Author – Uilson Souza – Information Security Specialist – Brazil
Nowadays, even with the experience of many past cases to draw on and plenty of tools to avoid problems, some companies definitely don't take security seriously, and the consequences are exposed in every data breach published in the press and particularly in the ransomware cases that are still happening.
After learning of the ransomware attack that hit the L.A. Times on Dec 31st, I have been struck by how this attack still demands attention for a couple of reasons that corporations keep missing.
You might be wondering what points I'm talking about, and the answer is clear: Processes, Awareness and good Security Management.
I don't want to put the quality of security leadership inside these organizations in doubt, but every time we witness an event like this it's because one of the pillars below is not being considered:
Looking at the attacks that have come to light, pillars 1 and 2 are the ones most often found missing during a post-mortem analysis.
We always need to take all these pillars into account when analyzing and/or planning Information Security for your organization. There is still the misconception that Security and Information Technology are the same thing; unfortunately, most companies place Information Security inside the Information Technology Department's organization chart, which reduces Security budgets and overloads IT with something that should be completely independent and focused on the company's core business.
Let me emphasize:
- Security is not (only) Information Technology! Security must be part of the core business strategy, and executive and board support is crucial.
- Once you have this support from the board, you need to understand not only your own concepts or technical measures but also fully understand what your company does and whether the processes related to the core business are flowing in a secure manner.
- Work with the core business to understand all processes and their associated risks in terms of confidentiality, integrity and availability. Once you have this landscape you can think about the third pillar (Technology) and plan what you can do to keep all critical data protected. Are your computers really hardened? Are technical resources being used for something other than the purpose for which they were designed? Look for a way to block the execution of certain file types (.exe, for instance) and restrict software installation to the technical team only. Another important point to consider is external devices like pen drives, cell phones or external hard disks. The permissions assigned to this equipment can be a huge point of vulnerability, as the user is bringing into your environment everything that you work hard to keep away… think about it and evaluate it according to your needs. Make sure all critical servers (file servers, database servers and critical application servers) are properly segmented and that access to sensitive and financial information is granted only to those who need it.
- Backup – one of the most important aspects for guaranteeing your data and for complying with market rules like PCI, HIPAA, ISO 27001, etc. Make sure your restoration process is reliable by testing it regularly. It's recommended that you don't pay ransomware attackers, given that there is no guarantee you will get your environment back.
- How is your Change Management Process working? Is it fully mature? And your Patch Management Process? Both need to flow in the same way. Several companies were affected by the WannaCry ransomware just because they had not applied the MS17-010 patch released some months before they got infected. A Security Bulletin from Microsoft or another vendor was not created just for reading… it needs to be fully applied and tested in your own environment, following the known deployment strategy: Development, Quality and Production.
- Having all this information handy helps you to focus your attention on the People pillar – last, but by no means least! Who is going to access what, when and how? What level of information should a specific department have access to? Don't forget to take physical access into consideration too: where everyone can get in and where you have to restrict access to only part of the staff.
- Moreover, with regard to the People pillar, a security awareness program is important to keep everyone on the same page about how to help the company keep the environment safe, to understand the security policy designed for the company and also to enable your end users as your partners in Information Security. The best way to get collaboration from users is to make them a significant part of the organization's Security Process, and that is one of the strongest points you can use to avoid external threats, since even with the most sophisticated cybersecurity infrastructure, a single click on an infected link might put it all at serious risk.
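As an added example for the Patch Management point above (this is not code from the original article), the following read-only PowerShell check reports whether a Windows host has the MS17-010 fix installed and whether SMBv1, the protocol the WannaCry worm spread over, is disabled. The KB-to-OS mapping is assumed from the MS17-010 bulletin and should be checked against the vendor's current guidance; `Get-SmbServerConfiguration` is only available on Windows 8 / Server 2012 and later.

```powershell
# Added example: audit a host for the MS17-010 fix and SMBv1 status. Run elevated.
# Assumed KB mapping per OS family (security-only and monthly-rollup packages).
$Ms17010Kbs = @(
    'KB4012598',               # Vista / Server 2008 (and the out-of-band XP/2003 package)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Compare installed hotfix IDs against the list above.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [PSCustomObject]@{
        Patched   = ($found.Count -gt 0)
        MatchedKb = ($found -join ', ')
    }
}

function Test-Smb1Disabled {
    # Returns $true if SMBv1 is off, $false if on, $null if the cmdlet is unavailable.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return $null }
    return (-not $cfg.EnableSMB1Protocol)
}

$patch = Test-Ms17010Installed
$smb1  = Test-Smb1Disabled

Write-Output ("Host: {0}" -f $env:COMPUTERNAME)
Write-Output ("MS17-010 KB present: {0} {1}" -f $patch.Patched, $patch.MatchedKb)
# Caveat: on Windows 10, later cumulative updates supersede the March 2017 KBs,
# so a 'False' here must be confirmed against the installed OS build before
# treating the host as unpatched.
switch ($smb1) {
    $true  { Write-Output "SMBv1: disabled" }
    $false { Write-Output "SMBv1: ENABLED - disable it unless a documented dependency exists" }
    default { Write-Output "SMBv1: could not query (older OS); check the SMB1 feature manually" }
}
```

Feeding the output into your Change Management records gives the evidence that a bulletin was actually applied, not just read.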
There are a lot of other metrics and measures you could consider, and the ones listed above could be explored in more depth. However, this article was intended to give you some tips to help you avoid a ransomware attack more efficiently.
Think and work safely!
Uilson Souza is an Information Security Specialist. Uilson is currently working on Information Security Architecture projects at MARS Global Services in the Process, Compliance and Security Team. Uilson has certifications from EXIN (Privacy and Data Protection Foundation), CompTIA (Cloud Essentials) and ITCerts (InfoSec and Cloud Security Foundation).