Businesses should no longer be held to ransom

Mohammed Abukhater, regional director, Middle East and Africa, FireEye

Most cyber attacks target weaknesses in the defence of organisations which are created, knowingly or unknowingly, by staff or third parties, Abukhater warns.

By Mohammed Abukhater. Published June 18, 2017

Recent attacks like WannaCry have rattled even the most confident and experienced IT and security experts, and are showing the world that not everything in the technology world is as safe and secure as we would like to think. As the term ransomware suggests, these attacks transfer control of digital assets to the attacker, forcing the owner to pay a ‘ransom’ to regain control. Given the value that individuals and organisations place on personal and organisational data, you can imagine the quick returns made from this malicious activity.

With the increase in technology adoption, and as digital assets often become the most valuable assets of an organisation, there is undoubtedly an increase in electronic financial crime affecting all parts of the world, including the Middle East. These threats often target weaknesses in the defence of organisations which are created, knowingly or unknowingly, by staff or third parties.

Ransomware becomes even more of a concern when organisations realise that there is no way to predict or detect attacks in advance. It is also hard to stop it from spreading once it strikes, and it can result in the loss of the digital assets if the owner takes a ‘no ransom’ stand. In addition to dealing with the attack itself, a situation could arise where a ransom needs to be paid to get the hackers out of the system. Then consider the potential fines from regulators, and you can see how this escalates into a board-level discussion about security strategy, practices and measures.

As seen recently, ransomware can gain entry through phishing mails, and infected devices such as USB drives. Once in a system, it is only a matter of time before it spreads within the corporate network, affecting devices (computers, laptops, smartphones), and even the storage systems attached to the network.

Organisations that have strong data back-up policies and procedures in place will usually not be seriously affected: they can simply ignore the ransom demands, review and repair all vulnerabilities in their architecture after the attackers have deleted their primary data, bring the backed-up data back online, and carry on as normal. Other organisations that do not prioritise back-up as a regularly scheduled task may realise its importance the hard way.

There is a long list of known ransomware variants, with a marked increase in the brazenness, prominence, frequency and number of ransomware attacks in recent years. Some of the ones to watch out for include Cryptolocker and its variants such as Kriptovor and Teslacrypt, Cerber, Dridex and Locky, and most recently WannaCry.

Given this ever-present threat environment, what can organisations do to protect themselves against ransomware? There are five key areas of focus required to minimise the risk.

The first is to minimise the likelihood that a phishing campaign will be successful, by educating users on the importance of knowing or verifying the origin, history and trustworthiness of an email or website. This not only builds a pool of more aware users within the infrastructure, but also allows them to flag suspicious activity to the security experts. While not foolproof, this is a great way to limit the possibility of success right at the entry point.

The second level of protection is to implement technology on email and web gateways that scans for known or suspicious URLs. Such solutions can help sort legitimate content from malware or unknown, suspicious sites.

The third layer of defence is to have technology installed on the end-user devices. This typically monitors the behaviour of applications and their usage, and can detect activity that indicates ransomware. For example, a process that is sequentially encrypting files is likely to be ransomware, but it could also be a legitimate process used for data protection purposes. In such cases the process can be whitelisted after more detailed review by experts.

The fourth level is the use of network security solutions that can detect ransomware before it takes hold and can quarantine the suspicious process or even detonate it in a sandbox. Such solutions may also be able to use intelligence on known sources and features to assess the likelihood that a process is ransomware from its download source or other attributes.

Finally, suspicious file activity on the server should be detected, using similar parameters to those on the endpoints. Servers also need to be backed up on a daily, or even more frequent, basis, according to good data governance procedures and depending on the business need. As long as this backup plan involves storage that is inaccessible to ransomware from within the same infrastructure, this step can go a long way towards mitigating the impact of a ransomware attack.
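The endpoint behaviour check described in the third layer, and the matching server-side check described above (a process writing encrypted-looking content to many files in quick succession, with a whitelist path for legitimate tools that have been reviewed), as an added Python example that is not part of the article or of any FireEye product. The event format, the thresholds and the whitelist entries are assumptions made for illustration; the events are constructed sample data.

```python
import math
from collections import defaultdict

# Thresholds and whitelist are illustrative assumptions, not vendor guidance.
WINDOW_SECONDS = 10.0   # burst window that counts as "sequential" encryption
MIN_FILES = 5           # distinct files with encrypted-looking writes per window
HIGH_ENTROPY = 7.0      # bits per byte; encrypted or compressed data sits near 8
REVIEWED_PROCESSES = {"backupagent.exe"}  # whitelisted after expert review (assumed)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a write sample; ~8.0 means random-looking (encrypted) content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def score_events(events):
    """Group file writes per process and return {(pid, name): verdict}.
    events: iterable of (timestamp_s, pid, process_name, path, sample_bytes).
    Verdict is 'ransomware-like', 'whitelisted' or 'normal'."""
    high_entropy_writes = defaultdict(list)
    for ts, pid, name, path, sample in events:
        high_entropy_writes.setdefault((pid, name), [])
        if shannon_entropy(sample) >= HIGH_ENTROPY:
            high_entropy_writes[(pid, name)].append((ts, path))
    verdicts = {}
    for key, writes in high_entropy_writes.items():
        writes.sort()
        burst = False
        for i, (t0, _) in enumerate(writes):  # sliding window over sorted writes
            files = {p for t, p in writes[i:] if t - t0 <= WINDOW_SECONDS}
            if len(files) >= MIN_FILES:
                burst = True
                break
        if not burst:
            verdicts[key] = "normal"
        elif key[1].lower() in REVIEWED_PROCESSES:
            verdicts[key] = "whitelisted"
        else:
            verdicts[key] = "ransomware-like"
    return verdicts

# Constructed sample events: one unknown process and one reviewed backup agent
# both write encrypted-looking data to six files, a word processor writes plain text.
ENC = bytes(range(256))                   # stand-in for ciphertext (8.0 bits/byte)
TXT = b"Quarterly figures, draft 3. " * 9  # ordinary document text
EVENTS = (
    [(0.3 * i, 4101, "updater.exe", f"C:\\Users\\a\\Docs\\f{i}.docx.locked", ENC) for i in range(6)]
    + [(100 + 0.5 * i, 2200, "backupagent.exe", f"D:\\Backup\\f{i}.bak", ENC) for i in range(6)]
    + [(200.0, 3300, "winword.exe", "C:\\Users\\a\\Docs\\memo.docx", TXT)]
)
```

Running `score_events(EVENTS)` flags `updater.exe` as ransomware-like, passes `backupagent.exe` as whitelisted and leaves `winword.exe` as normal; in practice the same logic is fed from an endpoint or server file-activity sensor rather than a static list.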

None of these approaches is particularly new or innovative, but it is worthwhile to consider whether all of them have been deployed in a cohesive and strategic manner. Maturity around security considerations need not come from size alone: probably the most affected in the recent attacks were large enterprises, while smaller businesses and start-ups were less impacted due to their less complex architecture, and possibly more control over digital assets of a more manageable size.

The best way to avoid ransomware is to ensure that all digital assets are secured by a well-educated workforce, guarded by a well-planned and dynamic security protocol that remains mature and effective even in a constantly evolving threat landscape.
