[BreachExchange] Don’t Get Complacent About Ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 15 20:42:57 EST 2016


http://www.infosecurity-magazine.com/opinions/dont-get-complacent-about/

When you live and breathe IT and information security, it is easy to forget
that not everyone in your organization is on the same page.

What we forget is that not all employees within our organization are as
aware of cyber-threats, or as risk averse, as we are. On the one hand they
often do not know what the risks are, and on the other they do not fully
appreciate the consequences of an attack.

One type of threat that is exposing this vulnerability is social
engineering, including ransomware, phishing emails and CEO fraud. Scams
such as pay rise/redundancy phishing emails work because they appear to
come from a company director (using an address that is very similar to
their genuine email address), and contain information that cannot help but
interest their recipients.

Picture the member of staff who receives an email with the subject line
‘Company Redundancies 2017’; they will struggle to contain their
curiosity and concern, and unless they know otherwise, are highly likely to
open the attachment and enable the macros that deliver the ransomware.

I should add that IT professionals are not immune to this kind of attack,
so imagine how convincing they seem to someone in the finance department or
other areas of the business.

What Security Managers and IT Professionals can do

Prevention is always better than the cure, and these three steps will go a
long way to reducing your exposure to ransomware attacks.

Step 1: Raise awareness and educate all employees

If technologies for detecting, deleting or quarantining phishing emails
fail, the last line of defence is the user. Awareness raising programmes
will inform employees of the threats, what they may look like, how
sophisticated they are, and what the consequences of enabling attacks such
as ransomware can be.

Step 2: Have clear guidelines on what to do if employees suspect a
cyber-threat

Employees also need to know what to do if they suspect an email is not
genuine. Often phishing emails work because they have a sense of urgency
about them – if an employee receives an email from a senior member of staff
that says ‘urgent’, they jump to it. A culture of always questioning
whether an email is genuine must be encouraged, as well as the reassurance
that doing so – i.e. questioning a senior manager’s email - will not
reflect badly on that employee. Furthermore, when an employee is unsure of
an email they need a rapid response from the IT team, so that if authentic
they can respond appropriately.

Step 3: Make sure you have a robust data backup and disaster recovery system

The final step is to protect your organization should an attack take
place. To avoid paying a ransom, a robust data backup and disaster recovery
system is essential, ensuring that it is possible to restore data to the
point before the infection occurred. Disaster recovery / business
continuity plans must address specific risks to be effective. We recommend
exploring all potential threats and tailoring strategies and
procedures for each scenario.

We may be aware of the threats of social engineering campaigns like
ransomware, but never presume that everyone else within your organization
is.