Cloud

10/26/2018
10:30 AM
Joe Merces
Commentary

3 Keys to Reducing the Threat of Ransomware

Following these steps could mean the difference between an inconvenience and a multimillion-dollar IT system rebuild -- for the public and private sectors alike.

When I was a CIO in New York City government, we used to say there are two types of organizations: those that have been compromised and know it, and those that have been compromised and don't know it. That (and the anxiety of whether data is being stolen or changed) keeps CIOs awake at night.

As recent ransomware attacks make news globally for their mounting costs, a pattern is obvious: once they've been hacked, these organizations discover deeper problems in their infrastructure or security hygiene that the ransomware exploited.

You've probably read about the city of Atlanta, which was infected by the SamSam ransomware, and the $17 million headache it caused. The city opted to rebuild its entire IT infrastructure, which accounted for most of that cost.

But Georgia is not alone.

This spring, the Erie County Medical Center in Buffalo, N.Y., was infected and blackmailed, with the private keys needed to recover its data held for ransom. ECMC opted to rebuild its infrastructure rather than pay a ransom; the cost has rocketed to $10 million.

At the same time, the Colorado Department of Transportation was hit twice by the same ransomware, when a SamSam variant reinfected its cleaned system. It has decided to rebuild all of its IT systems, at a cost approaching $2 million.

These are real head-scratchers. You'd think that spending taxpayer dollars to rebuild everything from A to Z would be a last resort. Wouldn't it be more sensible to pay for a third-party review of security hygiene and posture, and bolster it wherever it's lacking, including penetration testing?

Why rebuild? Maybe there was something wrong in the IT architecture, or the systems were outdated and needed replacement. Maybe the fear of something being left behind that might cause reinfection was too much to bear. We may never get the full story, but we do know the enormous cost of rebuilding these systems.

As a CIO, I experienced numerous attempted ransomware attacks and several instances of server encryption, or attempted encryption, where we were able to take servers out of rotation. Fortunately, ransomware then was not what it is now, and though we were attacked our backups were not affected.

Luck wasn't the only reason we were able to recover so quickly. We used good cyber hygiene and best practices to reduce the hacking threat. We also took snapshots of our infrastructure every 30 minutes, with full backups nightly. We always recovered with minimal data loss.

Avoiding ransomware problems boils down to three basic approaches that apply in general to both private and public sector organizations: good cyber hygiene and user training, best practices, and routine testing of backup and recovery plans.

Cyber Hygiene and User Training 
Starting with the obvious: good cyber hygiene requires regular password changes and a policy that enforces a minimum password length and the use of special characters.

Have passwords for everything. Remote Desktop Protocol (RDP) accounts are sometimes overlooked, but public-facing servers must have passwords to avoid exposing information to prying eyes. Passwords for RDP accounts should be complex and not something as simple as "password123," which hackers will try in brute-force attacks.

Phishing is still commonplace. You'd be surprised how much spam floods into private and public sector organizations. You'd also be surprised by how many people still click on infected emails, PDF images, and documents.

Routine user training is essential for users to understand the ramifications of clicking without thinking.

Best Practices 
Best practices start at the desktop, by continuously pushing patches and updates. Keep up with updates, or you risk an infection that spreads across multiple desktops and the server resources connected to them.

Regularly push out operating system patches, zero-day vulnerability patches, and security updates. Be tenacious in keeping operating systems up to date. If you're sitting on an unpatched vulnerability, you risk having it used against you.

You also need preventive security technology to survive in today's world. Cloud web application firewalls must be used and appropriately configured, and unnecessary ports must be blocked. Otherwise, you will be hacked.

Good communication is essential. The IT experts putting together your servers may not also be security experts. They need to be very tightly coupled with your security information officer and his team — and the team responsible for backup.

Testing Disaster Recoverability Plans 
Most organizations do not actively test whether their backup and disaster recovery plans actually work. They simply make backups, and when the time comes to restore, they may find themselves reaching back into backups that don't actually work, or that cannot bring systems back after an advanced persistent threat.

The cloud makes it simple to back up, take snapshots and replicate objects to other regions and accounts, adding layers of disaster recoverability that can benefit any enterprise when recovering from a cyber disaster.
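The two points above (the snapshot-and-nightly-backup routine the author describes, and the warning that untested backups may not restore) come down to one drill: back up, damage the live copy the way an incident would, detect the damage, restore from the backup, and prove the result matches. The harness below is an added example and is not code from the article or from Cloud Daddy. Every function name, the `manifest.json` file name, and the sample files are assumptions constructed for the example; it runs entirely inside a temporary directory.

```python
"""Backup restore-test harness (added example, not from the article).
Builds a backup with a SHA-256 manifest, tampers with the live copy,
detects the tampering, restores, and verifies the restored data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # assumed name for the per-backup integrity record


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest and record the hash of each copy."""
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_file(target)  # hash the copy, not the source
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def load_manifest(dest: Path) -> dict:
    return json.loads((dest / MANIFEST).read_text())


def find_mismatches(root: Path, manifest: dict) -> list:
    """Manifest entries that are missing under root or whose hash differs."""
    return sorted(
        rel for rel, digest in manifest.items()
        if not (root / rel).is_file() or sha256_file(root / rel) != digest
    )


def backup_is_restorable(dest: Path) -> bool:
    """A backup is good only if every stored file still matches its manifest."""
    return not find_mismatches(dest, load_manifest(dest))


def restore(dest: Path, target: Path) -> int:
    """Restore dest into target; refuse a damaged backup and verify the result."""
    if not backup_is_restorable(dest):
        raise RuntimeError("backup fails its integrity check; do not restore from it")
    manifest = load_manifest(dest)
    for rel in manifest:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, out)
    leftovers = find_mismatches(target, manifest)
    if leftovers:
        raise RuntimeError(f"restore produced mismatches: {leftovers}")
    return len(manifest)


def run_restore_test() -> dict:
    """End-to-end drill: back up, damage the primary, detect, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        primary, backup, restored = root / "primary", root / "backup", root / "restored"
        # Constructed sample data standing in for a server's files.
        (primary / "db").mkdir(parents=True)
        (primary / "db" / "cases.csv").write_bytes(b"id,status\n1,open\n2,closed\n")
        (primary / "video").mkdir()
        (primary / "video" / "cam_0001.bin").write_bytes(bytes(range(256)) * 4)
        (primary / "README.txt").write_bytes(b"Keep this file.\n")

        manifest = make_backup(primary, backup)

        # Damage the live copy: overwrite one file, delete another. The backup
        # directory is untouched, as an offline or replicated copy would be.
        (primary / "db" / "cases.csv").write_bytes(b"\x00" * 32)
        (primary / "video" / "cam_0001.bin").unlink()
        tampered = find_mismatches(primary, manifest)

        restored_count = restore(backup, restored)
        restore_mismatches = find_mismatches(restored, manifest)

        # Now damage the backup itself: a restore from it must be refused.
        (backup / "README.txt").write_bytes(b"corrupted")
        return {
            "files_backed_up": len(manifest),
            "primary_tampered": tampered,
            "restored": restored_count,
            "restore_mismatches": restore_mismatches,
            "damaged_backup_restorable": backup_is_restorable(backup),
        }


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

The manifest is hashed from the backup copy, not the source, so a restore is checked against what was actually stored; and `restore` refuses to run from a backup that fails its own check, which is the failure mode the section warns about. In a real environment the manifest would live with the replicated copy in another region or account, and the drill would run on a schedule rather than once.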

These simple steps may not completely protect you from ransomware, but in my experience, they're the difference between an inconvenience and a multimillion-dollar IT system rebuild.

Joe Merces is the CEO and co-founder of Cloud Daddy. He brings more than 30 years of extensive experience in cloud services, information technology, cybersecurity, and data communications, with a diverse background in both private and public sector settings, to his role. Prior ...

Comments
Joe Stanganelli,
User Rank: Ninja
10/29/2018 | 9:20:34 PM
User training
To speak more to the point of user training... It's not enough to have the training; it also has to be effective.

The best solutions often tend to be rooted in training users/employees in good cyber hygiene for their personal lives and demonstrating how it's personally beneficial to them -- and then it's just that much more natural and that much easier to get them to extend that into their at-work lives.
Joe Stanganelli,
User Rank: Ninja
10/29/2018 | 9:18:42 PM
Re: RECOVER PLAN? HAHA
@REISEN: Of course, it's not enough to just have a backup anymore. We've even seen scenarios where entities paid the ransom even though backups existed because the ransom was less than the cost of restoring from backups.
Dr.T,
User Rank: Ninja
10/29/2018 | 8:08:20 PM
Backups
Backups are generally not the solution for ransomware unless a good strategy is followed and old data is not overwritten. For example, moving onto a tape and not using that tape for a while is important.
Dr.T,
User Rank: Ninja
10/29/2018 | 8:04:48 PM
Re: RECOVER PLAN? HAHA
ONE SIMPLE BACKUP SOLUTION would have solved that, right? I hear you, backup does not mean anything unless we can restore it.
Dr.T,
User Rank: Ninja
10/29/2018 | 8:03:19 PM
Re: RECOVER PLAN? HAHA
IT cannot do everything when disaster strikes and a constantly updated PLAN for rebuild, for backups, unless they use proper tools to do these in efficient ways. There are tools available for us to fail over to a DR site without so much effort.
Dr.T,
User Rank: Ninja
10/29/2018 | 8:01:42 PM
Re: RECOVER PLAN? HAHA
Most firms THINK they have one - those guys in IT will know how to rebuild 37 servers and 402 workstations without a plan or documentation, right? I hear you, there has to be somebody who can understand security implications.
Dr.T,
User Rank: Ninja
10/29/2018 | 8:00:21 PM
Good options
All good options. They are not for only ransomware but for overall security of the business.
REISEN1955,
User Rank: Ninja
10/29/2018 | 1:09:13 PM
Re: RECOVER PLAN? HAHA
And I hate posting here - the response type is soooooooooooooooooooooo tiny. LOL
REISEN1955,
User Rank: Ninja
10/26/2018 | 3:28:55 PM
RECOVER PLAN? HAHA
Most firms THINK they have one - those guys in IT will know how to rebuild 37 servers and 402 workstations without a plan or documentation, right? That is what they get paid for, right? Only they understand it so we can let them do their thing when disaster strikes. HAHA big JOKE. Nope, IT cannot do everything when disaster strikes and a constantly updated PLAN for rebuild, for backups, for restoration of damn near anything and everything HAS to exist. Often they do NOT and rebuild EVERYTHING is a poor joke. A waste of time and effort. Atlanta lost EVERY SINGLE POLICE DASHCAM VIDEO. Throwing hundreds of cases off the books in court. ONE SIMPLE BACKUP SOLUTION would have solved that, right? BUT FIRMS don't think they need one because only those guys in IT would understand it and, again, they can restore everything without a plan at 2:30 am. (I had plans when I was consulting, tested because at 2:30 am I AM NOT THINKING STRAIGHT. WHO IS?)

Stupidity rules. Ignorance rules. Blindness rules.