Why a Data Protection Strategy is Imperative

11 Steps to Protect Your Data from Being Held for Ransom

The year 2021 may be remembered as the year ransomware surged as a cybersecurity attack vector. The disruption ransomware causes emphasizes the need for businesses to employ a data protection strategy, not only to avoid falling victim to a ransomware attack but also to recover if a criminal does penetrate their defenses.

What can you do to protect your data from being held for ransom? Begin by expecting the worst - you will get compromised. Develop a data protection plan. Test it, refine it, and test it again. Here are some things to consider in your data protection strategy:

  • Least Privilege. Assign accounts the minimum permissions needed for the user or service to accomplish their job duties. In the event an account gets compromised, limiting the permissions assigned to the account controls the "blast radius" of the damage an attacker can inflict.

  • Account Separation. Give users who perform administrative functions a separate, privileged account, and use it only for administration. Limit what that account can reach - for example, don't allow web browsing or email from the privileged account, so a phishing payload never runs with administrative rights.

  • Protect Accounts using Multi Factor Authentication (MFA). MFA helps ensure only the intended user can access an account. There are several MFA methods, including hardware tokens (e.g. smartcard, YubiKey, key fob), virtual tokens (e.g. Microsoft Authenticator, Google Authenticator, Authy), and SMS. SMS is the weakest of these - codes can be intercepted through SIM swapping or phished in real time - so prefer hardware or app-based tokens, and phishing-resistant authenticators (FIDO2/WebAuthn) for privileged accounts. If you want to read more about MFA, check out NIST SP 800-63-3, Digital Identity Guidelines; authenticators are covered in SP 800-63B.

  • Audit Account Usage. Implement a centralized logging solution and analyze events to find security concerns. Are your privileged accounts being used outside of business hours? Are new members being added to privileged groups? These actions could indicate an account has been compromised.

  • Audit Data Movement. Are files being accessed abnormally? Is data being transferred from internal systems to external sites? These activities are indicative of data exfiltration. Consider data loss prevention tools and limiting egress traffic on systems that should not need outbound internet access.

  • Encryption and Digital Signatures. Not all data is created equal. Sensitive data such as PII, PHI, and/or company proprietary intellectual property and financial data should be handled with extra care. Encrypting these files at rest and in transit keeps the data unusable to an attacker who intercepts or copies it, provided the keys are held separately from the data. Note the limits: encryption does not help against an attacker who has taken over an account that is entitled to decrypt, and it does not stop ransomware from re-encrypting the files. Digitally signing email is a tried-and-true method for verifying the sender's identity - particularly important if you receive a request to transfer funds to a new bank account.

  • Patching. The recent Log4j vulnerability (Log4Shell, CVE-2021-44228) is a reminder that keeping systems up-to-date with current software versions and continuously monitoring your IT assets for vulnerabilities is critical to preventing cyberattacks. According to Google's Open Source Insights team, more than 35,000 Java packages in Maven Central are affected by the Log4j flaw. Attackers are exploiting unpatched systems to mine cryptocurrency, build botnets, and otherwise perform malicious actions.

  • Limit Exposure. Treat your production servers differently than those used for development and testing. Development and testing services typically have weaker defenses, to give developers more agility and let them release new features or bug fixes quicker. Separate test and development systems from production resources; replicate data for development and testing or, better, use sanitized or dummy data. If test and development services must be exposed to the internet, use ingress filtering to limit who can reach them.

  • Backup everything! Inventory your IT assets and implement a backup solution that covers data and services. Many vendors now offer SaaS solutions that back up data into "air gapped" vaults designed to defend against ransomware. Because the vault copies are immutable, the attacker cannot encrypt or delete them, allowing for quick recovery. Whatever solution you use, keep at least one copy offline or otherwise unreachable with production credentials - attackers routinely delete backups before deploying ransomware - and test restores regularly so you know how long recovery actually takes.

  • Training. Phishing and smishing remain popular methods used by attackers to compromise accounts. While email filtering/blocking solutions are a good defense, training users to recognize suspicious email and SMS messages is still effective and needed to prevent accounts from being taken over.

  • Guardrails. Misconfigured cloud resources such as AWS S3 buckets continue to inadvertently expose data. Guardrails are preventive or corrective controls: they either block an insecure configuration from being made or revert it to a secure state. For example, an AWS Organizations Service Control Policy (SCP) applied to member accounts can deny API actions that nobody in those accounts should need, so they cannot be used inadvertently to expose resources - for instance, denying ec2:CreateInternetGateway and ec2:AttachInternetGateway so that no one can attach an Internet Gateway (IGW) to a VPC and open an ingress/egress path that bypasses the transit VPC providing web application firewall (WAF) and packet capture services. Other tools continuously scan the cloud environment, find services that are out of compliance, and auto-remediate them to a secure state.
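
To make the "Audit Account Usage" questions concrete, here is a small detection routine, added as an example and not part of the original article, that runs over constructed JSON-lines events loosely modelled on Windows Security event IDs 4624 (logon) and 4728/4732/4756 (member added to a security-enabled group). The `adm-` naming prefix for privileged accounts, the privileged group names and the 07:00-19:00 business window are assumptions; adjust them to your environment.

```python
"""Flag two ransomware precursors in security log events: privileged accounts
used outside business hours, and new members added to privileged groups.
Added example; the sample events below are constructed, not real logs."""
import json
from datetime import datetime, time

# Constructed sample events (JSON lines). Field names are simplified; real
# Windows events carry TargetUserName, SubjectUserName, etc.
SAMPLE_LOGS = """\
{"ts": "2021-12-13T09:12:04", "event_id": 4624, "user": "jdoe", "host": "WS-0142"}
{"ts": "2021-12-13T10:40:11", "event_id": 4624, "user": "adm-jdoe", "host": "DC01"}
{"ts": "2021-12-14T02:17:45", "event_id": 4624, "user": "adm-svc-backup", "host": "FS01"}
{"ts": "2021-12-14T02:19:03", "event_id": 4728, "user": "adm-svc-backup", "group": "Domain Admins", "member": "tmp-helper"}
{"ts": "2021-12-14T02:21:30", "event_id": 4624, "user": "adm-svc-backup", "host": "DC01"}
{"ts": "2021-12-14T14:05:00", "event_id": 4732, "user": "adm-jdoe", "group": "Remote Desktop Users", "member": "jdoe"}
"""

PRIVILEGED_PREFIX = "adm-"            # assumed naming convention for admin accounts
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # global, local and universal group additions
LOGON_EVENT = 4624
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local business window


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_privileged(user):
    return user.startswith(PRIVILEGED_PREFIX)


def outside_business_hours(ts):
    """Weekends and anything outside the daily window count as off-hours."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def find_alerts(events):
    """Return alert tuples for off-hours privileged logons and privileged group additions."""
    alerts = []
    for ev in events:
        if ev["event_id"] == LOGON_EVENT and is_privileged(ev["user"]) \
                and outside_business_hours(ev["ts"]):
            alerts.append(("OFF_HOURS_PRIV_LOGON", ev["user"], ev["ts"].isoformat()))
        if ev["event_id"] in GROUP_ADD_EVENTS and ev["group"] in PRIVILEGED_GROUPS:
            # Who added whom to which group: the actor is often the compromised account.
            alerts.append(("PRIV_GROUP_ADD", ev["member"], ev["group"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_events(SAMPLE_LOGS)):
        print(alert)
```

On the constructed sample this yields three alerts: two off-hours logons by adm-svc-backup and that same account adding tmp-helper to Domain Admins, while the daytime addition to Remote Desktop Users is ignored. In a real deployment the same logic belongs in your SIEM's rule language, keyed on the actual event fields.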

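For the SCP guardrail described above, the following is an added example (not the article's or AWS's own code) that defines a policy document denying Internet Gateway changes in member accounts and includes a simplified local check of which calls it would block. The exception role name `NetworkAdmin` and the evaluator itself are assumptions; only AWS evaluates the real policy.

```python
"""Service control policy that blocks Internet Gateway creation/attachment,
with a carve-out for a network-admin role, plus a simplified local check.
Added example; the evaluator is not a full IAM policy engine."""
import fnmatch
import json

# Assumed: the one role permitted to manage gateways. aws:PrincipalArn for an
# assumed-role session is the role ARN, so this pattern covers sessions too.
NETWORK_ADMIN_ROLE_PATTERN = "arn:aws:iam::*:role/NetworkAdmin"

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInternetGatewayChanges",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:CreateEgressOnlyInternetGateway",
            ],
            "Resource": "*",
            # Deny applies to every principal except the network team's role.
            "Condition": {
                "ArnNotLike": {"aws:PrincipalArn": NETWORK_ADMIN_ROLE_PATTERN}
            },
        }
    ],
}


def _matches(pattern, value):
    """IAM-style wildcard match: '*' any run of characters, '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def scp_denies(policy, action, principal_arn):
    """Simplified check: True when a Deny statement lists the action and its
    ArnNotLike/aws:PrincipalArn condition (if any) does not exempt the caller.
    Ignores Allow statements and other condition operators."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_matches(a, action) for a in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt is not None and _matches(exempt, principal_arn):
            continue  # caller is carved out by the condition
        return True
    return False


def render_scp(policy=SCP):
    """JSON text ready to paste into AWS Organizations as a policy document."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render_scp())
    for arn in ("arn:aws:iam::123456789012:user/developer",
                "arn:aws:iam::123456789012:role/NetworkAdmin"):
        print(arn, "->", "DENIED" if scp_denies(SCP, "ec2:AttachInternetGateway", arn) else "allowed")
```

Two points a practitioner should keep in mind: an SCP never grants permissions, it only caps what IAM policies in the account can allow, and it does not apply to the organization's management account, so production workloads belong in member accounts where the guardrail actually holds.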
By Eric Skiff, Chief Technology Officer



INNOVATION FACILITY NOW OPEN

PSI's state-of-the-art Innovation Facility is now open in Valparaiso, FL. It is designed to provide a cyber secure ecosystem for development of new technologies and approaches, illustrating the company’s commitment to deliver excellence to its customers. Watch a video about the Innovation Facility.