“I asked the bartender for a double. He brought out a guy who looked like me.” – Rodney Dangerfield
Year: 2021
Not just alarmism
Are you as tired as I am of movie and television series plots that revolve around super-hackers and super-counter-hackers?
It was bad enough when a bad guy sat down, cracked his (or, less commonly, her) knuckles, started typing, and five seconds later told the uber-bad-guy (no, not a tailgating ride-share-driver), “I’m in!” (Fair’s fair: In the first Die Hard movie the hacker needed a more reasonable hour or so.)
If you’re working on a hacking-related script, please: Have the bad-guy-hacker open a desk drawer, pull out a Post-It®, and type in the password written there. While in the real world this isn’t a reliable method … in a typical office the hacker would have to visit at least five desks … it would at least be plausible.
Accuracy would depict the hacker sending out a spear phishing attack, but I’ll make a concession, given that, unlike your average caper movie, in a hacker plot the process isn’t the point.
Which (in admittedly slow motion) gets us closer to the point of this week’s epistle. But to get there … my wife and I were catching up on a couple of television shows we enjoy. Both of their plots, back to back, were based on ransomware attacks. And no, I’m not going to identify the shows. My guilty pleasures are none of your business.
What is your business is protecting your organizations from ransomware attacks. On a pain scale of one to ten, where one is your level of discomfort following a vaccination and ten is what you experience during an anesthetic-free amputation, these rate about twelve.
What’s most shocking about the ransomware epidemic, both on television and in the real virtual world (now, now, don’t be like that!) is that the attacks are, so far as I can tell, both more preventable and more remediable than your typical write-up on the subject would suggest.
But only if you’ve prepared.
What follows are a few basics to get you started. Most are steps you should have taken even before ransomware became prevalent. Next week we’ll dig deeper.
Data can’t be infected. Data can be encrypted, making it inaccessible, which is what ransomware does. But except for macro viruses, data can’t be infected, because … it’s data, not executable. So make sure all of your data resides on different physical servers than your executables. That’s physical, not just virtual.
More important, make sure all of your data backups are read-only, managed by different, air-gapped physical servers.
More important yet, take frequent snapshots and preserve all journal files and change logs for an excessive period of time.
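To make the three backup points concrete (data separate from executables, read-only backups, frequent snapshots kept for a long time), here is an added example that is not from Bob’s post: a small Python tool that copies a data directory into a timestamped snapshot, records a SHA-256 manifest of every file, strips the write bits, verifies a snapshot against its manifest later, and prunes snapshots only once they fall outside a retention window. It assumes a POSIX-style local filesystem; `chmod` stands in for the real write protection (WORM storage, object lock, or an air-gapped backup host), since an attacker with root can undo a permission bit but cannot undo an air gap. The manifest check is what tells you, before you restore, whether a snapshot was encrypted in place, had files deleted, or picked up files that were never part of the original data.

```python
"""Added example (not from the original post): read-only, timestamped snapshots
with a SHA-256 manifest, a verification pass, and retention-based pruning.

Assumptions: a POSIX-style local filesystem; chmod stands in for the real
write-protection (WORM storage, object lock, an air-gapped backup host)."""
import calendar
import hashlib
import json
import shutil
import stat
import time
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST = "MANIFEST.sha256.json"
STAMP_FMT = "%Y%m%dT%H%M%SZ"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_files(root: Path) -> Dict[str, Path]:
    """Map POSIX-style relative paths to every regular file under root."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def take_snapshot(data_dir: Path, backup_root: Path, now: Optional[float] = None) -> Path:
    """Copy data_dir into backup_root/<UTC timestamp>, record every file's hash,
    then strip the write bits from every file and directory in the copy."""
    now = time.time() if now is None else now
    snap = backup_root / time.strftime(STAMP_FMT, time.gmtime(now))
    shutil.copytree(data_dir, snap)
    manifest = {rel: sha256_of(p) for rel, p in _relative_files(snap).items()}
    (snap / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    for p in [snap, *snap.rglob("*")]:
        mode = stat.S_IMODE(p.stat().st_mode)
        p.chmod(mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return snap


def verify_snapshot(snap: Path) -> Dict[str, List[str]]:
    """Compare a snapshot with its manifest. A file encrypted in place shows up
    as 'changed'; deleted files as 'missing'; a dropped ransom note or planted
    executable as 'unexpected'. An all-empty result means the snapshot is intact."""
    manifest = json.loads((snap / MANIFEST).read_text())
    present = _relative_files(snap)
    present.pop(MANIFEST, None)  # the manifest does not list itself
    changed = [rel for rel, digest in manifest.items()
               if rel in present and sha256_of(present[rel]) != digest]
    missing = [rel for rel in manifest if rel not in present]
    unexpected = [rel for rel in present if rel not in manifest]
    return {"changed": sorted(changed), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def _make_writable(root: Path) -> None:
    """Restore the owner write bit so a snapshot can be deleted on purpose."""
    for p in [root, *root.rglob("*")]:
        p.chmod(stat.S_IMODE(p.stat().st_mode) | stat.S_IWUSR)


def prune_snapshots(backup_root: Path, retention_days: int,
                    now: Optional[float] = None) -> List[str]:
    """Delete snapshots older than retention_days and return their names.
    This is the only code path that re-enables writes, so in practice it should
    run under different credentials from the job that takes snapshots."""
    now = time.time() if now is None else now
    removed = []
    for snap in sorted(backup_root.iterdir()):
        try:
            taken = calendar.timegm(time.strptime(snap.name, STAMP_FMT))
        except ValueError:
            continue  # not a snapshot directory; leave it alone
        if now - taken > retention_days * 86400:
            _make_writable(snap)
            shutil.rmtree(snap)
            removed.append(snap.name)
    return removed


if __name__ == "__main__":
    import tempfile
    base = Path(tempfile.mkdtemp())
    data = base / "data"
    data.mkdir()
    (data / "ledger.csv").write_text("id,amount\n1,100\n")  # constructed sample data
    snap = take_snapshot(data, base / "backups", now=1_600_000_000)
    print(snap.name, verify_snapshot(snap))
```

Run it against a real data directory and a backup volume that is mounted read-only (or, better, lives on a separate host) and keep `retention_days` generous: the whole point of preserving old snapshots is that you may not discover the encryption, or the change logs that reveal when it started, until long after it happened.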
Ransomware discontinues business operations. So include recovery from a ransomware attack in your business continuity plan. Additional thoughts about this:
- If you have two overlapping recovery plans to keep synchronized, they won’t stay synchronized.
- Know how you’ll continue business operations during a ransomware attack. Improvisation after you’ve been attacked is considered industry worst practice.
- As with the rest of your business continuity plan, an untested ransomware recovery plan isn’t a plan, just wishful thinking.
- Hope wasn’t a plan before ransomware became a threat. It’s even more not a plan now.
Reinstall. Make sure you can reinstall, not only applications, but also the platforms they run on. Document every procedure required to rebuild every piece of your production environment, starting with the original installation files. That’s the only way you can be confident you aren’t recovering ransomware executables in your attempts to restore an uncompromised production environment.
Cloud due diligence. Review your cloud vendors’ ransomware recovery plans and make sure they’re up to your standards, especially with respect to data protection. Consider adding on-site, read-only, snapshotted, air-gapped data backups to your cloud architecture.
Bob’s last word: In addition to making sure you have a professional-grade ransomware response plan, rationalize your application and platform portfolios. If you do have to recover from a ransomware attack, recreating the production environment is polynomially simpler in organizations that have consolidated redundant applications and platforms, and whose platforms are sufficiently current that reinstallation will work.
Bob’s sales pitch: I don’t claim to be an expert on this subject (thanks to Mike Benz, who is, for reviewing it).
This isn’t intended to be either gospel or complete. Consider it a nudge, and guidance on where to start digging. If you haven’t been taking this threat seriously … take this threat seriously. It’s shocking how many IT organizations have succumbed to ransomware attacks with little or no preparation. The pandemic-level growth of these attacks is even more shocking, and we’re still at the pre-vaccine stage of dealing with it.
Safe behavior is the best defense. Make sure you’re practicing it.