[BreachExchange] Beyond Robust Technical Defenses: Three Simple Ways to Protect Your Organization from Ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 30 18:56:25 EDT 2017


http://www.corpcounsel.com/id=1202782400846/Beyond-Robust-Technical-Defenses-Three-Simple-Ways-to-Protect-Your-Organization-from-Ransomware?mcode=0&curindex=0&curpage=ALL

The Romantik Seehotel Jägerwirt in Turracher Höhe, Austria, has survived
and thrived since the days of the Austro-Hungarian Empire, welcoming guests
who enjoy skiing in luxury. But nothing in its 111-year history prepared it
for the magnitude of the attack that crippled its computers in January 2017.

The ransomware attack targeted operational systems, and almost every aspect
of the hotel was affected: The computerized key system was disabled.
Reservations could not be located. Payments could not be processed. Packed
to capacity and faced with paralysis during peak season, the hotel’s
management had few alternatives. With every passing minute compounding the
damage, the hotel paid the ransom.

The episode offers an unwelcome lesson: ransomware attacks increasingly
target critical operations, rather than just back-office systems. And while
an attack on the hospitality industry could pose a “Hotel California”
scenario, locking guests into their rooms, one on a critical system at a
hospital, for example, could have life-or-death consequences.

How does an organization handle this frightening new reality—a world with
the risk of ransomware? Technical professionals know the advantages of best
practices such as encryption, backups, redundancy, monitoring, and similar
measures. However, as the CIA and NSA could testify, even the most robust
technical defenses can be insufficient. Three simple practices can help.

Limit Electronic Integration

In an age of enterprise software, integration is often seen as the sine qua
non of IT systems. However, organizations will want to consciously decide
whether full electronic integration is desirable—and it’s not an easy
judgment call. Moreover, the burgeoning Internet of Things offers an
irresistible allure: even more data, from even more devices.

All an organization’s data can be analyzed and put to work as a tool to
support client service and sales, in detecting and remedying potential
problems, and in identifying, cultivating, and converting prospects.
Moreover, data has direct monetary value: it can be “monetized” by being
sold to others. Third-party brokers and other data vendors provide a ready
market and are ever eager for every last byte.

Integrated systems greatly facilitate data collection, of course, so
questioning the need for connectivity may seem counter-intuitive. But does
a toaster really need to be connected to the Internet? It may make better
toast. But it is also vulnerable to a ransomware attack: A low-grade attack
could deny your customers toast until you pay up.

Just a toaster, you think? But what if a hotel’s refrigerators and ovens
all shut down at once? What if a pharmacy’s drug compounding equipment can
be hacked? Malicious attacks can present unforeseen risks—and an actual
physical threat to customers and employees.

Certainly, remote connectivity can offer advantages. The Seattle Police
Department recently recovered a stolen BMW by disabling it. The hapless
thief was remotely locked inside the vehicle until officers arrested him.
However, the same technology that enables police to apprehend a suspect may
allow hackers to physically detain your customers or employees.

Such scenarios were speculative as recently as three years ago. But today
businesses must weigh the vulnerabilities inherent in such connectivity
against the potential gains. While the disabling of keys in the ransomware
attack on the Romantik Seehotel Jägerwirt did not imprison guests, it did
stop the front desk from coding new keys, and guests could not re-enter
their rooms.

The hotel’s management found the decision to disconnect its key system
easy: it is reverting to physical keys. Indeed, organizations ranging from
the United States Navy, which has reintroduced celestial navigation, to the
Kremlin, which has brought back typewriters, have recognized the advantages
of limiting electronic integration.

Enable Manual Override

If limiting connectivity is not feasible, a second option is to ensure that
critical systems include physical switches that can override ransomware
locks. High-end systems, such as aircraft controls, already incorporate
manual redundancy to handle emergency situations. In assessing their cyber
vulnerabilities, businesses should map their critical-path systems—a
regulatory mandate in the state of New York and in the European Union. If
systems are entirely computer-controlled, manual overrides should be added
at critical points.

Manual intervention gives organizations a potentially significant
safeguard. Its effectiveness is compounded if, as is often the case,
multiple computer systems are connected. In regular operations, connected
systems are a useful tool, providing more accurate assessments and enabling
organizations to offset problems in one area with measures in another. But
in a ransomware scenario, inter-system connectivity is a threat multiplier
that can escalate a significant problem into a potentially catastrophic
one. Ransomware injected into one system can cascade throughout the
enterprise, shutting down work and leaving every system it touches at the
mercy of the attackers.

The introduction of a manual “kill switch” significantly alleviates this
problem. The manual workaround enables enterprise operations to proceed
while buying management valuable time. Virtually all cars, for example, now
incorporate a brake pedal specifically designed to override alternative
commands.

Moreover, grafting a “one switch to kill them all” mechanism on top of
existing systems is more economical than a systemic redesign.

Limit Internet Access

Third, an organization should consider limiting outside Internet access.
Many companies devote considerable resources to protecting technology
systems, yet the very computers employees use to control those systems are
often connected to the Internet. When employees use them to check personal
email or social media accounts, it represents a largely unguarded backdoor
access point to the organization’s critical systems.

In my experience, many ransomware incidents are traced to an apparently
innocuous email. While business email systems are not immune, their
defenses are generally more robust than those of personal accounts.
Organizations should consider limiting access to personal email and social
media accounts on official computers. Many industries, including law firms
and hospitals, already impose such restrictions.
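One way to make the restriction described above concrete is to check outbound web requests from operator workstations against an egress policy before deciding what to block. The following script is an added illustration and is not part of the original article or the cited organizations' tooling; the domains, policy lists, and proxy log lines are constructed placeholders, and the matching is label-aware so that a look-alike host such as notsocial.example does not match a blocked social.example entry.

```python
"""Egress-policy check for operator workstations: which outbound web
requests would be blocked if personal webmail and social media were
restricted? Added illustration; all domains and log lines are constructed."""

from urllib.parse import urlsplit

# Constructed policy. Category lists are placeholders, not a real block list.
BLOCKED_CATEGORIES = {
    "personal-webmail": {"example-webmail.test", "freemail.example"},
    "social-media": {"social.example", "chatter.example"},
}
# Business services the workstation legitimately needs (constructed).
ALLOWED = {"erp.corp.example", "vendor-support.example"}

# Constructed proxy log lines: timestamp, workstation, URL, bytes transferred
SAMPLE_LOG = """\
2017-03-30T09:01:12Z ws-frontdesk-01 https://erp.corp.example/reservations 5120
2017-03-30T09:02:45Z ws-frontdesk-01 https://mail.example-webmail.test/inbox 8812
2017-03-30T09:03:10Z ws-keysystem-02 http://freemail.example/login 1200
2017-03-30T09:04:00Z ws-keysystem-02 https://notsocial.example/feed 300
2017-03-30T09:05:33Z ws-frontdesk-01 https://www.social.example/home 9000
"""


def _host_matches(host, domain):
    """True if host equals domain or is a subdomain of it (label-aware)."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return 'allowed', 'blocked:<category>', 'unlisted' or 'invalid'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if any(_host_matches(host, d) for d in ALLOWED):
        return "allowed"
    for category, domains in BLOCKED_CATEGORIES.items():
        if any(_host_matches(host, d) for d in domains):
            return "blocked:" + category
    return "unlisted"


def evaluate_log(log_text):
    """Return a list of (workstation, host, verdict) for each well-formed line."""
    results = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line: skip rather than guess
        _, workstation, url, _ = parts[:4]
        results.append((workstation, urlsplit(url).hostname, classify(url)))
    return results


def blocked_summary(log_text):
    """Count requests per workstation that the policy would block."""
    counts = {}
    for ws, _, verdict in evaluate_log(log_text):
        if verdict.startswith("blocked:"):
            counts[ws] = counts.get(ws, 0) + 1
    return counts


if __name__ == "__main__":
    for ws, host, verdict in evaluate_log(SAMPLE_LOG):
        print(f"{ws:18} {host:32} {verdict}")
    print(blocked_summary(SAMPLE_LOG))
```

The "unlisted" verdict is kept separate so a reviewer can see what a default-deny egress policy would additionally block; under such a policy only the "allowed" destinations would be reachable from the workstations that control critical systems.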

Conclusion

The practices described above are not silver bullets: in today’s world,
there are no guarantees of cyber safety. However, implementing these
measures will strengthen cyber defenses. Simply taking steps that others
have not yet taken means an organization is no longer the lowest-hanging
fruit for hackers; that alone may divert ransomware efforts elsewhere. At a
minimum, these practices are low-cost methods for either avoiding a
ransomware situation or improving your hand. As the Romantik Seehotel
Jägerwirt learned, an improved hand is worth something.