Best Practices to Minimize Negative Impact,Downtime After a Ransomware Infection

by Jim Varner, President, and CEO, SecurityFirst

Ransomware has become a scourge to businesses around the globe and always manages to find a way to infiltrate even the best defenses. Whether it was a well-known recent outbreak from WannaCry or Petya/NotPetya, which spread worldwide in a matter of minutes, or a more random incident on small business, school district, city, or healthcare provider, any one of these can be detrimental to an entities infrastructure and business operations.

After getting hit with ransomware, companies may lose data and have to spend money as they try to recover their sensitive assets, either through paying a ransom or a solid recovery process or risk disrupting business continuity. Beyond any monetary figure, it’s also possible they’ll damage their reputation in the eyes of their clients and customers due to downtime and potential data loss, which can be even more detrimental to the business. By better understanding the threats ransomware presents, there are several essential preventative measures that can be done early to mitigate the impact, minimize potential disruption to business operations and more importantly – loss of critical data.

Ransomware – Preparation is Key

The growth and sophistication of ransomware variants have caused many companies to anticipate a potential infection, regardless of whether they’re actually hit. Having a contingency plan in place is essential to both minimize the potential risk and the impact of ransomware.

Ransomware’s attack vector is typically through email attachments, hijacked websites and adware, making it nearly impossible to protect against everything. However, there’s a common thread linking all of these: the human touch. You can prepare and educate everyone in an organization to be wary of suspicious emails, downloads, content, and websites, but sometimes even the best prevention simply isn’t enough. And that’s not all. Ransomware variants are spreading, with many slipping past even the best and most up-to-date defenses so it’s important to remain vigilant, regardless of your role in an organization.

You might ask, “What about paying the ransom; it’s not that much and it seems a lot easier and cost-effective?” That’s one way to go, but there is no guarantee you’ll get access to your data again just like there’s no guarantee you’ll rid yourself of malware or viruses that are now on the network.

The fastest and safest way to recover is through strong preparation and a quick reaction to isolate the infected computer or server and shut it down before implementing your recovery plan. The complexity and speed of recovery rely on advanced planning and preparation including data backups.

Take a Layered Approach to Ransomware Prevention

There are several steps companies can take to prepare themselves if they’re hit with a ransomware attack:

  • Updates are essential: Update all systems, anti-malware, and firewalls, and ensure all operating systems and software is up-to-date with the latest patches. This is basic security hygiene any company should do on a regular basis.
  • Practice data governance: Determine what data exists across your organization and the stakeholders who are responsible for it. Data governance makes a difference – greater accountability including executing access policies and reinforcing best practices across the board will significantly narrow the potential attack.
  • Limit the attack surface: Narrow the attack surface with more stringent access controls, advanced encryption, key management, and real-time access monitoring. This also helps improve overall company operations while preventing other data losses and potential issues.
  • Encrypt your data: If your files are compromised in a ransomware attack, strong data encryption ensures the data cannot be decrypted and exfiltrated without the proper authentication and authorization. It’s a small but simple measure that goes a long way to protecting your assets.
  • Access controls matter: Companies should limit data access to only those roles that absolutely need the data to perform their job functions by implementing role-based access controls (RBAC) and privileged access management (PAM).
  • Whitelist your applications: Isolate workloads whenever possible by using a process of default-deny “zero trusts” and whitelisting, which only allows access to decrypted data through a specific application or process. Put systems in place to always monitor who is accessing the data and when, so you aren’t left surprised when unauthorized access attempts occur.

Data Backups Help

Back up data, specifically sensitive data, as a standard practice. A 2016 alert from the

U.S. Department of Homeland Security (DHS) suggested data backup as a key element of any

ransomware recovery:

“Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.”Having a backup and recovery strategy is a best practice, but the enormous amount of data organizations generate can be challenging to back up and if backups are stored on the network it can still be compromised. That is why DHS also suggests data be backed up offsite and air-gapped from the network, which is where cloud, and specifically object storage, come into play.

What About the Cloud?

The cloud is growing in popularity as a viable option for data storage, allowing for easier data recovery since not all data is kept in the network and at risk for attack. However, just because data is in the cloud, doesn’t mean it is secure. Without the right data security that encrypts data before it is sent to the cloud, cloud storage is just an open extension to your network and can be vulnerable as well. You should also control all aspects of access and visibility once the data is in the cloud.

Additional benefits to cloud storage come from using object storage and geographic dispersal to provide the redundancy and resiliency needed to quick recovery from ransomware.

While only about 10 percent of an organization’s data is used on a regular basis, companies may need to store the other 90 percent, sometimes for several years at a time, due to various regulatory requirements and processes. Object storage, especially when leveraging public cloud tiered pricing, can be a highly cost-effective answer for this issue, keeping the data stored away, but readily available for recovery. Since object storage connectivity is via API, it provides potential cost savings and air-gaps backup data from the operational network.

Geographical dispersal can be as simple as sharing the same encrypted copy to multiple cloud providers or locations to ensure if there is an issue on one platform, data can be easily recovered from another source. Other options available in the market today can split the data with resiliency across multiple cloud locations or providers – giving you an extra layer of security and speedy recovery when needed.  Whether that’s a ransomware or malware attack, or even in the event of a natural disaster, companies can be assured that their protected data is safe and recoverable.

Keep in mind with object storage, there are unique challenges, particularly privacy. While cloud service providers (CSPs) provide secure environments or even protection through encryption, you can only ensure proper security of the data in object stores of any cloud, when you are in control. With the right approach, object store dependency and privacy concerns can be alleviated. Organizations must have technical and operational processes in place to explicitly block CSPs from accessing that data. The right approach is to use client-side access controls, encryption and encryption key management as a standard part of the organization’s data protection strategy. By securing the data before it goes to object storage you won’t sacrifice data security.

The Aftermath of a Ransomware Attack

Ransomware enables cybercriminals to take command and control of systems and business operations for quick financial gain or other malicious intent. Once a successful attack begins, companies often no longer have control or access to their most valuable assets: their data.

Getting back up and running after a ransomware infection, with minimal impact to time and resources, is essential to all organizations, regardless of their size. This necessitates making data protection with secure backup and recovery an essential part of any security process. or resiliency Remember the basics when you’re recovering from a ransomware attack:

  • Identify the infected machines and remove them from the network
  • Determine if any other areas are impacted
  • Examine your backups to ensure they are not affected
  • Patch and scan devices on the network
  • Bring new machines online as needed

By employing these best practices and taking a layered approach to ransomware prevention, you can ensure your data is protected. That way, if a ransomware attack still occurs, you’ll be in the best position to regain control of your data so that you can get back online much faster, avoiding business disruption and data loss.

About the Author

Best Practices to Minimize Negative Impact,Downtime After a Ransomware InfectionJim joined SecurityFirst in 2014 with over 36 years of experience in silicon technology, server development, telecom, security systems, and software management solutions at IBM and BLADE Network Technologies. He assumed the role of President and CEO of SFC in January of 2017. Jim is well respected as a subject matter expert in the areas of data security, server systems, and management solutions. Jim earned a degree in Engineering from Youngstown State University and currently splits his time between North Carolina and Southern California, typically close to the beach and the waves. For more information, visit https://securityfirstcorp.com

March 21, 2019

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!

X