Failing is a natural part of learning. When failure occurs, the opportunity to learn is critical in building knowledge. A fail first mentality towards the cybersecurity of systems and data, however, is not a learning experience. It is a disaster. We have three tips in starting a journey to learn techniques to prevent and recover from a ransomware attack.
Ransomware has become the new favorite venture for the bad actors. Attacks are coming full blast to all types of entities throughout the globe. No one is immune as this list shows.
- Estes Park Health, a Colorado-based health care provider – June 2019
- ASCO Industries, a Belgium based manufacturer in the aerospace industry – June 2019
- Duie Pyle, a Pennsylvania trucking company – June 2019
- MetroList, a California Multiple Listing System for Realtors. – June 2019
- Riveria Beach, a city in Florida – May 2019
- Abeil Schmidt Group, a Switzerland based manufacturer who provides municipal and agriculture machinery. – April 2019
Ransom amounts demanded vary from $10,000 to $600k. A concern security and cybersecurity insurance experts have voiced lately is the price and occurrence are rising fast. A report by Cybersecurity Ventures predicts global ransomware damages for 2019 to exceed $11.5 billion.
Protect Entry Points
Access points to a company’s system and data are plentiful, but social engineering (phishing) still leads as a significant route for ransomware actors to gain access. Others include open RDP access to systems and unpatched or outdated systems.
Tip number one – Audit the permission level of accounts on a system. The number one cardinal rule for system administrators is the principle of least privilege.
The principle is the best practice because the least amount of permissions are assigned to perform the essential functions of the job. Just because a person is in IT, doesn’t mean they should have Administrator rights to everything.
My experience when performing audits has shown that even in the best of companies, someone has access levels to a system which isn’t required to do their job. All it takes is a single slip by a person who has given away their credentials, and the system is vulnerable to a ransomware attack or data breach.
Patch and Update – Regularly
Would you fly on an airline who fails to keep its fleet of airplanes maintained? No, neither would I. Unfortunately, I continue to see outdated system software and applications operating in many types of companies.
As an example, there are still Windows 7 computers out on the network. Microsoft end-of-life support for this operating system is January 2020. Cybersecurity plans aid to identify outdated systems and applications.
My favorite is to review patch levels of on-premise and cloud servers. Updates to these devices are forgotten or pushed to a later date due to time and effort.
WordPress is another favorite of mine. It is not surprising to see outdated releases of WordPress and the installed plugins. WordPress plugins are usually the main culprit to a compromised web site.
Tip number two – Keep systems and applications on a maintenance schedule. Retaining technology at current levels is more critical today than ever before. Patches and updates do resolve bug fixes or provide new features, but they also close security vulnerabilities.
Ransomware actors exploit security vulnerabilities through unpatched or outdated software. They search for a vulnerability that gives their host user dangerous access to a system — access which allows them to upload their malicious payload.
Open-source and commercial software is available to monitor and detect software version control. Regular scans of the environment validate current patch levels of systems and applications.
Plan, Plan, Plan
Tip number three – build and execute a Disaster Recovery/Business Continuity Plan (DR/BC) with ransomware as a critical recovery scenario.
Having a DR/BC plan to recover provides a possible alternative to paying the ransom fee. Without a plan, the only option is to pay-up.
When it comes to DR/BC, executives should know two acronyms — Recovery Point Objective (RPO) and Recovery Time Objective (RTO). These two acronyms assist in the decision-making process when hit by a ransomware attack.
Recovery Point Objective
RPO represents how far back in time is it possible to recover the quantity and quality of data lost during an attack. As an example of RPO is when a company has determined it can sustain a loss of data for 24 hours with minimal impact on its business. Recovery of data during an attack experienced 12 hours of lost information.
Recovery Time Objective
RTO defines the amount of time it takes to recover from notification of a service interruption. If the process to restore information from a backup takes four hours, the minimum planned RTO is four hours. If multiple systems are impacted by an attack, time in resources and functional capability to restore have to be included in RTO.
DR/BC Plan Rehearsal
Having a plan is excellent. What makes it remarkable is to execute the program in a simulated test. Validate the program works and understand the actual RPO and RTO for different scenarios. Create a ransomware attack scenario in your DR/BC plan to help rehearse the responses need to make effective business decisions.
Technology has made the world smaller, and some entities don’t behave with the same ethical values as most people. There are many components in managing a company’s security and privacy infrastructure. This is the reason that fortune 500 firms have a Chief Information Security Officer (CISO) present at the executive table.
While not every business can afford a CISO and staff to help navigate through the quagmire of cybersecurity and privacy challenges, there are options. Such as, leverage firms who have the knowledge and understanding to:
- build DR/BC plans
- perform security audits
- assist in educating staff about their role
- define prevention tools
- craft policy and procedures managing and maintaining technology
- assist with PR and communications
Ransomware relies on those who use the fail-first mentality before taking action. In short, WAV Group is a proactive choice who can facilitate all of these challenges, plus we understand your business. Call Victor Lund or David Gumpper to discuss how the WAV Group can assist.
To stay on top of the most important issues facing real estate today, subscribe to the WAV Group newsletter HERE.
Leave A Comment