Ransomware is a hot topic at the moment and the “attack du jour” for cybercriminals. The code is easy to obtain and campaigns simple to execute thanks to the industrialised infrastructure that supports it. The result – a rapidly growing market that is already estimated to be worth in excess of $1 billion.
Criminal gangs provide “ransomware as a service”, covering everything from code provision through to the monetisation of the attack, making it easy to both execute and profit from. Other types of cyber-attack may involve complex, time-consuming or risky steps for the criminals, but ransomware profits are immediate, usually via a Bitcoin payment into the criminal’s wallet.
The traditional approach to cyber security has been to deploy more and more technology to protect against the evolving threat. This has led to uncontrolled technology sprawl, creating a security management nightmare. Throwing more technology at the problem implies more resources to manage the estate, and security resources are hard to come by. According to research by the recruitment company
Despite the increased level of sophistication and frequency of ransomware attacks, by following the steps described below, organisations can significantly reduce their risk.
Step 1: Security Awareness Training
Although technology plays an important part, the majority of malware and ransomware attacks involve a user doing something they shouldn’t, such as clicking on a malicious web link, opening an email attachment or installing a new application. Usually this is due to a lack of understanding of the security risks associated with such actions. Phishing, a form of social engineering, is a common technique used to get ransomware inside an organisation, duping users into downloading malicious code or otherwise opening up the organisation’s network to attack.
Many organisations provide basic security training as part of company induction or as a one-off exercise to satisfy audit requirements. However, security training should be a regular part of users’ development and should be kept up to date. Training should be delivered at a pace and frequency that fits in with employees’ work schedules, with progress monitored and effectiveness tested as part of the programme. Security awareness is a critical part of any organisation’s security programme and is fundamental to several security frameworks, such as the UK National Cyber Security Centre’s “10 Steps to Cyber Security” programme.
Step 2: Vulnerability Management
Most malware infections, including ransomware, compromise our systems due to vulnerabilities in the operating systems and applications. All too often, these vulnerabilities remain unpatched for months or even years allowing criminals to exploit the same flaws time and time again.
In 2015, of exploited vulnerabilities have had a patch for more than one year and it doesn’t look as though that’s changing. In addition, IBM research shows that when new vulnerabilities are discovered, the average time taken for hackers to exploit them has decreased from 45 days ten years ago to 15 days today.
Effective vulnerability management is critical in ensuring that existing vulnerabilities are dealt with and new ones are patched quickly, before they can be exploited.
Step 3: Web Protection
Almost all ransomware is delivered across the web. Regardless of whether the initial infection is via email or a malicious or compromised web site, the malware will normally attempt to contact a remote server to fetch a further stage, such as the encryption payload, or its encryption key and instructions. Web security solutions (proxy, DNS and URL filtering) can detect this activity and prevent the dangerous payload from being downloaded, even if the initial infection is successful, provided that outbound traffic from endpoints is actually forced through them. Modern web security solutions use threat intelligence to identify malicious domains and web servers and to prevent the malware from receiving its instructions.
Step 4: Endpoint Protection
Ransomware infection inevitably happens at the endpoint. Typically, a laptop, PC or server will be compromised and then used to propagate the malware throughout the network. Traditional signature-based anti-malware solutions are largely ineffective against modern malware because of rapidly changing code and the time it takes security vendors to identify new variants and to create and distribute signatures. Behaviour-based endpoint protection is much more effective against modern malware because it identifies malicious behaviour, such as the bulk overwriting or renaming of files and unexpected registry changes, rather than looking for a specific malware fingerprint in an ever-growing signature database.
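The kind of behavioural rule described above, as an added example written for this post (it is not Logicalis code or any endpoint product's logic): it scores file-system events per process and flags a process that, within a short window, rewrites many files across several directories and changes their extensions. The event records, process names, paths and thresholds are all constructed assumptions.

```python
"""Behaviour-based detection of a ransomware-style bulk file rewrite.

Added example; thresholds are illustrative assumptions and a real EDR agent
weighs many more signals (shadow-copy deletion, entropy of written data, ...).
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileEvent:
    ts: float           # seconds since epoch (constructed)
    pid: int
    process: str
    action: str         # "write" or "rename"
    path: str           # path written, or the new path for a rename
    old_path: str = ""  # original path for a rename


# Assumed thresholds: baseline them in your own estate before deploying.
WINDOW_SECONDS = 60     # sliding window length
MIN_FILES = 20          # distinct files touched inside the window
MIN_DIRS = 3            # distinct directories touched inside the window
MIN_EXT_CHANGES = 15    # renames that change the file extension


def changes_extension(ev: FileEvent) -> bool:
    """True for a rename whose new name carries a different extension."""
    if ev.action != "rename" or not ev.old_path:
        return False
    return PureWindowsPath(ev.old_path).suffix.lower() != PureWindowsPath(ev.path).suffix.lower()


def flag_bulk_encryptors(events, window=WINDOW_SECONDS, min_files=MIN_FILES,
                         min_dirs=MIN_DIRS, min_ext_changes=MIN_EXT_CHANGES):
    """Return {(pid, process): summary} for every process that exceeds all
    thresholds in some sliding window; the summary is the first such window."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc[(ev.pid, ev.process)].append(ev)

    flagged = {}
    for key, evs in by_proc.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window
                start += 1
            win = evs[start:end + 1]
            files = {e.old_path or e.path for e in win}
            dirs = {str(PureWindowsPath(p).parent) for p in files}
            ext_changes = sum(1 for e in win if changes_extension(e))
            if len(files) >= min_files and len(dirs) >= min_dirs and ext_changes >= min_ext_changes:
                flagged[key] = {"files": len(files), "dirs": len(dirs),
                                "ext_changes": ext_changes,
                                "seconds": round(win[-1].ts - win[0].ts, 1)}
                break
    return flagged


def sample_events():
    """Constructed sample: one ransomware-like burst, a word processor saving a
    few files, and a backup job that touches many files without renaming them."""
    t = 1_700_000_000.0
    dirs = [r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop",
            r"C:\Users\alice\Pictures", r"D:\shares\finance"]
    events = []
    for i in range(32):                    # 32 files, 4 directories, ~16 seconds
        src = rf"{dirs[i % 4]}\report{i}.docx"
        events.append(FileEvent(t + i * 0.5, 4242, "svch0st.exe", "write", src))
        events.append(FileEvent(t + i * 0.5 + 0.1, 4242, "svch0st.exe", "rename", src + ".locked", src))
    for i in range(3):                     # ordinary editing: too few files
        events.append(FileEvent(t + 100 + i, 1111, "WINWORD.EXE", "write", rf"{dirs[0]}\notes{i}.docx"))
    for i in range(40):                    # backup: many files, extensions unchanged
        events.append(FileEvent(t + 200 + i, 2222, "backup.exe", "write", rf"{dirs[i % 4]}\archive{i}.bak"))
    return events


if __name__ == "__main__":
    for (pid, name), summary in flag_bulk_encryptors(sample_events()).items():
        print(f"ALERT pid={pid} process={name} {summary}")
```

The extension-change count is what separates the encryptor from the backup job, which also touches many files in many directories; a rule built on file counts alone would page you for every nightly backup.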
Step 5: Security Analytics
Steps 1 to 4 above provide an effective defence against ransomware and malware in general. However, it is unrealistic to expect your systems never to be breached, so it is imperative that you have visibility into the activity in your environment and the ability to identify breaches and react when they occur. This visibility is provided by a Security Information and Event Management (SIEM) platform, which ingests logs from your security infrastructure, servers, routers and so on and searches them for suspicious activity that could signal a breach. A SIEM provides a “single pane of glass” view across disparate technologies, overcoming many of the problems associated with the technology sprawl mentioned earlier and enabling security events to be identified and dealt with quickly.
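A small SIEM-style correlation that ties Step 3 (web protection) to Step 5 (security analytics), as an added example written for this post; it is not Logicalis code or any SIEM product's rule language. It parses Squid-native-format proxy lines and a simple endpoint alert feed, checks each proxy destination against an assumed threat-intelligence list using parent-domain matching rather than substring matching, and escalates when the same host reaches a listed destination and then raises an endpoint alert within a window. The blocklist, asset inventory, host names, addresses and log lines are all constructed; the .example/.test domains and 203.0.113.0/24 and 198.51.100.0/24 addresses are reserved for documentation.

```python
"""SIEM-style correlation of web-proxy logs with endpoint alerts (added example)."""
import re
from collections import defaultdict

# Assumed threat-intel feed of payload/C2 domains plus one IP literal (constructed).
BLOCKLIST = {"evil.example", "payload-cdn.test", "203.0.113.45"}
# Assumed asset inventory mapping proxy client IPs to host names (constructed).
ASSETS = {"10.0.0.21": "WS-ALICE", "10.0.0.33": "WS-BOB"}
CORRELATION_WINDOW = 600  # seconds allowed between the web hit and the endpoint alert

# Squid native access log: "ts elapsed client action/code size method url ..."
PROXY_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<src>\S+)\s+(?P<action>\S+)\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
# Constructed endpoint feed: "ts host=NAME alert=LABEL"
ENDPOINT_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+host=(?P<host>\S+)\s+alert=(?P<alert>\S+)")


def host_from_url(url: str) -> str:
    """Lower-cased host from a URL or a bare host:port (CONNECT requests)."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", url, re.I)
    return m.group(1).lower().rstrip(".") if m else ""


def is_listed(hostname: str, blocklist=BLOCKLIST) -> bool:
    """Exact match for IP literals; exact or parent-domain match for names.
    Never a substring match: notevil.example must not match evil.example."""
    hostname = hostname.lower().rstrip(".")
    labels = hostname.split(".")
    if all(label.isdigit() for label in labels):
        return hostname in blocklist
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_proxy(lines):
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            hits.append({"ts": float(m["ts"]),
                         "host": ASSETS.get(m["src"], m["src"]),  # fall back to the IP
                         "dest": host_from_url(m["url"]),
                         "url": m["url"],
                         "blocked": m["action"].startswith("TCP_DENIED")})
    return hits


def parse_endpoint(lines):
    out = []
    for line in lines:
        m = ENDPOINT_RE.match(line)
        if m:
            out.append({"ts": float(m["ts"]), "host": m["host"], "alert": m["alert"]})
    return out


def correlate(proxy_lines, endpoint_lines, window=CORRELATION_WINDOW):
    """One alert per proxy hit on a listed destination; severity 'high' when the
    same host raised an endpoint alert within `window` seconds afterwards."""
    endpoint_by_host = defaultdict(list)
    for ev in parse_endpoint(endpoint_lines):
        endpoint_by_host[ev["host"]].append(ev)

    alerts = []
    for hit in parse_proxy(proxy_lines):
        if not is_listed(hit["dest"]):
            continue
        related = [ev["alert"] for ev in endpoint_by_host[hit["host"]]
                   if 0 <= ev["ts"] - hit["ts"] <= window]
        alerts.append({"host": hit["host"], "dest": hit["dest"], "url": hit["url"],
                       "blocked": hit["blocked"],
                       "severity": "high" if related else "medium",
                       "endpoint_alerts": related})
    return alerts


# Constructed sample logs.
PROXY_LOG = [
    "1700000100.123 45 10.0.0.21 TCP_MISS/200 512 GET http://cdn.evil.example/update.exe - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1700000105.001 12 10.0.0.33 TCP_MISS/200 2048 GET https://notevil.example/index.html - HIER_DIRECT/198.51.100.7 text/html",
    "1700000110.500 30 10.0.0.33 TCP_MISS/200 1024 GET https://www.example.org/ - HIER_DIRECT/198.51.100.9 text/html",
    "1700000130.250 60 10.0.0.50 TCP_MISS/200 4096 GET http://payload-cdn.test/stage2.bin - HIER_DIRECT/203.0.113.45 application/octet-stream",
    "1700000200.000 5 10.0.0.21 TCP_DENIED/403 0 CONNECT 203.0.113.45:443 - HIER_NONE/- -",
]
ENDPOINT_LOG = [
    "1700000220 host=WS-ALICE alert=bulk-file-rename",
    "1700005000 host=WS-BOB alert=usb-device-inserted",
]


if __name__ == "__main__":
    for a in correlate(PROXY_LOG, ENDPOINT_LOG):
        print(a["severity"].upper(), a["host"], "->", a["dest"],
              "blocked" if a["blocked"] else "allowed", a["endpoint_alerts"])
```

Note that the last proxy line was denied by the proxy, which is Step 3 doing its job, yet it still produces a high-severity alert: a host that tried to reach a listed C2 address and then started renaming files in bulk is compromised whether or not that one connection got through.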
Ransomware is a plague that threatens the availability of the data we rely on for our businesses to operate. If successful, ransomware attacks can bring organisations to their knees and result in substantial financial loss in ransom payments, system restoration, clean-up and the growing impact of regulatory fines. Following these 5 steps will significantly reduce the risk of ransomware attacks. Logicalis can help you with solutions to address each of these steps helping you navigate to a more secure environment. For more details, please feel free to contact us.