Ransomware attacks have become unsettlingly common. While they’ve been making headlines for nearly a decade now, the past two months have brought a startling number of high-profile ransomware attacks that have spanned the public, non-profit, and private sectors.
Victims of this string of recent attacks include the University of California, San Francisco (UCSF) School of Medicine, Blackbaud, the town of Florence, Alabama, CWT, and Garmin. In all cases, the victims were ultimately forced to pay ransom, causing large financial losses and even greater damage in less tangible costs, such as downtime, reputation loss, and a possible increase in insurance costs.
If you’re looking for ways to shore up security and protect your enterprise from a ransomware attack, keep reading. This blog post will provide 9 actionable tips for you to make sure your organization isn’t the next victim.
A Brief Overview Of Ransomware
Ransomware comes in many different flavors, but ultimately it all falls into one of two categories:
- Malware that steals the victim’s data with the intention of publishing it, if the victim refuses to pay the ransom.
- Malware that seizes and encrypts the victim’s data, such that the victim will never be able to regain access, unless they pay the ransom.
Of course, both varieties of ransomware are designed to extract financial resources from the victim. The primary difference is that the former is an attack on confidentiality of data, while the latter is an attack on availability of data (but also on integrity of data, in some cases).
There are two primary protection mechanisms to defend against the confidentiality attack: encryption and access control. If your organization’s data is encrypted, then it is unintelligible to attackers, even if they manage to gain access to it. Strict access control is also an important measure, as it ensures that potential attackers are unlikely to obtain the necessary credentials to access sensitive data in the first place.
As for the availability attack, there are three main defensive mechanisms: backups to write-only media, backups to multiple locations, and, again, access control. It’s best practice to use write once, read many (WORM) storage devices that ensure your data isn’t being tampered with after you’ve created the backup. It’s also important to backup to multiple locations, in case one of the backups is corrupted, compromised, or deleted. Lastly, just as with confidentiality attacks, it’s crucial to have strict access control measures in place to limit the attack surface for hackers.
A Closer Look At Encryption
Encryption is essential to cyber security but it’s helpful to note that there are different levels of encryption, as well as different encryption algorithms and various ways to manage encryption.
For instance, encrypting data at rest is distinct from encrypting data in transit. There are also significant distinctions between file-level encryption, disk-level encryption, and application-level encryption. Similarly, data can be encrypted using different algorithms. These include symmetric encryption, asymmetric encryption, or a hybrid model that leverages both methods. Lastly, some enterprises handle encryption internally (self-managed) while other businesses outsource cyber security needs like encryption to third-party service providers.
Any variety of encryption will help defend against ransomware, but carefully selecting the right design and implementation for your enterprise environment will provide the highest level of protection.
9 Tips To Protect Your Enterprise From Ransomware Attacks
While every environment is a little different, the following 9 best practices will help you protect your organization from falling victim to a ransomware attack no matter how your environment is structured.
1. Encrypt Data At Rest With A Self-Managed KMS
If you aren’t already doing so, you should encrypt data at rest using a self-managed (i.e. on-premise) Key Management Service (KMS), wherever possible. Using third-party encryption is better than not using any encryption, but it doesn’t prevent the third-party from decrypting the data. This is especially important when the third-party is the one storing the data, as is the case with cloud providers. By encrypting the data before it is sent to the storage provider, you are able to take advantage of the storage provider’s scale without sacrificing the confidentiality or integrity of your own data.
2. Protect Data At Rest With An Enveloped Data Structure
You should protect data at rest with an enveloped data structure (also known as a hybrid asymmetric/symmetric scheme). Stated simply, this means encrypting your backup with a symmetric key and then encrypting the symmetric key with an asymmetric key. This technique comes with a significant added benefit: your backup systems do not need to have an online channel to the KMS because only the public keys are being used from the KMS.
3. Keep Private Keys For Decryption In A Disabled State
Another best practice for defending against ransomware attacks is to keep the private keys for decryption in a disabled state by default. Since they are only needed when restoring backups and are therefore not needed frequently, you should only enable them when there is a need to do so, and immediately disable them after they are used. The process for enabling, disabling, and using private keys should be tightly controlled and auditable. A tool like GaraSign provides out-the-box support for this.
4. Timestamp Your Data Prior To Encryption
While encrypting data is essential to the security of your enterprise’s data, it’s important to cryptographically timestamp your data before you encrypt it. This allows you to easily identify if the data has been tampered with at any point in time. This can be useful later on to prove that data hasn’t been altered since a given point in time, such as during e-Discovery or other legal proceedings.
5. Protect Data In Transit With TLS
Always protect data in transit with TLS 1.3, or at least TLS 1.2. First published by the IETF in August 2018, TLS 1.3 is considered the strongest security currently available for data in transit, though TLS 1.2 is currently considered acceptable if your enterprise has not yet made the update. Anything below TLS 1.2 should not be utilized.
6. Use Storage Provider Encryption Controls
Wherever available, use storage provider encryption controls, in addition to self-managed encryption. This adds an extra layer of encryption to your data and may provide more assurance to auditors of your environment.
7. Test Backup and Restore Procedures
Backups are only valuable if they can be restored. While ensuring the data can be decrypted is a critical aspect of the restoration process, other factors must also be considered, such as how to get the data from the backup location to where it is needed in order to be used. Verifying that this process works seamlessly is critical to ensuring minimal downtime, should the need arise.
8. Stop Malicious Software/Users
This is a subject all on its own that covers a wide range of topics. Topics include, but are not limited to, endpoint security, user training, log monitoring, and strong authentication.
9. Monitor, Maintain and Train
Like any system, your backup and anti-ransomware systems need to be monitored and maintained. The team members who use them need to be thoroughly trained. While keeping systems up-to-date with patches and upgrades is important, it must also be balanced with backwards compatibility, especially when dealing with long-term backups.
With all of these defense mechanisms in place, any ransomware attackers that target your organization will be wishing they had ran somewhere else to deploy their malicious software.
Jokes aside, ransomware attacks are a serious and persistent threat so you may be looking for some outside expertise to bolster your organization’s cyber security. That’s where we come in.
Garantir is a cyber security company experienced in integrating high-performing security solutions into the enterprise. The team has worked on the digital security needs of many of the Fortune 500 companies and is available to work with your firm now.
Get in touch with the Garantir team to find out how you can maximize security in your environment.
