Enterprise risk management (ERM) recognizes four responses to risk:

  • Prevent, aka Avoid: Reduce the odds of the risk turning into reality.
  • Mitigate: Reduce the damage should the risk turn into reality.
  • Insure: Share the cost of the damage should the risk turn into reality.
  • Accept, aka Hope: Do nothing, figuring the cost of prevention, mitigation, and insurance exceeds the cost of the damage should the risk turn into reality.

Which brings us back to what you ought to do about ransomware.

Last week’s KJR provided a starting point for recognizing that Accept is an unacceptable response. “Oh, dear, there’s nothing we can do except hope, and pay the ransom if we have to,” is just plain wrong.

In cop shows, kidnappers provide “proof of life” before anyone pays the ransom. There’s no such thing as proof of life following a ransomware attack: there’s no reason to expect attackers to follow through on their restoration promises, and even when they do hand over a decryptor it can be slow, buggy, or incomplete. Paying also does nothing to evict them from your network or to get back anything they copied out before encrypting.

That leaves Prevent, Mitigate, and Insure. This week we’ll go deeper on these subjects, courtesy of my There’s No Such Thing as an IT Project co-author Dave Kaiser. Dave?

# # #

Here are some ways to prevent and mitigate an attack:

Prevent: To reduce the odds of successful ransomware penetration, create a very hard exterior defense:

  • The biggest challenge with ransomware is that most victims have no idea that they’ve been penetrated, let alone when. We’ve seen lags as long as six months between infection and discovery. If you detect it anywhere, infer it’s everywhere.
  • Remove admin rights from all PCs. This is critical, as PCs remain the #1 entry point, mostly via phishing attacks.
  • Block executable files at the firewall so users can’t install them without assistance.
  • Run an enterprise-grade PC/Server protection software system (my company uses CrowdStrike). Norton isn’t an enterprise-grade match for the newer, more sophisticated attacks.
  • Segment your network and have tight rules on what traffic can flow from PCs to your backbone and cloud servers.
  • Require multi-factor authentication for any web-facing email (including Microsoft 365), and for all system logins as well.
  • Filter all email through a filtering service. Even the best of these services can’t eliminate phishing attacks, but they do improve the odds.
  • Conduct quarterly (at least) phishing tests with your employees. Provide additional training for any employee who falls for the simulated attacks. While you’re at it, test your employees for vishing (voice phishing) attacks too.
  • Engage a white-hat service to continually attempt to break into your network. Also conduct an annual deep dive security audit.
  • Put a law firm specializing in this area on retainer. The legal challenges are complex, especially as applicable laws and regulatory requirements vary from state to state.
  • Physical security: For intruders, “tailgating” into a victim’s offices and sitting down at an unoccupied, logged-in computer is still a popular intrusion strategy.
  • Finally, patch, patch, and patch. Patching is critical, especially for preventing zero-day attacks.
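A concrete version of the “block executable files” item above, added here as an editor’s example rather than anything from Dave’s or Bob’s shop: a gateway-style attachment check that looks at content as well as the file name, so a renamed PE, a double extension like invoice.pdf.exe, or a macro project hidden inside a .docx gets caught. The blocked-extension list, the magic-byte table and the three sample attachments are constructed for the example.

```python
import io
import zipfile

# Extensions Windows will execute, or that carry macros. Assumed policy list
# for this example; real gateways ship longer ones.
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd", ".ps1",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".iso", ".img",
    ".docm", ".xlsm", ".pptm", ".dotm", ".xlam",
}

# Magic bytes of native executables, checked regardless of file name.
MAGIC = [
    (b"MZ", "Windows PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit executable"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit executable"),
]


def _has_vba_project(data: bytes) -> bool:
    """OOXML files are zips; a macro-enabled one carries a vbaProject.bin entry."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes):
    """Return a block reason, or None if the attachment passes policy."""
    lowered = filename.lower()
    # 1. Name-based: endswith() also catches double extensions (invoice.pdf.exe).
    for ext in BLOCKED_EXTENSIONS:
        if lowered.endswith(ext):
            return f"blocked extension {ext}"
    # 2. Content-based: an executable renamed to .pdf still starts with MZ.
    for magic, label in MAGIC:
        if data.startswith(magic):
            return f"{label} (magic bytes) disguised as {filename}"
    # 3. An Office document carrying VBA even though it is named .docx/.xlsx.
    if _has_vba_project(data):
        return f"Office document with VBA macro project: {filename}"
    return None


def should_block(filename: str, data: bytes) -> bool:
    return classify_attachment(filename, data) is not None


def _macro_docx() -> bytes:
    """Construct a minimal zip shaped like a macro-enabled Word file (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed macro blob")
    return buf.getvalue()


# Constructed samples, not real malware: a PE renamed to .pdf, a macro
# project inside an innocent-looking .docx, and a genuine-looking PDF.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "report.docx": _macro_docx(),
    "brochure.pdf": b"%PDF-1.7\n%constructed\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_attachment(name, blob) or 'allowed'}")
```

The order of the checks matters: the cheap name test runs first, but the content tests are what stop the evasions phishing kits actually use. Archives and password-protected zips are the obvious gap, which is why the list above blocks .iso and .img containers outright.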

Mitigate: To reduce the damage from a ransomware attack, take steps to recognize attacks early and facilitate rapid restoration:

  • Run a tool that monitors the network for suspicious activity. The tool you select should be AI/machine-learning-based, capable of autonomously discovering good versus bad patterns.
  • Deploy honeypots. Only intruders will hit these, warning you that you’re being targeted.
  • Snapshot your data frequently. Snapshots can help you determine when malicious encryption began, supporting both data and system recovery. Back up your data too, of course, but when you’re trying to recover it from a ransomware attack, you’ll find snapshots are sometimes more valuable.
  • Establish IT security breach procedures and document trails.
  • Operations staff should practice tabletop ransomware recoveries at random times – “pop quiz” style.
  • Everyone else needs to plan how they’ll limp along until their systems and data have been restored.
  • Make recovery plan updating a CAB (change advisory board) responsibility so recovery plans don’t get outdated.
  • Keep your platforms and applications current. If you don’t or can’t, reinstalling them might not be possible – the versions you were running may no longer be available from the vendor and your installation files may be corrupted. Server snapshots and change logs are essential.
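An added example of the snapshot and honeypot items above (the editor’s, not Dave’s tooling): diff successive snapshots, flag the first one in which a large share of files turned into high-entropy bytes or a decoy file was touched, and report the last clean snapshot to restore from. Snapshot contents, the entropy and mass-change thresholds, and the canary path are all constructed for the example.

```python
import math
import random
from collections import Counter
from typing import Optional

ENTROPY_THRESHOLD = 7.0       # assumed: above this a file looks encrypted or compressed
MASS_CHANGE_FRACTION = 0.5    # assumed: this share of files going high-entropy at once is abnormal
CANARY_FILES = {"finance/aaa-canary.xlsx"}  # assumed decoy path that nothing legitimate writes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text lands around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot_findings(previous: dict, current: dict) -> dict:
    """Diff two snapshots (path -> bytes) for signs of mass encryption."""
    common = [p for p in current if p in previous]
    changed = [p for p in common if current[p] != previous[p]]
    encrypted = [p for p in changed if shannon_entropy(current[p]) > ENTROPY_THRESHOLD]
    # A canary hit is any change to, or disappearance of, a decoy file.
    canary_hit = [p for p in CANARY_FILES
                  if p in previous and (p not in current or current[p] != previous[p])]
    fraction = len(encrypted) / len(common) if common else 0.0
    return {
        "changed": len(changed),
        "encrypted": encrypted,
        "encrypted_fraction": round(fraction, 2),
        "canary_hit": canary_hit,
        "suspicious": bool(canary_hit) or fraction >= MASS_CHANGE_FRACTION,
    }


def locate_encryption_onset(snapshots: list) -> Optional[dict]:
    """snapshots: [(label, {path: bytes}), ...] oldest first.

    Returns the first snapshot showing encryption and the last clean one before it,
    which is the restore point; None if nothing looks wrong.
    """
    for (prev_label, prev), (label, cur) in zip(snapshots, snapshots[1:]):
        findings = snapshot_findings(prev, cur)
        if findings["suspicious"]:
            return {"last_clean": prev_label, "first_bad": label, **findings}
    return None


# --- constructed sample snapshots (no real data) ---
def _text(seed: str) -> bytes:
    return (f"Quarterly report {seed}: revenue steady, costs flat. " * 40).encode()


def _ciphertext(seed: int, n: int = 2048) -> bytes:
    """Stand-in for ransomware output: pseudo-random bytes, deterministic per seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


PATHS = ["finance/q1.xlsx", "finance/q2.xlsx", "hr/roster.docx",
         "ops/runbook.docx", "finance/aaa-canary.xlsx"]
T0 = {p: _text(p) for p in PATHS}
# t1: one ordinary edit, still plain text.
T1 = {**T0, "ops/runbook.docx": _text("ops/runbook.docx") + b"Added step 7.\n"}
# t2: four of five files replaced by ciphertext, the canary among them.
T2 = {**T1, **{p: _ciphertext(i) for i, p in enumerate(PATHS) if p != "hr/roster.docx"}}
SNAPSHOTS = [("t0", T0), ("t1", T1), ("t2", T2)]

if __name__ == "__main__":
    print(locate_encryption_onset(SNAPSHOTS))
```

The entropy test alone would also fire on a legitimate bulk compression job, which is why the canary file is the stronger signal: nothing legitimate should ever write to it. In practice the same diff runs against filesystem or storage-array snapshots rather than in-memory dictionaries.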

Insure

Buy cyber security insurance. If you do decide paying the ransom is the prudent course of action, and/or you have to pay penalties for one reason or another, it will help defray the costs. Your cyber insurance company can also provide prevention, mitigation, and response expertise in the event of a breach.

Dave’s last word:

  • Align ransomware recovery priorities with those defined in your business continuity plan. You won’t be able to recover by flipping a switch. Your business continuity plan will help you with triage.
  • Have a forensics firm under contract and on speed dial. You want them to know you and help you prepare for a ransomware hit by determining in advance what logging they’ll need in the event of a breach.
  • Remember that perfect is the enemy of good. Insisting on unbreakable protection will interfere with establishing better protection.

Bob’s sales pitch: Dave and I hope it’s clear that ransomware isn’t an attack on your company’s information technology. It’s an attack on your company.

That’s one more reason the old-fashioned view that IT has to be “aligned” with the business is inadequate. Check out my recent CIO.com article, “The hard truth about business-IT alignment,” for guidance on how to go beyond alignment, to integrate IT into the business.

Are you as tired as I am of movie and television series plots that revolve around super-hackers and super-counter-hackers?

It was bad enough when a bad guy sat down, cracked his (or, less commonly, her) knuckles, started typing, and five seconds later told the uber-bad-guy (no, not a tailgating ride-share-driver), “I’m in!” (Fair’s fair: In the first Die Hard movie the hacker needed a more reasonable hour or so.)

If you’re working on a hacking-related script, please: Have the bad-guy-hacker open a desk drawer, pull out a Post-It®, and type in the password written there. While in the real world this isn’t a reliable method … in a typical office the hacker would have to visit at least five desks … it would at least be plausible.

Accuracy would depict the hacker sending out a spear phishing attack, but I’ll make a concession, given that, unlike your average caper movie, in a hacker plot the process isn’t the point.

Which (in admittedly slow motion) gets us closer to the point of this week’s epistle. But to get there … my wife and I were catching up on a couple of television shows we enjoy. Both of their plots, back to back, were based on ransomware attacks. And no, I’m not going to identify the shows. My guilty pleasures are none of your business.

What is your business is protecting your organizations from ransomware attacks. On a pain scale of one to ten, where one is your level of discomfort following a vaccination and ten is what you experience during an anesthetic-free amputation, these rate about twelve.

What’s most shocking about the ransomware epidemic, both on television and in the real virtual world (now, now, don’t be like that!) is that they are, so far as I can tell, both more preventable and remediable than your typical write-up on the subject would suggest.

But only if you’ve prepared.

What follows are a few basics to get you started. Most are steps you should have taken even before ransomware became prevalent. Next week we’ll dig deeper.

Data can’t be infected. Data can be encrypted, making it inaccessible, which is what ransomware does. But except for file formats that carry executable content (Office macros, scripts, and the like), data can’t be infected, because … it’s data, not executable. So make sure all of your data resides on different physical servers than your executables. That’s physical, not just virtual.

More important, make sure all of your data backups are read-only, managed by different, air-gapped physical servers, under credentials your production administrators don’t hold. A backup that a compromised domain-admin account can overwrite or delete isn’t a backup for ransomware purposes.

More important yet, take frequent snapshots and preserve all journal files and change logs for far longer than seems necessary. Attackers routinely sit inside a network for months before they pull the trigger, so logs that roll over after thirty days won’t tell you when or how they got in.

Ransomware halts business operations. So include recovery from a ransomware attack in your business continuity plan. Additional thoughts about this:

  • If you have two overlapping recovery plans to keep synchronized, they won’t stay synchronized.
  • Know how you’ll continue business operations during a ransomware attack. Improvisation after you’ve been attacked is considered industry worst practice.
  • As with the rest of your business continuity plan, an untested ransomware recovery plan isn’t a plan, just wishful thinking.
  • Hope wasn’t a plan before ransomware became a threat. It’s even more not a plan now.

Reinstall. Make sure you can reinstall, not only applications, but also the platforms they run on. Document every procedure required to rebuild every piece of your production environment, starting with the original installation files, and keep the vendors’ published checksums so you can confirm those files haven’t been tampered with. That’s the only way you can be confident you aren’t recovering ransomware executables in your attempts to restore an uncompromised production environment.
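An added example serving the read-only-backup point above and the reinstall point just made (the editor’s code, not the column’s): a manifest of SHA-256 hashes, stored somewhere the backup host can’t reach, that lets you prove a supposedly read-only copy, or a set of installation files, is still exactly what you wrote. Storage-level immutability (WORM media, object lock, `chattr +i`) is assumed to exist and isn’t shown; the directory layout, file contents and the “attacker” edits are constructed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> Dict[str, str]:
    """Map each file (relative, '/'-separated path) to its SHA-256."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*")) if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: Dict[str, str]) -> dict:
    """Compare the tree against a manifest held on a separate system.

    Any drift means the 'read-only' copy was written to, and it must not be
    restored from until you know what changed. Same check applies to vendor
    installation media against the vendor's published hashes.
    """
    current = build_manifest(backup_root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"ok": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed scenario (no real data): take a manifest, then let an attacker reach the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "finance").mkdir(parents=True)
        (root / "hr").mkdir()
        (root / "finance" / "q1.csv").write_text("month,revenue\nJan,100\n")
        (root / "finance" / "q2.csv").write_text("month,revenue\nApr,120\n")
        (root / "hr" / "roster.csv").write_text("name,role\nA. Smith,CFO\n")

        # The manifest leaves the backup host; here it just round-trips through JSON.
        manifest_json = json.dumps(build_manifest(root))
        before = verify_backup(root, json.loads(manifest_json))

        # Attacker activity against a copy that was supposed to be immutable:
        # encrypt one file, delete another, drop a ransom note.
        (root / "finance" / "q1.csv").write_bytes(os.urandom(64))
        (root / "finance" / "q2.csv").unlink()
        (root / "README_RESTORE.txt").write_text("pay up")
        after = verify_backup(root, json.loads(manifest_json))
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification before every restore, not just after an incident: a manifest that has never been checked is the backup equivalent of the untested recovery plan Bob warns about below.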

Cloud due diligence. Review your cloud vendors’ ransomware recovery plans and make sure they’re up to your standards, especially with respect to data protection. Consider adding on-site, read-only, snapshotted, air-gapped data backups to your cloud architecture.

Bob’s last word: In addition to making sure you have a professional-grade ransomware response plan, rationalize your application and platform portfolios. If you do have to recover from a ransomware attack, recreating the production environment is polynomially simpler in organizations that have consolidated redundant applications and platforms, and whose platforms are sufficiently current that reinstallation will work.

Bob’s sales pitch: I don’t claim to be an expert on this subject (thanks to Mike Benz, who is, for reviewing it).

This isn’t intended to be either gospel or complete. Consider it a nudge, and guidance on where to start digging. If you haven’t been taking this threat seriously … take this threat seriously. It’s shocking how many IT organizations have succumbed to ransomware attacks with little or no preparation. The pandemic-level growth of these attacks is even more shocking, and we’re still at the pre-vaccine stage of dealing with it.

Safe behavior is the best defense. Make sure you’re practicing it.