People want to trust and we’re inquisitive beings. So, we like clicking on links and opening attachments. No amount of security awareness training is going to completely change that basic aspect of our human nature. More than anything else, this is the flaw ransomware exploits.
Ransomware grabs headlines pretty regularly these days. The last few weeks have been a great example of this. When I last checked, a vanilla Google Search on “ransomware” yielded just over 9 million results and over 2.5 million news results around WannaCry, GhostCtrl and many others.
All of us in the security community have shared our perspectives as well. Malcolm Harkins, the Chief Security and Trust Officer at Cylance, was recently interviewed about Ransomware on i24NEWS. At Verodin, we contrasted WannaCry and Petya.
While ransomware isn’t new, ransomware attacks certainly do seem to be increasing in terms of reach and impact. As such, many organizations are scrambling to answer a relatively foundational question, “Are we safe from ransomware?”
In 2017, the Ponemon Institute released a report titled: The Rise of Ransomware. One section of the report focused on employees and claimed that, “Employees are the weakest link in the defense against ransomware.” It’s a bold statement, and, while not absolute, it’s likely justifiable in many cases.
For decades, organizations have implemented security awareness training and security policies. Posters have been put in break rooms. CBTs have been required for new hires. Mandatory lunch and learns with the security team have been enacted.
It’s hard to argue with the fact that people are more security savvy today than they were just one or two decades ago. However, humans haven’t fundamentally changed – we still like to assume the best from people and are therefore genuinely shocked when a document, email, link, etc. is discovered to be nefarious.
The Ponemon study found that:
So, if education, awareness and training will only take us so far in our fight against ransomware, prudence dictates that we look to technology for help.
There are plenty of guides talking about mitigating ransomware risks. But, honestly, it comes down to just a few fundamentals.
Everyone wants to prevent ransomware from penetrating their systems. If you can prevent it, there is less dependency on incident detection and response, thus saving time and money while mitigating risk.
When it comes to ransomware, there are some key capabilities that make some types of prevention better than others such as:
While incident prevention is always the gold standard, it is by no means the entirety of a security strategy. A bank has a vault, but it also has video cameras, security guards and a button, that when pressed, calls the police.
If ransomware does hit and you are forced to make a decision regarding to pay or not to pay, the decision is typically predicated on how important the data is and how recent and holistic your backups are.
Like backups, there is nothing new or exciting about patching. But, as we’ve seen, many organizations are caught with lagging patches and exploitable vulnerabilities that open the door to ransomware.
Configuration assurance helps ensure that things are working as expected, and haven’t regressed because of changes to network segmentation, taps, spans, rules, alerts and the like. In some cases, patches have been applied, solutions have been tuned, and configurations have been updated, but, because of a lack of configuration assurance and validation, the risk remains because you simply don’t know what’s being prevented, what’s being detected, what’s logging to your SIEM, etc.
This results in an inability to empirically answer the question, “Are we safe from ransomware?” Security needs more evidence-based answers and fewer assumptions.
Employing a strategy that combines these security variables will greatly minimize ransomware risks, regardless of humans being human.