The National Institute of Standards and Technology (NIST) released a comprehensive guide on cybersecurity risk management with a special focus on risk-based ransomware detection, response, and recovery. The Framework released by NIST is a quick start guide that can help your organization prevent ransomware attacks. Even organizations with limited financial, operational, and staffing resources can use this NIST guide, as it outlines the priorities in managing cybersecurity risk that every company should address first, regardless of company size and resources.
The Framework lists five major categories of ransomware risk management:
- Identify – Get a better understanding of your critical infrastructure, resources, business context, and critical functions to improve your cybersecurity risk management.
- Protect – Establish and apply proper security means to ensure the operability of critical services in the event of an incident. Mitigate the impact of a cyberattack.
- Detect – Implement security measures that will help you rapidly identify a cybersecurity event.
- Respond – Develop and implement actions to contain the impact of a cybersecurity incident.
- Recover – Devise and execute actions to restore services that were damaged by the incident. Recover your systems.
Let’s take a look at what every organization can do to bolster its security against ransomware attacks.
1. Identify
It is beneficial to maintain an inventory of physical devices used in your organization, even if only in the form of a simple spreadsheet. Such an inventory facilitates the assessment of whether the devices in your organization are vulnerable to ransomware. In the case of a successful ransomware attack, a hardware inventory makes the recovery phases easier.
To remediate vulnerabilities that may lead to a successful ransomware attack, organizations should also keep software inventories with a special emphasis on software version, devices where software is currently installed, the last update date, and known vulnerabilities.

Furthermore, companies should document information flows with records of important enterprise information such as where data is located, what the connections between devices are, and what protocols are used. During a cyberattack, an attacker often gains access to one resource and then moves laterally to other resources. For that reason, it is important to document information flows.
Moreover, your company ought to catalog all external information systems to which the enterprise connects and devise a way to temporarily disconnect from all external systems after your company falls victim to a ransomware attack. Cataloging all external information systems should also help you identify areas where controls may be shared with third parties and put access rights in place.
In addition to all of the above, your company must determine critical resources, processes, and assets whose failure would render you inoperable. This information is crucial to understanding the true impact and scope of all possible contingencies and better preparing your company to face a ransomware attack. Prioritize your resources based on that information.
Finally, create an incident response plan that will determine cybersecurity policies and explain the roles and responsibilities of everyone in your organization in preventing, responding to, and recovering from ransomware attacks. Exercise the plan through an incident simulation at least once a year to refine your plan and teach employees their roles in practice.
2. Protect
Companies should manage access to their assets and resources using the principle of least privilege. Users should only have access to devices and applications that are absolutely required for their jobs. Whenever possible, the user account should have standard privileges as opposed to administrator privileges to minimize damage in the case it gets compromised. Users should use a strong password and, above all, Multi-Factor Authentication (MFA).
Access should be granted only after the user has been successfully authenticated using MFA techniques. The Framework names Multi-Factor Authentication a key way to reduce the likelihood of account compromise as far as Identity Management, Authentication, and Access Control go.

Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) should be a crucial part of each company’s security safeguards against ransomware. A common ransomware attack vector involves gaining access to an account through compromised credentials. User identities should be proofed and then bound to Two-Factor Authentication to decrease the likelihood of unauthorized access using a compromised user account.
Companies should restrict access to official networks from personal devices and control organization-wide physical access to all devices, from personal computers to critical components of an industrial control system (ICS).
Large enterprises should implement microsegmentation, network segmentation, and segregation to prevent malware and ransomware from spreading, which is especially dangerous in industrial control systems (ICS) and safety instrument systems (SIS).
Companies should keep all applications and operating systems up to date by enabling auto-update whenever possible. Keeping software patched remediates vulnerabilities and reduces the likelihood of a cybersecurity incident. Additional software tools can be used to scan devices for potential vulnerabilities, and all devices should be protected with antivirus and/or antimalware software. Companies should apply consistent configurations to all devices to ensure uniformity. It is a good idea to disable all device features that are not required.
Companies should protect sensitive data using Multi-Factor Authentication (MFA) to ensure the confidentiality and integrity of data. Digital signatures and other integrity checking mechanisms must be used to verify software. Such checks ensure that the software has not been tampered with and does not contain malware.
Companies should conduct regular backups, including offline data backups that are not connected to the corporate network. Frequent backups are essential to reducing the impact of a ransomware attack. Each company should be able to painlessly restore its data by using backups. It is highly recommended to keep all backups offline so that backups are not damaged or infected by a malicious actor or ransomware during a security event.
Next to deploying Two-Factor Authentication (2FA), training all employees and users is by far the most important aspect of protecting your company against ransomware and other types of cybersecurity incidents. Companies ought to both train new employees as well as retrain employees to ensure that not only are they aware of the cybersecurity risks, but also realize their part in remediation and protection of corporate devices, applications, and accounts. All employees should be aware of cybersecurity policies and procedures used in a company. Many ransomware attacks stem from users engaging in unsafe practices, administrators misconfiguring application policies, and employees with a poor understanding of cybersecurity threats making mistakes. It is human to err. That is why you must conduct organization-wide security training for all your employees and additional training for administrators responsible for the installation, configuration, and maintenance of software.
3. Detect
Companies should implement a set of procedures that detect anomalies and unusual occurrences in the workforce. Examples of anomalies include unauthorized access by an unknown entity and suspicious activity within a network. Organizations should also be able to identify the impact of an incident and conduct an appropriate response and recovery based on that information.

While Security Information and Event Management (SIEM) solutions are a recommendation for large enterprises, logs are crucial to identifying anomalies. Logs record all events and can easily point to out-of-the-ordinary occurrences that differ from the expected behavior. For example, the Authentication Logs in the Rublon Admin Console aggregate all log-in attempts within an organization. This allows administrators to detect anomalous behavior such as a user trying to gain access using a suspicious email address or an employee suspiciously trying to sign in to an application from another country. Rapid detection is a requirement for a good response, and all modern Multi-Factor Authentication systems, including Rublon, can log all authentication occurrences in the company.
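As an added illustration (not code from NIST or Rublon), the following Python runs the two kinds of anomaly check described above over constructed authentication log lines: a sign-in from an email domain the organization does not own, a successful sign-in from a country the user has never signed in from before, and, as a third check, a run of failed attempts. The log line format, the trusted domain list, and the failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of authentication events (assumed format, not a real export):
# timestamp | user email | result | country code
SAMPLE_LOG = """\
2024-03-01T08:02:11Z | alice@example.com | success | PL
2024-03-01T08:05:40Z | alice@example.com | success | PL
2024-03-01T09:12:03Z | bob@example.com | success | PL
2024-03-02T02:44:19Z | alice@example.com | success | BR
2024-03-02T03:01:55Z | carol@examp1e.com | failure | PL
2024-03-02T03:02:10Z | carol@examp1e.com | failure | PL
2024-03-02T03:02:31Z | carol@examp1e.com | failure | PL
"""

LINE_RE = re.compile(r"^(\S+) \| (\S+) \| (success|failure) \| ([A-Z]{2})$")
TRUSTED_DOMAINS = {"example.com"}   # assumption: the organization's own mail domains
FAILURE_THRESHOLD = 3               # assumption: failures in a row before alerting

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m[1], "user": m[2], "result": m[3], "country": m[4]})
    return events

def detect_anomalies(events, trusted_domains=TRUSTED_DOMAINS):
    """Return (user, reason) findings in the order they are first observed."""
    findings, reported = [], set()
    seen_countries = defaultdict(set)   # baseline: countries each user succeeded from
    failures = defaultdict(int)         # current run of consecutive failures per user

    def report(user, reason):
        if (user, reason) not in reported:   # each finding is reported once per user
            reported.add((user, reason))
            findings.append((user, reason))

    for ev in events:
        user, domain = ev["user"], ev["user"].rsplit("@", 1)[-1]
        if domain not in trusted_domains:
            report(user, f"untrusted domain {domain}")
        if ev["result"] == "success":
            if seen_countries[user] and ev["country"] not in seen_countries[user]:
                report(user, f"new country {ev['country']}")
            seen_countries[user].add(ev["country"])
            failures[user] = 0
        else:
            failures[user] += 1
            if failures[user] == FAILURE_THRESHOLD:
                report(user, f"{FAILURE_THRESHOLD} failed attempts in a row")
    return findings
```

In practice the baseline of known countries would be built from a longer history than the batch being inspected, so a first-ever sign-in is not mistaken for normal.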
Companies should train their employees to understand the corporate infrastructure well, including an understanding of expected data flows. A good understanding of expected behavior allows employees to report all unanticipated events. Quick recognition of the impact of cybersecurity incidents is crucial in remediating the ransomware attack before it reaches its maximum scope and effect.
4. Respond
Develop a ransomware response plan that will help you mitigate and contain a potential ransomware incident. Your ransomware response plan should also allow you to determine the impact of the cybersecurity incident.

Companies should maintain and regularly update a list of internal and external contacts for ransomware attacks, including law enforcement, legal counsel, and incident response resources.
A ransomware response plan (or plans) should be constantly tested and updated. By testing your plan, you train your employees and help them understand each person’s responsibility in executing a ransomware response. Testing your plan will most likely reveal the need for changes and improvements. Implementing improvements found during testing results in a more refined ransomware response plan.
5. Recover
Companies should make a contingency plan that will outline how to restore the systems and critical infrastructure within a company as well as correct the vulnerabilities that led to the incident. As soon as an incident is detected, companies should contact their internal and external stakeholders and give them more information about the ransomware incident. Recovery plans have to be tested and updated just as response plans are.

A successful ransomware attack damages the reputation and public relations of a company. To prevent that from happening, consider how you will manage public relations and share information about the security event. Your information sharing should be matter-of-fact and to-the-point, but also timely.
Prevent Ransomware With MFA and 2FA
Take the steps outlined in this guide to prevent ransomware attacks on your company. Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) play a big part in not allowing malicious actors to access your network.
Need to feel safer? Get Rublon Multi-Factor Authentication (MFA) now by starting a 30-Day Free Trial.