5 White House Recommendations for Modern Data Protection Against Ransomware
Ransomware has been making headlines for several weeks. It caused widespread gas shortages and disrupted meat plant operations. It also exposed critical police files. This latest wave of ransomware attacks is only the tip of an iceberg.
According to a report from Group-IB, ransomware attacks surged by 150% in 2020, with the average extortion amount doubling. Ransomware attacks have been on the rise, affecting both the public and private sectors in increasing numbers.
In response to these increasing cyber threats, the White House recently raised ransomware to the top of the national security agenda, issuing a bluntly worded warning for American businesses to take urgent security measures to protect against attacks.
Ransomware is on the Rise at a Massive Scale
Ransomware attacks are not only increasing in frequency, but they have also become more disruptive and costly. In fact, according to Sophos’ global survey, “The State of Ransomware 2021,” the average total cost of recovery from a ransomware attack increased from $761,106 in 2020 to $1.85 million in 2021, and these costs are continuing to rise. FBI Director Christopher Wray went so far as to compare the string of recent attacks to the challenge posed by the 9/11 terrorist attacks. What has changed?
Previously, attackers gained access to computers mainly through phishing emails that delivered malware when an employee clicked on a link. The malware would encrypt company servers, and the attackers would offer the decryption keys in return for a ransom of five to six figures. These threat actors did not target specific company information, and they didn’t know in advance which company they would eventually compromise. It was all about finding a system that could be exploited.
The game has changed and is now a serious threat to core business operations. The attacks of today involve stealing company information, understanding financial data, and identifying potential opportunities for maximum profit.
Many threat actors are sophisticated criminal organizations that seize sensitive company information and target backup systems before issuing an ultimatum. Ransom demands are often tens of millions of dollars.
Ransomware protection is a national security priority
Ransomware is now a top national security priority. The US government has started to implement a variety of measures to counter attacks. These include new policies around ransom payments and holding accountable the nations that harbor cybercriminals.
Anne Neuberger, deputy national security adviser for cyber and emerging technology at the White House, believes the executive order will “set the goal, give it a timeline, and then establish the process to work out the details.”
However, government action alone is not enough; businesses must address the risk as well.
5 Steps To Reduce Ransomware Risks
Five steps businesses can take to strengthen their defenses against ransomware threats are outlined in the White House memo.
1. Back up your data. Unfortunately, today’s sophisticated attacks head straight for backups, compromising them before taking over production environments. Standard backups don’t suffice.
A multilayered defense with a modern approach to backup and restore is essential. Backup data and backup metadata should be kept in an immutable condition. By backing up files with frequent snapshots that can’t easily be deleted, encrypted, or modified, organizations can be confident that their data is safe from malicious tampering. This data must also be accessible quickly and easily, so it is important to have an infrastructure that provides that accessibility. By ensuring data protection and restoration, businesses can avoid the major organizational, reputational, and financial consequences of ransomware attacks.
It is also important to know that backing up data involves two crucial components:
- Demonstrate recoverability beyond immutability: Although sophisticated attackers cannot alter an immutable backup, they can delete it if they obtain the right credentials. A solution like Pure SafeMode™ snapshots removes the attacker’s ability to delete your backups and is essential for recoverability.
- Recover quickly: You need an immutable point of recovery, but you also need to be capable of restoring from it quickly. Organizations have paid ransoms simply to speed up recovery because their backup systems were too slow to restore. Backups and recovery alone are not enough; you need the speed to get key systems up and running faster, such as the petabytes per day achievable with solutions like Pure FlashRecover™, Powered by Cohesity®, and Rapid Restore.
2. Patch and update systems immediately. A patch management program benefits from a centralized logging platform that records details about all systems. It is also important to have a risk-based assessment strategy that supports the patch management program, along with a security analytics program that identifies anomalies in your environment.
A solution like Pure FlashBlade® gives you the ability to log all your systems via a platform like Splunk or Elastic. It provides the fast, critical analytics processing needed to identify attackers in your environment.
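Steps 1 and 2 together imply a concrete detection: attackers who go after backups first must delete snapshots or weaken retention, and a centralized log of storage operations makes that visible. The following is an added example written for this post, not code from the original article or from Pure Storage; the audit log format, field names, action names and thresholds are assumptions, and the log lines are constructed.

```python
"""Detect backup-tampering activity in centralized storage audit logs.
Added example; log format, action names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<timestamp> <user> <action> <target>".
SAMPLE_LOG = """\
2021-06-10T02:00:01Z backup-svc snapshot.create vol-finance@daily-0610
2021-06-10T03:14:07Z jdoe snapshot.delete vol-finance@daily-0601
2021-06-10T03:14:09Z jdoe snapshot.delete vol-finance@daily-0602
2021-06-10T03:14:10Z jdoe snapshot.delete vol-finance@daily-0603
2021-06-10T03:14:12Z jdoe snapshot.delete vol-finance@daily-0604
2021-06-10T03:14:15Z jdoe snapshot.delete vol-finance@daily-0605
2021-06-10T03:15:40Z jdoe retention.lock.disable vol-finance
2021-06-10T09:00:00Z admin snapshot.delete vol-test@scratch-1
"""

DELETE_THRESHOLD = 5           # this many deletes by one user ...
WINDOW = timedelta(minutes=5)  # ... within this window is suspicious
POLICY_ACTIONS = {"retention.lock.disable", "snapshot.policy.shorten"}

def parse(line):
    """Split one audit line into (timestamp, user, action, target)."""
    ts, user, action, target = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, target

def detect_backup_tampering(log_text):
    """Return a list of (kind, user, detail) alerts from audit log text."""
    alerts = []
    deletes = defaultdict(list)  # user -> timestamps of snapshot deletes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target = parse(line)
        if action in POLICY_ACTIONS:
            # Any weakening of immutability/retention is always alert-worthy.
            alerts.append(("policy_weakened", user, f"{action} on {target}"))
        elif action == "snapshot.delete":
            deletes[user].append(ts)
    for user, stamps in deletes.items():
        stamps.sort()
        start = 0  # sliding window over this user's deletes
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 >= DELETE_THRESHOLD:
                alerts.append(("mass_snapshot_delete", user,
                               f"{end - start + 1} deletes within {WINDOW}"))
                break  # one alert per user is enough
    return alerts
```

A single routine deletion by an administrator stays below the threshold, while a burst of deletes followed by a retention-lock change produces two alerts for the same user.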
3. Test your incident response plan. Consider the infrastructure that will support your incident response plan. The best plans today are focused on prevention and have solutions in place to stop problems from ever happening. Your response plan should include testing all parts of the process and the supporting infrastructure. Walking through the process in a tabletop exercise is not enough; that will not reveal the true gaps in your restoration capabilities.
Testing is incomplete without the ability to fail over between sites. Organizations must ensure that their storage solutions can fail over seamlessly and with minimal data loss. Solutions like Pure ActiveCluster™ offer a true zero RPO/RTO: instantaneous failover that requires no manual intervention. Pure ActiveDR™, for example, offers a near-zero RTO/RPO at the touch of a button. These solutions are also useful in disaster recovery testing, as they allow you to test failover capabilities and then fail back without any user intervention. This is especially important for large or geographically dispersed organizations.
4. Check the work of your security team. It is worth investing in a third-party penetration testing company, then identifying and fixing any vulnerabilities they find. You can also use bug bounties to gain a more realistic view of how vulnerable your company is through the eyes and hands of external attackers. Penetration testers often take a siloed approach when testing; their assessment methods and tools are not universally applicable, which can limit the results they provide. Bug bounty programs, on the other hand, have no such constraints and allow researchers full creative freedom to discover vulnerabilities that would let an attacker gain access to your environment.
5. Segment your networks. You should filter internet access to corporate networks and identify the links between them. Then, develop workarounds and manual controls to ensure that ICS networks can be isolated from any potential threats.
Remember that segmentation is a way to limit an attacker’s ability to destroy systems and ensure some degree of recovery. Segmentation can be expensive and time-consuming. Segmentation requires constant care, feeding, and the ability to manage. SafeMode achieves the same technical result without the complexity and overhead of virtual networking. SafeMode also creates out-of-band, multifactor-authentication-protected backup snapshots that can’t be deleted, even by an attacker who holds administrative credentials.
These best practices are not the only ones recommended by the executive order. Businesses should also implement the following security and common-sense practices immediately:
- Enable multifactor authentication.
- Install an endpoint detection and response (EDR) system.
- Encrypt all data, both in transit and in use.
- Build or hire a competent, empowered security team.
Corporate Boards also play a role in data security oversight
The US Federal Trade Commission (FTC), along with the White House has raised the alarm about data security concerns. The FTC urges companies to:
- Create a team of stakeholders across your organization. Data security programs should include stakeholders from legal, business, and technology departments. This includes both operational and high-level experts.
- Establish board-level oversight. Cybersecurity threats, defenses, and responses should be overseen by the board. This ensures that senior management is aware of the situation and has the resources to respond.
- Hold regular security briefings. Board members must be kept informed, involved, and up to date. Regular briefings let boards manage their oversight responsibility effectively, understand the security landscape, and prioritize potential threats to the company.
- Do not confuse security with legal compliance. Meeting compliance obligations does not by itself make a company secure. Cybersecurity threats are constantly evolving. Boards should ensure that their security programs align with their needs, priorities, and technology, rather than being geared only toward satisfying compliance requirements and obligations.
Protection, Detection, & Rapid Recovery
No business wants to experience the disruption of a ransomware attack or pay a costly ransom. It is essential to have cyber resilience with modern data protection. This protects your data from being a target and minimizes downtime.
Pure places a special emphasis on data security with solutions such as SafeMode, ActiveCluster, ActiveDR, and Rapid Restore. Pure doesn’t just help organizations follow the above guidance; we help them surpass it. Although the White House guidance is very practical, it does not address the crucial aspect of recovery in depth.
It doesn’t matter how many backups are available or how quickly they can be taken. What really matters when systems fail is the speed at which you can get your business back online. An appropriate data protection architecture with a data bunker for long-term retention and recoverability must be designed and implemented to enable a rapid restore that ensures both recoverability and speed.
We learned over the past year that business no longer works the way it used to. It’s all about being prepared for the unexpected and alert to what could happen if we neglect our responsibility to monitor the network. Everyone has a part to play in security, and this level of attention requires the right partner and technology.