Ransomware: It’s Really About Organizational Failure

Image credit: iStockphoto/Eightshot Studio

Another day, another system, another hack. It is easy to feel hopeless about protecting our data and systems. But unless you are a digital hermit, rich enough to keep your data off the dark web, or a time traveler from before the internet, it is not a matter of “if” but “when” you will become a ransomware victim.

Often the blame is put on humankind, and to some extent that is fair. But unlike the Hollywood depiction of brute-force assaults on firewalls (rendered in colorful 3-D visuals), ransomware is mostly about successfully hacking ordinary humans.

All it takes is a single ego trip, an emotional appeal, an urgent financial need, or a curious porn escapade for ransomware attackers to create havoc. And a breach is born.

Well, not actually.

Organizational error

The truth that companies never want to admit is that ransomware is an operational issue rather than a matter of human failings.

It is true that pandemic responses like working from home (WFH), which saw people using their corporate devices the way they use their personal phones, gave ransomware a boost. But that only tells half the story. Yes, human complacency, curiosity, and ego have all played a part, but only because operational complacency allowed it.

Michael Uskert, Gartner’s chief of research, states that ransomware is an operational problem; that is the title of his blog post. He argues that it is time to stop pointing fingers and accept that ransomware stems from operational inadequacies: bad practice, lack of enforcement, and the hubris created by organizational structures.

“There exists a growing security puzzle consisting of aging infrastructure, bad cyber hygiene, poor end-of-life equipment management, employee reluctance to work with cybersecurity staff, and increased use of original equipment manufacturer (OEM) devices and software providers. The proliferation of the Industrial Internet of Things (IIoT) and operational technology (OT) has expanded the use of OEM devices and the role third parties play in your security,” Uskert explains.

The Ransomware Spotlight Year End Report, by Ivanti, Cyber Security Networks, and Cyware, sheds more light on these operational fault lines.

The report counted 157 ransomware families as of 2021, 32 of them (26%) new that year. Between them, these families exploit 288 common vulnerabilities and exposures (CVEs), 29% more than in 2020. These are CVEs the industry already knows about. Because companies do not heed the warning signs, they end up paying, on average, USD220,298 (often in cryptocurrency) and facing 23 days of outage.

The bad news is that ransomware attackers are learning. They are getting better at exploiting vulnerabilities early: true zero-days, and flaws that have yet to be catalogued in national databases like the U.S. National Vulnerability Database (NVD). The QNAP NAS, SonicWall, Kaseya VSA and, more recently, Apache Log4j (Log4Shell) vulnerabilities are examples.

Ransomware attackers are also going after supply chains, which give them multiple routes to hijack systems. The result is a rise in supply chain attacks in oil and gas, food, pharmaceuticals, and health care, sectors that have not paid as much attention to security as their peers in financial services and defense.

They are also targeting software weaknesses; the report highlighted 54 such vulnerabilities in software code. Then there are end-of-life products, which ransomware groups like Cring and HelloKitty are zeroing in on because they are still running, unpatched, out of complacency or bad practice.

Most damning of all, ransomware attackers are now stringing multiple CVEs together into a single intrusion chain. PetitPotam (an NTLM relay attack against Windows domain infrastructure) and the four ProxyLogon vulnerabilities in Microsoft Exchange Server are examples.

For Gartner’s Uskert, one major takeaway of these ransomware attack successes is that companies have made security an IT rather than an organizational issue. They shouldn’t.

“As operations digitalized, many failed to do one thing: productize security. This failure often results in policies appropriate for analog operations, not those needed by digitalized organizations,” he explains.

But all is not lost yet.

Framework approach

Rick Vanover, senior director for product strategy at Veeam Software, noted that companies should consider NIST’s Cybersecurity Framework. It has five core functions: Identify, Protect, Detect, Respond, and Recover.

The framework lays out a strategy that companies can adopt and adapt when dealing with threats, including recovering from a ransomware intrusion. A companion whitepaper helps companies map the framework to their critical infrastructure.

Veeam Software says it has gone a step further. “The NIST Framework is a recipe that can drive very high confidence in recovering data. Now what we've done here at Veeam is actually apply it and mapped out Veeam capabilities every step along the way,” says Vanover. That mapping is laid out in the whitepaper “5 Ransomware Protection Best Practices.”

Based on his experience, Vanover pointed to “Respond” as to where most companies fail in a ransomware attack. “Simply put, companies are just not prepared to handle a ransomware situation.”

The reason: backup. Ransomware has made backup a priority, and poor backup practices make companies easy targets. Today’s ransomware attackers go after the backups first: if no usable copy survives, they reason, the victim is far more likely to pay.

So Vanover suggests companies rethink backup. One step is to keep backup servers isolated from the internet. No connection, no internet-based attack. That isolation does nothing, however, against an attacker who is already inside the network with stolen credentials, which is why account hygiene and segmentation matter just as much.

Companies should not share accounts between production data sources and the backup infrastructure, and should never use a single DOMAIN\Administrator account to reach every essential infrastructure resource. If the backup repository accepts the same domain credentials as the servers it protects, whoever captures those credentials owns the backups too.

Vanover goes further. If backup copies become vital during a ransomware attack, he argues, it only makes sense to prohibit access to and browsing of backups for the company at large; that also closes off backups as a source of data leakage. Micro-segmentation, with only explicitly permitted traffic allowed through internal firewalls, is another good practice.

These practices feed into what Veeam Software calls the 3-2-1-1-0 rule: three copies of the data (in addition to the primary), on two different media, with at least one copy offsite and one more copy offline (air-gapped), and zero errors, meaning the backups are verified as recoverable rather than assumed to be.
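The rule is easy to state and easy to drift away from, so it pays to audit a backup inventory against it mechanically. The script below is an added illustration written for this article, not Veeam code or part of any Veeam product. It models each backup copy with constructed metadata and a constructed payload, checks the 3, 2, 1 and 1 counts, and implements the “0” literally: every copy is re-read and its SHA-256 compared with the digest recorded when it was written, so a silently corrupted or tampered copy is caught before the day it is needed. The inventory data and the `audit_3_2_1_1_0` helper are assumptions for the example.

```python
"""Audit a backup inventory against the 3-2-1-1-0 rule (added example, not Veeam code).

3 copies, on 2 media types, at least 1 offsite, at least 1 offline, and 0 copies that
fail recoverability verification. All inventory data here is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str            # e.g. "disk", "tape", "object-storage"
    offsite: bool
    offline: bool         # air-gapped, no persistent connection from production
    payload: bytes        # constructed stand-in for the backup image
    recorded_sha256: str  # digest recorded at backup time and stored separately


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_copy(copy: BackupCopy) -> bool:
    """The '0': re-read the copy and compare with the digest recorded at write time."""
    return sha256_hex(copy.payload) == copy.recorded_sha256


def audit_3_2_1_1_0(copies: list[BackupCopy]) -> list[str]:
    """Return the list of rule violations; an empty list means the inventory complies."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} backup copies (need 3)")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"2: all copies on one media type ({', '.join(sorted(media)) or 'none'})")
    if not any(c.offsite for c in copies):
        findings.append("1: no offsite copy")
    if not any(c.offline for c in copies):
        findings.append("1: no offline (air-gapped) copy")
    failed = [c.name for c in copies if not verify_copy(c)]
    if failed:
        findings.append(f"0: recoverability verification failed for {', '.join(failed)}")
    return findings


def make_copy(name: str, media: str, offsite: bool, offline: bool, payload: bytes) -> BackupCopy:
    """Create a copy whose recorded digest matches its payload (a clean backup)."""
    return BackupCopy(name, media, offsite, offline, payload, sha256_hex(payload))


def corrupt(copy: BackupCopy) -> BackupCopy:
    """Simulate silent corruption or tampering: flip one byte, keep the old digest."""
    data = bytearray(copy.payload)
    data[0] ^= 0x01
    return BackupCopy(copy.name, copy.media, copy.offsite, copy.offline, bytes(data), copy.recorded_sha256)


# Constructed backup image; a real audit would stream the repository contents instead.
IMAGE = b"constructed backup image: finance-db 2021-12-31"

COMPLIANT = [
    make_copy("onsite-disk", "disk", offsite=False, offline=False, payload=IMAGE),
    make_copy("cloud-object", "object-storage", offsite=True, offline=False, payload=IMAGE),
    make_copy("vault-tape", "tape", offsite=True, offline=True, payload=IMAGE),
]

# Same layout, but the offline tape has degraded and nobody has re-read it.
CORRUPTED = COMPLIANT[:2] + [corrupt(COMPLIANT[2])]

# Two always-connected disk copies: replication alone, the "gamble" described later.
REPLICATION_ONLY = [
    make_copy("prod-disk", "disk", offsite=False, offline=False, payload=IMAGE),
    make_copy("dr-disk", "disk", offsite=True, offline=False, payload=IMAGE),
]

if __name__ == "__main__":
    for label, inventory in [("compliant", COMPLIANT), ("corrupted", CORRUPTED), ("replication-only", REPLICATION_ONLY)]:
        print(f"{label}: {audit_3_2_1_1_0(inventory) or ['OK']}")
```

The compliant inventory returns no findings; the corrupted one passes every count but fails the “0” check on `vault-tape`, which is exactly the failure that only shows up on restore day if verification is skipped; the replication-only inventory fails the copy count, the media count and the offline requirement while all its digests still match, showing why “the data is replicated” is not the same as “the data is recoverable.”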

These steps deliberately go beyond simply replicating data to a secondary site. Vanover is strongly against relying on replication alone. He calls it a “gamble” because of the threat posed by a “persistent connection”: whatever ransomware encrypts or deletes at the primary site is faithfully replicated to the secondary one.

“This notion of a persistent connection is something that I think the market needs to stop doing, and replication basically requires that,” says Vanover.

Attitude problems

Veeam Software’s approach and the NIST framework make it obvious that cybersecurity is not the remit of any single C-level officer or team. Gartner’s Uskert believes the reason for our poor response to ransomware attacks is that the wrong people are making product security decisions.

“Too many security decisions are left to engineering, meaning proactive thoughtful productization of security features get watered down to secure by design elements that hackers have already figured out,” he writes.

Without chief digital officers and chief data officers (and even chief operating officers) involved, companies will continue to fall prey to attacks that exploit vulnerabilities in OT and IIoT environments. They will also see supplier risk “going unchecked against new digital offerings,” says Uskert.

In the end, ransomware targets gaps in our operations. This is not a fight between the CISO and ransomware attackers; it is organizations against ransomware attackers. And our failure to treat security as an organizational issue is what gives ransomware attackers the opportunity to enrich themselves.

Ka-Ching!

Winston Thomas is the editor-in-chief of CDOTrends and DigitalWorkforceTrends. He’s a singularity believer, a blockchain enthusiast, and believes we already live in a metaverse. You can reach him at [email protected].
