There has been a great deal of recent news and discussion about several malware families classified as ransomware. Other damaging malware attacks exist and have existed, but ransomware is currently the most heavily publicized.
Ransomware attacks are not simple, but they are commonplace today. They typically enter an organization through social engineering: the malware arrives as an executable embedded in or disguised as an email attachment, and a user runs it. We have seen several outcomes so far. In the basic case, an individual machine is encrypted, the attacker holds the decryption key, and payment in Bitcoin is demanded in exchange for decrypting that machine. The nastier variants spread from machine to machine across the network, producing a systemwide infection. This causes severe networkwide shutdowns, and the organization either recovers by paying a considerably larger ransom or, if it was prepared, restores from backups.
The supply of targets for ransomware attacks is almost unlimited, and small and medium businesses (SMBs) are the most vulnerable because most are not equipped to handle these attacks. SMBs typically face a few dilemmas: What is a bitcoin and how do I get one? Our network and backup processes were not prepared to remediate the problem. And lastly, law enforcement does not recommend paying the ransom, and there is no guarantee that the attacker will actually provide a working decryption key.
The other type of attack, less publicized but equally damaging, is the "insider threat," in which the attacker is currently or was previously authorized to work inside your organization. These individuals can cause incalculable damage to your company, whether through system-level attacks or through loss of intellectual property. An insider threat is as complex to detect and remediate as an external attack. The differentiator is that the insider already knows the weaknesses and knows where the most valuable information is kept. As with external threats, experts recommend both employee training and monitoring capabilities that detect behavioral changes in real time.
Some additional processes that help SMBs monitor their employees, networks and behaviors in order to identify insider and external threats include:
- Developing and enforcing policies for access to information systems
- Monitoring and auditing for inappropriate access, and remediating upon discovery
- Enforcing authentication and locking accounts after a limited number of failed login attempts
- Monitoring printer use, large downloads, database queries and email
- Deploying real-time network monitoring of flows, files, connections, ports and suspicious IPs
- Managing the identities (accounts and access rights) of current and past employees
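As an added illustration of the monitoring items above (limited login attempts, large downloads, and connections to suspicious IPs), here is a small Python detector run over constructed log lines. It is example code written for this page, not a tool from the original text; the log format, user names, thresholds and the blocklisted address are all hypothetical.

```python
"""Toy detection logic over constructed authentication/file/network events.

Three checks, each mapped to one of the monitoring practices listed above:
  1. failed_login_burst : N or more failed logins by one user within a window
  2. large_download     : cumulative download volume per user over a limit
  3. suspicious_ip      : any outbound connection to a blocklisted address
Log format, users, thresholds and the blocklist entry are hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. Fields: timestamp, event type, user, key=value...
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN_FAIL alice src=10.0.0.5
2024-03-01T09:00:03 LOGIN_FAIL alice src=10.0.0.5
2024-03-01T09:00:05 LOGIN_FAIL alice src=10.0.0.5
2024-03-01T09:00:07 LOGIN_FAIL alice src=10.0.0.5
2024-03-01T09:00:09 LOGIN_FAIL alice src=10.0.0.5
2024-03-01T09:00:11 LOGIN_FAIL alice src=10.0.0.5
2024-03-01T09:05:00 LOGIN_OK bob src=10.0.0.7
2024-03-01T09:06:00 DOWNLOAD bob bytes=500000000 file=customers.csv
2024-03-01T09:07:00 DOWNLOAD bob bytes=700000000 file=designs.zip
2024-03-01T09:08:00 CONNECT bob dst=203.0.113.9 port=443
2024-03-01T09:09:00 LOGIN_FAIL carol src=10.0.0.8
2024-03-01T10:30:00 LOGIN_OK carol src=10.0.0.8
"""

# Hypothetical tuning values; a real deployment would load these from policy.
SUSPICIOUS_IPS = {"203.0.113.9"}            # blocklist entry (TEST-NET-3 range)
FAILED_LOGIN_LIMIT = 5                      # alert/lock at this many failures...
FAILED_LOGIN_WINDOW = timedelta(minutes=10) # ...within this sliding window
DOWNLOAD_LIMIT_BYTES = 1_000_000_000        # cumulative per user in the log


def parse_line(line):
    """Split one log line into a dict: ts, event, user plus any key=value fields."""
    ts, event, user, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user, **fields}


def detect_threats(lines):
    """Return a list of (rule, user, detail) alerts found in the given log lines."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    burst_alerted = set()           # alert once per user, not once per extra failure
    downloads = defaultdict(int)    # user -> total bytes downloaded

    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]

        if ev["event"] == "LOGIN_FAIL":
            window = failures[user]
            window.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while window and ev["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGIN_LIMIT and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append(("failed_login_burst", user,
                               f"{len(window)} failures within {FAILED_LOGIN_WINDOW} from {ev['src']}"))

        elif ev["event"] == "DOWNLOAD":
            downloads[user] += int(ev["bytes"])

        elif ev["event"] == "CONNECT" and ev["dst"] in SUSPICIOUS_IPS:
            alerts.append(("suspicious_ip", user,
                           f"connection to blocklisted {ev['dst']}:{ev['port']}"))

    # Volume check is evaluated after the whole log so partial totals do not alert.
    for user, total in downloads.items():
        if total > DOWNLOAD_LIMIT_BYTES:
            alerts.append(("large_download", user, f"{total} bytes downloaded"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_threats(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {user}: {detail}")
```

On the sample data this flags alice for a burst of failed logins, bob for a connection to the blocklisted address, and bob again for exceeding the download limit, while carol's single failure stays below threshold. The sliding window matters: the same five failures spread over a whole day should not trip a lockout rule intended for brute-force attempts.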