Protecting Against Ransomware
Blog Article Published: 10/07/2022
Thanks to Dr. Jim Angle, Michael Roza, and Vince Campitelli
Ransomware is a form of malware used by an attacker to encrypt a victim’s data and demand a ransom for the encryption key, which allows the victim access to their data. Part 1 of this blog series further explains what ransomware is and the stages of a ransomware attack.
In this blog, we’ll explain how to develop appropriate controls to protect your organization against ransomware. To aid in our explanation, we’ll be referencing two of the functions from the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
According to NIST, the Identify Function of the Cybersecurity Framework aims to “develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.” Identifying assets, the business environment, governance, risk management, and supply chain provides the foundation that an organization’s cybersecurity program is built on.
The first step is to identify and classify all IT systems (including third-party and cloud), all software (operating systems and application), and all data (collected, processed, stored, and transmitted). This entails a complete inventory: people, IT systems (hardware and software), data, and facilities. Identifying and classifying these will aid in knowing what to protect and prioritizing these for a disaster recovery plan.
The organization should ensure that all policies, procedures, and processes are documented, readily available, and communicated. Failure to identify where all the data is located can result in missing data during the recovery and reinfection of systems.
The Protect Function entails developing and implementing appropriate controls to ensure the delivery of services. This function provides the ability to limit or contain the impact of cybersecurity events, including ransomware. Prevention is the best defense against ransomware, and it is essential to implement controls for protection.
To protect an organization’s cloud from ransomware, start with protecting the computer. There are some basic things you can do to protect computer systems:
- Install endpoint protection.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users. Strong spam filters should be enabled.
- Employ logical or physical means of network segmentation and isolation to separate various departmental IT resources within the organization.
- Windows systems can use a Group Policy that allows the organization to define how users can use the system. It can block the execution of files from local folders, including temporary folders and the download folder. This stops attacks that begin by placing malware in a local folder that then opens and infects the computer system.
- Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should use them only when necessary. Additionally, Multi-Factor Authentication (MFA) should be required for all remote access.
- Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
- Consider versioning. Versioning means that the data is immutable, and any modification results in a new version. This makes versioning effective against ransomware because encryption attacks result in a new version. Not all providers offer versioning, so availability must be verified with the provider.
To defend against ransomware threats, a combination of data encryption with the use of homomorphic encryption to enable ongoing data management while encrypted and stored in the cloud, and cloud immutable/WORM storage, is the only sure way to address the new risks from ransomware.
Homomorphic encryption is different from standard encryption technology in that it allows computation to be performed directly on encrypted data without requiring access to a decryption key. Homomorphic encryption of backups and files before their move to a cloud repository guarantees data security in transit, at rest, and while in use. Homomorphic encryption enables ongoing management of encrypted data, dramatically reducing the issues associated with standard encryption methodologies while ensuring continuous data indexing, search, and overall management and governance processes.
To explore these concepts in more depth, check out the publication Ransomware in the Healthcare Cloud by CSA’s Health Information Management Working Group. Written specifically with healthcare delivery organizations in mind, this publication covers information that is also applicable to anyone interested in ransomware.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.