Protecting your agency against ransomware attacks
- By Callie Guenther
- Sep 20, 2019
It’s been a challenging year for the public sector, with more than 40 reported ransomware attacks on state and local municipalities to date. Last month’s attacks on 22 cities across Texas join a lengthening list of noteworthy hacks, which had already crippled the systems of cities small and large, from Lake City, Fla., to Baltimore.
Ransomware attacks are a growing problem that is only expected to get worse. Attacks this year have already surpassed the number that occurred during all of 2018, according to a recent report by CyberEdge Group. Hackers find vulnerabilities in government systems, then lock up valuable data and demand payments in return for decryption keys. Staffing issues, ranging from an acute shortage of cybersecurity professionals to overworked security analysts, are adding to the problem. According to new research, security operations center (SOC) analysts continue to face an overwhelming number of alerts each day, and those alerts are taking longer to investigate. As a result, five times as many SOC analysts now believe their primary job responsibility is simply to “reduce the time it takes to investigate alerts,” which in turn leads to security alerts being given lower priority or ignored altogether. Additional reasons that government entities are so vulnerable include outdated security systems, legacy equipment and insufficient data backup.
Despite these challenges, agencies can take proactive steps to help stave off an attack. Here are some tips to get started:
- Implement data back-up procedures that include storing data offline.
- Conduct a cybersecurity risk assessment to determine where the most impactful avenues of attack might be and test for specific vulnerabilities in those priority areas.
- Perform a perimeter penetration assessment that models specific threat scenarios and threat actors, to determine how far a malicious actor could get once inside. Restricting lateral movement is critical to any cybersecurity strategy.
- Develop a remediation roadmap to outline the top objectives from the security assessment. The plan should strengthen the agency's security posture and include clearly identified steps to achieve specific objectives in key areas. These areas may include general security controls and policy review, network security controls, Windows platform assessments, privileged account access, vulnerability management processes, management of mobile devices, investigation, blocking, response capabilities and user awareness training.
- Assess the agency's security tool inventory to identify redundant or unused products, evaluate the security architecture to understand proper product placement and identify pain points with current security products. In addition, conduct a cost analysis of the security product inventory to ensure the agency is getting what it paid for.
Additionally, agencies should consider implementing a managed detection and response (MDR) solution. An MDR service can help the internal team detect cybersecurity threats in a particular environment. MDR performs a series of functions, including analyzing the types of risks the agency may be exposed to, helping determine the most critical threats and closing those doors to cyber thieves.
Agencies that outsource security functions should be sure to:
- Find out how their provider deals with alert fatigue. The typical response is to drop entire priority tiers of alerts and handle only those marked critical, which can lead to breaches.
- Gain visibility into the provider’s operations to find out what’s happening behind the scenes. Why are some alerts ignored? What criteria does the provider use to decide which alerts to deal with?
Ransomware attacks are not going away. Taking proactive steps can help protect agencies against an attack, potentially saving millions of dollars.
Callie Guenther is a cyberSOC data scientist at Critical Start.