The entire planet has been severely impacted in the first several months of 2020. SARS-CoV-2, the virus that causes COVID-19, now dominates the daily worldwide news. No one was prepared for this, and no one thought it would last this long.
Countries throughout the world are doing what they can to mitigate problems and casualties: containing the spread of the virus through isolation and sanitation, monitoring and testing, developing effective treatments, and eventually preventing future spread with a vaccine.
Unfortunately, the rise of COVID-19 also came with an uprising of email and phishing cyber threats. We had all heard these types of stories long before January 22, 2020. Cyberattacks such as CryptoLocker (2013-2014), Petya (2016), Bad Rabbit (2017) and many others are variants of previous ransomware attacks. WannaCry was notorious for the global impact it had in January of 2017.
There are clear correlations between a virus in nature and a virus in cyberspace. Nature and cyberattacks share the same basic problems:
An available and active virus.
A vulnerable carrier or host.
Transmission by an interconnected contact.
The lack of isolation or segmentation allows for more infection.
The lack of testing to detect a virus allows it to spread to a massive level before being noticed.
The lack of alerting, caused by missing detections and by monitoring systems that are not universally mature.
The lack of ability to prevent new infections or reinfections until an anti-virus, a.k.a. vaccine, is developed.
Experts triage infected hosts to the best of their ability, supporting system functions in an effort to avoid termination of the host.
If you review the problems in both WannaCry and SARS-CoV-2, the remedy is the same in both cases. Failure to take appropriate steps increases the risk of ongoing infection, spread, and consequences. For humans with COVID-19, we know it means a certain percentage of people will lose their friends, family, and coworkers. For businesses affected by ransomware, it means systems will be lost, impacting operations. A certain percentage of companies may never recover and will close their doors.
What does it take to reopen a company after a ransomware attack?
We would do well to heed the same best practices for computer systems when considering how to protect a company from ransomware. Fortunately for us, technology is typically more forgiving than COVID-19.
What can you do to detect and prevent the spread of viruses in your organization?
Protect the endpoint:
Host-based firewalls.
Principle of least privilege for role-based access control and operating privilege level.
Strong authentication mechanisms.
Protect the enclave:
Multi-factor authentication systems.
Isolate network segments/Virtual Local Area Networks (VLANs) with Access Control Lists (ACLs).
Monitor and alert on log events which correlate to bad behavior (SIEM).
Monitor, alert, and block network anomalies (Network Anomaly Detection).
Automate response to threats, because ransomware moves at the speed of light (SOAR).
Encrypted and private networks for the workforce operating outside the organization’s digital protections (VPNs).
Any CISO and most CIOs will readily recognize the above steps as strong strategies for keeping their business systems up and running in the face of active and automated threats.
How committed are you to protecting your work force?
Rich Lindberg, vCISO & Senior Security Consultant, Nth Generation