Cyber Security Essentials

Learnings from Black Friday and Manic (Cyber) Monday

With the recent past focussed on COVID-19, and lockdowns now starting to end around the world (certainly in the UK, Australia and the US), for many it’s time to turn their attention to one of the biggest retail events on the calendar. This year, in fact, it may even determine whether you get that Christmas gift for someone special or end up emailing an apology because it’s still clearing customs!

Black Friday and Cyber Monday

Traditionally, “Black Friday” and “Cyber Monday” are the focus of as much retail activity as shops can generate and shoppers can bear. In 2020 for example, despite COVID-19, there were an estimated 100 million on-line shoppers searching for bargains. In only a few short years it has become a pre-Christmas phenomenon, globally. Friday and Monday span the US Thanksgiving weekend, and with it being close to the last pay period before Christmas, they are now as important to traditional stores as they are to online retailers.

Despite the disruption (and frustration) from the pandemic, this year Black Friday could become the touch paper that sets consumer driven economies back up and running up. The only possible cloud on the horizon is the ongoing and significant supply chain issue which is creating shortages in just about everything, everywhere.

Hopes are certainly high that Black Friday and Cyber Monday will meet expectations. There’s already a buzz. People want to be able to shop for deals, and they want bargains. After two years of disruptions, you can’t blame them for wanting to get their Christmas shopping done early – like shopping for gifts and even starting to get hold of the other things they plan to celebrate with – alcohol, food, treats, Christmas jumpers etc.

Vulnerable supply chains

What we’ve also seen this year, however, is an increase in high profile ransomware attacks. Colonial Pipeline was forced to shut-down its pipeline systems which resulted in petrol shortages on the US east coast. JBS Foods suffered processing disruptions that led to food deliveries being delayed.

Ransomware has shown its ability to seriously disrupt businesses and the services they provide; increasingly vulnerable organisations are now being targeted for maximum impact. We have seen DDoS attacks used to impact companies at critical times, such as major sporting events and peak shopping periods. A cyber disruption to the finance sector in two weeks’ time would not be helpful – impacting retail momentum and re-enforcing the anxiety that has emerged during an unprecedented year of ransomware attacks.

For this reason, all parts of the supply chain need to maintain a level of diligence during the Black Friday/Cyber Monday season. Many retailers have already hedged against fulfilment concerns but with hopes of a bumper sales season, all supply chain participants should assess their risks and make a contingency plan where necessary.

Check now, prepare, feel safe

Ahead of any peak trading period or highly critical time window, organisations take steps to ensure everything goes well: DDoS protection, the ability to scale bandwidth, extra delivery slots, warehouse space, additional inventory for sale products and staff overtime rosters.

Ransomware is a business risk – it can affect your business at any time, but especially at times when a disruption to activities would be most damaging. So, if the Black Friday/Cyber Monday sales are important to you or your business, it’s important from a cyber perspective to assess any potential risks ahead of time, and put safeguards in place as part of your risk management plan. The time is now!

Don’t let ransomware risks in critical infrastructure keep you awake at night

The challenge of 2021 for security professionals is undoubtedly ransomware. It has, of course, been around for some years – but really gaining notoriety when the WannaCry and NotPetya attacks affected the NHS in the UK and the global shipping giant Maersk.

More recent attacks have cemented this malware genre at the high end of the risk spectrum; with recent examples being the Colonial Pipeline attack in May that led to fuel shortages and impacted US gas prices, the subsequent JBS Foods outbreak that caused food supply chain disruption, the continued attacks on healthcare in Ireland and New Zealand and even an attack on the insurance giant AXA SA.

Ransomware is disruptive

The problem with ransomware is the level of disruption it causes. When you’re faced with encrypted and inaccessible data it doesn’t just mean that you can’t open files; on some systems the loss of that data stops many more important things from working. If, for example, it’s a domain controller or database the IT team will try to contain the spread of the infection by turning systems off, quarantining systems or even disconnecting the Internet.

This means that parts of the business that are otherwise unaffected can also lose the ability to operate. We saw this with Colonial. The billing system was affected by ransomware, but the pipeline systems were impacted (and deliberately isolated) by the response to it.

Additionally, the recovery process itself might not go entirely to plan. Colonial paid the ransom but found the decryption tool was too slow, so they had to revert to backups anyway. In the case of a food distribution business, getting data back and systems running again may not be quite as time dependant, but the concentration of food producers could quickly create a single point of failure. In healthcare the stakes are even higher, where interruption to IT medical systems can have immediate and fatal implications. Sadly, it’s for this reason that cynical ransomware attacks on healthcare systems are so prevalent. The implications of ignoring the threat are too high; and criminal groups know that.

Critical Infrastructure is … critical

Everyone is concerned about ransomware and they are right to be; but in the critical infrastructure sector the problem of loss of data and availability of systems is acutely felt, and not just by the company. Depending on the victim it can affect every one of us.

The problems come when the services and supply chains affected are time critical or they have the potential to impact our wellbeing. Petrol supplies can run low or be rerouted before there are major issues, food supply chains likewise, but in sectors like healthcare substitution is more difficult. Yes, you can postpone operations or treatment but that may lead to life threatening consequences.

If water supplies are disrupted, the power goes out, gas supplies are cut, or telecoms are down the effects are much more immediate and widespread. If people can’t heat their homes, cook food, or access clean water – these things impact our wellbeing and quickly take their toll. The threat of ransomware attacks in these types of business are of most concern because of their potential to have major ramifications for our society, much more severe than even the worst scenarios we have seen so far in 2021.

Be ready

Initially the threat models that were contemplated and planned for in these sectors were intrusion by skilled and malicious hackers intent on disrupting service delivery – someone who would gain access and subvert systems to disable pumps, alter flows, disable control systems or destroy machinery.

The concerns were that the attacks would be focussed on the industrial controls systems (ICS) themselves or SCADA equipment. Defending against ransomware in the wider IT environment as it spread across the more traditional (and less important) platforms, and progressively turn systems into an encrypted logjam, was a priority.

It was these more sector focussed attacks on ICS/OT/SCADA that were front of mind when initiatives like the NIS directive was instituted by the EU back in 2016 and when the US National Protection and Programs Directorate (NPPD) was set up in 2007 (and its successor CISA in 2018).

More recently, the NCSC in the UK has published guidance on mitigating ransomware, ACSC in Australia likewise and the Whitehouse issued a “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems” on 28 July 2021 (read it here) which followed hot on the heels of “Executive Order on Improving the Nation’s Cybersecurity” in May (read that here).

In Australia things are moving quickly. A new Critical Infrastructure Bill (CIB) seeks to (i) expand the sector beyond traditional utilities and, (ii) in consultation with participants, agree a regime of enhanced cyber security safeguards for the sector. Following the Colonial and JBS attacks, Australia has seen the risks of cyber attack on infrastructure targets as so urgent they have sought to accelerate legislation by splitting the CIB. Part 1 of the CIB, currently before Parliament, seeks to quickly give the government last resort powers to “step in” to assist an organisation during a cyber attack. Part 2 of the Bill which includes the definition of protective risk management programs, yet to be agreed to by each industry, will then follow.

As its variants continue to yield worsening consequences for victims, ransomware sits menacingly between specialist SCADA and OT controls systems and the wider IT network security environment. The implications of an attack, therefore, can be highly disruptive either in the IT or OT environments and even worse if it impacts the provision of critical services to customers.

The recent events confirm, absolutely, that critical infrastructure providers need to avoid ransomware at all costs. This means that while they can contemplate specific detection systems and malware controls, they also need to focus on the basics of cyber security protection across both the OT and IT environments. Defending risk vectors with acknowledged security controls that can measure and report effectiveness levels to cyber risk management teams is vital.

Prevention is better than detection

The aforementioned guidance from Australia’s ACSC sums up the best approach concisely:

“Investing in preventative cyber security measures, such as keeping regular offline backups of business-critical data and patching known security vulnerabilities, is more cost effective than the comparative costs incurred when attempting to recover from a ransomware incident.”

Ransomware Readiness means having controls to:

Prevent – The initial infection (ie. avoid a patient zero)
Contain – Should that fail, stop the spread of an infection across systems
Recover – Restore data and systems and initiate a well rehearsed incident management playbook

Prevention is obviously vital, but Containment is especially critical for CI organisations where the knock-on effects, regulatory pressures, and affected parties can quickly become overwhelming.

A commercial business might have no qualms about closing off parts of its systems and slowing its ability to take orders for a few days. A power company, however, cannot shut off electricity supplies in the same way.

Get visibility of your risk

From what we’ve discussed, the logic is simply:

For boards and senior managers of CI organisations it is important to have confidence that security controls are in place and operating effectively.

There are numerous Information Security Management Systems standards and frameworks that operate effectively across the sector. What is most important in the CI sector, however, is that operations and senior management teams can quickly gain visibility of the state of their security control effectiveness, on-demand, from a baseline set of quantitative KPIs. If shortcomings are identified in any of the controls they can then be quickly mitigated and the risk of a security breach effectively managed.

If the best policy is to prevent impacts – through stopping initial infection, containing the spread and recovering data – these controls must be managed just like safety critical systems are in OT environments. This is where risk management comes in: you might have controls, but you can’t wait until they fail to be alerted to their potential for failure. If there are vulnerability gaps, they need to be quickly identified, and mitigated and corrective actions taken. Accurate reports need to clearly evidence the state of security maturity.

Lack of understanding and adequate oversight are arguably two of the biggest challenges when it comes to effective security management. The presence of basic security controls, like patching, must be confirmed and their effectiveness measured so that any deficiencies can be quickly identified and fixed. Failure to mitigate these weaknesses are the gaps that attackers search for; and so systematic risk assessments can improve your intel and reduce the risk of ransomware attack.

Downtime disruption

There has recently been a prominent example of how damaging a serious IT outage can be. The hours-long interruption in service that Facebook (and its other platforms Instagram and WhatsApp) suffered recently, made news around the world. It cut off social networks, friends, relatives, lovers and businesses. Only Twitter saw the funny side.

The root cause is still the subject of some speculation and we have no information on that, beyond what’s been published on the Internet. What was clear, however, is how disruptive and damaging an outage can be, howsoever it was caused. Facebook became the news as its share price fell almost 6%, leaving Mark Zuckerberg an estimated $7billion out of pocket. Now that’s a sizeable amount, but already the price has partly rebounded; so, he’s unlikely to starve!

Let’s speculate

The prevailing theory is that the outage was caused by a remote administrator updating the BGP routing configuration. The change meant that routing was disabled as the old configuration was removed – but the new configuration couldn’t be configured because it was being done remotely. As a result, Facebook’s application servers and DNS hosts became unreachable and, being remote, they couldn’t connect in to fix it. Reportedly someone who knew what they were doing had to physically get to site and reconfigure the settings on the routers to bring the environment back up.

Ignoring the frailty of IT systems to human error, and the difficulties and vulnerabilities of routing configurations and DNS, what can the rest of us learn from the disruption caused by the outage of such critical social infrastructure?

What can we learn?

A worst case scenario for many businesses, not just Facebook, is a complete loss of service. Facebook’s business model is totally reliant on online access and the Internet. Many other businesses don’t consider themselves to be as exposed to that kind of failure, but the reality is that in a digital world even a small outage can have a hugely disruptive effect.

This can be caused by misconfiguration or human error (as was perhaps the case for Facebook), an oversight, a physical failure or a deliberate act. The cause, as always, is much easier to pinpoint after the fact.

We have seen similar implications in non-IT businesses too – oil pipeline operators, food manufacturers and healthcare providers who businesses have suffered major outages as a result of ransomware attacks. Their reliance on IT, even though they trade in the physical world, meant that services and their delivery were similarly affected. This shows that no company can afford an IT outage – no matter how it is caused. Network misconfiguration is just one cause of failure; and ransomware another which has over recent times become more common than the calamitous events we saw in the social media world last week.

What the Facebook event shows is not how to avoid downtime, outages and blackouts –instead, it shows how small episodes that can seem almost trivial can give rise to such enormous consequences.

You can’t avoid all risks. Whether it’s a network administrator changing routes or a user with a malicious email attachment, people make mistakes. If, as the mathematician Lorenz proposes, a butterfly flapping its wings can result in a tornado, it’s important that early signs of risk are acknowledged as part of your risk management process.

We can learn about the risks of changing BGP configurations from Facebook; or when it comes to ransomware, learn how to reduce the risk of becoming infected. In both instances, however, effective mitigation strategies that prevent a risk or contain its impact are key to lessening the potential effect across an entire enterprise.

Back-ups mean so much

Maybe a backup router configuration strategy might’ve helped Facebook (if they had been easily accessible). Although, to be fair, massive on-line businesses like Facebook typically have huge backup data centres available to provide resilience and mitigation against catastrophic events.

For many other failure scenarios, however, backups are an important part of a Plan B. Loss or corruption of data can render even a fully working, internet connected, server inoperative. In the event of hardware failures, ransomware, theft, deliberate misuse or vandalism – it’s often the presence or absence of that make the biggest difference.

In some ransomware attacks, where the decryption process has been absent, unworkable or too slow, backups have provided the road to recovery. Colonial Pipeline found that; and so did Maersk when they were hit by NotPetya. They only managed to get their systems back because of a single domain controller, located in a remote Nigerian office and unaffected by the broader network outage. Incredibly, it was this only copy of the user and system Active Directory (which was ultimately flown back to head office) that enabled the recreation of the Maersk windows domain.

Summarising

We’ve seen lots of significant systems outages in the past, resulting from numerous causes, and Facebook is just the most recent high profile “victim”. We also know that such disruptive events can stem from something as small as a butterfly flapping its wings.

Effective risk management means dealing with these, and where they can be foreseen, having controls in place. Every company can learn something about network support and administration from the Facebook experience, and in the same way every company can learn something about ransomware from Colonial Pipeline and about the importance of backups from Maersk.

You do have to sweat the small stuff!

Patient information at risk

After the ransomware attack on the Waikato District Health Board (DHB) in May 2021 the New Zealand Privacy Commissioner John Edwards, warned all 20 NZ DHBs that if any DHB was found to not have adequate security (to protect patients’ information), compliance notices may be issued under the Privacy Act 2020; and if necessary, prosecutions would follow [1].

Clearly the time has come for boards and executive teams in New Zealand’s DHBs to be ransomware ready. Concerns were raised in Australia too, when the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breach Report for Jan-Jun 2021 confirmed that the health care sector was most vulnerable to ransomware attack. [2]

The cyber hygiene of healthcare

Meanwhile, in this climate of growing attacks globally, PwC observed that less than 50% of health sector CISOs were likely to increase their cyber budgets in 2021. Almost 75% of those executives surveyed believed they would still be able to improve their levels of cyber posture through cost containment and judicious spending[3].

According to the OAIC, in Australia, ransomware was up 24% since the last reporting period. Recent local health care attacks in both Australia and New Zealand are a wakeup call for boards and executive teams. It’s time to take cyber security and resilience very seriously. Despite the optimism of those surveyed by PwC[4], in an industry notorious for systems vulnerabilities and cyber security under-investment, it is imperative that health care organisations embrace a stronger cyber culture and seek expert advice to tighten their cyber security controls.

The recent IBM Cost of Data Breach Report 2021[5] confirmed that, for the 11th year in a row, the healthcare sector had the highest average cost of a data breach. This year, US$9.23m per breach and that excludes the lives potentially put at risk as a consequence of an attack.

Patient welfare is at risk

In Brisbane, a ransomware attack on UnitingCare’s internal IT systems forced its hospitals and nursing homes to resort to manual back up processes. While in Waikato, the ransomware outage affected all clinical services across all 5 regional hospitals. Patient appointments and surgeries were severely impacted, causing large backlogs for these important services.

The loss of modern diagnostic capability, and the speed of computer communication, meant it took twice as long to treat urgent patients. Having to resort to manual back-up systems caused major stresses for both patients and staff. The loss of radiology services severely impacted a number of seriously ill cancer patients who had to be transferred to other North Island hospitals. The then medical director of the Cancer Society of New Zealand stated that “it’s hard to understate how disruptive the loss of an IT system is on a hospital”[6].

In NZ, the government’s refusal to pay the ransom resulted in sensitive patient data being released to the media with some patient data permanently lost. IT systems took more than 4 weeks to fully recover.

The impacts of a ransomware attack on health care facilities cannot be underestimated. Financial losses, reputational damage, loss of productivity and business continuity and the risk of potential legal liabilities emerging as a result of interrupted patient health care. The disruption and loss of technology in a clinical setting can impact patient outcomes and potentially cost lives.

So too is their loss of identity

As if the loss of medical services isn’t enough for healthcare victims of cyber attacks. The potential theft of patients’ sensitive medical information and accompanying personally identifiable information adds insult to injury. Stolen information can include research data, patient records, billing information, insurance claims and social security numbers (a full set of identity records); all of which is highly prized on the dark web.

The hidden costs of the digital transformation of health care

These costs to healthcare victims can be overwhelming, particularly at a time in their lives when many are at their most vulnerable. It’s for this reason that we need to identify and resolve some of the factors that make the sector so attractive to attackers:

E-health care records now connect patients’ healthcare providers to their medical treatment thereby introducing 3^rd party cyber risks as well as significantly increasing the attack surface-area;
A review of cyber security budgets of healthcare organisations shows significant under-investment despite the ongoing prioritisation of new technologies, resulting in increasing cyber security deficits[7];
Add to this; more than 22% of healthcare organisations continue to use legacy and end-of-life systems without vendor support and a further 26% which are unaware of any support.[8]

Essential cyber hygiene

Fortunately, these drivers of cyber attack in the healthcare sector point to some possible solutions to this scourge. There are, for example, a number of cost-effective mitigation strategies or controls that can be relatively simply initiated across healthcare organisations to improve their cyber security maturity and as a result, reduce their risk of cyber attack.

As noted above, accountabilities are strengthening so boards and senior executives need a clear picture of their cyber security posture. Active security risk management processes that regularly measure and inform management of the state of their cyber controls are increasingly being expected by regulators everywhere.

Rapid diagnostics and remediation

Being able to monitor and assess your cyber risk against a simple set of cyber security KPIs, like the Australian Cyber Security Centre Essential Eight framework, need not be costly, but it can ensure that your organisation stays on top of its cyber security to maintain effective oversight.

The good news is that highly effective automated technologies are now available to instantly measure and enable you to manage the health of your key security controls. Huntsman Security’s Essential Eight solutions can quickly measure and clearly report cyber security posture to relevant stakeholders.

With a clear picture of the state of its prevention, containment and recovery strategies the board can regularly assess and address any shortcomings that may expose the organisation or its patients to poor cyber security outcomes.

[1] https://www.privacy.org.nz/publications/statements-media-releases/privacy-commissioner-calls-on-dhbs-to-address-it-vulnerabilities/ ; May 26 2021
[2] https://www.oaic.gov.au/__data/assets/pdf_file/0013/2803/oaic-notifiable-data-breaches-report-jan-june-2021.pdf
[3] https://www.pwc.com/us/en/services/consulting/cybersecurity-privacy-forensics/library/global-digital-trust-insights/sector-analysis.html#health
[4] Ibid
[5] https://www.ibm.com/au-en/security/data-breach
[6] https://www.rnz.co.nz/news/national/443451/waikato-dhb-cyber-attack-doctors-walking-through-fog
[7] https://www.brookings.edu/blog/techtank/2021/08/09/why-hospitals-and-healthcare-organizations-need-to-take-cybersecurity-more-seriously/
[8] https://www.pwc.com.au/digitalpulse/ransomware-attack-health-sector.html

Ransomware readiness is far better than cleaning-up after an attack

2021 is undoubtedly ‘the year of ransomware’. The Colonial Pipeline attack in May, highlighted the scale of the cyber risk for utilities and infrastructure industries more generally. All it took was a single password breach for criminals to demand, and receive, a US$4m ransom. Although the ransom might sound costly, the wider damage to revenue and reputation caused to a giant like Colonial Pipeline will ultimately be much higher. Even more recently, the Kaseya case highlighted the exposure that businesses can have through their supply chains and service providers. One recent report was that the Kaseya attack itself, had infected over one million endpoints with a ransom set at $70m.

A cause for alarm

Colonial Pipeline Co was fortunate in having a potential ‘quick fix’ option: to pay the ransom. That situation might soon change, if laws banning the payment of ransoms start to be passed in various countries. In Australia, there have been calls for mandatory notifications of ransomware attacks; and in the US, the SEC and OFAC are looking at banning ransom payments altogether. Interestingly, this may not mean much change for some. In a number of cases already, despite ransoms being paid, the decryption process has been so slow that companies have had to rely on backups and their own safeguards on order to return to BAU.

Cyber insurance helps businesses manage two of their biggest risks – getting back up and running quickly and reducing disruption. Insurers, however, are increasingly demanding evidence of operational security controls and even co-insurance of cyber risk for some, where these are less apparent. Everything points to the likelihood that premiums will increase even further for organisations that are less well defended. So getting your cyber risk management capabilities in place may be more important than you think. You may need them to get insurance and you most certainly will if you can’t!

A closer look at the challenges

The energy, oil and gas sectors face some specific challenges. They have extensive and often remote networks to defend; IT assets at drilling platforms or production facilities, often interconnected by both public and private infrastructure, back to HQ. Inevitably cyber security efforts are less rigorous at some of these remote sites and so security controls like multi-factor authentication are a particularly important defence for remote IT facilities.

Any relaxation of security at remote facilities is inevitably seen by an attacker as an opportunity to access assets which would otherwise be protected more rigorously back in HQ. As with environmental and other risks in the energy, oil and gas sectors, letting your guard down at a remote site can present a weak link in your risk management defences, and as a result, a costly breach to clean up and make good.

The sheer number and variety of security devices and systems in use can also pose challenges as they provide an almost endless number of points through which an attacker can access and then encrypt, even one part of the system, to render it useless. Colonial’s weak link was its billing system, rather than the technology that controlled the pipeline; but the interconnectivity of the systems meant that the pipeline network itself had to be isolated to limit the damage.

In our changing world, if paying ransoms is outlawed or too costly, and insurance becomes less of an option, the energy, oil and gas industry will need to improve its cyber risk management capabilities.

Ransomware readiness

Anti-virus software and network defences, alongside the rise of endpoint detection and response, can certainly help businesses manage attacks. But these solutions are reactive in that they rely on detecting the attack as malicious in the first place. What if your endpoint solution misses the attack without warning? Do you have a ‘defence-in-depth’ strategy or is there a single point of failure? Do you have visibility to know what’s happening? Are there other controls in place that can mitigate the threat? More attention must be given to ‘layering’ your defences to prevent or at least limit successful ransomware attacks before they do serious damage.

There are three elements of a cyber-attack sequence to focus on. The first is the prevention of any initial infection; and the second, containment or limitation of the spread, if one does occur. This then, needs to be coupled to the third element, recovery, which allows systems and data to be restored in the event of the failure of the other controls. The principles of effective risk management apply – triage the risks and manage them accordingly.

There are some important safeguards organisations can adopt to support each of these elements:

Prevention

Application control – ensuring only approved software can run on a computer system, securing systems by limiting what they can execute
Application patching – applications must be regularly updated to prevent intruders using known vulnerabilities in software
Macro security – checking that macro and document settings are correctly configured and to prevent the activation of malicious code
Harden user applications and browsers – use effective security policies to limit user access to active content and web code
Firewalls/network gateways – and even physical on-site security – limit user access outbound and remote connections inbound
Staff awareness – while not a technical control, building a better understanding and expertise by staff about cyber security, the threats and mitigation strategies that can minimize cyber-attacks, is vital.

Containment

Restrict administrative privileges – limit admin privileges by allowing only those staff needing system access to do so, for specified purposes and controlling what those admins can access
Operating system patching – fully patched operating systems will significantly reduce the likelihood of malware or ransomware spreading across the network from system to system
Multi-factor authentication – used to manage user access to highly sensitivity accounts and systems (including remote users)
Anti-virus – install anti-virus software and keep it updated

Recovery

Daily backups – secure data and system backups off site and test your recovery processes
Incident management – in preparation for a worst-case scenario make sure there is a documented and practiced plan with everyone well versed in the incident management playbook

Monitor your controls closely. If one aspect of the chain of control stops working, IT teams need to know quickly to respond. A ‘cyber culture’ and making cyber security a board level issue will improve overall corporate preparedness.

Accountabilities for cyber security are changing. The board must receive reports that provide clear visibility of these controls, or KPIs, of the security posture of their environment. The measurement of these KPIs must become part of an active cyber security risk management process. Being able to monitor your readiness and assess your risk across these KPIs provides a ’multi-point’ early warning system and confirmation that an effective cyber security program is in hand.

The energy, oil and gas sectors face many challenges and there is no easy fix for cyber security risk management. A big ransomware attack can disrupt supplies and impact broader operations for a long time, as Maersk found to their cost.

The best way to protect an organisation is with strong cyber defences and controls, backed up by regular checks to mitigate any identified shortcomings as necessary. If one control fails to identify the attack, not all is lost, as other subsequent controls are available to limit its access and the progress of any impact. That way the risk of a successful attack is minimised and hopefully you’ll be on the front foot in an attack well before any disruption to your systems and operations.

Article originally published in Energy, Oil & Gas Magazine.

Interested in the ransomware readiness topic? Read our Ransomware blog series, prevention , containment and recovery.

Ransomware readiness 3 of 3: Recovery

How to deal with a ransomware attack is currently a matter of some debate.

There is a school of thought that paying the ransom is a bad idea because it rewards the criminal and can be used to fund further attacks, possibly even on the same organisation. Many organisations run a counter argument which suggests that to get systems and data back up quickly and resume services, paying the ransom is the cheapest way out of a bad situation.

There is an increasing number of stakeholders in this decision which complicates the matter enormously.

Firstly, there are increasing moves by government and regulators to report ransom payments or even make them illegal altogether. This fits well with an international desire to stamp out this type of transnational crime. It may, however, create existential considerations for some seriously affected organisations. Some insurers, like AXA SA, are now refusing to write policies that reimburse ransoms paid by their customers in France, so, in the absence of de-encryption keys, re-instatement efforts and the likelihood of a return to BAU look unlikely for many victims.

Secondly, there is the assumption that the decryption key or system the ransom pays for will, in fact, work. It probably will (although not always) however in the case of Colonial Pipeline Co, the decryption process was so slow that they had to switch to backups anyway.

Thirdly, and briefly returning to insurers’ roles in supporting commercial cyber risk management efforts, the increasing prevalence of ransomware is resulting in underwriters seeking more and more evidence of the use of security controls in the organisations they insure. It is of concern that in the absence of such controls, and in the event of a ransomware attack, insurers may refuse to pay either the claim or the ransom money.

The “best two” ‘til last

The measure of success of any recovery from a ransomware attack is your ability to resume BAU as quickly and painlessly as possible. Again, there is no silver bullet but the successful management of these “best two” controls will significantly increase your likelihood of successfully reinstating your business and data systems. As a result, these controls will limit disruption and your potential losses as well as, hopefully, the need to pay a ransom.

1) Backups, please have backups

With ransomware being the topic of international summits, the insurance industry in such flux and future regulatory challenges to be resolved it would seem smart to have a backup plan – how your business could survive in the event of the worst possible set of circumstances.

Regular, comprehensive, tested and accessible backups that can form the basis of the reinstatement of your business. Obviously they need to be secured and safely isolated from the rest of the networks and systems, but also they need to be sufficiently accessible to enable the restoration of the business systems and data to ensure a timely return to BAU.

This includes backups of servers, file stores, workstations and in particular, systems where the integrity of the platform itself is vital – like domain controllers. Losing one of those can result in a massive amount of re-work. Don’t assume, for example, that because systems are resilient or mirrored that you will be OK. The ransomware might spread to all nodes in a cluster, or encrypted data could be replicated across all the same technologies you believed would save you.

Regular and comprehensive, reliable backups of every data store and enterprise system is still the best remedy for large-scale data loss or corruption. Having a secure and tested set of business systems and data back-ups is the best form of insurance you can have.

2) Incident response plan, please have an incident response plan

Assume that you have the ransom money (and are allowed to pay it) OR a good set of backups. Is that all you need?

In short, no.

A ransomware outbreak requires solid management just like any other cyber security incident. Reinstating your business systems and data to support BAU without impacting your business operations and stakeholders is not easy.

There will be the effects of disruption to manage, systems affected by the malware itself and those which have been disconnected to protect them. There will be communications to customers, stakeholders, regulators, law enforcement, insurers and governments to manage. If paying a ransom, who will negotiate with the attacker, and who has the sign off for a multi-million-dollar payment? These are not routine activities.

The vulnerability or security weakness that was exploited will require investigation so it can be fixed, patched or corrected to avoid further infections. Infected systems must be isolated from the network so they don’t infect systems that have not yet been affected, or re-infect the ones you are gradually restoring and bringing back on line.

Planning for how the incident will be managed is essential, and as with any other plan, identify who’s in charge, practice it, establish the pre-requisites and dependencies. Test it again. It all takes time, but if the plan works it sets the platform for a successful re-instatement of BAU whether you pay the ransom or not.

Summary

The recovery from a ransomware attack has a number of moving parts. But you will need backups. They might save you; they might be the only thing that does. Especially, if you can’t pay the ransom, or the decryption solution isn’t workable.

The wider implications of a malware-infested environment, of disruption and losses of service, of needing to communicate and to arrange rapid access to funds, forensic teams or consultants all mean having a sound, and tested, incident management plan.

As we said in the first two blogs in this series (see here and here) – having controls and safeguards is important; making sure they all work effectively is equally vital. It’s too late to test your incident management plan and system and data backups after the fact.

Ransomware readiness 2 of 3: Containment

In a previous blog, we talked about the rising threat of ransomware, how many solutions and approaches are geared towards detecting it, and how there are key things organisations they can do to prevent a ransomware attack.

We spoke about some recommended prevention controls and their prospect of success. We also, however, cautioned that there are no silver bullets and that no defence on its own is perfect. It’s for that very reason that it is wise to make plans and have controls in place to ensure that if ransomware does get through, its spread and effect is limited. It’s all about the defence in depth that can be gained through the deployment of multiple security controls. Clearly, one infected workstation is bad, but a thousand is undeniably worse.

All “Four” one…

“Containing” ransomware (in fact any attack or virus) is about limiting its ability to spread or to infect other systems and data; sometimes referred to as lateral movement. The four approaches below have been found to be the most useful defences against ransomware, if you have been unlucky enough to find it on an infected system.

In many respects they too are preventive controls, in that they are intended to limit the extent of an attack, but for this family of threats they are often containment countermeasures for “stage two” or “propagation” of an attack.

1) Restrict admin privileges

This comprises two aspects, first to minimise the number of people that have access to administrative accounts – and/or the amount of time they have access to them (e.g. for the duration of a change or a maintenance window). This is good practice – the principle of “least privilege”.

Secondly, limit the potential exposure to malware that people with admin accounts might have. This means turning off the most dangerous features and disabling the riskiest accesses that can be performed by those with admin credentials. For example, don’t give admin accounts an email address – if they need to use email, use their standard account. Don’t allow admin accounts to access the Internet, browse the web or access social media.

Admin accounts should only be required when access for maintenance is needed; so if that’s the limit of its use and someone using an admin account does stumble upon something malicious, it can’t penetrate the network using the very high level access rights of an administrator.

Limit the use of administrator accounts as much as you possible to reduce the risk of ransomware spreading across your systems.

2) Patch operating systems

Typically for ransomware the initial vector of attack is a direct network connection or via a malicious attachment, email or web page containing the initial payload.

Once that initial infection has activated and self-installed, ransomware typically seeks to spread across the network from its initial point of entry. It doesn’t spread by sending follow-up emails to all the other people in the organisation; more likely it will try to connect from system to system directly – from one host to the next, unbeknownst to the users. This can occur through several means, but if there is an unpatched operating system vulnerability that the code can identify across multiple hosts, it is relatively easy, and likely to work on every system.

If the first host and system gets infected, ransomware can quickly propagate across the network by exploiting OS vulnerabilities on adjacent interconnected systems on the same network. Maintaining patched operating systems is therefore a very effective defensive control.

3) Use multi-factor authentication

Multi-factor authentication (MFA) means that an attacker requires something other than a single stolen password, compromised account or other set of credentials to move the ransomware laterally from system to system or to gain escalated privileges. For normal users MFA can be a challenge with an operational overhead. Some systems may not support MFA at all.

When taking a risk-based approach, however, multi-factor authentication is a very effective way to protect more exposed access points such as remote access/VPN gateways (Colonial Pipeline was compromised using a single factor remote login at one such access point). MFA is invaluable for system administration accounts where the usage pattern is less frequent, but the impact of compromise can be significant.

Using MFA to protect sensitive or exposed access points and to control admin access puts operational barriers in the path of a ransomware attack.

4) Have anti-virus and end-point protection

Anti-virus and end-point protection may seem like the place to start for ransomware attacks, however the reality is that all these controls are baseline or foundational controls. Anti-virus and endpoint protection is key, but as with anything else, it is not a silver bullet – there are numerous accounts of successful attacks involving code/exploits/malware that have occurred despite that protection being operational.

Obviously, endpoint and anti-virus solutions should be current but even then, some malware and ransomware attacks seek to circumvent or disable the detection capabilities of anti-virus solutions; and it’s not unknown for attackers to undertake direct intrusions into the network, rather than seek to use malware code to gain access to a target.

Anti-virus solutions at the gateways and endpoints, however, provide significant protection against the spread of ransomware and other forms of viruses and malware. They must be regularly updated to be fully effective, and there are now emerging technologies that watch for suspicious behaviour on workstations as well as specific cases of known virus code.

Anti-virus solutions and end-point protection limit the intrusion and spread of malware of all types, and therefore they are another pivotal defensive against ransomware propagation.

Summary

The four controls described in this blog are the major components of the containment controls needed to limit the spread of ransomware.

In the first blog of this series we looked at the ways organisations could defend themselves from the initial stage of attack and then, here, we have canvassed the ways that an attack can be contained. Of course all 10 of these controls act in concert to prevent and limit the spread of ransomware – but businesses need to defend patient “zero” as well as patient “one” onwards.

As we said in the first blog, having controls that you can trust and making them measurable and effective is key. A ransomware attack will highlight at least one of the weaknesses in your cyber security posture, but you need to find them all, preferably ahead of time, so you can avert potentially catastrophic losses.

It’s important to remember that auditing and assessing your security controls are regular and on-going processes. Every vulnerability, every patch, every new admin account or newly provisioned server could introduce the weak link that allows access to a ransomware attack. Depending on the size and nature of your business operations, annual or even quarterly assessments may not be frequent enough to secure yourself in such a rapidly changing risk environment.

Ransomware readiness 1 of 3: Prevention

There is so much interest in ransomware at the moment that it almost feels like it’s the only cyber security problem we have to solve. While that certainly isn’t the case, there is undoubtedly a renewed importance in being able to deal with this increasingly debilitating threat.

Much time has been spent, as is often the case in cyber security, looking intrinsically at how to detect it. Mostly considering the network and end-point to detect host or session activity for indicators of compromise. Of course, you want to be able to detect a ransomware attack. But wouldn’t it be better to try and prevent it in the first place?

In a series of posts (this one being the first of three), we will look initially at ways to prevent ransomware attacks in the first place. Then we will move on to how to limit and contain their effects, if you do get infected. Finally, we’ll look at the recovery options if things just don’t go to plan.

Prevention is better than cure

In the vast majority of cases, ransomware attacks start in one of two ways. If you can cover both these bases there is a good chance that early “patient zero” infection can be avoided:

An attacker getting direct access to an environment to deliver ransomware.
An attacker getting a user to access, read or trigger a web page, email or attachment.

When we analyse these vectors, we can see that had better controls been in place, the attack could well have been evaded completely. The good news is that with little more than a handful of operational security controls these points of ransomware entry can be protected effectively.

“Six” sense

From the cases we’ve seen (including here) and other research (such as this) there are six really good anti-ransomware defences to prevent attacks. In many cases these are focussed on stopping the initial malicious payload the attacker is seeking to deliver. You can, of course, add in more controls but these are the ones that are generally recommended to limit your risk of attack:

1) Tightening up user application configurations

The settings for user applications, particularly Internet facing ones such as browsers and email clients, can often be a major point of weakness and often also the easier things to set in a central policy (assuming that it is then universally applied).

The most obvious and pertinent examples are the ability for emails and web pages to run active local code – Java/Flash etc. Removing this can sometimes lessen website functionality but importantly, it prevents attacks that enable a user to run local code.

In short, limiting what external content is able to do on a user’s system when it is accessed from a web page or an email.

2) Limiting application installation and execution

Most malware is received as an attachment or a download or at the end of a link, and will seek to self-install and run various bits of code. One way to prevent this is to control users’ abilities to install and execute their own software. This is not dissimilar to the types of policies that are often put in place anyway to prevent the installation of unlicenced software, or random applications that could expose data (for instance cloud storage applications).

If “normal users” cannot install and run other applications, then neither can the malware sender/ransomware creator either. The result is that the attack is stopped in its tracks – even if the user is “deceived” into opening a malicious attachment in the first place.

The value of this control is increased further by its ability to limit the many data theft attacks that rely on installing software, possibly the cloud storage type mentioned above, or other file transfer utilities.

Preventing installation and execution of ransomware is a big enough reason to control applications and software in this way.

3) Patching applications

It is important to make sure OS patches are applied although often, in the case of ransomware, we have seen that OS level vulnerabilities are more commonly used to spread, rather than allow entry to the malware in the first place.

Applications, however, are the more likely point of attack for ransomware attackers.. The reason is that when content arrives (email, web browser, document, PDF file) it is an application that loads it.

One example is Adobe Reader and PDF files, which have proven time and time again to be a common way in which malware is introduced. So closing this route of attack pays real dividends.

If applications have vulnerabilities that are not patched, there is a real danger that they can be exploited by any malicious file or document to allow ransomware to gain a foothold in your enterprise.

4) Controlling macros

As with active code/embedded malware in web pages and emails, another vector for ransomware infection and ingress is from within document files – Word documents, Excel spreadsheets etc. These applications can contain macro code which can be turned against a user who has unwittingly opened an innocent looking word document or spreadsheet. This can happen easily and so Microsoft applications should be configured to block all but “trusted” macros.

Preventing macros (i.e. code) running within applications is another very good way to limit the risk of ransomware, and other forms of malicious content entering your environment.

5) Educating staff

Cyber security awareness programmes are acknowledged as an important driver of cultural change and as a result are becoming more common. While they vary in quality, approach and even style of delivery, their ability to raise the level of cyber security knowledge is well-established.

The challenge with staff awareness, however, is that people can still be lured into making mistakes, and skilled social engineers can often entice quite capable people to do things they would not otherwise do. Adversaries can persuade even recently educated staff to believe that a malicious payload is in fact benign. Telling people to avoid clicking on suspicious links or unexpected and suspicious attachments only goes so far. If the attacker can induce the victim to click on a link or attachment, security teams need to rely on other technical controls as part of the defence in depth strategy.

Cyber security awareness programmes matter, but they are not a silver bullet. Refresher programs are necessary, but they also need to be accompanied by other controls. You need a mitigation strategy in place to address the absolute likelihood that someone will click on a link or allow an attachment to open and execute.

6) The network perimeter

Lastly, or firstly depending on your point of view, is the network perimeter. Defence of the perimeter is a vital enforcement point as it is where access attempts are often targeted– as in the case of Travelex (out of date VPN devices) or Colonial Pipeline (single factor authenticated access). They can also be equipped and configured to control the types of content users see.

If you have the ability to control access and prevent administrative users accessing the web, or if you can maintain a list of addresses with malicious content/bad reputations and filter the content or URLs that people access, then you can prevent a significant number of ransomware attacks.

Summary

Collectively these controls are highly effective. Of course, you want to detect ransomware, but preventing it in the first place is a better outcome. Putting up these barriers (which often only cost the time it takes to configure them) is a vital line of defence.

As with any risk management strategy, you must plan for the fact that sometimes defences like these will fail. This is the very essence of defence in depth and why, in the second blog in this series, we will look at how to deal with that circumstance when it occurs.

Once you have a set of controls in place, you can monitor these to ensure that they are working and correctly configured to provide an effective defence. This assurance is vital and forms a key part of a cyber security risk management process that will strengthen your oversight of your internal network as well as those of your 3^rd party suppliers. Furthermore, cyber insurers are increasingly expecting organisations to have these basic “cyber hygiene” controls in place with evidence of their operation before taking on risks or paying out on policies.

As a starting point, these six preventive controls are simple, effective and widely recommended to assist in the fight against ransom

Where next for ransomware?

The scourge of ransomware continues with the high-profile Colonial Pipeline case back in May (we blogged about that here), now just another disturbing statistic in an onslaught that some have estimated to be up to 4,000 attacks a day.

The psychology of users and susceptibility to social engineering

Ransomware has been in the news a lot recently (see our blog here) and it is not likely to change any time soon.