Encryption – a King’s Ransom
Encryption is used to help protect critical data from unauthorised access and undetected alteration, but it now also underpins a key toolbox of the cybercriminal seeking financial enrichment: ransomware. The malware known as “ransomware” is distributed and deployed from booby-trapped email attachments or hyperlinks. It denies data owners access to their digital assets by encrypting that data using keys known only to the attacker. The victim must pay the ransom to the attacker, usually in a difficult-to-trace cryptocurrency (another use of encryption!), before their assets are unlocked.
The devastating effects of ransomware, including WannaCry and NotPetya, on large conglomerates are well reported. In the past, small and medium enterprises (SMEs) were somewhat protected by being less conspicuous; unfortunately, this is no longer the case. Malwarebytes and Osterman Research found that around one-third of SMEs in the US, UK, France, Germany, Australia and Singapore will experience a ransomware attack each year. Amongst those impacted, more than one in five will experience downtime as a direct result of the attack; of these, around two-thirds will involve revenue loss, some threatening the organisation’s viability. Compared to large and often well-funded organisations, SMEs operate on a tighter budget and thus typically have weaker defences against cyber security threats. Even when toolsets are in place, some SMEs lack confidence in their response, which hinders their cyber defence and recovery capabilities.
The pivot in attacker targets is yet to filter through to the SMEs; Datto’s survey of more than 2400 managed service providers (MSPs) found that only around one-third are highly concerned about ransomware. Furthermore, many SMEs underestimate their threat level because they do not believe their assets would be of value to an attacker. Unfortunately, with ransomware it is the value of the information and systems to the affected organisation that drives attacker behaviour, and thus the former’s willingness to pay for their release. Attackers know that as long as they set the right price, some asset owners will pay the ransom to restore operations. In terms of direct costs, the financial effect of the downtime from a ransomware attack is 10 times the cost of the ransom itself.
Attackers are adapting: instead of trying to extract a King’s ransom from large multi-nationals, they are increasingly targeting SMEs for more princeling-sized sums. SMEs need to take care; the following steps could help:
1. Deploy network segregation to reduce likelihood of spread of malware or its effects.
2. Implement redundant systems, in logically isolated networks, again to reduce the likelihood of malware spread.
3. Monitor key data stores and data sources for unexpected changes to file contents or filenames, both indicators of compromise for ransomware.
4. Regular and secure backups of key data will minimise downtime and / or prevent the need to pay the ransom which anyway would not guarantee recovery; after all, why should you trust a cyber-criminal to give you something in return for the ransom payment?
5. The human factor is often an organisation’s biggest security weakness, so engaging and memorable cyber security awareness training can be one of the most effective ways of protecting an SME, with the added bonus that it is simple to implement. Indeed, providing appropriate training to staff is part of ‘due care’.
6. Ensure critical security patches for systems and applications are applied promptly, to keep the windows of opportunity for cyber attackers as short as possible. Best-practice models for vulnerability management suggest that critical security patches should be applied within 30 days of vendor release, but make sure that patches are tested on “test” systems to discover and iron out any issues they might cause; consider also using a managed service provider to maintain your critical IT systems, including conducting vulnerability and patch management activities.
7. Build resilience into your IT systems; that is, the ability to recover operations in the event of a successful attack. Organisations need to be prepared and to test their resilience measures regularly.
8. Understand regulatory commitments in advance of a successful attack, including requirements for orderly and timely disclosure to customers and relevant authorities.
9. Identify external technical and compliance experts who could assist with control, remediation and recovery activities in the event of a successful attack – but make sure to identify that expertise before any such attack occurs, and agree a service level agreement (SLA) for their services.
10. Collaborate with peers and adopt a strength-in-numbers approach. Attacker success is partly due to the dynamism of the hacker / cyber-criminal community and the ready sharing and sale of vulnerability and exploit information amongst that community.
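As an added example (not code from the original article), the following Python script illustrates step 3 above: it takes a baseline snapshot of a key data store (file names, SHA-256 hashes and byte entropy), takes a second snapshot later, and reports files that have gone missing, appeared with a suspicious new extension, or had their contents replaced by high-entropy data, the three filesystem-level indicators typical of a ransomware run. The extension list and the entropy threshold are assumptions chosen for illustration, and the sample files are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import math
import random
import tempfile
from pathlib import Path

# Assumption: illustrative extensions that some ransomware families append to encrypted files.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
# Assumption: Shannon entropy (bits per byte) above which a file looks encrypted or compressed.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data):
    """Return the Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def snapshot(root):
    """Map each file under root (relative POSIX path) to (sha256 hex digest, entropy)."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            rel = p.relative_to(root).as_posix()
            result[rel] = (hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return result


def compare(baseline, current):
    """Diff two snapshots and return a sorted list of human-readable alerts."""
    alerts = []
    for rel in baseline.keys() - current.keys():
        alerts.append("MISSING %s" % rel)
    for rel in current.keys() - baseline.keys():
        flag = " (suspicious extension)" if Path(rel).suffix.lower() in SUSPICIOUS_EXTENSIONS else ""
        alerts.append("NEW %s%s" % (rel, flag))
    for rel in baseline.keys() & current.keys():
        (old_hash, old_entropy), (new_hash, new_entropy) = baseline[rel], current[rel]
        if old_hash != new_hash:
            # A plain-text file that suddenly becomes near-random is the classic sign of encryption.
            note = ""
            if new_entropy >= ENTROPY_THRESHOLD and old_entropy < ENTROPY_THRESHOLD:
                note = " (high entropy: possible encryption)"
            alerts.append("MODIFIED %s%s" % (rel, note))
    return sorted(alerts)


def run_demo():
    """Constructed scenario: baseline a small data store, simulate a ransomware-like run, diff."""
    rng = random.Random(1)  # deterministic stand-in for an attacker's ciphertext
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices").mkdir()
        (root / "invoices" / "q1.txt").write_text("Invoice 0001: widgets, 12 units, GBP 240.00\n" * 40)
        (root / "notes.md").write_text("# Meeting notes\nDiscussed backup schedule and patch testing.\n")
        baseline = snapshot(root)

        # Simulated ransomware behaviour (constructed, no real malware involved):
        # overwrite one file in place with random bytes, rename another with a new extension.
        (root / "invoices" / "q1.txt").write_bytes(bytes(rng.randrange(256) for _ in range(4096)))
        (root / "notes.md").rename(root / "notes.md.locked")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In a real deployment the baseline would be stored outside the monitored share (and outside the reach of a domain account that ransomware would run as), the comparison would be scheduled frequently, and a burst of MODIFIED or suspicious NEW alerts within a short window would page the on-call team, since the volume and speed of change is what distinguishes mass encryption from ordinary editing.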
Dr Wendy Ng, CISSP, CCNP; 18th December 2018