Security

Good Cyberhygiene Remains Critical to Thwarting Ransomware

Prevention and response planning are key for in-house teams or managed service providers.

Tanya Candia is an international management expert, specializing for more than 25 years in information security strategy and communication for public- and private-sector organizations.

Over the past several years, ransomware has proved particularly daunting for state and local government agencies, and it’s not going away. Attackers encrypt files, then demand a ransom — with no guarantee the files will be unlocked.

At least 70 such attacks hit U.S. state and local governments in 2019, with at least 23 Texas municipalities infiltrated in one attack during the month of August. A recent IBM survey showed nearly 80 percent of taxpayers are worried about ransomware attacks on local government. Ransomware can render emergency serv-ices or online payment systems inoperable, expose confidential and personal information, and grind services to a halt.

As Texas CIO Todd Kimbriel said during the 2019 annual conference of the National Association of State Chief Information Officers, to avoid a ransomware attack, “it is crucial that any service provider has good cyberhygiene practices in place.”

Agencies Need Cyberhygiene, Backups and Vulnerability Scans

What exactly is good cyberhygiene? It’s all the processes and procedures that keep sensitive data organized, safe and protected from theft and attacks, and ensure system availability and reliability. Even with limited budgets and without skilled security personnel, it’s possible for local governments to build — or ensure their service providers have in place — strong defenses. First and foremost, good cyberhygiene requires prevention and response plans.

Even the smallest municipality can start with an up-to-date inventory of all hardware, software and data (especially the most critical data). Armed with this, an agency can implement an endpoint protection system that includes spam filters, phishing detection systems, advanced firewalls, malware detection and IP blacklists. User security awareness training is a key part of the endpoint protection system: Those on the front lines need ongoing education on password management, how to spot a phishing attempt and whom to contact in case of suspicious behavior.

Backups are an essential factor. They may be the only way to recover critical data if a ransomware attack succeeds. It’s good to follow the 3-2-1 rule: three copies of files on two different media types, with a least one offsite. Such comprehensive protection sounds like a lot of work, but a system such as the Barracuda Total Email Protection solution covers all the bases.

Another important prevention element is scanning for vulnerabilities and patching relevant systems, especially those touching critical data. A centralized patch management system, such as Bitdefender GravityZone, lets organizations keep operating systems and applications up to date across workstations and both physical and virtual servers.

Why a Ransomware Response Plan Is Critical

In addition to patching, agencies can implement policies to prevent execution of programs in locations where ransomware likes to hide, monitor the network for systems using Microsoft’s Remote Desktop Protocol — a popular vector for ransomware attacks — and periodically check administrative rights for sensitive data. If IT is outsourced, agencies can require assurance from a provider to ensure that these elements are active.

No set of security measures is foolproof, so it’s crucial to have a contingency and remediation plan providing policies and procedures to identify when an attack is underway; trace the source; disconnect infected machines from the network; and notify users, relevant authorities and affected citizens if required.

Finally, the plan should involve procedures for recovering from the attack, performing a full security audit and updating systems as needed. Consider employing incident response support such as CDW Threat Check.

Notice the steps outlined above do not include making a ransom payment. Paying an attacker does not guarantee the encrypted files will be unlocked; it only guarantees the hacker will receive the money and it might even encourage a repeat attack. If an agency gets the key to decrypt the files after paying the ransom, there is no binding agreement that the malware will be removed, and hackers could retain copies of the data and threaten to expose it unless still more money is paid.

Ask Cybersecurity Vendors, and Yourself, Tough Questions

No plan is complete — or relevant — unless it is tested. Just as with disaster recovery plans, a contingency plan should be tested through a tabletop walk-through involving all the relevant stakeholders: IT, communications, legal, compliance and law enforcement, among others.

Don’t assume backups are secure or up to date: Test them. Don’t assume that a contingency plan will work in the chaos and panic of a ransomware attack: Test it. Good cyberhygiene practices matter, no matter whether IT is in-house or outsourced to a managed service provider. If in-house, a team must implement the necessary steps to prevent and respond; if outsourced, an MSP must provide proof that it has a policy in place and must follow it assiduously.

Ask questions and press for answers. Use the above list as a guideline when discussing cyber-hygiene with a service provider, going through each step and asking for detailed information on what steps the MSP is taking to prevent and, if necessary, respond to attacks. Don’t forget: Whether it’s in-house or outsourced, good cyberhygiene relies on every user.

Cyberhygiene Best Practices to Follow

The Software Engineering Institute at Carnegie Mellon University recently outlined 11 baseline cyberhygiene practices for organizations to consider.

“We want organizations to understand that performing these practices are as foundational to using cyber-related assets as brushing your teeth or bathing are to personal health,” writes Matthew Trevors, acting technical manager of cybersecurity assurance for SEI’s CERT Division.

The institute makes the following recommendations:

Identify and prioritize key organizational services, products, and their supporting assets.
Identify, prioritize, and respond to risks to the organization’s key services and products.
Establish an incident response plan.
Conduct cybersecurity education and awareness activities.
Establish network security and monitoring.
Control access based on least privilege and maintain the user access accounts.
Manage technology changes and use standardized secure configurations.
Implement controls to protect and recover data.
Prevent and monitor malware exposures.
Manage cyber risks associated with suppliers and external dependencies.
Perform cyberthreat and vulnerability monitoring and remediation.