Ransomware Threats are Increasing and Getting More Sophisticated
IBM Security investigated 524 organizations of various sizes across 17 industries that experienced data breaches, documenting their findings in a report titled "Cost of a Data Breach 2020". They found ransomware attacks and destructive malware attacks have grown more common and are more expensive on average ($4.44 million) than more typical malicious breaches ($4.27 million) or average data breach ($3.86 million).
Other key findings in the research were:
- The two most common threat vectors were (1) stolen or compromised credentials and (2) misconfigured clouds, each representing 19% of the breaches studied
- Lost business continued to be the largest cost factor associated with breaches, accounting for 40% of the average total cost
- Incident response preparedness was the highest cost saver for businesses
The large cost associated with ransomware attacks warrants an investment into policies, procedures, and systems to significantly reduce the chances of experiencing a successful ransomware attack. The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) jointly released "Ransomware Guide - September 2020", a set of best practices for preventing, protecting and/or responding to a ransomware attack. It outlines general security measures and measures specific to different infection vectors used by ransomware. While the CISA / MS-ISAC document contains excellent recommendations, implementing them all would require a very large effort, taking months of time planning, implementing, testing, and documenting. As a result, this series of blog posts will review the recommendations in a more prioritized manner. Additional recommendations and details will be added where important.
This post (Part 1) in the series discusses the first step in protecting against ransomware attacks - implementing general security best practices. Subsequent posts will discuss how to protect against specific infection vectors as outlined below.
- Part 2 - Internet-facing Access and Services
- Part 3 - Phishing
- Part 4 - Precursor Malware
- Part 5 - Third Party and Managed Service Providers
Security measures need to be continuously evaluated and adjusted as attack methods used by ransomware evolve. Because security measures can't be 100% complete, a final post (Part 6) will discuss steps needed to prepare for ransomware remediation, if ever necessary.
Ransomware Prevention Best Practices - Part 1: General Security Measures
Before trying to secure specific ransomware infection vectors, it's best to start by implementing fundamental yet very important cyber security measures that are needed for security concerns beyond ransomware. Those measures are:
- Adopt a strong password policy
- Use sophisticated access lockout techniques
- Implement multifactor authentication
- Employ principle of least privilege
- Harden system
Adopt a Strong Password Policy
In a breach study, security expert Troy Hunt counted the number of passwords used by individuals and found the following frequently used passwords:
- 123456 - used by 23.2M individuals
- 12345678 - used by 7.8M individuals
- password - used by 3.5M individuals
Those numbers are simply mind-boggling for such weak passwords.
And, according to research by Precise Security, weak passwords accounted for 30% of the ransomware infections in 2019, making it the third leading cause of ransomware behind spam/phishing emails and lack of security training. This statistic is so unfortunate because the steps to eliminate weak password are relatively straightforward and simple - educate and require users to:
- Use passphrases instead of passwords
- Not build passwords using personal information
- Limit the use of dictionary words
- Not share passwords
An easy way to help users adopt strong passwords is to provide them with a password manager such as KeePass or LastPass. Password managers include random password generators that can quickly create, and remember, passwords that are long and sufficiently complex. These password managers can be configured to require re-authentication on regular intervals, making them a much better choice than relying on the password managers built into most web browsers. Many of the password managers support all the common platforms - Windows Mac, Linux, Android, and IOS.
Use Sophisticated Access Lockout Techniques
The Center for Internet Security (CIS) suggests that implementing sophisticated account lockouts following failed login attempts may be more effective at thwarting attacks than focusing solely on passwords. The lockouts make brute force dictionary attacks difficult to accomplish. They recommend policies such as enforcing temporary lockouts (15 minutes or more) after five consecutive failed attempts, or using a time-doubling login throttling technique, combined with failed login monitoring. It should be noted however that using account lockout may not be appropriate in all environments because attackers could use it as a way to implement a denial of service.
Implement Multifactor Authentication
Multifactor authentication (MFA) is a security mechanism that requires an individual to provide two or more forms of credentials to verify their identity. These credentials include items such as passwords, hardware tokens, numeric code, and biometrics. With MFA, you can reduce the risk of credential theft by requiring a second method of identity verification that cannot be easily stolen remotely. Many MFA implementations combine a password with a token from either a hardware device or authentication application.
In their CIS Password Policy Guide, the Center for Information Security goes as far as saying that MFA should be the first choice for all authentication purposes, especially for administrator access and other privileged accounts. They acknowledge however that MFA can be technically challenging, in part because not all systems support MFA. Therefore, it makes sense to approach MFA in a step-wise and incremental fashion, focusing first on areas where the security vulnerability is the highest, such as VPN access and cloud-based applications and services .
Because administrative accounts are the highest value targets for malicious actors, MFA implementation should also start with users across the organization who access sensitive information or have elevated privileges, especially users in IT. These initial users can be part of a pilot or proof-of-concept, with lessons learned from the pilot helping to optimize and streamline the rollout across the remainder of the organization.
Employ Principle of Least Privilege
The principle of least privilege (PoLP) recommends that users, processes, and systems only have permission to access resources that are necessary to perform their assigned function, thereby limiting potential damage, whether intentional or unintentional. For example, only HR staff should be given access to the HR files and systems. Likewise, only the accounting department should be allowed access to accounting files and systems. A key part of PoLP is limiting the organizational impact if a single account is compromised.
Another key part of PoLP is to limit the accounts with elevated administrative permissions that will allow ransomware to navigate through the network, hopping from system to system to inflict maximum damage.
CIS specifically outlines the following steps for implementing PoLP:
- Identify what users, systems, and processes are on the network and determine the minimum access level that each requires for their assigned job function.
- Limit the system privileges of senior officials and administrative assistants as they are frequently targeted by malicious actors because of their high access levels.
- Once the policy is implemented, make sure there are at least annual checks on who has what privileges to prevent "privilege creep." Privilege creep is when an employee changes role and keeps their previously assigned privileges, while also gaining new privileges.
- Implement checks after an incident, as part of the remediation process, to ensure that user, system, and process privileges were not modified.
Today's IT infrastructure components, both on-prem and cloud, include a large number of configurable controls, of which many have security implications. It is important to implement best practices across all of the infrastructure components. However, it can sometimes be difficult finding documentation detailing the best practices. In some cases, vendors provide white papers with best practice information. Other sources of guidance are system configuration baselines, containing a list of well-defined security controls. The two most common baselines are:
- Center for Internet Security's CIS Benchmarks
- US Department of Defense Systems Agency (DISA) Security Technical Implementation Guides (STIG)
Both of these are widely deployed, trusted, and expansive. For example, CIS Benchmarks is a set of more than 100 configuration guidelines across 25+ vendor product families including operating systems, server software and cloud providers.
The big advantage of using the configuration baselines is that they have been defined and tested by sets of cybersecurity experts. Configuration baselines can be used as is, or can be tailored to meet the operational needs of an organization, then saved for re-use by the organization later.