[BreachExchange] How to protect the company from ransomware and to restore data following a breach?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 12 20:04:54 EST 2017


http://www.itproportal.com/features/how-to-protect-the-company-from-ransomware-and-to-restore-data-following-a-breach/

The datacentre is the castle. You can pull up the drawbridge, fill the
moat, or drop the portcullis. But at some point you have to let data in
and out, and this opens up the opportunity for ransomware attacks.
Circumventing and exposing an organisation's security is no longer just a
matter of pride and peer recognition in the hacker community; with
ransomware it is now a fully-fledged industry in its own right, one that
cybersecurity company Herjavec Group estimates will top $1 billion in 2016.
In the past, those under siege flooded the moats, pulled up the drawbridges
and dropped the portcullis to protect themselves, but with the modern data
centre an organisation's lifeblood is the movement of data in and out of
the datacentre.

The question now is not just how organisations can protect themselves from
ransomware, but also what the best practices and policies for recovery are
in case an attack gets through. Data has to flow in and out, and that opens
up a route in for security breaches, of which the most profitable is
ransomware. So can it be prevented from ever occurring, and how can that be
achieved? After all, prevention is better than cure, and the first line of
defence has to involve firewalls, email virus scanners and other such
devices. The problem is that the writers of computer viruses are always one
step ahead of the data security companies that offer solutions to protect
their customers. This is because the industry tends to be reactive to new
threats rather than proactive.

With so many devices connecting to the corporate network, including bring
your own device (BYOD), there will always be an attack that gets through,
especially as many end users are not totally savvy about how viruses and
other such scams can be attached to emails while masquerading as normal
everyday files. A certain amount of end user education will help, but there
will always be one that gets through. So to protect themselves,
organisations have to have back-up plans and policies to deal with the
situation when it does happen, because we can't keep the drawbridge up
forever.

Is ransomware new?

So how long have ransomware attacks been around? Well, excluding the
viruses written by governments for subversion, we have always had viruses
that hackers write for fun, for notoriety, or to use as a robot in a denial
of service attack. They may also use an infected machine as an email relay.
With the coming of Bitcoin, payments can be received anonymously, and as
you can see from Herjavec Group's estimates, ransomware can be very
lucrative while also being very costly to the organisations that are
attacked. This is why companies should be creating their very own data
castles, and they should only drop their drawbridges when it is absolutely
safe or necessary to do so. Due diligence is crucial at all times.

One of the key weapons against ransomware is the creation of air gaps
between data and any back-ups. A solid back-up system is the Achilles heel
of any ransomware, and this has been proven many times over, such as in the
case of Papworth Hospital. However, with the ever increasing sophistication
of ransomware and the use of online back-up devices, it won't be long
before ransomware turns its attention to those devices as well. It is
therefore important to have back-up devices and media that have an air gap
between themselves and the corporate storage network. This is going to be
crucial in the future. When you think about it, there is a lot of money at
stake on both sides if ransomware becomes back-up aware. So it is important
to think and plan ahead, and it is perhaps a good idea to make back-ups
less visible to any ransomware that might be programmed to attack them.

Disaster recovery

So what is the most effective way to recover from an attack? Any and every
back-up strategy should be based around the organisation's recovery
strategy, to be executed once the offending program and all of its copies
have been removed. Obviously, the key systems should be recovered first,
but this will depend on the range and depth of the attack. One thing that
is easily overlooked in a recovery plan, and often missed in recovery
scenario tests, is the ability to reload the recovery software using
standard operating system tools.

The key is to have a back-up plan. In the future, ransomware will, rather
than blasting its way through the file systems, work silently in the
background encrypting files over a period of time, so that these files
become part of the back-up data sets. It is therefore important to
maintain generations of data sets, not only locally but offsite in a secure
location. Remember the old storage adage that your data is not secure until
you have it in 3 places and in 3 copies.
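Keeping several generations only helps if you can tell which one is still clean. The following is an added example (not code from the article or from any vendor it mentions) that compares consecutive backup manifests and flags the first generation in which many files both changed and became high-entropy, a crude sign of slow background encryption, so the restore point can be chosen before it. The manifests, file names and thresholds are constructed for illustration.

```python
"""Generation-aware backup check (added example, constructed data).

Each manifest maps a file path to its content as captured in that backup
generation. A file that changed since the previous generation AND now looks
like random bytes (Shannon entropy near 8 bits/byte) is treated as a
possible ciphertext. If too many files in one generation look like that,
the previous generation is reported as the last clean restore point.
"""
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # bits/byte; tuned for files of a few KB or more
CHANGE_RATIO = 0.2        # fraction of files that may change suspiciously


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_generation(prev: dict, curr: dict) -> tuple:
    """Return (suspicious, ratio) for manifest curr relative to prev."""
    suspect = 0
    for path, content in curr.items():
        # New or modified file whose content now looks encrypted
        if prev.get(path) != content and shannon_entropy(content) >= ENTROPY_THRESHOLD:
            suspect += 1
    ratio = suspect / max(len(curr), 1)
    return ratio >= CHANGE_RATIO, ratio


def last_clean_generation(generations: list) -> str:
    """generations: [(label, manifest), ...] oldest first."""
    clean = generations[0][0]
    for (_, prev), (label, curr) in zip(generations, generations[1:]):
        suspicious, _ = classify_generation(prev, curr)
        if suspicious:
            return clean          # stop at the first tainted generation
        clean = label
    return clean


if __name__ == "__main__":
    # Constructed sample: gen3 is where a.docx turned into random-looking bytes
    plain = {"a.docx": b"quarterly report, plain text", "b.xlsx": b"1,2,3\n4,5,6"}
    tainted = dict(plain, **{"a.docx": bytes(range(256)) * 4})
    gens = [("gen1", plain), ("gen2", dict(plain)), ("gen3", tainted)]
    print("restore from:", last_clean_generation(gens))  # restore from: gen2
```

In a real deployment the manifests would be built from the backup catalogue rather than file contents held in memory, but the generation walk is the same.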

I'd also recommend the following top 5 tips for protecting your
organisation against ransomware:

1. Educate your end-users to make them more aware of the implications of
   ransomware and how it is distributed.
2. Ensure that you deploy an up-to-date firewall and email scanners.
3. Air gap your back-ups and archives from the corporate network.
4. Maintain good generation controls for back-ups.
5. Remember that back-up is all about recovery; it's better to prevent the
   need to recover by planning ahead for disasters such as a ransomware
   attack, so as to maintain business continuity.

These principles don't change for enterprises that are based in the cloud.
Whilst the cloud provides some resilience through economies of scale that
many could not afford in their own data centre, one should not assume that
data is any more secure in the cloud than in your own data centre. Back-up
policies for offsite back-ups and archives should still be implemented.

Inflight defence

But how can you prevent an attack while data is in flight? Whilst we have
not seen this type of attack yet, it is always a strong recommendation that
data in flight is encrypted, preferably with your own keys, before it hits
your firewall. However, as many companies use WAN optimisation to improve
their performance over WAN networks, transporting encrypted files means
little or no optimisation is possible. This can affect those all-important
offsite DR, backup and archive transfers. Products such as PORTrockIT can,
however, enable organisations to protect their data while mitigating the
effects of data and network latency. Solutions like this can enable you to
build and maintain your data castle.