Cyber Extortion is on the Rise.

Here’s How to Guard Against Ransomware Attacks

By Carl Cadregari, Executive Vice President, FoxPointe Solutions | The Bonadio Group

I’VE GOT SOME BAD NEWS.

According to a NordLocker analysis of 1,200 companies in 35 industries around the world that were the victims of cyber extortion between 2020 and 2021, construction is the top industry targeted by ransomware attacks. In the event of a ransomware attack, your company may be prevented from accessing computerized records such as drawings, engineering notes, communications, contracts and change notices as well as the systems and portable devices used daily. This loss of essential access to your data can be catastrophic.

Sophisticated and ever-changing ransomware infections (the malicious software, or malware, that fully encrypts the data on a computer or device, and/or steals that data, and then requires you to pay for the decryption key) have advanced to the point of daily prevalence. The costs associated with these attacks and the damage they do increase nearly every day. Cybercriminals have advanced the capabilities of malware so that it not only encrypts your data but also sends the accessed data externally. And even if you pay, they can come back to extort more funds and cause additional data breaches.

A recent U.S. government interagency report found that, on average, there are thousands of daily ransomware attacks, and cybercrime damages are expected to exceed $6 trillion annually in the next 12 months.

Ransomware exploits human and technical weaknesses to gain access to data and technical infrastructure, and then denies an organization access to its own data by encrypting it. Ransomware is likewise known to carry additional malicious payloads, including spyware that steals and then exfiltrates usernames and passwords, non-public information (NPI), and other confidential information about the computer, the user, and the data used by the organization. Given how lucrative it is for those who deploy it, one can assume these attacks will continue to grow.

Fortunately, there are measures known to be effective in preventing the introduction of ransomware and recovering from an attack. Here are several areas that, with proper implementation and ongoing assessment, will help support your efforts in ransomware attack prevention and recovery from a general data privacy and cybersecurity perspective.

Complying With Data Privacy And Cybersecurity Laws

The data you use must be assessed at least annually to confirm you are meeting the laws and regulations for utilizing that data. It is mandatory that covered organizations and their business associates (vendors, third-party, etc.) conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the protected data the entity creates, receives, maintains, or transmits or otherwise interacts with.

It is expected that organizations will use a documented and standard process of risk analysis and risk management that satisfies the specific standards and implementation specifications of the laws. It is likewise expected the organization is implementing security measures to a reasonable and appropriate level to protect that data.

Vendors And Other Third-Party Contracts

An effective vendor management program is key to your ongoing protections. You need to know how, where, and when your vendor will protect your data. Not all vendor contracts share the protections with you, and many place the full burden on you. It is critical that you understand what the responsibilities of both parties are, and that you bind the vendor, via those contracts, to meet your needs.

A program with at least annual vendor audits is required in many instances and should be in place now.

Additional Guidance

Here are some ongoing prevention controls to consider:

1. Conduct ongoing, documented and thorough information security risk assessments

Maintain an ongoing information security risk assessment program that considers new and evolving threats and adjusts to changing standards for user authentication, layered security, and other controls in response to identified risks. Identify, prioritize, and assess the risk to critical systems, including threats to applications that control various system parameters and other security and fraud prevention measures. In addition, ensure that third-party service providers meet your expectations, not theirs.

2. Securely configure systems and services

Protections such as patch management, logical network segmentation, offline backups, air gapping, maintaining an inventory of authorized devices and software, consistency in configuration, physical segmentation of critical systems, and other controls may mitigate the impact of a cyber-attack involving ransomware.

3. Protect against unauthorized access by:

● Limiting the number of credentials with elevated privileges across the organization, especially administrator accounts, and limiting the ability to easily assign elevated privileges that access critical systems.

● Reviewing access rights twice a year to reconfirm access approvals are appropriate to the job function.

● Establishing stringent expiration periods for unused credentials, monitoring logs for use of old credentials, and promptly terminating unused or unwarranted credentials.

● Implementing multi-factor authentication for systems and services (e.g., virtual private networks) and for access to any data.

4. Perform security monitoring, prevention, and risk mitigation

Monitor system alerts to identify, prevent, and contain attack attempts from all sources. Wherever possible, implement an Endpoint Detection & Response (EDR) solution and Mobile Device Management (MDM) applications.

5. Update training programs

Conduct mandatory information security awareness training across the organization at hire and at least annually. This should include how to identify, prevent, and report phishing attempts and other potential security incidents. Ensure the training reflects the functions performed by employees, and if possible, include random email phishing and social engineering tests.

6. Implement and regularly test controls around critical systems

Ensure that appropriate controls, such as access control, segregation of duties, audit, fraud detection, and monitoring systems are implemented for systems based on risk by:

● Limiting the number of sign-on attempts for critical systems and locking accounts once such thresholds are exceeded. Implementing alert systems to notify employees when baseline controls are changed on critical systems.

● Testing the effectiveness and adequacy of controls at least annually.

● Encrypting sensitive data on all portable, internal, and external facing data storage devices and systems, for data in transit and, where appropriate, at rest.
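The two log-based checks recommended above, monitoring for use of old credentials (item 3) and locking accounts that exceed a sign-on attempt threshold (item 6), can be illustrated with a small piece of detection logic. This is example code added here, not a tool from the author or FoxPointe Solutions; it assumes a 90-day dormancy period, a limit of five failed sign-ons within ten minutes, and a constructed three-field log format (timestamp, user, result).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DORMANT_DAYS = 90                    # assumed expiration period for unused credentials
FAIL_THRESHOLD = 5                   # assumed failed sign-on limit before lockout
FAIL_WINDOW = timedelta(minutes=10)  # assumed window in which failures are counted

# Constructed sample authentication log lines (not real data): "ISO-time user result".
SAMPLE_LOG = """\
2024-03-01T08:00:00 alice success
2024-06-01T08:05:00 bob success
2024-06-20T09:00:00 alice success
2024-06-20T09:01:00 bob success
2024-06-20T09:01:10 bob failure
2024-06-20T09:01:20 bob failure
2024-06-20T09:01:30 bob failure
2024-06-20T09:01:40 bob failure
2024-06-20T09:01:50 bob failure
2024-06-20T10:00:00 carol success
"""

def parse_events(text):
    """Yield (timestamp, user, result) tuples from 'ISO-time user result' lines."""
    for line in text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            yield datetime.fromisoformat(ts), user, result

def analyze(text):
    """Return dormant-credential reuse and accounts that hit the failure threshold."""
    last_success = {}                 # user -> time of previous successful sign-on
    failures = defaultdict(deque)     # user -> failure timestamps inside FAIL_WINDOW
    findings = {"dormant_reuse": [], "locked": []}
    for ts, user, result in parse_events(text):
        if result == "success":
            prev = last_success.get(user)  # first-ever sign-on has no prior record
            if prev is not None and ts - prev > timedelta(days=DORMANT_DAYS):
                findings["dormant_reuse"].append((user, (ts - prev).days))
            last_success[user] = ts
        elif result == "failure":
            window = failures[user]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:   # drop failures older than the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and user not in findings["locked"]:
                findings["locked"].append(user)   # lock and alert once per account
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In the constructed sample, alice signs on again 111 days after her previous success and is flagged, while bob is locked on his fifth failure within the window.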

7. Document, review, update, and test computer security incident response and business continuity plans periodically but no less than twice annually

Test the effectiveness of incident response plans at the organization and with third-party service providers to ensure that all employees, including individuals responsible for managing risk, information security, vendor management, fraud detection, and customer inquiries, understand their respective responsibilities and their organization’s protocols. Ensure processes are in place to update, review, and test incident response and business continuity plans addressing cybersecurity threats involving extortion. Ensure that incident response and business continuity plans are updated to address notification of service providers, including Internet service providers (ISPs), as appropriate, if the organization suspects that a DDoS attack is occurring.

8. Utilize the standard practice for backing up data (known as the 3-2-1 rule)

● (3) Create at least three copies of the data;

● (2) In two different storage formats;

● (1) With at least one copy located offsite and if needed, air gapped.

9. Participate in industry information-sharing forums

Incorporate information sharing with other organizations and service providers into risk mitigation strategies to identify, respond to, and mitigate cybersecurity threats and incidents. Since threats and tactics change rapidly, participating in information-sharing organizations can improve an organization’s ability to identify attack tactics and to mitigate cyber-attacks involving ransomware malware on its systems successfully. In addition, there are government resources, such as the U.S. Computer Emergency Readiness Team (US-CERT), that provide information on vulnerabilities.

There is no one silver bullet that will protect you and your data. The programs and processes noted above must work in concert with all your other controls to be effective; however, you must still be prepared to respond to an event or breach, and that requires auditing, assessing, training, and testing diligence across your environment.

The Bonadio Group introduced a new brand, FoxPointe Solutions, in 2019 to support businesses’ growing and evolving needs for information risk management (IRM). FoxPointe Solutions offers a full range of IRM services, including cybersecurity, HITRUST, PCI compliance, IT internal audit, penetration testing, and more.

Carl Cadregari, executive vice president in FoxPointe Solutions’ Information Risk Management Division, has more than 28 years of experience providing actionable technology, cybersecurity and data governance architecture, controls auditing and general cybersecurity planning.
