Playing the Odds
The odds that an unidentified (or unpatched) vulnerability in your network defenses will be exploited by ransomware are no longer negligible. This is dues to the porous nature of modern networks and applications, coupled with the realization by hackers that poorly secured midmarket enterprises and SMBs are far easier to hack into than the large enterprises with their dedicated security operations and endless resources.
As a business owner or MSP in charge of security – what can you do to prepare?
1. Consider undergoing an ISO27001 or similar audit. Even if you don’t need it – the audit process will make you consider the entirety of your data protection operations. From access controls, to IPS/IDS, to verifying data stores, to managing endpoint security.
2. Consider your DR policies. Sure – storing just one PITR (point-in-time-restore) is cheaper than months of LTR (long-term-retention) – but consider that modern ransomware takes its time to find data and encrypt it and by the time you realize what happened your PITR may have been contaminated. Keeping a few months of LTR may help you recover data that the ransomware corrupted a long time ago.
3. Consider a layered defense: No defense mechanism covers 100% of exploits. In fact, some recent exploits were only ever addressed by 1-2 AV/EDR vendors. It is unfortunate that the law of diminishing returns works hard here – security products overlapping by 99% of their coverage, and worse, affecting performance. Yet, that is what enterprises have been doing for 15-20 years.
4. Manage and protect your data: Hackers are not after exploits or vulnerabilities. They are after your data. Specifically, they are after data they hope will cause you to pay their ransom requests. Since we all know selling IP is hard, they will look for easy to use data like medical records, PII and financial records. Understanding what type of data you store could be used for ransom, or will put your company in difficulty – is an important first step in scoping of the risk.
5. The last line of defense: Reducing the amount of data available to steal should be a high priority. Finding the data, protecting it by encrypting it or locking it up in a safely guarded server or in the cloud – or even deleting it if possible should be a high priority.
While the risks are high, preparing for an inevitable even requires a clearly laid out plan that identifies the data targets, reduces their footprint, and addresses as much of the threats as possible.