Cybermaturity and Protecting Against Ransomware

Tom Conkle
Author: Tom Conkle, CISSP, Optic Cyber Solutions
Date Published: 15 November 2021

Ransomware continues to dominate the headlines in both cybersecurity journals and mainstream media. Companies of all sizes across sectors are seeing continued increases in ransomware attacks. This rise in attacks has resulted in companies paying out millions of dollars or, in some cases, failing due to the irreparable harm caused by the loss of ransomed data. Ransomware attacks will continue to increase primarily due to the successful monetization of attacks and because ransomware methods continue to evolve.

Ransomware began with attackers simply gaining access to, and encrypting, a company’s data. This enabled the attackers to sell a decryption key back to the company to allow them to regain access to company data. Ransomware has since evolved. One method includes taking over a company’s access control features and locking users out of systems until the victim pays the ransom. Attackers have even been known to weaponize regulators. After breaching company data and requesting payment, attackers will threaten to notify the regulators themselves if not paid.

Attacks that lead to ransom payments being demanded have been realized through multiple attack methods. One of the first ransomware attacks reported in 1989 occurred when an AIDS researcher distributed 20,000 floppy disks infected with malware to attendees at a World Health Organization (WHO) conference. The malware has been used to exploit known and zero-day vulnerabilities to allow access to systems as a vector for ransomware. Malware used in ransomware attacks has been deployed through many methods, including social engineering attacks (e.g., phishing), seeding parking lots with infected USB drives, and even exploiting publicly available systems. Other forms of ransomware have occurred due to companies unknowingly leaving their data exposed to the internet, allowing attackers to steal or encrypt the data.

Due to the variety of forms of ransomware and the many ways it can be deployed, a single solution does not exist. Companies must take a holistic view of their cybersecurity program and implement capabilties across the entire program.

Organizations need to defend their infrastructure on all fronts to thwart ransomware attacks. First, the organization must ensure the development and integration of secure solutions within their environment. For example, when purchasing new Software as a Service (SaaS) capabilities, companies should safeguard systems by changing defaults passwords, hardening configurations, deploying cloud protection capabilities (e.g., Cloud Access Security Broker (CASB)), and implementing Multi-Factor Authentication (MFA). While each of these protections may not prevent a successful ransomware attack alone, a multipronged approach to defending against ransomware reduces the chance of an attacker’s success.

Organizations also need to implement robust protective technologies to ensure systems are routinely patched and vulnerabilities are managed. Additionally, to provide a defense-in-depth approach, the organization must enable effective auditing and logging to allow early detection of potential breaches that could lead to a ransomware attack. While an attacker only has to be successful once to implant their ransomware malware, organizations must effectively defend their network at all times, across all aspects of their cybersecurity program.

There are many resources available to assist organizations in defining a robust cybersecurity program. For starters, there are various industry accepted cybersecurity guidelines, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework), and the Center for Internet Security (CIS) Common Security Controls (CSC). Additionally, there are many regulatory and compliance requirements across sectors, such as the Payment Card Industry (PCI) Data Security Standard (DSS), the Health Insurance Portability and Accountability Act (HIPAA), and North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP). There are also tools, such as ISACA’s CMMI Cybermaturity Platform (CCP), that measure current cybersecurity capabilities and recommends specific solutions needed to mitigate organizational business risks.

The CCP tool includes 16 Capability Areas that represent a full cybersecurity program. Each area assists organizations in defining cybersecurity capabilities needed to manage operational risk, including the risk of a ransomware attack. The CCP Cybersecurity Model (“the Model”) identifies key proficiencies to help organizations prevent ransomware within its Capability Areas, including System Trustworthiness and Protective Technology. The Model also defines specific actions, referred to as Practices, that companies can take to detect ransomware before it spreads in the Incident Detection and Continuous Monitoring Capability Areas.

The holistic approach for implementing a maturity-based cybersecurity program, as realized in the CCP, enables companies to evaluate risks to establish tailored Target Maturity Levels. The CCP then translates these Target Maturity Levels into Practices that can be implemented to mitigate their cybersecurity risks to an acceptable level, including the risk of ransomware disrupting business operations. Additionally, the Model within the CCP is updated bi-annually to ensure cybersecurity capabilities evolve with ever-changing threats and vulnerabilities.

Editor’s note: Find out more information about CCP here.