For An Effective Ransomware Solution, You Must Mind the Gap

Eleven hours on an overnight flight and I’m here. I’d been to London once before, but it was years ago, before I began my career and way before Internet security was a thing. The sun’s finally out and it’s time to see the sights; I enter the Underground station and wait for the Tube. As the train approaches, I hear the announcement “mind the gap” and it reminds me about the latest investment my company made in a ransomware solution to defend our sensitive and private data against cyberattacks. We created an air gap between our operational IT network and safe copies of our sensitive and private data, following the best-practice guidelines issued by the Department of Homeland Security.

Rise of Ransomware

The battle between cyberthieves and security teams resembles a classic game of cat and mouse. Every time a new attack technique is developed (the mouse), the industry produces a defensive measure (the cat) that works for a while before the game changes. DDoS, SQL injection, and phishing emails were all very popular in their time, but lately ransomware has become a favorite tactic. The reason is simple: there’s no middleman. The attacker is paid directly by the victim instead of having to find a buyer for stolen data.

Until recently, most financially motivated cyberattacks shared one trait: they aimed at stealing or exfiltrating valuable data that could be sold to other participants on the Dark Web. Credit card numbers, Social Security numbers, driver’s license details and the like were valuable for making fraudulent charges or establishing fake identities. But the emergence of cryptocurrencies like Bitcoin and the availability of exploit kits expanded the marketplace to the point where there was more stolen data on offer than fraudsters wanted to buy. Prices fell, and falling prices pushed attackers to steal even more data.

Enter ransomware. It’s a different type of attack, and one that can be harder to detect, because it doesn’t necessarily require a large data transfer to an external IP address that egress monitoring might catch. The thieves penetrate the network and then move laterally until they find something valuable or something whose loss will disrupt the business. Then they encrypt it in place and demand that the owner pay a ransom for the key. (Many crews now also exfiltrate a copy before encrypting and threaten to publish it, so the absence of a large outbound transfer is no guarantee that you weren’t robbed as well.) It’s remarkable how many security teams are unprepared for such an attack.
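Because encrypt-in-place leaves no big outbound flow to catch, endpoint-side signals matter more: a single process rewriting many files with ciphertext-like content in a short burst. The following is an added example, not code from the original post or from any product it mentions, of that detection logic run over a constructed set of file-write events. The thresholds (60-second window, 5 files, 7.0 bits/byte) and the list of ransom-style suffixes are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    """One file write observed on an endpoint (constructed for this example)."""
    ts: float      # seconds since epoch
    pid: int       # writing process
    path: str      # file written
    data: bytes    # content written (a sample of the write is enough in practice)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, typically 4-5 for office documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Suffixes ransomware families commonly append; an assumed, non-exhaustive list.
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")


def detect_encrypt_in_place(events, window=60.0, min_files=5, entropy_threshold=7.0):
    """Return {pid: sorted paths} for processes that rewrote at least `min_files`
    distinct files with high-entropy content (or a ransom-style suffix) inside any
    `window`-second span. Compression also produces high entropy, so the file-count
    and rate thresholds matter as much as the entropy cutoff."""
    suspicious = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) >= entropy_threshold or ev.path.endswith(SUSPICIOUS_SUFFIXES):
            suspicious[ev.pid].append(ev)

    flagged = {}
    for pid, evs in suspicious.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window` seconds
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if len({e.path for e in evs[start:end + 1]}) >= min_files:
                flagged[pid] = sorted({e.path for e in evs})
                break
    return flagged


def pseudo_ciphertext(label: str, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted output (a SHA-256 counter stream)."""
    out = b"".join(hashlib.sha256(f"{label}:{i}".encode()).digest() for i in range(size // 32 + 1))
    return out[:size]


# Constructed sample: an office-style writer, one legitimate zip download, and a
# ransomware-like process rewriting six spreadsheets in 15 seconds.
SAMPLE_EVENTS = [
    WriteEvent(1000.0, 1001, r"C:\Users\alice\Documents\report.docx", b"Quarterly report, draft 3. " * 150),
    WriteEvent(1030.0, 1001, r"C:\Users\alice\Documents\notes.txt", b"call vendor about invoice\n" * 100),
    WriteEvent(1040.0, 1002, r"C:\Users\alice\Downloads\photos.zip", pseudo_ciphertext("zip")),
]
SAMPLE_EVENTS += [
    WriteEvent(1100.0 + 3 * i, 4242, rf"\\fileserver\finance\ledger{i}.xlsx.locked", pseudo_ciphertext(f"victim{i}"))
    for i in range(6)
]


if __name__ == "__main__":
    for pid, paths in detect_encrypt_in_place(SAMPLE_EVENTS).items():
        print(f"pid {pid} rewrote {len(paths)} files with ciphertext-like content:")
        for p in paths:
            print("   ", p)
```

The single high-entropy zip from pid 1002 is not flagged, which is the point of the file-count threshold: entropy alone would page you every time someone downloads an archive. In production this logic would sit behind an EDR or file-server audit feed, and the response would be to suspend the process and cut the host off from the file shares.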

Don’t Be a Victim

The very first step in developing a ransomware solution is to recognize the threat and accept that you’re vulnerable. Exploit kits are available that no longer rely on an untrained user opening an email attachment or clicking a bad link. There are more than 100,000 known vulnerabilities in the kinds of hardware and software deployed in systems like yours, and not every organization has the time to deploy every required patch even when one is available. A single automated scanner can probe every exposed port on your network looking for a misconfiguration or a default password, so an unpatched, Internet-facing service is likely to be found.

Getting back to those DHS guidelines: it’s still important to install the firewalls, train the users and patch your systems, but the other crucial preparation is to perform regular backups. How often you create them depends on how rapidly your data changes, but once a day, sort of like taking a vitamin, is a bare-minimum approach. And generating one copy is not enough. The common rule of thumb is 3-2-1: three copies of the data, on two different media, with one copy off-site and out of reach of the credentials your production systems use. Test restores regularly as well; a backup you have never restored from is a hypothesis, not a recovery plan.

By their nature, backups are duplicates of important system images and data, and with the explosion in the amount of data we all now collect and process, few can afford to store redundant copies of everything on expensive on-premises devices such as NAS and SAN appliances. Magnetic tape has been the traditional alternative because it’s cheap and easy to take off-site (yes, air gap again). Tape-based backups are very effective if your IT administrators follow proper media-rotation and cartridge-labeling procedures, but they can require a lot of tapes.

In response to the explosion of digital data associated with everything we do, another alternative was developed: object storage. Object storage is a way to store large quantities of data on disk without the identical, specially certified drives a SAN requires, and the ‘buckets’ that hold the data can grow without a fixed capacity limit. The repository can live in your own datacenter or in a third-party cloud, and vendors like Amazon offer low-cost, disk-based services (Simple Storage Service, or S3, in this case) accessed through an application programming interface, or API, rather than a mounted file system.

Time is Not on Your Side

Cloud-based, low-cost disk storage solves many problems for organizations struggling to provide secure IT services. It reduces the pressure on datacenter growth; it avoids technology-obsolescence issues; it eliminates media handling and labeling; and it provides an off-site disaster-recovery capability. And one more thing: it often makes for faster ransomware recovery, because your backup data still resides on searchable, spinning disk behind a protected API rather than on a tape in a vault. The word ‘protected’ is doing the work in that sentence. A backup bucket that your production servers’ own credentials can delete from or overwrite is not an air gap; it is just another share for the ransomware to encrypt. Give the backup process a separate credential that can write and read but never delete, and turn on the object store’s versioning and write-once retention features (Object Lock, in S3’s case) so that even a stolen credential cannot destroy earlier copies.
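What “behind a protected API” should mean in practice is a credential whose blast radius has been deliberately limited. The following is an added example, not code from the original post or from any backup product, of a least-privilege policy for a backup agent together with a small evaluator that checks what a thief holding that credential could do to the copies. The bucket name and policy are assumptions for illustration, and the evaluator is a simplified model of IAM’s decision logic (explicit Deny beats Allow, Allow beats nothing, everything else is implicitly denied) that ignores conditions, NotAction, principals and cross-account rules; use the cloud provider’s own policy simulator for the real thing.

```python
import fnmatch
import json

# Hypothetical bucket for this example.
BACKUP_BUCKET = "example-backup-bucket"
BUCKET_ARN = f"arn:aws:s3:::{BACKUP_BUCKET}"

# Credential handed to the backup agent: it may add and read objects, but the explicit
# Deny statement means it can never delete versions or weaken the bucket's protections,
# even if an attacker lifts it from a compromised backup server. With versioning on,
# an overwrite via PutObject creates a new version instead of destroying the old one.
BACKUP_AGENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WriteAndRead", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
         "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "ListForRestore", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
         "Resource": BUCKET_ARN},
        {"Sid": "NeverDestroy", "Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
                    "s3:PutBucketPolicy", "s3:PutObjectRetention", "s3:PutObjectLegalHold"],
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins over any Allow, an Allow wins over
    nothing, and anything unmatched is implicitly denied. IAM wildcards (* and ?) are
    approximated with fnmatch; conditions and NotAction are out of scope."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny ends the evaluation
        decision = "Allow"
    return decision


def is_allowed(policy, action, resource):
    return evaluate(policy, action, resource) == "Allow"


def ransomware_blast_radius(policy, key):
    """What someone holding the agent's credential can and cannot do to one backup object."""
    obj = f"{BUCKET_ARN}/{key}"
    return {
        "upload new copy": is_allowed(policy, "s3:PutObject", obj),
        "read for restore": is_allowed(policy, "s3:GetObject", obj),
        "delete current version": is_allowed(policy, "s3:DeleteObject", obj),
        "delete old version": is_allowed(policy, "s3:DeleteObjectVersion", obj),
        "turn versioning off": is_allowed(policy, "s3:PutBucketVersioning", BUCKET_ARN),
        "shorten retention lifecycle": is_allowed(policy, "s3:PutLifecycleConfiguration", BUCKET_ARN),
    }


if __name__ == "__main__":
    print(json.dumps(ransomware_blast_radius(BACKUP_AGENT_POLICY, "2024-05-01/db.dump"), indent=2))
```

The policy only constrains the agent’s credential. An attacker who reaches an account administrator can still rewrite it, which is why the bucket itself should also carry versioning plus a write-once retention period in a mode that even the account owner cannot shorten, ideally in a separate account from production. That combination, not the cloud location by itself, is what earns the name air gap.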

If you fall victim to a ransomware attack, the most costly element is not likely to be the ransom itself. Most attackers set the ransom low enough that paying looks like the easy way out. The FBI nevertheless recommends that you don’t pay: payment funds the next campaign, marks you as an organization that pays, and carries no guarantee that a working decryptor will arrive. Paying also does nothing about the risk of a second attack, which often happens because somewhere in the recovery effort you missed a backdoor or a piece of malware still hidden in your network. It’s generally better to rebuild affected systems from known-good images and restore data from clean backups than to trust a system the attacker has been inside.

What ends up costing organizations like yours millions of dollars is the business disruption the attack causes. The news is full of accounts of workers resorting to pen and paper to request services, file reports, and conduct their normal operations until the security team declares “all clear” and the endpoints can function again. Hopefully you didn’t lose a lot of business, and a fair number of customers, in the process. In some industries, regulations mandate that if customers’ private data was lost, you must notify every affected individual and potentially offer identity-monitoring services for a year or more.

If the breach was large, you might also suffer reputational damage that causes prospects to question whether working with your organization is worth the risk. Companies that make the evening news also tend to see stock-price drops and even executive departures, as someone must take the blame for the privacy violation. You may also face customer lawsuits, since newer laws such as the California Consumer Privacy Act (CCPA) give individuals a formal means of redress after a breach.

One final potential cost concerns any fines that might be levied against your organization if you fail to act in a diligent and expeditious manner. In many parts of the world it’s no longer legal to collect scads of personally identifiable data without applying some sort of data protection or pseudonymization. The European Union’s General Data Protection Regulation (GDPR) is seen as the model against which new legislation will be measured because it is so comprehensive. GDPR not only requires data protection, it also requires that organizations report personal-data breaches to the supervisory authority within 72 hours of becoming aware of them. That’s not a lot of time, even for security teams with proper monitoring already in place.

Ransomware Solution

So that’s it: I’ve spent more time than I expected revisiting all of the reasons my team recently decided to add one more layer to our security solution, down at the data level, to protect what all these bad guys are after in the first place. Using a solution like DataKeep doesn’t replace your pre-existing network backup capabilities, but rather adds an additional layer of access control and data protection to help you quickly recover from today’s favorite cyberattack technique. And all this reminiscing has led to a new observation. I’ve missed my bloody stop!
