Corporate Compliance Insights

Ransomware: Believe the Risk and Be Ready for It

8 Considerations in Strengthening Your Organization’s Defenses

by Alan Brill and Eric Thompson
October 1, 2019
in Cybersecurity, Featured

What does the next major terrorist attack look like? 9/11 spurred an overhaul in security against physical harm, but many organizations are still woefully underprepared for terror’s latest iteration: cyberattacks. Kroll’s Alan Brill and Eric Thompson discuss how organizations can bolster cybersecurity.

On September 11, 2001, the attack on the World Trade Center resulted in the total loss of the Port Authority of New York and New Jersey’s data center. In just a few days following the tragic event, the families of those working for the Port Authority – whether they worked in the twin towers or not – would need the money distributed through the regular payroll cycle. But without access to the data center, the Port Authority was forced to activate their emergency backup plan.

Several years earlier, the Port Authority had built a replacement data center in a secure facility on New York City’s Staten Island. Thanks to the incredible work of very dedicated people, within two days following the attack, the necessary computer hardware, backup data files and blank forms for the checks and payroll statements were in place. The payroll run was successful. Funds were distributed to grief-stricken families and surviving employees alike.

This immense effort succeeded largely because the 1993 World Trade Center bombing, which failed to bring the towers down, had forced the Port Authority to contemplate the impact of a catastrophic event such as the loss of the data center.

But what if, in addition to a terrorist attack on the World Trade Center, the attack had included a coordinated, successful systemwide compromise and ransomware attack? In 2001, the disaster recovery plan did not include a concurrent cyber-based assault. The Port Authority’s systems would not have been prepared, because a cyberattack was not a focus of the plan built in response to the 1993 event. If the 9/11 attack had been accompanied by a preemptive cyberattack, the outcome for the Port Authority and its employees would have been significantly different.

Understand the Threat

Every disaster recovery plan is based on an organization’s understanding of perceived risks and the systems that need protection. Risks evolve, and as a result, disaster recovery plans must similarly be flexible, adaptable and frequently reviewed. It is impossible to fully predict the form a cyberattack will take. A disconnect between risk and readiness can lead to substantial impact on an organization and its stakeholders.

Traditionally, the risk that drove most disaster recovery plans was the physical failure of technology, or physical damage by fire, flood and natural disasters. Backups focused on recovery from hard-drive crashes, tape-backup drive failures or data center fires. Today, manufacturers quote mean time between failures (MTBF) figures for solid-state drives (SSDs) equivalent to well over 150 years (a fleet-wide statistic, not the life expectancy of any single drive), and cloud storage permits remote backups in regions unlikely to be hit by the same fire or natural disaster. While technology failures still can and do occur, they are comparatively infrequent. For many companies, this has bred complacency, leaving them particularly susceptible to ransomware.

In recent weeks, more than 22 towns and cities in Texas as well as cities in Florida were hit by successful ransomware attacks, with Florida’s Lake City paying more than $460,000 and Riviera Beach announcing that it would pay a ransom of $600,000 for its data. Though unpublished, many Fortune 1000 companies have been forced to pay ransoms in the millions of dollars. For hackers, it is becoming what ProPublica calls “The Extortion Economy.” Cybercriminals deploying ransomware are out for money, plain and simple. Upon executing the attack, they typically demand payment within a short window, often 72 hours. If money is forthcoming, the organization receives the decryption key and regains access to its data; in as much as 90 percent of attacks, the ransomware group provides the key upon receiving payment, because failing to do so would undermine the business model and cost the group the credibility it needs to secure payment for future attacks. Even when a key is delivered, decryption is often slow and incomplete, so paying is not a substitute for a tested restore.

In the future, terrorist groups, nation-state actors and anarchists may not always be satisfied with simple economic gain. As a society and country, we should begin to prepare for when threat actors rotate from being cybercriminals motivated by financial rewards to terrorist groups and nation-states motivated by destruction, civilian fear and social disorder. What is the recourse when an anarchist group hostile to a country or organization focuses on a crippling attack for nothing more than impact on society (Mr. Robot, USA Network 2015)? Using ransomware with no intention of ever providing a working decryption key would render a devastating blow to any government agency, financial trading house or company and represents the substantial attack capability of a terrorist group or hostile government.

Given constant media stories describing organizations and governments victimized by criminals spreading ransomware, it might seem like companies are defenseless in the face of losing control of their data. In our experience, this is not the case. Cyberattacks can be vicious and devastating, but there are steps every organization can and should take to strengthen its cyber fortification and mitigate the collateral damage of a malware or ransomware attack.

The loss of data is not just a technical question to be left to an overworked IT employee. For many companies, their actual survival as an organization will depend upon a disaster recovery plan and access to the data in the wake of a ransomware attack. Based on our work on hundreds of malware and ransomware incidents, some observations might prove useful to a wide range of organizations.

1. Senior Management Should Understand the Magnitude of the Risk

The threat of data loss at the hands of threat actors is real and needs attention from members at the highest levels of the organization. There are many ways a ransomware infection can hit a company. An employee might click a link in an e-mail, plug an infected laptop into a docking station or connect a compromised cell phone to the Wi-Fi access point. Malware and ransomware are constantly evolving. Regardless of promises made by cybersecurity vendors, there are no perfect defenses. Zero-day vulnerabilities will always be present, providing the threat actor with techniques able to overcome the most sophisticated of defenses. Organizations in which top-level management recognize the nature of the risk are more likely to survive a cyberattack. At that level, resources can be allocated and priorities set for taking defensive measures and requiring incident response plans. We recommend senior management and boards be briefed at least quarterly on ever-evolving cyber threats and the organization’s contingency plans to ensure continuity of access to data.

2. Identify the Location of Vital Company Data

What information does the organization need to maintain the key elements of the business or governmental function? While the answer might seem obvious, in most instances it is much more complicated. It is not uncommon for employees to have files stored on their local machines that are critical to the supply chain or other ongoing operations. Since operating systems and applications can be reinstalled relatively quickly, the focus should be on what cannot simply be downloaded again: user-created data, database contents and the configuration, keys and credentials needed to bring applications back. Given today’s architecture, which combines locally managed hardware, infrastructure as a service and storage as a service, understanding where the data resides may be far from trivial. But it is the necessary first step in the disaster recovery planning process.

3. Assume the Threat Actor Has Secured the Highest Level of Network Administrative Rights

If backup files are online and accessible 24/7 to members of the IT staff, then those same backup files are potentially accessible to a threat actor. When developing a disaster recovery plan, assume the threat actor has the same level of network access and privileges as the senior-most members of the IT staff. Also assume that most ransomware attacks follow weeks, months and sometimes years of detailed reconnaissance and infiltration: many cyberattacks succeed because the threat actor has spent weeks surreptitiously observing the behavior of employees and IT staff members and harvesting user credentials.

If using a cloud-based backup as a service, is the system ransomware hardened? This means that in the days prior to a ransomware attack, a threat actor holding the highest level of administrative rights cannot encrypt or delete the backup files, shorten their retention or terminate the system’s ability to roll back to earlier file versions. The practical test is simple to state: using the production environment’s most privileged credentials, can anyone delete or overwrite the last good backup? If the answer is yes, the backup is not ransomware hardened. To understand the degree of vulnerability, disaster recovery plans can benefit from an objective review by experienced cyber specialists, in-house or external to the organization. If the company’s systems architecture for “backups” can be destroyed or encrypted with ransomware at the same time as the primary files, they cannot be considered ransomware hardened. Backup implies survivability. For example, a backup that is reachable from the production network only as a mapped drive or file share is no more survivable than the primary files: anything ransomware can write to as a file, it can encrypt or delete. Check with the vendor what protection is actually in place (for example, versioning with a retention period that an administrator cannot shorten, or offline copies) rather than assuming it.

4. Will the Backups Survive a Cyberattack?

What is a survivable backup? Has a malware/ransomware attack been considered when designing the disaster recovery plan? How are vital files backed up, and can the copies be reached, altered or deleted from the production network? Identify systems or architecture changes that will allow the organization to survive an attack by a highly skilled and patient threat actor. Before an attack, identify the resources that would be needed to counter it. Make sure senior management understands and supports the incident response and survivability plan.
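
The following Python model is an added example, not code from the article or from Kroll. It shows in executable form what the “ransomware hardened” property in points 3 and 4 means: a backup target that keeps every version and refuses deletion or a shorter retention period for anyone, administrator included, until the lock expires (the semantics write-once object storage offers under a compliance-mode retention lock), set against a mapped drive written in place. The class names, the attacker timeline and the sample payroll file are assumptions constructed for the illustration.

```python
"""Ransomware-hardened backup target versus a plain mapped drive.

Added example, not from the article. In-memory model of a backup target: with
versioned=True and a retention period it behaves like write-once object storage
under a compliance-mode retention lock; with the defaults it behaves like a
mapped drive written in place. Names, timeline and payroll file are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

GOOD = b"payroll-2019-09: good copy"                       # constructed sample
ENCRYPTED = b"\x00\x13\x37 ciphertext; key held by the attacker"

class Denied(Exception):
    """The store refused the operation, whoever asked for it."""

@dataclass
class Clock:
    now: datetime                     # mutable so the scenario can move time forward

@dataclass
class Version:
    data: bytes
    written_at: datetime
    retain_until: datetime            # equal to written_at means "not locked"

class BackupTarget:
    def __init__(self, clock: Clock, versioned: bool = False,
                 retention: timedelta = timedelta(0)) -> None:
        self.clock, self.versioned, self.retention = clock, versioned, retention
        self.versions: Dict[str, List[Version]] = {}

    def write(self, path: str, data: bytes) -> None:
        now = self.clock.now
        v = Version(data, now, now + self.retention)
        if self.versioned:
            self.versions.setdefault(path, []).append(v)   # history is kept
        else:
            self.versions[path] = [v]                      # in place: old copy is gone

    def delete_version(self, path: str, vid: int) -> None:
        v = self.versions[path][vid]
        if self.clock.now < v.retain_until:                # lock still in force
            raise Denied(f"{path}#{vid} is locked until {v.retain_until.date()}")
        del self.versions[path][vid]

    def shorten_retention(self, path: str, vid: int, new_until: datetime) -> None:
        """Compliance mode: retention can be extended, never shortened, by anyone."""
        if new_until < self.versions[path][vid].retain_until:
            raise Denied("retention cannot be shortened")
        self.versions[path][vid].retain_until = new_until

    def restore(self, path: str, before: datetime) -> Optional[bytes]:
        """Latest version written before the attack is believed to have begun."""
        good = [v for v in self.versions.get(path, []) if v.written_at < before]
        return good[-1].data if good else None

def attacker_purge(store: BackupTarget, path: str) -> int:
    """Overwrite with ciphertext, then try to remove every remaining copy using
    admin rights. Returns how many copies the store refused to drop."""
    store.write(path, ENCRYPTED)
    refused = 0
    for vid in reversed(range(len(store.versions[path]))):
        try:
            store.delete_version(path, vid)
        except Denied:
            refused += 1
    return refused

def run_scenario(store: BackupTarget, clock: Clock,
                 dwell: timedelta = timedelta(days=30)) -> dict:
    """Day 0: the backup job writes. After `dwell` of quiet reconnaissance the
    attacker, holding the same credentials as IT, strikes. Is a clean copy left?"""
    store.write("payroll.db", GOOD)
    clock.now += dwell
    attack_started = clock.now
    refused = attacker_purge(store, "payroll.db")
    return {"refused": refused, "restored": store.restore("payroll.db", attack_started)}

def demo() -> dict:
    start = datetime(2019, 9, 1, tzinfo=timezone.utc)
    results, clock = {}, Clock(start)
    results["mapped_drive"] = run_scenario(BackupTarget(clock), clock)
    clock = Clock(start)
    locked = BackupTarget(clock, versioned=True, retention=timedelta(days=90))
    results["locked_90d"] = run_scenario(locked, clock)
    try:                                                   # admin tries to shorten the lock
        locked.shorten_retention("payroll.db", 0, clock.now)
        results["admin_can_shorten_lock"] = True
    except Denied:
        results["admin_can_shorten_lock"] = False
    clock = Clock(start)                                   # lock shorter than the dwell time
    short = BackupTarget(clock, versioned=True, retention=timedelta(days=14))
    results["locked_14d"] = run_scenario(short, clock)
    return results

if __name__ == "__main__":
    print(demo())
```

Three outcomes matter. On the mapped drive the attacker’s overwrite replaces the only copy and the delete succeeds, so nothing is left to restore. On the locked store with 90 days of retention, both versions survive the purge, the pre-attack copy is restored, and the attempt to shorten the lock is refused. On the locked store with 14 days of retention the original copy has already fallen out of its lock by the time the attacker strikes, which is the caveat a practitioner needs: the retention period must comfortably exceed the weeks or months of dwell time point 3 describes, plus the time it takes to notice the attack. The backup job’s own credential should be able to write new versions and nothing more.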

5. Restoring Operational Status

Simply having backup files is not enough. Consider how backup files and system images would be deployed in the event of a systemwide breach. For systems to be functional, they must be restored to operational status so employees can do their jobs. That means knowing the order in which systems must come back (identity and directory services and the network before the applications that depend on them), how long a full rebuild takes, and whether the restored images are clean: a backup taken after the intruder gained access may restore the intruder’s foothold along with the data.

6. Test

In the military, there is a saying that no battle plan survives first contact with the enemy. Backup and recovery plans are no different. It is difficult to know whether a disaster recovery plan will be effective until it is tested. Are the plans practical? Will they work in the hours or days following a ransomware attack? Test by actually restoring, onto separate hardware where possible, and compare the time taken and the data recovered against what the business needs. Experience has shown us that most disaster recovery plans require some adjustment to make them effective. Finding the shortcomings of a disaster recovery plan during a test is far better than working through them amid a real attack.
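
The restore drill that points 5 and 6 call for, as an added Python example that is not from the article: it backs up a directory together with a SHA-256 manifest, runs a stand-in “ransomware” over the live copy, wipes the live tree, restores from the backup and verifies every file against the manifest, then corrupts one backed-up file to show the check refusing to call that restore good. The directory layout, the file contents and the XOR “encryption” are assumptions constructed for the example.

```python
"""Restore drill with an integrity manifest.

Added example, not from the article. Backs up a directory with a SHA-256
manifest, runs a stand-in "ransomware" over the live copy, restores from the
backup and verifies every file against the manifest; then corrupts one
backed-up file to show the manifest catching it. The directory layout, file
contents and the XOR "encryption" are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src: Path, dst: Path) -> Dict[str, str]:
    """Copy src to dst and write dst/MANIFEST.json (relative path -> sha256).
    The manifest is what turns a hopeful restore into a verifiable one."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)
    manifest = {p.relative_to(src).as_posix(): sha256_file(p)
                for p in src.rglob("*") if p.is_file()}
    (dst / "MANIFEST.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def fake_ransomware(live: Path) -> int:
    """Stand-in attacker: XOR every file, write it back as *.locked, drop the original."""
    hit = 0
    for p in [q for q in live.rglob("*") if q.is_file()]:
        p.with_name(p.name + ".locked").write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        p.unlink()
        hit += 1
    return hit


def restore_and_verify(backup_dir: Path, live: Path) -> dict:
    """Wipe the compromised live tree (restoring on top of it could keep the
    attacker's leftovers), copy the backup back and check every manifest entry."""
    t0 = time.perf_counter()
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    if live.exists():
        shutil.rmtree(live)
    shutil.copytree(backup_dir, live, ignore=shutil.ignore_patterns("MANIFEST.json"))
    bad = [rel for rel, digest in manifest.items()
           if not (live / rel).is_file() or sha256_file(live / rel) != digest]
    unexpected = [p.relative_to(live).as_posix() for p in live.rglob("*")
                  if p.is_file() and p.relative_to(live).as_posix() not in manifest]
    return {"files": len(manifest), "corrupt_or_missing": bad, "unexpected": unexpected,
            "ok": not bad and not unexpected, "seconds": round(time.perf_counter() - t0, 3)}


def drill() -> dict:
    """Run the whole drill in a temporary directory and return a report."""
    root = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    live, bak = root / "live", root / "backup"
    (live / "finance").mkdir(parents=True)
    (live / "finance" / "payroll.csv").write_text("emp,amount\n1001,4200\n1002,3900\n")
    (live / "README.txt").write_text("constructed sample data\n")
    manifest = backup(live, bak)
    encrypted = fake_ransomware(live)
    clean = restore_and_verify(bak, live)
    # A backup the attacker could write to is no better: corrupt one file in the
    # backup and confirm the manifest check refuses to call the restore good.
    (bak / "finance" / "payroll.csv").write_text("emp,amount\n1001,1\n")
    tampered = restore_and_verify(bak, live)
    shutil.rmtree(root)
    return {"backed_up": len(manifest), "encrypted": encrypted,
            "clean_restore": clean, "tampered_restore": tampered}


if __name__ == "__main__":
    print(json.dumps(drill(), indent=1))
```

The `seconds` field is the number to compare against the recovery time the business can tolerate; on a real data set it is the figure most plans get wrong. The manifest stored beside the backup is only as trustworthy as the backup itself, so keep a copy of it (or a signature over it) somewhere the production credentials cannot write, otherwise an attacker who can alter the backup can alter the manifest to match.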

7. Revisit the Disaster Recovery Plan Regularly

Recognize that every plan has moving parts. Threats will continue to evolve as cybercriminals discover new vulnerabilities and build new forms of malware. Similarly, organizations and their data systems evolve. Companies outsource more and more of their IT services, creating a new exposure through the IT security of third parties. Managed Security Service Providers (MSSPs) and IT contractors hold the keys to access many organizations. MSSPs are high-value ransomware targets. An effective backup and recovery program can become ineffective if it is solely dependent on the security of a third-party IT provider. Security plans should be maintained, modified and re-tested periodically as the network infrastructure changes and adapts.

8. Backups and Disaster Recovery Plans are Only One Piece of a Cyber Plan

There are many important pieces to cyber armor (anti-virus software, patch management, VLAN segmentation, e-mail security gateways, firewalls, etc.). These proactive tools are particularly effective against the amateur cybercriminal and can even provide a level of protection against a protracted siege. An organization should not be lulled into complacency, thinking this armor will provide an impenetrable defense. As stated, no defense is perfect. Cybercriminals are diligent, skilled, patient and highly motivated; there is a good chance they will eventually find a weakness they can exploit. The reason to focus on a ransomware-hardened disaster recovery plan over other technologies is that once fortification defenses fall and battle with the enemy is over, the disaster recovery backups will be the difference between rebuilding and failure.

One additional important item to consider in connection with the post-attack rebuilding effort is cyber insurance. Just as every organization should have liability or fire insurance, every organization should have some type of cyber insurance. Regularly revisit the policy to determine whether the coverage matches the current level of malware/ransomware threat. For small companies, the cost of fighting a cyberattack can quickly exceed $100,000. Medium-sized and larger organizations regularly face incident response and breach notification costs well above $1 million. Many insurance companies now offer cyber insurance. Coverage and rates differ, as do underwriting standards. At the very least, it is wise to determine the extent to which a policy covers ransomware and other cyberattacks, and whether that coverage is appropriate given senior management’s full understanding of the organization’s cyber-risk exposure.

Unfortunately, ransomware and other cyber risks are not likely to subside. Using experience as a guide, if there is a financial incentive, the methods of attack will evolve, often in ways we cannot predict. The basic concept of ransomware-hardened backup and recovery is typically the first level of protection from a wide variety of threats.


Alan Brill and Eric Thompson

Alan Brill is a Senior Managing Director at Kroll, a division of Duff & Phelps, and founder of the firm’s cybersecurity practice. He serves as an expert witness and consultant on complex litigation and is an Adjunct Professor at the Texas A&M University School of Law.

Eric Thompson is a Managing Director at Kroll. Before joining Kroll, he founded AccessData and was the author of Forensic Toolkit (FTK), a widely used set of digital forensic tools. He is a recognized cyber cryptanalyst, having published articles with other recognized cryptographers including Bruce Schneier and Ron Rivest.
