back-ups too, since they were on the network. Now the hackers are being much more selective in their targets and going after enterprises large enough to make for a great pay-day. But those large enterprises wouldn't always pay. Now smaller businesses would get hurt by the downtime experienced by the larger players in the supply chain. So the hackers started sharing sensitive files to prove that they had them, adding blackmail to the ransom. (Hey, in for a penny, in for a pound. Right?) The internet is crying out for a solution, but few are on offer. Unfortunately, there is no magic bullet.
What the problem calls for is some good old-fashioned risk analysis and mitigation. Ransomware works because your data is valuable... even if to nobody else but you. If the hackers can't get at your data, you're golden. Unfortunately, most networks are completely open once the firewall is breached. (You did set up a firewall, didn't you?) Now, before you start envisioning hackers wheeling some medieval war machine up to the edge of a moat, consider that the majority of security breaches are initiated from the inside. Social engineering is responsible for more security violations than any other penetration method. So before you spend any money hardening your network, harden your staff. This involves more than just circulating a memo telling everyone to be careful. There are companies dedicated to security awareness training precisely because it is hard work. However, purely from a bang-for-the-buck perspective, instilling a security mindset in your employees is the best investment.
Next on the risk-awareness parade is locking your doors. It is a security best practice to grant access only to those who have a reason for it. Many, if not most, organizations mount network drives by default. While that makes getting and transferring data quicker, it also makes it easy for hackers to travel from one computer to the entire network. As a result, the hacker often only needs to fool one person to get at everyone. Restricting access to other network devices to only the time that it is actually needed will stop an attacker from being able to browse with ease. Should all documents be available to everybody? Probably not, at least not all the time. Should database backups be available to the whole team? I doubt it. A hardened network may be inconvenient for your employees, but it is probably less inconvenient than looking for a new job because the company was shuttered after an attack.
Now that we have locked our doors, let's put things away. As mentioned earlier, the current trend among ransomware hackers is to look for files or data that may be sensitive and steal it to use as blackmail if the ransom is not paid. This is where protecting data at rest comes into play. If all hard drives, devices, and databases are encrypted, the hackers won't have any way of knowing what is sensitive, and won't be able to use it as leverage.
This brings me to the backups themselves. Your risk analysis is going to have to take into account managing your backups. Backing up your databases and documents is only a small part of the equation... important, yes, but small. What good are the backups if you cannot access them? The ability to retrieve the data from backups is the real goal. Doing it quickly enough is almost as important. When considering the risk of a ransomware attack, one must consider how long the network can be shut down before losses become critical. For some companies, an hour may feel like an eternity. For others, a week could go by and they could still recover. For the latter, it may be sufficient to do daily backups and rotate them to off-site storage once a week. For the former, a near real-time duplicate network and database may be the only option.
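To make the backup reasoning above concrete, here is an added example (my own illustration, not from the original post) that scores a constructed inventory of backup copies against a business's downtime and data-loss tolerance: a copy only counts if it is off the production network, recent enough, restorable fast enough, and proven by a recent trial restore. The location labels, tolerances and sample copies are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class BackupCopy:
    name: str
    taken_at: datetime                      # when the copy was made
    location: str                           # "network_share", "offsite", "offline_tape" or "replica" (hypothetical labels)
    last_restore_test: Optional[datetime]   # last successful trial restore, if any
    restore_minutes: int                    # measured time to bring the data back

def reachable_from_network(copy: BackupCopy) -> bool:
    """A copy on a mounted share is reachable by an attacker with one foothold,
    so assume it gets encrypted along with the production data."""
    return copy.location == "network_share"

def assess(copies: List[BackupCopy], now: datetime, max_data_loss: timedelta,
           max_downtime: timedelta, test_max_age: timedelta = timedelta(days=30)
           ) -> Tuple[bool, List[str], List[str]]:
    """Return (ok, usable copy names, findings). ok is True only if at least one
    copy is off the network, recent enough for the data-loss tolerance,
    restorable within the downtime tolerance, and proven by a recent test."""
    usable, findings = [], []
    for c in copies:
        if reachable_from_network(c):
            findings.append(f"{c.name}: on a network share, assume it gets encrypted too")
        elif now - c.taken_at > max_data_loss:
            findings.append(f"{c.name}: {(now - c.taken_at).days}d old, exceeds data-loss tolerance")
        elif timedelta(minutes=c.restore_minutes) > max_downtime:
            findings.append(f"{c.name}: restore takes {c.restore_minutes} min, exceeds downtime tolerance")
        elif c.last_restore_test is None or now - c.last_restore_test > test_max_age:
            findings.append(f"{c.name}: no successful restore test in {test_max_age.days}d")
        else:
            usable.append(c.name)
    return (bool(usable), usable, findings)

# Constructed sample inventory (hypothetical, not from any real environment)
NOW = datetime(2020, 2, 11, 9, 0)
COPIES = [
    BackupCopy("nightly-share", NOW - timedelta(hours=10), "network_share", NOW - timedelta(days=3), 30),
    BackupCopy("weekly-offsite", NOW - timedelta(days=5), "offsite", NOW - timedelta(days=12), 8 * 60),
    BackupCopy("hot-replica", NOW - timedelta(minutes=2), "replica", NOW - timedelta(days=20), 15),
]

if __name__ == "__main__":
    # A business that can survive a week needs far less than one that cannot survive an hour
    for label, loss, down in [("week-tolerant", timedelta(days=7), timedelta(days=7)),
                              ("hour-tolerant", timedelta(hours=1), timedelta(hours=1))]:
        ok, usable, findings = assess(COPIES, NOW, loss, down)
        print(label, "OK" if ok else "AT RISK", usable, findings)
```

The week-tolerant business passes on the off-site rotation alone, while the hour-tolerant one passes only because of the replica; drop the replica and it is at risk despite having two backups.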
Obviously, this brief discussion is sadly superficial. Each business or organization is different, and each requires a different set of components in its security strategy. The security measures themselves must also be applied within reason. Too strict, and the employees will find ways around them. Too loose, and they serve no purpose. The real message here is: don't just wring your hands in fear. Take a strategic look at the threats you face and align your response with your risk tolerance, as you would with any investment.