[BreachExchange] Look first within your business to protect yourself from ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 13 19:51:53 EST 2017


https://www.bizjournals.com/stlouis/news/2017/11/13/look-first-within-your-business-to-protect.html

A well-known national newspaper recently published a series that presents a
bizarre medical case and invites the general public to play “Dr. House” and
identify the health condition. Along those same lines, we present a case of
a cyberattack that disrupted a business.

“Crypto” malware was able to disrupt a business, resulting in hundreds of
thousands of dollars being lost over four days of consecutive downtime.

The company had three layers of network security, including (1) a firewall
with intrusion detection, (2) anti-virus protection, and (3) automated
patch management.

Nonetheless, the entire internal infrastructure was compromised, including
seven servers that hosted business-critical applications. Their CRM,
SharePoint, and project estimating and scheduling systems, which are core to
the way the business operates, were effectively destroyed.

The company even had a file backup system, but the backup was not able to
restore the company’s systems to full functionality.

Despite these defenses, how was the malware able to corrupt the company’s
vital infrastructure so quickly and comprehensively?

Was there an unidentified vulnerability in the security layers?
Was a software patch applied too late?
Did the malware contain a novel, machine-learning algorithm that was able
to adapt and overcome the company’s defenses?

None of these is the correct diagnosis. The cyberattack was in fact
triggered from inside the network by one of the firm’s employees, who
unknowingly downloaded the malicious file. Lack of awareness among internal
users is one of the most common causes of malware infections. In the case
of cyberattacks, we are dealing less with an obscure Dr. House-style
diagnosis than with a persistent common cold virus.

Unfortunately, the company’s backup system added insult to injury. The
company used a tape-backup system that was run on a weekly basis. While the
files on the tape-backup were intact and restorable, the firm lost seven
days’ worth of transaction data, as well as the past week’s entire work
product from every one of its associates.

Similar to recovering from a stubborn cold, the business infrastructure and
data recovery took about five days. The extended timeframe was due mostly
to the weaknesses of the backup system. All the servers and workstations
had to be rebuilt from scratch and all applications re-installed and
re-configured (rather than have a complete image restored) before the last
seven days of data could be reconstructed and re-entered.

Mitigating the risk of a cybersecurity attack

It can seem like new threats emerge every day and malware developers find
new vulnerabilities to exploit on the hour. It is true that the “bad guys”
keep up a relentless pace, and the “good guys” must work ceaselessly to
counter this kind of innovation. However, the best security tools are now
available to all sizes and types of businesses, even those that may think
that advanced security defenses are out of financial or technical reach.

If your business is looking to assess where it stands in terms of
cybersecurity risk and take steps to raise your defenses, we recommend the
following basic initiatives.

Initiative 1: Conduct an information security audit and security risk
assessment

The purpose of a cybersecurity audit is to identify vulnerabilities in your
business. If you know the points of weakness, you can better predict where
cybercriminals can gain entry. An IT infrastructure assessment identifies
out-of-date protections such as anti-virus, anti-malware, and patch
management. Additionally, the network infrastructure scan detects
firewalls, switches, wireless access points, and any peripherals attached
to your network.

An audit can also look beyond the network and the software, at policies,
procedures and employee training. Each of these audit layers results in a
project roadmap to identify updates at network operating system, network
device, and organizational levels.

Initiative 2: Deploy a hybrid cloud backup/business continuity solution

A hybrid cloud backup/business continuity solution minimizes the risk of
downtime in the wake of a cybersecurity attack because backups of data and
applications are stored on both a local device and in a secure cloud
environment. Because the data and applications are virtualized, your
business can define your own risk tolerance in terms of backup frequency. A
virtualized backup environment can allow your business to be up-and-running
within hours, minimizing the business cost of downtime.

Initiative 3: Conduct security awareness training

As with our case-study company, if an associate winds up clicking on a
dangerous ransomware link inside the organization’s network, it’s possible
that all defenses will have no impact, leaving only the backup solution as
the firm’s last line of survival.

Nearly every security audit results in a recommendation to provide more
comprehensive security awareness training. More valuable than trainings
that simply tell a user not to click on a link, or to be wary of certain
kinds of emails or senders, are behaviorally-based security awareness
training programs. Such programs launch real phishing links to users and
provide them with immediate feedback if their actions would have resulted
in a potential threat.

Call to Action: Take a multi-faceted approach to security and security
technology

The daily news reports of hacked corporate data can make cybersecurity
investments feel futile. However, there are steps that every organization
can take to reduce its exposure to these threats. Each additional step can
be the difference between being an insecure institution and being one that
can repel and withstand the vast majority of attacks. Multiple layers of
security solutions reduce the attack surface, prevent attacks on the
network, and alert IT teams to persistent threats so that action can be
taken.