I’m very late to the party, and not fashionably so. Much of the ransomware discussion has flared and faded after the Hollywood Presbyterian Medical Center story hit the feeds. Last week at work, a call went out for an executive brief on CryptoLocker and ransomware in general, and I was buried in a client deliverable and the chance passed me by. Unfortunately, my brain doesn’t let things go very well, and during quiet moments it keeps coming back to how I’d approach the question of how organizations can prepare for these sorts of threats. The thought I keep coming back to is this:
CryptoLocker variants hit IT departments in the fundamentals. If your practices around backups/restores, least-privilege, web filtering, malware defenses, and user training are weak, it will expose them. While there are excellent products and services that can help with any of these things, there is no replacement for doing the fundamentals well.
It’s a lot of work to get these fundamentals drilled in to the point they’re second nature. Backups seem simple, but there’s a lot of time and attention needed to make sure you can restore what you need, when you need it, and in a reasonable amount of time. One-off tests restoring a single file every month don’t quite cut it. You need to understand what and where all of the critical data is, then map out comprehensive tests that confirm you can get it back. Also, those backups need to be offline in such a way that replication, either good or bad, cannot harm what you intend to retain. When you can do that at will, the idea of someone locking up or deleting all your data is much less scary.
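As an added example (not code from the original post), here is a small restore drill in Python. It creates a constructed set of "critical" files, records a manifest of SHA-256 hashes at backup time, keeps that manifest apart from any live replica, and then verifies a restore against it. The point it makes concretely is the one above: a replica that keeps syncing from the live tree faithfully replicates the damage, while the offline copy plus the manifest lets you prove the data came back intact. Paths and file contents are constructed for the demo.

```python
"""Restore drill: verify a restored tree against a manifest captured at backup time.

Added example, not from the original post. Sample files and paths are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest.

    Returns (missing, corrupted); both empty means every critical file came
    back with the exact content recorded at backup time.
    """
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.exists(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            corrupted.append(rel)
    return sorted(missing), sorted(corrupted)


def run_restore_test():
    """End-to-end drill: back up, simulate damage reaching a replica, verify both copies."""
    work = tempfile.mkdtemp()
    try:
        # Constructed "critical data" tree.
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "finance"))
        with open(os.path.join(live, "finance", "ledger.csv"), "w") as f:
            f.write("2016-02-01,invoice,1200.00\n")
        with open(os.path.join(live, "readme.txt"), "w") as f:
            f.write("critical data\n")

        # Backup: copy the tree and store the manifest separately from it.
        backup = os.path.join(work, "backup")
        shutil.copytree(live, backup)
        manifest_path = os.path.join(work, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(live), f)

        # A replica that keeps syncing from live picks up whatever happens to live:
        # here one file is overwritten with junk and one is deleted.
        replica = os.path.join(work, "replica")
        shutil.copytree(live, replica)
        with open(os.path.join(replica, "finance", "ledger.csv"), "wb") as f:
            f.write(b"\x00not the ledger any more")
        os.remove(os.path.join(replica, "readme.txt"))

        with open(manifest_path) as f:
            saved = json.load(f)
        return {
            "replica": verify_restore(replica, saved),
            "offline_backup": verify_restore(backup, saved),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for source, (missing, corrupted) in run_restore_test().items():
        status = "OK" if not missing and not corrupted else "FAILED"
        print(f"{source}: {status} missing={missing} corrupted={corrupted}")
```

Running it reports the replica as FAILED (one file missing, one corrupted) and the offline backup as OK. In a real drill the manifest would be written at backup time and stored where the backup job cannot modify it, and the "live" tree would be your actual critical data inventory rather than two constructed files.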
Least-privilege is another thing that sounds easy but takes even more time and attention. If you’re a large organization that’s never done a Role-Based Access initiative, you may not know what each person needs to access in order to do their job. For new access, many places take the “it’s working now, let’s just copy it” approach. So if Mike leaves the company, you hire someone with similar skills for what you think Mike did, and you tell IT to make the new person’s account “just like Mike’s.” The problem arises in the fact that Mike grew in his responsibilities while he worked for you, so he had a bunch of access rights that he held onto so he could back up his old teammates. Mike’s great, we love Mike, and we’re gonna miss him, but he’s got a lot of cruft. So when you copy his rights to a new person, that person has access to a lot more things than they need. It doesn’t happen just once, it happens all the time and for years at a time, and these things build. Superfluous rights then become the devil’s playground.
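Added example (not from the original post) of what a role baseline buys you. The role names, rights and accounts below are constructed; in practice they would come from your directory or IAM export. The script models the "just like Mike's" clone next to a baseline-driven provisioning, and a review function that reports every right an account holds beyond what its roles justify.

```python
"""Find superfluous rights that accumulate when accounts are cloned.

Added example, not from the original post. Roles, rights and accounts are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Role baseline: the rights each role needs to do its job (constructed sample data).
ROLE_BASELINE = {
    "accounts-payable": {"fs:finance/ap:rw", "app:erp:ap-clerk"},
    "accounts-receivable": {"fs:finance/ar:rw", "app:erp:ar-clerk"},
    "payroll": {"fs:hr/payroll:rw", "app:erp:payroll"},
}


@dataclass
class Account:
    name: str
    roles: Set[str]
    rights: Set[str]
    cloned_from: Optional[str] = None


def expected_rights(roles):
    """Union of the baselines for every role the account holds."""
    needed = set()
    for role in roles:
        needed |= ROLE_BASELINE.get(role, set())
    return needed


def superfluous_rights(acct):
    """Rights held beyond what the account's roles justify: the 'cruft'."""
    return acct.rights - expected_rights(acct.roles)


def missing_rights(acct):
    """Rights the roles need but the account lacks (the other half of a review)."""
    return expected_rights(acct.roles) - acct.rights


def clone_account(name, roles, template):
    """The 'make it just like Mike's' approach: copy the template's rights wholesale."""
    return Account(name, set(roles), set(template.rights), cloned_from=template.name)


def provision_account(name, roles):
    """The least-privilege approach: grant exactly the role baseline."""
    return Account(name, set(roles), expected_rights(roles))


def review(accounts):
    """List of (account name, sorted superfluous rights) for accounts carrying cruft."""
    report = []
    for acct in accounts:
        extra = superfluous_rights(acct)
        if extra:
            report.append((acct.name, sorted(extra)))
    return report


# Mike started in AP, covered AR and payroll over the years, and kept every right.
MIKE = Account(
    "mike",
    {"accounts-payable"},
    {
        "fs:finance/ap:rw", "app:erp:ap-clerk",
        "fs:finance/ar:rw", "app:erp:ar-clerk",
        "fs:hr/payroll:rw", "app:erp:payroll",
    },
)

# Two ways to set up Mike's replacement, who only has the AP role.
DANA_CLONED = clone_account("dana-cloned", {"accounts-payable"}, MIKE)
DANA_BASELINE = provision_account("dana-baseline", {"accounts-payable"})


if __name__ == "__main__":
    for name, extra in review([MIKE, DANA_CLONED, DANA_BASELINE]):
        print(f"{name}: superfluous rights -> {extra}")
```

The cloned account inherits four rights that have nothing to do with accounts payable, and the review flags both Mike and the clone. The baseline-provisioned account shows up clean, and `missing_rights` confirms it is not under-provisioned either. Running a review like this on a schedule is how you catch the cruft before it "builds for years."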
In the case of web filtering and malware defenses, you set up browser filtering so users can’t stumble into known malicious territory, and you install various antivirus/anti-malware solutions. You’re not only watching what’s coming into your organization, but you’re looking at the traffic that’s leaving and making sure none of it contains credit card strings, social security numbers, or other key data you collect. Because the attackers will likely use encryption to hide the traffic, you should be watching and possibly decrypting that traffic, and treating confidential browsing data responsibly. If you’re doing it right, you’ve tuned the false positive rate down far enough that people can get their jobs done but it gets your attention immediately if something’s wrong. Again, tuning that solution takes focus by your IT staff, and it’s not a one-time effort.
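Added example (not from the original post) of the outbound check described above, with the kind of tuning that keeps the false-positive rate down. It assumes you already have decrypted egress content available line by line; the sample lines are constructed. A naive "16 digits in a row" rule fires on order numbers and tracking IDs, so candidate card numbers are passed through a Luhn check, and SSN candidates are rejected when they use area or group numbers that were never issued. Alerts carry only a masked value so the alert stream itself does not leak what it caught.

```python
"""Egress content check for card numbers and SSNs, with false-positive filters.

Added example, not from the original post. Sample egress lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the conventional AAA-GG-SSSS form.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs (order numbers, tracking IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN shapes that were never issued (area 000/666/9xx, group 00, serial 0000)."""
    if area in {"000", "666"} or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def mask(value: str) -> str:
    """Keep only the last four digits so the alert does not repeat the secret."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str    # "card" or "ssn"
    value: str   # masked


def scan_lines(lines: List[str]) -> List[Finding]:
    """Run both detectors over each line and return the findings that survive tuning."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(n, "card", mask(digits)))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(n, "ssn", mask(m.group(0))))
    return findings


# Constructed sample egress content (after decryption).
SAMPLE_EGRESS = [
    "POST /upload name=report.csv card=4111 1111 1111 1111 exp=12/29",  # valid Luhn
    "GET /track?order=1234567890123456",                                # 16 digits, fails Luhn
    "employee ssn=123-45-6789 dept=finance",                            # plausible SSN
    "ticket ref 000-12-3456 created",                                   # area 000: never issued
    "hello world",
]


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_EGRESS):
        print(f"line {f.line_no}: {f.kind} {f.value}")
```

Of the five constructed lines, only the first and third produce findings; the order number and the never-issued SSN shape are dropped by the filters rather than by lowering sensitivity. Those two filters are a starting point for tuning, not the end of it: every environment has its own sources of look-alike numbers, and the allow-listing you add for them is the ongoing effort the paragraph above is talking about.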
The last tier of your defense is one that’s often maligned, overlooked, or underrated: User Training. You should train your staff to understand the basics of the threats that are out there, and how to act when they detect something that’s not quite right. You hire competent professionals with good critical thinking skills; you should absolutely use them to defend your organization. Building good security habits takes time and effort to instill as part of your culture, but it is imperative to maintaining a healthy defense.
And in looking at all of these fundamental practices from an executive perspective, these things are expensive in work hours and expertise. It may seem like it’s just cheaper to pay the ransom. The problem with that mindset is that it only solves the problem as it exists today. $17,000 to keep a hospital running and save patient lives seems reasonable, and many of us might make that same trade if we had to make that decision. But these equations are going to change. The attackers will get bolder, the ransom demands will increase, or the type of threat will increase either in severity or scope. When the stakes change, you need to have more than one option available to you.
The beautiful thing about taking the time to do security fundamentals right is that it will help you against more than just ransomware. When these practices and habits are ingrained in your operations, you significantly decrease your exposure to a myriad of threats as they exist today and in the foreseeable future. The path to good security travels right through efficient operation, and empowers and enlightens your organization. You shouldn’t chase good security to avoid punishment, you do it because it pushes aside the noise and lets everyone focus on bigger and better things.
Note: I’ve listed only a few security controls for the sake of brevity (too late?). For a more comprehensive list, the CIS Top 20 Critical Security Controls is an excellent framework to approach a better security foundation.