[BreachExchange] Combatting ransomware with a few easy threat mitigation steps

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 10 19:20:40 EST 2016


http://www.itproportal.com/2016/03/10/combatting-ransomware-with-a-few-easy-threat-mitigation-steps/

Ransomware is a variant of malware that is so easy to use that it has
become the tool of choice for malicious script kiddies and wannabe hackers.
The plug-and-play aspect of this astonishingly simple-to-use adversarial
mechanism has wreaked havoc on organisations of all sizes and genres with
devastating results. Of course, amidst the gloom and doom of recent
ransoming success there are charlatans and faux experts venturing to
capitalise on the sheer chaos and palpable fear plaguing computer users
across the globe. These swindlers will make promises of ‘silver bullet’
solutions that can thwart everything from malware and viruses to drive-by
downloads and malvertising; however, their promise, like their product, is
only an empty simulacrum of a solution.

The truth is, the only real cyber defence is a layered defence. No amount
of administrative, physical, or technical controls can prevent a breach
from happening if the adversary is persistent and well-resourced. Instead,
a layered defence allows your organisation to detect and respond to threats
rather than assume that your systems are immune to attack. Consider your
organisational Internet of Things as if it were a medieval castle. The
various layers of defence would be a sprawling expanse to allow visual
surveillance of the surrounding area, a moat, archers around the fortified
wall, a heavily constructed drawbridge and, of course, the robust
construction and layering of the outer walls. As the adversary breaches the
perimeter, your stalwart defences raise the alarm and engage
pre-established procedures to thwart the attack and defend the critical
assets. The coordinated systems function in efficient concert to slow
and counter the advances of the threat and to fortify vulnerable areas of
the system to diminish the adversarial foothold. There are multiple
fail-safes in this example, just as there should be in your company’s
cybersecurity strategy. Security-centric cyber hygiene must become part of
the cultural DNA of any organisation aspiring to minimise its attack
surface and thwart threats. Like electricity and water, attackers follow
the path of least resistance. They attempt to exploit the network where it
is least defended. Consequently, your personnel, the least trained and yet
most vital resource of the organisation, are both your strongest and your
weakest link. If they make a mistake, then your organisation has made a
mistake. If they fail to rebuff an adversarial advance, then the
organisation has failed to resist the adversary’s influence.

The most profound component of any corporate cybersecurity strategy is the
introduction of an information security team, separate from your IT team,
whose sole purpose is the ongoing, all-encompassing cybersecurity of all
systems and personnel. First and foremost, this team will run a risk
assessment in order to identify vulnerabilities and to identify critical
assets. After all, network defence is a blind gambit if you do not know
where to focus your efforts and what to protect according to its value. The
team will enumerate and map the network and restrict changes to the network
and network devices. They will update and patch applications as threats
emerge, audit technology vendor contracts for language that demonstrates
security maintenance throughout the lifecycle of the device, and they will
audit vendors who have remote access to the company’s network to confirm
that vendor cyber hygiene is on par with the organisation’s new direction.
The infosec team will notify employees of the latest threats while
providing ongoing cyber hygiene training on prominent attack vectors such
as spear phishing, watering-hole attacks, drive-by downloads, malvertising
and social engineering. The security team will also introduce and monitor
automated technology that detects abnormalities in user and network
behaviour. User Behaviour Analytics and intrusion detection/prevention
systems should support a whitelisted firewall to detect and deny suspicious
activity such as remote system access, escalation of user privilege, abuse
of the principle of least privilege, or connections to Tor or I2P.
Finally, the team will implement the most important cybersecurity strategy
to mitigate the catastrophic outcome of a successful ransomware attack.
Critical systems and data will be regularly and automatically backed up,
protected in real time, and encrypted in transit and at rest. These
backups will be segmented from the rest of the network so that they remain
immune to adversarial corruption, and critical systems will be supported by
redundant systems to ensure that the organisation has continuous access to
its data. In short, the information security team will act as battle
commanders in manoeuvres against the adversary by shoring up systems and
personnel to ensure that the confidentiality, availability, and integrity
of the network remain constant.

This foundational cybersecurity strategy will be expanded and built upon
as the infosec team adapts to the industry genre and niche and to the
latest threats. Breach anxiety is wasted energy that could otherwise be
spent on proactive threat mitigation. Why worry about the potentially
infinite number of external threats when you know that your organisation
has an information security function that has ensured its internal
defence? The hyper-evolution of technology in the last decade, compounded
by the emergence of the vulnerable IoT attack surface and the rising
ubiquity of credible cyberthreats, means that cybersecurity vigilance must
be a fundamental cornerstone of corporate culture and decision making.
There will always be a ‘latest’ threat distributed along some novel and
stealthy vector by a foreign, invisible adversary. However, cyber hygiene,
a security-centric corporate culture and the perpetual efforts of a stable
information security team will provide the layers of protection necessary
to mitigate threats, defend the network, and recover from crises.