Ransomware attacks are causing real damage – how to avoid the worst-case scenario
No one should give in to criminals’ ransomware demands. Investing upfront in security and employee education to avoid facing that awful dilemma will serve you well.
When the Colonial pipeline, which sends three million barrels of fuel between Texas and New York each day, was hit with a cyberattack last month, the impact was immediate and widely felt.
In a bid to stop the malware spreading within its pipeline control system and unable to accurately bill customers receiving the fuel, Colonial shut down operations leading to shortages at thousands of gas stations along the US East Coast. It was a ransomware attack in which hackers operating under the pseudonym Darkside infiltrated the pipeline company’s systems with malware that locked down networks, devices and data and demanded payment for them to be unlocked.
Get in touch with Mobile Mentor to book a free Modern Work Assessment.
A few days into the crippling outage, Colonial Pipeline buckled and paid the ransom – nearly US$5 million. It allowed the fuel to start flowing again, but rekindled the debate on whether companies held to ransom should pay up to get back to business as quickly as possible.
Last May also saw a ransomware attack on the city of Baltimore’s IT systems. Hackers demanded US$76,000 worth of Bitcoins be paid to unlock the system.
“That’s not going to happen,” Baltimore’s mayor, Bernard C. Jack Young declared.
“We’re not going to pay criminals for bad deeds.”
Paying up: a vicious cycle
Nearly a month later, city employees were still without access to work email and data, and the bill for restoring its systems ended up costing more than US$18 million. The Waikato District Health Board is also counting the cost of holding out against ransomware demands. Parts of its IT systems are still offline, and a backlog of medical appointments and surgeries has resulted from its core systems being taken out of action.
Ask anyone in IT security and they are likely to echo our government’s view that you should not pay ransoms.
“Even if you do pay, there’s no guarantee the criminal hasn’t exfiltrated your data and has it available to extort you a second time,” says Jared Pedersen, Head of Sales at mobile device management and security company Mobile Mentor, a Microsoft Gold Partner.
“It emboldens the criminal and creates a vicious cycle,” he added.
While the FBI has managed to claw back US$2.3 million of Colonial’s ransom payment by tracing and seizing cryptocurrency digital wallets, the real lesson, says Pedersen, lies in examining how the Colonial hackers got into the system.
“They had an old VPN (virtual private network) password that was inactive but had not been turned off,” he explains.
“They weren’t using multi-factor authentication and the same password had been used for other personal accounts. It was easy pickings,” he says.
Such is the case in many ransomware attacks, which have targeted weaknesses in IT security, particularly in sectors such as healthcare, which have sprawling legacy IT systems that are difficult to fully protect.
Colonial broke many of the rules Mobile Mentor advises its customers to implement, says Pedersen. He has seen an uptick in demands for Mobile Mentor’s free Modern Work Assessment, in the wake of the recent flurry of ransomware attacks.
“Existing customers are also asking us to check on them to make sure they are doing everything they can to protect themselves,” he says.
Three key vulnerabilities
The three major weaknesses Pedersen sees in device and network security are also the easiest to address, he adds.
They include an adherence to typed passwords instead of more secure passwordless authentication, a lack of controls around employees clicking on links in emails and a similar lack of protection covering the opening of email attachments. Passwords can be cracked with brute force attacks or stolen if insecurely stored. Links can contain malware that can be activated within your company network and attachments such as Word or Excel files can contain macros with malware buried within them.
Pedersen says that endpoint security systems from the likes of Microsoft and other major software vendors can address all of those issues. But there’s often a reluctance to lock down IT security too much and moving to passwordless log-ons can require a technology upgrade some businesses just aren’t willing to make.
“We think there is a happy medium of convenience and security,” says Pedersen, who adheres to the “zero-trust” mantra of the IT security industry.
“We assume that all devices are untrusted and cannot access corporate resources until proven otherwise. So this mantra of guilty until proven innocent is critical,” he explains.
With many organisations allowing employees to work on a wider range of devices beyond the reach of the company’s network, particularly since the widespread move to remote working, a more sophisticated approach to security is needed.
“Just because a company feels like they’re taking good care of their corporate fleet, doesn’t mean that their data that has been accessed on other devices is also secure,” says Pedersen, who spent 17 years working at Microsoft in a number of roles.
“Even if you are not using the likes of Microsoft Endpoint Manager, you can still secure the information on the device using things like app protection policies and conditional access.”
Device attestation, which allows organisations to query the security status of devices attempting to connect to enterprise applications and workspaces, is a valuable line of defence that can be applied to many legacy systems, says Pedersen, as is geo-fencing, which dictates the locations from which access can be gained. Together they mean that a hacker in a different country on an unrecognised device is unlikely to be able to gain access to the company network to embed malware that enables ransomware attacks.
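As an added illustration (not code from Mobile Mentor or the article), the following zero-trust check combines the controls Pedersen describes: the account must not be dormant, the sign-in must have completed MFA, the device must be recognised and pass attestation, and the location must be inside the geo-fence. The field names, managed-device list, country codes and sample sign-ins are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class AccessRequest:
    """One sign-in attempt as the policy engine sees it (constructed fields)."""
    user: str
    days_since_last_use: int   # dormant accounts (e.g. an old VPN login) are a red flag
    mfa_passed: bool           # did the user complete multi-factor authentication?
    device_id: str             # identifier the endpoint manager knows the device by
    device_attested: bool      # did the device pass a health/compliance attestation?
    country: str               # country code derived from the sign-in location

# Policy inputs (constructed): devices the organisation manages, the geo-fence,
# and how long an account may sit unused before it is treated as stale.
MANAGED_DEVICES = {"LAPTOP-0042", "PHONE-0101"}
ALLOWED_COUNTRIES = {"US", "NZ"}
DORMANT_DAYS = 90

def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Guilty until proven innocent: every check must pass for access to be granted.
    Returns (allowed, reasons) so a denial can be logged with all failing checks."""
    reasons: List[str] = []
    if req.days_since_last_use > DORMANT_DAYS:
        reasons.append("account dormant for %d days" % req.days_since_last_use)
    if not req.mfa_passed:
        reasons.append("MFA not completed")
    if req.device_id not in MANAGED_DEVICES:
        reasons.append("unrecognised device")
    elif not req.device_attested:
        reasons.append("device failed attestation")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("sign-in from outside geo-fence (%s)" % req.country)
    return (not reasons, reasons)

# Constructed sample sign-ins: a stale VPN-style login from an unknown device abroad,
# a healthy managed sign-in, and a managed device whose attestation failed.
SAMPLE_REQUESTS = [
    AccessRequest("vpn-legacy", 400, False, "UNKNOWN-PC", False, "ZZ"),
    AccessRequest("alice", 1, True, "LAPTOP-0042", True, "US"),
    AccessRequest("bob", 3, True, "LAPTOP-0042", False, "NZ"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        ok, why = evaluate(r)
        print(r.user, "ALLOW" if ok else "DENY", "; ".join(why))
```

Only alice is allowed; the other two are denied with every failing check listed, which is the detail an administrator wants in the sign-in log.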
He admits that hackers are increasingly sophisticated and organisations struggle to find resources to properly secure their systems and educate employees.
“In the end it comes down to that CIO making sure that they can look their board members in the face and say, we’ve done everything that we can do and where there are gaps, here’s where we need to invest.”
Shoring up your defences – 5 strategic security tips from Jared Pedersen
- Be aware of your risk profile
You need to consider what your risk profile is, particularly if you are in a sensitive industry like energy, healthcare, finance, education and the food sector. Where are your people working and on what devices? Pay particular attention to personally identifiable information (PII), how it is stored, accessed and transmitted.
- IT and HR should talk more
Too often, IT and HR operate in silos and only interact with the onboarding or offboarding of an employee. What happens in between? Make sure there is training around PII management, device usage and policies around bring your own device (BYOD) usage. You can use apps such as KnowBe4 for employee security awareness training. They will actively test employees’ ability to spot threats and teach them to be sceptical of links and email attachments that might represent a phishing attack.
- Modernise your endpoint management
Mobile Mentor loves over-the-air updates, which can push changed security settings or deploy updates to all devices automatically at the touch of a button. This is particularly important when a significant percentage of the workforce is based away from the office.
- Consider moving to the cloud
The cloud can be more secure. Keeping an IT team upskilled and investing in on-premises infrastructure is a relentless task. The largest multinational cloud providers put significant resources into security. You can benefit from that, and from the faster patching and security updates that can be applied to the major cloud platforms as zero-day threats are identified and tackled.
- Data loss prevention is crucial
Microsoft and others offer software that lets you set “do not forward” and “do not copy and paste” rules to prevent data from leaking out of your organisation. Additionally, any organisation should have a good disaster recovery plan that includes regular back-ups to multiple locations, so that if the IT system is rendered unusable by a hacking attack, at least up-to-date versions of data are available to rebuild and repopulate fresh IT systems.
Compliance and Vulnerability
Cloud compliance is the general principle that cloud-delivered systems must be compliant with the standards that the cloud customers themselves face. Essentially, cloud customers need to look at the effective security provisions of their vendors the same way they would look at their own internal security. They will need to figure out whether their cloud vendor’s services match the compliance that they need. There are several ways to go about this. In some cases, companies can just look for vendors that certify compliance, and choose their services without any further input. However, sometimes clients may need to actually get involved in assessing the cloud vendor’s security, to make sure that it complies with the industry standards and regulations.