4 steps to reducing ransomware damage
By Brent Hansen | May 24, 2021
Despite recent unverified claims that DarkSide, the ransomware hacking operation responsible for the Colonial Pipeline attack, has dismantled its operations, the incident reinforces one important point for government IT managers: If data is not encrypted, bad actors will do it themselves, and agencies will end up paying for it.
While Colonial Pipeline is a private company, the attack clearly affected the government as well -- a particularly painful learning experience that demonstrates why IT must be considered part of the aging national infrastructure. Bad actors are not going away, and security breaches will continue to expose critical data to ransom demands. A strategy for surviving attacks is essential, and that strategy must focus on protecting data in motion and at rest.
Every organization is vulnerable to ransomware attacks. It’s easy to say, “Well, a gas pipeline company isn’t exactly an IT mecca, so it wouldn’t be surprising to learn that Colonial didn’t have all up-to-date patches.” But that assumes that an organization with more comprehensive IT needs might have more sophisticated cybersecurity strategies in place.
Such an assumption is not only untrue, it is irrelevant. Bad actors do all their damage without ever leaving their keyboards, and they have nothing but time to defeat perimeter security. It’s their job, after all. Once they’ve defeated perimeter protections (which absolutely will happen), there is nothing stopping them from stealing data, encrypting it and holding it for ransom (in Colonial Pipeline’s case, to the tune of $5 million in bitcoin). And the ransom will be paid, because the cost is less than rebuilding the IT infrastructure from the most recent backups.
The most effective strategy for guarding against ransomware attacks is to continually monitor the processes that have access to sensitive data. Access control and data encryption management are the most effective protection -- not only from ransomware, but from insider threats, rogue processes, malware and more.
There are four aspects to good access control, which should be part of any cybersecurity and ransomware strategy:
- Multi-factor authentication. This is an absolute must, because it makes it more difficult for someone who has gained access to an agency’s network to wreak havoc. The most aggressive implementation of access control is, of course, zero trust, which assumes that someone has already gained access to the network. For organizations that have not yet adopted zero trust, multi-factor authentication is vital to making it more difficult for unauthorized users to get onto the network to begin with.
- Reducing the attack surface. How do attacks typically happen? Not surprisingly, email, web downloads, email links and other seemingly benign activities are the greatest culprits. Addressing those vulnerabilities requires sanitizing every email, every file exchanged through the network and every download that comes in. Next-generation disruptive technologies from ransomware attackers are making it increasingly difficult to reduce the attack surface, but organizations that don’t put real effort into mitigating that part of the hacker’s arsenal are absolutely opening themselves up to costly and sometimes catastrophic consequences.
- Training and empowering end users. Expanded attack surfaces are exploited through simple mistakes by users -- even those who may consider themselves cybersecurity savvy. Poor cyber hygiene practices must change if agencies hope to reduce the threat of ransomware attacks, so workforce training on sound cyber practices is essential. It may seem to be an expense without an immediate promise of return, but avoiding the pain and cost of acquiescing to ransomware demands makes user training one of the most effective ways to reduce the ransomware threat.
- Encrypting agency data before someone else does and holds it hostage. Ransomware is brilliant at encrypting systems, and hackers have proved to be relentless in their attempts at breaking into IT networks. An agency’s best defense is to work from the assumption that break-ins will happen, so critical data must be encrypted and protected with robust access policies. Data access policies can block bad actors from encrypting files and databases. Plus, encrypted data is worthless to hackers who may threaten to expose sensitive data if a ransom is not paid.
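The monitoring and access-policy idea behind the first and fourth points (only approved processes may touch protected data, and a process that starts rewriting many protected files at once is a warning sign) can be sketched as a small policy evaluator. This is an added illustration, not code from the author or from Thales; the path prefixes, process names and events are constructed sample data, and the write threshold is an assumed tuning value.

```python
"""Process-level access policy over sensitive data paths (added illustration)."""
from collections import Counter
from dataclasses import dataclass

# Policy: protected path prefix -> processes allowed to access it (assumed names).
POLICY = {
    "/data/records/": {"postgres", "backup-agent"},
    "/data/finance/": {"ledger-svc", "backup-agent"},
}
# Writes by one process to protected paths in a batch before we alert (assumed tuning).
MASS_WRITE_THRESHOLD = 3


@dataclass(frozen=True)
class AccessEvent:
    process: str
    path: str
    op: str  # "read" or "write"


def is_protected(path: str) -> bool:
    """True when the path falls under any protected prefix in POLICY."""
    return any(path.startswith(prefix) for prefix in POLICY)


def decide(event: AccessEvent) -> str:
    """Allow unprotected paths and allowlisted processes; deny everything else."""
    for prefix, allowed in POLICY.items():
        if event.path.startswith(prefix):
            return "allow" if event.process in allowed else "deny"
    return "allow"


def evaluate(events):
    """Return denied events and processes showing a burst of writes to protected data."""
    denied = [e for e in events if decide(e) == "deny"]
    writes = Counter(e.process for e in events
                     if e.op == "write" and is_protected(e.path))
    burst = sorted(p for p, n in writes.items() if n >= MASS_WRITE_THRESHOLD)
    return {"denied": denied, "mass_write": burst}


# Constructed sample events: a legitimate read, an unknown process rewriting
# several protected spreadsheets, and an unrelated write outside protected paths.
SAMPLE_EVENTS = [
    AccessEvent("postgres", "/data/records/patients.db", "read"),
    AccessEvent("backup-agent", "/data/records/patients.db", "read"),
    AccessEvent("unknown-binary", "/data/finance/q1.xlsx", "write"),
    AccessEvent("unknown-binary", "/data/finance/q2.xlsx", "write"),
    AccessEvent("unknown-binary", "/data/finance/q3.xlsx", "write"),
    AccessEvent("notepad", "/home/user/notes.txt", "write"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```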
Of course, this advice doesn’t necessarily cover all potential attacks on government agencies, which may still be struggling with how to retrofit modern-day data protection capabilities onto legacy systems. Unfortunately, agencies maintain legacy systems that can’t be unplugged. While government is modernizing applications at a faster rate than ever, legacy systems still face security challenges. As mentioned above, that’s why modernizing IT infrastructure is an important part of any plan to improve the nation’s infrastructure overall.
Until then, however, the four steps discussed here will go a long way toward limiting the damage caused by ransomware attacks.
Brent Hansen is federal CTO of Thales Trusted Cyber Technologies.