Defending against ransomware – The basics

July 29, 2021 | Zachary Curley

Introduction

Given the spate of recent ransomware attacks, the latest of which occurred shortly before Independence Day, this topic is likely at the top of mind for most organizations. Understanding the fundamentals of security, and the most common ways ransomware gets installed, is a must if a company hopes to truly lay the groundwork required to build and operationalize their security program.

Let me start off by saying this is not a technical resource. I won’t be talking about system configurations, or recommending a new tool or software. Instead, I will be discussing fundamentals of cybersecurity that can be applied to your organization to help prevent potential breaches. This is because when attackers begin identifying targets they always start with the basics, which means you should too.

Top attack vectors

The goal of any cybersecurity program is, ultimately, the reduction or removal of risk. Not every organization has the same technical landscape, regulatory requirements, or internal processes, which means their exposure to risk can vary wildly. When it comes to ransomware however, most attacks leverage one of the below avenues to gain a foothold on company systems.

Employee Error

One of the most common vectors for any type of security breach is employee errors. These mistakes can range from clicking on a malicious link in an email, plugging in a corrupted or vulnerable device, or even simply divulging their passwords. Attackers have dozens of ways of exploiting staff members to gain access to internal systems.

Some employees may even intentionally take actions to harm the company if they are disgruntled or have an ax to grind. Regardless of the reason, the effect on the organization is still the same – a breach.

System misconfiguration or vulnerability

As I noted at the beginning of this post, most attackers are looking for the low-hanging fruit when it comes to executing a breach. Attackers will regularly scan public-facing IPs looking for signs of weakness they can exploit. These can include things like:

  • Insecure or unpatched software
  • Insecure or unnecessary ports
  • Using manufacturer passwords, or default passwords

Searching for known weaknesses (such as an outdated version of software) allows attackers to quickly compromise networks with limited effort. These attackers have turned this into a business, and as with any business, finding ways to reduce cost or effort is a fundamental component of increasing profits.

Vendor breach

Last but most certainly not least, especially as seen recently, are breaches caused by third parties. These may stem from what I discussed above, or come via another route, but vendors play a key role in your security. Vendors come in a variety of shapes and sizes, such as cloud providers, software developers, or contractors. Whether they are a software provider, a data host, or any other solution, each offers its own set of risks.

Depending on the type of service vendors provide, they may have direct links to your network which can greatly expand your attack surface.

Key components of cybersecurity

Now that we’ve highlighted some of the most common ways attackers gain illicit access to their target’s network, we can discuss the best ways to protect against them. The following is not an extensive list by any means but provides general guidance on steps you can take to better protect your organization.

Employee training

Given the outsized role employees play in protecting an organization, training them to recognize (and respond to) potential attacks is critical. Training can take the form of in-person presentations, digital learning solutions, emails, social engineering campaigns, and beyond. It is standard practice to have at least annual training on general security best practices such as password creation and management, how to identify phishing emails, et cetera.

I personally always advise my clients to also conduct active social engineering campaigns to further reinforce education and identify areas for improvement.

Vulnerability Scanning and Penetration Testing

No system is perfect, and people make mistakes. These two points are some of the primary reasons organizations should always conduct regular vulnerability scans and partner with third parties to conduct penetration testing. Understanding where your risks are goes a long way in preventing attacks from occurring, or mitigating the damage when they do. Picking all the low-hanging fruit means most attackers will move on to easier targets, thereby reducing some of the available threats.

Vendor management

Understanding who your vendors are, what services they provide, and the associated threat landscape is vital to protecting your organization. Once you know the threats your vendors introduce, compensating controls can be applied to reduce them. Where possible, it is recommended that organizations conduct their own audits of vendor security as well, to confirm they meet the organization's level of security and are capable of fulfilling security-related service level agreements.

It is recommended that vendors never receive permanent access to internal systems or software unless absolutely required. Additionally, vendors should never be provided with unmonitored administrative access for any purpose.

Backups

One overarching control that can be applied to help prevent long-term damage from a ransomware attack is a strong backup program. Backups allow organizations to restore lost or damaged data including things like system configurations, files, and more. One reason ransomware is so effective is because most organizations lack the ability to restore their encrypted files. With a strong backup system one of the major threats of ransomware is negated.

Backups should, at a minimum, cover all critical systems and any data the organization requires to continue operations, such as databases, disaster recovery plans, et cetera. To provide additional security, copies of backups should be stored offsite in a separate geographical area and on a modern media format. Relying on older technology to store backups can lead to issues with recovery depending on when the backup is needed. It is also important to choose media that can be stored without requiring a network connection, to add a further layer of protection against attacks. Backups should also be tested regularly to ensure functionality and completeness.

Assessing your program

If you want to really confirm the strength of your security program, bringing in a third party to conduct a risk assessment is highly advised. Having an unassociated party, especially one removed from organizational pressures or personal investment, is the best way to understand if your program is effective. Having outside eyes on current operations can also highlight opportunities for improvement that may have been missed during initial development and implementation.

These types of assessments can vary from technical, such as penetration tests or configuration reviews, to operationally focused, like AT&T’s Cyber Risk Posture Assessment. Both types of reviews are helpful, but it's important to select the most relevant one for your organization. It is recommended that an organization have both a penetration test and a general risk assessment conducted annually to identify risks or gaps within current operations.

Internal reviews and audits should also be conducted, although these are quite time consuming and may suffer from internal pressures, thereby distorting the final results.

Conclusion

When it comes to cybersecurity there are hundreds, if not thousands, of things that must be addressed to keep systems running and business moving along. Risks will always be present, and new threats will pop up every day. It is important to stay up to date with security news and industry best practices to make sure your organization is safe and functional.

Hopefully what I’ve written above will provide some insight into what good cybersecurity looks like and help fix the gaps that allow simple attacks to occur.

About the Author: Zachary Curley

Zach is a Consultant in the AT&T Cyber Security Solutions, Business Services offering. He has experience in numerous industries including Healthcare, Entertainment, and Management Consulting, and has advised companies in the Fortune 100, all the way down to sole-proprietorships. Having started on the technical side of Information Technology, he has a strong understanding of infrastructure and IT operations. His work has helped clients create, mature, audit and secure their Information Security and Privacy programs, and identify and remediate gaps and weaknesses in their organization. Zach specializes in Data Privacy and Vendor Management and has created, launched, and managed numerous third-party risk management programs during his career.
