To Defend Against Ransomware, First Accept These Truths

By Marc Beder. October 25, 2021. Updated: January 18, 2023. 6 Mins Read
With the frequency, sophistication and impact of ransomware growing each year, organisations are understandably concerned about their risk of being the next victim of a cyber attack (and possibly the next major news headline). These concerns are valid, especially considering the sheer velocity of new attacks and the sizes of the ransoms recently seen in the public domain. 

“Ransomware awareness” happens when an organisation realises it could be a target. As might be expected, many organisations follow a very common response path. First, study the most recent attacks: Which types of companies are the most likely victims? Which companies appear safe? Does my organisation fit the at-risk profile? Second, research new products and services to find the ransomware “silver bullet”: What works best for my organisation? Surely there must be a one-size-fits-all approach to keeping data safe?

Unfortunately, both responses lead to the same two inevitable truths that business leaders must acknowledge:

Truth #1: If your business is connected to the internet, you are a ransomware target.

Recent public examples have shown us that ransomware takes many shapes and forms, but it doesn’t discriminate between large and small companies, or companies in specific industries. If your business is online, you are a target. 

Truth #2: There is no ransomware “silver bullet”.

Despite marketing efforts to the contrary, there is no single solution that defeats all forms of ransomware. The reason is intuitive: if you accept that “good” technology evolves and grows in impact, it is no stretch to see that “bad” technology evolves in both sophistication and impact as well. Ransomware has become a moving target that exploits older technology, incomplete solutions and (ultimately) our natural weaknesses as human beings, and its sophistication is always improving. In other words, an organisation would have to devote a significant share, if not all, of its resources to ransomware just to stay ahead. That simply isn’t realistic.

The multi-layered approach

From my perspective, the best defence against ransomware is a multi-layered approach. This design enables organisations to secure their data from most threats, protect their data if and when a threat succeeds, and recover their IT systems off-site in the worst-case scenarios. Here is the approach:

Securing the data

At the data level, start with securing the data itself. This covers physical, logical, process, and accreditation and certification levels of security. For all forms of computing, whether on-premises or in the cloud, the security of the physical data centre still represents the first line of defence against cybercrime, including ransomware. Examples of physical security include CCTV monitoring, professional security teams, facility access control and environmental security for the facility’s supporting systems. Take note: a clear benefit of using cloud services is that the physical security described above is the responsibility of the cloud provider under the “shared responsibility model”, so ensure (and don’t assume) that they do provide these layers of security.

Logical security refers to the many layers of technology that create a secure and stable foundation for all services and customers. In terms of layers, logical security is applied at the network, storage and hypervisor layers. Firewalls, network segmentation, zoning and encryption are all examples of logical security. At the hypervisor level, consider a combination of anti-malware, intrusion detection/prevention (IDS/IPS), web application protection and integrity monitoring, amongst other technologies, to defeat threats before they reach the data.

At the process level, consider security processes that begin before an employee even joins your organisation; this includes a full background check before employment commences and training that is repeated regularly for the duration of employment. The other component of process security is access control. This means a role-based access control model built on least privilege: each individual is given the minimum access needed, based on their function, to carry out their job responsibilities. In addition to least privilege, elevated or privileged accounts should be configured to require two-factor authentication. Finally, all employees should be subject to regular access reviews to determine whether they still need their access after changing teams or departments.
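The two checks an access review needs to automate from the paragraph above, privileged accounts without two-factor authentication and entitlements that no longer match the user’s current department, as an added example that is not part of the original article; the Account model, the entitlement names and the sample inventory are all constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    user: str
    department: str          # current department per HR (constructed field)
    privileged: bool         # elevated/admin account
    mfa_enabled: bool        # two-factor authentication enforced
    entitlements: frozenset  # access granted, e.g. frozenset({"finance-ledger-rw"})

# Which department owns (approves) each entitlement; constructed for this example.
ENTITLEMENT_OWNER = {
    "finance-ledger-rw": "finance",
    "hr-records-ro": "hr",
    "prod-hypervisor-admin": "it",
}

def review_access(accounts, owner_map):
    """Return (user, finding) pairs for the review.

    Finding 1: a privileged account with no two-factor authentication.
    Finding 2: an entitlement owned by a department the user is no longer in,
    i.e. access carried over from a previous team that needs re-approval.
    """
    findings = []
    for a in accounts:
        if a.privileged and not a.mfa_enabled:
            findings.append((a.user, "privileged account without two-factor authentication"))
        for ent in sorted(a.entitlements):
            owner = owner_map.get(ent)
            if owner is None:
                findings.append((a.user, f"{ent}: no owning department recorded"))
            elif owner != a.department:
                findings.append((a.user, f"{ent}: owned by {owner}, user now in {a.department}"))
    return findings

# Constructed sample inventory: alice moved from finance to marketing but kept
# finance access; bob is an admin with no MFA; carol is clean.
ACCOUNTS = [
    Account("alice", "marketing", False, True, frozenset({"finance-ledger-rw"})),
    Account("bob", "it", True, False, frozenset({"prod-hypervisor-admin"})),
    Account("carol", "hr", False, True, frozenset({"hr-records-ro"})),
]

if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, ENTITLEMENT_OWNER):
        print(f"{user}: {finding}")
```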

The final component to consider for securing your data is accreditation and certification through a trusted third party. This independent validation of your organisation’s efforts can be a critical factor in building confidence with your customers. 

Protecting the data

While securing the data itself is the first line of defence, and often an effective one, even the most mature IT organisations can fall victim to new techniques, malicious insiders and accidental user events (e.g. accidental deletion). So what happens when an environment is compromised? While a contingency plan defines how your organisation will operate during an attack, you must also take steps to minimise the loss of data and other information after an attack. A vital part of your cyber defence strategy must be a reliable backup plan that ensures rapid service restoration following an attack.

The 3-2-1 backup rule is a simple strategy for keeping your data safe in almost any failure scenario: keep at least three copies of your data, store two backup copies on different storage media, and keep one of them off-site (e.g. in the cloud). Keep in mind that almost every ransomware incident or data outage was introduced unknowingly by a user. Even the best physical, logical and process-based defence techniques can fail if proper policies and education are missing. In these cases, simply having another copy of the data defeats the intent of ransomware. Backup can come in many forms, but given the sophistication of recent threats, an off-site, air-gapped repository (disconnected from the internet and with limited access) is ideal.
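A check of a backup inventory against the 3-2-1 rule as stated above, with the article’s air-gap recommendation reported as a warning; this is an added example, not code from the article, and the BackupCopy model and the two sample inventories are constructed for it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str       # storage media type, e.g. "disk", "tape", "object-storage"
    is_primary: bool  # the live production copy counts as one of the three copies
    offsite: bool     # held at another location, e.g. a cloud provider
    air_gapped: bool  # disconnected from the internet, with limited access

def check_321(copies):
    """Return findings against the 3-2-1 rule; an empty list means compliant.

    FAIL items break the rule (3 copies, 2 media, 1 off-site). An off-site copy
    that is not air-gapped is a WARN: ransomware that has reached production
    can reach it too, which is why an air-gapped repository is recommended.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"FAIL: {len(copies)} copies in total, need at least 3")
    backups = [c for c in copies if not c.is_primary]
    media = {c.medium for c in backups}
    if len(media) < 2:
        findings.append(f"FAIL: backups use {len(media)} media type(s), need at least 2")
    offsite = [c for c in backups if c.offsite]
    if not offsite:
        findings.append("FAIL: no off-site backup copy")
    elif not any(c.air_gapped for c in offsite):
        findings.append("WARN: off-site copy is not air-gapped")
    return findings

# Constructed sample inventories for this example (not real systems).
COMPLIANT = [
    BackupCopy("prod-san", "disk", True, False, False),
    BackupCopy("nightly-tape", "tape", False, False, True),
    BackupCopy("cloud-vault", "object-storage", False, True, True),
]

# A common weak pattern: three disk copies in one data centre, nothing off-site.
SAME_SITE = [
    BackupCopy("prod-san", "disk", True, False, False),
    BackupCopy("snapshot-san", "disk", False, False, False),
    BackupCopy("nas-mirror", "disk", False, False, False),
]

if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("same-site", SAME_SITE)):
        print(label, check_321(inventory) or ["OK"])
```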

Recovering the data

The final piece of a multi-layered approach is disaster recovery (DR). Consider DR to be a complete replica of your primary strategy (see step 1 above), including its layers of security and backup. Because primary backups can still fail or become compromised in a disastrous cyberattack, DR strategies not only provide recovery capabilities but also buy your organisation valuable time to respond to the threat.

In today’s competitive environment, the consequences of data loss for your business are dire: downtime, lost productivity and/or revenue and long-term reputational damage. Through a dedicated, multi-layered approach to security and data protection, organisations can improve their resilience to cyber attack and quickly respond in the event of data loss or data theft. 

Marc Beder, VP of Solutions Architecture at iland

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
