With so much ransomware in the news I have often wondered if the companies that get hit are simply not following best practices or if there is something I am not aware of.
If you are doing your updates, have antivirus and anti-malware which are geared towards ransomware, and have proper backups, shouldn't that cover most of this stuff?
Granted there is always the new stuff that slips by, but at the rates of occurrence this doesn't seem to be the case.
I have a pentesting company that I have been operating for a while. I wholeheartedly agree that there are many organizations that are not adhering to "best practices". The other statement, "abysmal state", is probably more accurate based on what I see on a daily basis.
In a recent conversation with a vendor, the sales person stated to me that "well, most companies are probably doing the basics, and this is where we come in, above that level." I replied "I'm going to have to stop you there. Based on what I've seen, you don't realize how low the low hanging fruit really is..."
In all seriousness, my experience has been that "size matters". Really small companies, say <100 employees, may not have an IT person, and if they do, it is contractual, and a break-fix service only. There is no time being spent on security. At the other end of the spectrum, really large companies, >100K employees, are many times disorganized and disjointed enough that they miss some of the critical "low hanging fruit" by making global exceptions as policy for a specific niche use case. As an example: "We need to ensure TLS 1.2 is in use on all assets. Response: Well, Bob in accounting has this check-pay system that is critical, and it can't use TLS 1.2, so leave TLS 1.0 on. Response: Ok, we can't disable TLS 1.0 anywhere."
Oversimplified and cynical, I know, but the reality is I have seen the conversations go that way when the agenda is more about political power struggle than solving the security issues for the good of the company.
If your organisation really needs next to no downtime, then you may want to examine if automating deletion and recreation of servers from an offline pre-patched image is a useful place to move to. Being able to blow away all suspected compromised servers and rebuild them by firing a script, then restoring affected files from backups, is a quick way back into service. It does however require a change to a more proactive automated approach, rather than trying to fix up legacy infrastructures.
My job involves me in cyber incident response in other organisations and helping advise on protective measures for the sector I work within. While I wholeheartedly endorse most of what I have read on this thread, I would emphasise more than anything that word “SHOULD”, because I have multiple direct experiences where the ransomware was not stopped by all the standard defences. Only this week I was also helping a UK national agency advise on backups to a major organisation for a determined ransomware attack against a high profile target. Why? Because the last three major ransomware attacks in the sector had fully compromised the backups as well as the attacker compromising the hypervisor and the network appliances.
Having a backup is not good enough; you need a really good backup-in-depth strategy. As an absolute minimum you need the 3-2-1 approach - 3 backups, 2 local to your network, geographically dispersed and in different network segments, and 1 offline - that is, off your network. If the attacker breaches your network seriously enough you are not going to have any usable backup that is connected to your core network; an APT actor may have been in that network for weeks or months before triggering that ransomware attack - that is what happened in 2 of the major cases I have dealt with in the last 12 months. When an APT is in the network that long you are backing up the attacker activity; hope you are building that assumption into your backup restore test plans as well. If your anti-malware defences failed to detect the attack, understand it is not going to catch it on checking the restore either - use something that will. An APT attacker in a worst case may be present in your offline backup, but at least the offline backup gives you a chance to safely restore to a controlled environment for advanced detection and eradication in the event you have nothing left on the core network. Incidentally, remember I said this all should be your minimum prep. I feel our backup technology and approaches as an industry are currently lagging behind where they need to be for robust protection from APTs - and they are increasing in number and sophistication.
On the subject of bandwidth capacity for those precious backups, if you have significant volumes to back up, lessons also show: don’t use tape, use secure cloud backup vaults, and if needed put in dedicated WAN connections just for your backup. These days in the UK a GB WAN connection is pretty cheap.
May I also say that nearly everyone assumes it will never happen to them until it does, and that is always too late. I sincerely hope no one reading this ever suffers a major ransomware event - one which takes out your whole organisation for months. The costs in material and money are devastating enough, the cost on the people impacted can go beyond all expectations, including and up to loss of life.
Hope this helps someone - stay safe 🙂
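The 3-2-1 minimum and the restore-test caveat from the post above, as an added Python example that is not part of this thread or anyone's product: it scores an inventory of backup copies against the rule (3 copies; 2 on-network copies at different sites and in different segments; 1 fully offline) and, given the earliest indicator of compromise found during an investigation, keeps only the copies that predate that dwell window, sit offline, and have a recent verified restore. The copy inventory, dates and the 30-day test-age threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    site: str                     # geographic location of the copy
    segment: str                  # network segment it is reachable from
    taken_at: datetime            # when the snapshot was taken
    offline: bool                 # True = not reachable from the core network
    last_restore_test: Optional[datetime] = None  # last verified restore, if any


def check_3_2_1(copies: List[BackupCopy]) -> Dict[str, bool]:
    """Score a backup set against the minimum described in the thread:
    3 copies, 2 on-network copies at different sites AND in different
    segments, 1 copy fully offline."""
    online = [c for c in copies if not c.offline]
    offline = [c for c in copies if c.offline]
    return {
        "three_copies": len(copies) >= 3,
        "two_online_dispersed": (
            len(online) >= 2
            and len({c.site for c in online}) >= 2
            and len({c.segment for c in online}) >= 2
        ),
        "one_offline": len(offline) >= 1,
    }


def restore_candidates(
    copies: List[BackupCopy],
    earliest_ioc: datetime,
    as_of: datetime,
    max_test_age: timedelta = timedelta(days=30),
) -> List[BackupCopy]:
    """Copies safe to rebuild from once the attacker's dwell window is known.

    A copy qualifies only if it predates the earliest indicator of compromise
    (a later copy has backed up the attacker's activity), is offline
    (on-network copies are assumed lost after a serious breach), and has a
    restore test no older than max_test_age as of the investigation date.
    Newest first, so the rebuild loses the least data."""
    usable = [
        c for c in copies
        if c.offline
        and c.taken_at < earliest_ioc
        and c.last_restore_test is not None
        and as_of - c.last_restore_test <= max_test_age
    ]
    return sorted(usable, key=lambda c: c.taken_at, reverse=True)


# Constructed sample inventory (hypothetical names, sites and dates).
EARLIEST_IOC = datetime(2023, 9, 10)   # first attacker activity found by IR
AS_OF = datetime(2023, 10, 1)          # date the investigation ran this check

SAMPLE_COPIES = [
    BackupCopy("nas-hq", "london", "backup-vlan", datetime(2023, 9, 30), False, datetime(2023, 9, 25)),
    BackupCopy("nas-dr", "manchester", "dr-vlan", datetime(2023, 9, 30), False, datetime(2023, 9, 25)),
    # offline but taken after the IOC: contains the attacker's activity
    BackupCopy("vault-weekly", "cloud-vault", "offline", datetime(2023, 9, 24), True, datetime(2023, 9, 20)),
    # offline, predates the IOC, restore verified recently: the one to use
    BackupCopy("vault-monthly", "cloud-vault", "offline", datetime(2023, 9, 1), True, datetime(2023, 9, 20)),
    # offline and old enough, but a restore has never been tested
    BackupCopy("cold-archive", "offsite", "offline", datetime(2023, 8, 1), True, None),
]

# A weaker set: a third copy that is on-network and shares the HQ segment.
WEAK_COPIES = SAMPLE_COPIES[:2] + [
    BackupCopy("nas-hq-2", "london", "backup-vlan", datetime(2023, 9, 30), False, datetime(2023, 9, 25)),
]


if __name__ == "__main__":
    for rule, ok in check_3_2_1(SAMPLE_COPIES).items():
        print(f"{rule:22s} {'PASS' if ok else 'FAIL'}")
    for c in restore_candidates(SAMPLE_COPIES, EARLIEST_IOC, AS_OF):
        print("restore candidate:", c.name, c.taken_at.date())
```

The restore-candidate filter is the part worth adapting: the IOC date comes out of the investigation, not the backup system, and a copy that passes every 3-2-1 check is still useless if it was taken after the attacker arrived or has never actually been restored.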
@kevinkidder This is a very good post and I like to think that I truly understand what you are saying. I have worked with companies of all sizes and the problems do vary. With most smaller companies they tend to have to trust whatever company they use to handle things, and when it's a vendor they do not have the client's best interest in mind but rather how they can make the most money. Sadly, since so many small businesses do not understand the technology, they are at their mercy. I was retained by a few places that did not have an IT person and I made it my job to guide them to the best technology choices I could find. At times I would bring in outside vendors for certain things, but I also kicked many out because I could spot the BS!
With the larger companies they seem to lose focus and get caught up in the reactive firefighter mode and let things slip. They have the best intentions but you really need a strong manager who understands the problems and the risks. Your TLS example to me should have been a matter of: ok, contact the vendor and find out when they will fix this, and if they will not, inform them that you will be forced to start looking for a more secure solution. And if you wanted to be mean you could also mention that you would publicly disclose that they will not upgrade and that anyone who uses the product is at risk. Yup, I can be a jerk at times.
To me it's a matter of understanding. I have a friend whose company wanted to have a pen test done. My response is: why would you waste the money when you don't have a security person to act on the results?!?