Mar 26 2020

Good Cyberhygiene Remains Critical to Thwarting Ransomware

Prevention and response planning are key for in-house teams or managed service providers.

Over the past several years, ransomware has proved particularly daunting for state and local government agencies, and it’s not going away. Attackers encrypt files, then demand a ransom — with no guarantee the files will be unlocked.

At least 70 such attacks hit U.S. state and local governments in 2019, with at least 23 Texas municipalities infiltrated in one attack during the month of August. A recent IBM survey showed nearly 80 percent of taxpayers are worried about ransomware attacks on local government. Ransomware can render emergency services or online payment systems inoperable, expose confidential and personal information, and grind services to a halt.

As Texas CIO Todd Kimbriel said during the 2019 annual conference of the National Association of State Chief Information Officers, to avoid a ransomware attack, “it is crucial that any service provider has good cyberhygiene practices in place.” 

Agencies Need Cyberhygiene, Backups and Vulnerability Scans

What exactly is good cyberhygiene? It’s all the processes and procedures that keep sensitive data organized, safe and protected from theft and attacks, and ensure system availability and reliability. Even with limited budgets and without skilled security personnel, it’s possible for local governments to build — or ensure their service providers have in place — strong defenses. First and foremost, good cyberhygiene requires prevention and response plans. 

Even the smallest municipality can start with an up-to-date inventory of all hardware, software and data (especially the most critical data). Armed with this, an agency can implement an endpoint protection system that includes spam filters, phishing detection systems, advanced firewalls, malware detection and IP blacklists. User security awareness training is a key part of the endpoint protection system: Those on the front lines need ongoing education on password management, how to spot a phishing attempt and whom to contact in case of suspicious behavior. 

Backups are an essential factor. They may be the only way to recover critical data if a ransomware attack succeeds. It’s good to follow the 3-2-1 rule: three copies of files on two different media types, with at least one offsite. Such comprehensive protection sounds like a lot of work, but a system such as the Barracuda Total Email Protection solution covers all the bases.

Another important prevention element is scanning for vulnerabilities and patching relevant systems, especially those touching critical data. A centralized patch management system, such as Bitdefender GravityZone, lets organizations keep operating systems and applications up to date across workstations and both physical and virtual servers.


Why a Ransomware Response Plan Is Critical 

In addition to patching, agencies can implement policies to prevent execution of programs in locations where ransomware likes to hide, monitor the network for systems using Microsoft’s Remote Desktop Protocol — a popular vector for ransomware attacks — and periodically check administrative rights for sensitive data. If IT is outsourced, agencies can require assurance from a provider to ensure that these elements are active. 
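One way to put the "monitor the network for systems using Remote Desktop Protocol" advice into practice is to run a small check over firewall or flow logs. The script below is an added example, not part of the article or any vendor product; the log format, the internal address ranges and the list of hosts approved to accept RDP are all assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines (assumed format):
# "<timestamp> ALLOW|DENY <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2020-03-26T08:01:12Z ALLOW TCP 10.1.4.22:51234 -> 10.1.10.5:3389
2020-03-26T08:02:40Z ALLOW TCP 198.51.100.77:40211 -> 10.1.10.5:3389
2020-03-26T08:03:05Z ALLOW TCP 10.1.4.22:51240 -> 10.1.10.9:443
2020-03-26T08:04:19Z ALLOW TCP 203.0.113.9:33001 -> 10.1.10.31:3389
2020-03-26T08:05:00Z DENY  TCP 203.0.113.9:33002 -> 10.1.10.31:3389
2020-03-26T08:06:48Z ALLOW TCP 10.1.4.40:51300 -> 10.1.10.31:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
RDP_PORT = 3389
# The agency's own address space (assumed); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hosts where RDP is expected, e.g. a managed jump host (assumed for the example).
APPROVED_RDP_HOSTS = {"10.1.10.5"}


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_rdp_findings(log_text):
    """Return (rdp_hosts, findings): rdp_hosts maps each host that accepted an RDP
    session to the set of source addresses; findings lists the risky events."""
    rdp_hosts = defaultdict(set)
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "ALLOW" or int(rec["dport"]) != RDP_PORT:
            continue  # only allowed RDP sessions are of interest here
        src, dst = rec["src"], rec["dst"]
        rdp_hosts[dst].add(src)
        if not is_internal(src):
            findings.append((rec["ts"], dst, src, "RDP reachable from outside the network"))
        elif dst not in APPROVED_RDP_HOSTS:
            findings.append((rec["ts"], dst, src, "RDP in use on a non-approved host"))
    return dict(rdp_hosts), findings
```

Running `find_rdp_findings(SAMPLE_LOG)` on the constructed lines reports two hosts accepting RDP and three findings: two sessions from external addresses and one internal session to a host that is not on the approved list.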

No set of security measures is foolproof, so it’s crucial to have a contingency and remediation plan providing policies and procedures to identify when an attack is underway; trace the source; disconnect infected machines from the network; and notify users, relevant authorities and affected citizens if required. 

Finally, the plan should involve procedures for recovering from the attack, performing a full security audit and updating systems as needed. Consider employing incident response support such as CDW Threat Check.

Notice the steps outlined above do not include making a ransom payment. Paying an attacker does not guarantee the encrypted files will be unlocked; it only guarantees the hacker will receive the money and it might even encourage a repeat attack. If an agency gets the key to decrypt the files after paying the ransom, there is no binding agreement that the malware will be removed, and hackers could retain copies of the data and threaten to expose it unless still more money is paid.


Ask Cybersecurity Vendors, and Yourself, Tough Questions

No plan is complete — or relevant — unless it is tested. Just as with disaster recovery plans, a contingency plan should be tested through a tabletop walk-through involving all the relevant stakeholders: IT, communications, legal, compliance and law enforcement, among others. 

Don’t assume backups are secure or up to date: Test them. Don’t assume that a contingency plan will work in the chaos and panic of a ransomware attack: Test it. Good cyberhygiene practices matter, no matter whether IT is in-house or outsourced to a managed service provider. If in-house, a team must implement the necessary steps to prevent and respond; if outsourced, an MSP must provide proof that it has a policy in place and must follow it assiduously.
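The 3-2-1 rule described earlier and the instruction to test backups rather than assume they are good can be checked mechanically. The script below is an added example, not the article's or any vendor's code; the manifest fields, the seven-day freshness policy and the backup records are all constructed for the example, with the copy's bytes standing in for what would be read back from the medium.

```python
import hashlib
from datetime import datetime, timedelta

NOW = datetime(2020, 3, 26, 9, 0)   # constructed "current time"
MAX_AGE = timedelta(days=7)         # assumed freshness policy


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed backup manifest: one record per copy. "content" stands in for the
# bytes read back from the copy; "sha256" is the digest recorded when it was written.
COPIES = [
    {"file": "payroll.db", "media": "disk", "offsite": False,
     "taken": NOW - timedelta(hours=6), "content": b"payroll-v7", "sha256": sha256(b"payroll-v7")},
    {"file": "payroll.db", "media": "tape", "offsite": False,
     "taken": NOW - timedelta(days=1), "content": b"payroll-v7", "sha256": sha256(b"payroll-v7")},
    {"file": "payroll.db", "media": "cloud", "offsite": True,
     "taken": NOW - timedelta(days=1), "content": b"payroll-v7", "sha256": sha256(b"payroll-v7")},
    {"file": "permits.db", "media": "disk", "offsite": False,
     "taken": NOW - timedelta(days=9), "content": b"permits-v2", "sha256": sha256(b"permits-v2")},
    {"file": "permits.db", "media": "disk", "offsite": False,
     "taken": NOW - timedelta(days=9), "content": b"permits-v2\x00", "sha256": sha256(b"permits-v2")},
]


def check_321(copies, now=NOW, max_age=MAX_AGE):
    """Map each file to its list of problems; an empty list means the file has
    3 copies (live file plus backups) on 2 media types with 1 offsite, the newest
    backup is within policy, and every copy reads back with its recorded digest."""
    report = {}
    for name in sorted({c["file"] for c in copies}):
        mine = [c for c in copies if c["file"] == name]
        problems = []
        if len(mine) + 1 < 3:               # the live file counts as one copy
            problems.append("fewer than 3 copies")
        if len({c["media"] for c in mine}) < 2:
            problems.append("backups on fewer than 2 media types")
        if not any(c["offsite"] for c in mine):
            problems.append("no offsite copy")
        if now - max(c["taken"] for c in mine) > max_age:
            problems.append("newest backup older than policy")
        for c in mine:
            if sha256(c["content"]) != c["sha256"]:
                problems.append(f"{c['media']} copy fails integrity check")
        report[name] = problems
    return report
```

On the constructed manifest, `payroll.db` passes every check while `permits.db` fails four: a single media type, no offsite copy, stale backups, and one copy whose contents no longer match the recorded digest.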

Ask questions and press for answers. Use the above list as a guideline when discussing cyberhygiene with a service provider, going through each step and asking for detailed information on what steps the MSP is taking to prevent and, if necessary, respond to attacks. Don’t forget: Whether it’s in-house or outsourced, good cyberhygiene relies on every user.

Illustration by Rob Dobi