Readiness for Ransomware Attacks against Vendor Organizations

Guest Blog Post from Phil Mellinger, Vice President Information Security & Information Security Officer, Tower Federal Credit Union
CAMI Advisory Council Member

As reported in the news, ransomware can be used to attack storage of customer data (e.g., Kaseya), thereby incapacitating a large number of its customers. 

As a result, this document provides readiness guidelines for organizations that rely on vendors that store data critical to operations and are, therefore, susceptible to similar attacks. Strategies for defending against ransomware rely on highly layered and redundant controls; the cumulative effect is that no individual control has to be relied upon on its own. 

There are generally six required controls against ransomware:
1) Border-level Controls: Does the organization inspect received traffic to prevent ransomware from penetrating its security perimeter?
Examples of controls for border-level systems include: a) hardening systems; b) patching systems; c) encryption of storage; d) antivirus detection and removal (kept up to date); e) firewalls; f) runtime inspection; and g) intrusion prevention to detect and block attacks within network traffic.

2) Device-level Controls: Does the organization prevent ransomware functioning on internal devices?
Examples of device-level controls include: a) hardening systems; b) patching systems; c) encryption of storage; d) antivirus detection and removal (kept up to date); e) firewalls; f) runtime inspection; and g) intrusion prevention to detect and block attacks within network traffic. 

3) Network-level Controls: Does the organization segment or partition network(s) to prevent the potential lateral movement of ransomware across its networks?
Examples of network-level controls for internal network routers and switches include: a) hardening; b) patching; c) firewalls; and d) other segmentation tools.

4) Storage-level Controls: Does the organization maintain necessary backups to enable recovery from successful ransomware attacks?
Ransomware recovery best practices advise organizations to maintain copies of backups stored off network, and to verify that those copies are intact and can actually be restored.
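An off-network backup only enables recovery if it is complete, unaltered and restorable, so the storage-level check worth asking a vendor about is a routine integrity and restore test. The script below is an added illustration, not code from this post or from any vendor: it hashes every file in a backup copy into a manifest, re-verifies the copy against that manifest, performs a test restore, and then shows what the same check reports when files have been overwritten and a stray file added. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Integrity and restore check for an off-network backup copy (illustrative, constructed data)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to the backup root) to its hash at backup time."""
    return {
        str(p.relative_to(backup_dir)): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(directory: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means the directory matches the manifest."""
    problems = []
    present = {str(p.relative_to(directory)) for p in directory.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(directory / rel) != expected:
            problems.append(f"hash mismatch: {rel}")
    # Files absent from the manifest (e.g. a ransom note) are flagged as well.
    for rel in sorted(present - set(manifest)):
        problems.append(f"unexpected file: {rel}")
    return problems


def restore_and_verify(backup_dir: Path, restore_dir: Path, manifest: dict) -> list:
    """Test restore: copy the backup to a scratch location and verify the restored tree."""
    shutil.copytree(backup_dir, restore_dir)
    return verify_against_manifest(restore_dir, manifest)


def run_demo() -> dict:
    """Build a constructed production tree, back it up, verify, restore, then simulate damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        production = root / "production"          # hypothetical live data set
        backup = root / "offline_backup"          # stands in for the off-network copy
        (production / "members").mkdir(parents=True)
        (production / "members" / "accounts.csv").write_text("id,balance\n1,100\n2,250\n")
        (production / "config.ini").write_text("[core]\nmode=live\n")

        shutil.copytree(production, backup)
        manifest = build_manifest(backup)
        # The manifest is stored separately from the backup it describes.
        manifest_path = root / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))
        stored_manifest = json.loads(manifest_path.read_text())

        backup_problems = verify_against_manifest(backup, stored_manifest)
        restore_problems = restore_and_verify(backup, root / "restore_test", stored_manifest)

        # Simulated ransomware impact on production: one file overwritten, one file added.
        (production / "members" / "accounts.csv").write_bytes(b"\x00" * 32)
        (production / "README_DECRYPT.txt").write_text("constructed placeholder note\n")
        tampered_problems = verify_against_manifest(production, stored_manifest)

        return {
            "backup_problems": backup_problems,      # expected: []
            "restore_problems": restore_problems,    # expected: []
            "tampered_problems": tampered_problems,  # expected: mismatch + unexpected file
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script reports no problems for the untouched backup and the test restore, and two findings for the damaged production tree (a hash mismatch on the overwritten file and an unexpected extra file). In practice the manifest would be produced when the off-network copy is written and kept apart from it, and the restore test run on a schedule, so that a vendor can show evidence that the backup described in control 4 is actually usable.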

5) Employee-level Controls: Does the organization maintain a security awareness program for training employees about ransomware attacks?
Ransomware security awareness best practices advise organizations to conduct regular phishing-by-email assessments to ensure the effectiveness of employee training. 

6) Incident Response Controls: Does the organization maintain an incident response plan that is responsive to ransomware attacks?
Organizations should regularly validate the effectiveness of their incident response plans against ransomware incidents through testing and exercises.

While there is no foolproof defense against ransomware, highly layered and redundant controls against ransomware decrease the organization’s reliance on individual controls.