Editor's Note: This article was submitted prior to yesterday's LG attack and has been brought forward for publication due to its timeliness.
WannaCry and NotPetya, the two recent ransomware attacks, have clearly illustrated that organisations are paying little attention to, or struggling with, the fundamentals of security. While investment in the latest sophisticated security solutions is important, blatantly ignoring basic hygiene to protect the organisation is counter-productive. A simplistic analogy – by all means, install security cameras in the building, but first invest in a lock on the main door.
The unprecedented global scale and impact of events like WannaCry and NotPetya is a clear warning to organisations that they need to revisit their security basics with vigour. The following areas are the obvious ones, but clearly are not being given the level of attention they deserve:
Back up your data – According to Kaspersky Lab, one in five SME businesses never got their data back even after paying the ransom. Back up your data; it will allow you to be up and running quickly in the event of an attack, without yielding to ransom demands from criminals.
Today, several low-cost back-up tools and storage solutions are widely available, so there really isn't an excuse not to back up data. Identify what data is business-critical and establish back-up processes. It's also worth exploring your business' appetite for cloud back-up services, which will simplify the back-up, storage and restoration processes too.
Be mindful that you don't need to keep all the data forever. Your back-up strategy must take into account the duration that specific data needs to be backed up for. Ensure that you ‘age’ the data accordingly; and now with the upcoming GDPR, having a fast way to remove any requested data – even from backups – will be essential.
Patch – It isn't far-fetched to say that enterprises could have mitigated the impact of WannaCry to a large extent had they patched the Microsoft vulnerability that the ransomware exploited. Patching is security 101. If there is push-back in the organisation to patching, education on the impact of not patching is essential, as is finding ways of de-risking concerns. Patch secondary systems first and put test plans in place. With the right focus, you'll be able to automate these processes and find that you are in fact patching daily!
Segment the network – Splitting the network into segments is important because, in the event of an attack, the portion of the infrastructure that is affected can be disconnected (or may already be isolated) from the rest to protect the larger organisation.
WannaCry and NotPetya exploited a vulnerability that is also present in embedded Windows XP, which is still used in medical and factory equipment (and some ATMs). Many organisations didn't replace these systems as they ‘did the job’ and so, in their mind, the expense of replacing them was potentially unjustified. By segmenting the network to place these risky systems in isolated environments, perhaps the impact of the ransomware could have been significantly reduced.
Today, the Network Access Control (NAC) technology space has come on in leaps and bounds, and micro-segmentation is a fast-emerging area. It's worth exploring.
Provide security awareness – Email is the main vehicle that is used by hackers to breach security. Impart meaningful training to staff so that they are able to protect themselves, no matter what the environment, as threats don't necessarily stop at the office door. Also, it's a good idea to combine mock phishing attacks with security awareness training to test the organisation's security readiness. It's proving to be an effective approach.
Security maturity assessment
To truly protect the business, organisations need to look at security more holistically. With the basics firmly in place, organisations should undertake a Security Maturity Assessment to gain an in-depth and comprehensive understanding of the security measures (people, processes and technology) already in place, to then determine where changes are needed to mitigate the impact of potential attacks.
A key precursor to Security Maturity Assessment is Threat Modelling. Inventory data and identify the assets that need to be protected, and then create a threat profile of those individual assets to determine where the vulnerabilities exist and which ones are most at risk. This will allow you to determine the gaps in your security processes and technology; and help identify the solutions that need to be layered on to the basic measures already in place.
For instance, you may find that a content threat removal technology is needed to strip out all the malicious content from documents before they are passed through the organisation via the Internet or email – thus pre-empting a major threat vector. In large organisations, there may be a case for deploying behavioural analytics to detect anomalous behaviour of employees and systems.
A word of caution, however – with the abundance of technology, enterprises frequently lose their true security focus. Over-tooling can be as risky as under-tooling. Devising a tailored security strategy to mitigate the actual risks of your individual organisation is the answer. Security Maturity Assessment facilitates this.
Contributed by Gary Evans, chief technology officer, Reliance acsn
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.