Given the sheer number of security products on the market today, you’d think cyberattackers wouldn’t stand a chance. We have countless boxes, blinking lights, and apps at our disposal that are supposed to protect us from just about every conceivable cyber malady. And yet nearly every day we hear about some unfortunate organization that’s ceasing operations because it can’t recover from a ransomware attack. This is usually the result of simply failing to maintain basic cyber hygiene within the organization.
Complicating matters is the new reality that bad guys are targeting entities they know a) are typically behind the curve in terms of cyber hygiene, and b) really don’t have the option of “going out of business” if recovery isn’t possible (read: they may have no choice but to pay the ransom). Municipal and county governments and school districts are on the front line here.
Granted, earlier this year more than 225 mayors of US cities pledged not to acquiesce to attackers’ demands in the event of a ransomware infection. However, when faced with the likelihood of being unable to provide essential services for an extended period, what can a city reasonably be expected to do? Pensacola is a recent, high-profile example of a municipality faced with this dilemma.
And yet, for every entity struggling with ransomware, there are many others that have not. Why is that the case? Is it just a matter of dumb luck, or is there some systemic difference that is driving the outcomes?
I posit that it is the latter. Just as the best sports teams and players work hard on fundamentals, so do the best organizations work hard on basic cyber hygiene. Now, these measures don’t need to be expensive, time-consuming, or inconvenient to implement. They should be treated as components of an overall risk-management strategy—not as “whack-a-mole” reactions to specific cyber threats—and should be embraced and promoted top-down by executive management (after all, cybersecurity is a business problem, not an IT problem). When that happens, an organization greatly reduces its likelihood of having a cyber incident.
There are some great vendor-neutral, objective references to help guide your organization’s cybersecurity efforts. These include the NIST Cybersecurity Framework and the Center for Internet Security (CIS) Critical Controls, among others. The cybersecurity concepts promoted by these guides are similar, and in terms of basic cyber hygiene, include:
- Security awareness training and testing. Condition employees to be on the lookout for suspicious e-mail messages. When they know they’re being tested and that failure has consequences, security awareness tends to improve dramatically, which is, of course, the outcome we want.
- Limit account privileges. The privileges assigned to an employee’s account should include those necessary for his or her job role, but nothing more. If these credentials are stolen, extra privileges mean extra damage that can be inflicted by an attacker.
- Use a password manager. The problem with passwords isn’t just that they might be weak, it’s that they also tend to be reused. When this happens, the likelihood of credential theft increases exponentially. Using a password manager allows your employees to maintain strong, unique passwords for every app and website on which they have an account.
- Use multi-factor authentication everywhere. If an attacker steals your password, it no longer matters how long or complex it is. Coupling strong, unique passwords with multi-factor authentication is a surefire way to keep from being low-hanging fruit in the metaphorical attack orchard.
- Prevent malicious DNS lookups. Before it can take hold, most ransomware requires the ability to resolve malicious DNS names. But by using technologies like Cisco Umbrella to remove this capability, an organization can dramatically stack the deck in its favor.
- Deploy web and email security. Prevent onsite and remote users from communicating with malicious IP addresses or URLs. Sandbox all attachments to incoming e-mail messages and inspect all embedded hyperlinks. Perimeter security is still an important part of a good risk-management strategy.
- Protect endpoints. Attackers have become adept at disguising malware to evade detection by antivirus software and other traditional mechanisms. But by protecting its workstations, servers, and mobile devices with a good Endpoint Detection and Response (EDR) app, an organization can keep malware in check and proactively hunt for threats within its environment.
- Patch operating systems and apps. Many variants of ransomware spread by exploiting vulnerabilities for which patches are already available. By keeping systems and apps up to date, an organization can severely inhibit ransomware’s ability to take hold and spread.
For some organizations, implementing these basic controls in-house may be a tall order given budgetary constraints and the capabilities of the IT staff. But in today’s cyber threat landscape, they are critical.
Ross is the CISO at Corsica Technologies. He holds CCIE Security and CISSP certifications and an MBA from the University of Notre Dame, and has 20 years of experience in the fields of computer and network security engineering and consulting. Ross provides virtual CISO services for our Symplexity Secure clients and helps them identify information security risks and implement administrative, procedural, and technical controls to mitigate them. He works effectively with both technical and managerial personnel and is a trusted resource for our clients.