Monday, June 22, 2020

On "Ransomware"

Forty years ago, my friend and colleague, Donn Parker, suggested that "employees" would use cryptography to hide enterprise data from management.  Employees because forty years ago only one's employees could send a message to one's systems.  I laughed.  It was obvious to me that such an activity would require both "read" and "write" access to the data.  I was so young and naive that I could not foresee a world in which most of those connected to enterprise systems would be outsiders, including sophisticated criminal enterprises.  Mostly, I could not anticipate a world in which "read/write" would be the default access control rule, not only for data, but also for programs.  

We are now three years since ransomware attacks became widespread.  We are still paying.  Indeed, a popular strategy is to pay an insurance underwriter to share some of the risk.  This is a strategy that only the underwriters and the extortioners can like.  While it was an appropriate strategy to follow early on, it is no substitute for resisting and mitigating the attacks once there has been time to do so.  Has three years not been enough to address these attacks?  One would be hard pressed to argue that it has not.  

The decision to pay is a business decision.  However, the decision to accept or assign the risk, rather than to resist or mitigate the attack, is a security decision.  It seems clear that our plans for resisting and mitigating are not adequate, and that paying the extortion simply encourages more attacks.  

By now every enterprise should have a plan to resist and mitigate, on a timely basis, any such attack.  If an enterprise pays a ransom then, by definition, its plan to resist and mitigate has failed.  As always, an efficient plan for resisting attacks will employ layered defense.  It will include strong authentication, "least privilege" access control, and either a structured (segmented) network or end-to-end application-layer encryption.  The measures for mitigating will include early detection, safe backup, and timely recovery of mission-critical applications.  "Safe backup" will include at least three copies of all critical data, two of which are hidden from all users (and therefore from any malware running with a user's credentials) and at least one of which is off-site.  "Timely recovery" will include the ability to restore, not simply a file or two, but all corrupted data and critical applications within hours to days.  (While some enterprises already meet the three-copy requirement, few have the capability to recover access to large quantities of data in hours to days, rather than days to weeks.)
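The backup and recovery criteria above lend themselves to a mechanical check.  What follows is an added example, not code from the original post: it evaluates a constructed backup inventory against the three-copies / two-hidden / one-off-site rule, and estimates how long the fastest copy that is hidden from users would take to restore a given dataset.  The inventory format, the throughput figures, the 40 TB dataset and the 72-hour recovery objective are assumptions chosen for illustration.

```python
"""Recovery-readiness check for the backup criteria discussed above.

Added example, not code from the original post.  The inventory format,
throughput figures, dataset size and the 72-hour objective are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional

TB = 10 ** 12                      # decimal terabyte
MB = 10 ** 6                       # decimal megabyte
RECOVERY_OBJECTIVE_HOURS = 72.0    # assumed "hours to days" threshold


@dataclass(frozen=True)
class BackupCopy:
    name: str
    offsite: bool            # held at a separate site or provider
    user_accessible: bool    # writable with ordinary user/workstation credentials
    restore_rate_bps: float  # sustained restore throughput, bytes per second


def check_copy_policy(copies: List[BackupCopy]) -> List[str]:
    """Return policy violations; an empty list means the
    three-copy / two-hidden / one-off-site rule is satisfied."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need at least 3")
    hidden = [c for c in copies if not c.user_accessible]
    if len(hidden) < 2:
        findings.append(f"only {len(hidden)} copies hidden from users, need at least 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    return findings


def recovery_copies(copies: List[BackupCopy]) -> List[BackupCopy]:
    """Only copies hidden from users count for recovery: a copy that an
    ordinary user (and so malware running as that user) can write to must
    be assumed encrypted along with the primary data."""
    return [c for c in copies if not c.user_accessible]


def estimate_restore_hours(data_bytes: int, copies: List[BackupCopy]) -> Optional[float]:
    """Hours to restore data_bytes from the fastest usable copy,
    or None when no usable copy exists."""
    usable = recovery_copies(copies)
    if not usable:
        return None
    fastest = max(usable, key=lambda c: c.restore_rate_bps)
    return data_bytes / fastest.restore_rate_bps / 3600.0


def meets_objective(data_bytes: int, copies: List[BackupCopy],
                    objective_hours: float = RECOVERY_OBJECTIVE_HOURS) -> bool:
    """True when the dataset can be restored within the objective."""
    hours = estimate_restore_hours(data_bytes, copies)
    return hours is not None and hours <= objective_hours


# Constructed inventory for a hypothetical enterprise (not real data).
SAMPLE_COPIES = [
    BackupCopy("primary-nas-snapshots", offsite=False, user_accessible=True,  restore_rate_bps=1000 * MB),
    BackupCopy("immutable-object-store", offsite=True,  user_accessible=False, restore_rate_bps=200 * MB),
    BackupCopy("offline-tape",           offsite=True,  user_accessible=False, restore_rate_bps=50 * MB),
]
SAMPLE_DATA_BYTES = 40 * TB   # assumed size of the critical data set


if __name__ == "__main__":
    for line in check_copy_policy(SAMPLE_COPIES) or ["copy policy satisfied"]:
        print(line)
    hours = estimate_restore_hours(SAMPLE_DATA_BYTES, SAMPLE_COPIES)
    verdict = "within" if meets_objective(SAMPLE_DATA_BYTES, SAMPLE_COPIES) else "beyond"
    print(f"40 TB from fastest hidden copy: {hours:.1f} h ({verdict} the "
          f"{RECOVERY_OBJECTIVE_HOURS:.0f} h objective)")
    # Without the object store the only hidden copy is tape:
    tape_only = [c for c in SAMPLE_COPIES if c.name != "immutable-object-store"]
    print(f"tape only: {estimate_restore_hours(SAMPLE_DATA_BYTES, tape_only):.1f} h")
```

The point the numbers make is the one in the parenthetical above: the fast copy (the on-line snapshot volume) is also the one an attacker with a user's access can reach, so it is excluded, and the restore estimate has to be made from the hidden copies alone.  With the assumed throughputs the object store restores 40 TB in a little over two days; if the only hidden copy were tape, the same restore takes over nine days, which is "days to weeks", not "hours to days".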

One last observation.  If there is ransomware on your system, network, or enterprise, you have first been breached.  Hiding your data from you to extort money is only one of the bad things that can result from the breach.  If one is vulnerable to extortion attacks, one is also vulnerable to industrial espionage, sabotage, credential and identity theft, account takeover, and more.  The same measures that resist and mitigate ransomware resist and mitigate all of these other risks.

Ransomware attacks will persist as long as any significant number of victims choose to pay the ransom, that is, as long as the value of a successful attack is greater than its cost to the attacker.  The implication is that to resist attack one must increase the attacker's cost, not simply marginally but perhaps by as much as an order of magnitude.  Failure to do so is at least negligent, probably reckless.  Do, and protect, your job.  
