TEQ Magazine

(By Justine Kasznica)

Be Prepared

According to CISA and the FBI, the first and most important step towards protection is preparation. Being prepared includes creating, maintaining, and exercising a cyber incident response plan, a resilience plan, and a continuity of operations plan; ensuring personnel are familiar with the key steps that must be followed during a cyber breach incident; identifying a resilience plan that addresses how to operate if you lose access to, or control of, your company’s systems; and implementing data back-up procedures. In addition, companies need to minimize gaps by ensuring all security protocols and protections are maintained around the clock, including holidays and weekends.

Enhance the Organization’s Cyber Posture

Enhancing an organization’s cyber posture is imperative to its safety from any form of cyberattack. An organization can strengthen identity and access management, protective controls and architecture, and vulnerability and configuration management by, among other things, requiring strong passwords and multi-factor authentication for all users. By monitoring for and detecting abnormal activity, such as repeated unsuccessful logins or access from unlikely geographic locations, a company can spot attempted breaches early enough to prevent damage from occurring. It is also important to apply software updates in a timely manner and to use industry-recommended antivirus programs.

Stay Vigilant

Simply implementing initial data privacy, security, and response measures is not enough. Cybercriminals and their methods are constantly evolving. Taking a proactive approach to data privacy and security, and being willing to invest in it, is vital to ensuring that a company’s safeguards are adequate and up to date. Annual internal and external audits and/or reviews of a company’s systems and policies are crucial to its data security. For example, companies should:

  • Review existing segmentation and preventative controls that may have atrophied over time.
  • Identify shared systems or infrastructure on the IT side that could allow an adversarial group to pivot and deploy ransomware to the OT side.
  • Review dataflows of critical business system applications reliant on OT communications and document them.
  • Ensure backups are being performed across critical OT systems. Periodically test the backups and ensure there is an offline copy in the event that an online system becomes encrypted from ransomware.
  • Engineering and OT teams should evaluate what systems should leverage remote access.
  • Remote access requirements should be determined, including what IP addresses, communication types, and processes can be monitored. All others should be disabled by default. Validate your external exposure of IT and OT systems.
  • For remote access, all communications should be centrally logged and monitored. Various detection techniques should be implemented on remote access systems, such as looking for brute force attempts or specific exploits for known vulnerabilities. Multi-factor authentication should be implemented.
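Both the login monitoring described under “Enhance the Organization’s Cyber Posture” and the detection called for in the last bullet above come down to running simple rules over centrally collected authentication logs. The following Python script is an added example, not code from the article, CISA, or the FBI: it flags a brute-force attempt (five or more failures from one source IP within five minutes) and an unlikely geographic access (two successful logins for the same account from different countries less than two hours apart). The log format, the thresholds, and the log lines themselves are constructed for illustration and are not taken from any real system.

```python
"""Rule-based detection over remote-access authentication logs.

Added example. The log format (timestamp user src_ip country result) and
the sample lines are constructed for illustration; thresholds are assumptions
a practitioner would tune to their own environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: not captured from any real system.
SAMPLE_LOG = """\
2024-03-01T01:00:00Z carol 192.0.2.5 US OK
2024-03-01T02:00:01Z bob 198.51.100.7 RU FAIL
2024-03-01T02:00:03Z bob 198.51.100.7 RU FAIL
2024-03-01T02:00:05Z bob 198.51.100.7 RU FAIL
2024-03-01T02:00:07Z bob 198.51.100.7 RU FAIL
2024-03-01T02:00:09Z bob 198.51.100.7 RU FAIL
2024-03-01T02:00:11Z bob 198.51.100.7 RU FAIL
2024-03-01T02:05:00Z alice 203.0.113.10 US FAIL
2024-03-01T02:10:00Z alice 203.0.113.10 US OK
2024-03-01T02:40:00Z alice 203.0.113.99 DE OK
2024-03-01T09:00:00Z carol 192.0.2.77 GB OK
"""

# Assumed thresholds (tune for your environment).
FAIL_THRESHOLD = 5                    # failures from one source IP ...
FAIL_WINDOW = timedelta(minutes=5)    # ... within this sliding window
MIN_TRAVEL_GAP = timedelta(hours=2)   # two successes from different countries
                                      # closer together than this are suspicious


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, user, ip, country, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "country": country,
        "result": result,
    }


def detect(events):
    """Return a list of (alert_type, subject, timestamp) tuples.

    brute_force:        FAIL_THRESHOLD failures from one IP inside FAIL_WINDOW
                        (reported once per IP, not once per extra failure).
    impossible_travel:  a successful login from a different country than the
                        user's previous success, less than MIN_TRAVEL_GAP later.
    """
    alerts = []
    fails = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged_ips = set()
    last_success = {}            # user -> event dict of most recent OK login

    # Central logging may deliver lines out of order; process chronologically.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "FAIL":
            window = fails[ev["ip"]]
            window.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev["ip"] not in flagged_ips:
                flagged_ips.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["ts"]))
        else:
            prev = last_success.get(ev["user"])
            if (prev is not None
                    and prev["country"] != ev["country"]
                    and ev["ts"] - prev["ts"] < MIN_TRAVEL_GAP):
                alerts.append(("impossible_travel", ev["user"], ev["ts"]))
            last_success[ev["user"]] = ev
    return alerts


def detect_from_text(text):
    """Convenience wrapper: parse raw log text and run the detections."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return detect(events)


if __name__ == "__main__":
    for kind, subject, ts in detect_from_text(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {kind:<18} {subject}")
```

Run against the constructed sample, the script raises exactly two alerts: a brute-force alert for 198.51.100.7 on its fifth failure (the sixth failure does not re-alert), and an impossible-travel alert for alice, whose successful logins from the US and Germany are thirty minutes apart. carol’s US and GB logins eight hours apart are left alone. In production the same logic would read from the central log collector the bullet describes, and the thresholds would be tuned to avoid paging on ordinary password typos.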

In addition, data privacy and security laws, both in the United States and abroad, are frequently being updated to combat cyberthreats, and oftentimes impose new requirements on companies meeting certain thresholds. A company can increase organizational vigilance by staying up-to-date on government notifications and being sure to receive information on current security issues or vulnerabilities.

Ransomware Attacks: To Pay or Not to Pay

As a general rule, the FBI does not support paying ransom to cybercriminals in ransomware attacks for two reasons.⁴³ First, paying a ransom will encourage and incentivize cybercrime. If hackers’ demands are met, they will be more likely to target other victims. Further, if others perceive that this kind of crime does, in fact, “pay,” they will be incentivized to become involved in cybercriminal activity. Second, there is no guarantee that paying a ransom will result in the release of data.

The other side of the argument can be equally compelling. Paying a ransom can be an attractive option when the alternative is to shell out millions of dollars to restore and remediate the systems. Additionally, the chaos that the disruption in services can cause cannot be discounted. Consider, for instance, a company that decides to pay the ransom while also working with the FBI, recoups some of the ransom, and ultimately obtains the decryption key in short order. While such results should not be expected, it is difficult to argue that, in that instance, the wrong choice was made by paying the ransom.

When faced with a ransomware attack, there are no “good” options. On one hand, organizations must consider the potential consequences of not paying the ransom: employee/customer health and safety; costs of disrupted services; internal and external impacts from potential shutdowns; release of confidential data stolen by the attacker; etc. On the other, the ransom itself may be a substantial, unrecoverable cost — one that may or may not achieve the end goal.

Ultimately, as ransomware attacks become more common and sophisticated, the safest organizations will be those that take these threats seriously and proactively fortify their networks — prevention always beats intervention.
