Cyber Security Essentials

The Damage of Downtime

Downtime disruption

There has recently been a prominent example of how damaging a serious IT outage can be. The hours-long interruption in service that Facebook (and its other platforms, Instagram and WhatsApp) suffered made news around the world. It cut off social networks, friends, relatives, lovers and businesses. Only Twitter saw the funny side.

The root cause is still the subject of some speculation and we have no information on that beyond what's been published on the Internet. What was clear, however, is how disruptive and damaging an outage can be, however it was caused. Facebook itself became the news as its share price fell almost 6%, leaving Mark Zuckerberg an estimated $7 billion out of pocket. Now that's a sizeable amount, but the price has already partly rebounded; so, he's unlikely to starve!

Let’s speculate

The prevailing theory is that the outage was caused by an administrator, working remotely, updating the BGP routing configuration. The old configuration was removed before the new one was in place, and because the change was being made remotely, the session that should have applied the replacement was itself cut off. As a result, Facebook's application servers and DNS hosts became unreachable from the Internet and the engineers, also remote, couldn't connect in to fix it. Reportedly someone who knew what they were doing had to physically get to site and reconfigure the routers to bring the environment back up.
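The safeguard for exactly this failure mode is to arm the rollback before the change, on the device itself, so that it fires on its own if the session that made the change disappears. Most router operating systems provide it natively (Junos "commit confirmed", IOS "reload in"). As an added example, not from this article and not a description of Facebook's tooling, here is the same pattern reproduced in Python against a plain text file so it can be run without network equipment; the file name, the sample BGP stanza and the timing windows are assumptions made for the demonstration.

```python
"""Added example: a 'commit confirmed' style safety net for remote configuration changes,
reproduced on a plain text file. Config snippets, file names and windows are assumptions."""
import shutil
import tempfile
import threading
from pathlib import Path

# Constructed configuration snippets (assumptions for the demonstration).
KNOWN_GOOD = (
    "router bgp 65001\n"
    " neighbor 192.0.2.1 remote-as 65002\n"
    " network 203.0.113.0/24\n"
)
BROKEN = "router bgp 65001\n"  # neighbour removed: our prefixes would be withdrawn upstream
NEW_GOOD = KNOWN_GOOD + " neighbor 192.0.2.2 remote-as 65003\n"


class ConfirmedChange:
    """Apply a new configuration and revert it automatically unless confirm() is called
    within window_seconds. The revert runs from a local timer thread, so it does not
    depend on the remote session that made the change still being alive."""

    def __init__(self, config_path, new_config, window_seconds):
        self.config_path = Path(config_path)
        self.backup_path = self.config_path.with_name(self.config_path.name + ".bak")
        self.new_config = new_config
        self.window_seconds = window_seconds
        self._timer = None
        self._lock = threading.Lock()
        self.confirmed = False
        self.reverted = False

    def apply(self):
        # 1. Preserve the known-good configuration locally, before touching anything.
        shutil.copyfile(self.config_path, self.backup_path)
        # 2. Arm the rollback *before* applying the change, so a failure mid-change still reverts.
        self._timer = threading.Timer(self.window_seconds, self._rollback)
        self._timer.daemon = True
        self._timer.start()
        # 3. Apply the change.
        self.config_path.write_text(self.new_config)
        return self

    def confirm(self):
        """The operator has verified reachability in time and wants to keep the change."""
        with self._lock:
            if self.reverted:
                return False
            self._timer.cancel()
            self.confirmed = True
            return True

    def wait(self):
        """Block until the window has closed or the rollback has been cancelled."""
        self._timer.join()

    def _rollback(self):
        with self._lock:
            if self.confirmed:
                return
            shutil.copyfile(self.backup_path, self.config_path)
            self.reverted = True


def demo_unconfirmed(window_seconds=0.2):
    """A change that drops the neighbour is applied and never confirmed (the operator's
    session is gone). Returns (reverted, final_config_text)."""
    path = Path(tempfile.mkdtemp()) / "router.conf"
    path.write_text(KNOWN_GOOD)
    change = ConfirmedChange(path, BROKEN, window_seconds).apply()
    change.wait()  # nobody confirms; the timer restores the backup on its own
    return change.reverted, path.read_text()


def demo_confirmed(window_seconds=5.0):
    """A good change is applied and confirmed inside the window.
    Returns (confirm_accepted, reverted, final_config_text)."""
    path = Path(tempfile.mkdtemp()) / "router.conf"
    path.write_text(KNOWN_GOOD)
    change = ConfirmedChange(path, NEW_GOOD, window_seconds).apply()
    accepted = change.confirm()  # stands in for "I can still reach the box, keep it"
    change.wait()
    return accepted, change.reverted, path.read_text()


if __name__ == "__main__":
    print("unconfirmed ->", demo_unconfirmed())
    print("confirmed   ->", demo_confirmed())
```

On real equipment the same idea is the reload timer or confirmed commit set before the change; the point of running it on the device rather than in the operator's session is that it still executes when that session has been cut off.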

Setting aside the susceptibility of IT systems to human error, and the difficulties and fragility of routing configurations and DNS, what can the rest of us learn from the disruption caused by the outage of such critical social infrastructure?

What can we learn?

A worst case scenario for many businesses, not just Facebook, is a complete loss of service.  Facebook’s business model is totally reliant on online access and the Internet. Many other businesses don’t consider themselves to be as exposed to that kind of failure, but the reality is that in a digital world even a small outage can have a hugely disruptive effect.

This can be caused by misconfiguration or human error (as was perhaps the case for Facebook), an oversight, a physical failure or a deliberate act.  The cause, as always, is much easier to pinpoint after the fact.

We have seen similar effects in non-IT businesses too: oil pipeline operators, food manufacturers and healthcare providers have all suffered major outages as a result of ransomware attacks. Their reliance on IT, even though they trade in the physical world, meant that their services and the delivery of them were similarly affected. This shows that no company can afford an IT outage, however it is caused. Network misconfiguration is just one cause of failure; ransomware is another, and one which has recently become far more common than the calamitous events we saw in the social media world last week.

What the Facebook event shows is not how to avoid downtime, outages and blackouts; instead, it shows how episodes that can seem almost trivial can give rise to enormous consequences.

You can't avoid all risks. Whether it's a network administrator changing routes or a user opening a malicious email attachment, people make mistakes. If, as the mathematician Edward Lorenz proposed, a butterfly flapping its wings can result in a tornado, it's important that early signs of risk are acknowledged as part of your risk management process.

We can learn about the risks of changing BGP configurations from Facebook; or, when it comes to ransomware, learn how to reduce the risk of becoming infected. In both instances, however, effective mitigation strategies that prevent a risk or contain its impact are key to lessening the potential effect across an entire enterprise.

Back-ups mean so much

Maybe a backup router configuration strategy might have helped Facebook (if the backups had been accessible while the network was down). To be fair, massive online businesses like Facebook typically have huge backup data centres available to provide resilience and mitigation against catastrophic events.

For many other failure scenarios, however, backups are an important part of a Plan B. Loss or corruption of data can render even a fully working, internet-connected server inoperative. In the event of hardware failure, ransomware, theft, deliberate misuse or vandalism, it's often the presence or absence of backups that makes the biggest difference.

In some ransomware attacks, where the decryption process has been absent, unworkable or too slow, backups have provided the road to recovery. Colonial Pipeline found that; and so did Maersk when they were hit by NotPetya. They only managed to get their systems back because of a single domain controller, located in a remote office in Ghana and unaffected by the broader network outage. Incredibly, it was this sole surviving copy of the Active Directory database (which was ultimately flown back to head office) that enabled the recreation of the Maersk Windows domain.

Summarising

We’ve seen lots of significant systems outages in the past, resulting from numerous causes, and Facebook is just the most recent high profile “victim”. We also know that such disruptive events can stem from something as small as a butterfly flapping its wings.

Effective risk management means dealing with these, and where they can be foreseen, having controls in place.  Every company can learn something about network support and administration from the Facebook experience, and in the same way every company can learn something about ransomware from Colonial Pipeline and about the importance of backups from Maersk.

You do have to sweat the small stuff!


Healthcare organisations – the top cyber attack target, again

Patient information at risk

After the ransomware attack on the Waikato District Health Board (DHB) in May 2021, the New Zealand Privacy Commissioner, John Edwards, warned all 20 NZ DHBs that if any DHB was found not to have adequate security to protect patients' information, compliance notices may be issued under the Privacy Act 2020 and, if necessary, prosecutions would follow [1].

Clearly the time has come for boards and executive teams in New Zealand's DHBs to be ransomware ready. Concerns were raised in Australia too, when the Office of the Australian Information Commissioner's (OAIC) Notifiable Data Breaches Report for January to June 2021 confirmed that the health care sector was the one most exposed to ransomware attack [2].

The cyber hygiene of healthcare

Meanwhile, in this climate of growing attacks globally, PwC observed that fewer than 50% of health sector CISOs were likely to increase their cyber budgets in 2021. Almost 75% of those executives surveyed believed they would still be able to improve their cyber posture through cost containment and judicious spending [3].

According to the OAIC, ransomware-related breaches in Australia were up 24% on the previous reporting period. Recent health care attacks in both Australia and New Zealand are a wake-up call for boards and executive teams: it's time to take cyber security and resilience very seriously. Despite the optimism of those surveyed by PwC [4], in an industry notorious for system vulnerabilities and cyber security under-investment, it is imperative that health care organisations embrace a stronger cyber culture and seek expert advice to tighten their cyber security controls.

The recent IBM Cost of a Data Breach Report 2021 [5] confirmed that, for the 11th year in a row, the healthcare sector had the highest average cost of a data breach. This year the figure was US$9.23m per breach, and that excludes the lives potentially put at risk as a consequence of an attack.

Patient welfare is at risk

In Brisbane, a ransomware attack on UnitingCare's internal IT systems forced its hospitals and nursing homes to fall back on manual processes. In Waikato, the ransomware outage affected all clinical services across all five regional hospitals. Patient appointments and surgeries were severely impacted, causing large backlogs for these important services.

The loss of modern diagnostic capability, and the speed of computer communication, meant it took twice as long to treat urgent patients. Having to resort to manual back-up systems caused major stresses for both patients and staff. The loss of radiology services severely impacted a number of seriously ill cancer patients who had to be transferred to other North Island hospitals. The then medical director of the Cancer Society of New Zealand stated that “it’s hard to understate how disruptive the loss of an IT system is on a hospital”[6].

In NZ, the government's refusal to pay the ransom resulted in sensitive patient data being released to the media, and some patient data was permanently lost. IT systems took more than four weeks to fully recover.

The impacts of a ransomware attack on health care facilities should not be underestimated: financial losses, reputational damage, loss of productivity and business continuity, and the risk of legal liabilities arising from interrupted patient care. The disruption and loss of technology in a clinical setting can affect patient outcomes and potentially cost lives.

So too is their loss of identity

As if the loss of medical services weren't enough for healthcare victims of cyber attacks, the potential theft of patients' sensitive medical information and the accompanying personally identifiable information adds insult to injury. Stolen information can include research data, patient records, billing information, insurance claims and social security numbers (a full set of identity records), all of which is highly prized on the dark web.

The hidden costs of the digital transformation of health care

These costs to healthcare victims can be overwhelming, particularly at a time in their lives when many are at their most vulnerable. It’s for this reason that we need to identify and resolve some of the factors that make the sector so attractive to attackers:

  • E-health records now connect patients and their healthcare providers to their medical treatment, introducing third-party cyber risk as well as significantly increasing the attack surface;
  • A review of the cyber security budgets of healthcare organisations shows significant under-investment despite the ongoing prioritisation of new technologies, resulting in growing cyber security deficits [7];
  • More than 22% of healthcare organisations continue to use legacy and end-of-life systems without vendor support, and a further 26% are unaware of what support they have [8].

Essential cyber hygiene

Fortunately, these drivers of cyber attack in the healthcare sector also point to some of the solutions. There are, for example, a number of cost-effective mitigation strategies or controls that can be implemented relatively simply across healthcare organisations to improve their cyber security maturity and, as a result, reduce their risk of cyber attack.

As noted above, accountabilities are strengthening so boards and senior executives need a clear picture of their cyber security posture.  Active security risk management processes that regularly measure and inform management of the state of their cyber controls are increasingly being expected by regulators everywhere.

Rapid diagnostics and remediation

Being able to monitor and assess your cyber risk against a simple set of cyber security KPIs, such as the Australian Cyber Security Centre's Essential Eight, need not be costly, but it can ensure that your organisation stays on top of its cyber security and maintains effective oversight.

The good news is that highly effective automated technologies are now available to instantly measure and enable you to manage the health of your key security controls. Huntsman Security’s Essential Eight solutions can quickly measure and clearly report cyber security posture to relevant stakeholders.

With a clear picture of the state of its prevention, containment and recovery strategies the board can regularly assess and address any shortcomings that may expose the organisation or its patients to poor cyber security outcomes.

[1] https://www.privacy.org.nz/publications/statements-media-releases/privacy-commissioner-calls-on-dhbs-to-address-it-vulnerabilities/ ; May 26 2021
[2] https://www.oaic.gov.au/assets/privacy/notifiable-data-breaches-scheme/statistics/2021-1/OAIC-Notifiable-Data-Breaches-Report-Jan-June-2021.pdf
[3] https://www.pwc.com/us/en/services/consulting/cybersecurity-privacy-forensics/library/global-digital-trust-insights/sector-analysis.html#health
[4] Ibid
[5] https://www.ibm.com/au-en/security/data-breach
[6] https://www.rnz.co.nz/news/national/443451/waikato-dhb-cyber-attack-doctors-walking-through-fog
[7] https://www.brookings.edu/blog/techtank/2021/08/09/why-hospitals-and-healthcare-organizations-need-to-take-cybersecurity-more-seriously/
[8] https://www.pwc.com.au/digitalpulse/ransomware-attack-health-sector.html


The ransomware readiness trinity: prevention, containment and recovery

Ransomware readiness is far better than cleaning-up after an attack

2021 is undoubtedly 'the year of ransomware'. The Colonial Pipeline attack in May highlighted the scale of the cyber risk for utilities and infrastructure industries more generally. All it took was a single compromised password for criminals to demand, and receive, a US$4m ransom. Although the ransom might sound costly, the wider damage to revenue and reputation caused to a giant like Colonial Pipeline will ultimately be much higher. More recently, the Kaseya case highlighted the exposure that businesses can have through their supply chains and service providers. One report was that the Kaseya attack had infected over one million endpoints, with a ransom set at $70m.

A cause for alarm

Colonial Pipeline Co was fortunate in having a potential 'quick fix' option: to pay the ransom. That situation might soon change if laws banning the payment of ransoms start to be passed in various countries. In Australia, there have been calls for mandatory notification of ransomware attacks; and in the US, the SEC and OFAC are looking at banning ransom payments altogether. Interestingly, this may not mean much change for some. In a number of cases already, despite ransoms being paid, the decryption process has been so slow that companies have had to rely on backups and their own safeguards in order to return to BAU.

Cyber insurance helps businesses manage two of their biggest risks – getting back up and running quickly and reducing disruption. Insurers, however, are increasingly demanding evidence of operational security controls and even co-insurance of cyber risk for some, where these are less apparent. Everything points to the likelihood that premiums will increase even further for organisations that are less well defended. So getting your cyber risk management capabilities in place may be more important than you think. You may need them to get insurance and you most certainly will if you can’t!

A closer look at the challenges

The energy, oil and gas sectors face some specific challenges. They have extensive and often remote networks to defend: IT assets at drilling platforms or production facilities, often interconnected by both public and private infrastructure back to HQ. Cyber security efforts are often less rigorous at some of these remote sites, so security controls like multi-factor authentication are a particularly important defence for remote IT facilities.

Any relaxation of security at remote facilities is inevitably seen by an attacker as an opportunity to access assets which would otherwise be protected more rigorously back in HQ. As with environmental and other risks in the energy, oil and gas sectors, letting your guard down at a remote site can present a weak link in your risk management defences, and as a result, a costly breach to clean up and make good.

The sheer number and variety of devices and systems in use can also pose challenges, as they provide an almost endless number of points through which an attacker can gain access and then encrypt even one part of the environment to render it useless. Colonial's weak link was its billing system rather than the technology that controlled the pipeline; but the interconnectivity of the systems meant that the pipeline network itself had to be isolated to limit the damage.

In our changing world, if paying ransoms is outlawed or too costly, and insurance becomes less of an option, the energy, oil and gas industry will need to improve its cyber risk management capabilities.

Ransomware readiness

Anti-virus software and network defences, alongside the rise of endpoint detection and response, can certainly help businesses manage attacks. But these solutions are reactive in that they rely on detecting the attack as malicious in the first place. What if your endpoint solution misses the attack without warning? Do you have a ‘defence-in-depth’ strategy or is there a single point of failure? Do you have visibility to know what’s happening? Are there other controls in place that can mitigate the threat? More attention must be given to ‘layering’ your defences to prevent or at least limit successful ransomware attacks before they do serious damage.

There are three elements of a cyber-attack sequence to focus on. The first is the prevention of any initial infection; and the second, containment or limitation of the spread, if one does occur. This then, needs to be coupled to the third element, recovery, which allows systems and data to be restored in the event of the failure of the other controls. The principles of effective risk management apply – triage the risks and manage them accordingly.

There are some important safeguards organisations can adopt to support each of these elements:

Prevention

  • Application control – ensure only approved software can run on a computer system, securing systems by limiting what they can execute
  • Application patching – applications must be regularly updated to stop intruders exploiting known vulnerabilities in software
  • Macro security – check that macro and document settings are correctly configured to prevent the execution of malicious code
  • Harden user applications and browsers – use effective security policies to limit user access to active content and web code
  • Firewalls/network gateways – and even physical on-site security – limit user access outbound and remote connections inbound
  • Staff awareness – while not a technical control, building a better understanding among staff of cyber security, the threats and the mitigation strategies that can minimise cyber-attacks is vital.

Containment

  • Restrict administrative privileges – limit admin privileges to those staff who need them, for specified purposes, and control what those admins can access
  • Operating system patching – fully patched operating systems will significantly reduce the likelihood of malware or ransomware spreading across the network from system to system
  • Multi-factor authentication – used to manage user access to highly sensitive accounts and systems (including remote users)
  • Anti-virus – install anti-virus software and keep it updated

Recovery

  • Daily backups – secure data and system backups off site and test your recovery processes
  • Incident management – in preparation for a worst-case scenario make sure there is a documented and practiced plan with everyone well versed in the incident management playbook

Monitor your controls closely. If one aspect of the chain of control stops working, IT teams need to know quickly to respond. A ‘cyber culture’ and making cyber security a board level issue will improve overall corporate preparedness.

Accountabilities for cyber security are changing. The board must receive reports that give clear visibility of these controls, as KPIs of the security posture of the environment. Measuring these KPIs must become part of an active cyber security risk management process. Being able to monitor your readiness and assess your risk across them provides a 'multi-point' early warning system and confirmation that an effective cyber security program is in hand.

The energy, oil and gas sectors face many challenges and there is no easy fix for cyber security risk management. A big ransomware attack can disrupt supplies and impact broader operations for a long time, as Maersk found to their cost.

The best way to protect an organisation is with strong cyber defences and controls, backed up by regular checks to mitigate any identified shortcomings as necessary. If one control fails to identify the attack, not all is lost, as other subsequent controls are available to limit its access and the progress of any impact. That way the risk of a successful attack is minimised and hopefully you’ll be on the front foot in an attack well before any disruption to your systems and operations.

Article originally published in Energy, Oil & Gas Magazine.

Interested in the ransomware readiness topic? Read our ransomware blog series: prevention, containment and recovery.


Ransomware readiness 3 of 3: Recovery

How to deal with a ransomware attack is currently a matter of some debate.

There is a school of thought that paying the ransom is a bad idea because it rewards the criminal and can be used to fund further attacks, possibly even on the same organisation.  Many organisations run a counter argument which suggests that to get systems and data back up quickly and resume services, paying the ransom is the cheapest way out of a bad situation.

There is an increasing number of stakeholders in this decision which complicates the matter enormously.

Firstly, there are increasing moves by governments and regulators to require the reporting of ransom payments, or even to make them illegal altogether. This fits well with an international desire to stamp out this type of transnational crime. It may, however, create existential considerations for some seriously affected organisations. Some insurers, like AXA SA, are now refusing to write policies that reimburse ransoms paid by their customers in France; so, without a decryption key, reinstatement and a return to BAU look unlikely for many victims who have no recovery capability of their own.

Secondly, there is the assumption that the decryption key or tool the ransom pays for will, in fact, work. It probably will (although not always); however, in the case of Colonial Pipeline Co, the decryption process was so slow that they had to switch to backups anyway.

Thirdly, and briefly returning to insurers’ roles in supporting commercial cyber risk management efforts, the increasing prevalence of ransomware is resulting in underwriters seeking more and more evidence of the use of security controls in the organisations they insure. It is of concern that in the absence of such controls, and in the event of a ransomware attack, insurers may refuse to pay either the claim or the ransom money.

The “best two” ‘til last

The measure of success of any recovery from a ransomware attack is your ability to resume BAU as quickly and painlessly as possible. Again, there is no silver bullet but the successful management of these “best two” controls will significantly increase your likelihood of successfully reinstating your business and data systems. As a result, these controls will limit disruption and your potential losses as well as, hopefully, the need to pay a ransom.

1)      Backups, please have backups

With ransomware being the topic of international summits, the insurance industry in such flux and future regulatory challenges to be resolved it would seem smart to have a backup plan – how your business could survive in the event of the worst possible set of circumstances.

You need regular, comprehensive, tested and accessible backups that can form the basis of the reinstatement of your business. Obviously they need to be secured and safely isolated from the rest of your networks and systems, but they also need to be sufficiently accessible to enable the restoration of business systems and data and a timely return to BAU.

This includes backups of servers, file stores, workstations and, in particular, systems where the integrity of the platform itself is vital, like domain controllers. Losing one of those can result in a massive amount of re-work. Don't assume, for example, that because systems are resilient or mirrored you will be OK. The ransomware might spread to all nodes in a cluster, or encrypted data could be replicated across all the same technologies you believed would save you.

Regular, comprehensive and reliable backups of every data store and enterprise system are still the best remedy for large-scale data loss or corruption. Having a secure and tested set of business system and data backups is the best form of insurance you can have.
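One concrete way to make "tested" and "isolated" mean something, as an added example that is not part of this blog: take the backup copy, record a SHA-256 of every file in a manifest, re-verify the copy against that manifest on a schedule, and rehearse a restore into an empty directory. A backup that has been silently encrypted because the share was reachable from the network then shows up as "modified" on the next verification pass rather than on the day you need it. The file names, contents and directory layout below are constructed for the demonstration.

```python
"""Added example: backup with an integrity manifest, verification pass and restore rehearsal.
Paths, file names and contents are constructed for the demonstration."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir, backup_dir):
    """Copy every file under source_dir into backup_dir and record its SHA-256 in a manifest.
    Returns the manifest as {relative_path: hexdigest}."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    manifest = {}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir).as_posix()
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dest)
        manifest[rel] = sha256_file(dest)  # hash the copy, so we verify what was actually written
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir):
    """Re-hash the backup against its manifest. Returns a list of (problem, relative_path)."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, digest in manifest.items():
        target = backup_dir / rel
        if not target.is_file():
            problems.append(("missing", rel))
        elif sha256_file(target) != digest:
            problems.append(("modified", rel))
    return problems


def restore_test(backup_dir, scratch_dir):
    """Rehearse a restore into scratch_dir and confirm every restored file matches the manifest."""
    backup_dir, scratch_dir = Path(backup_dir), Path(scratch_dir)
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    for rel in manifest:
        dest = scratch_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(backup_dir / rel, dest)
    return all(sha256_file(scratch_dir / rel) == digest for rel, digest in manifest.items())


def demo():
    """Constructed end-to-end run: backup, verify, rehearse a restore, then detect tampering."""
    root = Path(tempfile.mkdtemp())
    src, bak, scratch = root / "src", root / "backup", root / "restore"
    (src / "db").mkdir(parents=True)
    (src / "db" / "patients.sqlite").write_bytes(b"sqlite-data-" * 100)  # constructed content
    (src / "config.ini").write_text("[app]\nmode=prod\n")

    manifest = create_backup(src, bak)
    clean = verify_backup(bak)                 # expect no problems
    restored_ok = restore_test(bak, scratch)   # expect True: the backup really is restorable

    # Simulate ransomware reaching the backup share and overwriting one file with ciphertext.
    (bak / "db" / "patients.sqlite").write_bytes(b"\x00\xff" * 50)
    tampered = verify_backup(bak)              # expect [("modified", "db/patients.sqlite")]
    return {"files": len(manifest), "clean": clean, "restored_ok": restored_ok, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its storage: keep a copy of it (or at least its own hash) somewhere the production network cannot write to, otherwise an attacker who reaches the backup can rewrite the manifest alongside the files.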

2)      Incident response plan, please have an incident response plan

Assume that you have the ransom money (and are allowed to pay it) OR a good set of backups.  Is that all you need?

In short, no.

A ransomware outbreak requires solid management just like any other cyber security incident.  Reinstating your business systems and data to support BAU without impacting your business operations and stakeholders is not easy.

There will be the effects of disruption to manage, systems affected by the malware itself and those which have been disconnected to protect them.  There will be communications to customers, stakeholders, regulators, law enforcement, insurers and governments to manage.  If paying a ransom, who will negotiate with the attacker, and who has the sign off for a multi-million-dollar payment? These are not routine activities.

The vulnerability or security weakness that was exploited will require investigation so it can be fixed, patched or corrected to avoid further infections.  Infected systems must be isolated from the network so they don’t infect systems that have not yet been affected, or re-infect the ones you are gradually restoring and bringing back on line.

Planning for how the incident will be managed is essential, and as with any other plan, identify who’s in charge, practice it, establish the pre-requisites and dependencies.  Test it again. It all takes time, but if the plan works it sets the platform for a successful re-instatement of BAU whether you pay the ransom or not.

Summary

The recovery from a ransomware attack has a number of moving parts.  But you will need backups.  They might save you; they might be the only thing that does.  Especially, if you can’t pay the ransom, or the decryption solution isn’t workable.

The wider implications of a malware-infested environment, of disruption and losses of service, of needing to communicate and to arrange rapid access to funds, forensic teams or consultants all mean having a sound, and tested, incident management plan.

As we said in the first two blogs in this series (see here and here) – having controls and safeguards is important; making sure they all work effectively is equally vital.  It’s too late to test your incident management plan and system and data backups after the fact.


Ransomware readiness 2 of 3: Containment

In a previous blog, we talked about the rising threat of ransomware, how many solutions and approaches are geared towards detecting it, and the key things organisations can do to prevent a ransomware attack.

We spoke about some recommended prevention controls and their prospect of success. We also, however, cautioned that there are no silver bullets and that no defence on its own is perfect. It’s for that very reason that it is wise to make plans and have controls in place to ensure that if ransomware does get through, its spread and effect is limited. It’s all about the defence in depth that can be gained through the deployment of multiple security controls.  Clearly, one infected workstation is bad, but a thousand is undeniably worse.

All “Four” one…

“Containing” ransomware (in fact any attack or virus) is about limiting its ability to spread or to infect other systems and data; sometimes referred to as lateral movement.  The four approaches below have been found to be the most useful defences against ransomware, if you have been unlucky enough to find it on an infected system.

In many respects these are preventive controls too, in that they are intended to limit the extent of an attack; but for this family of threats they act as containment countermeasures against the "stage two", or propagation, phase of an attack.

1)      Restrict admin privileges

This comprises two aspects. First, minimise the number of people that have access to administrative accounts, and/or the amount of time they have access to them (e.g. for the duration of a change or a maintenance window). This is good practice: the principle of "least privilege".

Secondly, limit the potential exposure to malware that people with admin accounts might have. This means turning off the most dangerous features and disabling the riskiest accesses that can be performed by those with admin credentials.  For example, don’t give admin accounts an email address – if they need to use email, use their standard account. Don’t allow admin accounts to access the Internet, browse the web or access social media.

Admin accounts should only be needed when access for maintenance is required. If that is the limit of their use, then even if someone using an admin account does stumble upon something malicious, it can't penetrate the network using the very high level of access that an administrator has.

Limit the use of administrator accounts as much as possible to reduce the risk of ransomware spreading across your systems.

2)      Patch operating systems

Typically for ransomware the initial vector of attack is a direct network connection or via a malicious attachment, email or web page containing the initial payload.

Once that initial infection has activated and installed itself, ransomware typically seeks to spread across the network from its initial point of entry. It generally doesn't spread by sending follow-up emails to all the other people in the organisation; more likely it will try to connect from system to system directly, from one host to the next, unbeknownst to the users. This can occur through several means, but if there is an unpatched operating system vulnerability that the code can identify across multiple hosts, exploitation is relatively easy and likely to work on every system.

If the first host and system gets infected, ransomware can quickly propagate across the network by exploiting OS vulnerabilities on adjacent interconnected systems on the same network. Maintaining patched operating systems is therefore a very effective defensive control.
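Patching closes the hole; you still want to see the fan-out if it happens. The following added example, which is not from the article, is a small sliding-window detector over Windows logon events: an account that authenticates over the network (event 4624, logon type 3) from one source address to five or more different computers within five minutes is flagged, which is what a worm or an attacker pushing ransomware host-to-host looks like in the logs. The flattened key=value line format and the sample events are constructed for this example; in practice the input would be an EVTX/XML or SIEM export, and the thresholds are assumptions to tune against your own baseline.

```python
"""Added example: sliding-window detection of lateral movement in Windows logon events.
The line format and sample events are constructed; thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. In event 4624, LogonType 3 is a network logon, IpAddress is the
# source of the connection and Computer is the machine that accepted it. 4625 is a failure.
SAMPLE_EVENTS = """\
2021-10-04T09:00:01 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.20 Computer=FS01
2021-10-04T09:00:03 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.20 Computer=FS02
2021-10-04T09:00:04 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.20 Computer=DC01
2021-10-04T09:00:06 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.20 Computer=APP03
2021-10-04T09:00:07 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.20 Computer=HR-PC7
2021-10-04T09:00:09 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.20 Computer=FS03
2021-10-04T09:05:00 EventID=4624 LogonType=2 TargetUserName=alice IpAddress=127.0.0.1 Computer=HR-PC7
2021-10-04T09:06:00 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.7.31 Computer=FS01
2021-10-04T09:40:00 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.7.31 Computer=FS02
2021-10-04T10:30:00 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.7.31 Computer=DC01
2021-10-04T10:31:00 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.0.7.31 Computer=DC02
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_event(line):
    """Return a dict of fields plus a parsed 'timestamp', or None for lines we can't parse."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    fields = {}
    for token in match.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    fields["timestamp"] = datetime.fromisoformat(match.group("ts"))
    return fields


def find_lateral_movement(lines, window=timedelta(minutes=5), min_hosts=5):
    """Sliding-window detector. Events must arrive in timestamp order.

    Returns {(account, source_ip): set_of_computers} for every account/source pair that
    logged on over the network to at least min_hosts distinct computers inside window."""
    recent = defaultdict(deque)  # (account, ip) -> deque of (timestamp, computer)
    alerts = {}
    for line in lines:
        event = parse_event(line)
        if not event or event.get("EventID") != "4624" or event.get("LogonType") != "3":
            continue  # only successful network logons matter here
        key = (event["TargetUserName"], event["IpAddress"])
        hits = recent[key]
        hits.append((event["timestamp"], event["Computer"]))
        while hits and event["timestamp"] - hits[0][0] > window:
            hits.popleft()  # drop events that have aged out of the window
        hosts = {computer for _, computer in hits}
        if len(hosts) >= min_hosts:
            alerts.setdefault(key, set()).update(hosts)
    return alerts


if __name__ == "__main__":
    for (account, ip), hosts in find_lateral_movement(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT {account} from {ip} reached {len(hosts)} hosts: {sorted(hosts)}")
```

Events must be fed in timestamp order, and the threshold should be set from a baseline: vulnerability scanners and backup service accounts legitimately touch many hosts and need an allow-list rather than a lower threshold.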

3)      Use multi-factor authentication

Multi-factor authentication (MFA) means that an attacker requires something other than a single stolen password, compromised account or other set of credentials to move the ransomware laterally from system to system or to gain escalated privileges.  For normal users MFA can be a challenge with an operational overhead.  Some systems may not support MFA at all.

When taking a risk-based approach, however, multi-factor authentication is a very effective way to protect more exposed access points such as remote access/VPN gateways (Colonial Pipeline was compromised using a single factor remote login at one such access point).  MFA is invaluable for system administration accounts where the usage pattern is less frequent, but the impact of compromise can be significant.

Using MFA to protect sensitive or exposed access points and to control admin access puts operational barriers in the path of a ransomware attack.

4)      Have anti-virus and end-point protection

Anti-virus and end-point protection may seem like the obvious place to start against ransomware; in reality, however, all of these controls are baseline or foundational.  Anti-virus and endpoint protection is key but, like anything else, it is not a silver bullet: there are numerous accounts of successful attacks involving code, exploits or malware that succeeded despite such protection being operational.

Obviously, endpoint and anti-virus solutions should be kept current, but even then some malware and ransomware seeks to circumvent or disable the detection capabilities of anti-virus products; and it is not unknown for attackers to intrude directly into the network rather than rely on malware to gain access to a target.

Anti-virus solutions at the gateways and endpoints nevertheless provide significant protection against the spread of ransomware and other forms of viruses and malware. They must be regularly updated to be fully effective, and there are now technologies that watch for suspicious behaviour on workstations (for example a single process rewriting large numbers of files in a few seconds) as well as matching known virus code.

Anti-virus and end-point protection limit the intrusion and spread of malware of all types, and so they are another pivotal defence against ransomware propagation.
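The behavioural detection mentioned above rests on two observations: ransomware writes many files in a short burst, and what it writes is ciphertext, which has near-maximal byte entropy. As an added example (not code from the original post or any vendor product), the following runs that logic over constructed file-write telemetry; the window, file-count and entropy thresholds are assumed values a practitioner would tune, and the sample events are invented.

```python
"""Behaviour-based ransomware heuristic over file-write telemetry.

Added example, not code from the original post. Flags a process that writes
many distinct files of high byte entropy within a short window. The thresholds
and the sample events are constructed for illustration.
"""
import math
from collections import defaultdict

WINDOW_SECONDS = 10       # assumed: burst window
MIN_FILES = 20            # assumed: distinct high-entropy files needed in one window
ENTROPY_THRESHOLD = 7.0   # assumed: bits/byte; encrypted or compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def suspicious_processes(events, window=WINDOW_SECONDS, min_files=MIN_FILES,
                         entropy_threshold=ENTROPY_THRESHOLD):
    """Return the sorted names of processes whose high-entropy writes touch
    at least `min_files` distinct paths inside any `window`-second span.

    An archiver writing one large compressed file has high entropy but a
    single path, so it is not flagged; a user saving documents has many
    paths over time but low entropy. Ransomware has both signals at once.
    """
    by_proc = defaultdict(list)
    for e in events:
        if shannon_entropy(e["data"]) >= entropy_threshold:
            by_proc[e["proc"]].append((e["ts"], e["path"]))
    flagged = []
    for proc, writes in by_proc.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            paths = {p for t, p in writes[i:] if t - t0 <= window}
            if len(paths) >= min_files:
                flagged.append(proc)
                break
    return sorted(flagged)


def build_sample_events():
    """Constructed telemetry (not real data): three processes' file writes."""
    cipher_like = bytes(range(256)) * 4      # stand-in for ciphertext: entropy exactly 8.0
    text_like = b"Quarterly revenue figures, see attached spreadsheet. " * 8
    events = []
    # A user saving three documents over a minute: few files, low entropy.
    for i in range(3):
        events.append(dict(ts=100 + 20 * i, proc="WINWORD.EXE",
                           path=f"C:/Users/a/doc{i}.docx", data=text_like))
    # An archiver writing one compressed file: high entropy, single path.
    events.append(dict(ts=130, proc="7z.exe", path="C:/Users/a/backup.7z", data=cipher_like))
    # Ransomware-like: forty files rewritten as .locked inside five seconds.
    for i in range(40):
        events.append(dict(ts=200 + i * 0.125, proc="update.exe",
                           path=f"C:/Users/a/Documents/file{i}.xlsx.locked", data=cipher_like))
    return events


if __name__ == "__main__":
    print("flagged:", suspicious_processes(build_sample_events()))   # ['update.exe']
```

Real endpoint agents add signals this sketch omits (extension changes, deleted shadow copies, canary files), and the thresholds have to be calibrated against legitimate bulk writers such as backup agents, or the control generates noise rather than protection.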

Summary

The four controls described in this blog are the major components of the containment controls needed to limit the spread of ransomware.

In the first blog of this series we looked at the ways organisations could defend themselves from the initial stage of attack and then, here, we have canvassed the ways that an attack can be contained.  Of course all 10 of these controls act in concert to prevent and limit the spread of ransomware – but businesses need to defend patient “zero” as well as patient “one” onwards.

As we said in the first blog, having controls that you can trust and making them measurable and effective is key. A ransomware attack will highlight at least one of the weaknesses in your cyber security posture, but you need to find them all, preferably ahead of time, so you can avert potentially catastrophic losses.

It’s important to remember that auditing and assessing your security controls are regular and on-going processes. Every vulnerability, every patch, every new admin account or newly provisioned server could introduce the weak link that allows access to a ransomware attack.  Depending on the size and nature of your business operations, annual or even quarterly assessments may not be frequent enough to secure yourself in such a rapidly changing risk environment.

Read More

Ransomware readiness 1 of 3: Prevention

There is so much interest in ransomware at the moment that it almost feels like it’s the only cyber security problem we have to solve.  While that certainly isn’t the case, there is undoubtedly a renewed importance in being able to deal with this increasingly debilitating threat.

Much time has been spent, as is often the case in cyber security, looking at how to detect it, mostly by monitoring the network and endpoints for host or session activity that indicates compromise.  Of course you want to be able to detect a ransomware attack, but wouldn’t it be better to prevent it in the first place?

In a series of posts (this one being the first of three), we will look initially at ways to prevent ransomware attacks in the first place.  Then we will move on to how to limit and contain their effects, if you do get infected.  Finally, we’ll look at the recovery options if things just don’t go to plan.

Prevention is better than cure

In the vast majority of cases, ransomware attacks start in one of two ways.  If you can cover both these bases there is a good chance that early “patient zero” infection can be avoided:

  • An attacker getting direct access to an environment to deliver ransomware.
  • An attacker getting a user to access, read or trigger a web page, email or attachment.

When we analyse these vectors, we can see that had better controls been in place, the attack could well have been evaded completely.  The good news is that with little more than a handful of operational security controls these points of ransomware entry can be protected effectively.

“Six” sense

From the cases we’ve seen (including here) and other research (such as this) there are six really good anti-ransomware defences to prevent attacks.  In many cases these are focussed on stopping the initial malicious payload the attacker is seeking to deliver. You can, of course, add in more controls but these are the ones that are generally recommended to limit your risk of attack:

1)      Tightening up user application configurations

The settings of user applications, particularly Internet-facing ones such as browsers and email clients, are often a major point of weakness, yet they are also among the easier things to set in a central policy (assuming that the policy is then universally applied).

The most obvious and pertinent example is the ability of emails and web pages to run active code locally (Java, Flash and the like). Removing this can sometimes reduce website functionality but, importantly, it prevents attacks that rely on executing code on the user’s system.

In short, limit what external content is able to do on a user’s system when it is accessed from a web page or an email.

2)      Limiting application installation and execution

Most malware arrives as an attachment, a download or at the end of a link, and will seek to install itself and run various pieces of code.  One way to prevent this is to control users’ ability to install and execute their own software.  This is not dissimilar to the policies often put in place anyway to prevent the installation of unlicensed software, or of random applications that could expose data (cloud storage clients, for instance).

If “normal users” cannot install and run other applications, then neither can the malware sender or ransomware creator. The attack is stopped in its tracks, even if the user is deceived into opening a malicious attachment in the first place.  For this to hold, the control needs to cover scripts and script interpreters as well as executables, since a great deal of malware runs from a script or macro rather than a dropped program file.

The value of this control is increased further by its ability to limit the many data theft attacks that rely on installing software, possibly the cloud storage type mentioned above, or other file transfer utilities.

Preventing installation and execution of ransomware is a big enough reason to control applications and software in this way.

3)      Patching applications

It is important to ensure OS patches are applied, although in the case of ransomware we have more often seen OS-level vulnerabilities used to spread the malware than to allow its entry in the first place.

Applications, however, are the more likely point of entry for ransomware attackers. The reason is that when content arrives (email, web page, document, PDF file) it is an application that loads it.

One example is Adobe Reader and PDF files, which have proven time and time again to be a common way in which malware is introduced. So closing this route of attack pays real dividends.

If applications have vulnerabilities that are not patched, there is a real danger that they can be exploited by any malicious file or document to allow ransomware to gain a foothold in your enterprise.

4)      Controlling macros

As with active code and embedded malware in web pages and emails, another vector for ransomware ingress is from within document files: Word documents, Excel spreadsheets and so on. These files can contain macro code that is turned against a user who has unwittingly opened an innocent-looking Word document or spreadsheet.  This happens easily, so Microsoft Office applications should be configured to block all but “trusted” macros: at a minimum, block macros in files that came from the Internet, and allow only macros digitally signed by a trusted publisher.

Preventing macros (i.e. code) running within applications is another very good way to limit the risk of ransomware, and other forms of malicious content entering your environment.
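Office policy stops macros running on the endpoint; a mail or web gateway can also refuse macro-bearing documents before they arrive, and it should decide on content rather than file extension. The following is an added example (not code from the original post) that inspects the OOXML container for a VBA project or Excel 4.0 macro sheets. The documents it checks are minimal zip containers constructed in memory, and the VBA part is a stand-in byte string.

```python
"""Content-based detection of macro-bearing Office documents at a gateway.

Added example, not code from the original post. The sample documents are
constructed in memory (minimal OOXML zip containers), not real files, and
the VBA part is a placeholder. Standard library only.
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"     # legacy .doc/.xls/.ppt (OLE2) header
CONTENT_TYPES = "[Content_Types].xml"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def classify(blob: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole' or 'not-office' from the bytes alone.

    The verdict deliberately ignores the file name: a .docm renamed to .docx
    still carries word/vbaProject.bin inside the zip.
    """
    if blob.startswith(OLE_MAGIC):
        # Binary Office formats keep VBA in OLE streams; inspecting those needs
        # an OLE parser (e.g. oletools), so a gateway should sandbox or quarantine.
        return "legacy-ole"
    if not blob.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
            if CONTENT_TYPES not in names:
                return "not-office"          # an ordinary zip, not OOXML
            content_types = zf.read(CONTENT_TYPES)
    except zipfile.BadZipFile:
        return "not-office"
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    has_xlm = any(n.startswith("xl/macrosheets/") for n in names)   # Excel 4.0 macro sheets
    declared = b"macroEnabled" in content_types
    return "macro" if (has_vba or has_xlm or declared) else "clean"


def extension_mismatch(filename: str, verdict: str) -> bool:
    """True when the content carries macros but the name claims a macro-free format."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return verdict == "macro" and ext not in MACRO_EXTENSIONS


def build_ooxml(parts: dict) -> bytes:
    """Assemble a minimal OOXML container from {zip entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real documents).
CLEAN_DOCX = build_ooxml({
    CONTENT_TYPES: b'<Types><Override PartName="/word/document.xml" ContentType="'
                   b'application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = build_ooxml({
    CONTENT_TYPES: b'<Types><Override PartName="/word/document.xml" ContentType="'
                   b'application/vnd.ms-word.document.macroEnabled.main+xml"/>'
                   b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"constructed stand-in for a compiled VBA project",
})


if __name__ == "__main__":
    for name, blob in [("report.docx", CLEAN_DOCX), ("invoice.docx", MACRO_DOCM)]:
        verdict = classify(blob)
        print(name, verdict, "extension mismatch" if extension_mismatch(name, verdict) else "")
```

The mismatch check is the useful part for triage: a macro-bearing file arriving under a macro-free name is a stronger signal than either fact alone, because there is no legitimate reason to disguise the format.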

5)      Educating staff

Cyber security awareness programmes are acknowledged as an important driver of cultural change and as a result are becoming more common. While they vary in quality, approach and even style of delivery, their ability to raise the level of cyber security knowledge is well-established.

The challenge with staff awareness, however, is that people can still be lured into making mistakes, and skilled social engineers can often entice quite capable people to do things they would not otherwise do. Adversaries can persuade even recently trained staff that a malicious payload is benign.  Telling people to avoid clicking on suspicious links or unexpected attachments only goes so far; if the attacker can induce the victim to click, security teams must rely on other technical controls as part of a defence-in-depth strategy.

Cyber security awareness programmes matter, but they are not a silver bullet. Refresher programs are necessary, but they also need to be accompanied by other controls. You need a mitigation strategy in place to address the absolute likelihood that someone will click on a link or allow an attachment to open and execute.

6)      The network perimeter

Lastly, or firstly depending on your point of view, is the network perimeter.  It is a vital enforcement point because it is where access attempts are often targeted, as in the case of Travelex (out-of-date VPN devices) or Colonial Pipeline (single-factor authenticated access).  Perimeter devices can also be configured to control the types of content users see.

If you can control access and prevent administrative users from browsing the web, or maintain a list of addresses with malicious content or bad reputations and filter the content or URLs that people access, then you can prevent a significant number of ransomware attacks.
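URL filtering against a reputation list is simple to describe and easy to get wrong: a naive substring match misses `EVIL.EXAMPLE.COM` and fires on `attacker.net/evil.example.com`. The following is an added example (not code from the original post or any filtering product) that normalises the host and matches on domain suffixes instead. The blocklist entries and URLs are constructed for illustration.

```python
"""Host-based URL blocklist matching with proper normalisation.

Added example, not code from the original post. Shows why the match must be
on the normalised host name and its parent-domain suffixes, not on the raw
URL string. The blocklist and test URLs are constructed.
"""
from urllib.parse import urlsplit

# Constructed reputation list; IDN entries are kept in their punycode (xn--) form.
BLOCKLIST = {"evil.example.com", "xn--bcher-kva.example"}


def normalize_host(url: str) -> str:
    """Extract the host part of a URL and canonicalise it.

    urlsplit().hostname strips userinfo, port and brackets and lower-cases;
    the trailing dot (absolute DNS name) is removed; Unicode labels are
    converted to punycode so look-alike names compare as their wire form.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:        # malformed label (e.g. empty): leave as-is
        pass
    return host


def is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """True if the host or any parent domain of it is on the list.

    sub.evil.example.com is blocked by the entry evil.example.com;
    evil.example.com.attacker.net is not, because the list entry must be a
    suffix on a label boundary, not a substring.
    """
    labels = normalize_host(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def naive_is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """The substring check this example argues against (kept for contrast)."""
    return any(entry in url for entry in blocklist)


if __name__ == "__main__":
    for u in ["https://EVIL.EXAMPLE.COM./login",
              "http://user:pw@sub.evil.example.com:8080/",
              "https://evil.example.com.attacker.net/",
              "https://attacker.net/evil.example.com",
              "http://bücher.example/"]:
        print(f"{u:50} suffix={is_blocked(u)!s:5} naive={naive_is_blocked(u)}")
```

Two caveats a practitioner would add: the list has to be refreshed continuously to be worth anything, and a proxy can only normalise what it sees, so the same check should run on the decrypted host name (SNI or the CONNECT target) for TLS traffic, not on a logged URL string.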

Summary

Collectively these controls are highly effective.  Of course, you want to detect ransomware, but preventing it in the first place is a better outcome.  Putting up these barriers (which often only cost the time it takes to configure them) is a vital line of defence.

As with any risk management strategy, you must plan for the fact that sometimes defences like these will fail.  This is the very essence of defence in depth and why, in the second blog in this series, we will look at how to deal with that circumstance when it occurs.

Once you have a set of controls in place, you can monitor these to ensure that they are working and correctly configured to provide an effective defence.  This assurance is vital and forms a key part of a cyber security risk management process that will strengthen your oversight of your internal network as well as those of your 3rd party suppliers.  Furthermore, cyber insurers are increasingly expecting organisations to have these basic “cyber hygiene” controls in place with evidence of their operation before taking on risks or paying out on policies.

As a starting point, these six preventive controls are simple, effective and widely recommended to assist in the fight against ransom

Read More

Where next for ransomware?

The scourge of ransomware continues, with the high-profile Colonial Pipeline case back in May (we blogged about that here) now just another disturbing statistic in an onslaught that some have estimated at up to 4,000 attacks a day.  Ransomware, of course, is not a new problem.  Past events include the WannaCry and NotPetya outbreaks of mid-2017, which affected the UK NHS and shipping conglomerate Maersk respectively (amongst many others), and the Travelex ransomware attack that affected travellers buying Forex in early 2020.

But 2021 so far does seem to be “the year of ransomware”. Colonial’s ransom of $4.4m (some of which was later recovered) has been accompanied in this year’s roll-call by insurance company CNA Financial, who reportedly paid a $40m ransom; the Irish healthcare system, which is still seriously impacted despite being given the decryption tool; and JBS, whose international meat-packing production was halted for a period.

So, what does this mean?

Ransomware: For Governments/Regulators

Governments are concerned at the highest level.  And rightly so.  These attacks are starting to impact the ordinary consumer leading to social, economic and political consequences.  The disruptions have been far reaching. The Colonial attack meant changing regulations to temporarily permit large volume road haulage of fuel and a rise in pump petrol prices. Attacks on the healthcare and education sectors were more severe, with treatments and operations being cancelled. Even schools have been closed and other services disrupted.

Aside from top-level talks at the G7 summit and between Presidents Biden and Putin, there are several more tactical initiatives.  Guidance has been published in the USA and UK, and several nations, including Australia, where the Essential 8 already has a malware focus, have increased their attention on this matter.

In Australia, for example, there have been calls for mandatory notification of ransomware attacks, as already applies to privacy breaches.  France has reportedly banned the payment of ransoms by insurers, and in the US the SEC and OFAC have been looking to restrict ransom payments, particularly to countries under trade or economic sanctions, which is often where these attacks are launched from.

Ransomware: For Companies

Organisations cannot ignore the ransomware risk.  Particularly those that are part of critical infrastructure, so finance, utilities, food, health, education, retail, transportation, energy etc… the list is long.

Colonial Pipeline Co was a high profile ransomware attack

In the past there has been a heavy reliance on detection, with enhancements to anti-virus software suites and network defences, the rise of endpoint detection and response (EDR and its successor XDR).  These technologies are all familiar and are designed to stop a ransomware attack in its tracks and do something about it before it spreads.

It needs more than a silver bullet

Increasingly, however, there has been more consideration of controls that prevent ransomware attacks in the first place.  The recent UK National Cyber Security Centre and White House recommendations on best practice against ransomware each recommend the use of multiple security controls. These controls can be categorised into three avenues of effort or investment.  The first two are prevention of the initial infection and then containment or limitation of its spread.  If these two are coupled with a third, recovery, then the organisation’s resistance to, and readiness for, a ransomware attack is heightened.

In reality, this means better cyber hygiene controls across the board. Many of these attacks penetrate the organisation through vulnerabilities that really should have been managed. If they can be contained, however, their repercussions can often still be minimised.  Examples of these three areas are:

Prevention
  • Application execution control
  • Patching applications
  • Configure macro/document settings
  • Hardening user applications/browsers
  • Firewalls/perimeter security
  • Staff awareness

Containment
  • Restricting administrative privileges
  • Patching operating systems
  • Multi-factor authentication
  • Anti-virus software

Recovery
  • Daily backups
  • Incident Management

This was precisely the approach used in the original Australian Cyber Security Centre’s Essential 8 framework (which uses a number of the controls above), but there is considerable overlap here too between the US CMMC standard, the UK’s Cyber Essentials scheme and recent UK and US guidance on ransomware.

So, detection is good, but it’s not infallible. Readiness and resistance are better (and ideally all three should be used in concert) because they apply the principle of layered security, defence in depth, to improve your overall cyber maturity. After all, it’s not just ransomware that presents a cyber risk to business.

For boards, the ability to get reports of the effectiveness of these controls is a key performance indicator; equally important is getting visibility of the state of their cyber defences.  You do not want the first sign of a weakness in your controls to show up when it’s the one that’s exploited by a ransomware attacker.  We’ve discussed this at length before in our blogs here and here.

Ransomware: For Insurers

Lastly, the cyber insurance market is being affected by ransomware, and not just directly as in the case of CNA Financial.  When an attack occurs the victim organisation wants to claim on its cyber insurance and have the ransom paid quickly; until now that has pretty much been the case.

As noted earlier, however, ransom payments by insurers may soon be outlawed. Right now cyber insurers are taking a much greater interest in the ransomware safeguards and attack readiness of organisations seeking insurance. Supplementary questionnaires are being issued to policy holders and new customers in an effort to quantify their readiness, and so their risk of attack (though questionnaires may not be the best way to gain assurance), and premiums for less well defended businesses have risen sharply. Worse, for some the inability to verify adequate ransomware readiness has meant the added burden of co-insurance, or even no insurance at all.

Conclusions

The bottom line is that organisations must lift their game, both in terms of their verifiable levels of defence against ransomware (the effectiveness of security controls) and their ability to use those metrics to effectively manage their wider cyber risk management programs.

This is being demanded by boards everywhere, who do not want the risk of large-scale disruption to their businesses and who are in fact accountable for the better management of cyber security risks.

For those that are insured, there will also be an economic benefit:  better controls will mean lower premiums and a realistic chance of getting a claim paid.

Read More

Ransomware is still a challenge

Ransomware is a clear and present danger to business and if any organisation needs convincing, events impacting Colonial Pipeline Co this week are a clear reminder. Critical Infrastructure (CI) operators everywhere have been warned by authorities of their potential vulnerability to cyber attack; efforts are being made in some industries but the overall shift towards resilience across the sector remains slow.

Read More

Security Logs – which ones to keep

Security operations teams know that log management is important, yet with every operating system, network device and application writing its own set of activity-related events, how do Security Information and Event Management (SIEM) system administrators decide which security logs are important and which can be ignored? Let’s spend some time looking at today’s threat environment and from there determine a suitable answer.

Read More