[BreachExchange] Ransomware: Five questions you need to ask about your defences, before you get attacked

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jun 3 16:31:42 EDT 2021


https://www.zdnet.com/index.php/recent/index.php/article/ransomware-five-questions-you-need-to-ask-about-your-defences-before-you-get-attacked/

Ransomware is one of the most dangerous cybersecurity threats facing
organisations today, yet many are still underprepared when it comes to
protecting networks from attacks, and unclear about what to do if
ransomware causes disruption.

High-profile and highly disruptive ransomware attacks have recently hit
Colonial Pipeline, Ireland's HSE health service and global food producer
JBS. In the case of Colonial Pipeline, the organisation paid a ransom of
over $4 million in Bitcoin for the key required to restore the affected IT
network.

A ransomware attack can, therefore, be highly damaging when it comes to
providing services; it can damage the reputation of the organisation, and
it can cost a lot of money, both in terms of paying the ransom – if the
victim chooses to pay, despite warnings that it just funds and encourages
criminality – and in restoring and securing the network after an incident.

It's vital that the CEO and the rest of the board are fully equipped with
the knowledge to deal with the prospect of a ransomware attack hitting
their organisation and are doing as much as possible to ensure this doesn't
happen. And in the unwanted event of an incident, they need to be ready
with a plan to restore the network, preferably without paying a ransom.

In an effort to provide guidance to CEOs, the UK's National Cyber Security
Centre (NCSC) has detailed five key questions for board members to ask
about ransomware.

1. As an organisation and as board members, how would we know when an
incident occurred?

One of the reasons why ransomware attacks have become so successful is
because the attackers are able to lurk within the network for a long time
without being discovered.

Organisations should, therefore, know what their IT infrastructure looks
like, what monitoring is in place on their network – especially with
regards to critical assets – and be able to identify when something is
potentially suspicious, as well as having mechanisms for reporting and
investigating that malicious activity.

By identifying potentially suspicious activity on the network,
organisations can go a long way to cutting off ransomware attacks before an
intruder has had the time to move around the network.

2. As an organisation, what measures do we take to minimise the damage an
attacker could do inside our network?

One of the key aims of a ransomware attack is to encrypt as much of the
network as possible, so organisations should examine what they can do to
slow down or stop ransomware from spreading through systems.

In order to help make it more difficult for malicious intruders to move
around the network, organisations can segment networks, preventing the
whole network from being compromised by an attacker gaining access to just
one device.

Organisations should also look to implement two-factor authentication
across the network as an additional line of defence that makes it harder
for malicious intruders to move around the network.

3. As an organisation, do we have an incident management plan for cyber
incidents and how do we ensure it is effective?

"Organisations should think in terms of 'when' rather than 'if' they
experience a significant cyber incident," warned the NCSC blog post, so
it's essential to plan incident response carefully and to practice for it.

The NCSC's recommendations for an incident management plan include
identifying the key contacts who need to know about it, clear allocation of
responsibility, a conference number for emergency incident calls, as well
as contingency measures for critical functions.

4. Does our incident management plan meet the particular challenges of
ransomware attacks?

Some ransomware attacks simply encrypt data and demand a ransom in return
for the key. But increasingly, ransomware gangs are engaging in double
extortion techniques where they'll steal sensitive data and threaten to
release it if they're not paid.

Situations like this might not be in the incident response plan, so it's
recommended that plans are made for what would happen in the event that
data is stolen – and what a recovery looks like when stolen information,
potentially including sensitive data about customers, is published online.

5. How is data backed up, and are we confident that backups would remain
unaffected by a ransomware infection?

One of the key things an organisation can do to help protect against the
impact of a ransomware attack is to store backups and to regularly update
them, as this provides a method of restoring the network relatively quickly
without giving in to the ransom demand.

However, the board should also seek assurances over what data is deemed
critical, how frequently it's backed up and how the backups are stored.
Some ransomware attacks will target backups, so it's important to make sure
the backups are stored offline and on a network separate from the rest of
the organisation.

By asking questions like the above, the boardroom can help make sure that
the organisation is as resilient against the growing threat of ransomware
attacks as possible.

"Cybersecurity is a board-level responsibility, and board members should be
specifically asking about ransomware as these attacks are becoming both
more frequent and more sophisticated," said the NCSC guide.