Have a plan for isolating and cleaning infected devices and recovering data from backups... you do have good backups, right?
The WannaCry ransomware attack highlights the need for organisations to develop a ‘digital extortion decision tree’, according to Forrester analyst Jeff Pollard.
This includes planning your response to digital extortion attempts in advance. This also means incorporating a ransomware exercise in your IR tabletops moving forward, Pollard states in a blog post.
“The worst time to discover that you are unprepared for the emergency is during the emergency,” he adds.
Pollard, together with Forrester analyst Amy DeMartine, last month released the report The Top Seven Recommendations For Your Security Program In 2017.
In his blog post, Pollard references the report, which explains why organisations need to prepare for their data and systems to be taken hostage.
The combination of Bitcoin’s anonymity, easy-to-use attack tools, and a thriving marketplace on the dark web has provided fertile ground for digital extortion based on threats of ransomware and DDoS attacks, the report states.
It says ransomware alone is expected to grow to a US$1 billion market this year, as attackers hold victims’ data and assets hostage in exchange for money.
The report advises organisations to plan the response to digital extortion in advance.
“The temptation to just pay the ransom will be strong, but just because you live up to your end of the bargain doesn’t mean the cyberthieves will,” the report states.
Paying up may earn the organisation a reputation as a complicit victim, making it a target for future cybercrime.
Instead, Forrester advises chief information and security officers to work with business leaders to build a ‘digital extortion decision tree’ that will guide their response should such an attack happen.
“For example, healthcare security leaders should consult with clinical staff to understand the impact of ransomware to patient care. And if you’re open to paying the ransom, make sure you know how to access Bitcoin.”
They also recommend adding ransomware and distributed denial of service (DDoS) to the incident response plan.
“In the case of DDoS, know who to call for remediation assistance; your service provider or DDoS mitigation service are two likely options.
“For ransomware, have a plan for isolating and cleaning infected devices and recovering data from backups,” they state, adding, “you do have good backups, right?”
Prepare for the second wave of attack
Despite a temporary fix that has slowed the spread of the WannaCry ransomware attack, there is the possibility that a second wave of the malicious software or ‘copycat’ attack could be released, warns Peter Bailey, general manager of Aura Information Security.
“New Zealand’s location does not make companies exempt from cyberattacks and there are reports that the virus may have affected some NZ businesses, therefore companies must be vigilant and proactive in order to avoid being affected,” says Bailey, in a statement.
He recommends the following measures and precautions:
Back up your data
Companies should immediately back up all data to an external hard drive to ensure that all files are not lost if computers are hacked. This ensures data can be retrieved and recovered without paying a ransom. If your business is affected by the attack, it is recommended that you do not pay the ransom at all as this may not result in files being recovered.
Ensure all company computers are updated
Businesses should immediately ensure all staff computers and company servers are up to date with Microsoft’s latest updates and patches so that they are not openly vulnerable to the attack.
Know your vulnerabilities
If you are running legacy unsupported operating systems or software with known vulnerabilities, isolate them from the rest of your network. Make sure you add extra protection like configuration hardening, host-based firewalls, or application whitelisting. Upgrade unsupported operating systems to the latest platforms wherever possible.
Educate your staff
Educate your staff on what to look out for and what to do if their workstation is infected with malware. The advice for WannaCry is that users should immediately unplug their machine from the network, and call their IT support help desk. It is likely their workstation will need to be wiped and rebuilt.
To ensure your business fosters a culture of cybersecurity awareness, and is prepared in the case of future attacks, regular training and education is key, he says.
Matt Lord, security expert at Dimension Data New Zealand, meanwhile, says the company's latest Global Threat Intelligence Report found 47 per cent of cybersecurity breaches exploited vulnerabilities that were more than three years old.
“So focus on the basics – your desktop will only be 99 per cent patched within 30 days of the release of a patch so perform a security scan of your network to identify any gaps and high risk areas,” he states.
The report finds a third - 32 per cent - of organisations did not have an incident response plan.
“Prepare and practice a response plan now. The plan must include all of the business.”
Dimension Data says the report was based on the assessment of networks of 10,000 clients across five continents, 3.5 trillion security logs, 6.2 billion attempted attacks, and global honeypots and sandboxes located in over 100 different countries.
He points out investing more in IT is not always the best way to stay cyber safe.
“Instead, step back and take a holistic view of your security, including people and processes to address any areas of weakness,” he states.
As well, he advises organisations to consider next generation security technologies that have additional features such as automatically sharing threat data in the cloud and artificial intelligence to reliably block suspicious activity.
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter: @cio_nz