Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

2/27/2020 02:00 PM

How We Enabled Ransomware to Become a Multibillion-Dollar Industry

As an industry, we must move beyond one-dimensional approaches to assessing ransomware exposures. Asking these four questions will help.

Ransomware has been around for more than 15 years, yet it continues to be the most pervasive cyberthreat facing businesses. According to reports, in 2019 alone more than 966 government agencies, educational establishments, and businesses in the US were hit by ransomware attacks, at a potential cost exceeding $7.5 billion. And, unfortunately, when organizations choose to pay a ransom, they are adding fuel to the fire by supporting this global criminal industry.

The US is home to the world's leading technology companies, so why haven't we solved the ransomware problem by now? The answer is simple: We underestimated the challenge of finding and fixing software vulnerabilities used by ransomware. In the process, we created the perfect environment for a pandemic to take hold and thrive.

For the vast majority of organizations, both large and small, locking the windows and doors used by ransomware in their corporate networks is beyond their capabilities. But it's not for lack of trying.

Most companies routinely perform unauthenticated scans of devices on their IT network looking for vulnerabilities. But unauthenticated scans do not detect as many vulnerabilities as security scans performed as a logged-in (authenticated) user. Of the vulnerabilities they find, companies typically strive to fix the ones ranked as critical or high in severity, primarily to reduce the number of fixes, or patches, that need to be applied. Fixing "every" security vulnerability is beyond the reach of even the largest and best-resourced companies in the world.

Even so, given the complexity of the average corporate network, this approach creates a never-ending treadmill: companies are never able to patch all of the critical and high-severity vulnerabilities before new ones are discovered.

Even eliminating all high-severity vulnerabilities doesn't solve the problem, because it means a large percentage of the others (low and medium risk) are never evaluated for their potential to expose the company to a ransomware attack. For example, the high-severity selection criterion ignores the business criticality of the affected devices. Are they running the company's financial systems? Are they reachable from the Internet?

In addition, the traditional high-severity ranking approach doesn't take into account whether a particular vulnerability is being actively used by ransomware. Without a more comprehensive assessment of security vulnerabilities, it's virtually impossible for companies to know how exposed they really are to ransomware, and whether they are making progress in reducing that risk.
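The two paragraphs above contrast a severity-only patch queue with a ranking that also weighs business criticality, Internet reachability and known ransomware use. The following script is an added example written for this page, not code from the article or from RiskSense; its findings are constructed sample data, the `VULN-000x` identifiers are placeholders rather than real CVEs, and the `internet_facing`, `business_critical`, `used_by_ransomware` and `authenticated` fields are assumptions about what an asset inventory, a threat-intelligence feed and the scanner would supply. It shows the blind spot the article describes: a medium-severity flaw on an Internet-facing financial system that ransomware is known to exploit outranks a critical finding on an isolated lab box, yet a critical/high-only filter drops it entirely.

```python
"""Severity-only versus contextual vulnerability prioritization.

Added example, not the article's own code. The findings below are
constructed sample data; the fields internet_facing, business_critical,
used_by_ransomware and authenticated are assumptions about what an asset
inventory, a threat-intelligence feed and the scanner would supply.
"""
from dataclasses import dataclass

# Scanner severity labels mapped to a numeric base score.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str              # placeholder identifier, not a real CVE
    severity: str             # scanner's severity label
    internet_facing: bool     # asset inventory: reachable from the Internet
    business_critical: bool   # asset inventory: e.g. runs financial systems
    used_by_ransomware: bool  # threat intel: actively exploited by ransomware
    authenticated: bool       # True if confirmed by an authenticated scan


# Constructed sample findings (not from a real scan).
FINDINGS = [
    Finding("web-01", "VULN-0001", "medium", True, True, True, True),
    Finding("dev-lab-07", "VULN-0002", "critical", False, False, False, False),
    Finding("fin-db-02", "VULN-0003", "low", False, True, True, True),
    Finding("kiosk-12", "VULN-0004", "high", False, False, False, True),
    Finding("vpn-gw-01", "VULN-0005", "high", True, False, True, False),
]


def severity_only(findings, minimum="high"):
    """The traditional filter: keep only findings at or above `minimum`,
    highest severity first (stable sort, so scan order breaks ties)."""
    floor = SEVERITY_RANK[minimum]
    kept = [f for f in findings if SEVERITY_RANK[f.severity] >= floor]
    return sorted(kept, key=lambda f: -SEVERITY_RANK[f.severity])


def risk_score(f):
    """Contextual score: severity is only the base. Internet exposure,
    business criticality and known ransomware use each multiply it."""
    score = SEVERITY_RANK[f.severity]
    if f.internet_facing:
        score *= 2
    if f.business_critical:
        score *= 2
    if f.used_by_ransomware:
        score *= 3
    return score


def contextual(findings):
    """Every finding ranked by contextual risk, not just the high-severity ones."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset))


def missed_by_severity_filter(findings, minimum="high", score_floor=6):
    """Findings the severity-only filter drops although their contextual
    risk is at or above `score_floor`: the blind spot the article describes."""
    kept = {(f.asset, f.vuln_id) for f in severity_only(findings, minimum)}
    return [f for f in contextual(findings)
            if (f.asset, f.vuln_id) not in kept and risk_score(f) >= score_floor]


def report(findings):
    """Print both queues; findings from unauthenticated scans are marked 'potential'."""
    print("severity-only queue:", [f.asset for f in severity_only(findings)])
    print("contextual queue:")
    for f in contextual(findings):
        status = "confirmed" if f.authenticated else "potential"
        print(f"  {risk_score(f):3d}  {f.asset:<11} {f.vuln_id} {f.severity:<8} {status}")
    print("dropped by severity filter but risky:",
          [f.asset for f in missed_by_severity_filter(findings)])


if __name__ == "__main__":
    report(FINDINGS)
```

The multipliers are deliberately simple so the ordering is easy to follow; a real program would take them from the organization's own risk model. The `potential`/`confirmed` marker carries the article's later point that unauthenticated scans cannot always confirm a finding, so an authenticated follow-up is what turns a `potential` entry into a patch decision.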

To get the best possible assessment of an organization's risk of being victimized by ransomware, an authenticated scan — which determines how secure a network is from an inside (authenticated user's) vantage point — is needed. While unauthenticated scans can probe a system and deliver a surprising amount of detail, they don't see everything. For example, they will find a good number of vulnerabilities but may have to flag them as potential threats, since they lack the visibility to provide 100% certainty. With ransomware now targeting the application layer, it's crucial that authenticated scans are used to validate whether a patch management program is doing its job and gather data needed to improve processes going forward.

Penetration testing is another important tool in the fight against ransomware and should be performed periodically. Beyond ransomware and other threats, this type of testing offers the important benefit of validating that your controls are working properly. However, like compliance assessments, a single penetration test provides only a point-in-time view of a company's security posture. Continuous penetration testing is the proper approach.

As an industry, we must move beyond one-dimensional approaches to assessing ransomware exposures. Meanwhile, business leaders and boards should be asking for specifics pertaining to an organization's security posture and exposure to ransomware attacks.

For example:

  • What is our organization's risk of being compromised by a ransomware attack?
  • How do we measure our exposure to being victimized by ransomware?
  • What steps are we taking to proactively lower our risk to ransomware attacks?
  • How are we monitoring our progress toward lowering ransomware risk on an ongoing basis?

This line of inquiry will enable the C-suite to assess whether the organization is being reactive or proactive toward the ransomware threat and help understand whether additional investments are required to reduce the company's attack surface.
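The second and fourth board questions (how exposure is measured, and how progress is tracked on an ongoing basis) need a metric that can be recomputed from each scan cycle. The script below is an added example for this page, not code from the article or from RiskSense: it builds a small exposure measure from weekly scan snapshots, counting only open findings that threat intelligence links to ransomware on exposed assets, reports their age, and derives time-to-remediate from findings that disappear between snapshots. The snapshots, the `VULN-000x` identifiers and the `ransomware_linked` and `exposed` enrichment fields are all constructed assumptions.

```python
"""Measuring ransomware exposure over time from periodic scan snapshots.

Added example, not the article's own code. Snapshots and findings are
constructed sample data; `ransomware_linked` (threat intel says the flaw is
used by ransomware) and `exposed` (Internet-facing or business-critical
asset) are assumed enrichment fields.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class OpenFinding:
    asset: str
    vuln_id: str            # placeholder identifier, not a real CVE
    first_seen: date        # date the scanner first reported it
    ransomware_linked: bool
    exposed: bool


# Constructed findings reused across snapshots.
A = OpenFinding("web-01", "VULN-0001", date(2020, 1, 2), True, True)
B = OpenFinding("vpn-gw-01", "VULN-0005", date(2019, 12, 20), True, True)
C = OpenFinding("dev-lab-07", "VULN-0002", date(2020, 1, 3), False, False)
D = OpenFinding("fin-db-02", "VULN-0003", date(2020, 1, 10), True, True)

# Constructed weekly snapshots: which findings were still open on each date.
SNAPSHOTS = {
    date(2020, 1, 6): [A, B, C],
    date(2020, 1, 13): [A, B, C, D],   # D newly discovered
    date(2020, 1, 20): [A, C, D],      # B remediated
    date(2020, 1, 27): [C, D],         # A remediated
}


def relevant(findings):
    """Only findings that matter for the ransomware question."""
    return [f for f in findings if f.ransomware_linked and f.exposed]


def exposure_metrics(snapshot_date, findings):
    """Point-in-time measure: how many relevant findings are open and how old they are."""
    ages = [(snapshot_date - f.first_seen).days for f in relevant(findings)]
    return {
        "date": snapshot_date,
        "open": len(ages),
        "oldest_days": max(ages, default=0),
        "mean_age_days": round(sum(ages) / len(ages), 1) if ages else 0.0,
    }


def remediation_times(snapshots):
    """Days from first_seen to the first snapshot in which a relevant finding
    is gone (an upper bound on time-to-remediate at weekly resolution)."""
    dates = sorted(snapshots)
    closed = []
    for prev, cur in zip(dates, dates[1:]):
        still_open = {(f.asset, f.vuln_id) for f in snapshots[cur]}
        for f in relevant(snapshots[prev]):
            if (f.asset, f.vuln_id) not in still_open:
                closed.append((cur - f.first_seen).days)
    return closed


def trend(snapshots):
    """Per-snapshot metrics plus the net change in open relevant findings
    between the first and last snapshot (negative means exposure is falling)."""
    series = [exposure_metrics(d, snapshots[d]) for d in sorted(snapshots)]
    net_change = series[-1]["open"] - series[0]["open"]
    return series, net_change


if __name__ == "__main__":
    series, net = trend(SNAPSHOTS)
    for m in series:
        print(f"{m['date']}  open={m['open']}  oldest={m['oldest_days']}d  "
              f"mean_age={m['mean_age_days']}d")
    print("days to remediate closed relevant findings:", remediation_times(SNAPSHOTS))
    print("net change in open relevant findings:", net)
```

Reporting the oldest open finding alongside the count matters: the count can fall while a single Internet-facing system stays unpatched for months, and a board that only sees the count would read that as progress.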

Dr. Srinivas Mukkamala is co-founder and CEO of RiskSense and a former advisor to the U.S. Department of Defense and U.S. Intelligence Community. He is an expert on malware analytics, breach exposure management, web application security, and enterprise risk reduction. Dr. ...

Comments
mprogers
User Rank: Apprentice
3/5/2020 | 1:37:40 PM
Flash Poll: Other - why would the political climate matter?
Security should be something we all take seriously. More seriously over time as threats increase.

The poll borders on ludicrous, but perhaps that's why there are so many victims out there.

The current political climate does not make cybersecurity more, or less, important. Russian bots and Nigerian princes are always with us, as well as web redirects to tiny island nations who don't care about criminals using their web domain as long as money comes in!

Equally amazing as asking such a question are the responses saying they are waiting on the Trump administration! No matter how good, or bad, you think Trump is, big government is not where you will find competent help!
RyanSepe
User Rank: Ninja
2/29/2020 | 11:43:23 AM
Re: Q: How Did We Enable Ransomware to Become a Multibillion-Dollar Industry?
There is definitely some truth in the weaknesses of the OS that allow ransomware. But I think the biggest reason that ransomware has become as big as it has is due to its ease of use and proliferation from an attacker's perspective and the lack of training the end user has to be able to identify a campaign and act accordingly.
ConcernedCitizen
User Rank: Apprentice
2/27/2020 | 4:31:19 PM
Q: How Did We Enable Ransomware to Become a Multibillion-Dollar Industry?
A: Microsoft. Every ransomware incident is because of insecure MS Windows. MS is never mentioned as having any responsibility yet they are the basis of the hacks.

Bill Gates: Trustworthy Computing

...more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing. What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information.