Do so at your own peril, according to this application security expert, who throws in useful appsec advice as well.
Before the infamous Colonial Pipeline cyberattack, past cyber incidents include the Aurora demonstration in 2007 at Idaho National Laboratories, which destroyed a large diesel generator; Stuxnet, which destroyed a significant portion of Iran’s nuclear facilities in 2010; and Industroyer, which brought down a portion of the energy grid in Ukraine in 2016.
Governments and the private sector organizations that were the targets of these attacks are fighting back. The White House has issued a memo urging business leaders to act immediately to improve their resistance to ransomware attacks.
Anne Neuberger, President Biden’s deputy national security advisor for cyber and emerging technology, wrote: “The threats are serious and they are increasing.” Biden has also promised to confront Russia about its status of being a safe haven for ransomware criminals.
But if there is any good news, it is that the ways to resist ransomware attacks are well established. And while nothing will make an organization entirely bulletproof from skilled, determined attackers, there are ways to make a successful attack much more difficult.
Ransomware security best practices
The following list includes the recommendations in the White House memo:
- Build, maintain, and distribute secure software
While the Colonial attack was enabled by the theft of a password, better software security is still the most effective defence against hackers. That means all the software: including what an organization builds itself and what it acquires from other vendors or from the open source community.
Rehan Bashir, managing consultant with the Synopsys Software Integrity Group, said it takes “a holistic security approach—network, host, and application development. Organizations must adopt secure development processes that will produce secure software products and applications.” That requires a secure software development life cycle (SDLC) where “security is an inline function of the development pipeline rather than an out-of-band activity,” he said.
- An SDLC should start with architecture risk analysis to find and fix design flaws, and threat modeling to identify the ways malicious hackers might attack.
- Next, use application security and quality analysis tools. Throughout initial software development and updates, automated application security tools for static, dynamic, and interactive application security testing along with software composition analysis will help developers find and fix known vulnerabilities and potential licensing conflicts in open source software components.
- At the end of development, penetration testing can mimic hackers to find weaknesses that remain before software products are deployed. If an organization needs more expertise or capacity, managed services providers can guide it through the process.
- Back up data regularly
Keep backups offline and not connected to the network. If backups are isolated and protected, an organization can rebuild its system quickly at minimal expense. However, isolated backups will not protect an organization from the modern ransomware attack that not only encrypts data but steals it as well, and then threatens to make it public if the ransom is not paid.
- Build and maintain an inventory
Identify all your assets. As the saying goes, you cannot protect what you do not know you have.
- Update and patch
Failing to install an available patch for a known vulnerability is like leaving the door to a vault wide open.
- Segment networks
Ransomware attackers do not just steal and encrypt data. They also disrupt operations, which gives them more leverage with their targets. So organizations should separate their business functions from manufacturing/production operations, and limit internet access to operational networks. Especially with industrial control systems, it is crucial to isolate those networks so they can continue operating if the corporate network is compromised.
- Train workers
Most employees want to protect the organization’s assets. But if they fall for a phishing email, reuse passwords, or do not create complex ones, the best technology in the world cannot protect against those failures.
- Limit access
While organizations should value all their employees, the reality is that the more people who have access to sensitive data, the greater the risk. Network segregation is the way to limit access to only what employees need to do their jobs.
- Limit plugins
They can be an entry point. Either disable them or make sure they are updated regularly.
- Verify, then trust
All documents should have viewable file extensions from trusted sources. Do not allow downloads of irrelevant documents that may be coming from malicious sources.
Make application security a priority
For years, many organizations have complained that they have neither the time nor the money to implement those protections, and that hackers would not be interested in them anyway.
That is, demonstrably, a very risky strategy. “Security by obscurity” does not work. And the cost of paying cybercriminals and recovering from a ransomware attack will be greater, by orders of magnitude, than any ‘savings’ from failing to implement good security.
Better security is an investment. It starts with a strong software foundation, continues with careful thought about firewalls and network design, and is maintained with constant vigilance, including monitors and secure software updates.
You may never know the ROI from all this, but that is the point — you do not want to know.