You would not be unjustified to feel as though the cyber ecosystem is becoming increasingly hard to manage with the continued spread and sophistication of ransomware. And you would not be faulted for wondering “what gives?” as you try new solutions to fend off attacks. It is therefore worth remembering that some of the best tactics are not flashy, purported “silver bullets” but rather basic work and maintenance that often gets overlooked or neglected.
Strong cyber defense postures require good cyber hygiene if an organization wishes to remain resilient against attacks.
The Ransomware Threat Surge
Today’s attacks are not coming and going. Rather, they are “surging” and that overload is causing havoc. Here is what one recent blogger said regarding the attack surge:
Ransomware attack strategists continue to target zero-day vulnerabilities, execute supply chain attacks, fine-tune vulnerability chaining, and search for vulnerabilities in end-of-life products to improve the odds their ransomware attacks will succeed. Ivanti’s Ransomware Spotlight Year-End Report illustrates why ransomware became the fastest-growing cyberattack strategy in 2021 and into 2022. There’s been a 29% growth in ransomware vulnerabilities in just a year, growing from 223 to 288 common vulnerabilities and exposures (CVEs).
Last year, SonicWall recorded a 148% surge in global ransomware attacks (up to 495 million), making 2021 the worst year the company has ever recorded. The company also predicted 714 million attempted ransomware attacks by the close of 2021, a 134% increase over last year’s totals. Organizations pay an average of $220,298 and suffer 23 days of downtime following a ransomware attack, further damaging their businesses, brands, and customer relationships.
We would argue that good cyber hygiene should be the first line of defense in light of the surge in ransomware attacks and other serious cyber-attacks.
What is good cyber hygiene? It’s a combination of things that hopefully will leave the company in the best position possible both to fend off an attack and, if attacked, to come back up to normal operations with as little downtime as possible. Hours instead of days. Days instead of weeks. And finally, maintaining the ability to work through the disruption, even if in a degraded state. Here is a non-exhaustive list of factors that we consider to be good cyber hygiene:
- Multi-factor authentication
The main benefit of MFA is to limit the possibility of unauthorized access. Usernames and passwords are not going anywhere, but poor password hygiene means accounts are vulnerable to brute force attacks, credential stuffing attacks, and theft. Billions of credentials sit on the dark web available for purchase, in some cases for paltry amounts. Enforcing “always-on” MFA through additional physical controls or temporary secondary codes makes life for a cybercriminal more difficult, and sometimes slowing them down is enough for them to look elsewhere for their nefarious acts. Indeed, “A hacker or unauthorized user may be able to steal a password or buy it on the dark web, but for them to gain access to a second authentication factor is slim and requires much more effort. Consequently, MFA stops most bad actors before they can enter your systems and gain access to your data.”
MFA is not perfect. But it helps. A lot.
- Identity and access management
Identity and access management (“IAM”) ensures that only the right people and job roles in your organization can access the tools they need to do their jobs. Through single sign-on applications, your organization can manage employee apps without having them log into each app as an administrator. Identity and access management systems enable your organization to manage a range of identities including people (e.g. employees), software, and hardware like robotics and IoT devices. The two questions for organizations to ask under IAM principles are 1) is the user who he or she claims to be when accessing the network, whether in the office or remotely, and 2) does the user have only the least amount of access he or she needs to do the appointed job. Least privileged access is more likely to be checked manually because people change, and jobs change. Getting both questions “right” is critically important to good cyber hygiene. There is a third factor that needs consideration also: privacy. It is tempting to want some sort of biometric measure, as an example, but the moment you do that, you hold personally identifiable information (PII), and that comes with its own set of challenges.
- Strong password management
In 2020, Verizon reported via its annual Data Breach Investigations Report (DBIR) that 81% of hacking-related data breaches involved either stolen or weak passwords. Businesses should accept that a strong password policy is one of the best lines of defense against unauthorized access to their critical infrastructure. And for goodness’ sake, a good password is not “password” or “0123456.” If you use one of these passwords, you will not “pass go” and you will not “collect 200 dollars.”
There are practical remedies to get beyond the bad habit of using passwords that are easy to crack. Do not use default passwords on your devices, and when you do create passwords, make them complicated. Consider making them long or using phrases with letters, numbers, and characters. Also, do not use the same password for multiple accounts. Make it difficult for hackers to get in with one try. Make their challenges more difficult by using multifactor or biometric authentication such as a fingerprint, facial recognition, or texts to verify it is you when you sign in. And if you want to make things less stressful on your memory (we all forget our passwords), consider using a security token and/or password manager.
- Timely updating and patching your network
Remember when Patch Tuesday meant a computer screen full of vulnerabilities that needed to be patched? Well, for many of today’s companies, Patch Tuesday has now rolled into “patch Wednesday” as organizations need to determine which vulnerabilities apply to their ecosystem and which to begin patching first. There is nothing glamorous about patch and vulnerability management, but it needs to be done. So, CISOs, get those resources to support the function, as you don’t want to be at the helm of a company that gets hacked because a known patch was not applied.
- Regular employee training consisting of phishing and social media training.
“Phishing, malware, and denial-of-service attacks remained the most common causes for data breaches in 2021. Data from Dark Reading’s latest Strategic Security Survey shows that more companies experienced a data breach over the past year due to phishing than any other cause. The percentage of organizations reporting a phishing-related breach is slightly higher in the 2021 survey (53%) than in the 2020 survey (51%). The survey found that malware was the second biggest cause of data breaches over the past year, as 41% of the respondents said they experienced a data breach where malware was the primary vector.”
Given that phishing is one of the leading causes of data breaches, phishing testing should come standard in employee training nowadays. Training modules can be pre-programmed at the network level and done regularly (quarterly is great, if you have the resources). Does testing work? According to one report, it is not perfect, but it is effective in lessening the chances that an employee will click on the link or attachment contained in a phishing email.
Your second line of employee training should be social media training from the perspective of protecting the organization. This sort of training is dedicated to keeping your employees safe while perusing the internet and to making them more “aware” that not every post they make to their Facebook account regarding their job or workplace is wise or safe. Indeed, one article describes the problem really well: “All photos and videos shared from workplaces can contain sensitive information that employees don’t even realize they are sharing. Posting pictures and videos is a personal brand to many. They post dozens of times a day without ever realizing the security fallout or the threat of personal and business identity theft. And they don’t realize it’s a problem because it isn’t a focus of cybersecurity awareness training. It’s an issue across every industry, across every type of workplace.”
Given the creativity of attackers, social media training is a critical addition to your cyber employee training regimen. Without such training, employees can run the risk of clicking on the “wrong” website or popup or disclosing private company data or intentions. Train them not to do either one.
No one is invulnerable to a crafty phish, but steps can be taken to lessen the chances and costs of a breach. For one thing, do not click on any attachment you do not know, and even if you think you know it, double-check and verify the sender. Beware of visually appealing pop-ups on your computer too. Cybercriminals are sophisticated and creative. An easy rule to follow is to automatically discard any communications asking you for personal information. Chances are you are not the recipient of long-lost funds found in an obscure bank account, nor did you randomly win a contest. If something seems too good to be true, it likely is.
- Maximizing the utility of logs
“If you can’t see it, then you can’t find it.”
Logs are powerful assets that can be used to detect anomalous behavior. Yes, they are a heavy lift to review, but an organization can leverage automation and integrate security analytics. Just remember, you also need to strike a balance with your privacy program.
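One way to automate part of that log review, as an added example that is not part of the original article: it scans authentication log lines and flags the two password attacks named under multi-factor authentication, brute force against one account and credential stuffing from one source across many accounts, plus any successful login that follows either. The log format, thresholds, function name, and sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed line format (not from the article): "<time> <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

# Constructed sample covering one review window; IPs are documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"2022-03-01T09:00:{i:02d} FAIL user=alice src=203.0.113.7" for i in range(6)]
    + ["2022-03-01T09:00:07 OK user=alice src=203.0.113.7"]
    + [f"2022-03-01T09:01:{i:02d} FAIL user={u} src=198.51.100.9"
       for i, u in enumerate(["bob", "carol", "dave", "erin"])]
    + ["2022-03-01T09:02:00 FAIL user=frank src=192.0.2.10",
       "2022-03-01T09:02:05 OK user=frank src=192.0.2.10",
       "corrupted line without fields"]
)


def detect(log_text, fail_threshold=5, user_threshold=4):
    """Flag brute force, credential stuffing, and logins that follow either."""
    fails_by_pair = defaultdict(int)      # (user, src) -> failed attempts
    users_by_src = defaultdict(set)       # src -> distinct users it failed against
    findings = {"brute_force": set(), "credential_stuffing": set(),
                "success_after_attack": [], "skipped": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            findings["skipped"] += 1      # count unparsable lines; a silent gap hides attacks
            continue
        _, result, user, src = m.groups()
        if result == "FAIL":
            fails_by_pair[(user, src)] += 1
            users_by_src[src].add(user)
            if fails_by_pair[(user, src)] >= fail_threshold:
                findings["brute_force"].add((user, src))
            if len(users_by_src[src]) >= user_threshold:
                findings["credential_stuffing"].add(src)
        elif (user, src) in findings["brute_force"] or src in findings["credential_stuffing"]:
            # A success from a source already flagged is the highest-priority alert.
            findings["success_after_attack"].append((user, src))
    findings["brute_force"] = sorted(findings["brute_force"])
    findings["credential_stuffing"] = sorted(findings["credential_stuffing"])
    return findings


if __name__ == "__main__":
    for kind, value in detect(SAMPLE_LOG).items():
        print(kind, value)
```

A single mistyped password followed by a success (frank in the sample) stays below both thresholds and is not flagged, which keeps the alert volume reviewable.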
- A robust backup program is critical to recovery.
The use of ransomware forces a change to backup strategies. If backups are left on the network, as they often are, they are just as much at risk from the malware as any other piece of data on your network. Similarly, if your backups are too close to your production environment, even a natural disaster can leave you with useless or inaccessible backups. Therefore, it is essential to define not only how quickly you must recover, but also where you are backing up (accessibility), what you are backing up, how far you are backing up (atrophy), and what you are doing about testing your backups.
There is no “perfect” cyber hygiene method. Rather, find what is right for your organization. Also, do not underestimate the importance of an assessment, especially if you are unclear on where you stand on the breach readiness maturity scale. Good cyber hygiene may allow you to catch an actor in the act, or improve your employees’ ability to spot something on their own that can be reported. And if all other measures fail, a strong backup strategy gives you a little peace of mind, even if recovery does come with frustration. Perfect is the enemy of good enough, so do not let an eternal search for the “perfect” solution slow you down as you improve your cyber hygiene stance. It’s good business.
 See Cybersecurity’s challenge for 2022 is defeating weaponized ransomware, available at https://apple.news/AQvRasL2iSWGlAu6Jd6eJfg. Attackers have doubled down on companies and hammered them, not just with ransomware attacks but with data theft/extortion demands as well (i.e., “give us millions or we will publish the information we stole from you on our ‘name and shame’ blog”). Coupled with no or low barriers to entry, and a reasonable chance for attackers to quickly monetize their tradecraft, attackers are creating a big and expensive problem that we have to deal with.
 See “8 Benefits of Multi-Factor Authentication,” available at 8 Benefits of Multi-Factor Authentication (MFA) (pingidentity.com)
 See Missing Patches, Misconfiguration Top Technical Breach Causes, available at https://www.darkreading.com/vulnerabilities-threats/missing-patches-misconfiguration-top-technical-breach-causes (“Nearly 60% of data breaches in the past two years can be traced back to a missing operating system patch or application patch, researchers report. Poor patch management can be linked to the high costs of downtime and disruption, both of which are magnified in larger organizations and are poised to escalate as businesses rush to support fully remote staff as COVID-19 spreads”).
 See Phishing Remains the Most Common Cause of Data Breaches, Survey Says, available at https://www.darkreading.com/edge-threat-monitor/phishing-remains-the-most-common-cause-of-data-breaches-survey-says
 See Anti-Phishing Training: Is It Working? Is It Worth It? Available at https://insights.sei.cmu.edu/blog/anti-phishing-training-is-it-working-is-it-worth-it/
 See Cybersecurity Training: Why You Should Train Employees on Social Media Discretion, available at https://securityintelligence.com/articles/cybersecurity-training-employees-social-media-discretion/
 See Inadequate Logging and Monitoring a Big Concern for Enterprise Cybersecurity, available at Inadequate Logging and Monitoring a Big Concern for Enterprise Cybersecurity (lepide.com) (“A critical part of cybersecurity is generating audit logs for changes being made to your sensitive data and critical systems and monitoring those logs for signs of potential cybersecurity threats. Logging and monitoring should cover the entirety of your IT infrastructure, as wherever your users are able to make changes, there is the potential for breaches in security”).
 See What is Cybersecurity Analytics, available at What is Cybersecurity Analytics? | Splunk (“Security analytics is a proactive approach to cybersecurity that uses data collection, aggregation and analysis capabilities to perform vital security functions that detect, analyze and mitigate cyber threats”).