NIST Issues Cybersecurity Framework for Ransomware Risk Management
A Ransomware Profile, published recently by the National Institute of Standards and Technology (NIST), identifies steps organisations can take to prevent, respond to, and recover from ransomware events. The profile was developed by NIST’s Information Technology Laboratory (ITL). “The objective of this tool…is to assist enterprises in identifying and prioritising possibilities for increasing their security and resilience against ransomware attacks,” according to the profile. NIST urges companies to use the document as a reference for evaluating the state of their own readiness and for identifying the gaps they need to close to reach that goal.
It is based on NIST’s Cybersecurity Framework Version 1.1 and gives practical advice to enterprises on how to protect themselves against the ransomware threat, including the following “basic preventative steps”:
- Use antivirus software at all times;
- Keep machines fully patched, including scheduled checks for updates and the installation of patches “as soon as reasonably possible”;
- Segment the network;
- Continuously monitor directory services (and other primary user stores) for signs of breach or active attack;
- Use products or services that block access to server names, IP addresses, or ports and protocols known to be malicious or suspected to be signs of malicious system activity;
- Allow only approved applications to run, using an allowlist, and maintain procedures for reviewing, adding, and removing permitted applications from the list;
- Use standard user accounts rather than administrator accounts whenever feasible;
- Do not allow personal devices to connect to company networks;
- Do not use work computers to access personal applications such as email, chat, and social networking;
- Educate employees on social engineering techniques;
- Assign and maintain credential authorisation for all corporate assets and software, and perform frequent checks to ensure that each account has just the access it is authorised to have.
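The last item, a recurring check that every account holds only the access it has been authorised to hold, is the kind of step that can be partly automated. The script below is an added example written for this article, not code from NIST or the Ransomware Profile: it compares the access observed on systems (for instance, an export of local administrator and directory group memberships) against an authorisation register, and reports every grant that has no matching authorisation. Both inventories are constructed sample data, and the host names, account names and privilege labels are assumptions chosen for illustration.

```python
"""Entitlement drift review: observed access versus authorised access.

Added example (not NIST's code). The two inventories below are constructed
sample data; in practice they would be exported from a directory service,
local-group audit, or an IAM/PAM system, and from the access-request records.
"""

from dataclasses import dataclass

# Constructed sample: access actually observed on systems.
# account -> set of (asset, privilege) tuples.
OBSERVED_ACCESS = {
    "alice": {("fileserver01", "user"), ("fileserver01", "admin")},
    "bob": {("fileserver01", "user"), ("db01", "admin")},
    "svc-backup": {("fileserver01", "backup-operator"), ("db01", "admin")},
    "contractor7": {("db01", "user")},
}

# Constructed sample: what has been authorised through the access process.
# An account missing from this register has no authorisation on record at all.
AUTHORIZED_ACCESS = {
    "alice": {("fileserver01", "user")},
    "bob": {("fileserver01", "user"), ("db01", "admin")},
    "svc-backup": {("fileserver01", "backup-operator")},
}

# Privilege labels treated as high impact because they allow broad changes
# (the kind of access ransomware operators look for). Assumed labels.
PRIVILEGED = {"admin", "domain-admin", "backup-operator"}


@dataclass(frozen=True)
class Finding:
    account: str
    asset: str
    privilege: str
    reason: str
    severity: str


def review_entitlements(observed, authorized):
    """Return one Finding per observed grant that is not authorised.

    Grants present in the register but absent on the systems are not reported:
    they are hygiene issues, not excess access.
    """
    findings = []
    for account, grants in sorted(observed.items()):
        allowed = authorized.get(account)
        if allowed is None:
            # No record at all: every observed grant is unaccounted for.
            excess = grants
            reason = "no authorisation record for account"
        else:
            excess = grants - allowed
            reason = "access not authorised"
        for asset, privilege in sorted(excess):
            severity = "high" if privilege in PRIVILEGED else "low"
            findings.append(Finding(account, asset, privilege, reason, severity))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'high': 2, 'low': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def format_report(findings):
    """Render findings as one line each, most severe first."""
    order = {"high": 0, "low": 1}
    lines = []
    for f in sorted(findings, key=lambda x: (order[x.severity], x.account)):
        lines.append(f"[{f.severity.upper()}] {f.account} has {f.privilege} on "
                     f"{f.asset}: {f.reason}")
    return lines


if __name__ == "__main__":
    report = review_entitlements(OBSERVED_ACCESS, AUTHORIZED_ACCESS)
    print("\n".join(format_report(report)))
    print(summarize(report))
```

Run periodically against fresh exports, the output is a short list of grants to revoke or to get formally authorised; the high-severity lines (unauthorised administrative or backup-operator rights) are the ones to act on first, since those are the grants that let an intruder disable protections or reach backups.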
The profile also lists a number of procedures that firms “may take today” to aid in the recovery from a potential ransomware attack, such as:
- Develop and implement an incident recovery strategy that includes clearly defined responsibilities and strategies for decision-making, as well as a list of business-critical services that can be prioritised for recovery in the event of an incident;
- Ensure that a data backup and restoration strategy is meticulously planned, implemented, and tested, including safe and separated backups of critical data;
- Create and keep up to date a list of internal and external contacts in the event of a ransomware attack.
The profile applies the five core functions of the Cybersecurity Framework (identify, protect, detect, respond, and recover) to ransomware in order to mitigate its effects. Among other things, organisations should:
- Inventory assets, systems, and processes, as well as any areas where controls may be shared with third parties;
- Ascertain that everyone in the organisation understands his or her role and responsibility in terms of avoiding and responding to ransomware events, and that the structure is documented;
- Establish and disseminate procedures that will help to avoid or minimise ransomware attacks in accordance with legal and regulatory obligations, where necessary;
- Incorporate ransomware concerns into the governance of the organisation’s risk management;
- Ensure that information-sharing providers can supply cyber threat intelligence;
- Recognise the financial and operational consequences of future ransomware incidents;
- Implement a ransomware incident response plan that is appropriately prioritised, has defined roles, includes both technical and business responses, and is regularly tested (to ensure that the plan and processes continue to meet changing organisational needs and structures, as well as new ransomware types and tactics);
- Manage the coordination of ransomware contingency plans with suppliers and third-party service providers;
- Maintain a continuous training programme for ransomware risks; and
- Monitor employee activity for signs of insider threats, insecure work habits, and compromised credentials, among other things.
Earlier this year, the Biden administration announced a number of initiatives to combat ransomware, which included the following:
- Anne Neuberger’s Open Letter to Corporate Executives and Business Leaders, published on June 2, 2021, which emphasised that the private sector has a “critical responsibility” to protect against cyber threats, “urg[ing]” businesses “to take ransomware crime seriously and ensure [their] corporate cyber defences match the threat,” and recommended a variety of cyber “best practises” to be implemented by companies (e.g., multifactor authentication, endpoint detection, and endpoint protection);
- The June 3, 2021, announcement of a Ransomware and Digital Extortion Task Force, to be led by the United States Departments of Justice and Homeland Security;
- An August 25, 2021, discussion with CEOs from the technology, finance, energy, water, insurance, and education sectors, in which President Joe Biden highlighted the need for a “whole-of-nation” approach to combating cyber threats, particularly in critical infrastructure;
- The US Department of the Treasury’s September 21, 2021, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments; and
- Ransomware guidance from the FBI’s Internet Crime Complaint Center (IC3) (Ransomware: What It Is & What To Do About It), from the Cybersecurity and Infrastructure Security Agency (CISA) (Stop Ransomware), and jointly from the FBI and CISA (Ransomware Awareness for Holidays and Weekends).
In addition, a bipartisan group of United States Senators has introduced the Cyber Incident Notification Act, which, if passed, would require federal agencies, government contractors, and owners and operators of critical infrastructure to report cyber intrusions to the Center for Internet Security (CIS) within 24 hours of their discovery. There are a number of jurisdictions proposing legislation that would prohibit or severely restrict state and municipal governments from paying ransom in the case of a cyberattack, including New York, North Carolina, Pennsylvania, and Texas.
The recent guidance from the National Institute of Standards and Technology (NIST), as well as parallel actions by the executive and legislative branches, demonstrate that ransomware is a top-of-mind concern across the government, and that there may be higher expectations for what constitutes reasonable cybersecurity measures.