Jul 27, 2021

Protecting Your Org from Ransomware: Best Practices

Suhas Nayak
Glenn Mulvaney
Protecting Your Org from Ransomware: Best Practices

Organizations around the world are making headlines after falling victim to ransomware attacks. Ransomware is malicious code designed to gain unauthorized access to systems and data and encrypt that data to block access by legitimate users. Once ransomware has locked users out of their systems and encrypted their sensitive data, cyber criminals demand a ransom before providing a decryption key to unlock the data. Organizations can lose days of productivity and revenue during these attacks, and recovery can be problematic.

The ransomware attack on the Colonial Pipeline in May 2021 demonstrated how far-reaching such a strike can be: 5,500 miles of pipeline carrying 45% of U.S. east coast fuel was shut down for four days before operations could be completely restored by paying the ransom amount of $4.4 million. It is expected that a new organization will fall victim to ransomware every 11 seconds by the end of this year.

This massive problem is top of mind for our customers when it comes to protecting their critical data. In this post, we share guidance on how organizations can make an attack less likely, increase their resilience to being ransomed, and secure their data in the cloud.

Developing a Defensive Security Posture to Safeguard your Data Against Ransomware

Protecting your data against ransomware involves putting together a multi-layer defensive plan all the way from thwarting such attacks to recovering quickly in the event of a breach. The following components are all part of a comprehensive data protection plan. Read on to understand the top 5 best practices to defend against ransomware in each component.

#1 Vendor and Supplier Management

In some recent attacks, a third-party vendor’s software for IT automation was the source of a vulnerability that attackers used as an entry point for their malicious code. While SaaS offerings bring tremendous flexibility and scalability, they also come with additional risks to evaluate and mitigate.

Steps to Take:

  • Establish a procedure by which all existing and future vendors are evaluated at least annually on the risk their services add to your organization. Understand their security posture and the maturity of their IT and information security processes. Do they have an ISO 27001 certification? A SOC 2 Type 2 report? Do they perform penetration tests from qualified security vendors, and are attestations available?
  • Request a meeting with your vendor’s security team and ask questions. Having certifications, reports, and attestations is not proof against a vendor having (or causing) a security breach, but it establishes a baseline that industry accepted best practices for information security are being observed and verified

#2 Training and Awareness

Inside of your organization, your personnel is your greatest asset. It’s a core responsibility to ensure that they are trained and aware of the risks that are posed by attackers. Social engineering techniques have played a huge role in the spike of successful attacks. Every individual in your organization should have a security “radar” running in their head whenever they’re using their computers.

Steps to Take:

  • Set up an automated monthly recurring training that gets deployed to your employees and track the results.
  • Perform internal press around these activities, at least annually, and have a company meeting dedicated to security training and awareness.
  • Perform quarterly short-subject meetings on subjects like BECs, SIM hijacking, SMS scams, etc. Frequency, relevance, and brevity is the key to establishing and maintaining awareness among your teams.

#3 Technical Mitigations

IT security has made significant strides in software, services, and techniques for the prevention of unwanted activity. Organizations need to manage a lot of physical assets, like laptops and smartphones. Many of them also need to manage a range of SaaS offerings as well, like intranets, collaboration platforms, email systems, etc. Each of these offerings can pose a risk of entry for an attacker to exploit.

Steps to Take:

  • Establish an Asset Management Policy that ensures norms. All devices with any access to company resources should have controls enforced on them that provide common protections. For example, a control disallowing the use of USB mass storage on company computing devices to protect your employees from the dreaded class of USB device exploits.
  • Ensure you have good password practices which are enforced, host-based firewalls are enabled, malware detection/prevention software is running, etc. should be applied across all systems.
  • Your email system should be configured to alert users of emails from external/untrusted sources. Many cloud-based enterprise email services provide a lot of security features; be sure to review them and activate them.
  • Establish an Access Control Policy that enforces the use of strong multi-factor authentication across all systems via a single sign-on system. Numerous cloud-based identity providers (along with the SAML 2.0 standard) make implementing this a lot easier than it used to be.

#4 Privilege and Authorization Management

When a user authenticates to a service, the user is typically granted some amount of privileges. In the SaaS and Cloud world of 2021 and beyond, permissions management of services can be quite complicated. For example, the privileges available for a user in your collaboration suite will vary significantly from the privileges of a user of your Infrastructure-as-a-Service provider. At a high level, the privileges required for these users will be role-based. Privilege management is critical and hence the guidance is to limit privileged access to the minimum level required for the user to do their job.

Steps to Take:

  • Limit the “blast radius” of what an attacker can do with a compromised account. If your systems are integrated with a SAML 2.0 based IdP, you can usually manage the levels of permissions with groups or roles in the service that the IdP will indicate when a user authenticates.
  • Review privileged access frequently. Folks change jobs; they move from one role to another within a department, and sometimes they move laterally to other departments. It’s a good idea to review at least quarterly the list of users who have admin-level access to key systems and services and resolve this list with HR to account for any changes.
  • Monitor all access logs. While the amount of data here can be voluminous, it’s a critical requirement, and there are a lot of systems and software available to help automate this process. Anomalies like seeing a particular user account attempting (and hopefully failing) to elevate its access, or access resources it’s not permissioned for, can be an indication that an account is breached. Activity logs are vitally important resources for both analytics and forensics in the unlikely and undesirable event of a security incident.

#5 Disaster Recovery

Speaking of forensics and security incidents, it’s really important that the above-mentioned activity logs don’t vanish. That would seriously hamper an investigation. Ideally, the logs are stored offsite securely, and in a form that’s tamper-proof. This brings us back around to the whole subject of ransomware.

Preparing for disaster, and ensuring recovery from it, is necessary for all organizations. Disasters come in many forms, from a leak in one of your offices making a floor unusable, to a service provider having an extended outage, and even to the worst-case of having your organization fall victim to a ransomware attack. The mitigations are important, but the worst can still happen. Your disaster recovery plan should account for and have a tested, planned mitigation for this scenario.

CISA has published a Cyber Essentials Toolkit.  I highly recommend it; it’s written in a checklist style and covers a lot of ground.  In chapter 5 regarding the protection of data, you’ll find two significant sentences:

  • Ensure the backed-up data is stored securely offsite or in the cloud and allows for at least seven days of incremental rollback
  • Periodically test your ability to recover data from backups.. Online and cloud storage backup services can help protect against data loss and provide encryption as an added level of security.

Steps to Take:

  • Protect your data in an air-gap solution, outside your production environment.
  • Ensure the data is stored in a secure and immutable manner.
  • Validate the encryption occurs in-flight and at rest with keys that cycle often.
  • Have the ability to bring your own encryption keys.
  • Test your restore procedures (and indeed, your whole Disaster Recovery plan) should be performed periodically; at least, annually.

Clumio provides good news and value on all of these points.

How Clumio Can Help:

The Clumio platform has the security, the “off sited-ness”, and the immutability designed in, from day one.  Your data is encrypted with your encryption key before it leaves your cloud accounts and is transmitted to the platform.  Built-in integrity checking and object versioning ensure immutability, and the platform is a completely separated environment from your company’s.  Check!  You can configure your backup policy to archive and retain data on the schedule that best fits with your organization and data type.

Additionally, testing data restoration with Clumio is among the easiest tasks to do.  View your protected assets, examine their backup calendar, and click to restore.  That’s it.  With Clumio’s granular recovery you can also restore individual files or database records, speeding up time to recovery. The ability to restore to any account or region also ensures that you have the flexibility to get back up and running your business in a new site while the compromised site remains isolated for investigative purposes.

Thoughts and Conclusions

The frequency and severity of ransomware attacks are truly alarming.  It’s a global, industry-spanning threat, and needs to be taken seriously.  But there’s no need to feel helpless.  The preventative and mitigating techniques discussed above are a starting point, and help to make organizations more difficult targets for attackers. There’s always more to be done, and it will be a chess game of moves and counters.

For certain, an ounce of prevention is worth a pound of cure… or fewer hours of disaster recovery and loss of business.  A strong security posture is required and needs care, sustenance, and continuous improvement. Just don’t neglect the “break-glass” disaster recovery plan, and ensure that your critical data is safe, secure, and available.  Ensure that you’re ready to engage and restore business operations within your RTO/RPO targets if the worst-case scenario happens.

Does your AWS backup expose you to ransomware attacks? Find out how to Overcome the Challenges with Backup for AWS and Recover from Ransomware Attacks.