May 18, 2017 WannaCry Highlights Need for Effective Backup, Training, Strategy
Yeah, I’ll admit it: I can be cranky.
So when my colleague texted me and asked if I was planning to blog about the WannaCry ransomware attack last week, my response was approximately, “Big whoop. Ransomware happens all the time. People never learn. I’ve been blogging about this for years. What’s new here?”
My colleague responded with, “This really is a big deal, Johna, given that it’s global and highly coordinated.”
I retorted, “Yeah, but from an enterprise perspective, nothing’s changed: companies need to be taking the same protective measures that we’ve been talking about for years!” I grumbled a bit more, and went back to my laptop, and didn’t bother posting a blog.
So here’s the thing. We’re both right.
My colleague has a point: WannaCry was the first ransomware attack to dominate mainstream headlines, and it's one of the most highly coordinated attacks in history, reportedly hitting more than 200,000 victims in 150 countries. And then there are the salacious tidbits about the NSA (whose leaked exploit code was used to spread it) and the North Koreans (who may be behind it).
So yeah, it really is a big deal.
That said, my point holds as well. As ransomware attacks go, it's fairly lame. For one thing, coordinating a ransomware attack is a poor choice for assailants who want to get paid, because it reduces the chance that anyone will pay up.
In the hot spotlight of publicity, victims quickly discover that they're not alone, and security specialists can come up to speed on mitigation and response. (Of course, that assumes the motivation of this particular attack was primarily financial, which it may well not have been. It is equally possible that a state actor, possibly North Korea, was aiming to showcase its ability to turn stolen NSA tooling into a global attack. In that case, front-page coverage was precisely the desired effect, and financial gain is immaterial.)
More importantly, for enterprise infosec pros, proactive protection against ransomware continues to require the same consistent approach, whether it’s a much-publicized, highly coordinated attack like WannaCry or an attack nobody’s ever heard of. Protecting against ransomware stands on three key pillars:
1. Real-time, robust backup. I've highlighted the good folks at Code42 more than once; they deliver not only a solid, real-time backup solution but some good endpoint security services as well. Plus, they're based in the US (I like to see American companies doing good work, and given that state actors appear to be entering the ransomware game, the location of backups may matter). Two caveats apply to any backup product: keep versioned, point-in-time copies that the endpoint itself cannot overwrite, because ransomware will encrypt a mounted backup drive or a synced share right along with everything else, and test your restores on a schedule, since a backup you have never restored from is a hope, not a plan.
2. Effective, consistent security training. Phishing remains the number one vector for most attacks, including ransomware. (WannaCry itself is the exception that proves the rule: it spread mostly as a worm through unpatched SMB services rather than by tricking users, so training is a complement to timely patching and network segmentation, not a substitute for them.) Yet according to Nemertes' 2016/2017 Security and Risk Management Benchmark and Maturity Model, most companies aren't doing enough to sensitize their employees to the risk. In our upcoming 2017/2018 Security and Risk Management Benchmark and Maturity Model, to be released this June, we'll highlight best practices for security awareness training. We've talked about it in several previous blogs and research reports as well. The bottom line here: don't skimp on training; it pays dividends!
3. Finally, every company needs a robust security strategy that includes a documented incident response plan. What is your plan to protect against ransomware? How will you respond if an attack is detected, and who has the authority to isolate infected machines from the network? Who is responsible for communicating with employees? And so on. If you haven't had this conversation, you should, and document the results. Then run regular war-gaming (tabletop) exercises to be sure that everyone internalizes the incident response plan, from the board and senior executives on down.
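To make the backup pillar concrete, here is an added example (my own illustration, not code from the original post, from Code42, or from any other vendor) of the two properties a ransomware-resistant backup needs: point-in-time snapshots that the endpoint never writes to again, each with a SHA-256 manifest, and a restore drill that proves a snapshot still yields the original files after a simulated crypto-ransomware run. The snapshot(), check() and restore() functions, the directory layout and the sample files are all assumptions made up for this demonstration; the "ransomware" only overwrites files with random bytes and renames them, no real cipher is involved.

```python
"""Versioned backup snapshots with hash manifests, plus a restore drill.

Added example for this post; hypothetical layout:  <repo>/<label>/data/...
and <repo>/<label>/manifest.json.  Not any vendor's code.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (works for files larger than memory)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def snapshot(live: Path, repo: Path, label: str) -> Path:
    """Copy the live tree into its own snapshot directory and record a manifest.

    A snapshot is never written again after creation, so later damage to the
    live tree cannot propagate into it.  A backup that is just a mounted drive
    or a synced share lacks exactly this property and gets encrypted too.
    """
    dest = repo / label
    shutil.copytree(live, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(manifest_of(live), indent=2))
    return dest


def check(root: Path, manifest: dict) -> list:
    """Return relative paths that are missing from root or whose hash differs."""
    current = manifest_of(root)
    return sorted(rel for rel, digest in manifest.items() if current.get(rel) != digest)


def simulate_ransomware(target: Path) -> int:
    """Constructed stand-in for crypto-ransomware: overwrite each file with
    random bytes and append a .locked suffix.  Returns the number of files hit."""
    count = 0
    for p in [q for q in target.rglob("*") if q.is_file()]:
        p.write_bytes(os.urandom(max(len(p.read_bytes()), 16)))
        p.rename(p.with_name(p.name + ".locked"))
        count += 1
    return count


def restore(snap: Path, target: Path) -> list:
    """Rebuild target from a snapshot; return files that fail their manifest hash."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snap / "data", target)
    manifest = json.loads((snap / "manifest.json").read_text())
    return check(target, manifest)


def drill() -> dict:
    """Run the whole exercise in a temp dir: snapshot, 'infect', detect, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, repo = Path(tmp, "live"), Path(tmp, "backups")
        # Constructed sample data standing in for user files.
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q2.csv").write_text("invoice,amount\n1001,250.00\n")
        (live / "memo.txt").write_text("Incident response call tree, v3\n")

        snap = snapshot(live, repo, "2017-05-11T02-00")
        baseline = json.loads((snap / "manifest.json").read_text())

        encrypted = simulate_ransomware(live)  # the live tree is now useless
        damaged = check(live, baseline)        # every original path fails
        failures = restore(snap, live)         # rebuild from the snapshot
        return {
            "files": len(baseline),
            "encrypted": encrypted,
            "damaged_before_restore": len(damaged),
            "failures_after_restore": len(failures),
            "snapshot_intact": check(snap / "data", baseline) == [],
        }


if __name__ == "__main__":
    print(json.dumps(drill(), indent=2))
```

The drill reports that every live file was damaged, that the snapshot taken earlier is untouched, and that restoring from it reproduces files whose hashes match the manifest. The same shape works for a real repository: snapshots land on storage the endpoint can only append to (object-lock buckets, pull-based backup servers, offline media), and a scheduled job runs the restore-and-check half against a scratch directory so that a silently broken backup is noticed before the day it is needed.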
In sum, whether it’s a stealth attack or one that’s on the front page of every newspaper, ransomware is an omnipresent threat. Make sure your ransomware protection rests on the three pillars above, and you’ll be pretty far ahead of your peers.
Got it? Good! Now if you don’t mind, there’s something I need to check on at my window….
…Hey you kids! Get offa my lawn!!