A week ago news broke that a major energy infrastructure company responsible for delivering fuel to stations from Texas to New Jersey fell victim to a ransomware attack. The attack resulted in the operator, Colonial Pipeline, shutting down all operations of its nearly 5,500-mile-long distribution pipeline. Media outlets have focused on the consumer impacts – potential gas shortages likely to result in a higher fuel demand which could lead to price hikes. What the main news networks haven’t really discussed much is how an attack like this can occur, how often it happens, and what companies can do to mitigate the risk of ransomware attacks.
Ransomware – A Digital Sneak Attack
If you aren’t familiar, ransomware is a class of malware that typically affects victims by encrypting important data or infecting entire operating systems and then presenting the impacted party with a message instructing them to pay someone to have their data unlocked. It’s an increasingly popular method of attack, and over the past decade it has shifted from primarily being used against individuals to being used heavily against companies. Without naming all companies that have experienced a major ransomware attack, it is safe to say that ransomware criminals don’t discriminate. Their targets range from major Fortune 500 companies to small and medium-sized businesses. All industries are potential targets and whether you like it or not, criminals will extort you. So what can you do about it?
Risk Mitigation – Protect with Proaction
There are a few steps that you can take to reduce the risk of a major company-wide – potentially publicly embarrassing – attack:
Early indicators of this most recent attack and lessons learned from the countless examples preceding this are reminders that separating systems that don’t need to coexist on the same network could very well prevent the mass spreading of a ransomware attack. The bottom line is that if you have a segmented network design you can isolate disasters and react quicker when one occurs. If your camera system is on the same network as your Windows workstations, that is a recipe for disaster should one of your cameras fall victim to some vulnerability. I wrote an article about this before and covered this in much deeper detail.
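To make the camera-and-workstation point concrete, here is an added example (not from the original article) that audits an asset inventory against a segment plan and flags devices sitting in a subnet reserved for another device class. The host names, addresses, roles and subnet plan are constructed sample data, and `find_segment` and `audit` are hypothetical helper names.

```python
import ipaddress

# Constructed sample inventory (hypothetical hosts and addresses).
INVENTORY = [
    {"host": "ws-001", "ip": "10.10.1.21", "role": "workstation"},
    {"host": "ws-002", "ip": "10.10.1.22", "role": "workstation"},
    {"host": "cam-lobby", "ip": "10.10.1.200", "role": "camera"},
    {"host": "cam-dock", "ip": "10.10.50.11", "role": "camera"},
    {"host": "hvac-01", "ip": "10.10.60.5", "role": "hvac"},
    {"host": "fs-01", "ip": "10.10.20.10", "role": "server"},
]

# Assumed segment plan: each subnet and the only roles allowed to live in it.
SEGMENTS = {
    "10.10.1.0/24": {"workstation"},
    "10.10.20.0/24": {"server"},
    "10.10.50.0/24": {"camera"},
    "10.10.60.0/24": {"hvac"},
}

def find_segment(ip, segments):
    """Return the key of the most specific planned subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(key), key) for key in segments
               if addr in ipaddress.ip_network(key)]
    if not matches:
        return None
    # Longest prefix wins when planned subnets overlap.
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def audit(inventory, segments):
    """Return (host, ip, role, subnet, reason) for every host that breaks the plan."""
    findings = []
    for dev in inventory:
        subnet = find_segment(dev["ip"], segments)
        if subnet is None:
            findings.append((dev["host"], dev["ip"], dev["role"], None,
                             "no planned segment"))
        elif dev["role"] not in segments[subnet]:
            findings.append((dev["host"], dev["ip"], dev["role"], subnet,
                             "role not allowed in segment"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, SEGMENTS):
        print(finding)
```

With the sample data, only `cam-lobby` is reported, because it shares the workstation subnet.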
Many of these attacks are actually caused by someone clicking on an email which directs them to a website that runs malicious code locally on their workstation. This has been the root cause of several highly publicized attacks and it continues to be very common. The way to combat this is to test and train your users because they are the last line of defense in your security program. There are several products that assist with this and while it may feel like a nuisance from the users’ perspective, making them think about clicking on a link could be the thing that saves your company from an attack. Again, we’ve written about this before.
Another really important and, unfortunately, often deprioritized step you can take to reduce your attack surface is to patch your systems. Simply patching your workstations, firewall, wireless access points, industrial systems like HVACs and cameras, and servers (don’t forget about the ones in the cloud!) addresses vulnerabilities that are found regularly. As such it is important to perform this on a schedule! Leveraging automation tools to assist with this can lessen the burden, and outsourcing this to a managed service provider is another way to ensure someone owns the responsibility.
Backups and Automation
The unsung heroes in thwarting ransomware attacks are the countless backups and deployment automation that companies use to restore to nominal operations. This one is a no-brainer. Think ahead and establish a sound system backup process for your data and where possible automate the deployment of production systems. This will greatly reduce your recovery time.
Incident Response Planning
The best way to handle a security incident is to execute what you’ve already rehearsed. It may sound extreme, but companies invest considerable resources (time, people, and money) into IR preparation. We’ve written about the importance of establishing a robust security program, and part of that is having an incident response plan. Take it one step further and not only establish and document your plan but rehearse it! You’ll be glad you did if you get hit with a ransomware attack.
I’ve said it before and I’ll say it again, it is a scary internet out there. Take a lesson from someone else’s misfortune in this case and bolster your security posture. There’s always room for improvement.