James Goepel selected to present his research at Drexel University’s 5th Annual International Research Showcase

Fathom Cyber’s CEO, Jim Goepel, is an adjunct professor of cybersecurity in both Drexel University’s Lebow College of Business and Thomas R. Kline School of Law and Drexel University. Since joining Drexel, Jim Goepel has been working with Professor Paul Flanagan on an innovative approach to cybersecurity and data privacy risk management. Drexel University has asked Jim and Paul to present their research as part of Drexel’s 5th Annual International Research Showcase on May 27, 2020. Using Professor Goepel’s and Professor Flanagan’s unique approach, organizations can implement an holistic enterprise risk management program that creates an agile business environment while adding structure necessary to properly manage regulatory, legal, cyber, data privacy, and other risks. Their approach includes risk definition and management techniques, carefully tailored policies and procedures, and strong compliance and audit functions. More details about Professor Flanagan’s and Professor Goepel’s approach will be included in an upcoming technology journal published by the National University of Singapore.

Staying Safe While Traveling

Travel

As the holiday season approaches, we want to remind everyone that safe travels includes more than just driving safely; there are cybersecurity and privacy considerations as well. We strongly encourage you to always follow our Top 7 Tips for Individual Cybersecurity, even when you travel (you can download a free printer-friendly version here). We also recommend creating an electronics travel kit.  The kit should include*:

The whole kit can be put together for less than $100 and could make a great Christmas present, especially when combined with a bag (such as this: https://www.amazon.com/Electronic-Accessories-Organizer-Carrying-Earphones/dp/B07833GL7W, or https://www.amazon.com/UGREEN-Electronic-Organizer-Digital-Speaker/dp/B07DQBC6NH).

So, why do you need to carry all this stuff?  The travel extension cord is very useful in airports or other locations where power outlets can be scarce or inconveniently placed.  For example, in many hotel rooms we have recently visited, the outlets near the bed are all taken by lamps, alarm clocks, etc.  The travel extension cord allows us to use one of those outlets to charge our electronics without having half the room be dark.  Similarly, some rooms now have power outlets on the desk or nightstand, but they do not provide enough clearance for larger wall adapters.  The travel extension cord allows us to use our preferred wall adapter with those outlets. 

You’re probably thinking “but you can find USB charging ports just about anywhere; why would you need a wall outlet and extension cord?”  In short, those charging ports can be modified to allow an attacker to copy all of the data from your device, and even to plant malware on your device.  The ports can also provide inconsistent and potentially damaging amounts of electricity to your device.  Given the range of issues these public USB ports pose, we recommend to our clients that they avoid them. 

We also recommend carrying a cigarette lighter adapter for the same reasons.  Automobiles are a convenient place to charge our devices, but criminals know that they can modify the USB port on a rental car and gain access to or infect your device.  Rental car USB adapters also take more abuse than most personal vehicle adapters (think about how often you unplug your cable in your car versus during a rental) and thus are more likely to suffer electrical issues that can damage your device.  Carrying a known-good USB car adapter helps avoid these problems.

That being said, we know that wall and cigarette lighter adapters are left behind, fail, or simply fall out of a bag.  That is why we recommend also carrying a USB data blocker.  The USB data blocker prevents a potentially malicious USB port from accessing the data on your device.  It should be noted that although the USB data blocker does a good job of protecting your device from criminals, it will not condition the power supplied by the USB outlet and thus your device can still be damaged.

We recommend carrying spare cables when you travel because you don’t want to use charging cables you find lying around or that you borrow from a stranger.  There are malicious cables out there (see https://www.vice.com/en_us/article/evj4qw/these-iphone-lightning-cables-will-hack-your-computer) that can be used to give an attacker access to all of the data on your device.  In addition, some cables are poorly made or contain lower-quality electronics and can fail easily.  We encourage our clients to always use cables purchased by them, and cables that have been purchased from a reputable source (not the bin next to the gas station cash register).

Finally, we recommend carrying a portable battery for those times when other power sources simply aren’t convenient or accessible. Examples include when you are getting off a plane or train and need to call your rideshare or let your loved one know you arrived safely. We find we use ours most when attending conferences, where the wall outlets are typically already taken by others. The portable batteries are small, light weight, and extremely handy in those desperate times.

Best wishes for safe travels! Our blog has more useful cybersecurity and privacy information, and if you want to learn more about cybersecurity, register for our webinars. Subscribe to our newsletter so you don’t miss a post!

* Please note: Although we have provided links to certain products, those links are provided for illustrative purposes only. We have not tested those products and, consistent with our role as a trusted advisor and agent for our clients, we are not endorsing any product or vendor. We do not receive any compensation if you purchase the products we reference.

DoD CMMC Certification Process

The Department of Defense (“DoD”) is pressing forward with its plans to create a cybersecurity maturity program that will apply to all government contractors in the Defense Industrial Base (“DIB”). As we have previously reported, draft Version 0.6 of the Cybersecurity Maturity Model Certification was released a few weeks ago. You can read our analysis of Version 0.6 here. Version 0.7, which is due in December, is slated to address maturity levels 4 and 5, and we will provide updates on that version shortly after it is released.

Although the DoD is creating the initial version of the CMMC, including the maturity scale itself as well as training and other materials, the DoD wants a nonprofit accreditation body to take over the maintenance of the CMMC. The nonprofit will also be responsible for creating a credentialing process for the C3PAOs (certified 3rd party assessment organizations) that will provide the actual CMMC certification to a government contractors, as well as training materials for those C3PAOs. In a November 26 response to industry inquiries, the DoD indicated that it will not have the initial training guides (for CMMC Levels 1-3) available to the C3PAO until at least early February, and that training for Levels 4 and 5 may not be available until March. This means that the 3PAOs will not be able to even begin the certification process until at least late February, and there will inherently be only a limited number of people who are certified in CMMC audits at each C3PAO.

The DoD also indicated that it has received inquiries from several other government agencies and outside groups who are interested in CMMC and the overall process. We expect to see adoption of the CMMC expand to other industries and in other contexts, such as by insurance companies when assessing overall cybersecurity maturity and associated risk and insurance rates.

Finally, the DoD stressed that although written security plans and Plans of Actions and Milestones (“POAMs” or “POA&Ms”) are acceptable under DFARS 252.204-7012, DIB contractors have not done a good job in executing their POAMs. Thus, the CMMC will not give credit for plans; instead, only the current state will count toward the contractor’s CMMC level.

We strongly encourage all organizations, and especially DIB contractors, to engage an independent consultant to conduct a maturity assessment as soon as possible. The C3PAOs will have a large backlog of organizations (over 300,000!) to go through in only a few short months to meet the DoD’s September 2020 deadline, and the C3PAOs are likely to prioritize certifying those organizations that have already taken steps to assess their maturity and to address any shortcomings.

Contact Fathom Cyber today to discuss how your organization will benefit from a maturity assessment.

Webinars

Training and Advisory Services

Fathom Cyber is excited to announce our upcoming webinars for December and January:

  • December 16, 2019 – Cybersecurity Terms for Nontechnical Managers
  • January 13, 2020 – An overview of the Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”)
  • January 27, 2020 – Introduction to Enterprise Risk Management
  • February 10, 2020 – Creating Defensible Cybersecurity Strategies

All webinars will begin at 1 PM US Eastern.  To register for one or more of the webinars, please visit our webinar registration page.

Holiday Shopping Security Tips

The UK’s National Cyber Security Centre has published a useful guide for people shopping online this holiday season. Here are a few highlights:

A padlock isn’t enough – That padlock in the address bar of your browser means that communications between the browser and the site you are visiting are encrypted. However, that padlock does not mean the company you’re buying from is legitimate. Criminals can create inexpensive shopping sites that look legitimate, even down to implementing encryption to trick you into thinking they are safe

Limit the information you give – Most websites don’t need your mother’s maiden name, the name of your primary school, or other such personal information so you can buy something from them. Instead, only fill in the mandatory information, such as your name and address. Don’t create an account on the site unless you are going to buy from them again frequently in the future.

Make Cybersecurity Make Sense

Follow good device hygiene – Keep your devices up to date, use strong passwords, enable multi-factor authentication, and follow other good hygiene practices. For more information on staying safe online, see our Top 7 Tips for Improving Individual Cybersecurity.

Free Cybersecurity and Data Privacy Training Videos

Smaller entities like nonprofits, state and local governments, and small and medium businesses are frequently reluctant to devote already scarce resources to cybersecurity and data privacy.  They often feel that they are too small to be attractive to cyber criminals or that they have nothing of value.  Unfortunately, this attitude makes them targets for cyber criminals, because the criminals know that the smaller organizations are easy to attack.

For organizations looking to improve their cybersecurity and data privacy programs, employee training can bring significant returns on investment.  Educating all employees about their role in keeping the organization secure is critical to ensuring the organization stays safe, and Fathom Cyber offers a variety of training options, including training for an organization’s employees, executives, and even Boards of Directors.  We also recommend augmenting these traditional courses with short awarness videos, and we have partnered with Wizer, an innovative training system provider to help our clients achieve this goal.  Wizer offers an ever-increasing number of free, 1 minute long security awareness videos along with premium options including phishing simulation, gamification, and training videos and more, all for a reasonable fee. Wizer’s short videos are a great way for organizations of all sizes to keep security and privacy top-of-mind for their employees.

Below is an example of one of their videos. Contact us for more information or to create your free account today!

Will Your Employees Take the Bait?

Phishing attacks are a threat faced by every organization, in part because they are easy and inexpensive to launch, and they are highly successful. If you are unfamiliar with phishing or wonder if your organization is taking the appropriate steps, The National Cyber Security Centre of the United Kingdom has put together an excellent, high-level article that we highly recommend. Although it touches on some technical jargon, it is written at a high enough level that most nontechnical people should be able to follow it. One of the key take-away points is that a phishing defense needs to have multiple layers, as illustrated in the infographic above. Organizations need to be not only training users to improve their ability to spot current threats and phishing attack styles, but also putting in place appropriate policies and procedures to detect when a user has fallen for a phishing attack, responding to the resulting attack, and recovering from it. The article is available in the link below.

https://www.ncsc.gov.uk/guidance/phishing#downloads

DoD CMMC Version 0.6 Released

The US Department of Defense released version 0.6 of its Cybersecurity Maturity Model Certification program on Thursday, November 7, 2019.

More Ratings Clarity

As we have previously discussed, the CMMC will use a maturity rating system to assess not only the technical controls that are in place (which the DoD refers to in the CMMC as “practices”), but also the policies and procedures that the contractor has implemented to help guide the use of that technology.

The maturity ratings will range from level 1 to level 5, and the contractor will be rated separately for the controls and the polices. This rating system is used for each of the seventeen (17) different “domains” defined within the CMMC.

The DoD recognizes that many of its contractors are likely to still be rushing to get themselves to at least an overall rating of level 3 for each domain (which the DoD appears to suggest as a “reasonable” baseline for security), and thus this version focuses on the requirements to meet levels 1-3. Requirements for levels 4 and 5 are left for a later version.

It should be noted that a contractor’s overall maturity rating in each domain will be equal to the lowest of the two maturity ratings. That is, an contractor that has superior technical controls in a particular domain (i.e., one deserving a 5 rating) but which has yet to implement any policies and procedures (i.e., one deserving a 1 rating) will only be given an overall maturity rating of 1 for that domain.

Ratings Requirements in Government Contracts

It remains unclear how the DoD will specify the maturity level required for a given contract. For example, we know that the contractor will be rated across each of the domains, but it is not yet clear whether a contractor will have a single, aggregate rating that will be used for assessment on a particular contract, or if the contracts are expected take a more granular view, specifying each of the ratings across all of the domains. From earlier comments by the DoD, it would appear that they are likely to use a single, aggregate rating and that it will be the lowest rating across all domains. Clarity on this issue would be beneficial because it will allow contractors to prioritize their remediation and enhancement efforts within their Plan of Action and Milestones (“POAM”).

CMMC Domains

As discussed above, the CMMC divides cybersecurity into seventeen (17) domains. These domains are:

  • Access Control (AC)
  • Asset Management (AM)
  • Audit and Accountability (AA)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IDA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PP)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (SAS)
  • Situational Awareness (SA)
  • Systems and Communications Protections (SCP) and
  • System and Information Integrity (SII)

Much like the NIST Cybersecurity Framework’s Functions (Identify, Protect, Detect, Respond, Recover) and their corresponding controls categories, at a high level, the CMMC domains can be useful for organizations’ management, including boards and the C-Suite, as a means for organizing discussions around issues to be addressed by, or being addressed in, their organization’s cybersecurity strategy. This can allow for a more granular discussion between the security/technology teams and the contractor’s senior management without the senior management having to become experts in any particular domain. For self-assessment purposes, these domains and the corresponding maturity within them can be very useful for contractors as they assess how to invest their hard-earned IT and security budgets.

A Missing Domain

However, as is common with many cybersecurity strategies, the DoD has overlooked a key domain: legal and regulatory concerns. While it appears from the comments in Appendix B that the DoD may intend the legal and regulatory aspects to be included across all of the domains, many organizations are not aware of their legal and regulatory exposure. Forcing contractors to explicitly address this as part of their maturity assessment will be beneficial. For example, many organizations’ incident response plans focus on data privacy reporting obligations and do not address their cybersecurity incident reporting requirements, such as those imposed by the Securities and Exchange Commission. The failure to address the full spectrum of legal and regulatory requirements as part of an incident response plan is a strong indicator of the overall maturity of the contractor’s approach to its cybersecurity strategy. Thus, legal and regulatory domain should be incorporated into the CMMC’s requirements.

Capabilities and Practices

Version 0.6 adds additional clarity within each of the domains as to what the DoD expects of its contractors. There are now a set of 40 defined capabilities, or achievements to ensure cybersecurity objectives are met within each domain. Each of these capabilities has associated with it at least one practice that is to be implemented to demonstrate compliance with that practice. Different practices are assigned to different maturity levels. Each practice also has associated with it one or more external references. These external references are provided to help practitioners understand how the practices are to be implemented, but strict compliance with the external references is not required to achieve CMMC certification.

Conflicting Messaging

While the CMMC represents a significant improvement over most organizations’ approach to cybersecurity, version 0.6 of the CMMC still misses the boat. The NIST Cybersecurity Framework and the Cybersecurity & Infrastructure Security Agency’s “Cyber Essentials” for small and medium businesses both encourage businesses to conduct a thorough business assessment before making any significant technology investments. However, CMMC v.0.6 encourages contractors to treat cybersecurity primarily as a technological problem. This is evidenced in part by the way the technical domains are prioritized over more business-oriented domains like risk management. For example, organizations can achieve a level 2 rating without ever even considering risk management, which is a mistake as it forces the DoD’s contractors to invest in technologies that may not be necessary and prioritizes doing something over doing the right thing. Even within the Audit and Accountability domain, a domain which by its title should be focused more on business-level issues, the proscribed practices are purely technology focused. The US Government, and especially the Executive Branch agencies entrusted with protecting our nation, should be providing consistent messaging and prioritization to everyone on this very important topic.

Conclusion

We believe the NIST/CISA approach to be the approach that will provide the best value to both the contractor and the DoD, and is also the approach that is more likely to result better cybersecurity as the contractor will have business-oriented reasons for maintaining and enhancing the programs rather than it being treated as a compliance-type expense from which the business derives limited value. In addition, under the CMMC’s current approach, contractors are likely to spend money on practices that will have only a marginal improvement on their actual security while ignoring other controls from which they would greatly benefit. The DoD needs to bring the level 1 requirements more in line with the NIST Cybersecurity Framework and CISA’s guidance.

We also want to stress that we support the DoD’s efforts with respect to the CMMC. Requiring contractors to change the way they view and address cybersecurity is a long overdue change. However, there are some fundamental issues that need to be addressed. We hope the DoD will reassess its approach and address these issues before version 1.0 is released.

Microsoft is Helping to Combat Ransomware

Image Courtesy Microsoft

Some users of Office 365 will soon have a new tool to fight ransomware.  As we noted in our recent article on corporate ransomware protection, one of the most common ways companies are infected with ransomware is through infected Microsoft Office files.  These files typically have macros, or computer programs, embedded in them that kick off the ransomware infection.  Microsoft recently announced that users of Office 365 ProPlus will soon be able to open all documents from untrusted sources (e.g., anything sent via E-mail or downloaded from the Internet) using “Microsoft Office Application Guard,” a separate virtual environment.  The virtual environment is isolated from the user’s operating system and standard programs, and is destroyed when the user logs out.  This means that any infection that may be caused by the untrusted document should not be able to infect the user’s computer, and will be destroyed within the virtual environment when the user logs out.  This should significantly limit the spread of ransomware, or at least force the criminals to find other approaches for infecting user computers.

We expect to see Microsoft make this available to lower-tier Office 365 users in the near future as well. If your organization uses Office 365, we encourage you to take advantage of this exciting security feature which should help significantly reduce your organization’s attack surface.

That being said, no security system is perfect.  For example, a file may be run in the virtual environment without any negative effects being detected, but it may include a “sleeper” version of the ransomware that waits days, or even months, before it will launch.  Others may seek to detect whether they are being launched in the virtual environment and, if detected, may postpone any malicious activity until they are outside the virtual environment.  Still others may attempt to escape the virtual environment by exploiting vulnerabilities.

In the end, as we discussed previously, disabling macros can significantly reduce your attack surface.  If you must enable macros, the Australian Cyber Security Center has created this handy chart that outlines some of the risks associated with the different levels of macros.

(Source: Australian Cyber Security Center)  

Corporate Ransomware Protection

Recent headlines have touted the fact that the number of ransomware attacks are down. However, before you breathe a sigh of relief, it is important to understand that the number of attacks has dropped because fewer criminals are indiscriminately sending malware-infected files and links to anyone and everyone (although this technique, referred to as “phishing,” does still happen quite a bit!). Instead, many have shifted to targeting corporations, healthcare providers, schools, governments, and other entities with deeper pockets. We will refer to this as “corporate ransomware,” although it is important to remember that the criminals are targeting non-corporate entities, too.

Anatomy of a Corporate Ransomware Attack

To understand what is happening in a ransomware attack, it is helpful to understand both what the victim sees and the approaches typically undertaken by the criminals. If you are already familiar with these topics, you can skip ahead.

The Victim’s View of the Attack

A ransomware attack involves the criminal locking the victim’s data with a key that only the criminal controls. The criminal then holds the data for ransom which is frequently demanded in “altcoin” or cryptocurrecies, such as Bitcoin or Etherium. The criminals typically threaten to delete the key within a certain amount of time (e.g., 3 days) unless the ransom is paid.

The process of locking the data can take several forms, and is generally called “encrypting” the data. To gain access to the data, the victim must either purchase the key from the criminal (i.e., pay the ransom) or find a tool to reverse the encryption (called decrypting the data). While decryption tools do exist, criminals change their tactics frequently and will adopt new forms of encryption to render the decryption tools useless.

The Criminal’s View of a Corporate Ransomware Attack

Corporate ransomware attacks involve more up-front work on the part of the criminals. The criminals typically choose one of two attack vectors: social engineering and spear phishing, or exploiting vulnerabilities in Internet-facing software and systems.

Social Engineering and Spear Phishing Attacks

Social engineering is the attack method preferred by many cyber criminals because it is highly effective. Social engineering involves gathering information about a victim using publicly available sources (referred to as “open source intelligence” or “OSINT”), including corporate websites, social media, print/online media, government records, and even by simply calling the corporation. The criminals use this OSINT to build a profile of their target corporation, including contact information for key individuals. Many criminals know that corporations have put in place additional features to protect their senior management, and thus the criminals may bypass those people as targets. Instead they target those in the corporation’s upper-middle-management who are less likely to think they are the target of an attack, making them easier victims. Targeting a few individuals, a practice called spear phishing, reduces the likelihood that the E-mail, text, WhatsApp, or other messages that the criminals will send to the victim will be identified as a potential problem. Spear phishing can be made even more effective through business E-mail compromise, a technique in which the criminal sends a message that impersonates someone else in the corporation, such as the CEO or the victim’s manager.

When the victim opens the message and clicks on the link or attachment in the message, they create a path through which the attacker can gain access to the victim’s corporate network account. This access allows the criminal to install additional software and change settings on the victim’s computer, and provides a footprint from which the criminal can malware laterally within the corporation. The criminal can also use the access to the victim’s account to send E-mails and other messages from the victim’s account(s) to the victim’s contacts. This practice, referred to as “Island Hopping”, can be very effective, as illustrated by the recent attack on the Los Angeles Court System and the attack on the US electrical grid.

Vulnerabilities in Internet-facing Software and Systems

As we discussed in our post about vulnerabilities, exploits, etc., computer hardware and software frequently contain flaws which create vulnerabilities in the hardware or software. In some cases the vulnerabilities are severe enough that criminals can exploit them to take control of the software or hardware. For example, a recently discovered flaw in the Remote Desktop Protocol that ships with Microsoft Windows can allow criminals to quickly take complete control over the target computer.

Identifying a target corporation’s computers and the vulnerabilities they contain can take some time, although there are automated tools like OpenVAS, Nessus, and OWASP Zap that can make this easier. The criminal uses the information gathered from these tools to identify specific exploits that can be leveraged to gain access to the system. Since this style of attack does not require a victim to take any action, these attacks can be significantly harder to detect, allowing the criminals to persist in the victim’s networks for a long time and thereby ensuring comprehensive damage when the ransomware is triggered.

The Return on Investment

The return on the criminals’ investment in corporate ransomware attacks is huge. Instead of typical individual ransomware attacks in which the victims are forced to pay a few hundred to a thousand dollars to decrypt their files, corporate ransomware victims must pay thousands of dollars, and in some cases significantly more (some have reportedly paid over $900,000 to decrypt their files).

Should you pay the Ransom?

Although it may be the only way for some victims to recover their files, paying the ransom is not typically recommended by the US Federal Bureau of Investigation (FBI) and other law enforcement agencies. This is for a variety of reasons, including the facts that it:

  • incentivizes the criminals to continue to target others;
  • encourages other criminals to turn to ransomware attacks; and,
  • may not result in the recovery of your data (yes, there are dishonest criminals).

Ransomware Protections

The best way to avoid a corporate ransomware attack is to be prepared. As discussed in detail below, Fathom Cyber’s recommended approach includes a combination of training, attack surface reduction, data backups, insurance, and planning.

Training

As described above, your company’s employees are likely to be the targets of social media/spear phishing attacks like those described above. The best way to help them avoid falling victim to the attacks is to train them on how to recognize an attack and then to periodically test them to make sure they are keeping security top-of-mind.  Services like KnowBe4.com and Cofence’s PhishMe can help with this process.  Fathom Cyber also runs custom, spear phishing tests for our clients.

Reduce your Attack Surface

Employee awareness is critical toward reducing your organization’s likelihood of being the victim of a ransomware attack, but lets face it, everyone makes mistakes.  That is why employee training should not be your only defense.  Instead, your organization should reduce its attack surface.

Enable Multi-factor Authentication

Multi-factor authentication involves the use of more than just a username and password to login to a system.  It requires at least two of: something you know (e.g., the password), something you have (e.g., your phone or a “fob”), and something about you (e.g., your face, fingerprint, etc.).  In particular, the use of a fob or token-based code (such as  Microsoft Authenticator, Google Authenticator, or Duo), as opposed to SMS/text based codes, can make it significantly harder for ransomware to spread throughout your organization.  In fact, according to a recent Microsoft study, the use of multi-factor authentication would have prevented over 99% of recent account take-over attempts.  Since account takeover is a significant part of the way ransomware spreads, multi-factor authentication can reduce this portion of the organization’s attack surface.

Take Systems Offline or Require VPN Access

As we saw with the recent discovery of the Bluekeep vulnerability in Windows’ Remote Desktop Protocol (“RDP”), vulnerabilities in the software or operating systems running on any device that is exposed to the Internet can cause significant security problems.  Wherever possible, move devices behind a firewall that has only the minimum number of ports open to the Internet, and instead make the devices accessible only via a Virtual Private Network (“VPN”) tunnel through the firewall.  The VPN should require multi-factor authentication for all users and, where practical, equipment certificates as well.  Moving devices behind a firewall will significantly reduce the organization’s attack surface.

In the age of virtualization and containers, we also often see systems or containers stood up for a particular purpose (e.g., to test a new version of software).  However, what frequently happens is that those systems stay running even after they are no longer in use.  If a system or container does not need to be running, it should be taken offline.  This lessens the administrative burden and reduces the attack surface by reducing the number of devices that can be attacked.

Disable Macros

Macros can be powerful tools for automating repetitive tasks.  Unfortunately, macros are also used extensively by criminals when attacking a victim.  Disabling macros in Microsoft Office programs like Word, PowerPoint, and Excel, as well as non-Microsoft programs that have macro capabilities such as Adobe Acrobat will significantly reduce the organization’s attack surface.

Disable Unnecessary Browser Extensions

Browser extensions are a frequently overlooked source of vulnerabilities.  Depending on their source, the extensions may not be maintained to quickly remove newly-discovered vulnerabilities, and since the browser is the user’s primary interface with a malware-laden Internet, it is wise to disable all unnecessary browser extensions.  This should be done for all browsers permitted in the environment including Chrome, Edge, Internet Explorer, Firefox, and Safari.

Patch Systems

One way in which ransomware spreads is by exploiting known vulnerabilities in various software or hardware.  Keeping systems patched with the latest versions of software will significantly reduce the attack surface by taking away potentially exploitable vulnerabilities.  We typically recommend enabling automatic updates in an environment, especially for end-user devices.  As discussed above, users are targeted by phishing and spear phishing attacks, making their devices a common source of entry to the organization.  At the same time, many end-user devices run with few if any custom applications.  This makes any changes in an automated update much less likely to cause problems on the end-user device.

Automatically deploying software updates on servers and other equipment may require more analysis.  Servers frequently run custom software, and changes to the operating system or other software may have unexpected consequences that will have a more significant impact on the organization. Similarly, networking equipment plays a vital role in keeping the organization’s communications functioning properly, and any issues created by a software update may result in a significant impact on the organization. Therefore, we recommend more thorough testing before deploying updates to servers and communications equipment.

Back up Data

The steps outlined above are straightforward, and can often be implemented with little or no cost to the organization, but can result in a significant reduction to the organization’s attack surface.  However, the organization needs to prepare to recover from eventual successful ransomware attack. One of the best ways to recover from a ransomware attack is to restore the data from backups.

Online Backups

Some organizations use online, or cloud-based, data storage, such as Box, DropBox, OneDrive, Google Drive, etc., for their data storage.  This is very convenient, as it allows access to the data from anywhere.  However, online data storage should not be confused with backed up data.  Many ransomware authors actively search for and encrypt data stored in these online data stores.  Unless the online data is backed up (some online data storage providers offer this as an additional, fee-based option), the ransomware is likely to render the online unavailable just as it does the locally-stored files. 

One exception to this is online providers who store multiple versions of a file.  In that case, the customer may be able to recover an earlier, unencrypted version of the file.  You should consult with your online data storage provider to see if this option is available and, if not, consider backing up to offline media or paying the online data storage provider to back up the data.

Offline Backups

The best way to keep your data from being encrypted is to keep it out of reach by the ransomware.  This typically involves storing the data in an offline backup, such as tape or removable drive.  However, it should be stressed that this media must be taken offline except when it is being written to/read from for backup/recovery purposes. Otherwise, it will be encrypted by the ransomware!

Testing

Whether you decide to rely on offline backups, online backups, or an online data storage provider’s version control as your way of recovering from a ransomware attack, it is crucial that the backups are regularly tested to ensure they provide the information needed to get the organization up and running quickly.  It is also important to test for other aspects of a recovery scenario, including the installation of operating systems and software on new computers should that become necessary.  Testing can provide invaluable benchmarking data that can be used to show how investing in other cybersecurity tools (e.g., a properly configured Security Incident and Event Monitor, or SIEM), can be more cost-effective than relying on recovering from backups, especially when productivity and other losses are taken into account.

Cyber Insurance

Another important consideration in an overall ransomware incident response plan is whether the organization should purchase cyber insurance.  Cyber insurance is intended to give victims of a computer attack a way of covering their losses.  The problem is, many cyber insurers aren’t yet sure how to characterize the risks, and most policies are focused on one particular type of business (typically B-to-C like an E-commerce site (like Amazon) or a forum(like Yelp or Reddit)).  If your company is in the B-to-B space, you need to be much more selective about the policy you choose, because it may not cover the losses that are most likely for your business.  Just look at the First National Bank of Blacksburg, where the bank bought cyber insurance but it had a carve-out for exactly the kind of loss it had previously experienced.  The magnitude of the pay-outs are so unexpectedly large that some insurance companies are also finding creative excuses for why they shouldn’t pay a claim.

When the policy covers the risks/events, cyber insurance can be invaluable.  Some policy types give immediate access to expensive specialists who can help ensure the organization is in compliance with its legal, regulatory, and most importantly ethical/moral obligations, including providing assistance communicating with the press and customers.

It should be noted that many carriers, including some major insurers, are exiting the cyber insurance market because they do not yet have a good way of characterizing the maturity of the customers’ cybersecurity and data privacy programs or the potential damages.  The Department of Defense’s forthcoming Cybersecurity Maturity Model Certification may help with that.

Conclusion

A ransomware attack can have serious consequences for an organization. However, though careful planning and testing, the organization can survive, or at least recover from, a ransomware attack without having to pay the ransom. A Defensible Cybersecurity program includes ransomware planning and much more. Contact Fathom Cyber to learn more about how we can help your organization build a Defensible Cybersecurity program.