For this reason, he said, “I don’t think we’re at the point where we can ban ransomware payments across the board yet.”
Practicing Cyber Hygiene
Yang said the companies he talks to aren’t worried about the vulnerabilities they find or the ones that are publicized. Their biggest concerns are the threats “they can't see, the ones that aren't flagging up with traditional [security monitoring] tools.”
Adding to the pressure has been the rapid uptake of remote work during the past 18 months of the COVID-19 pandemic, which has left organizations more exposed to credential theft, phishing attacks, and VPN hijacking.
Deploying multifactor authentication (MFA) and endpoint protection software is important. “Passwords alone are obsolete at this point, easily compromised by a phishing email or brute force attacks,” said Goodwin.
To detect a ransomware attack, set up an alert to look at the overall CPU and memory utilization, advised Yang. “Utilization should be pretty consistent for systems that have been stable for a while,” he said. “When an incident occurs, it typically goes up because a data set is being encrypted. Also, your data almost doubles in a very short amount of time, because [the intruder is] encrypting a second set of data.”
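As an added illustration of the baseline-deviation alert Yang describes (not code from the article or from any of the companies quoted), the following script learns normal CPU, memory and disk-usage levels from a stable window of host telemetry and flags samples that deviate; it raises confidence when stored data has also grown sharply, the pattern of a second, encrypted copy being written. All telemetry values are constructed, and the thresholds (`z`, `growth`) are assumptions to tune per environment.

```python
"""Baseline-deviation alerting for ransomware-style activity.

Learns what "normal" CPU, memory and stored-data volume look like on a
host that has been stable for a while, then flags samples where
utilization jumps far above baseline; an alert is upgraded when on-disk
data has also grown sharply, consistent with a second, encrypted copy
of the data being written. All telemetry below is constructed.
"""
from statistics import mean, pstdev

# Constructed hourly samples: (cpu_pct, mem_pct, disk_used_gb).
BASELINE = [(12, 41, 500), (14, 42, 501), (11, 40, 502), (13, 41, 502),
            (12, 42, 503), (15, 41, 503), (13, 40, 504), (12, 41, 504)]
RECENT = [(13, 42, 505), (14, 41, 505), (78, 69, 610), (91, 74, 905)]

SD_FLOOR = 1.0  # very stable hosts have tiny stdev; avoid alerting on noise


def learn_baseline(samples):
    """Return (mean, stdev) per metric from a stable observation window."""
    return [(mean(col), max(pstdev(col), SD_FLOOR)) for col in zip(*samples)]


def score_sample(baseline, sample):
    """Z-scores for CPU and memory plus fractional disk growth vs. baseline."""
    (cpu_mu, cpu_sd), (mem_mu, mem_sd), (disk_mu, _) = baseline
    cpu, mem, disk = sample
    return {
        "cpu_z": (cpu - cpu_mu) / cpu_sd,
        "mem_z": (mem - mem_mu) / mem_sd,
        "disk_growth": disk / disk_mu - 1.0,
    }


def detect(baseline, recent, z=3.0, growth=0.5):
    """Return alerts for samples whose utilization deviates from baseline.

    Confidence is "high" when disk usage has also grown by more than
    `growth` (0.5 = +50%), i.e. data is being re-written in bulk, and
    "medium" for a utilization spike alone (an assumed tuning choice).
    """
    alerts = []
    for i, sample in enumerate(recent):
        s = score_sample(baseline, sample)
        if s["cpu_z"] > z or s["mem_z"] > z:
            s["index"] = i
            s["confidence"] = "high" if s["disk_growth"] > growth else "medium"
            alerts.append(s)
    return alerts


if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE), RECENT):
        print(alert)
```

On the constructed data the third recent sample is a medium-confidence utilization spike and the fourth, where disk usage has grown about 80%, is a high-confidence alert; backups and large batch jobs produce similar signatures, so the alert should be correlated with change windows rather than acted on alone.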
Make sure admins, users and applications don’t have access to data resources beyond what they require to perform their jobs. Also, stay current with software patching to minimize exposure to any software vulnerabilities.
Preventing an attack in the first place is ideal, but not always possible, noted Hake. “So beefing up incident response/disaster recovery practices is essential,” he said. “Most businesses haven’t given enough thought to what happens immediately following an incident and how they can quickly pick up the pieces to make sure the event isn’t catastrophic.”
By combining analytics and machine learning, businesses can analyze past and current data to identify “normal” patterns of usage, then train their systems to alert when there’s a deviation and hopefully thwart an attack.
Replicate the security layers from data center to the cloud. Many companies have DevOps staff build business applications in the public cloud, “where they don’t have to ask permission to poke holes to open something up – the things that slow them down,” said Goodwin. “But as soon as you open something on the Internet, hackers act immediately. We used to have one stack of security tools in the data center; now, we need a similar stack in each cloud we use.”
The rise of software as a service (SaaS) has everyday business applications like Office365, Google Drive, Salesforce.com, and Slack sitting on the Internet. “If they’re not locked down, you leave an application open, or create an account with a simple password, hackers take advantage,” warned Goodwin.
Tackling Security from All Angles
In a business landscape that no longer has identifiable physical perimeters to secure, enterprises and government agencies must deploy cyber defenses in multiple dimensions: at the user-device, admin and user authentication, network-access, and application levels, and in coordination with others’ detection and mitigation efforts.