This post is from my series of short essays on cybersecurity.
On November 23, a ransomware attack crippled India’s top healthcare institution, AIIMS, in the heart of the capital, New Delhi; its services remain disrupted for the seventh straight day. The institution switched to manual operations and, even after eight days, is still struggling to restore normal services. Investigation into what data may have been compromised in this attack is still going on. Earlier this year, the institution conducted its regular cyber audit and found some unpatched vulnerabilities in its email system; we will know later whether those vulnerabilities were patched before the incident or were actually exploited in this attack.
It is unfortunate that many critical institutions are not prepared to handle the increasing threat of cyberattacks. In this post I list some basic measures that every organization can and should implement, not only to prevent an attack but to prepare itself for a quick response. This list is a basic minimum, not a comprehensive list for full cybersecurity maturity. Refer to CISA’s Stop Ransomware site for the latest information and full resources. Another resource is published by NIST: NISTIR 8374 – Ransomware Risk Management: A Cybersecurity Framework Profile. This profile provides a detailed list of security controls to implement and helps develop a comprehensive strategy for handling incidents.
What is ransomware? It is a type of malware that blocks access to data or threatens to publish it. Typically it encrypts the device’s data using strong encryption, and the data can’t be decrypted without the key. The attacker typically demands payment as a condition of restoring the data, but some state-sponsored attackers may have sabotage or blackmail, rather than money, as their primary goal. Once the malware has encrypted the data, the only reliable way to restore it is from backups taken before the attack (paying the ransom and hoping to get the key from the attacker is not recommended).
What can we do? Ransomware attacks can disrupt or halt operations, and they pose a dilemma for management: pay the ransom and hope that the attackers keep their word, or do not pay and attempt to restore operations yourself. Techniques used by ransomware continue to change as attackers constantly look for new ways to pressure their victims. Handling these incidents requires a comprehensive strategy, with measures that depend on the organization’s infrastructure and requirements. Still, there are some basic preventive steps an organization can take to protect itself against an incident and prepare to recover from one. These measures should be followed as best practices throughout the company; they also build the foundation for developing a security culture inside the organization.
Educate employees on avoiding ransomware infections.
Employee education is the first and most important line of defense in securing systems. All employees should receive periodic training to make sure they are aware of the risks and take measures to prevent malware from getting a backdoor entry into the systems.
- Don’t open files or click on links from unknown sources unless you first run an antivirus scan or examine the links carefully.
- Avoid using personal websites and personal apps – like email, chat, and social media – from work computers.
- Don’t connect personally owned devices to work networks without prior authorization.
Avoid having vulnerabilities in systems that ransomware could exploit.
Maintaining the hygiene of systems and networks is important to protect against known vulnerabilities. You should always assume that any unpatched system, or any system with unauthorized software installed, is exploitable by malware. Your organization’s system maintenance staff and administrators should take ownership of executing the following measures at all times.
- Keep relevant systems fully patched. Run scheduled checks to identify available patches and install these as soon as feasible.
- Employ zero trust principles in all networked systems. Manage access to all network functions and segment internal networks where practical to prevent malware from proliferating among potential target systems.
- Allow installation and execution of authorized apps only. Configure operating systems and/or third-party software to run only authorized applications. This can also be supported by adopting a policy for reviewing, then adding or removing authorized applications on an allow list.
- Inform your technology vendors of your expectations (e.g., in contract language) that they will apply measures that discourage ransomware attacks.
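The allow-list measure above is easiest to see with a small piece of code. The following Python example is added here and is not from the original post or from any product; it shows the core idea behind application allowlisting, approving programs by their SHA-256 digest rather than by file name, so a tampered copy with a trusted-looking name is refused. The file names, contents and the allow-list structure are constructed for the demonstration; real enforcement (AppLocker, WDAC, Gatekeeper and similar) happens in the operating system's loader, not in a script.

```python
"""Hash-based application allowlisting (added example, not from the post).

Assumptions, all constructed for this example: the allow list is a dict
mapping an approved SHA-256 digest to a program name, and "executing" a file
means checking it against that list first.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allow_list(approved_paths):
    """Record the digest of every approved program. The list is keyed by
    digest, not by file name, because malware commonly reuses trusted names."""
    return {sha256_of_file(p): os.path.basename(p) for p in approved_paths}


def is_execution_allowed(path, allow_list):
    """Allow execution only if the file's current digest is on the list.
    Returns (allowed, reason) so the caller can log every decision."""
    digest = sha256_of_file(path)
    if digest in allow_list:
        return True, f"approved as {allow_list[digest]}"
    return False, f"digest {digest[:12]}... not on allow list ({os.path.basename(path)})"


def demo():
    """Constructed scenario: an approved tool, a modified copy of it under the
    same name, and an unknown binary. Returns the three allow/deny decisions."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "backup-agent.exe")
        with open(good, "wb") as f:
            f.write(b"MZ approved backup agent v1.0")
        allow = build_allow_list([good])

        # Same name, different contents: a name-based policy would pass this.
        tampered = os.path.join(d, "tampered", "backup-agent.exe")
        os.makedirs(os.path.dirname(tampered))
        with open(tampered, "wb") as f:
            f.write(b"MZ approved backup agent v1.0 plus unapproved changes")

        unknown = os.path.join(d, "unknown-tool.exe")
        with open(unknown, "wb") as f:
            f.write(b"MZ something nobody reviewed")

        return (is_execution_allowed(good, allow)[0],
                is_execution_allowed(tampered, allow)[0],
                is_execution_allowed(unknown, allow)[0])


if __name__ == "__main__":
    print(demo())
```

The allow list has to be maintained as part of the review policy mentioned above: every approved update changes the digest, so adding a new version and retiring the old one is a deliberate step, which is exactly the control point the measure is asking for.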
Quickly detect and stop ransomware attacks and infections.
The previous two sections discussed proactive protective measures an organization can take to protect against an attack. While protective measures provide a good shield, malware can still sneak into the systems. System monitoring and detection measures play an important role in quickly detecting such incidents and guarding systems from further damage.
- Use malware detection software such as antivirus software at all times. Set it to automatically scan emails and flash drives.
- Continuously monitor directory services (and other primary user stores) for indicators of compromise or active attack.
- Block access to untrusted web resources. Use products or services that block access to server names, IP addresses, or ports and protocols that are known to be malicious or suspected to be indicators of malicious system activity. This includes using products and services that provide integrity protection for the domain component of addresses (e.g., hacker@poser.com).
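Monitoring directory services for indicators of active attack, as the second item above asks, usually comes down to a few rules run over authentication events. The Python example below is added here and is not from the original post; it implements two such rules over a constructed log: a brute-force rule (repeated failures for one account followed by a success) and a password-spray rule (one source address failing against many accounts). The log format, field names, thresholds and addresses are all constructed for the example; a real directory service or identity provider emits different fields, so only parse_line() would change.

```python
"""Detecting authentication attack indicators in directory-service logs
(added example, not from the post). The log format is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is brute-forced from one address (failures, then a
# success); 10.0.0.9 tries one guess against many accounts; bob makes a typo.
SAMPLE_LOG = """\
2022-11-23T02:14:01Z user=alice src=10.0.0.5 result=FAILURE
2022-11-23T02:14:03Z user=alice src=10.0.0.5 result=FAILURE
2022-11-23T02:14:05Z user=alice src=10.0.0.5 result=FAILURE
2022-11-23T02:14:07Z user=alice src=10.0.0.5 result=FAILURE
2022-11-23T02:14:09Z user=alice src=10.0.0.5 result=FAILURE
2022-11-23T02:14:11Z user=alice src=10.0.0.5 result=SUCCESS
2022-11-23T02:20:00Z user=bob src=10.0.0.7 result=FAILURE
2022-11-23T02:20:04Z user=bob src=10.0.0.7 result=SUCCESS
2022-11-23T03:00:01Z user=carol src=10.0.0.9 result=FAILURE
2022-11-23T03:00:02Z user=dave src=10.0.0.9 result=FAILURE
2022-11-23T03:00:03Z user=erin src=10.0.0.9 result=FAILURE
2022-11-23T03:00:04Z user=frank src=10.0.0.9 result=FAILURE
2022-11-23T03:00:05Z user=grace src=10.0.0.9 result=FAILURE
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text, fail_threshold=5, spray_accounts=5, window=timedelta(minutes=10)):
    """Return a list of (rule, subject) alerts, one per account or source.

    brute_force_success: >= fail_threshold failures for one account within
                         `window`, followed by a SUCCESS (the guess worked).
    password_spray:      one source address failing against >= spray_accounts
                         distinct accounts within `window`.
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    alerts = []

    # Rule 1: per-account sliding window of recent failure timestamps.
    fails_by_user = defaultdict(list)
    alerted_users = set()
    for e in events:
        window_start = e["ts"] - window
        recent = [t for t in fails_by_user[e["user"]] if t >= window_start]
        fails_by_user[e["user"]] = recent
        if e["result"] == "FAILURE":
            recent.append(e["ts"])
        else:
            if len(recent) >= fail_threshold and e["user"] not in alerted_users:
                alerts.append(("brute_force_success", e["user"]))
                alerted_users.add(e["user"])
            fails_by_user[e["user"]] = []  # a success ends the failure run

    # Rule 2: per-source window of (timestamp, account) failures.
    fails_by_src = defaultdict(list)
    alerted_srcs = set()
    for e in events:
        if e["result"] != "FAILURE":
            continue
        window_start = e["ts"] - window
        recent = [(t, u) for t, u in fails_by_src[e["src"]] if t >= window_start]
        recent.append((e["ts"], e["user"]))
        fails_by_src[e["src"]] = recent
        if len({u for _, u in recent}) >= spray_accounts and e["src"] not in alerted_srcs:
            alerts.append(("password_spray", e["src"]))
            alerted_srcs.add(e["src"])
    return alerts


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {subject}")
```

The spray rule is the one that matters most for ransomware precursors: a single failure per account never trips a per-account lockout, so it is only visible when failures are grouped by source, which is why the measure asks for continuous monitoring of the directory rather than relying on per-user controls alone.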
Make it harder for ransomware to spread.
The protection and detection measures discussed in the previous sections help an organization harden its infrastructure and protect against attacks. But techniques used to launch ransomware attacks continue to evolve, and attackers are constantly looking for new ways in. The next set of measures is for damage control, minimizing the loss an attack can cause. Once ransomware breaches your defenses and gets inside the organization, the following basic hardening measures prevent it from spreading across the organization.
- Use standard user accounts with multi-factor authentication versus accounts with administrative privileges whenever possible.
- Introduce authentication delays or configure automatic account lockout as a defense against automated attempts to guess passwords.
- Assign and manage credential authorization for all enterprise assets and software, and periodically verify that each account has only the necessary access following the principle of least privilege.
- Store data in an immutable format (so that the database does not automatically overwrite older data when new data is made available).
- Allow external access to internal network resources via secure virtual private network (VPN) connections only.
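The authentication-delay and account-lockout item above describes a policy that directory services expose as configuration (lockout threshold, lockout duration, observation window). To make the mechanics concrete, the Python example below is added here and is not from the original post: a small authentication front end that doubles the wait after each failed attempt and locks the account after a threshold, driven by an injectable clock so the scenario is deterministic. The credential check, policy numbers, account name and timings are constructed for the demonstration.

```python
"""Authentication delays and automatic account lockout (added example, not
from the post). The verify() stub, clock and policy numbers are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    next_allowed: float = 0.0  # earliest time the next attempt is accepted


@dataclass
class AuthThrottle:
    verify: Callable[[str, str], bool]   # the real credential check (stubbed in demo)
    now: Callable[[], float]             # injectable clock for deterministic tests
    lockout_threshold: int = 5           # failures before the account locks
    lockout_seconds: float = 900.0       # 15 minutes, a common default
    base_delay: float = 1.0              # delay after the first failure; doubles each time
    max_delay: float = 60.0
    state: Dict[str, AccountState] = field(default_factory=dict)

    def attempt(self, user: str, password: str) -> str:
        """Return one of: 'ok', 'bad_password', 'too_soon', 'locked'."""
        st = self.state.setdefault(user, AccountState())
        t = self.now()
        if t < st.locked_until:
            return "locked"            # even the right password is refused while locked
        if t < st.next_allowed:
            # Inside the delay window: refuse before checking the password, so
            # guessing costs the attacker wall-clock time, not just CPU.
            return "too_soon"
        if self.verify(user, password):
            self.state[user] = AccountState()  # success clears the failure run
            return "ok"
        st.failures += 1
        if st.failures >= self.lockout_threshold:
            st.locked_until = t + self.lockout_seconds
            return "locked"
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.next_allowed = t + delay
        return "bad_password"


def demo():
    """Constructed scenario: a patient guessing script waits out each delay and
    tries six passwords for 'alice' (real password 'correct-horse'); the real
    user then tries right away, and again after the lockout has expired."""
    clock = [1_700_000_000.0]
    throttle = AuthThrottle(verify=lambda u, p: (u, p) == ("alice", "correct-horse"),
                            now=lambda: clock[0])
    results = []
    for i in range(6):
        results.append(throttle.attempt("alice", f"guess{i}"))
        # wait exactly the imposed delay (at least one second) before the next try
        clock[0] = max(clock[0] + 1.0, throttle.state["alice"].next_allowed)
    results.append(throttle.attempt("alice", "correct-horse"))  # still locked
    clock[0] += throttle.lockout_seconds
    results.append(throttle.attempt("alice", "correct-horse"))  # lock expired
    return results


if __name__ == "__main__":
    print(demo())
```

In the scenario the fifth guess locks the account, and the four guesses before it already cost 15 seconds instead of 4 because of the doubling delay. The trade-off the measure leaves open is worth deciding explicitly: lockout stops guessing outright but lets anyone who knows a username lock the real user out, while delays alone slow guessing without that side effect, which is why many organizations combine a generous threshold with aggressive delays.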
Prepare to recover stored information from the ransomware incident.
In the end, even after all the protection, detection, and hardening measures, we can’t be a hundred percent sure that an attack won’t happen. It could be an employee’s mistake or a previously unknown ransomware strain exploiting a zero-day vulnerability. At this point the organization’s cyber resiliency plays an important role in minimizing the loss and bringing everything back on track. Here are a few easy steps an organization can take to improve its resiliency.
- Make an incident recovery plan. Develop, implement, and regularly exercise an incident recovery plan with defined roles and strategies for decision making. This can be part of a continuity of operations plan. The plan should identify mission-critical and other business-essential services to enable recovery prioritization, and business continuity plans for those critical services.
- Back up data, secure backups, and test restoration. Carefully plan, implement, and test a data backup and restoration strategy—and secure and isolate backups of important data.
- Keep your contacts. Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement, legal counsel, and incident response resources.
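"Test restoration" in the backup item above is the step most often skipped, and it is also the step that turns a backup from a hope into a recovery plan. The Python example below is added here and is not from the original post; it shows the minimum a restoration test should do: record a SHA-256 manifest when the backup is taken, restore into a scratch location, and compare every restored file against the manifest so that missing or altered files are reported before the day they are needed. The directory names, file contents and the "damage" applied to the backup are constructed inside a temporary directory; the backup itself is a plain copy because the verification logic is the same whatever the medium.

```python
"""Backup manifest and restoration test (added example, not from the post).
All paths and file contents are constructed in a temporary directory."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of_file(path) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def backup_tree(src: str, dst: str) -> dict:
    """Copy src into a new directory dst (never over an existing one, so older
    backups are kept) and write dst + '.manifest.json' with a digest per file.
    Returns the manifest; store a copy of it separately from the backup."""
    shutil.copytree(src, dst)
    manifest = {}
    for root, _, files in os.walk(dst):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, dst)] = sha256_of_file(full)
    with open(dst + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_restore(backup_dir: str, manifest: dict, restore_dir: str):
    """Restore into restore_dir and check every file in the manifest.
    Returns (ok, problems) where problems lists missing or altered files."""
    shutil.copytree(backup_dir, restore_dir)
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_of_file(path) != digest:
            problems.append(f"altered: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: back up two files and verify a clean restore, then
    damage the backup copy (one file rewritten, one deleted) and verify again.
    Returns (clean_ok, damaged_ok, sorted problems)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "records")
        os.makedirs(src)
        Path(src, "patients.db").write_bytes(b"id,name\n1,example\n")
        Path(src, "schedule.csv").write_bytes(b"date,room\n2022-11-23,A1\n")

        backup = os.path.join(d, "backup-2022-11-23")
        manifest = backup_tree(src, backup)
        clean_ok, _ = verify_restore(backup, manifest, os.path.join(d, "restore-1"))

        # Simulate damage to the backup copy itself (the case backups exist for).
        Path(backup, "patients.db").write_bytes(b"unreadable")
        os.remove(os.path.join(backup, "schedule.csv"))
        damaged_ok, problems = verify_restore(backup, manifest, os.path.join(d, "restore-2"))
        return clean_ok, damaged_ok, sorted(problems)


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the items above. The backup directory name carries its date and copytree() refuses to overwrite an existing target, so new backups never replace older ones, which is the "immutable" property the hardening section asked for. And the manifest only helps if an attacker who can rewrite the backup cannot also rewrite the manifest, so the manifest copy belongs with the isolated, secured backups rather than on the system being backed up.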
References
NISTIR 8374 – Ransomware Risk Management: A Cybersecurity Framework Profile provides a guide to the security controls required to implement and build a comprehensive protection strategy.
Cybersecurity and Infrastructure Security Agency (CISA) – Stop Ransomware provides the latest information, guidance and resources against ransomware attacks.
NIST SP 800-53 – Security and Privacy Controls for Information Systems and Organizations is a catalog of security controls; control IA-5, Authenticator Management, describes authenticator requirements and lifecycle.
