In my day job as editor of the Inside Security email newsletter, I read a lot of infosec stories from various sources: some technical, some legal, some for beginners. But I was struck by reading this piece in Dark Reading this week by this sense of failing purpose, and how IT is at best at parity with our attackers.
The piece is by a security consultant, Mark Hardy. Entitled, 7 Steps to Fighting Ransomware, it does what it says, providing some practical advice for corporate IT managers on how to prepare for the coming attack. Make no mistake: it is coming. All it takes is one person and one careless click and your network is compromised.
Some of Hardy’s suggestions are pretty predictable: make sure your systems are kept up to date on patches. Segment your network to limit the exposed systems that an attacker can easily access. Backup frequently and move them offline for further protection. Yeah, yeah, we’ve heard it before. Some corporations actually do these things too.
But one suggestion stopped me in my tracks: Buy some Bitcoin to prepare in advance, in case you have to fork over the ransom on short notice. That was a chilling point to make because it says no matter how carefully you prepare, there is still the off chance that you may have missed something and will need to pay out the ransom.
This is what I mean when I say we are at parity with the bad guys. We are fighting an asymmetric war against them: they have the ability to penetrate our networks and steal our data with a vast array of tools that are only getting better and more finely crafted. There is malware that can operate in memory and hide by using bits and pieces of software already part of your operating system that is very difficult to detect. There is malware that changes its attack signature every second. There is malware that uses flaws in the operating system (such as one that was patched this week by Microsoft, ironically in its malware protection engine program). And there are malware kits that run completely in the cloud, so all it takes is money and a few commands to launch an attack. So it is inevitable that someday your company will be hit, it is just a matter of when.
Security strategies are forged in the heat of battle when you realize that no matter how many spare copies or protective procedures, something went wrong: your copies are bad, you have mission-critical data lurking on some executive’s laptop that wasn’t part of the backup, or some phisher dangled some bait and succeeded. Game over.
I speak from sad experience. Not over ransomware, but a simple backup error. Many years ago I lost my mailing list server due to a flooded basement. All the content on my server was duplicated elsewhere, offsite, save for one thing: the actual names on my list. A pretty critical piece of information, don’t you think? If that server didn’t come back online (it did), I would be out of business. I didn’t have a spare copy of my list. All it took was a simple command to have that list of names. But somehow I forgot to include that in my workflow. Oops.
Hardy says, “Ransomware is a clear and present danger. Companies can no longer afford to take a wait-and-see attitude. If you’re vulnerable to ransomware and take no precautions to mitigate those vulnerabilities, then the only thing you’re relying upon to prevent an infection is hope — and hope is not a strategy.” So stop hoping, and start preparing.