[BreachExchange] How to Prevent Ransomware and Cyberattacks

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 14 14:58:27 EDT 2017


http://infosecisland.com/blogview/24955-How-to-Prevent-Ransomware-and-Cyberattacks.html

The impacts of ransomware and other breaches, which exploit failures in
risk management, are preventable. The WannaCry ransomware attack was the
most widespread of its kind in history. It took advantage of a Windows
vulnerability – one detected and resolved months ago – encrypting victims’
data and demanding a ransom payment for decryption.

More recently, many organizations in Europe and the US have been crippled
by a second ransomware attack, known as “NotPetya” or “GoldenEye.” NotPetya
was a malicious, destructive attack disguised as ransomware.

The scope and speed of these new attacks are major wakeup calls for
organizations around the globe; an attack can come at any time, and failing
to implement a strong prevention strategy is a recipe for disaster. Often,
when a cyberattack is resolved (or even while it’s still ongoing),
unaffected organizations may instinctively dismiss its significance,
assuming the dangerous mindset that their business’ operations are
different and won’t be affected. This frame of mind fails to acknowledge
that mistakes made by cyberattack victims are typically shared by many
others.

Consider the ever-increasing capabilities of cyberattackers. Constantly
improving technologies allow attackers to evolve their strategies, find new
points of entry, and make themselves harder to detect. Your security and
business continuity programs must stay one step ahead of this evolution, a
process that requires implementation across departments and levels.

Cyberattacks – alongside all risk management failures – are entirely
preventable with good governance and integrated risk management processes.
The standardization and automation of these components does not require a
revolution in your operational structure. They are achieved by using
centralized monitoring and policy operationalization, making sure you
adhere to best practices without exception. Senior leadership can then use
the information gathered to make informed strategic decisions.

The traditional understanding of departmental interaction – namely that
each department conducts its own operations and is most qualified to
evaluate its own risk profile – creates cracks through which incidents and
attacks can slip. A truly integrated approach, requiring strong governance
and board oversight, illuminates vulnerabilities shared by departments.
This allows for efficiency (and efficacy) through collaboration and
allocation of responsibilities.

Poor governance and operationalization have led to risk management failures
including those seen at Target, Ashley Madison, Dwolla, and Wendy’s. These
breaches would have been prevented not with complex, expensive technology,
but with improved governance processes.

Strengthening Cybersecurity and Preventing Surprises with Good Governance

Enterprise risk management accomplishes more than simply identifying new
risks and to-do items. By revealing the interdependencies and interactions
between departments, applications, vendors, and other resources, it closes
the gap between policies and everyday operations. This makes it easier to
resolve known issues and prevent scandals. For example, which applications
contain sensitive data that might have a material impact on your
reputation? Which departments use those applications, and which policies
and controls (if any) currently address those weaknesses? Are these
policies and other mitigation activities effective in addressing this risk?

Going back to WannaCry, prevention would have been as simple as automated
alerts. Alerts would have prompted verification that appropriate Windows
patches were implemented, followed by a report of all critical systems not
covered by patch deployments. This is a good example of the importance of
governance over existing processes, as opposed to the wasteful alternative
of expensive technology solutions that may not even address future issues.

It’s a known fact in the security community that, due to human or
technology errors, 10-15% of authorized, scheduled patches are not
implemented. The resulting vulnerabilities are often detected by the “right”
people (in this case, Windows itself) before the “wrong” people find them,
but when fixes aren’t implemented punctually, the risk remains.
Notifications remove the possibility that the risk goes unaddressed.
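The automated alert and “critical systems not covered” report described above can be produced from an ordinary asset inventory joined to patch-deployment status. The following is an added example, not code from the article or its author; the inventory, host names and the patch identifier `PATCH-EXAMPLE-001` are constructed placeholders, and the 90% coverage floor is an assumed threshold chosen to sit above the 10-15% failure rate the article cites.

```python
"""Patch-coverage report: find critical systems not covered by a required patch.

Added example, not part of the original article. The inventory below and the
patch identifier "PATCH-EXAMPLE-001" are constructed placeholders; a real run
would read a patch-management or CMDB export instead.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Host:
    name: str
    critical: bool                                     # business-critical flag from the asset inventory
    installed: Set[str] = field(default_factory=set)   # patch ids the host reports as installed


def hosts_missing(hosts: List[Host], patch_id: str) -> List[Host]:
    """Hosts that do not report the required patch as installed."""
    return [h for h in hosts if patch_id not in h.installed]


def patch_report(hosts: List[Host], patch_id: str, target: float = 0.90) -> Dict:
    """Summarise coverage for one patch and list the critical systems still exposed.

    'target' is the minimum acceptable coverage (assumed 90%); any critical
    gap raises an alert regardless of how good overall coverage looks.
    """
    gaps = hosts_missing(hosts, patch_id)
    coverage = 1.0 if not hosts else 1 - len(gaps) / len(hosts)
    critical_gaps = sorted(h.name for h in gaps if h.critical)
    return {
        "patch": patch_id,
        "coverage": round(coverage, 3),
        "below_target": coverage < target,
        "critical_gaps": critical_gaps,
        "alert": bool(critical_gaps) or coverage < target,
    }


# Constructed inventory: the patch reached most hosts but missed one critical
# file server and one non-critical laptop.
REQUIRED_PATCH = "PATCH-EXAMPLE-001"
INVENTORY = [
    Host("dc01", True, {"PATCH-EXAMPLE-001"}),
    Host("fileserver01", True, set()),
    Host("web01", True, {"PATCH-EXAMPLE-001"}),
    Host("db01", True, {"PATCH-EXAMPLE-001"}),
    Host("backup01", True, {"PATCH-EXAMPLE-001"}),
    Host("hr-laptop-03", False, set()),
    Host("finance-ws-11", False, {"PATCH-EXAMPLE-001"}),
    Host("kiosk-02", False, {"PATCH-EXAMPLE-001"}),
]

if __name__ == "__main__":
    report = patch_report(INVENTORY, REQUIRED_PATCH)
    print(f"{report['patch']}: coverage {report['coverage']:.0%}")
    for name in report["critical_gaps"]:
        print(f"  ALERT: critical system not patched: {name}")
```

The report separates two signals: overall coverage, which tracks the schedule-drift problem the article quantifies, and the list of critical hosts still exposed, which is what the alert should actually page someone about.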

Mitigating risks presented by any cyberattack can take place at your
organization today. If necessary, the following steps can be performed on a
manual basis, but for long-term sustainability, use a centrally managed,
risk-based approach.

Off-site backups are your first and most basic line of defense. Frequency
and scope will be different for each organization; your security team
should collaborate with senior leadership to determine minimum standards.
Has a restoration test been performed, ensuring that your infrastructure
and applications can be restored? Can back-up data actually
be used within your stated recovery time objective (RTO)? Your RTO is the
maximum “downtime” window that can be tolerated for a particular process
before financial, reputational, or legal damage occurs.

Most organizations have formal internal policies, but few identify the
risks associated with these policies. After risks are identified, regular
tests and notifications verify that those risks are mitigated.
Backups take time, and without using a risk-based approach to prioritize
data and the application infrastructure, much existing activity is wasted.
The relationships between your people and resources, once identified,
reveal what is integral to critical functions.

Backups form one piece of your overall business continuity and disaster
recovery (BC/DR) plan. The BC/DR plan must not just be created, but tested
regularly. Most back-up systems only preserve data, not the
application infrastructure. Doing so requires a second level of testing;
can the applications and infrastructure be reestablished, and will they be
compatible with restored data? Test your organization’s ability to
implement a “clean recovery,” or total restoration of all data. The program
cannot be made fully operational until those regular tests are implemented.
Without an operationalized BC/DR program, it’s difficult to impossible to
recover from an attack within the required timeframe.
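The two paragraphs above describe three checks a restore test must answer: was the data restored within the RTO, was the application infrastructure rebuilt (the “second level of testing”), and does the rebuilt application work against the restored data. The following is an added example, not code from the article; the process names, RTOs and timings are constructed placeholders standing in for a real test log.

```python
"""BC/DR restore-test evaluation: does each process recover within its RTO,
with application infrastructure rebuilt and working against restored data?

Added example, not part of the original article. The test records below are
constructed; process names, RTOs and measured timings are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RestoreTest:
    process: str
    rto_minutes: int        # agreed maximum tolerable downtime for this process
    restore_minutes: int    # measured wall-clock time for the full test
    data_restored: bool     # backup data was readable after restore
    app_restored: bool      # second-level test: application/infrastructure rebuilt
    compatible: bool        # rebuilt application works against the restored data


def evaluate(test: RestoreTest) -> List[str]:
    """Return the findings for one restore test; an empty list means it passed."""
    findings = []
    if not test.data_restored:
        findings.append("data restore failed")
    if not test.app_restored:
        findings.append("application infrastructure not restored")
    elif not test.compatible:
        findings.append("restored application incompatible with restored data")
    if test.restore_minutes > test.rto_minutes:
        findings.append(
            f"restore took {test.restore_minutes} min, exceeds RTO of {test.rto_minutes} min"
        )
    return findings


def bcdr_report(tests: List[RestoreTest]) -> Dict[str, List[str]]:
    """Findings per process for a whole test cycle."""
    return {t.process: evaluate(t) for t in tests}


def clean_recovery_possible(tests: List[RestoreTest]) -> bool:
    """True only when every tested process passed every check: the bar for
    calling the BC/DR program operational."""
    return all(not findings for findings in bcdr_report(tests).values())


# Constructed test cycle: one clean pass and three distinct failure modes.
TESTS = [
    RestoreTest("payroll", 240, 180, True, True, True),
    RestoreTest("order-entry", 60, 95, True, True, True),
    RestoreTest("customer-portal", 120, 90, True, False, False),
    RestoreTest("reporting", 480, 300, True, True, False),
]

if __name__ == "__main__":
    for process, findings in bcdr_report(TESTS).items():
        status = "PASS" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{process:16} {status}")
    print("clean recovery possible:", clean_recovery_possible(TESTS))
```

Note that a process whose data restores fine but whose application cannot be rebuilt (customer-portal) fails even though it came in well under its RTO; that is exactly the gap a data-only backup check would miss.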

Most organizations also understand access rights from a policy point of
view. However, are access rights managed effectively for all users? The
principle of least privilege, by which a company grants employees only the
access they need to perform their duties, limits vulnerability without
compromising efficiency. Begin this process by implementing and enforcing
password complexity/change requirements. Rights then need to be defined and
updated regularly by engaging front-line managers. Ransomware and breaches
target the weakest links in an organization, often through vendors and
supply chains.
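Keeping rights “defined and updated regularly by engaging front-line managers” amounts to an access review: compare what each account actually holds against what its role is approved for and hand the excess to the manager who owns the role. The following is an added example, not code from the article; the roles, permission strings and accounts (including the vendor account) are constructed placeholders.

```python
"""Least-privilege access review: compare each account's actual grants with
the set its role is approved for, and report the excess for manager review.

Added example, not part of the original article. Role names, permission
strings and accounts are constructed placeholders.
"""
from typing import Dict, List, Set

# Approved entitlements per role, as signed off by the front-line managers.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts-payable": {"erp:invoices:read", "erp:invoices:approve"},
    "helpdesk": {"ad:password-reset", "ticketing:read", "ticketing:write"},
    "vendor-support": {"ticketing:read"},
}


def excess_rights(role: str, grants: Set[str]) -> Set[str]:
    """Rights the account holds beyond its role's approved baseline."""
    return grants - ROLE_BASELINE.get(role, set())


def access_review(accounts: List[dict]) -> Dict[str, List[str]]:
    """Return only the accounts that need attention, with the reason for each."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        if acct["role"] not in ROLE_BASELINE:
            # No baseline means nothing can be compared; the role itself needs an owner.
            issues.append(f"no approved baseline for role '{acct['role']}'")
        else:
            for right in sorted(excess_rights(acct["role"], acct["grants"])):
                issues.append(f"excess right: {right}")
        if issues:
            findings[acct["user"]] = issues
    return findings


# Constructed account export: one clean user, one over-privileged helpdesk
# user, one vendor account that has drifted, and one account with no role.
ACCOUNTS = [
    {"user": "alice", "role": "accounts-payable",
     "grants": {"erp:invoices:read", "erp:invoices:approve"}},
    {"user": "bob", "role": "helpdesk",
     "grants": {"ad:password-reset", "ticketing:read", "ticketing:write", "ad:domain-admin"}},
    {"user": "vendor-acme", "role": "vendor-support",
     "grants": {"ticketing:read", "erp:invoices:read"}},
    {"user": "carol", "role": "contractor", "grants": {"ticketing:read"}},
]

if __name__ == "__main__":
    for user, issues in access_review(ACCOUNTS).items():
        print(user)
        for issue in issues:
            print("   ", issue)
```

Running this on each review cycle, and routing each role's findings to the manager who approved the baseline, turns the policy statement into a recurring, checkable control; the vendor account is the case the article singles out, since third-party access tends to accumulate rights nobody re-examines.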

With an ERM solution, you can maintain an effective asset management
process by determining which applications, devices, and other resources
require access rights protection. The next step is to create transparency
into how effective policies are over these processes.

Through good governance, you can make sure everyday activities are aligned
with leadership’s strategic goals. An integrated risk management approach
reduces overall exposure and allows the organization to better leverage
existing assets and prevent potentially disastrous disruptions like the
WannaCry attack – without using additional budget to security technologies.